LAN to Non LAN Private Network

NOYB

Just did some more Skype with friend.  And bang.  There it is.

Did the net stat and Skype is using that port 38808 but to my friends WAN address.
TCP    192.168.2.21:52077    50.43.x.x:38808    ESTABLISHED
[Skype.exe]

However there is a machine on my friends LAN with 192.168.1.8.

Hmmm.  What is Skype trying to accomplish?

firewalluser

Hook this into skype http://www.rohitab.com/apimonitor and see what api's it's using.

I wonder if advapi.dll is used or something else buried deep in the bowels of the OS which could suggest a new method of hiding functionality.

Of course it could just be a bug which might turn out to be exploitable. Have you tried sending a simple text file between each other? I wonder if your machine HD FAT gets lifted as its quick and easy to lift that as its not particular big in relation to bigger files, omitting standard file locations of course from the FAT to further reduce what gets lifted.

johnpoz

is the machine your friend on 192.168.1.8 or .6 for its private IP?  Or you saying its some other machine on his network and his machine is say 192.168.1.14

NOYB

Yes friend could be using either of those.  The connection attempt seems to correspond to when I send a message rather than when receiving.

Firewall log timestamps correspond with Skype timestamps of my sent messages.

johnpoz

seems like a bug in skype that it would try sending to a rfc1918 address when its connected to other end via a public IP..  Be it you block it or not - it sure is not going to work ;)

firewalluser

@NOYB:

Yes friend could be using either of those.  The connection attempt seems to correspond to when I send a message rather than when receiving.

Firewall log timestamps correspond with Skype timestamps of my sent messages.

What happens when your friend changes their ip address, do you see a change in the ip address at your end?

And did you say it occurred after the skype call as well, or just during a skype call/chat?

Derelict

This sounds to me like Skype might be checking to see if the private addresses can communicate locally.

NOYB

What is being seen currently is during a Skype session; when sending a message.

I with Derelict though.  Although that could potentially break if there was a local Skype client that happened to be listening on that same IP and port combination.  Very unlikely.  But still, seems to be of poor design.  Not good form in my opinion to do stuff like that and go around what the users have established.

Derelict

I would think there is some crypto involved using keys that have been agreed upon over the Skype channels first, but with the Skype "malware" who knows.

firewalluser

@Derelict:

This sounds to me like Skype might be checking to see if the private addresses can communicate locally.

Only one way to find out and thats to test the scenario, maybe even testing on different subnets behind the same gateway might be interesting.