In my last article, I found that some unknown device has a group of interesting services, including what seems to be an emergency alert service running on port 80, RPC running on port 111, and ZeroMQ running on port 5555. Let's see if we can narrow down the devices a bit more.

My network is interesting in some ways — I live in an Adobe house, and Adobe is about as transparent to radio as lead. So, I have a bunch of additional access points scattered throughout the house. When I scan my 192.168.1.0/24 range, I'm able to see all the devices on my network as I've configured my access points to pass through authentication and DHCP to my primary router. My primary router doesn't seem to know everything that's running on that subnet though as it thinks I only have 11 devices attached. NMAP tells me otherwise — it's able to scan 15 hosts. Something to note here is that you might have more on your networks than you think if you're using extenders as I do. From looking at the device map, it seems that my primary router doesn't know what's running behind the various extenders (in some cases at least).

I also have multiple IP addresses associated with the same MAC address. In these cases, it seems that the IP addresses tied to the same MAC address are behind one of my extenders or access points:

# Nmap 7.70 scan initiated Sat Nov 17 08:51:45 2018 as: nmap -sn -oA probe 192.168.1.*
Nmap scan report for picklehead (192.168.1.1)
Host is up (0.0024s latency).
MAC Address: 48:F8:B3:E5:BA:04 (Cisco-Linksys)
Nmap scan report for hedwig (192.168.1.101)
Host is up (0.089s latency).
MAC Address: 24:A0:74:F2:F6:76 (Apple)
Nmap scan report for errol (192.168.1.103)
Host is up (0.089s latency).
MAC Address: B8:E8:56:38:7A:74 (Apple)
Nmap scan report for RE7000-02D (192.168.1.107)
Host is up (0.027s latency).
MAC Address: 26:F5:A2:08:D0:30 (Unknown)
Nmap scan report for RE7000-031 (192.168.1.112)
Host is up (0.0030s latency).
MAC Address: 24:F5:A2:38:D0:31 (Belkin International)
Nmap scan report for 192.168.1.116
Host is up (0.0054s latency).
MAC Address: 24:F5:A2:03:DF:A6 (Belkin International)
Nmap scan report for DIRECTV-HR54-7D402CBE (192.168.1.120)
Host is up (0.088s latency).
MAC Address: 26:F5:A2:08:D0:30 (Unknown)
Nmap scan report for ChloesIperatice (192.168.1.122)
Host is up (0.14s latency).
MAC Address: B8:17:C2:02:5D:DF (Apple)
Nmap scan report for 192.168.1.128
Host is up (0.075s latency).
MAC Address: 26:F5:A2:08:D0:30 (Unknown)
Nmap scan report for 192.168.1.131
Host is up (0.15s latency).
MAC Address: 26:F5:A2:08:D0:30 (Unknown)
Nmap scan report for ChloesIleDevice (192.168.1.135)
Host is up (0.14s latency).
MAC Address: 00:56:CD:39:E6:76 (Apple)
Nmap scan report for HPEC8EB5190708 (192.168.1.138)
Host is up (0.075s latency).
MAC Address: EC:8E:B5:19:07:08 (Hewlett Packard)
Nmap scan report for TSVE0affa3 (192.168.1.147)
Host is up (0.0035s latency).
MAC Address: B8:2C:A0:0A:FF:A3 (Honeywell HomMed)
Nmap scan report for durga (192.168.1.134)
Host is up.
# Nmap done at Sat Nov 17 08:51:51 2018 -- 256 IP addresses (14 hosts up) scanned in 5.14 seconds

You can see the common MAC address 26:F5:A2:08:D0:30 associated with a DirecTV device, two of the unidentified devices, and this RE7000-02D device. It just so happens that the RE7000 is a Linksys range extender, and it's the range extender that I'm using in the room where the TV, DirecTV box, and doorbell equipment is (I also have one of those nifty Ring video doorbells). At this point, it seems that two of the mystery devices are my doorbell (at .128) and my doorbell base station (at .131).

I'm still interested in the traffic between the two and from the base station out to various Ring servers, especially as my doorbell has a video camera. Let's start to dig into that next. Stay tuned!