machine on my broadcast ip

**Kumado** · 06-09-2009

Hi,

I take care of a small network, about 130 systems behind a NAT box. This is one
of 2 networks at this school. It is of constant concern about interference from the other
network individual.
2 of my main feeds go through their network. I am "not allowed" access or control of these feeds.

For a little while I have had strange effects in the network and then while doing a full nmap, I
discover a system on my broadcast IP. ( x.y.z.255 ) The OS is not identified. It says :

nmap -sS -O x.y.z.255

Starting nmap 3.81 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2009-06-09 16:39 EDT
Host x.y.z.255 seems to be a subnet broadcast address (returned 10 extra pings). Still scanning it due to ping response from its own IP.
Interesting ports on x.y.z.255:
(The 1660 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
MAC Address: 00:14:BF:5F:A9:29 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see Nmap Fingerprint Submitter 2.0).
TCP/IP fingerprint:
SInfo(V=3.81%P=i586-suse-linux%D=6/9%Tm=4A2EC8A7%O=23%C=1%M=0014BF)
TSeq(Class=TR%IPID=RD%TS=U)
T1(Resp=Y%DF=N%W=200%ACK=S++%Flags=AS%Ops=)
T1(Resp=Y%DF=N%W=200%ACK=O%Flags=AS%Ops=)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=200%ACK=S++%Flags=AS%Ops=)
T3(Resp=Y%DF=N%W=200%ACK=O%Flags=AS%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)

Nmap finished: 1 IP address (1 host up) scanned in 25.401 seconds

I can't telnet or connect by browser because " Network is unreachable "

Is there any methods or tests to find out more about this machine?

Thanks

kumado

**b2bwild** · 06-10-2009

If you can manually ping the broadcast address, then the network should not be unreachable.

Well thats not possible with 32bit IPv4 addressing.
X_X Very strange.

**HROAdmin26** · 06-10-2009

If you want to change your local system so that this is "just another node IP", then change your subnet mask.

Existing config:

192.168.156.0/24

Problem IP = 192.168.156.255

Change your local NIC to:

192.168.156.0/23 (Subnet mask changes from 255.255.255.0 to 255.255.254.0)

Now 192.168.156.255 is not a broadcast address and you can telnet/SSH to it.

* If there are machines on another VLAN using 192.168.157.X addresses, you will not be able to reach them. Just change the NIC info back to the original to correct the routing table once done.

**b2bwild** · 06-10-2009

Well, thats a solution..
only thing is, you need to have redefine the routing between two subnets.

**HROAdmin26** · 06-10-2009

Originally Posted by b2bwild

Well, thats a solution..
only thing is, you need to have redefine the routing between two subnets.

No - no network changes are made on any network devices. This is strictly done on the local machine. The local machine will still send packets not destined for the local VLAN (192.168.156.0/23) to its gateway. As stated, *if* there are actually machines on a 192.168.157.0/24 network, your local machine will not be able to reach them while you have the subnet mask set "incorrectly."

**Kumado** · 06-10-2009

I can't ping it though nmap says it is.

I am at home atm, I was having one of my buddies run the same
test, just change the subnet from x.x.240.0 to x.x.224.0. He
has not told me what happened yet.

I ran a check online and the mac belongs to linksys. I only have
one managed switch, 2 APs and possibly a few linksys nics out
there.

ahhhm the game is afoot, to hunt and string up a spy...

Thanks all

kumado

Thread Tools

Display

machine on my broadcast ip

Posting Permissions