GlassWire found a device in my network with an internal IP of 172.17.142.XXX and MAC of 00-15-5d-d4-da-xx, manufacturer being “Microsoft Corporation”. This is a private virtual IP and MAC range of Hyper-V, and I use Hyper-V and VirtualBox, so I assumed it might be one of my virtual network adapters. But I checked, since it’s unusual for virtual adapters to show up on the network devices list.
Here are the things that I did:
- NirSoft CurrPorts — No process currently using that IP
- netstat -ano | findstr 172 — No process currently using that IP
- Get-NetIPConfiguration -All -Detailed — No adapter currently assigned that IP or MAC
- sudo nmap -sn 192.168.1.0/24 — No unusual device
- sudo nmap -sn 172.17.142.0/24 — Nothing at all (0 hosts up)
- sudo nmap -Pn 172.17.142.XXX — Something???
The result of nmap
Nmap scan report for 172.17.142.XXX
Host is up (0.013s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
554/tcp open rtsp
7070/tcp open realserver
What is this thing??? If you’re reading, thanks for reading a stranger’s post.
Further testing traffic
- sudo netcat -p 7070 -l — Blanking
- sudo netcat -p 554 -l — Blanking
Some more info
- Only 1 Windows Enterprise edition machine in network
- Security cams correctly assigned 192.168.X.X range IP
- Using Hyper-V, WSL, VirtualBox, but none of my virtual adapters match that IP and MAC
- Usually careful with installing programs, so no malware history in Malwarebytes
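
The checks listed in the post can be summarized as one triage step. The sketch below is an added example, not part of the original post: it reads the vendor prefix from a MAC (tolerating masked trailing octets), tests whether the IP is RFC 1918 space, and reports whether any local interface is on the same subnet. The vendor table, the function names, the local network `192.168.1.10/24` and the final IP octet `10` are assumptions made for illustration.

```python
import ipaddress
import re

# OUI prefixes commonly seen on virtual NICs (small illustrative table, not exhaustive).
VIRTUAL_OUIS = {
    "00155D": "Microsoft (Hyper-V dynamic MAC pool)",
    "080027": "Oracle VirtualBox",
    "005056": "VMware",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def normalize_oui(mac: str) -> str:
    """Return the first three octets of a MAC as six upper-case hex digits.
    Accepts '-', ':' or '.' separators and tolerates masked trailing octets ('xx')."""
    digits = re.sub(r"[-:.]", "", mac.strip()).upper()
    oui = digits[:6]
    if not re.fullmatch(r"[0-9A-F]{6}", oui):
        raise ValueError(f"cannot read OUI from {mac!r}")
    return oui

def triage(ip: str, mac: str, local_networks: list[str]) -> dict:
    """Classify an unknown (ip, mac) pair reported by a network monitor."""
    addr = ipaddress.ip_address(ip)
    oui = normalize_oui(mac)
    on_link = [n for n in local_networks
               if addr in ipaddress.ip_network(n, strict=False)]
    return {
        "vendor_hint": VIRTUAL_OUIS.get(oui, "unknown"),
        # Bit 0x02 of the first octet marks a locally administered (software-set) MAC.
        "locally_administered": bool(int(oui[:2], 16) & 0x02),
        "rfc1918": any(addr in net for net in RFC1918),
        # Empty list: no local interface owns this subnet, so traffic to the
        # address is routed via a gateway instead of being ARP-resolved directly.
        "on_link_networks": on_link,
    }

if __name__ == "__main__":
    # Constructed sample: the last IP octet is a placeholder and the last MAC
    # octet stays masked, because the post hides both.
    result = triage("172.17.142.10", "00-15-5d-d4-da-xx", ["192.168.1.10/24"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

An empty `on_link_networks` list together with a virtual-NIC vendor hint suggests comparing the address against the hypervisor's internal switches and the router's route table rather than against the physical LAN.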