LinuxQuestions.org
Linux - Security
Old 02-26-2009, 12:26 PM   #1
Gortex
unknown IP addresses showing up in nmap


Today I decided to Nmap my network since we statically assign our own IP addresses, and I thought it would be helpful to have a table to list what IP address goes to which network device. At the end of the nmap it lists a few IP addresses that we didn't set up and I am having problems figuring out what is going on with them.

Here are the results from the nmap; they're all internal IP addresses.

Code:
Starting Nmap 4.62 ( http://nmap.org ) at 2009-02-26 11:02 CST
Host 192.168.2.1 appears to be up.
MAC Address: 00:1D:7E:1B:87:89 (Cisco-Linksys)
Host 192.168.2.68 appears to be up.
MAC Address: 00:11:50:BF:9A:FB (Belkin)
Host 192.168.2.113 appears to be up.
MAC Address: 00:18:F3:36:17:50 (Asustek Computer)
Host 192.168.2.115 appears to be up.
MAC Address: 00:06:5B:52:D6:BA (Dell Computer)
Host 192.168.2.119 appears to be up.
MAC Address: 00:06:5B:17:F8:E9 (Dell Computer)
Host 192.168.2.127 appears to be up.
MAC Address: 00:1E:8C:A7:8E:E1 (Asustek Computer)
Host 192.168.2.130 appears to be up.
MAC Address: 00:19:DB:C4:81:03 (Micro-star International CO.)
Host 192.168.2.132 appears to be up.
MAC Address: 00:40:2B:44:BB:50 (Trigem Computer)
Host 192.168.2.133 appears to be up.
MAC Address: 00:19:21:D0:8C:8A (Elitegroup Computer System Co.)
Host 192.168.2.202 appears to be up.
MAC Address: 00:80:F0:58:68:1A (Panasonic Communications Co.)
Host 192.168.2.203 appears to be up.
MAC Address: 00:80:F0:58:67:6A (Panasonic Communications Co.)
Host 192.168.2.204 appears to be up.
MAC Address: 00:80:F0:58:68:19 (Panasonic Communications Co.)
Host 192.168.2.205 appears to be up.
MAC Address: 00:80:F0:A0:CB:D0 (Panasonic Communications Co.)
Host 192.168.2.206 appears to be up.
MAC Address: 00:0C:76:FD:C5:60 (Micro-star International CO.)
Host 192.168.2.222 appears to be up.
Host 192.168.2.223 appears to be up.
MAC Address: 00:14:6C:86:59:16 (Netgear)
Stats: 0:07:31 elapsed; 768 hosts completed (16 up), 0 undergoing Ping Scan
Ping Scan Timing: About 14.53% done; ETC: 11:33 (0:23:40 remaining)
Stats: 0:24:14 elapsed; 768 hosts completed (16 up), 0 undergoing Ping Scan
Ping Scan Timing: About 75.02% done; ETC: 11:33 (0:06:54 remaining)
Host 192.168.34.17 appears to be up.
Host 192.168.34.18 appears to be up.
Host 192.168.34.21 appears to be up.
Host 192.168.34.22 appears to be up.

The IP addresses at 192.168.34.17, 34.18, 34.21, 34.22 are the ones in question.
Any ideas as to what this could be, or what I should do to find out? Also, port scanning these IP addresses shows that
there are no listening services.

Almost forgot: a traceroute to these IP addresses shows a hop off our local network on to our ISP and to a backbone connection, then it gets filtered out....

 
Old 02-26-2009, 02:12 PM   #2
JulianTosh
Using nmap, use '-O' to try and determine the operating system... From that output, you can also see the MAC address. Use this URL to look up the MAC and see what kind of hardware it is:

http://www.coffer.com/mac_find/
 
Old 02-26-2009, 03:44 PM   #3
salasi
Quote:
Originally Posted by Gortex
Almost forgot: a traceroute to these IP addresses shows a hop off our local network on to our ISP and to a backbone connection, then it gets filtered out....
On 192.168.34.x addresses? Weird.
 
Old 02-26-2009, 03:47 PM   #4
wsduvall
How did you run nmap (with what flags et cetera...)?
 
Old 02-26-2009, 03:58 PM   #5
dguitar
Any chance you have any virtualization running? (i.e. VMware/xVM(VBox)/Xen etc.)
 
Old 02-26-2009, 04:23 PM   #6
Gortex
Code:
root@Rppt:~# nmap -O 192.168.34.17

Starting Nmap 4.62 ( http://nmap.org ) at 2009-02-26 15:47 CST
All 1715 scanned ports on 192.168.34.17 are filtered
Too many fingerprints match this host to give specific OS details

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 335.857 seconds

Those were the results of the -O switch.

No VMware or anything of that nature..

Code:
nmap -sP 192.168.0.0/16
 
Old 02-26-2009, 06:19 PM   #7
JulianTosh
Sorry, I didn't catch the different octets... If they are not in the same broadcast domain then you won't be able to determine the MAC addresses.

What is your nmap scanner's IP and subnet mask? Please post the output of 'ifconfig -a'.

If the hosts are on the same subnet, then you can ping them, and then check your arp table ('arp -a') for a MAC address. Then look up the MACs in the link above to find out what kind of hardware it is.

If that doesn't work, then you'll need to have access to the switch (if it's managed and you can log into it) to trace the MAC through the switch ports and find out where it's plugged in.

 
Old 02-26-2009, 08:33 PM   #8
CaptainInsane
I am suddenly very interested in this also.
Just for kicks, I ran that same nmap command on my LAN.

My desktop, a Linksys router, and 2 Linux game/web servers
are on static IPs connected to the internet via the Cayman DSL router.

Never seen those 192.168.34.xxx addresses until tonight....

Code:
[root@p43000 ~]# nmap -sP 192.168.0.0/16

Starting Nmap 4.52 ( http://insecure.org ) at 2009-02-26 20:03 CST
Host 192.168.1.25 appears to be up.
MAC Address: 00:30:48:24:13:06 (Supermicro Computer)
Host p43000.new3 (192.168.1.33) appears to be up.
Host 192.168.1.41 appears to be up.
MAC Address: 00:30:48:71:CA:3E (Supermicro Computer)
Host 192.168.1.43 appears to be up.
MAC Address: 00:1C:10:18:5E:E4 (Cisco-Linksys)
Host 192.168.1.254 appears to be up.
MAC Address: 00:00:89:1C:C8:7A (Cayman Systems)
Host 192.168.34.17 appears to be up.
Host 192.168.34.18 appears to be up.
Host 192.168.34.21 appears to be up.
Host 192.168.34.22 appears to be up.
Anybody got any idea what is up with this?
 
Old 02-26-2009, 08:42 PM   #9
CaptainInsane
Very very odd....

Code:
[root@p43000 ~]# traceroute 192.168.34.17
traceroute to 192.168.34.17 (192.168.34.17), 30 hops max, 60 byte packets
 1  192.168.1.254 (192.168.1.254)  0.811 ms  0.992 ms  1.456 ms
 2  * * *
 3  * * *
.
.
.
29  * * *
30  * * *
[root@p43000 ~]# ping 192.168.34.17
PING 192.168.34.17 (192.168.34.17) 56(84) bytes of data.
64 bytes from 192.168.34.17: icmp_seq=1 ttl=245 time=64.5 ms
64 bytes from 192.168.34.17: icmp_seq=2 ttl=245 time=63.4 ms
64 bytes from 192.168.34.17: icmp_seq=3 ttl=245 time=64.1 ms
64 bytes from 192.168.34.17: icmp_seq=4 ttl=245 time=63.5 ms
64 bytes from 192.168.34.17: icmp_seq=5 ttl=245 time=64.0 ms
^C
--- 192.168.34.17 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 63.404/63.919/64.534/0.435 ms
[root@p43000 ~]#
 
Old 02-26-2009, 09:20 PM   #10
CaptainInsane
Ran arp -a and a few pings as a test.
192.168.1.254 is my DSL router.
Also pinged Google and one of the mystery IPs.

Note the ping times; these IPs are outside somewhere....
Code:
[root@p43000 ~]# arp -a
? (192.168.1.254) at 00:00:89:1c:c8:7a [ether] on eth0
[root@p43000 ~]# arp -a 192.168.34.17
arp: in 1 entries no match found.
[root@p43000 ~]# nmap 192.168.34.17

Starting Nmap 4.52 ( http://insecure.org ) at 2009-02-26 20:50 CST
All 1714 scanned ports on 192.168.34.17 are filtered

Nmap done: 1 IP address (1 host up) scanned in 111.550 seconds
[root@p43000 ~]# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=49 time=0.430 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=49 time=0.377 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=49 time=0.575 ms
^C
--- 192.168.1.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.377/0.460/0.575/0.087 ms
[root@p43000 ~]# ping google.com
PING google.com (74.125.45.100) 56(84) bytes of data.
64 bytes from yx-in-f100.google.com (74.125.45.100): icmp_seq=1 ttl=240 time=47.7 ms
64 bytes from yx-in-f100.google.com (74.125.45.100): icmp_seq=2 ttl=240 time=48.0 ms
64 bytes from yx-in-f100.google.com (74.125.45.100): icmp_seq=3 ttl=240 time=48.0 ms
64 bytes from yx-in-f100.google.com (74.125.45.100): icmp_seq=4 ttl=240 time=47.4 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 47.488/47.837/48.088/0.360 ms
[root@p43000 ~]# ping 192.168.34.17
PING 192.168.34.17 (192.168.34.17) 56(84) bytes of data.
64 bytes from 192.168.34.17: icmp_seq=1 ttl=245 time=63.6 ms
64 bytes from 192.168.34.17: icmp_seq=2 ttl=245 time=64.1 ms
64 bytes from 192.168.34.17: icmp_seq=3 ttl=245 time=63.0 ms
64 bytes from 192.168.34.17: icmp_seq=4 ttl=245 time=63.5 ms
^C
--- 192.168.34.17 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 63.080/63.604/64.128/0.414 ms
[root@p43000 ~]#

Here is the output from my ifconfig -a on the desktop box:

Code:
[root@p43000 ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:30:48:75:1C:40
          inet addr:192.168.1.33  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::230:48ff:fe75:1c40/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:30875 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29529 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:28252448 (26.9 MiB)  TX bytes:5043497 (4.8 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:824 errors:0 dropped:0 overruns:0 frame:0
          TX packets:824 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2059756 (1.9 MiB)  TX bytes:2059756 (1.9 MiB)
 
Old 02-26-2009, 10:56 PM   #11
JulianTosh
From the nmap machine, do

netstat -rnv

Paste the output. If there's just a simple default gateway pointing to a firewall/router, then do the same command from that host. Post that output as well.
 
Old 02-26-2009, 10:59 PM   #12
CaptainInsane
Code:
[root@p43000 ~]# netstat -rnv
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
 
Old 02-26-2009, 11:22 PM   #13
JulianTosh
Can you run the same command from 192.168.1.254? We need to find a firewall/router directly connected to the 192.168.34.x network so we can get ARP information and determine the type of device this is.
 
Old 02-26-2009, 11:32 PM   #14
CaptainInsane
192.168.1.254 is a Cayman Netopia DSL router. The next hop out from it
would be some machine or device on AT&T's side of the line.

I had checked the router's logs, and no sign of those IPs in the route cache or anywhere
else.

Just connected to it via telnet; only the -i and -r options are available with netstat on
it.

Here is the output from those anyway (xxx'ed out my router's external IP).
The peer below is AT&T.

Code:
Cayman3000/1243165> netstat -i

IP interfaces:
ENET (10/100BT-LAN): ( up broadcast default rip-send v1 rip-receive v1 )
  inet 192.168.1.254 netmask 255.255.255.0 broadcast 192.168.1.255
  physical address 00-00-89-1c-c8-7a mtu 1500
PPP (pppoe/vcc1): ( up point-to-point admin-disabled address-mapping )
  inet xxx.xxx.xxx.xxx netmask 0.0.0.0 peer address 69.210.213.254
  physical address 00-00-00-00-00-00 mtu 1492

Cayman3000/1243165> netstat -r

IP gateway (route) table:
0. Default Gateway -> PPP (pppoe/vcc1), D 2, T 0, (configured) UP DEFAULT

IP route cache (39 entries):
Net 80.82.191.1 point-to-point metric 0 timeout 5 via PPP (pppoe/vcc1)
Net 192.168.1.33 gateway 192.168.1.33 metric 0 timeout 5 via ENET (10/100BT-LAN)
Net 172.190.68.33 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 216.27.56.3 point-to-point metric 0 timeout 5 via PPP (pppoe/vcc1)
Net 202.97.238.227 point-to-point metric 0 timeout 2 via PPP (pppoe/vcc1)
Net 64.236.144.228 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 76.108.2.132 point-to-point metric 0 timeout 0 via PPP (pppoe/vcc1)
Net 74.201.118.102 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 63.144.111.7 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 78.92.84.9 point-to-point metric 0 timeout 3 via PPP (pppoe/vcc1)
Net 63.144.111.10 point-to-point metric 0 timeout 5 via PPP (pppoe/vcc1)
Net 206.220.40.42 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 85.214.106.43 point-to-point metric 0 timeout 5 via PPP (pppoe/vcc1)
Net 75.126.162.205 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 124.180.205.141 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 207.38.11.174 point-to-point metric 0 timeout 5 via PPP (pppoe/vcc1)
Net 79.180.221.15 point-to-point metric 0 timeout 3 via PPP (pppoe/vcc1)
Net 190.4.37.240 point-to-point metric 0 timeout 4 via PPP (pppoe/vcc1)
Net 72.188.222.112 point-to-point metric 0 timeout 4 via PPP (pppoe/vcc1)
Net 78.132.191.177 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 128.242.191.50 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 125.46.71.179 point-to-point metric 0 timeout 3 via PPP (pppoe/vcc1)
Net 98.151.9.148 point-to-point metric 0 timeout 4 via PPP (pppoe/vcc1)
Net 194.8.75.54 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 190.44.147.247 point-to-point metric 0 timeout 5 via PPP (pppoe/vcc1)
Net 64.72.116.55 point-to-point metric 0 timeout 4 via PPP (pppoe/vcc1)
Net 190.56.90.215 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 206.141.193.55 point-to-point metric 0 timeout 0 via PPP (pppoe/vcc1)
Net 125.65.112.217 point-to-point metric 0 timeout 0 via PPP (pppoe/vcc1)
Net 65.112.87.186 point-to-point metric 0 timeout 5 via PPP (pppoe/vcc1)
Net 66.102.1.155 point-to-point metric 0 timeout 2 via PPP (pppoe/vcc1)
Net 128.242.191.59 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 190.99.171.155 point-to-point metric 0 timeout 0 via PPP (pppoe/vcc1)
Net 12.217.132.28 point-to-point metric 0 timeout 4 via PPP (pppoe/vcc1)
Net 66.102.1.156 point-to-point metric 0 timeout 2 via PPP (pppoe/vcc1)
Net 64.94.107.29 point-to-point metric 0 timeout 1 via PPP (pppoe/vcc1)
Net 192.168.1.255 broadcast via ENET (10/100BT-LAN)
Net 72.14.247.127 point-to-point metric 0 timeout 2 via PPP (pppoe/vcc1)
Net 87.97.50.95 point-to-point metric 0 timeout 0 via PPP (pppoe/vcc1)

Cayman3000/1243165>
 
Old 02-27-2009, 12:51 AM   #15
JulianTosh
Ok.. you're fine. The hosts responding to pings are misconfigured and out on the internet somewhere. Those addresses should not be publicly routable, so I'm going to say it's another subscriber on your ISP.

If you had used a proper subnet prefix when scanning your internal network with nmap (/24, that is 255.255.255.0, instead of /16) then you would not have seen them.
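An added diagnostic script, not from the thread or any of its posters, that applies the two points JulianTosh makes above to Nmap 4.x -sP output: a MAC address only appears for hosts reached by ARP on the scanner's own segment, and a /16 sweep walks off the LAN through the default gateway. The interface 192.168.1.33/255.255.255.0 and the shortened scan listing are constructed from the outputs posted in this thread; the TTL hop estimate is a heuristic of my own, not something the posters used.

```python
import ipaddress
import re
# Constructed sample input modelled on the thread: the scanner's interface as
# ifconfig reported it (192.168.1.33, mask 255.255.255.0) and a shortened copy
# of the Nmap 4.x "-sP" output format shown above.
LOCAL_IFACE = ipaddress.ip_interface("192.168.1.33/255.255.255.0")
SAMPLE_NMAP = """\
Host 192.168.1.25 appears to be up.
MAC Address: 00:30:48:24:13:06 (Supermicro Computer)
Host p43000.new3 (192.168.1.33) appears to be up.
Host 192.168.1.254 appears to be up.
MAC Address: 00:00:89:1C:C8:7A (Cayman Systems)
Host 192.168.34.17 appears to be up.
Host 192.168.34.18 appears to be up.
"""
HOST_RE = re.compile(r"^Host (?:\S+ \()?(\d+(?:\.\d+){3})\)? appears to be up\.$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})", re.IGNORECASE)

def parse_nmap_sp(text):
    """Return [(ip, mac_or_None), ...]. Nmap prints a 'MAC Address:' line
    right after a host only when it reached that host by ARP on the local
    segment, so a missing MAC is itself a clue."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append([ipaddress.ip_address(m.group(1)), None])
            continue
        m = MAC_RE.match(line)
        if m and hosts:
            hosts[-1][1] = m.group(1).upper()
    return [tuple(h) for h in hosts]

def classify(ip, mac, iface=LOCAL_IFACE):
    """Say how a discovered host was reached relative to the scanner's subnet."""
    if ip == iface.ip:
        return "self"
    if ip in iface.network:
        return "on-link" if mac else "on-link, no MAC (unexpected, check ARP)"
    # Outside our subnet: every probe went out through the default gateway.
    if ip.is_private:
        return "off-link private: routed beyond this LAN, narrow the scan"
    return "off-link public"

def estimate_hops(ttl):
    """Rough hop count from a reply TTL, assuming the sender started at 64,
    128 or 255. A device with an unusual initial TTL defeats this."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None

def triage(text=SAMPLE_NMAP, iface=LOCAL_IFACE):
    return {str(ip): classify(ip, mac, iface) for ip, mac in parse_nmap_sp(text)}
```

Feed it a real `nmap -sP` listing and your own interface, and scan `LOCAL_IFACE.network` (here 192.168.1.0/24) next time instead of the whole /16; the TTL of 245 seen in the pings above estimates to about 10 hops, consistent with a host out past the ISP.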
 
  

