Technical Discussion
  >> Security Related Issues


Register (or login) on our website and you will not see this ad.


Pages in this thread: 1 | 2 | [3] | 4 | (show all)   Print Thread
Standard User ukhardy07
(knowledge is power) Sun 19-Mar-17 15:36:58
Print Post

Re: Are these TCP ports vulnerable?


[re: meditator] [link to this post]
 
If you PM me your external IP address I am happy to run a ports scan for you.

https://www.whatismyip.com/

Do not post your IP here.
Standard User legume
(experienced) Sun 19-Mar-17 17:02:23
Print Post

Re: Are these TCP ports vulnerable?


[re: meditator] [link to this post]
 
In reply to a post by meditator:
I don't know if I mentioned this earlier in my postings but the router manufacturer maintains that if you do a port scan from within the LAN, to the WAN IP address of the router, you get a false result. Apparently, this is because of the way in which 'NAT loopback' works when the scan is initiated from the LAN side, ie from a computer on the LAN. This doesn't however explain why I also see these five ports as open when a scan's done on the router's LAN IP address. I'm at a loss. Go figure.


Even without nat loopback it's normal for a default setup linux box to answer all the IPs it owns on any interface, so whether you use the WAN IP or the LAN IP its just two different ways of accessing the router.
The firewall set up on the router will prevent access from the internet.
Standard User caffn8me
(knowledge is power) Sun 19-Mar-17 18:24:11
Print Post

Re: Are these TCP ports vulnerable?


[re: meditator] [link to this post]
 
Looking at the selection of ports which respond on your router's WAN IP when probed from the LAN, it seems perfectly normal for a router which has web, SSH and telnet management (many do), and a USB port into which you can plug a printer or storage device. It's just a fairly typical domestic router.

Even when you disable remote management via SSH and telnet, the router may still respond to these ports from LAN connected devices.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Sun 19-Mar-17 18:28:45)


Register (or login) on our website and you will not see this ad.

Standard User 10forcash
(regular) Sun 19-Mar-17 19:39:29
Print Post

Re: Are these TCP ports vulnerable?


[re: legume] [link to this post]
 
Let's start with the basics, it'll help clear up a lot of the disinformation and outright C~rap above.
A firewall will allow or disallow packets to traverse it in either direction, according to the rules programmed into it. *most* domestic firewalls are a sub-function of the router used to connect the local network (LAN) to the internet (WAN). Generally, these type of firewalls default setting is to allow all outbound traffic on all ports, note that these 'ports' are nominally allocated by the IETF and IEEE in some cases to separate different types of traffic, it is possible that some ports have multiple uses, either due to programmers ignoring the 'rules' or attempting to subvert blocking techniques. Conversely, inbound traffic (from WAN TO LAN) is generally blocked completely unless it is a reply to a request sent from within the LAN. So, if as the original post states, the test was from LAN to WAN, then as port 53 is not open, NO DNS requests will reach any DNS server on the WAN side of the firewall. This is not the same as suggesting that there is a local DNS server on the LAN - Which in any case would be useless as any cached record would become stale after their TTL expired and if it's on the LAN, would not need a firewall rule to allow access to it from other LAN devices. As I suggested previously, the fact that the original poster did not state that they have problem accessing the internet or have to type in an octet string, the likelihood that the test is actually LAN to WAN Is low, which leaves the scenario that all the ports listed are actually open to the WAN...
All of which means that the firewall rules need to be examined and corrected. If this was an issue with NAT loopback, then ALL PORTS WOULD BE OPEN - remember that domestic routers trust the LAN by default and do not apply an active mitigation strategy to any LAN traffic.

Edited by 10forcash (Sun 19-Mar-17 19:44:09)

Standard User ukhardy07
(knowledge is power) Sun 19-Mar-17 19:43:31
Print Post

Re: Are these TCP ports vulnerable?


[re: 10forcash] [link to this post]
 
All of which means that the firewall rules need to be examined and corrected.
my sentiments exactly. Provided the ports are even open which they might not be.

Edited by ukhardy07 (Sun 19-Mar-17 22:08:14)

Standard User legume
(experienced) Sun 19-Mar-17 21:10:41
Print Post

Re: Are these TCP ports vulnerable?


