-
July 6th, 2005, 05:52 PM
#1
Junior Member
Netstumbler "Vendor: Fake"
As the title states, I'm connecting to an AP that reads "fake" as the vendor in NetStumbler. The even more interesting thing is that I decided to do a tracert to google.com and I saw this:
Tracing route to google.com [216.239.37.99]
over a maximum of 30 hops:
1 3 ms 3 ms 3 ms 192.168.1.1
2 9 ms 9 ms 9 ms 10.102.96.1
3 220 ms 10 ms 11 ms atm3 *
4 11 ms 13 ms 19 ms *
5 10 ms 8 ms 9 ms *
6 15 ms 11 ms 11 ms *
7 32 ms 27 ms 35 ms *
8 41 ms 28 ms 27 ms * "These other IPs did show up, I just marked them out"
9 28 ms 27 ms 28 ms *
10 27 ms 27 ms 29 ms *
11 55 ms 48 ms 40 ms *
12 42 ms 45 ms 51 ms *
13 54 ms 43 ms 49 ms *
14 244 ms 42 ms 43 ms *
15 44 ms 43 ms 42 ms 216.239.37.99
The line of interest to me is of course the second one... a private IP address "after" the packet leaves the AP. Some people have said that the fake vendor is nothing really, but maybe a glitch in NetStumbler or the way an AP might present itself, but in this case it seems to be more... So does this mean that this AP is forwarding everything to a private network and then to the internet from there?
-
July 6th, 2005, 06:14 PM
#2
Netstumbler might not have an updated mac/vendor list.
I see this often with the newer Westell DSL modem/wireless access point combos.
You can manually look them up.
http://www.cavebear.com/CaveBear/Ethernet/vendor.html
There are several sites out there that have the mac/vendor list. I'm not sure which are kept up to date.
As far as your trace route... your ISP (or whoever set up that AP) could be NATing out your "WAN" IP address. This is done for a variety of reasons... they are short on IP addresses and NAT can solve that problem. They can filter the services you are allowed using NAT.
I do that on my home network.
WAN (public IP) <--> WAN port (Wired Router) LAN port <--> Private LAN Subnet 1
LAN (private IP) <--> WAN port (W/less Router) LAN port <--> Private LAN Subnet 2
I have the WAN port of the wireless router hooked into a switch port on the Private LAN that gets assigned a private IP address.
So, my wired and wireless clients are separated via router/firewall on different subnets. I can limit what services the wireless hosts can use.
In your traceroute from the AP, the first public IP address should be your "true gateway" address if you are being NAT'd.
Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
July 6th, 2005, 06:15 PM
#3
A "whois" suggests the address belongs to IANA:
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12
OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org
OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org
# ARIN WHOIS database, last updated 2005-07-05 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
-
July 6th, 2005, 06:19 PM
#4
If you are connecting from your workstation to the AP, that first IP is the internal address of the AP (the one you see from your system). The AP has an external IP that is probably assigned by the ISP (whoever that may be). The next IP is the internal IP of the next system downstream from you. That is the gateway provided by your ISP. Probably a firewall and you are seeing the internal IP. The next IP, 3, is the IP of the next router downstream from there, etc., etc.
Nothing weird or mysterious here.
-
July 6th, 2005, 06:21 PM
#5
It's not really possible for you to go from #1 your internal network of 192.168.x.x to #2 10.x.x.x unless you have some routing configured. I mean once it left your network how could a 10.x.x.x be handled on the internet? But it is very possible to have any internal network routed out through another internal network (ie the 10.x.x.x network).
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
July 6th, 2005, 06:51 PM
#6
But it is very possible to have any internal network routed out through another internal network (ie the 10.x.x.x network).
That's what I think is happening... but that's just by looking at part of a traceroute.
It could be the ISP that NAT'd out their addresses (happens quite often), or they could be using someone else's AP and don't know how it is set up.
Nihil: aren't all ip addresses "owned" by IANA? customers just "rent" them?
Any IP in these ranges should show up with the same "whois".
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Those IP addresses are the IPs that ANYONE can "own".
They can't be routed over the internet and are only for use on private networks.
Only one person can have any one public IP address... but anyone can have the private addresses that are listed above.
-
July 6th, 2005, 08:32 PM
#7
Do you know who/what the AP really is? My gut feeling is honeypot.
-
July 6th, 2005, 09:19 PM
#8
Phish~
Nihil: aren't all ip addresses "owned" by IANA? customers just "rent" them?
Not exactly. IANA manage and allocate the addresses but they don't own them (I recall the UN were trying to take over a little while back?)
The blocks you refer to are reserved for special purposes, which makes it look odd to me, given where it shows up in traceroute?
-
July 6th, 2005, 11:08 PM
#9
Junior Member
Originally posted here by zENGER
Do you know who/what the AP really is? My gut feeling is honeypot.
I was thinking the same thing... this is just an AP in the neighborhood I just moved to and I don't have internet just yet... I guess it couldn't hurt to do a little investigating on my own... I'll get to practice using a few network tools and theories that we all read about.
-
July 6th, 2005, 11:19 PM
#10
Erm, are you kidding me? Try a whois on 127.0.0.1. OMFG IANA owns my localhost!! lol, seriously they are RFC 1918, of course they are reserved. Does 192.168.x.x ring a bell? And of course the second hop is also an RFC 1918 like the first, they are both internal networks. The 10.x.x.x (also RFC 1918) is probably the wired network which gets NATed to the internet. On that wired network is a wireless AP, the wireless AP gets its addy from 10.x.x.x DHCP and then runs its own DHCP on 192.168.x.x, this way the WLAN and LAN are separate. It's not a honeypot, it's some dude with a Linksys AP plugged into his Linksys router.
-Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
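Added example, not part of any post in the thread: a Python sketch of the check that replies #2, #6 and #10 describe, classifying each traceroute hop against the RFC 1918 ranges and reporting the first public hop. The sample output is constructed (shortened from the first post, with the masked hops left masked), and the function names are this example's own.

```python
import ipaddress
import re

# RFC 1918 private ranges, as listed in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in Windows tracert format, shortened from the first post.
# Hops the poster masked with "*" stay masked.
SAMPLE = """\
Tracing route to google.com [216.239.37.99]
over a maximum of 30 hops:
  1     3 ms     3 ms     3 ms  192.168.1.1
  2     9 ms     9 ms     9 ms  10.102.96.1
  3   220 ms    10 ms    11 ms  atm3 *
  4    11 ms    13 ms    19 ms  *
 15    44 ms    43 ms    42 ms  216.239.37.99
"""

# Hop number, three timing columns ("3 ms", "<1 ms" or "*"), then the host field.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_hops(text):
    """Return [(hop_number, ip_address or None)] for each hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            found = IP_RE.search(m.group(2))
            hops.append((int(m.group(1)),
                         ipaddress.ip_address(found.group()) if found else None))
    return hops

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def summarize(text):
    """Private hops, first public hop, and whether hidden hops precede it."""
    private, hidden = [], False
    for n, ip in parse_hops(text):
        if ip is None:
            hidden = True          # masked or unresolved: no evidence either way
        elif is_rfc1918(ip):
            private.append((n, str(ip)))
        else:
            return private, (n, str(ip)), hidden
    return private, None, hidden

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

When the third value is true, hops were hidden before the first visible public address, so that address cannot be taken as the gateway without the unmasked trace.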