Can anyone help me with Nmap output?

Please excuse me, this is my first question regarding network security and the first time I have been really interested in learning more.

I have noticed a host on my network with an IP I don't recognize. I can log into my router and list all connected devices, but the host with that IP will not show in the list. It shows in Nmap with a MAC similar to my router's, but with the last digit changed. The host shows all ports closed except port 80 in Ubuntu MATE (which is serving a blank HTML file).

In my Debian partition it shows the host again with Nmap, but shows that all its ports are closed, and when I type the IP in the browser, sure enough, the blank HTML file isn't being served. Is there something that is pretending to be my router like a MITMA but only able to open ports when I boot in Ubuntu?

What do I do now? At first I thought it was my router having a 2nd IP (because I have an 8-port switch connected to the LAN-4 port so I can connect my IP cameras), but I disconnected that switch and everything except the router and the PC I'm using.

Help please, I don't want my router hacked.

The culprit is always first in the list:

    Nmap scan report for 192.168.1.136  <---- this one
    Host is up (0.00071s latency).
    All 1000 scanned ports on 192.168.1.136 are closed
    MAC Address: xx:xx:xx:A6:CE:02 (Unknown)

    Nmap scan report for 192.168.1.254 <--- my router has always had this IP
    Host is up (0.00079s latency).
    Not shown: 996 closed ports
    PORT    STATE    SERVICE
    53/tcp  open     domain
    80/tcp  open     http
    111/tcp filtered rpcbind
    443/tcp open     https
    MAC Address: xx:xx:xx:A6:CE:00 (Unknown)

    Stats: 0:01:43 elapsed; 255 hosts completed (3 up), 1 undergoing SYN Stealth Scan
    SYN Stealth Scan Timing: About 1.00% done; ETC: 08:02 (0:00:00 remaining)
    Stats: 0:01:43 elapsed; 255 hosts completed (3 up), 1 undergoing SYN Stealth Scan
    SYN Stealth Scan Timing: About 2.00% done; ETC: 08:02 (0:00:00 remaining)
    Stats: 0:01:43 elapsed; 255 hosts completed (3 up), 1 undergoing SYN Stealth Scan
    SYN Stealth Scan Timing: About 3.00% done; ETC: 08:02 (0:00:00 remaining)
    Nmap scan report for starseed.attlocal.net (192.168.1.133)
    Host is up (0.000032s latency).
    Not shown: 996 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    80/tcp  open  http
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds

I tried arp-scan and here is the result:

    Interface: enp0s31f6, datalink type: EN10MB (Ethernet)
    Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
    192.168.1.136	xx:xx:xx:a6:ce:02	(Unknown)
    192.168.1.136	xx:xx:xx:a6:ce:02	(Unknown) (DUP: 2)
    192.168.1.254	xx:xx:xx:a6:ce:00	(Unknown)

    3 packets received by filter, 0 packets dropped by kernel
    Ending arp-scan 1.9.5: 256 hosts scanned in 2.380 seconds (107.56 hosts/sec). 3 responded

Curious as to why my PC doesn't show up (192.168.1.133).

So in the end I got paranoid and turned the WiFi off on the router and disconnected everything with sensitive data.

WWYD?

WWYD? I would get a bit paranoid too.

Your PC (192.168.1.133) shows up in the nmap scan, which is normal, but not in the arp-scan, which is also normal. The fact that your arp-scan output only shows (Unknown) with the device info is a bit weird. Do you have the package ieee-data installed? It should be a dependency of arp-scan, because ieee-data provides the data for arp-scan to show you the info on MAC addresses. It might just be your phone connected to your wifi. And did you run it with sudo?

And what happened after you shut down the wifi? Was the 192.168.1.136 still there?
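
The two observations in this thread (a repeated reply for one IP, and a MAC that matches the router's except for the last octet) can be pulled out of arp-scan output mechanically. The following is an added example, not part of the original posts; the function names and tag strings are hypothetical, and the sample input is the arp-scan listing from the question with the poster's `xx` redaction kept.

```python
import re
from collections import defaultdict

# arp-scan lines copied from the question above (vendor octets redacted as "xx" by the poster)
SAMPLE = """\
Interface: enp0s31f6, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.136\txx:xx:xx:a6:ce:02\t(Unknown)
192.168.1.136\txx:xx:xx:a6:ce:02\t(Unknown) (DUP: 2)
192.168.1.254\txx:xx:xx:a6:ce:00\t(Unknown)
"""

# Result row: IP, MAC (hex octets or redacted "xx"), then vendor text
ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fx]{2}:){5}[0-9a-fx]{2})\s*(.*)$", re.I)

def parse_arp_scan(text):
    """Return {ip: {"macs": set of MACs seen, "replies": reply count}}."""
    hosts = defaultdict(lambda: {"macs": set(), "replies": 0})
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner and summary lines are not result rows
        ip, mac, _vendor = m.groups()
        hosts[ip]["macs"].add(mac.lower())
        hosts[ip]["replies"] += 1
    return dict(hosts)

def triage(hosts, gateway_ip):
    """List facts to follow up on; this does not decide whether a host is hostile."""
    findings = []
    gw_macs = hosts.get(gateway_ip, {}).get("macs", set())
    gw_prefixes = {m.rsplit(":", 1)[0] for m in gw_macs}  # first five octets
    for ip, info in sorted(hosts.items()):
        if len(info["macs"]) > 1:
            findings.append((ip, "multiple-macs"))    # different MACs answered for one IP
        elif info["replies"] > 1:
            findings.append((ip, "duplicate-reply"))  # the same MAC answered more than once
        if ip != gateway_ip and any(
                m.rsplit(":", 1)[0] in gw_prefixes for m in info["macs"]):
            findings.append((ip, "shares-gateway-mac-prefix"))
    return findings

if __name__ == "__main__":
    for ip, tag in triage(parse_arp_scan(SAMPLE), "192.168.1.254"):
        print(ip, tag)
```

On the listing from the question, 192.168.1.136 gets both `duplicate-reply` and `shares-gateway-mac-prefix`; `multiple-macs` is the tag to watch for when two different devices answer for the same address.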