Open Ports on Router (esp. port 7547).

[michael_kent123]

I recently ran nmap -sS -p1-65365 192.168.1.1 -vv on my Zyxel router.

Here are the results:

PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
7547/tcp open unknown

The 7547 appears to be the CPE WAN Management Protocol (CWMP) which is this: http://www.axiros.com/knowledge-base/faqs-on-device-mgmt/cpe-wan-management-protocol-tr-069.html?no_cache=1

This does assume that 7547 isn't something else.

The other ports are open because they are part of the remote management (I realise I can set these ports to something non-standard or close them on the router).

However, I'm not entirely sure whether 7547 should be open (http://www.o2help.co.uk/router-close-port-7547/).

Any thoughts?

Thanks!

[digip]

Scanning from local lan can sometimes lead to false positives, but I would try from an external scan just to be safe. Try from a remote machine to scan your home IP if you can, which should hit your router, and that to me would be a better test.

Also, try several other scans for various results at getting ports to pop and give up info, such as "nmap -v -A -PN --open --reason -sV -sC -p 1-65535 x.x.x.x" where x.x.x.x is your IP address. Go to ipchicken.com or type "what is my IP address" into google and google should tell you as the first result in bold(google knows everything). Sometimes, a port can say its open, when really it isn't too depending on mangled packets or just crappy product design they can fail open and closed if continually scanning, and be randomness, so try various scans, as well as try the same ones with the UDP switch added as well, since some things, only show under UDP(but can often be false positives under UDP scans so not as reliable).

-sV -sC (standard scan) will tell you the service and version running if it can grab a banner from it or identify the service itself. You can also try -sV -sT which tries to actually connect to the port, or use a -sM which sends a FIN/ACK to try and force a reset or RST packet response from the device, to prove the port is open or closed or just that a device is alive.

[michael_kent123]

Here are my updated nmap scans:

PORT STATE SERVICE VERSION
21/tcp open ftp?
|_ftp-bounce: no banner
23/tcp open telnet?
80/tcp open http Allegro RomPager 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)
| http-methods: GET HEAD POST PUT
| Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-generator: GoLive CyberStudio 3
|_http-title: .:: ::.
7547/tcp open http Allegro RomPager 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)
|_http-title: Object Not Found
| http-methods: GET HEAD POST PUT
| Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html

53/udp open domain ISC BIND (Fake version: Nominum Vantio 5.2.0.1)
|_dns-recursion: Recursion appears to be enabled
| dns-nsid:
|_ bind.version: Nominum Vantio 5.2.0.1
161/udp open|filtered snmp
|_snmp-win32-shares: TIMEOUT
7547/udp open|filtered unknown
Too many fingerprints match this host to give specific OS details

As I understand it, if users (hackers) scan dymanic IP addresses with nmap then they are likely to find some home routers.

They can then connect via telnet and try default passwords, brute force with hydra, etc.

But what can they do even if they find the password (or if none is set). In other words: what is the point of remotely gaining access to someone's home router?

[Infiltrator]

Here are my updated nmap scans:

PORT STATE SERVICE VERSION

21/tcp open ftp?

|_ftp-bounce: no banner

23/tcp open telnet?

80/tcp open http Allegro RomPager 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)

| http-methods: GET HEAD POST PUT

| Potentially risky methods: PUT

|_See http://nmap.org/nsedoc/scripts/http-methods.html

|_http-generator: GoLive CyberStudio 3

|_http-title: .:: ::.

7547/tcp open http Allegro RomPager 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)

|_http-title: Object Not Found

| http-methods: GET HEAD POST PUT

| Potentially risky methods: PUT

|_See http://nmap.org/nsedoc/scripts/http-methods.html

53/udp open domain ISC BIND (Fake version: Nominum Vantio 5.2.0.1)

|_dns-recursion: Recursion appears to be enabled

| dns-nsid:

|_ bind.version: Nominum Vantio 5.2.0.1

161/udp open|filtered snmp

|_snmp-win32-shares: TIMEOUT

7547/udp open|filtered unknown

Too many fingerprints match this host to give specific OS details

As I understand it, if users (hackers) scan dymanic IP addresses with nmap then they are likely to find some home routers.

They can then connect via telnet and try default passwords, brute force with hydra, etc.

But what can they do even if they find the password (or if none is set). In other words: what is the point of remotely gaining access to someone's home router?

As a security practice, it's highly recommended to have all these remote management features turned off, or only allowed on local intranets instead of over the internet.

My router security is pretty tight, I only allow a certain computer to manage it remotely and management over wireless is disallowed too

Any other services such as Telnet or HTTP, which transmits information in clear-text is also disabled, I use either SSH or HTTP(s)

Port forwarding rules are disabled, unless it's required or otherwise.

[digip]

As stated above, disable ALL remote management, and I would also advise, if you have the option, to disable uPnP, asap, as well as SSDP. They can be used to open ports, probe for responses about the devices and pull other info.

If FTP , Telnet, and port HTTP are viewable from the internet, that is NOT a good thing.You also have SNMP on?? Big no no. Try hitting your router from an external IP with metasploit or Armitage. It will show you all kinds of things using SNMP attacks and scanning for further fingerprinting, most likely using an open community string.

NONE of the ports you listed, should be reachable from the internet, and if they all showed open from an external scan, you're at a much higher potential for a break in.

Edited January 15, 2013 by digip

[GuardMoony]

Michael are you sure you scanned from OUTSIDE your network like didip said. Because all of your results look from inside your own network.

