Can anyone suggest what these strange ports open on my router do?

[michael_kent123]

I have a TP-Link router and recently ran an nmap scan on it from inside my network. I'm not too worried about the results as I have turned remote admin off so the router is inaccessible from the internet. I am using the Ubuntu OS.

Nonetheless, there are a few things I do not understand. Here are my results:

23/tcp open telnet
1900/tcp open upnp
2000/tcp open cisco-sccp
2001/tcp open dc
9000/tcp open cslistener

Telnet makes sense; it's a way to connect to the router.

Upnp I understand but, even though I've disabled it in the admin panel, it still shows "open". Maybe nmap is supposed to show it as open, even though it's closed from the perspective of the router. I don't know.

Sccp (https://en.wikipedia.org/wiki/Skinny_Call_Control_Protocol) is a Cisco protocol which makes no sense to me as I don't have a Cisco router unless TP-Link has paid to use this proprietary protocol.

Dc seems very mysterious and no-one seems to know what it is.

Cslistener (http://brianoneill.blogspot.com/2012/02/cslistener-on-mac-osx-on-port-9000.html) maybe the Checkpoint firewall which I have not installed.

More generally, is there a way to run a netstat like command on the router IP. I can telnet to it but I can't run commands like netstat to check what is happening on these ports from the router's perspective.

Any ideas?

[cooper]

Check out http:// part.

So in summary:

- don't assume a service waiting for you on a port is what the port number normally is used for

- NONE of these ports should be accessible from the internet

- most of these ports have no business on your LAN either.

[digip]

What you see open from inside that lan, may not be open from the internet though. you need to be on a different network, and scan your networks "external" IP address to be sure. Many routers keep ports open inside the lan, but are closed from the internet. Some of them, can not be closed depending on the brand, but this unfortunately is still an issue with some consumer routers.If you are scanning the router, the ports you see should only be that of the rotuer unless you have port forwarded something, so a checkpoint firewall, even if installed, would not see it from the router's ports, only if scanning the firewall appliance/device should you see that. Doesn't mean the router doesn't use this generic port for something like remote management or such.

Even if you scan your external IP from inside the lan, the router will not respond the same way it would if it were being scanned from an external address. You may still see ports open that would otherwise be closed. Even with remote management closed, you may still be able to connect to the admin panel at the external IP if connecting from the lan, which is a common issue with routers, but should be tested from another network to be sure, since you can get many false positives this way.

[michael_kent123]

Thanks for the information - I've done some more research as you suggested.

I scanned my external IP from inside my LAN:

Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet #
1900/tcp open upnp # Upnp is turned off on the router so I don't know why this is open.
40001/tcp open unknown # This is the way I connect to the router 192.168.1.1:40001

I scanned my external IP from my VPN IP:

Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.21 seconds

I typed my external IP:40001 into the browser and, when using the VPN, it timed out. When I typed my external IP:port in (without using a VPN) it brought up the login screen. So my impression is that the router is not accessible from the internet.

[cooper]

So my impression is that the router is not accessible from the internet.

[fugu]

Yeah, about that...

That's really bizarre that you can actually do that

[michael_kent123]

I will check out the video over the weekend.

One more thing that I kind of but not completely understand.

I have SSH installed on my computer. If I ssh to my IP address provided by my ISP then the connection fails. However, if I connect to my VPN and then ssh to the VPN IP, I get a connection. I can login to my system using the password I use to login to my computer.

I'm assuming that's how SSH is supposed to work (it's as if I was contacting my IP from a remote system) and the VPN has allowed its users to SSH to their home computers via the VPN IP. Does that make sense? Are there any security implications?

Many thanks!

[cooper]

The security implecation seems obvious: the internet can access that port on your VPN and through it gain access to your personal system inside your LAN. It's like having armed guards and pill boxes and turrets and moats in front of your house, and leaving the back gate open.

[michael_kent123]

The security implecation seems obvious: the internet can access that port on your VPN and through it gain access to your personal system inside your LAN. It's like having armed guards and pill boxes and turrets and moats in front of your house, and leaving the back gate open.

Well, yes, but they would have to know the password. When I SSH to the VPN IP, it asks me for my password. Unless the password to my system is obvious, I don't see a problem. Or am I too naive?

[digip]

Well, yes, but they would have to know the password. When I SSH to the VPN IP, it asks me for my password. Unless the password to my system is obvious, I don't see a problem. Or am I too naive?

DNS Rebinding attacks generally require user interaction, so once logged into your VPN, if you get click jacked into something that posts data at your home router by clicking something injected, the potential is there no matter what security measures are in place. This is a problem for anyone and any services though, when closed on the outside and open on the in, it's only a matter of, how do you poke that hole, not if you can. Firewalls and NAT can be traversed through attacks like the above link and there are other methods to get through as well, but for the most part, you should be fine. Just remember it's better to be a little paranoid and question everything, cause the one time you don't and forget to check for the holes like you did with the ports, someone else will find it before you.

[cooper]

Well, yes, but they would have to know the password. When I SSH to the VPN IP, it asks me for my password. Unless the password to my system is obvious, I don't see a problem. Or am I too naive?

Yes, you are. You're saying a criminal can put a gun to my head because I'm confident bullets that kill me don't exist.

You're putting the very integrity of your LAN in the balance, saying "If someone discovers/knows about an SSH vuln that I don't know about, they're welcome to my network, and everything on it, because at that point they've earned it". Does that sound sensible to you?

If you *need* to SSH into your home box via your VPN, then it's a different story. It's a trade-off you made between good security and having the functionality you require. If you do need it, look into cert-based auto-login or 2FA instead of password-based logins. If you don't require it, close that shit down pronto!