okay, so i know how to use CIDR notation now. knowing this, i can get a network scan to work; you specify a prefix, and look for hosts on that network. last night i did this for a while on a couple of targets (jingping's insightbb network, and an AOL network around Cincinnati that i found through another connected skype user), and found that i could recognize a computer using skype by the ports it had open - all hosts i had looked at which i knew were running skype had open TCP ports on 80 and 443. so, when i saw a couple of hosts with those open ports, i guessed it must be skype, and confirmed it with more intensive, specific scans.
i also looked at my own network. given what i know, i was the only visible skype user. there was another machine which nmap guessed was a VOIP router, which is kind of interesting.
so, looking at networks is interesting. you can see all the hosts at once, get quick summaries of just what type of host they might be and what they're doing, and all of this with a couple of simple tools and some ability to recognize states (which the tools are of course better than me at doing).
also, from my office, i can see that my home network is linked by a single router to a different node than i see from home, one of the NOX comcast nodes (i can't remember what it is from home, but it isn't NOX, which is what ties together all these new england university networks). so, that router has access to several dozen hosts including my computer, and also to several higher comcast nodes, through which it can send traffic off in various directions. in other words, i think that that router is the single bottleneck for traffic from my home computer - i'm one hop from the open internet.
Tuesday, April 27, 2010
Monday, April 26, 2010
portscan
just got my first portscan result.
it's another address in boston, using skype. it's also a comcast address, and the first 16 bits are the same as my address. the prefix of the server above it says 'needham'. i guess it's strange that it's such a similar location to mine, and i suppose i could be looking into some sort of mirror that i don't understand, but i do think it's a real, other user, somewhere here in town.
nmap saw that its http ports (80 and 443) were open, and decided that they were being used by the Skype service. i can also see that port 2265 is open, the same port from which i'm receiving packets from this computer.
the other open port (2222) is associated with a website administration program, or with who knows what else.
nmap also claims with some confidence that the computer is a pocket PC running some version of windows XP.
still, i have no idea why this computer is reflecting messages through my computer. and i still haven't figured out why there's always an explicit connection through skype with another computer - other than jingping, this is the only skype connection at the moment, so it is *the other* connection. now i'll see if it shows up again...
it's another address in boston, using skype. it's also a comcast address, and the first 16 bits are the same as my address. the prefix of the server above it says 'needham'. i guess it's strange that it's such a similar location to mine, and i suppose i could be looking into some sort of mirror that i don't understand, but i do think it's a real, other user, somewhere here in town.
nmap saw that its http ports (80 and 443) were open, and decided that they were being used by the Skype service. i can also see that port 2265 is open, the same port from which i'm receiving packets from this computer.
the other open port (2222) is associated with a website administration program, or with who knows what else.
nmap also claims with some confidence that the computer is a pocket PC running some version of windows XP.
still, i have no idea why this computer is reflecting messages through my computer. and i still haven't figured out why there's always an explicit connection through skype with another computer - other than jingping, this is the only skype connection at the moment, so it is *the other* connection. now i'll see if it shows up again...
Saturday, April 24, 2010
nmap 1
got a program called nmap, using the windows gui.
i can't really get a port scan to work on another computer. i tried to get jingping to turn off her firewall, but she said it was already off - i guess norton does its own firewall.
still, nmap has other neat functions. you can get it to do traceroute for you, along with other things, and it will hold on to all the data for you. as you do this, it creates a graphic plot of all the addresses you've been querying. if you're doing tracerouts, it plots ip paths, which is fantastic. here's what i did:
still working off the mysteries of Skype, i ran the network monitor for a few minutes, and got a list of those UDP conversations through port 34368. most of these just consist of my computer sending out a single datagram to some other address, with which i may or may not be also involved in a TCP session. a few ms later, i get a UDP back from the target. there were about 15 of these over a 5 minute period. i plugged them all into the nmap and tracerouted them (had to do this one by one, i'm going to have to get a little more sophisticated), and got back a neat plot showing how all these connections are related to me. these other IP addresses were all over the world, China, NZ, Japan, Russia, France, all over. maybe those are the supernodes, and i'm just registering with them by sending a datagram?
