nmap discrepancies

[devrand0m]

Some of you guys may have read the recent blog post from nomotion.net about AT&T Uverse Arris modem vulnerabilities.  I have Uverse at my office.  The modem is a different model, but I decided to see if there were any open ports just in case.

I went home and ran nmap scan against it. ( nmap -v -Pn -sS -p1-65535 <my.ip.address>). All ports were reported as no response by nmap.  I have a separate Uverse service on different floor so I ran exactly same command on the second IP from different Kali machine at home.  Port 25 and a bunch of bittorrent ports showed up this time ( although all reported as closed).  I decided to run nmap again against the first modem/IP again.  This time, port 25 and bittorrent ports showed up.

Only difference between the first scan and second/third scan was that the machine running second/third scan had vpn on.  Otherwise both my laptops were running same version of Kali/nmap.

Any ideas how nmap running directly through home network would give different results than running through vpn?

[digip]

Do you have permission to scan the work network?

When on a VPN, you're scanning from inside the work network, which might have more lax security settings(assuming it's the work VPN and not another 3rd party VPN service, which you could end up scanning your VPN services network if not careful).

My guess is, scanning from outside the network, packets are being dropped and not reset or replied to. There are different types of scans you can try like fin scans and xmas tree scans, but if you see bit torrent on there, unless it's port forward by the modem/router, you probably shouldn't see it at all, and could be hitting another device like workstation or server. Port 25 is SMTP, for an email server, which I don't think is going to be running on the modem/router itself, nor should a torrent client. 

Assuming you do have permission, try:

nmap -sC -sV -v -Pn -p- -O --fuzzy --open -T5 x.x.x.x

 

[digininja]

If both were from outside the network then it is probably your home ISP dropping things. My ISP drops all port 25 traffic to stop home machines being used to send spam. I've worked with another one who always returned closed for port 139.

If you want to find out for sure exactly what is going on you need a box that replies on all ports that you can scan. That will show you what's being blocked or modified.

I wrote a tool called Ear Trumpet years ago that would listen on all ports but it hasn't been updated since. Mubix also released one but I can't remember the name, his is probably better.

And add as digip says, make sure you have permission to scan.

[devrand0m]

Thanks for the input guys.  I never knew ISP's modified traffic.  The my home is in the suburbs and the office is in downtown.  The market is pretty much just dominated by two players ... AT&T and Time Warner.  My VPN connection was to a commercial VPN service server in different state.  If local AT&T or TW networks are dropping packets (I didn't know they did that), then the scan through VPN could be more accurate.  Which doesn't please me since that scan was the one with open SMTP and torrent ports.  That could mean I could have unauthorized mail and torrent services running on my router which means that my router is pwned.  Any way to figure out if my router is compromised?

BTW, do you know how I can find Ear Trumpet especially if it runs on modern Windows, Linux, or MacOS?  ( I have machines running all the OS's so any version would do.  Actually, how would you connect a regular desktop directly to public IP address anyways? )

And yes, I have permission to scan... I own the business on the first floor the AT&T, unoccupied residential unit on second floor with Time Warner (I use it sometimes if I'm too tired to go home...50 mile drive home), and I own the entire building as a whole.  Unless I'm supposed to ask for permission from my ISP's.

[digininja]

It's not your router that is modifying the traffic, it will be something up stream from that so you can't get round it by putting in your own router. It's to stop spam, torrenting and also to try to stop people using home contacts for business use.

 

Ear Trumpet is on my site digi.ninja, Google and you'll find it. It should work but may need some tweaks.

 

For permissions, you should have permission by the company you are scanning but it is also sometimes worth checking with the ISP but maybe not for something this small.

[digip]

You should try and confirm the results are actually from your work. Seeing SMTP and Torrents in a scan result, would mean that the ports need to be forwarded to the end machines that are responding to them unless the router itself has some kind of reverse shell that is impersonating on those specific ports, which is probably not the case, but also not impossible. You can setup SSH to any port for example and in the event your work's firewall rules have something that allows only specific ports for in/outbound then an attacker would need to know this to make use of it as such. More than likely you're scanning the VPN's network. What range of IP did you try to scan? 192.168.x.x, 172.16.x.x, 10.x.x.x? If so, you're not hitting the work network, unless you scan from INSIDE the network, as these are LOCAL private ip ranges. You can't just fire up nmap and scan 192.168.1.0/24 from home and expect to see the work network, but we're assuming you know this much about subnets and IP networking before so. If you didn't know this, it explains more the results you're seeing.

[devrand0m]

I tried various scans again, this time per digip's -sC scan included with Wireshark running.  With -sS scan with no VPN, all packets were dropped.  With -sS scan through VPN, port 25 and 6881-89 had reset packets come back.  However, from what I can tell, packets looked like they came from the VPN gateway!  This was reported as ports closed rather than packets dropped by nmap.  I guess VPN wants to stop use of these ports.  

HOWEVER, -sC scan revealed something more interesting.  Open port on 8000.  I tried connecting with browser.  Any other port just hangs.  This port actively sends out resets.  Tried with nc, ssh, telnet, etc.  nc and telnet connects but do not get any responses from any commands then the connection is reset/closed.  ssh comes back with "ssh_exchange_identification: Connection closed by remote host."  Usually, my MacOS ssh either hangs or just "connection reset by remote host", not this ssh_exchange error message.  I'm starting to think there may be a ssh back door that is set to connect with certain certificates.  

The original NoMotion blog was about ATT routers having vulnerabilities as well as couple of back doors.

[digip]

8000 might be a web proxy. You can test by setting your browsers http proxy to use port 8000 and the IP address of the work site, then opening any website to see if it loads anything or displays an error message. This might also be a work VPN port for something like a java VPN but more than likely some kind of web proxy port like a squid box. Could also be a honeyport, depending on what is running on the network, port forwarded to a honeypot that responds, logs your IP and eventually blocks you all together.

Try different scan's like "-sT -Pn -p- -v -n" or "-sF -Pn -p- -v -n" and also UDP scanning with the -sU switch. 

Still, if you're in charge of the network stuff, you should have login deets for the router/modem(all in one device I assume) to look at what ports are open or forwarded. Some devices have ports opened that can only be closed by logging onto them over telent or SSH(from the lan side) and the stopping the service. My asus routers for example, start things like STP on boot, whcih can be disabled by logging in with telnet and then disabling and putting a commit to nvram, then rebooting, which will then start without the service. Some devices have these ports open that can never be turned off, most of the time for the ISP to connect and configure devices, which modems fall into that category, since all ISP's that I know of, have access to provision devices, even self owned modems(thanks comcast for bricking a few of mine in the past too). About the only thing that can make you less paranoid, buy your own modem and swap it out from the ISP's and call them to put the MAC address of your purchased modem onto the network. Just check with them first on what modems they allow as not all ISP's accept every modem manufacturer and might need specific models that have a certain protocol family in place, ie: DOCSIS 3.0 vs 1.0 for cable modems, or also have VOIP+Network capabilities.