[re: 10forcash] [link to this post]
 
In reply to a post by 10forcash:
Let's start with the basics, it'll help clear up a lot of the disinformation and outright C~rap above.

Please quote what disinformation you refer to.
A firewall will allow or disallow packets to traverse it in either direction, according to the rules programmed into it. *most* domestic firewalls are a sub-function of the router used to connect the local network (LAN) to the internet (WAN). Generally, these type of firewalls default setting is to allow all outbound traffic on all ports, note that these 'ports' are nominally allocated by the IETF and IEEE in some cases to separate different types of traffic, it is possible that some ports have multiple uses, either due to programmers ignoring the 'rules' or attempting to subvert blocking techniques. Conversely, inbound traffic (from WAN TO LAN) is generally blocked completely unless it is a reply to a request sent from within the LAN.

OK so far.
So, if as the original post states, the test was from LAN to WAN, then as port 53 is not open, NO DNS requests will reach any DNS server on the WAN side of the firewall.

Here's where you go wrong, as I have already said. The OP is testing the router its self, either by LAN IP or WAN IP, NOT what the router does to traffic that passes through to to the internet.
This is not the same as suggesting that there is a local DNS server on the LAN - Which in any case would be useless as any cached record would become stale after their TTL expired and if it's on the LAN, would not need a firewall rule to allow access to it from other LAN devices.

No one suggested there was a DNS server on the LAN.
As I suggested previously, the fact that the original poster did not state that they have problem accessing the internet or have to type in an octet string, the likelihood that the test is actually LAN to WAN Is low, which leaves the scenario that all the ports listed are actually open to the WAN...

That does not follow at all. The OP is testing the router from LAN side, you say yourself that inbound traffic from WAN (note WAN here meaning WAN interface = from the internet, NOT WAN IP which is owned by the router) is blocked
All of which means that the firewall rules need to be examined and corrected.

It would if telnet were accessible from the internet - but that is undetermined at time of writing.
If this was an issue with NAT loopback, then ALL PORTS WOULD BE OPEN - remember that domestic routers trust the LAN by default and do not apply an active mitigation strategy to any LAN traffic.

LOOPBACK was tossed in later by some router helpdesk - ignoring for now to avoid sidetracking.

On trusting LAN by default:
For traffic to internet (FORWARD chain in netfilter) yes.
For traffic to themselves (INPUT chain in netfilter) - variable eg. an unlocked Huawei blocks ports from anywhere to its self.
It's possible the OPs router also does - I mean 53 is blocked isn't it. But then we don't know what the scanner is doing. It may just be looking for running tcp services ie. send SYN get SYN/ACK back and say "open".
What it does if it sends a SYN and gets a RST is unknown - does it say "open" because the port is open but there's nothing listening, or does it call that as closed - I don't know.
Standard User caffn8me
(knowledge is power) Sun 19-Mar-17 21:32:11
Print Post

Re: Are these TCP ports vulnerable?


[re: 10forcash] [link to this post]
 
In reply to a post by 10forcash:
So, if as the original post states, the test was from LAN to WAN, then as port 53 is not open, NO DNS requests will reach any DNS server on the WAN side of the firewall.
10forcash? I'll give you six fifty wink

You seem to have misunderstood what a port scan of the router's WAN IP from the LAN shows. Of course, clients on the LAN can access external DNS servers, subject to ISP filtering. The scan done by meditator wasn't testing for that.

What the scan actually shows is that the router itself is not showing as being open on port 53 on its WAN IP address when viewed by clients on the LAN. That tells you nothing whatsoever about whether LAN clients can access external DNS servers.

