UPDATE 10/4 6:47 EDT
I have been going through all the comments. THANKS!!! I did not know about the techniques listed, so they are extremely helpful. Sorry for the slow update. As I mentioned below, I got behind with this yesterday so work cut into my evening.
I ran a port scan. The first syntax, -p, brought no joy. The nmap software itself suggested changing to -Pn. That brought an interesting response:
nmap -Pn 1-9999 <Local IP Addr>
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-04 11:44 BST
Failed to resolve "1-9999".
Nmap scan report for <Local IP Address>
Host is up (0.070s latency).
All 1000 scanned ports on 192.168.0.46 are in ignored states.
Not shown: 990 filtered tcp ports (no-response), 10 filtered tcp ports (host-unreach)
Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds
Just to be absolutely sure, I turned off my work computer (the only Windows box on my network) and reran the same syntax with the same results.
As I read this, there is definitely something on my network running windows that is not showing up on the DHCP.
UPDATE 10/6
I am working through all these suggestions. I am sorry for the slow responses, but I have my hands full with a family weekend. I will post more tomorrow. But I did do one thing that has me scratching my head and wondering if this may be a wild goose chase.
I ran the nmap again per below with a completely fictional IP address within my normal range. It gave the exact same results:
nmap -A -T4 -p- -Pn <Fictional IP>
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-05 13:36 BST
Nmap scan report for <Fictional IP>
Host is up (0.054s latency).
All 65535 scanned ports on <Fictional IP> are in ignored states.
Not shown: 65525 filtered tcp ports (no-response), 10 filtered tcp ports (host-unreach)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 182.18 seconds
If you can, power stuff off and check if that web page is still available. Start with any Windows machines. It could be a virtual machine running inside of something else though.
Edit: here’s how to disable that web server https://superuser.com/a/1377078 . I’d do that on any Windows machines as well.
I shut off my only windows machine and it is still there.
I’d go around unplugging anything that might be connected to the network, like game consoles, smart TV, etc. It’s unlikely, but maybe something has copied that same screen to throw you off.
It is probably going to come to this.
The mac address can also tell you the hardware vendor.
The default home page for Microsoft IIS, the web server built into Windows Server (and probably some desktop builds too).
Home network or corporate?
It's a Windows server; if you are using Windows too, you can try establishing an RDP connection with Remote Desktop Connection.
It is a home network. Configured by someone who understands the basics, but is mostly following recipes rather than having deep knowledge.
Yeah and giving a potential attacker your account details while trying to log on?
Eyeballing the login screen may give some insight; you're right that it's probably unwise to try real creds if you don't recognize the server.
You’re looking at my worst nightmare 😅
I would download metasploit and dig up some interesting exploits to try against it.
How insanely small was the transfer? Like 1 bit?
9 packets
Depending on your router, it could have a docker setup with Windows on it. I’ve seen some strange shit on cheap routers with far too much processing power and storage.
I will probably have to shut all the devices off and put them back one by one. OMG that will take a long time.
Bro, you gotta keep us updated, I’m surprisingly invested in this now.
I lost my entire morning to this yesterday. I had to work late to catch up. There are some good ideas in here I’m starting on now.
Maybe try traceroute or lft (layer 4 traceroute) to see if something wacky is happening with routing in your LAN?
Windows 8 is starting to break out
lol!
If your IP address is the same as localhost and you are using Windows Pro, then IIS is probably installed on your device.
… So when you port scanned it, IIS was gone?
Get the MAC address from the ARP table, and look up the OIN, should help you determine if it’s virtual or physical, and if physical the type of NIC it’s using.
That gave nothing useful
Sorry, I meant the OUI (was going by memory). It's the part that you can look up that tells you what kind of device the MAC address belongs to.
Thanks!
Did this actually help?
The first few octets of the MAC address are unique to a manufacturer. This may at least help narrow which device it is. You can look it up at https://macaddress.io/
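An added example (not from this thread) of the ARP-table / OUI check suggested in the comments above: it parses ARP output in both Windows `arp -a` and Linux `ip neigh` layouts, then classifies each MAC by the locally-administered bit (set on most VM, container and randomized MACs) and a handful of well-known virtualization OUIs. The ARP lines and the 192.168.0.x addresses in it are constructed; a real lookup of any other prefix goes to the IEEE registry or a service like macaddress.io.

```python
import re

# Well-known virtualization OUIs (first three octets, IEEE registry).
# Deliberately short; anything else is "look it up".
VIRTUAL_OUIS = {
    "00:50:56": "VMware", "00:0C:29": "VMware", "08:00:27": "VirtualBox",
    "00:15:5D": "Microsoft Hyper-V", "52:54:00": "QEMU/KVM",
}

# Matches aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff (same separator throughout).
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: three Windows 'arp -a' rows plus one Linux 'ip neigh' row.
SAMPLE_ARP = """\
Interface: 192.168.0.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.0.1           a4-2b-8c-11-22-33     dynamic
  192.168.0.80          00-15-5d-ab-cd-ef     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
192.168.0.77 dev eth0 lladdr 02:42:ac:11:00:02 REACHABLE
"""

def normalize_mac(mac):
    return mac.replace("-", ":").upper()

def classify(mac):
    """Describe a MAC from its first octet bits and its OUI prefix."""
    mac = normalize_mac(mac)
    first = int(mac[:2], 16)
    if first & 0x01:            # I/G bit: group address, not a host
        return "multicast/broadcast"
    if first & 0x02:            # U/L bit: not a vendor-burned-in address
        return "locally administered (VM, container or randomized MAC)"
    vendor = VIRTUAL_OUIS.get(mac[:8])
    if vendor:
        return f"virtual NIC ({vendor})"
    return "globally unique OUI: look up vendor (e.g. macaddress.io)"

def parse_arp(text):
    """Return (ip, normalized MAC, classification) for every ARP row with both."""
    rows = []
    for line in text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if mac and ip:
            rows.append((ip.group(1), normalize_mac(mac.group(1)), classify(mac.group(1))))
    return rows

if __name__ == "__main__":
    for ip, mac, what in parse_arp(SAMPLE_ARP):
        print(f"{ip:<15} {mac}  {what}")
```

Run it against the real output of `arp -a` (or `ip neigh`) on the machine that saw the IIS page; a locally-administered or virtualization-vendor MAC behind that IP points at a VM or container rather than a separate box.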
Following, I want to know what god awful iot device this is. Refrigerator? Toaster oven? Vibrating dildo? The suspense is killing me
Nobody wants windows on a vibrating dildo
I mean, Windows already fucks us metaphorically
Maybe I want my vibrating dildo to take an hour to load and come with spyware
Hey, I’m not normally one to judge but it seems like a bad idea to call yourself spyware. Either you’re going to blow your cover or it’s just negative self talk.
blow
load and come
I have a Bluetooth controlled vibrator. Reverse engineered the app (which has a chat function) and it has a blacklist of words (mainly Chinese) you’re not allowed to text using the app.
I did not check if your horny chat gets copied to Chinese spy agencies, but I suspect that will be done on the server.
That is IIS; all it means is you are probably talking to a Windows server. Is the traffic encrypted? What port is it going to?
It shows NOT SECURE in the browser window
Is the traffic encrypted?
If it is, look at the certificate. Which hostname is it for primarily? Which SANs (Subject Alternative Names, basically a list of all other hostnames the certificate is valid for) are set, if any? Which Certificate Authority issued the certificate, or is it self-signed?