the plot is interesting in itself:
you can't read them but the ip address of every node along the route is listed. the maps are dynamic; you can highlight a node and all its children (those further down the route away from the center), change the center node, rotate, etc.
like i said, most of those UDP exchanges were just 2 packets, one out and one response. there were two other things that happened. one was, I sent 2 UDP packets and got back 1 RTP packet, which i think is actually a UDP packet carrying audio/video information. there wasn't anything else associated with that address, though, so i can't guess what that was about.
the other interesting thing was an instance where i sent 3 UDP packets to a certain address, with no response. i actually guessed the reason: they were being sent to jingping's laptop on campus, on the UofL wireless network, where it hasn't actually been connnected since early friday evening: i sent those UDP packets after midnight, more than 7 hours after she had disconnected.
why did this happen? one thing is, i may have left Skype running on the computer in my office, and during the day that was a connection to her laptop on the campus wireless network. or, i may have turned it off - sometimes i forget, usually i don't, but i don't usually remember if i remembered, only if i forgot (strange how that works). at any rate, for some reason, my computer, being connected with my Skype account, thought to check to see if that UofL address was still on, despite the fact that the account it had been associated with was now associated with another IP address. this doesn't make a lot of sense to me. some sort of cleanup work on Skype's part?
mysteries, mysteries.
i can't really get a port scan to work on another computer. i tried to get jingping to turn off her firewall, but she said it was already off - i guess norton does its own firewall.
still, nmap has other neat functions. you can get it to do traceroute for you, along with other things, and it will hold on to all the data for you. as you do this, it creates a graphic plot of all the addresses you've been querying. if you're doing tracerouts, it plots ip paths, which is fantastic. here's what i did:
still working off the mysteries of Skype, i ran the network monitor for a few minutes, and got a list of those UDP conversations through port 34368. most of these just consist of my computer sending out a single datagram to some other address, with which i may or may not be also involved in a TCP session. a few ms later, i get a UDP back from the target. there were about 15 of these over a 5 minute period. i plugged them all into the nmap and tracerouted them (had to do this one by one, i'm going to have to get a little more sophisticated), and got back a neat plot showing how all these connections are related to me. these other IP addresses were all over the world, China, NZ, Japan, Russia, France, all over. maybe those are the supernodes, and i'm just registering with them by sending a datagram?
the plot is interesting in itself:
you can't read them but the ip address of every node along the route is listed. the maps are dynamic; you can highlight a node and all its children (those further down the route away from the center), change the center node, rotate, etc.
like i said, most of those UDP exchanges were just 2 packets, one out and one response. there were two other things that happened. one was, I sent 2 UDP packets and got back 1 RTP packet, which i think is actually a UDP packet carrying audio/video information. there wasn't anything else associated with that address, though, so i can't guess what that was about.
the other interesting thing was an instance where i sent 3 UDP packets to a certain address, with no response. i actually guessed the reason: they were being sent to jingping's laptop on campus, on the UofL wireless network, where it hasn't actually been connnected since early friday evening: i sent those UDP packets after midnight, more than 7 hours after she had disconnected.
why did this happen? one thing is, i may have left Skype running on the computer in my office, and during the day that was a connection to her laptop on the campus wireless network. or, i may have turned it off - sometimes i forget, usually i don't, but i don't usually remember if i remembered, only if i forgot (strange how that works). at any rate, for some reason, my computer, being connected with my Skype account, thought to check to see if that UofL address was still on, despite the fact that the account it had been associated with was now associated with another IP address. this doesn't make a lot of sense to me. some sort of cleanup work on Skype's part?
mysteries, mysteries.
Thursday, April 22, 2010
http://nil.isi.edu/
oh, this is neat!
i saw an ICMP 'echo request' packet! i was in an IRC channel at the time, for the first time in like 10 years, so i thought maybe it was somebody there. but the request actually had a working URL attached, which is in the title of this post (http://nil.isi.edu/). it really was a ping, an automated, scientific ping!
internet is very, very interesting.
i saw an ICMP 'echo request' packet! i was in an IRC channel at the time, for the first time in like 10 years, so i thought maybe it was somebody there. but the request actually had a working URL attached, which is in the title of this post (http://nil.isi.edu/). it really was a ping, an automated, scientific ping!
internet is very, very interesting.
Subscribe to:
Posts (Atom)