It would be quite normal for a domestic router to listen for DNS queries only on its LAN IP address and respond only to LAN clients. This stops the router beng an open DNS resolver which could form part of a DNS amplification attack.

meditator, to check what you can reach as far as DNS is concerned, try the following if you have a Mac;

1. Open up a Terminal window from under Applications > Utilities
2. At the prompt type
dig @8.8.8.8 www.bbc.co.uk a

You should see something like this;
macchiato:~ sarah$ dig @8.8.8.8 www.bbc.co.uk a

; <<>> DiG 9.11.0-P3 <<>> @8.8.8.8 www.bbc.co.uk a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5839
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.bbc.co.uk.			IN	A

;; ANSWER SECTION:
www.bbc.co.uk.		139	IN	CNAME	www.bbc.net.uk.
www.bbc.net.uk.		205	IN	A	212.58.244.70
www.bbc.net.uk.		205	IN	A	212.58.246.94

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Mar 19 20:59:39 GMT 2017
;; MSG SIZE  rcvd: 100
If you run Windows;

1. Press the Windows Key + R and type "cmd" to open a command prompt.
2. Type;
nslookup

3. Then type;
server 8.8.8.8

4. Finally enter;
www.bbc.co.uk
and you should see something like this;
C:\Users\sarah>nslookup
Default Server:  ns1.zen.co.uk
Address:  212.23.3.1

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> www.bbc.co.uk
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    www.bbc.net.uk
Addresses:  212.58.244.68
          212.58.246.92
Aliases:  www.bbc.co.uk

>
What this test shows is that you can query an external DNS server. Now try the same test again substituting your router's LAN address for 8.8.8.8 and your router's WAN address for 8.8.8.8 and report back smile

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User XRaySpeX
(eat-sleep-adslguide) Sun 19-Mar-17 23:03:14
Print Post

Re: Are these TCP ports vulnerable?


[re: meditator] [link to this post]
 
Just run Shields UP! -- Internet Connection Security Analysis's All Ports Scan. All ports should be reported "Stealth", unless you have deliberately opened them.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User meditator
(fountain of knowledge) Mon 20-Mar-17 11:59:12
Print Post

Re: Are these TCP ports vulnerable?


[re: ukhardy07] [link to this post]
 
Well, I really do seem to have whipped up a storm! Never imagined that the simple question I originally posed would attract such conflicting views. I'm nonetheless extremely grateful for everyone's attempts over the last couple of days to help me with this issue; you've all invested a lot of your time on this. I'd especially like to thank ukhardy07 for the offer recently of running an external scan on my behalf.

But ... there's a happy ending. First thing this morning (Mon), and as a long shot, I e-mailed my ISP about it and asked whether they themselves could run a port scan test on my router. They're quite familiar with this particular router anyway. Amazingly, they've obliged and have done it and given me the result.

Seen from the Internet, there are no visible open ports. In fact, my ISP is of the view that what the OSX Port Scan must be doing is fallaciously reporting the status on the internal side of the router, ie. 192.168.x.x, even though I told it (giving it the router's WAN IP) to scan the external side. This is also what the manufacturer of the router gave as their reply, though not specifically citing OSX Port Scan as being untrustworthy.

It seems there's really no substitute for a reliable external scanner. Needless to say, I'll not be bothering to ever use OSX's Port Scan again. You know, I was really beginning to wonder whether there was a serious bug in my router that made it look as though, in the GUI, most of these ports were closed to the external world, but which in reality was actually leaving them open. But that was not, and is not, the case - thank goodness.

If a lesson's to be learnt from this it's not to trust an 'internal' port scanner (ie. a scanner operating on a machine inside a LAN) to do an external scan. Do it instead with an external scanner.

[As a sequel, my ISP has commented that it's common to see these particular ports open on the LAN side, and that the only time you'd really ever want to have them open on the WAN side is if you were doing port forwarding to a server running some associated services].

Edited by meditator (Mon 20-Mar-17 12:06:21)

Standard User caffn8me
(knowledge is power) Mon 20-Mar-17 12:10:02
Print Post

Re: Are these TCP ports vulnerable?


[re: meditator] [link to this post]
 
You can't blame OS X port scan for a router's normal default behaviour. Any port scanner lanuched from the LAN would give the same results.

What you were trying to do was to do an external port scan from the internal network, and that's not going to give reliable or useful results.

If you want to do an external port scan, you absolutely must do it from an externally connected device. OS X port scan is absolutely fine, it's the way you were trying to use it.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Pages in this thread: 1 | 2 | [3] | 4 | (show all)   Print Thread

Jump to