Where's Waldo? Auditing My Wi-Fi

So a few days ago, I was playing around with nmap on my home network, just reviewing a few command line options. It's really remarkable exactly how much stuff is attached to my network these days. I don't think I'm exceptional in this regard either — I have your usual family-of-four stuff — cell phones, computers (too many of which are mine), DirecTV equipment, network provider equipment, and so on. This is a list of stuff from a network probe of my Wi-Fi. I don't expect yours will be very different:

Figure 1: All the garbage attached to my home network. Yikes!

So the Belkin stuff is all DirecTV equipment; there's a couple of laptops, a printer, a switch — really nothing exciting. But there are a couple of things I want to look at a little more closely. There's unknown devices on .128 and .131, and something that nmap thinks is a Honeywell Medical device on .147 based on the MAC address. I know I don't have one of those either. So let's do a detailed scan of these IPs and see what we can find (this is the results of the command nmap -iL ips.txt -oA ips -A, where the IPs are listed in the ips.txt file, one per line).

First, let's look at .128:

Nmap scan report for 192.168.1.128

Host is up (0.0031s latency).

All 1000 scanned ports on 192.168.1.128 are closed

MAC Address: 0C:B2:B7:03:9A:52 (Texas Instruments)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1

closed port

Aggressive OS guesses: D-Link DI-524 wireless broadband router (98%), Bose SoundTouch 20

audio receiver (95%), Denon CEOL RDC-N8 audio system (95%), Yamaha RX-S600 or Denon AVR-1

912 or AVR-2312 audio receiver (95%), KCorp KLG-575 WAP (95%), Sony CMT-MX700Ni audio pla

yer (95%), Virdi 3000 fingerprint access controller (95%), Yamaha RX-A2040 AV receiver (9

5%), D-Link DI-524 or WBR-2310 wireless broadband router (95%), D-Link DWL-900AP+, Planet

WAP-1966, or USRobotics USR5450 WAP (95%)

No exact OS matches for host (test conditions non-ideal).

Not much here. We'll try another simple scan on this shortly and widen our port range.

.131 gives us this:

Nmap scan report for 192.168.1.131

Host is up (0.0071s latency).

Not shown: 997 closed ports

PORT STATE SERVICE VERSION

80/tcp open http SAGE EAS Digital Endec remote audio monitor/level meter

|_http-title: Site doesn't have a title.

111/tcp open rpcbind 2 (RPC #100000)

| rpcinfo:

| program version port/proto service

| 100000 2 111/tcp rpcbind

|_ 100000 2 111/udp rpcbind

5555/tcp open zmtp ZeroMQ ZMTP 2.0

MAC Address: 2C:A1:7D:40:2C:C0 (Arris Group)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6.36 - 2.6.37, Linux 2.6.37

That's a little more interesting. We'll need to attach to the HTTP port and see what we get on this one, too. Finally, .147 gives us:

Nmap scan report for TSVE0affa3 (192.168.1.147)

Host is up (0.0058s latency).

Not shown: 998 filtered ports

PORT STATE SERVICE VERSION

80/tcp open http Jetty 6.1.11

|_http-server-header: Jetty(6.1.11)

|_http-title: Enter activation key

8080/tcp open http Jetty 6.1.11

|_http-server-header: Jetty(6.1.11)

|_http-title: Enter activation key

MAC Address: B8:2C:A0:0A:FF:A3 (Honeywell HomMed)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: general purpose

Running: Linux 3.X

OS CPE: cpe:/o:linux:linux_kernel:3

OS details: Linux 3.6 - 3.10

Another HTTP port opens here. Well, this is a start. I'm going to need to start to look at these all a bit more closely. Stay tuned for more NMAP fun!