What's giving the IP's after the T1?

Here's what's very likely a very stupid question. I will take any flames
like a good newbie.

Where I work, I did a portscan on our system (from a machine outside the
network.) It showed the network to be pingable, and every port closed
instead of stealthed and a couple of dangerous ports open! Like Telnet!

So I investigated, and from what I can tell, we have a partitioned T1 coming
in, to a box sporting the name of our ISP, Nuvox, which then runs to a
Netgear switch which then runs to each wall jack.

Now each machine has an internal IP (198.x.x.x), but, what's assigning the
IP? We're using workgroup, not a domain, and that switch is definitely a
swith and not a router or NAT. Does whatever equipment that the T1 line
runs to normally do that kind of thing?

In any case, my intent is to try to secure the network, but if there's
already a firewall/router or sorts already on the system, that might give
me more of an idea of what to do.

So, any suggestions on how to go about taking the next step? Finding out
what's assigning IP's? If it matters, I tried web browsing to the Default
Gateway IP (198.10.1.1 or something...not sure of that 2nd octet,) and
nothing, but telneting to that address gives me a login prompt.

Thanks for any suggestions!!
Liam

On Thu, 04 Mar 2004 04:28:55 GMT, LRW wrote:

> Here's what's very likely a very stupid question. I will take any flames
> like a good newbie.
>
> Where I work, I did a portscan on our system (from a machine outside the
> network.) It showed the network to be pingable, and every port closed
> instead of stealthed and a couple of dangerous ports open! Like Telnet!
>
> So I investigated, and from what I can tell, we have a partitioned T1 coming
> in, to a box sporting the name of our ISP, Nuvox, which then runs to a
> Netgear switch which then runs to each wall jack.
>
> Now each machine has an internal IP (198.x.x.x), but, what's assigning the
> IP? We're using workgroup, not a domain, and that switch is definitely a
> swith and not a router or NAT. Does whatever equipment that the T1 line
> runs to normally do that kind of thing?
>
> In any case, my intent is to try to secure the network, but if there's
> already a firewall/router or sorts already on the system, that might give
> me more of an idea of what to do.
>
> So, any suggestions on how to go about taking the next step? Finding out
> what's assigning IP's? If it matters, I tried web browsing to the Default
> Gateway IP (198.10.1.1 or something...not sure of that 2nd octet,) and
> nothing, but telneting to that address gives me a login prompt.
>
> Thanks for any suggestions!!
> Liam

Maybe the DSU/CSU the T1 plugs into has an integrated router.

"LRW" <(E-Mail Removed)> wrote in message
news:bgy1c.453120$I06.5125577@attbi_s01

> Now each machine has an internal IP (198.x.x.x), but, what's
> assigning the IP? We're using workgroup, not a domain, and that
> switch is definitely a swith and not a router or NAT. Does whatever
> equipment that the T1 line runs to normally do that kind of thing?
>
> In any case, my intent is to try to secure the network, but if there's
> already a firewall/router or sorts already on the system, that might
> give me more of an idea of what to do.
>
> So, any suggestions on how to go about taking the next step? Finding
> out what's assigning IP's? If it matters, I tried web browsing to the
> Default Gateway IP (198.10.1.1 or something...not sure of that 2nd
> octet,) and nothing, but telneting to that address gives me a login
> prompt.

Using the correct IP/mask as root, e.g.:

# nmap -sUS -p67 198.10.1.0/24 | egrep -i "interesting|open|filtered"

This will show you what IPs are running dhcpserver. It will also return
the machine names if they are resolvable.


tony

--
use hotmail for any email replies



-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

On Thu, 04 Mar 2004 04:28:55 GMT, LRW <(E-Mail Removed)>
wrote:

>Now each machine has an internal IP (198.x.x.x), but, what's assigning the
>IP?

Are you sure that they're being assigned? They might have fixed ips.

Dan

Dan wrote:

> On Thu, 04 Mar 2004 04:28:55 GMT, LRW <(E-Mail Removed)>
> wrote:
>
>>Now each machine has an internal IP (198.x.x.x), but, what's assigning the
>>IP?
>
> Are you sure that they're being assigned? They might have fixed ips.
>
> Dan

Yep. Positive. I help set the computers up and they're using DHCP. =)
Liam

"ynotssor" <"ynotssor"> wrote:


>
> Using the correct IP/mask as root, e.g.:
>
> # nmap -sUS -p67 198.10.1.0/24 | egrep -i "interesting|open|filtered"
>
> This will show you what IPs are running dhcpserver. It will also return
> the machine names if they are resolvable.
>

From home I tried that using the public IP (I'll do it to the gateway IP
from inside the network when I go to work today,) and got the following:

PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp open dhcpserver

Does that mean that the router which is likely the DSU/CSU a previous post
mentioned (I'll have to investigate the meaning of that on the 'net later
today,) is acting as a DHCP server? Is what's giving internal IP addresses
to the machines inside the network?

Wow I need to learn more about networking. Any good books/sites you'd
recommend for newbies?

Thanks!!
Liam

"ynotssor" <"ynotssor"> wrote in message news:<(E-Mail Removed)>...

> Using the correct IP/mask as root, e.g.:
>
> # nmap -sUS -p67 198.10.1.0/24 | egrep -i "interesting|open|filtered"
>
> This will show you what IPs are running dhcpserver. It will also return
> the machine names if they are resolvable.

