Standard User meditator
(fountain of knowledge) Fri 17-Mar-17 16:29:34

Are these TCP ports vulnerable?

I recently performed a scan on my WAN IP address and was surprised to find the following open TCP ports:-

22 ssh
23 telnet
80 http
139 netbios-ssn
445 microsoft-ds

Now, I recognise port 80 as being valid - but I've no idea about the others, really. Anyone got any opinions? I thought telnet was something that was always highly vulnerable to being used by nefarious factions on the Internet, or am I wrong about that?

Anyone know how to close off some of these? This is on a Mac, incidentally. Presumably, if I were to block port 23 I wouldn't be able to telnet into my router to look at stats, and that would also include the GUI version of the stats?
Standard User 10forcash
(regular) Fri 17-Mar-17 19:18:28

Re: Are these TCP ports vulnerable?

[re: meditator]

Which side did you scan from? If you scanned from within your LAN to find ports open to your router, then it's fine; if you scanned from 'the internet' to your WAN IP address, it's bad, very bad. Ideally, no open ports should be visible from 'the internet' to your router's WAN IP. Open ports as listed can indicate an already compromised router or LAN device.
Standard User TheEulerID
(experienced) Fri 17-Mar-17 19:33:49

Re: Are these TCP ports vulnerable?

[re: meditator]

Do you mean your WAN-facing IP address (that is, the one you get if you go to this, or similar sites)?

http://whatismyipaddress.com/

Or do you mean the address of your router as seen from your computer?

If it's the former, then that's not good. Generally ports to the Internet should be closed unless you are port forwarding or have some very good reason to open them. In either case, you need to know what you are doing. I would certainly not expect to see telnet as an open port to the Internet as that invites trouble.

If it's the latter, then what you have is fairly normal. I'm guessing that you probably scanned the local router address (which will probably be a 192.x.x.x address of some sort).

You can't generally scan your Internet-facing port from a local computer, but there are sites, like this one, which will scan for common vulnerabilities.

https://mxtoolbox.com/PortScan.aspx
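
The distinction the replies above draw (which address was scanned, and from which side) can be written down as a small check. This is an added example, not code from any poster in this thread; the verdict names, the function names and the 192.168.1.1 router address are assumptions, and it handles IPv4 only.

```python
import ipaddress
import socket

# Ports and service names exactly as listed in the original post.
THREAD_PORTS = {22: "ssh", 23: "telnet", 80: "http",
                139: "netbios-ssn", 445: "microsoft-ds"}

# RFC 1918 private ranges plus loopback and link-local: addresses that
# cannot be reached directly from the Internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def open_tcp_ports(host, ports, timeout=1.0):
    """TCP connect check against your own router; returns ports that accept."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                found.append(port)
    return found


def assess(target, open_ports, scanner_inside_lan):
    """Classify a scan result by target address and scanner position."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in LOCAL_NETS):
        verdict = "lan-view"       # router's LAN side: open services are normal
    elif scanner_inside_lan:
        verdict = "inconclusive"   # public address probed from inside the LAN
    else:
        verdict = "exposed"        # public address answered an outside scan
    services = [f"{p}/{THREAD_PORTS.get(p, 'unknown')}" for p in sorted(open_ports)]
    return verdict, services


if __name__ == "__main__":
    # Constructed sample: 192.168.1.1 is an assumed router LAN address.
    ports = open_tcp_ports("192.168.1.1", THREAD_PORTS, timeout=0.5)
    print(assess("192.168.1.1", ports, scanner_inside_lan=True))
```

An "inconclusive" verdict is the case where only a scan run from outside, such as the site linked above, settles whether the ports are open to the Internet.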

Standard User meditator
(fountain of knowledge) Fri 17-Mar-17 21:31:46

Re: Are these TCP ports vulnerable?

[re: TheEulerID]

Thanks, everyone.

I was scanning from a utility running on a computer on my LAN so, to answer your repeated question, it was an 'internal' scan, not a scan from the actual Internet. I'm obviously relieved to learn that this result is normal and is nothing to get concerned about.

Since posting this query I've also heard from the manufacturer of my router that it includes a firewall - other than that naturally resulting from NAT - to block access on these ports and, as long as that firewall is enabled (which it is), unsolicited access on these ports, past the router, is barred from the Internet (but, from within the LAN, these ports are meant to appear open).

Phew!
Standard User 10forcash
(regular) Fri 17-Mar-17 22:43:04

Re: Are these TCP ports vulnerable?

[re: meditator]

Are you sure? Is it possible that this 'utility' contacted an external server to run a vulnerability scan on your WAN IP, commanded from within your LAN?
If these ports are indeed the only ones open from your LAN to WAN, then your use of the internet is very restricted - I assume you use email? If so, there should be TCP ports 25 & 110 or, if you use secure transmission, 465 & 993, with TCP port 143 available for IMAP4 if used.
Secondly, are these ports firewalled on a per-machine basis or at the router? Standard SOHO / domestic routers have an outbound policy of 'allow all' (totally insecure, but what ISPs want to prevent their first line phone answerers having to explain how to configure a router securely).
If the firewall is actually a machine-based one, I'm intrigued as to why port 445 is open. This is typically used for Microsoft RPCs - such as credential exchange on a Microsoft network - I'm not sure this is open on an Apple OS unless it is domain joined. It can and is, however, used as an attack vector from WAN to LAN.
Other outbound ports I'd expect to see available include NTP and DNS; other traffic can usually be ported through 80 or 443 if required.

Edited by 10forcash (Fri 17-Mar-17 22:47:12)

Standard User legume
(experienced) Sat 18-Mar-17 00:53:20

Re: Are these TCP ports vulnerable?

[re: 10forcash]

In reply to a post by 10forcash:
Are you sure? Is it possible that this 'utility' contacted an external server to run a vulnerability scan on your WAN IP, commanded from within your LAN?
If these ports are indeed the only ones open from your LAN to WAN, then your use of the internet is very restricted


I guess the scan was to the router, not to somewhere through it.
Knowing exactly what the scanner tested and how would be useful to answer the port 445 question.
Standard User meditator
(fountain of knowledge) Sat 18-Mar-17 15:31:35

Re: Are these TCP ports vulnerable?

[re: 10forcash]

Are you sure? Is it possible that this 'utility' contacted an external server to run a vulnerability scan on your WAN IP, commanded from within your LAN?

Well, I can't be 100% certain about it. That's why I'm asking for second opinions.

I'm not sure if the following makes it any clearer to us all: https://support.apple.com/en-gb/HT202944. For instance, are we to presume that all of the named services in that article are normally left open, or is it just a list and will depend on machine usage and user preferences? Or what exactly? There's no guidance given there as to how and why any of them should be manually closed or left open. Another thing that's apparent is that RFC numberings are not set in stone for all time (if I'm understanding things correctly). For instance, ssh is port 22 normally, but according to that article is now port 4253. Similarly, for the other services in my original list.

I can understand why perhaps port 139 is found open. That's because some time ago I experimented with file sharing between a Windows machine and the Mac (on the same LAN), albeit that I no longer use the machines in that way any longer. Port 445 might be listed simply because I use MS Office for Mac and need to download updates from time to time. I'm surprised to see telnet so prominent, though. I always thought that telnet was potentially an open door for Internet scanners, but I guess it needs to be open, if only across the LAN, so as to make the router's GUI and showtime stats available.

Perhaps whether certain ports get reported on depends on which version of OSX is in use and how the various applications on the machine are configured? 'macOS' per se refers specifically to the latest version of OSX called Sierra, which I'm not using at present and instead am using an earlier version of OSX, so I'm not sure whether the statement "The application firewall in macOS ..... instead of by port" at the beginning of that Learn More section of the article has any significance.

Knowing exactly what the scanner tested and how would be useful to answer the port 445 question.

This is a case where there just doesn't seem to be any useful in-depth info given by Apple about 'Port Scan', to determine what it actually does and which ports could be vulnerable if left open, and in which direction.
Standard User 10forcash
(regular) Sat 18-Mar-17 16:31:09

Re: Are these TCP ports vulnerable?

[re: meditator]

It would help if you could describe your physical setup, including manufacturer names of items. I strongly suspect that you were initiating a scan from an external server to your WAN IP. My primary reason for thinking this is that port 53 is not listed; without this, DNS will not function (unless you have some pretty complex port redirect rules in your firewall config) and you will have to input web addresses as an octet string. If I'm right, those ports you list are open on your WAN IP to unsolicited traffic. BTW, port 445 is irrelevant to Office on Apple OS. It is primarily used for domain authentication and RPC traffic - it does have some use in RDP under certain configurations, hence why it would be open in a compromised router / firewall. It would also be worth looking at the NAT tables in your router / firewall to see which machine these open ports are pointing to.
Standard User caffn8me
(knowledge is power) Sat 18-Mar-17 16:51:02

Re: Are these TCP ports vulnerable?

[re: 10forcash]

In reply to a post by 10forcash:
My primary reason for thinking this is that port 53 is not listed, without this, DNS will not function
Erm, nope. All the router needs to do is to pass the ISP or other open DNS server addresses to LAN clients via DHCP for them to work properly. There's no need for the router itself to listen on port 53 TCP or UDP.

Sarah

Edited by caffn8me (Sat 18-Mar-17 16:55:32)

Standard User Zadeks
(experienced) Sat 18-Mar-17 16:58:15

Re: Are these TCP ports vulnerable?

[re: meditator]

Use grc.com's ShieldsUP! All Service Ports scan.