[ previous ] [ next ] [ threads ]
 
 From:  Chet Harvey <chet at pittech dot com>
 To:  Alex Sandini <asandini at blue dash chip dot be>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] tcp open ports on wan interface in 1.1
 Date:  Fri, 3 Sep 2004 13:29:12 -0400
yeah the modem should act as a bridge only but I know that some have admin 
capabilities that respond on certain ports. Kinda silly if you ask me.

If you run Shields Up from inside the network does it see these too?

(I know thats not a great source but a good second eval)

You could also run just Nessus to see if there is a responding service exploit 
on those ports.

and this is a great statement: "No way on this box, users are accessing it and 
I don't want them to bother me because they can't connect..."

Thats funny....

Chet Harvey
Pitbull Technologies <http://www.pittech.com/> 
Protecting your Digital Assets
703.407.7311


Quoting Alex Sandini <asandini at blue dash chip dot be>:

> 
> 
> Chet Harvey wrote:
> > Looking at the NMap output a few questions come to mind, A) does m0n0 plug
> 
> > directly into the internet connection or B) do you have a "modem" device 
> > between m0n0 and the outside?
> Correct, the m0n0 is connected to a Terayon terapro cable modem, good point.
> 
> > 
> > I ask because the footprint is ID'd as "Panasonic IP Technology Broadband 
> > Networking Gateway, KX-HGW200".
> AFAIK, the cable modem work's as bridge; when a plug a linux, openbsd or 
> freebsd box to it, nmap reconize them as correctly.
> Anyway, nmap OS guess is not to be trusted when ICMP is blocked and no 
> rules are set to reject at least one port and accept at least one port 
> on the firewall. I'll try to open m0n0's http port on WAN in a test 
> environment.
> 
> > 
> > When I run nessus or nmap against mine straight to the WAN interface (no
> router 
> > or modem in between) using version 1.1b15 it can not ID the OS but guesses
> it 
> > is Unix.
> > 
> > It could be your broadband router or modem that is actually responding.
> Absolutely correct, thx for pointing it out.
> > 
> > Just a thought.
> > 
> > 1 suggestion, move SSH off of port 22 and change the response field to not
> ID 
> > as SSH. I love watching people run RDP hacks on port 3389 which isn't RDP.
> I am 
> > freak like that =)
> No way on this box, users are accessing it and I don't want them to 
> bother me because they can't connect...
> 
> Alex
> > 
> > 
> > Chet Harvey
> > Pitbull Technologies <http://www.pittech.com/> 
> > Protecting your Digital Assets
> > 703.407.7311
> > 
> > 
> > Quoting Alex Sandini <asandini at blue dash chip dot be>:
> > 
> > 
> >>/usr/local/bin/nmap -O -A -T4 example.com
> >>Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-03 13:03 
> >>CEST
> >>Warning:  OS detection will be MUCH less reliable because we did not 
> >>find at least 1 open and 1 closed TCP port
> >>Interesting ports on example.com (xxx.xxx.xxx.xxx):
> >>(The 1656 ports scanned but not shown below are in state: filtered)
> >>PORT     STATE SERVICE       VERSION
> >>22/tcp   open  ssh           OpenSSH 3.9p1 (protocol 1.99)
> >>389/tcp  open  ldap?
> >>1002/tcp open  windows-icfw?
> >>1720/tcp open  microsoft-rdp Microsoft Terminal Service (Used with 
> >>Netmeeting, Remote Desktop, Remote Assistance)
> >>Device type: general purpose|media device|broadband router
> >>Running: Linux 2.4.X, Pace embedded, Panasonic embedded
> >>OS details: Linux 2.4.6 - 2.4.21, Pace digital cable TV receiver, 
> >>Panasonic IP Technology Broadband Networking Gateway, KX-HGW200
> >>
> >>Nmap run completed -- 1 IP address (1 host up) scanned in 207.037 seconds
> >>
> >>nmap is ran from my office, the m0n0wall is at home.
> >>
> >>The only forwarded port is the 22.
> >>I can indeed connect to to ports 389, 1002 and 1720 from the WAN
> interface.
> >>
> >>The telnet connections on are not shown when typing netstat -an in
> exec.php.
> >>
> >>Any can confirm/explain this?
> >>
> >>Cheers,
> >>Alex
> >>
> >>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >>
> >>
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
>