OK this is interesting, although I'm not sure what it means. I'm
pasting the results below.
Allow me to babble a moment to see if I'm getting this OK....
Since the default gateway internal IP has an open DHCP port, and the
public IP shows the same closed/open tcp/udp, does that mean that the
piece of hardware the fractional T1 is plugged into is indeed serving
as router/IP assigner (if that's not a redundant statement. I guess
not since they're often two different items.)

Now, all these other machines with visible port 67's, is that good or
bad? I notice that my own PC is not among them. What does this mean,
really?

Thanks for your help and advice!!!
Liam

$ nmap -sUS -p67 192.168.1.0/24

Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-03-04
08:50 Central
Standard Time
Interesting ports on 192.168.1.1:
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp open dhcpserver

Interesting ports on SHIPPING (192.168.1.156):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on SARAH (192.168.1.220):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on SUE (192.168.1.221):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on CHIPPER (192.168.1.229):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on DAVID2 (192.168.1.235):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on CHRIS (192.168.1.236):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on 192.168.1.244:
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on BRYAN (192.168.1.245):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on JERRY (192.168.1.247):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Host 192.168.1.255 seems to be a subnet broadcast address (returned 1
extra ping
s). Still scanning it due to ping response from its own IP.
Interesting ports on 192.168.1.255:
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp open dhcpserver

Nmap run completed -- 256 IP addresses (11 hosts up) scanned in 21.593
seconds

OK, I tracked it back, and discovered from some box that looks like
the phone company's, a cable enters a "Adtran Total Access 608" device
before going to the switch.
A little Web searching, and found that it's a DSL router(?) (I was
told we had a partitioned T1 line. Is that what ADSL is?)
The good and bad news is that the manufacturer's product manual PDF
online doesn't seem to include a default password for the telnet
access.
Good because that means if it hasn't been changed, some yahoo can't
gain access from just doing a Web search. =) Bad because I can't get
in it to do things like packet filtering and closing ports.

So, what do you think?
I think it's unwise and unsafe to leave it like it is with an open
telnet and 2000 port, and everything else "closed" instead of
"stealthed".
Or, is it no big deal?

Thanks for any advice!!
Liam

On Thursday 04 March 2004 1:46 pm, LRW uttered these immortal words:

> Wow I need to learn more about networking. Any good books/sites you'd
> recommend for newbies?

I found O'Reilly's "TCP/IP Network Administration" (UNIX version) to be very
good to start with.

--
Andy.

"LRW" <(E-Mail Removed)> quoted and wrote:

> From home I tried that using the public IP (I'll do it to the gateway
> IP from inside the network when I go to work today,) and got the
> following:
>
> PORT STATE SERVICE
> 67/tcp closed dhcpserver
> 67/udp open dhcpserver
>
> Does that mean that the router which is likely the DSU/CSU a previous
> post mentioned (I'll have to investigate the meaning of that on the
> 'net later today,) is acting as a DHCP server? Is what's giving
> internal IP addresses to the machines inside the network?

If that's the public IP, it shouldn't be running a dhcpserver, but the
results merely indicate that the port is open. The -p67,68 option to nmap
will show that it's also got a port open as dhcpclient, so that it's getting
the public IP from your ISP's dhcpserver. To really see what's going on, use
the "-sV" option. See the nmap man page for more information.

> OK this is interesting, although I'm not sure what it means. I'm
> pasting the results below.
> Allow me to babble a moment to see if I'm getting this OK....
> Since the default gateway internal IP has an open DHCP port, and the
> public IP shows the same closed/open tcp/udp, does that mean that the
> piece of hardware the fractional T1 is plugged into is indeed serving
> as router/IP assigner (if that's not a redundant statement. I guess
> not since they're often two different items.)

[ relocated ]
> Interesting ports on 192.168.1.1:
> PORT STATE SERVICE
> 67/tcp closed dhcpserver
> 67/udp open dhcpserver
....
> Host 192.168.1.255 seems to be a subnet broadcast address (returned 1
> extra pings). Still scanning it due to ping response from its own IP.
> Interesting ports on 192.168.1.255:
> PORT STATE SERVICE
> 67/tcp closed dhcpserver
> 67/udp open dhcpserver

The interface 192.168.1.1 is in all likelihood the source of your DHCP
addressing since it's the only host address with a positive response. The
..255 is a broadcast address, so it's the same response (logical OR of all
polled addresses) as the other. The fact that 192.168.1.1 is the only box on
the subnet returning an open port 67 is definitive; that's where your LAN
DHCP addresses are coming from, at least for all machines on the subnet that
are configured as DHCP clients. Again, "-sV" will be helpful.

> Now, all these other machines with visible port 67's, is that good or
> bad? I notice that my own PC is not among them. What does this mean,
> really?

> Interesting ports on SHIPPING (192.168.1.156):
> PORT STATE SERVICE
> 67/tcp closed dhcpserver
> 67/udp closed dhcpserver

It means that nmap polled the port and got no response. You would get the
same "closed" result from any port that nmap polled that had no
client/server process running. As an educational exercise, simply run
"nmap -sV -sSU 192.168.0.0/24" and see the results for each machine. Someday
when you have the time and wish to really start understanding your network,
use the "-p1-65535" to see everything on each machine. You'll probably want
to redirect the output to a file for later review.

In the list of polled IPs, you say that your "own PC is not among them";
does that include 192.168.1.244 for which there is no name resolution?


tony

--
use hotmail for any email replies



-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----