
NSA Mimics Google to Monitor "Target" Web Users




green73
09-12-2013, 05:58 PM
Buried in a Brazilian television report on Sunday was the disclosure that the NSA has impersonated Google and possibly other major internet sites in order to intercept, store, and read supposedly secure online communications. The spy agency accomplishes this using what's known as a "man-in-the-middle (MITM) attack," a fairly well-known exploit used by elite hackers. This revelation adds to the growing list of ways that the NSA is believed to snoop on ostensibly private online conversations.

In what appears to be a slide taken from an NSA presentation that also contains some GCHQ slides, the agency describes "how the attack was done" on "target" Google users. According to the document, NSA employees log into an internet router—most likely one used by an internet service provider or a backbone network. (It's not clear whether this was done with the permission or knowledge of the router's owner.) Once logged in, the NSA redirects the "target traffic" to an "MITM," a site that acts as a stealthy intermediary, harvesting communications before forwarding them to their intended destination.

cont
http://www.motherjones.com/politics/2013/09/flying-pig-nsa-impersonates-google

torchbearer
09-12-2013, 06:05 PM
hmmmmmmmmmmmmm, weird things have been happening with my online services that keep track of my location for security.
they thought my computer was in Arkansas today.
i checked for viruses on my computer, ran combofix anyway.
i can't really scan my router... but i doubt it's infected.
something happened.

torchbearer
09-12-2013, 06:07 PM
about to install neotrace. time to figure out who the man in the middle is...

green73
09-12-2013, 06:13 PM
hmmmmmmmmmmmmm, weird things have been happening with my online services that keep track of my location for security.
they thought my computer was in Arkansas today.
i checked for viruses on my computer, ran combofix anyway.
i can't really scan my router... but i doubt it's infected.
something happened.

For the last two months or so I've had certain tabs refreshing. It started with Daily Paul tabs. I thought Nystrom was up to something to increase his stats. But then it began happening with the Ron Paul site I run. And then Wenzel's blog. And then RPF tabs! I've almost started a thread several times here about what is happening. Last week it was so bad that they'd be refreshing every minute. The content would not be refreshing but the scripts would be. And usually it was the Google scripts. After roughly two months, it stopped two days ago. Don't know wtf that was all about.

torchbearer
09-12-2013, 06:21 PM
my man in the middle is located at 10.238.64.1 and actually captures my packets prior to my ISP.
which is weird, that seems like a local addressing scheme, but not mine.


NeoTrace Trace Version 3.25 Results
Target: www.msn.com
Date: 9/12/2013 (Thursday), 7:23:09 PM
Nodes: 11


Node Data
Node Net Reg IP Address Location Node Name
3 1 - 10.238.64.1 Unknown


Packet Data
Node High Low Avg Tot Lost
3 9 9 9 1 0


Network Data
Network id#: 1


ARIN WHOIS data and services are subject to the Terms of Use
available at: https://www.arin.net/whois_tou.html




Query terms are ambiguous. The query is assumed to be:
n 10.238.64.1

Use ? to get help.



The following results may also be obtained via:
http://whois.arin.net/rest/nets;q=10.238.64.1?showDetails=true&showARIN=false&ext=netref2


NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
OriginAS:
NetName: PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
Comment: These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices. They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.

Comment:

Comment: These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry. The traffic from these addresses does not come from ICANN or IANA. We are not the source of activity you may see on logs or in e-mail records. Please refer to http://www.iana.org/abuse/answers

Comment:

Comment: These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Best Current Practice document, RFC 1918 which can be found at:

Comment: http://datatracker.ietf.org/doc/rfc1918
RegDate:
Updated: 2013-08-30
Ref: http://whois.arin.net/rest/net/NET-10-0-0-0-1

OrgName: Internet Assigned Numbers Authority
OrgId: IANA
Address: 12025 Waterfront Drive

Address: Suite 300
City: Los Angeles
StateProv: CA
PostalCode: 90292
Country: US
RegDate:
Updated: 2012-08-31
Ref: http://whois.arin.net/rest/org/IANA

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org
OrgAbuseRef: http://whois.arin.net/rest/poc/IANA-IP-ARIN

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org
OrgTechRef: http://whois.arin.net/rest/poc/IANA-IP-ARIN

torchbearer
09-12-2013, 06:27 PM
For the last two months or so I've had certain tabs refreshing. It started with Daily Paul tabs. I thought Nystrom was up to something to increase his stats. But then it began happening with the Ron Paul site I run. And then Wenzel's blog. And then RPF tabs! I've almost started a thread several times here about what is happening. Last week it was so bad that they'd be refreshing every minute. The content would not be refreshing but the scripts would be. And usually it was the Google scripts. After roughly two months, it stopped two days ago. Don't know wtf that was all about.

I have high security on my steam account.
today, it alerted me that the computer i was logging into was in hot springs, ark. (which it is not)
steam had been fine. now its security has alerted me to a change in my network appearance to its server.

Philhelm
09-12-2013, 06:43 PM
I wonder if this could be exploited in order to get free Internet service?

Bomb!
Terrorist!
9/11!

Liberty Rebellion
09-12-2013, 06:52 PM
my man in the middle is located at 10.238.64.1 and actually captures my packets prior to my ISP.
which is weird, that seems like a local addressing scheme, but not mine.

It's most likely the gateway for your modem. If you're directly connected from your pc/laptop it would be the first hop, if you're using a router it would be the second.

CPUd
09-12-2013, 07:30 PM
what port/protocol is it using?

green73
09-12-2013, 07:30 PM
bump

CPUd
09-12-2013, 07:40 PM
You can set up wireshark to capture on the WAN side of your router, and you can see some of your ISP's equipment. I've seen some routing protocols operating in that IP range- usually for load-balancing.

presence
09-12-2013, 08:24 PM
https://www.youtube.com/watch?v=wuk8AOjGURE


google search hashtag:

#goodmorningvietnamfuckyounsa



https://www.youtube.com/watch?v=4jk-Ngm5kKQ

idiom
09-12-2013, 08:32 PM
If they can MITM Google, they can MITM anyone.

Get the hell away from public security certificates. Even then you will have to defend private certificates against the worlds largest collection of zero-days.

torchbearer
09-12-2013, 08:51 PM
It's most likely the gateway for your modem. If you're directly connected from your pc/laptop it would be the first hop, if you're using a router it would be the second.

hmmm, well, i can log into my modem at 192.168.100.1
it's a passthrough, that should be the address on the ping.

torchbearer
09-12-2013, 08:52 PM
what port/protocol is it using?

i don't know. i hit it with udp ping through neotrace.

Barrex
09-13-2013, 03:42 AM
For the last two months or so I've had certain tabs refreshing. It started with Daily Paul tabs. I thought Nystrom was up to something to increase his stats. But then it began happening with the Ron Paul site I run. And then Wenzel's blog. And then RPF tabs! I've almost started a thread several times here about what is happening. Last week it was so bad that they'd be refreshing every minute. The content would not be refreshing but the scripts would be. And usually it was the Google scripts. After roughly two months, it stopped two days ago. Don't know wtf that was all about.

It was happening to me too.

GunnyFreedom
09-13-2013, 04:13 AM
my man in the middle is located at 10.238.64.1 and actually captures my packets prior to my ISP.
which is weird, that seems like a local addressing scheme, but not mine.

10.anything is usually a local WAN router, depending on setup. I have two routers from my laptop (I use my own WiFi device instead of my ISP's DSL router) and my first hop is 192... and my second hop is 10...

I traced to several destination IPs and they were fine, but when I traced to MSN.com I got a spurious 10... IP that borked my hops.

My traces to MSN are all kinds of borked, maybe try a different destination IP and see what happens?


traceroute to gmail.com (173.194.43.54), 64 hops max, 72 byte packets
1 192.168.1.1 (192.168.1.1) 1.477 ms 1.101 ms 1.952 ms
2 10.0.0.1 (10.0.0.1) 2.030 ms 2.395 ms 1.319 ms
3 nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip) 10.218 ms 10.210 ms 10.101 ms
4 rbncrcmt11 (69.69.52.209) 12.141 ms 17.364 ms 12.411 ms
5 206-51-88-118.centurylink.net (206.51.88.118) 72.252 ms 9.532 ms 9.741 ms
6 bb-asbnvacy-jx9-02-ae3.0.core.centurytel.net (208.110.248.170) 18.320 ms 36.245 ms 66.812 ms
7 bb-asbnvacy-jx9-01-ae0.0.core.centurytel.net (208.110.248.117) 17.125 ms 18.153 ms 18.035 ms
8 72.14.219.254 (72.14.219.254) 17.470 ms 19.612 ms 19.639 ms
9 216.239.46.250 (216.239.46.250) 17.954 ms 22.945 ms 19.460 ms
10 72.14.236.146 (72.14.236.146) 18.996 ms 19.285 ms 19.331 ms
11 72.14.239.92 (72.14.239.92) 32.576 ms 29.576 ms 24.404 ms
12 209.85.252.251 (209.85.252.251) 24.927 ms 27.727 ms 23.830 ms
13 72.14.237.254 (72.14.237.254) 23.310 ms 23.267 ms 25.692 ms
14 lga15s35-in-f22.1e100.net (173.194.43.54) 23.972 ms 23.587 ms 23.965 ms


traceroute to ronpaulforums.com (67.225.158.173), 64 hops max, 72 byte packets
1 192.168.1.1 (192.168.1.1) 4.331 ms 1.209 ms 0.991 ms
2 10.0.0.1 (10.0.0.1) 1.726 ms 1.458 ms 1.846 ms
3 nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip) 9.869 ms 9.637 ms 9.350 ms
4 nc-184-3-159-221.sta.embarqhsd.net (184.3.159.221) 11.449 ms 19.676 ms 15.130 ms
5 206-51-88-116.centurylink.net (206.51.88.116) 9.645 ms 10.637 ms 10.994 ms
6 bb-rcmtncxa-jx9-02-ae0.core.centurytel.net (208.110.248.66) 13.261 ms 17.894 ms 10.042 ms
7 bb-asbnvacy-jx9-02-ae3.0.core.centurytel.net (208.110.248.170) 18.461 ms 17.573 ms 17.876 ms
8 bb-asbnvacy-jx9-01-ae0.0.core.centurytel.net (208.110.248.117) 18.370 ms 17.357 ms 17.067 ms
9 dcx2-edge-01.inet.qwest.net (65.113.64.197) 16.673 ms 42.643 ms 17.279 ms
10 65.120.84.66 (65.120.84.66) 19.397 ms 17.731 ms 18.043 ms
11 he-2-8-0-0-cr01.ashburn.va.ibone.comcast.net (68.86.83.77) 20.006 ms
he-2-6-0-0-cr01.ashburn.va.ibone.comcast.net (68.86.83.73) 17.921 ms
he-2-5-0-0-cr01.ashburn.va.ibone.comcast.net (68.86.83.69) 20.743 ms
12 he-0-13-0-0-cr01.newyork.ny.ibone.comcast.net (68.86.85.98) 24.804 ms 24.128 ms 28.804 ms
13 he-0-6-0-0-cr01.350ecermak.il.ibone.comcast.net (68.86.88.154) 40.560 ms 42.328 ms 41.785 ms
14 be-12-pe03.350ecermak.il.ibone.comcast.net (68.86.84.190) 39.626 ms 40.230 ms 39.272 ms
15 66.208.216.86 (66.208.216.86) 38.704 ms 41.646 ms *
16 lw-border5-te1-4.rtr.liquidweb.com (209.59.157.214) 68.471 ms 39.515 ms 39.175 ms
17 lw-dc2-core3-te9-1.rtr.liquidweb.com (209.59.157.224) 49.702 ms 49.808 ms 49.102 ms
18 lw-dc2-sec2-dist4-po1.rtr.liquidweb.com (209.59.157.234) 49.519 ms 83.067 ms 49.760 ms
19 67.225.158.173 (67.225.158.173) 50.805 ms 49.734 ms 52.041 ms


traceroute to facebook.com (173.252.110.27), 64 hops max, 72 byte packets
1 192.168.1.1 (192.168.1.1) 1.429 ms 1.036 ms 0.940 ms
2 10.0.0.1 (10.0.0.1) 1.558 ms 1.420 ms 1.338 ms
3 nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip) 11.041 ms 12.851 ms 10.019 ms
4 nc-69-34-121-201.sta.embarqhsd.net (69.34.121.201) 10.391 ms 12.562 ms 10.214 ms
5 206-51-88-116.centurylink.net (206.51.88.116) 10.945 ms 9.702 ms 10.305 ms
6 bb-rcmtncxa-jx9-02-ae0.core.centurytel.net (208.110.248.66) 40.395 ms 11.263 ms 10.626 ms
7 bb-asbnvacy-jx9-02-ae3.0.core.centurytel.net (208.110.248.170) 17.207 ms 17.709 ms 17.963 ms
8 bb-asbnvacy-jx9-01-ae0.0.core.centurytel.net (208.110.248.117) 18.251 ms 25.025 ms 17.982 ms
9 bb-nycmny83-jx9-01-ae1.0.core.centurytel.net (208.110.248.97) 24.830 ms 27.705 ms 24.348 ms
10 bb-nycmny83-jx9-02-ae0-0.core.centurytel.net (208.110.248.114) 27.119 ms 23.742 ms 24.277 ms
11 bb-chcgilwu-jx9-02-ae4-0.core.centurytel.net (208.110.248.69) 49.112 ms 54.715 ms 46.712 ms
12 bb-chcgildt-jx9-01-ae1.0.core.centurytel.net (208.110.248.14) 47.236 ms 45.939 ms 46.342 ms
13 equinix.br01.ord1.tfbnw.net (206.223.119.115) 42.080 ms 41.151 ms 40.502 ms
14 ae1.bb01.ord1.tfbnw.net (31.13.29.0) 41.021 ms 41.999 ms 41.394 ms
15 ae11.bb01.atl1.tfbnw.net (31.13.27.148) 54.159 ms 48.980 ms 48.812 ms
16 ae16.bb02.frc1.tfbnw.net (31.13.27.112) 57.263 ms 56.372 ms 57.744 ms
17 ae2.dr03.frc1.tfbnw.net (31.13.27.78) 51.329 ms 50.685 ms 50.857 ms
18 * * *
19 * * *
20 edge-star-shv-13-frc1.facebook.com (173.252.110.27) 53.190 ms 50.765 ms 50.830 ms


traceroute to msn.com (65.55.206.228), 64 hops max, 72 byte packets
1 192.168.1.1 (192.168.1.1) 1.406 ms 0.973 ms 2.053 ms
2 10.0.0.1 (10.0.0.1) 1.747 ms 1.774 ms 1.362 ms
3 nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip) 10.521 ms 9.811 ms 9.553 ms
4 nc-69-34-121-201.sta.embarqhsd.net (69.34.121.201) 10.290 ms 9.964 ms 11.098 ms
5 206-51-88-116.centurylink.net (206.51.88.116) 9.642 ms 14.042 ms 10.425 ms
6 bb-rcmtncxa-jx9-02-ae0.core.centurytel.net (208.110.248.66) 10.287 ms 10.124 ms 10.488 ms
7 bb-asbnvacy-jx9-02-ae3.0.core.centurytel.net (208.110.248.170) 19.741 ms 20.600 ms 17.852 ms
8 bb-asbnvacy-jx9-01-ae0.0.core.centurytel.net (208.110.248.117) 17.977 ms 17.445 ms 17.988 ms
9 * * *
10 xe-0-1-1-0.blu-96c-1a.ntwk.msn.net (207.46.43.37) 23.469 ms 25.304 ms 23.336 ms
11 ten8-2.blu-76c-1b.ntwk.msn.net (207.46.47.153) 22.007 ms 19.742 ms 20.224 ms
12 10.22.96.86 (10.22.96.86) 24.513 ms 21.730 ms 20.223 ms
13 * * *
14 * * *
15 * * *
16 * * * (ad nauseam, killed the trace at line 28)


traceroute to us.co1.cb3.glbdns.microsoft.com (131.253.13.21), 64 hops max, 72 byte packets
1 192.168.1.1 (192.168.1.1) 1.647 ms 1.015 ms 0.748 ms
2 10.0.0.1 (10.0.0.1) 4.757 ms 1.622 ms 1.243 ms
3 nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip) 9.919 ms 17.672 ms 9.823 ms
4 nc-65-40-111-233.sta.embarqhsd.net (65.40.111.233) 10.914 ms 10.680 ms 10.100 ms
5 206-51-88-116.centurylink.net (206.51.88.116) 10.767 ms 10.239 ms 10.341 ms
6 bb-rcmtncxa-jx9-02-ae0.core.centurytel.net (208.110.248.66) 11.479 ms 10.308 ms 10.347 ms
7 bb-asbnvacy-jx9-02-ae3.0.core.centurytel.net (208.110.248.170) 20.377 ms 17.765 ms 17.785 ms
8 bb-asbnvacy-jx9-01-ae0.0.core.centurytel.net (208.110.248.117) 17.548 ms 17.335 ms 17.134 ms
9 8057.microsoft.com (206.126.236.17) 21.266 ms 20.234 ms 18.780 ms
10 * ge-0-3-0-59.sjc-64cb-1b.ntwk.msn.net (207.46.47.253) 21.836 ms *
11 207.46.40.43 (207.46.40.43) 35.667 ms 41.261 ms 24.852 ms
12 xe-1-0-0-0.bn1-96c-1a.ntwk.msn.net (207.46.42.218) 37.787 ms 57.482 ms 25.269 ms
13 * * *
14 * * *
15 * * *
16 * * * (ad nauseam, killed the trace at line 20)


My traces to M$ drop into a black hole around hop 12 and never come back. Maybe Bill Gates knows I don't like him...

Liberty Rebellion
09-13-2013, 07:53 AM
hmmm, well, i can log into my modem at 192.168.100.1
it's a passthrough, that should be the address on the ping.

At the ISP cable company I work for, that is the internal modem IP, but the side facing the CMTS (the router your modem talks to) is a 10. address, so the first hop off your router will be a 10. address.

Also, a 10. address further upstream really isn't suspicious. In the trace Gunny provided you can see his trace is already on MSN's network and then it hits a 10. address. Nothing abnormal about that, just as hitting a 10. address or other RFC 1918 space on your ISP isn't abnormal either.
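An added example (not from any poster in this thread) that applies this reasoning to the traceroute listings posted above: it parses traceroute output, including the continuation lines traceroute prints when probes for one TTL are answered by different routers, labels each RFC 1918 hop by where it sits in the path, and checks whether the trace actually ended at the address traceroute was aimed at. The two sample listings are constructed, abridged copies of the msn.com and ronpaulforums.com traces from this thread.

```python
import ipaddress
import re

# The three RFC 1918 private blocks, the address space the thread is discussing.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([^)]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")   # "12  host (ip)  24.5 ms ..."
PAREN_RE = re.compile(r"\(([^)]+)\)")       # responder address in parentheses

# Constructed sample: abridged copy of the msn.com trace posted above (hops 5-9 and 11 left out).
SAMPLE_MSN = """\
traceroute to msn.com (65.55.206.228), 64 hops max, 72 byte packets
 1  192.168.1.1 (192.168.1.1)  1.406 ms  0.973 ms  2.053 ms
 2  10.0.0.1 (10.0.0.1)  1.747 ms  1.774 ms  1.362 ms
 3  nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip)  10.521 ms  9.811 ms  9.553 ms
 4  nc-69-34-121-201.sta.embarqhsd.net (69.34.121.201)  10.290 ms  9.964 ms  11.098 ms
10  xe-0-1-1-0.blu-96c-1a.ntwk.msn.net (207.46.43.37)  23.469 ms  25.304 ms  23.336 ms
12  10.22.96.86 (10.22.96.86)  24.513 ms  21.730 ms  20.223 ms
13  * * *
"""

# Constructed sample: abridged ronpaulforums.com trace, keeping the hop whose probes
# were answered by three different routers (traceroute prints continuation lines).
SAMPLE_RPF = """\
traceroute to ronpaulforums.com (67.225.158.173), 64 hops max, 72 byte packets
 1  192.168.1.1 (192.168.1.1)  4.331 ms  1.209 ms  0.991 ms
11  he-2-8-0-0-cr01.ashburn.va.ibone.comcast.net (68.86.83.77)  20.006 ms
    he-2-6-0-0-cr01.ashburn.va.ibone.comcast.net (68.86.83.73)  17.921 ms
    he-2-5-0-0-cr01.ashburn.va.ibone.comcast.net (68.86.83.69)  20.743 ms
19  67.225.158.173 (67.225.158.173)  50.805 ms  49.734 ms  52.041 ms
"""

def is_rfc1918(addr):
    """True for an IPv4 address inside one of the RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)

def parse_traceroute(text):
    """Return (destination_ip, hops); each hop is {'hop', 'addrs', 'timeout'}."""
    dest_ip, hops = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            dest_ip = m.group(2)
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "addrs": [], "timeout": False})
            body = m.group(2)
        elif hops:
            body = line   # no hop number: another responder for the previous hop
        else:
            continue
        addrs = PAREN_RE.findall(body)
        if addrs:
            hops[-1]["addrs"].extend(addrs)
        elif body.strip().startswith("*"):
            hops[-1]["timeout"] = True
    return dest_ip, hops

def classify(hops):
    """Label each responder (hop, address, label). A private address seen before any
    public hop is the local/ISP access gateway; one seen after a public hop is the
    internal addressing of whatever network the trace is crossing at that point."""
    seen_public, report = False, []
    for h in hops:
        if not h["addrs"]:
            report.append((h["hop"], None, "no response"))
            continue
        for a in h["addrs"]:
            if is_rfc1918(a):
                label = ("private: internal to an upstream network" if seen_public
                         else "private: local or ISP access gateway")
            else:
                try:
                    ipaddress.ip_address(a)
                    label, seen_public = "public", True
                except ValueError:
                    label = "unresolved: not an IP address"
            report.append((h["hop"], a, label))
    return report

def reached_destination(dest_ip, hops):
    """True when the last responder is the address traceroute was aimed at."""
    responders = [a for h in hops for a in h["addrs"]]
    return bool(responders) and responders[-1] == dest_ip
```

The position labels only say what a private hop most plausibly is; the check that tells you anything about interception is the last one, whether the trace ends at the destination it resolved, and a trace that dies in `* * *` answers neither question.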

torchbearer
09-13-2013, 12:06 PM
10.anything is usually a local WAN router, depending on setup. I have two routers from my laptop (I use my own WiFi device instead of my ISP's DSL router) and my first hop is 192... and my second hop is 10...

I traced to several destination IPs and they were fine, but when I traced to MSN.com I got a spurious 10... IP that borked my hops.

My traces to MSN are all kinds of borked, maybe try a different destination IP and see what happens?


traceroute to gmail.com (173.194.43.54), 64 hops max, 72 byte packets
1 192.168.1.1 (192.168.1.1) 1.477 ms 1.101 ms 1.952 ms
2 10.0.0.1 (10.0.0.1) 2.030 ms 2.395 ms 1.319 ms
3 nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip) 10.218 ms 10.210 ms 10.101 ms
4 rbncrcmt11 (69.69.52.209) 12.141 ms 17.364 ms 12.411 ms
5 206-51-88-118.centurylink.net (206.51.88.118) 72.252 ms 9.532 ms 9.741 ms
6 bb-asbnvacy-jx9-02-ae3.0.core.centurytel.net (208.110.248.170) 18.320 ms 36.245 ms 66.812 ms
7 bb-asbnvacy-jx9-01-ae0.0.core.centurytel.net (208.110.248.117) 17.125 ms 18.153 ms 18.035 ms
8 72.14.219.254 (72.14.219.254) 17.470 ms 19.612 ms 19.639 ms
9 216.239.46.250 (216.239.46.250) 17.954 ms 22.945 ms 19.460 ms
10 72.14.236.146 (72.14.236.146) 18.996 ms 19.285 ms 19.331 ms
11 72.14.239.92 (72.14.239.92) 32.576 ms 29.576 ms 24.404 ms
12 209.85.252.251 (209.85.252.251) 24.927 ms 27.727 ms 23.830 ms
13 72.14.237.254 (72.14.237.254) 23.310 ms 23.267 ms 25.692 ms
14 lga15s35-in-f22.1e100.net (173.194.43.54) 23.972 ms 23.587 ms 23.965 ms


traceroute to ronpaulforums.com (67.225.158.173), 64 hops max, 72 byte packets
1 192.168.1.1 (192.168.1.1) 4.331 ms 1.209 ms 0.991 ms
2 10.0.0.1 (10.0.0.1) 1.726 ms 1.458 ms 1.846 ms
3 nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip) 9.869 ms 9.637 ms 9.350 ms
4 nc-184-3-159-221.sta.embarqhsd.net (184.3.159.221) 11.449 ms 19.676 ms 15.130 ms
5 206-51-88-116.centurylink.net (206.51.88.116) 9.645 ms 10.637 ms 10.994 ms
6 bb-rcmtncxa-jx9-02-ae0.core.centurytel.net (208.110.248.66) 13.261 ms 17.894 ms 10.042 ms
7 bb-asbnvacy-jx9-02-ae3.0.core.centurytel.net (208.110.248.170) 18.461 ms 17.573 ms 17.876 ms
8 bb-asbnvacy-jx9-01-ae0.0.core.centurytel.net (208.110.248.117) 18.370 ms 17.357 ms 17.067 ms
9 dcx2-edge-01.inet.qwest.net (65.113.64.197) 16.673 ms 42.643 ms 17.279 ms
10 65.120.84.66 (65.120.84.66) 19.397 ms 17.731 ms 18.043 ms
11 he-2-8-0-0-cr01.ashburn.va.ibone.comcast.net (68.86.83.77) 20.006 ms
he-2-6-0-0-cr01.ashburn.va.ibone.comcast.net (68.86.83.73) 17.921 ms
he-2-5-0-0-cr01.ashburn.va.ibone.comcast.net (68.86.83.69) 20.743 ms
12 he-0-13-0-0-cr01.newyork.ny.ibone.comcast.net (68.86.85.98) 24.804 ms 24.128 ms 28.804 ms
13 he-0-6-0-0-cr01.350ecermak.il.ibone.comcast.net (68.86.88.154) 40.560 ms 42.328 ms 41.785 ms
14 be-12-pe03.350ecermak.il.ibone.comcast.net (68.86.84.190) 39.626 ms 40.230 ms 39.272 ms
15 66.208.216.86 (66.208.216.86) 38.704 ms 41.646 ms *
16 lw-border5-te1-4.rtr.liquidweb.com (209.59.157.214) 68.471 ms 39.515 ms 39.175 ms
17 lw-dc2-core3-te9-1.rtr.liquidweb.com (209.59.157.224) 49.702 ms 49.808 ms 49.102 ms
18 lw-dc2-sec2-dist4-po1.rtr.liquidweb.com (209.59.157.234) 49.519 ms 83.067 ms 49.760 ms
19 67.225.158.173 (67.225.158.173) 50.805 ms 49.734 ms 52.041 ms


traceroute to facebook.com (173.252.110.27), 64 hops max, 72 byte packets
1 192.168.1.1 (192.168.1.1) 1.429 ms 1.036 ms 0.940 ms
2 10.0.0.1 (10.0.0.1) 1.558 ms 1.420 ms 1.338 ms
3 nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip) 11.041 ms 12.851 ms 10.019 ms
4 nc-69-34-121-201.sta.embarqhsd.net (69.34.121.201) 10.391 ms 12.562 ms 10.214 ms
5 206-51-88-116.centurylink.net (206.51.88.116) 10.945 ms 9.702 ms 10.305 ms
6 bb-rcmtncxa-jx9-02-ae0.core.centurytel.net (208.110.248.66) 40.395 ms 11.263 ms 10.626 ms
7 bb-asbnvacy-jx9-02-ae3.0.core.centurytel.net (208.110.248.170) 17.207 ms 17.709 ms 17.963 ms
8 bb-asbnvacy-jx9-01-ae0.0.core.centurytel.net (208.110.248.117) 18.251 ms 25.025 ms 17.982 ms
9 bb-nycmny83-jx9-01-ae1.0.core.centurytel.net (208.110.248.97) 24.830 ms 27.705 ms 24.348 ms
10 bb-nycmny83-jx9-02-ae0-0.core.centurytel.net (208.110.248.114) 27.119 ms 23.742 ms 24.277 ms
11 bb-chcgilwu-jx9-02-ae4-0.core.centurytel.net (208.110.248.69) 49.112 ms 54.715 ms 46.712 ms
12 bb-chcgildt-jx9-01-ae1.0.core.centurytel.net (208.110.248.14) 47.236 ms 45.939 ms 46.342 ms
13 equinix.br01.ord1.tfbnw.net (206.223.119.115) 42.080 ms 41.151 ms 40.502 ms
14 ae1.bb01.ord1.tfbnw.net (31.13.29.0) 41.021 ms 41.999 ms 41.394 ms
15 ae11.bb01.atl1.tfbnw.net (31.13.27.148) 54.159 ms 48.980 ms 48.812 ms
16 ae16.bb02.frc1.tfbnw.net (31.13.27.112) 57.263 ms 56.372 ms 57.744 ms
17 ae2.dr03.frc1.tfbnw.net (31.13.27.78) 51.329 ms 50.685 ms 50.857 ms
18 * * *
19 * * *
20 edge-star-shv-13-frc1.facebook.com (173.252.110.27) 53.190 ms 50.765 ms 50.830 ms


traceroute to msn.com (65.55.206.228), 64 hops max, 72 byte packets
1 192.168.1.1 (192.168.1.1) 1.406 ms 0.973 ms 2.053 ms
2 10.0.0.1 (10.0.0.1) 1.747 ms 1.774 ms 1.362 ms
3 nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip) 10.521 ms 9.811 ms 9.553 ms
4 nc-69-34-121-201.sta.embarqhsd.net (69.34.121.201) 10.290 ms 9.964 ms 11.098 ms
5 206-51-88-116.centurylink.net (206.51.88.116) 9.642 ms 14.042 ms 10.425 ms
6 bb-rcmtncxa-jx9-02-ae0.core.centurytel.net (208.110.248.66) 10.287 ms 10.124 ms 10.488 ms
7 bb-asbnvacy-jx9-02-ae3.0.core.centurytel.net (208.110.248.170) 19.741 ms 20.600 ms 17.852 ms
8 bb-asbnvacy-jx9-01-ae0.0.core.centurytel.net (208.110.248.117) 17.977 ms 17.445 ms 17.988 ms
9 * * *
10 xe-0-1-1-0.blu-96c-1a.ntwk.msn.net (207.46.43.37) 23.469 ms 25.304 ms 23.336 ms
11 ten8-2.blu-76c-1b.ntwk.msn.net (207.46.47.153) 22.007 ms 19.742 ms 20.224 ms
12 10.22.96.86 (10.22.96.86) 24.513 ms 21.730 ms 20.223 ms
13 * * *
14 * * *
15 * * *
16 * * * (ad nauseam, killed the trace at line 28)


traceroute to us.co1.cb3.glbdns.microsoft.com (131.253.13.21), 64 hops max, 72 byte packets
1 192.168.1.1 (192.168.1.1) 1.647 ms 1.015 ms 0.748 ms
2 10.0.0.1 (10.0.0.1) 4.757 ms 1.622 ms 1.243 ms
3 nc-munged-my-wan-ip.dhcp.embarqhsd.net (munged.my.wan.ip) 9.919 ms 17.672 ms 9.823 ms
4 nc-65-40-111-233.sta.embarqhsd.net (65.40.111.233) 10.914 ms 10.680 ms 10.100 ms
5 206-51-88-116.centurylink.net (206.51.88.116) 10.767 ms 10.239 ms 10.341 ms
6 bb-rcmtncxa-jx9-02-ae0.core.centurytel.net (208.110.248.66) 11.479 ms 10.308 ms 10.347 ms
7 bb-asbnvacy-jx9-02-ae3.0.core.centurytel.net (208.110.248.170) 20.377 ms 17.765 ms 17.785 ms
8 bb-asbnvacy-jx9-01-ae0.0.core.centurytel.net (208.110.248.117) 17.548 ms 17.335 ms 17.134 ms
9 8057.microsoft.com (206.126.236.17) 21.266 ms 20.234 ms 18.780 ms
10 * ge-0-3-0-59.sjc-64cb-1b.ntwk.msn.net (207.46.47.253) 21.836 ms *
11 207.46.40.43 (207.46.40.43) 35.667 ms 41.261 ms 24.852 ms
12 xe-1-0-0-0.bn1-96c-1a.ntwk.msn.net (207.46.42.218) 37.787 ms 57.482 ms 25.269 ms
13 * * *
14 * * *
15 * * *
16 * * * (ad nauseam, killed the trace at line 20)


My traces to M$ drop into a black hole around hop 12 and never come back. Maybe Bill Gates knows I don't like him...

i was testing MSN.com as well when i got the weird 10. address.

CPUd
09-13-2013, 04:19 PM
Any IP that starts with a 10 is private use, meaning there could be multiple devices with the same IP. Similar to how almost all consumer-grade routers have 192/8 addresses by default.

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

Since it is the first hop, you can probably see it (passively) in wireshark- the easiest way is to run it on the interface that is connected directly to the modem. There aren't many cable modems that have more than 1 ethernet port though, and unless you buy your own, you can't run custom firmware on them. If it has its own wifi router, you could run it from a laptop or something.

If you are using your own NAT router connected to the modem, it would be the WAN port. I flashed OpenWRT on mine, which let me run tshark (a command line version of wireshark), and mounted a network drive to save the packet dumps.

You could do it with a PC, too. Have 2 network interfaces, and put it between the modem and the rest of your network. Run a bridge between the 2 interfaces, and set wireshark to listen to the bridge. Also, if you set up forwarding rules here, you have essentially a DIY hardware firewall.

torchbearer
09-13-2013, 04:58 PM
Any IP that starts with a 10 is private use, meaning there could be multiple devices with the same IP. Similar to how almost all consumer-grade routers have 192/8 addresses by default.

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

Since it is the first hop, you can probably see it (passively) in wireshark- the easiest way is to run it on the interface that is connected directly to the modem. There aren't many cable modems that have more than 1 ethernet port though, and unless you buy your own, you can't run custom firmware on them. If it has its own wifi router, you could run it from a laptop or something.

If you are using your own NAT router connected to the modem, it would be the WAN port. I flashed OpenWRT on mine, which let me run tshark (a command line version of wireshark), and mounted a network drive to save the packet dumps.

You could do it with a PC, too. Have 2 network interfaces, and put it between the modem and the rest of your network. Run a bridge between the 2 interfaces, and set wireshark to listen to the bridge. Also, if you set up forwarding rules here, you have essentially a DIY hardware firewall.

i'd have to be really motivated...
i have wireshark for pc, and really haven't fooled with it enough to know how to use it.

CPUd
09-13-2013, 05:22 PM
i'd have to be really motivated...
i have wireshark for pc, and really haven't fooled with it enough to know how to use it.

Learning how to use the filters is useful to get the most out of it:
http://wiki.wireshark.org/DisplayFilters

A busy network will make the dumpfile almost too large to work with if you don't filter; particularly with ARP packets.

torchbearer
09-13-2013, 05:33 PM
Learning how to use the filters is useful to get the most out of it:
http://wiki.wireshark.org/DisplayFilters

A busy network will make the dumpfile almost too large to work with if you don't filter; particularly with ARP packets.

using filters, you could capture a streaming video with the dump file?

CPUd
09-13-2013, 05:38 PM
using filters, you could capture a streaming video with the dump file?

Yes, as long as you could extract the data from the raw packets and put it together in the proper order. Depending on the type of stream, there are specialized tools for this. Like for RTMP streams:
http://rtmpdump.mplayerhq.hu/

If you've done any socket programming, you could probably work out how to do it with a particular format.

torchbearer
09-13-2013, 05:45 PM
Yes, as long as you could extract the data from the raw packets and put it together in the proper order. Depending on the type of stream, there are specialized tools for this. Like for RTMP streams:
http://rtmpdump.mplayerhq.hu/

If you've done any socket programming, you could probably work out how to do it with a particular format.

they call me "the brain" at work. i earned the title by being able to fix anything.
and socket programming is above my pay grade.
if socket programming is second nature to you, you should be making big bucks.

I live in louisiana. I'm one of the top networking guys in central louisiana, and compared to the big boys- i ain't shit.
I do have a knack for fixing machines and systems i've never seen before. That is how i get asked to fix specialty equipment for fusion centers and fema camp centers.

for reference, there are still some people in louisiana who think you can make a phone call on a rotary phone with a 4-digit number.

oh, and i had a fun time at my local narcotics office, today. fixing their equipment. saw they are on the inside of a recently re-opened local headshop. (that was busted/shut down for selling fake weed) apparently, the owner has decided to work with them to negate the kidnapping and cage. I have spread the word- they spy on us, i spy on them.
get this- the local narcs have moved their office into the federal building with the dea and fbi.
they are now co-op.
in leesville, their local police, sheriff's dept, and dhs fusion center are in the same building without division.
the local law works on behalf of the feds.
domestic army.
this probably is happening all over the country. my job puts me right in the middle of their bunkers.
I go through many layers of security for these places, but i know their layouts now.
(sorry for side track)

but just for the lulz,
the sonic wall to the leesville fusion center is default login.

satchelmcqueen
09-13-2013, 07:30 PM
same here. has happened quite a few times in the last 2 years.
hmmmmmmmmmmmmm, weird things have been happening with my online services that keep track of my location for security.
they thought my computer was in Arkansas today.
i checked for viruses on my computer, ran combofix anyway.
i can't really scan my router... but i doubt it's infected.
something happened.