Also some routers/will allow scanning your external ip from inside your local network and it will report the local network ports. ( And i know Zyxel DOES ALLOW THIS! )

If you still see problems always make sure to get the latest firmware. For zyxel you can get them at ftp://ftp.zyxel.com/ be sure to read the pdf ( some updates remove all settings so make a backup first )

[michael_kent123]

Thanks for the advice. I was scanning my external IP but from inside the network. From what people have said this will not necessarily show the same information as when scanning externally.

I'll scan the external IP tomorrow but from outside the network.

NONE of the ports you listed, should be reachable from the internet, and if they all showed open from an external scan, you're at a much higher potential for a break in.

Here is what I don't understand. Let's say that someone did break in. What could they actually do?

They would telnet or netcat to my router and login. Then could they install software e.g. sslstrip. What would an attacker actually do in your opinion?

Edited January 15, 2013 by michael_kent123

[digip]

Redriect all your traffic to flow through them and run off their DNS, and MITM proxy all your traffic, including SSl traffic and you'd be none the wiser. Not to mention, possible to port forward to known hosts on the network, attack individual machines on the LAN if they are vulnerable, if he/she can see traffic, they can see your OS, Browser user agent, software in use, such as flash, adobe reader, java, etc, then serve or inject payloads into pages and compromise your hosts, then log directly onto your workstations, pivot off one vulnerable machine to the rest of your network and scan your inside lan, etc, etc, etc....

[GuardMoony]

Like digip said. Here's a real example like what they do:

http://nakedsecurity.sophos.com/2012/10/01/hacked-routers-brazil-vb2012/

[michael_kent123]

Here is what I get when I use nmap -A to my IP when outside my network.

This is with telnet, ftp, snmp, dns, and http deliberately open and with Unphp on.

Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http-proxy Tinyproxy 1.6.2
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: CONNECTION
443/tcp open ssl/http Boa HTTPd 0.93.15
| ssl-cert: Subject: commonName=phc.prontonetworks.com/organizationName=Pronto Networks.Inc/stateOrProvinceName=California/countryName=US/localityName=Pleasanton
| Issuer: commonName=Trustwave Organization Validation CA, Level 2/organizationName=Trustwave Holdings, Inc./stateOrProvinceName=Illinois/countryName=US/emailAddress=ca@trustwave.com/localityName=Chicago
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2012-12-13 17:17:30
| Not valid after: 2015-12-14 18:02:43
| MD5: b2dd 0fdb 27da a917 20a0 7118 f079 26db
| SHA-1: 02f2 8772 79d6 1946 a4a3 757b 437b dc89 1c49 16a1
| -----BEGIN CERTIFICATE-----
|[cut]
-----END CERTIFICATE-----
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-title: 302 Moved Temporarily
|_8080/tcp open http-proxy Tinyproxy 1.6.2
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: CONNECTION
8443/tcp open http-proxy Tinyproxy 1.6.2
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: CONNECTION

PORT STATE SERVICE VERSION
21/tcp filtered ftp
23/tcp filtered telnet
7547/tcp filtered unknown

PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.7.1-P2
|_dns-recursion: Recursion appears to be enabled
| dns-nsid:
|_ bind.version: 9.7.1-P2
161/udp open|filtered snmp
|_snmp-win32-shares: TIMEOUT
7547/udp open|filtered unknown

I've turned off all methods except for HTTP (so I can access the router on 192.168.1.1). In the past when I turned off HTTP access I then could not access the router via 192.168.1.1 to turn it on!

My "server access" options are:
LAN
LAN / WAN
WAN
Disable

I don't quite understand what the difference is between the first three options? The results above come from LAN.

What, in your opinion, would be the most secure setup?

Would you suggest I use an external DNS rather than have port 53 open (and hence use my IPs DNS)?

I would like access to the router (when connected to my home network). What would you say is the best method?

Currently I have HTTP and DNS set to LAN with FTP, Telnet, and SNMP set to Disable.

I am going to try again next week with everything locked down and post my results again.

Thanks!

[digip]

You can turn off everything, and still reach he router on port 80 from INSIDE the lan. You need to disable remote administration, so port 80 will be closed to people on the internet and outside your lan. Also, if the device has the options, disable admin interface over wireless, and also make it use https only, and not http for the admin panel login. This way, if someone is on your local lan, they can't intercept your login credentials sent in the clear over port 80, and will force it to only allow HTTPS for encrypting all logins to the router. Not 100% guaranteed, but way better than using default port 80, since that sends everything in plain text and can be sidejacked or MITM'd.

[aias]

Hello, (SOLVED)

This port comes by default open to the WAN on many ZyXel commercial routers. It is intended for use with the Customer Premises Equipment WAN Management Protocol, a.k.a. CWMP. It has become prone to easy exploitation. Unfortunately, the web-based management interface lacks any hint that this service is enabled, much less a method to disable it. To close this port on your router you may take the following steps:

1. Login to your device via telnet (or ssh, but mine doesn't support it).

2. Issue the following command: sys cwmp clearall.

This will stop the port listening on the LAN and WAN and clear all other settings related to CWMP. You may wish to view the related information before clearing it, or otherwise make changes. Simply use `sys cwmp help` for more usage instructions.

I can confirm that this will survive a reboot.

For reference, the model tested: ZyXEL AMG1302-T10A.

Happy hacking.

- aias