I’ve just read an interesting article entitled “Who Makes the IoT Things Under Attack?”, explaining that devices connected to the Internet such as routers, IP cameras, IP phones, etc. may be recruited into botnets to launch DDoS attacks, and that the bots get in using the default username and password. So you may think that once you’ve updated the firmware (when one is available) and changed the default admin/admin login in the web interface, you’d be relatively safe. You’d be wrong, because the malware mentioned in the article, Mirai, connects over Telnet or SSH and tries a list of default usernames and passwords, regardless of what you changed in the web interface.
That made me curious, so I scanned the ports on my TP-Link wireless router and on the ZTE ZXHN F600W fiber-to-the-home GPON modem pictured below. The modem was installed by my Internet provider, the biggest in the country where I live, so there may be hundreds of thousands or millions of such modems in the country with the same default settings.
I started by scanning the TP-Link router from the local network:

```
sudo nmap -sS 192.168.0.1

Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:10 ICT
Nmap scan report for 192.168.0.1 (192.168.0.1)
Host is up (0.00034s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
80/tcp    open  http
1900/tcp  open  upnp
49152/tcp open  unknown
MAC Address: 94:0C:6D:XX:XX:XX (Tp-link Technologies)

Nmap done: 1 IP address (1 host up) scanned in 14.15 seconds
```
The web interface (80/tcp) and UPnP (1900/tcp) ports are open, plus an extra port (49152/tcp) most likely opened by the UPnP service itself, which looked fine for the LAN side.
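As an added example that is not part of the original post, here is a small Python script for triaging nmap's normal output, so the LAN-side and public-side scans on this page can be compared systematically. It parses the port table, rates each open port against a simple exposure policy (Telnet never; web admin UI, UPnP and DNS acceptable on the LAN only) and, because the public-address scan later in this post reports sub-millisecond latency, flags a "public" scan that was in fact launched from inside the LAN. The exposure policy, the 5 ms latency threshold and the embedded sample outputs are assumptions constructed to mirror the scans on this page; MODEM-PUBLIC-IP is a placeholder, not a real address.

```python
"""Triage nmap normal-format output for a home router/modem.

Added example for this post, not code from the original article.  It parses
the text nmap prints by default, rates every open port against a simple
exposure policy, and warns when a scan of the public address was actually
launched from inside the LAN.  The policy, the latency threshold and the
samples below are assumptions constructed to mirror the scans in this post;
MODEM-PUBLIC-IP is a placeholder, not a real address.
"""
import re

# Cleartext remote-administration services: off on every interface.
# (Default-credential bots such as Mirai brute-force these.)
NEVER = {"telnet"}
# Acceptable on the inside interface, a finding when reachable from the WAN.
LAN_ONLY = {"http", "https", "upnp", "domain"}
# Heuristic (assumption): a real Internet-side scan has well over 5 ms RTT.
INSIDE_LATENCY_S = 0.005

SCAN_REPORT = re.compile(r"^Nmap scan report for (\S+)", re.M)
LATENCY = re.compile(r"\(([\d.]+)s latency\)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)


def parse_nmap(text):
    """Return (target, latency_seconds, [(port, proto, state, service), ...])."""
    m = SCAN_REPORT.search(text)
    target = m.group(1) if m else "?"
    lat = LATENCY.search(text)
    latency = float(lat.group(1)) if lat else None
    ports = [(int(p), proto, state, svc)
             for p, proto, state, svc in PORT_LINE.findall(text)]
    return target, latency, ports


def scanned_from_inside(text):
    """True if the latency says the packets never left the local network."""
    _, latency, _ = parse_nmap(text)
    return latency is not None and latency < INSIDE_LATENCY_S


def triage(text, public):
    """Rate each open port; public=True means the target was the WAN address.

    Returns (target, findings) where each finding is (port, service, level, why).
    """
    target, _, ports = parse_nmap(text)
    findings = []
    for port, proto, state, svc in ports:
        if state != "open":
            continue
        if svc in NEVER:
            level, why = "CRITICAL", "cleartext admin service; disable it or change every default login"
        elif public and svc in LAN_ONLY:
            level, why = "HIGH", "management/discovery service answering on the public address"
        elif svc == "unknown":
            level, why = "REVIEW", "unidentified service; fingerprint it with nmap -sV"
        else:
            level, why = "OK", "expected on the LAN side"
        findings.append((port, svc, level, why))
    return target, findings


def report(text, public):
    """Human-readable triage: one line per open port plus the inside-scan caveat."""
    target, findings = triage(text, public)
    lines = [f"{target} ({'public' if public else 'LAN'} side)"]
    for port, svc, level, why in findings:
        lines.append(f"  {port:>5} {svc:<8} {level:<8} {why}")
    if public and scanned_from_inside(text):
        lines.append("  NOTE: sub-5 ms latency, this scan ran from inside the LAN;"
                     " confirm from an outside host before trusting the result")
    return "\n".join(lines)


# Constructed sample outputs modelled on the scans in this post.
TPLINK_LAN = """\
Nmap scan report for 192.168.0.1 (192.168.0.1)
Host is up (0.00034s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
80/tcp    open  http
1900/tcp  open  upnp
49152/tcp open  unknown
MAC Address: 94:0C:6D:XX:XX:XX (Tp-link Technologies)
"""

ZTE_LAN = """\
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.00086s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
"""

# Same services on the placeholder public address, scanned from the LAN.
ZTE_WAN = (ZTE_LAN.replace("192.168.1.1 (192.168.1.1)", "MODEM-PUBLIC-IP")
                  .replace("0.00086s", "0.00088s"))

if __name__ == "__main__":
    print(report(TPLINK_LAN, public=False))
    print(report(ZTE_LAN, public=False))
    print(report(ZTE_WAN, public=True))
```

To use it on your own device, run `sudo nmap -sS <address> > scan.txt` and pass the file contents to `report()` with `public=True` for the WAN address; the "NOTE" line is the reminder that a scan from your own LAN does not prove what the Internet can reach.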
Next I did the same on the ZTE modem, first from the local network:
```
sudo nmap -sS 192.168.1.1

Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:10 ICT
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.00086s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 20.12 seconds
```
The telnet port is open, which is not good. It would be much worse if it were also open on the public IP. One caveat about the next scan: it was launched from inside the LAN (the sub-millisecond latency shows the packets never left the local network), so it only proves that the modem answers on its public address from the inside; whether those ports are really reachable from the Internet has to be confirmed from an outside host:
```
sudo nmap -sS MODEM-PUBLIC-IP

Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:11 ICT
Nmap scan report for MODEM-PUBLIC-IP
Host is up (0.00088s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 22.71 seconds
```