• We did not send an email asking for donations - please read this post.

MAC Duplicate, Host on 255, arp-scan, strange things

lane17

New Member
Joined
Sep 23, 2019
Messages
4
Reaction score
0
Credits
47
I recently was running arp-scan quite often on my local network. I've noticed that one of the devices has 192.168.0.255.
Is that normal to have a device on a broadcast address?

nmap doesn't have much to say about that device apart from the fact that it's Google's Mac.
Code:
sudo nmap -sS -O -A 192.168.0.255
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-07 14:28 BST
Nmap scan report for 192.168.0.255
Host is up (0.14s latency).
All 1000 scanned ports on 192.168.0.255 are filtered
MAC Address: 1C:F2:9A:xx:xx:xx (Google)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT       ADDRESS
1   141.39 ms 192.168.0.255

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.69 seconds

Now few days later I ran arp-scan again and for like a week now, there's another device I haven't noticed ever before with ip 192.168.0.28, but it has exactly the same MAC address as the 192.168.0.255!

However nmap shows that it's a different device but after I checked ports on it I still have no idea what it is.
Code:
sudo nmap -sS -O -A 192.168.0.28
[sudo] password for mm:         
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-07 14:31 BST
Nmap scan report for 192.168.0.28
Host is up (0.054s latency).
Not shown: 841 closed ports, 154 filtered ports
PORT      STATE SERVICE         VERSION
8008/tcp  open  http?
|_http-title: Site doesn't have a title (text/html).
8009/tcp  open  ssl/ajp13?
|_ajp-methods: Failed to get a valid response for the OPTION request
| ssl-cert: Subject: commonName=d1729ed8-f1f3-b790-d887-aa6dc9dcabfa
| Not valid before: 2022-09-06T14:31:58
|_Not valid after:  2022-09-08T14:31:58
|_ssl-date: 2022-09-07T13:34:08+00:00; 0s from scanner time.
8443/tcp  open  ssl/https-alt?
9000/tcp  open  ssl/cslistener?
10001/tcp open  ssl/scp-config?
MAC Address: 1C:F2:9A:xx:xx:xx (Google)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/7%OT=8008%CT=1024%CU=41045%PV=Y%DS=1%DC=D%G=Y%M=1CF2
OS:9A%TM=63189E67%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=I%CI=I%
OS:II=RI%SS=S%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B
OS:4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7200%W2=7200%W3=7200%W4=7200%
OS:W5=7200%W6=7200)ECN(R=N)T1(R=Y%DF=N%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3
OS:(R=N)T4(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=
OS:Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%R
OS:IPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=40%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT      ADDRESS
1   54.25 ms 192.168.0.28

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 300.20 seconds

I'm renting a room at this place and I know that the landlord has (or had) one of those Google speakers (I think Google Nest), but I have no idea if he uses it or not.
I don't have access to the router.
 


OP
L

lane17

New Member
Joined
Sep 23, 2019
Messages
4
Reaction score
0
Credits
47
I blocked this ip using ufw. I blocked this using iptables. It helped right after I created the rule, but it just keeps coming back! Nothing is working.
To the best of my knowledge I wasn't hacked per se (but I don't know anymore at this point)

Why I can't block it? It's very doggy from the start.
It uses 8009 to connect to me (after I thought I blocked it it just change the port it will connect to me and it's very hight. So it will keep its 8009 but after my reaction it will go say from 24532 to 54123 as an example to connect to me right now:
Code:
tcp        0      0 192.168.0.94:49864      192.168.0.28:8009       ESTABLISHED keepalive (1.72/0/0)
).

Whatever I do like sudo service iptables restart, it's still there. I cannot kill it with tcpkill, nothing...

And I can't figure out what it does from Wireshark, but probably mostly because I'm not good at reading packets.
Buy going through it's ports you can figure out that it might be a trojan called Silencer, but that's for Windows...

Code:
8008/tcp  open  http         syn-ack ttl 64
8009/tcp  open  ajp13        syn-ack ttl 64
8012/tcp  open  unknown      syn-ack ttl 64
8443/tcp  open  https-alt    syn-ack ttl 64
9000/tcp  open  cslistener   syn-ack ttl 64
10001/tcp open  scp-config   syn-ack ttl 64
10005/tcp open  stel         syn-ack ttl 64
10007/tcp open  mvs-capacity syn-ack ttl 64
10101/tcp open  ezmeeting-2  syn-ack ttl 64

I want to post all this on Kali Linux Forums, but for some reason I cannot register there.
BUT it doesn't matter now. I just can't believe I cannot simply block it with anything.
Anyone?
 
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Linux.org Hosting Donations
Consider making a donation

Members online

No members online now.

Top