chadmr-lew.com
Date: Mon Aug 22 2005 - 18:44:57 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  Let's try to clear this up a bit...

If you have a network mask of 255.255.255.0 (24 bits), then
the .0 address is your Network ID and can NOT be used as a
host address. The .255 address will be your broadcast
address and also can not be used as a host address. This
makes .1 thru .254 as valid host addresses.

192.168.1.0/24 - Network ID (All Host bits are 0)
192.168.1.1-254 - Host Addresses
192.168.1.255 - Broadcast Address (All Host bits are 1)

   You may see some responses from a Cisco router, not
actually a host address, but it may respond to some of the
ICMP probes. I am sure some other systems performing routing
functions may do the same in some circumstances, but in my
experience they do not answer up with SYN/ACK or RST/ACK for
port scans.

Now if you have a network mask of 255.255.254.0 (23 bits) or
anything less than 24 bits for that matter, a .0 can and IS
a valid host address.

In the example of 10.0.0.0/23 the Network ID would be the
first 23 bits, making it 10.0.0.0. The first available host
would have the 32nd bit turned on, making it 10.0.0.1. The
last available host would have bits 24 thru 31 turned on,
with the 32nd bit turned off making it 10.0.1.254. This
would include 10.0.1.0 as a VALID host address.

Where the confusion comes from is crossing the bit boundary.
You need to look at it in binary to see how it is just the
next host when going from 10.0.0.255 to 10.0.1.0. Hopefully
this diagram can help (and won't get butchered in
delivery) ;)

      1 1
      2 6 3 1 2 6 3 1
10.0. 8 4 2 6 8 4 2 | 1 . 8 4 2 6 8 4 2 1
----------------------------------------
   NETWORK PORTION | HOST PORTION
--.-. 0 0 0 0 0 0 0 | 0 . 0 0 0 0 0 0 0 0 Network ID
--.-. 0 0 0 0 0 0 0 | 0 . 0 0 0 0 0 0 0 1 1st Available
Host
--.-. 0 0 0 0 0 0 0 | 0 . 1 1 1 1 1 1 1 1 Valid Host
--.-. 0 0 0 0 0 0 0 | 1 . 0 0 0 0 0 0 0 0 Valid Host
--.-. 0 0 0 0 0 0 0 | 1 . 1 1 1 1 1 1 1 0 Last Available
Host
--.-. 0 0 0 0 0 0 0 | 1 . 1 1 1 1 1 1 1 1 Broadcast Address

Also, Classful addressing was not done away with by CIDR.
CIDR granted us the ability to better use and
identify/aggregate our networks. Classful addressing is
still used today in numerous places (RIPv1 for example), but
when possible classful addressing is normally preferred.

It was pointed out that RFC 3021 outlines the specific use
of a 31 bit mask, which would break this model if used. It
must be pointed out that the RFC outlines this use on point-
to-point links only. Considering that the system
was "reported" as having ports 68/tcp, 723/tcp and 6000/tcp
open, I would be inclined to rule against it being on a
point-to-point link.

68/tcp - ??? Could this be some TCP based BOOTP server...
723/tcp - OpenMosix File System (curious)
6000/tcp - Probably X Windows

I would try to gather some more O/S fingerprinting
information by generating more ICMP and TCP responses
(SYN/ACK and RST/ACK) with hping2 and then gather the
responses with a sniffer to try and use p0f to get a better
picture.

I would be curious to hear what the final findings are...

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]