
lanwarrior

join:2007-08-09
Los Angeles, CA
reply to dahan

Re: 2Wire 3801HGV - ports open (even when I didn't open it)

Crap, I was typing a response and Chrome crashed... Had to re-type.

Anyways, I have tried running the scan using 2 different mobile hotspots from Clear and T-Mobile and in both cases, NMAP shows the same ports open.

Is there a syntax I can use to check if the open ports really have open services? I.e. if I telnet to port 25, run some syntax to see if this is truly an SMTP service.

If there is a tool that can do that (I used to use Nessus, but they're no longer open source), let me know.

PS: I am now using the ASUS router as an "internal" firewall, so if it is determined that the 2WIRE modem/router has the open ports, at least my internal network is still secured by the ASUS router. I am not sure if there is a performance issue for having a router connecting to another router...


mackey
Premium
join:2007-08-20
kudos:12
said by lanwarrior:

Is there a syntax I can use to check if the open ports really have open services? I.e. if I telnet to port 25, run some syntax to see if this is truly an SMTP service.

Yes.

Port 25: ehlo test.example
If there's a mail server there it will respond with something like:
telnet gmail-smtp-in.l.google.com 25
Trying 74.125.25.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP zw4si4576639pbc.64
ehlo test.example
250-mx.google.com at your service, [76.171.149.106]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES
quit
221 2.0.0 closing connection zw4si4576639pbc.64
Connection closed by foreign host.
 
Both "ehlo test.example" and "quit" were typed by me.

For ports 80 and 8080: GET / HTTP/1.0 (and then hit 'Enter' twice)
telnet google.com 80
Trying 74.125.224.197...
Connected to google.com.
Escape character is '^]'.
GET / HTTP/1.0
 
HTTP/1.0 200 OK
Date: Wed, 05 Dec 2012 00:14:15 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=4683a86bd76be483:FF=0:TM=1354666455:LM=1354666455:S=TEj_dOEgqeCVVkI6; expires=Fri, 05-Dec-2014 00:14:15 GMT; path=/; domain=.google.com
Set-Cookie: NID=66=RsydMO-p4v_qBH_jrcbz9sM84wyPxivLSjgUvWL2NHPsj-qT2PIXBdpiXCpX88-NxsG_wdY4ZhSotKdVjGaOH0RMEMfyvKxEXrE_Tfa5oavkjvgtood6CK0pbv0-lhkq; expires=Thu, 06-Jun-2013 00:14:15 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
 
<!doctype html><html itemscope="itemscope" itemtype="http://schema.org/WebPage"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp" name="robots"><meta itemprop="image" content="/images/google_favicon_128.png"><title>Google</title><script>(function(){
window.google={kEI:"15G-UNfWM4WFiAL3pIGQCQ",getEI:function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI},https:function(){return"https:"==window.location.protocol},kEXPI:"25657,39523,39976,40363,4000116,4000473,4000566,4000945,4000955,4001372,4001456,4001569,4001855,4001933,4001959,4001966,4002000,4002036,4002048,4002161,4002240,4002348,4002359,4002378,4002391,4002436,4002460,4002466,4002510,4002562,4002710,4002733,4002756,4002789,4002883",kCSI:{e:"25657,39523,39976,40363,4000116,4000473,4000566,4000945,4000955,4001372,4001456,4001569,4001855,4001933,4001959,4001966,4002000,4002036,4002048,4002161,4002240,4002348,4002359,4002378,4002391,4002436,4002460,
...
 

/M

ipman

join:2010-08-31
San Jose, CA
Only if you know the type of service it is running.

I found that TCP port 3476 is open on my 3600. Clearly, it is waiting for some data after connect. I just hope it is not a backdoor to access my LAN. Luckily, I have another router behind it to protect from this madness. But if someone hacked the 3600 and changed its DNS, I am screwed. Maybe it is time to use a public DNS like 8.8.8.8.

Port 25 will result in immediate disconnect.
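
The manual telnet checks from the posts above, scripted for checking your own modem's ports. This is an added example, not code from anyone in the thread. It sends the same `EHLO test.example` and `GET / HTTP/1.0` probes and also distinguishes the two other outcomes mentioned: a port that disconnects immediately and one that stays silent waiting for data. The function names and the `192.0.2.1` placeholder address are assumptions.

```python
import socket

def read_some(sock, timeout):
    """Bytes received within `timeout`; b"" if the peer stayed silent, None if it closed."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(4096)
    except socket.timeout:
        return b""
    except ConnectionError:
        return None
    return data or None

def probe(host, port, timeout=3.0):
    """Repeat the manual telnet checks from the thread and label what answers."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "no connection (%s)" % exc.__class__.__name__
    with sock:
        try:
            greeting = read_some(sock, timeout)
            if greeting is None:
                return "closed right after connect"
            if greeting.startswith(b"220"):
                # 220 is also the FTP greeting; a 250 reply to EHLO confirms SMTP.
                sock.sendall(b"EHLO test.example\r\n")
                reply = read_some(sock, timeout) or b""
                sock.sendall(b"QUIT\r\n")
                return "smtp" if reply.startswith(b"250") else "220 greeting, no EHLO reply"
            if greeting:
                return "unrecognised banner: %r" % greeting[:60]
            # Nothing on connect: HTTP servers wait for the client to speak first.
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            reply = read_some(sock, timeout)
        except ConnectionError:
            return "connection reset during probe"
    if reply is None:
        return "silent, then closed after the HTTP probe"
    if reply.startswith(b"HTTP/"):
        return "http (%s)" % reply.split(b"\r\n")[0].decode("ascii", "replace")
    return "open but silent: waits for data" if not reply else "unrecognised reply: %r" % reply[:60]

if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder (assumption): use your own WAN
    # address and run this from an outside connection, as in the thread.
    for p in (25, 80, 8080, 3476):
        print(p, probe("192.0.2.1", p))
```

A result of "open but silent" only says that the port accepts connections and speaks neither SMTP nor HTTP; it does not identify the service.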