
Thread: RE: Help, is 192.168.1.255 port probes on 137 and 138 bad?

  1. #1
    Security + Shinobi's Avatar
    Join Date
    Jan 2001
    Location
    South Carolina
    Posts
    4,407
    Blog Entries
    1

    RE: Help, is 192.168.1.255 port probes on 137 and 138 bad?

    I see this a lot on my happy packet sniffer, 192.168.1.255 port probes on 137 and 138, UDP Protocol. Sometimes 192.168.1.255 is the source, sometimes it's the destination. Is this some sort of trojan, or is it an Internal I.P. that is a part of my Network and Normal? I have a NAT Router Firewall and happy Sygate software Firewall on each of my clients and server on my network.
    Thanks for any help you guys can provide.
    Oh, I use NetworkActiv packet sniffer, freeware from www.networkactiv.com (non-plug) really good!

  2. #2
    Elite Member blebs's Avatar
    Join Date
    Dec 2000
    Location
    North Canton, Ohio
    Posts
    12,848
    http://www.google.com/search?hl=en&i...=Google+Search

    I'm seeing gazillions of hits. I would think it's Bugbear infected computers searching, but as for the IP, wait for greEd to come through. He should be able to tell you more.

  3. #3
    192.168.1.255 is an internal address.

  4. #4
    Security + Shinobi's Avatar
    Join Date
    Jan 2001
    Location
    South Carolina
    Posts
    4,407
    Blog Entries
    1

    RE: I wonder what....

    Thanks to both for the fast response. If it is internal, I wonder what it's from? All my I.P.s are from 192.168.1.100-192.168.1.114, all from my router's DHCP - The router's at 192.168.1.1
    I hope GreEd posts a reply to my post.

    Thanks
    blebs99 and Norm.

  5. #5
    Regular Member
    Join Date
    Aug 1999
    Posts
    341
    Originally posted by Norm
    192.168.1.255 is an internal address.
    Actually, that's the broadcast address (also represented as the MAC address ff:ff:ff:ff:ff:ff depending on the protocol used) for IPs 192.168.1.1 thru 192.168.1.254--if you send a message to this IP (192.168.1.255) all the machines on the LAN will receive the message. So, it could be generated internally or externally (since you receive all broadcast messages, even the ones that you sent).

    Typically, in a Windows based LAN (or *nix based running Samba), it's generated by one machine trying to resolve a local name using the NetBIOS Name Service on port 137. For instance, when you ping a non-existent machine on your LAN, say "toad", your computer broadcasts (to the entire 192.168.1 LAN) a query via the NBNS that tries to resolve "toad" to an IP or MAC address; at that point it might try to look it up in the DNS--which will fail, since no machine named "toad" exists. Of course, if "toad" does exist it will reply with its location.
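
Added example, not part of the original post or written by any poster in this thread: a small Python triage helper that decodes the NetBIOS name carried in a UDP/137 broadcast, so a sniffer hit on 192.168.1.255 can be read as "which host is asking for which name". The packet is constructed here following the RFC 1002 layout, and the function names and the source address 192.168.1.101 are assumptions made for illustration.

```python
import ipaddress
import struct

def encode_nbns_query(name, suffix=0x00, txid=0x1234):
    """Build a constructed NBNS name query (RFC 1002 layout) as sample input."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    # First-level encoding: each byte becomes two letters 'A'..'P', one per nibble.
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)  # RD + broadcast bit
    return header + b"\x20" + enc + b"\x00" + struct.pack(">HH", 0x0020, 0x0001)

def parse_nbns_query(payload):
    """Return (name, suffix, is_broadcast) from the payload of a UDP/137 query."""
    if len(payload) < 50:  # 12-byte header + 34-byte name + type and class
        raise ValueError("too short for an NBNS question")
    _, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1 or payload[12] != 0x20:
        raise ValueError("not a name query request")
    enc = payload[13:45]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("bad first-level encoding")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], bool(flags & 0x0010)

def triage(src, dst, dport, payload, lan="192.168.1.0/24"):
    """Describe one sniffed UDP packet relative to the LAN's broadcast address."""
    net = ipaddress.ip_network(lan)
    if dport != 137 or ipaddress.ip_address(dst) != net.broadcast_address:
        return "not an NBNS broadcast on this LAN"
    name, suffix, _ = parse_nbns_query(payload)
    origin = "local host" if ipaddress.ip_address(src) in net else "off-subnet source"
    return f"{origin} {src} is asking who has NetBIOS name {name!r}<{suffix:02X}>"

if __name__ == "__main__":
    pkt = encode_nbns_query("toad")  # constructed packet, not a capture
    print(triage("192.168.1.101", "192.168.1.255", 137, pkt))
```

A source address outside the configured subnet is reported as "off-subnet source", which is the case worth a closer look in the capture.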

  6. #6
    Very nice explanation Stu, easy to understand. Thanks

    One thing I'm confused about, quote "So, it could be generated internally or externally"
    Can someone outside the LAN, on the WAN side use this address to initiate a connection with a PC on the LAN? Through a typical home router, or even ICS NAT?
    Can, with the same scenario, someone outside the LAN even get a reply from a ping from a PC on the LAN (if it exists)?
    Is there any type of scan/software that will get through a router, or NAT, to a PC on the LAN?

    Or is this not what you meant?

  7. #7
    Security Specialist greEd's Avatar
    Join Date
    May 2001
    Location
    Maryland
    Posts
    807
    Originally posted by Norm
    Very nice explanation Stu, easy to understand. Thanks

    One thing I'm confused about, quote "So, it could be generated internally or externally"
    Can someone outside the LAN, on the WAN side use this address to initiate a connection with a PC on the LAN? Through a typical home router, or even ICS NAT?
    Can, with the same scenario, someone outside the LAN even get a reply from a ping from a PC on the LAN (if it exists)?
    Is there any type of scan/software that will get through a router, or NAT, to a PC on the LAN?

    Or is this not what you meant?
    192.168.1.255 is your computers sending local broadcasts, obviously you have your network set up as 192.168.1.X (probably 192.168.1.1 = router .2 =box etc etc) it is also a private subnet accessible only internally, this is why most manufacturers set the default dhcp scope to 192 etc etc.
    An attacker could generate packets with this ip address included in hopes of gaining access, and though you can get past the properties of NAT and access one's filtered server the process is extremely slow and bothersome. If you are providing no services and have a private internal IP you are pretty safe. If you forward services you may want to look more into the security of those services.
    "I'm doing a (free) operating system (just a hobby, won't be big and professional...) for AT clones... It's not portable and it probably [won't ever] support anything other than AT hard disks, as that's all I have :-(." --Posted on Usenet August 1991 by Linus Torvalds
    http://www.computerglitch.net
    curiosity builds security | dd if=/dev/zero of=/dev/hda bs=512 count=100
    EOF

  8. #8
    Thanks for your time and knowledge greEd. Good to see you

    I think I'm safe, I use NetBEUI, and unbind everything from TCP.
    Hope this has helped Shinobi as well. After all, he did start the thread.

    Good stuff guys, thanks again.

    Norm

  9. #9
    Regular Member
    Join Date
    Aug 1999
    Posts
    341
    Originally posted by Norm
    One thing I'm confused about, quote "So, it could be generated internally or externally"
    When I said, "it could be generated internally or externally", I was implying that it can be seen as generated externally to the computer (another machine on the network is sending a broadcast), or internally to the computer (it is receiving a broadcast it sent itself). So, I was looking at it from the machine you are using's point of view.

  10. #10
    I thought that's what you meant Stu, just wanted to verify, thanks

  11. #11
    Security + Shinobi's Avatar
    Join Date
    Jan 2001
    Location
    South Carolina
    Posts
    4,407
    Blog Entries
    1

    Thanks All

    Thanks everyone for helping me, I understand now. Even though I've been a Hardware Tech for a while now, I still don't know everything about the internal working of a network. Configuring shares and profiles no probs.
    Thanks for the info!
    Happy Holidays!
    Shinobi
