
Hacking Your Home


What's running on your network?


So, I've been looking a little deeper into what I have running on my network over the past day or so, and I found a few interesting things. I covered the most interesting things I found in my last piece, as well as some initial scans of the equipment I found. I had a couple of interesting addresses on my NAT LAN, at .128, .131, and .147.

I have no idea what's running at .128. Whatever it is, it has absolutely no ports open, and believe me, I've looked over them all (nmap ... -p-65535 is your friend). I ran all the usual suspects from the script library too, and it doesn't register any vulnerabilities nor has it been hooked by any known malware. I'm going to need to figure out another way to get to whatever that is.

So, I gave up on that, for now, to take a look at .131, which has been more interesting so far.

Let's look a bit more closely at this .131. The device will still be resident on the network when turned off, seemingly, but none of its services are active. The services on the device will only be active when the box is on, as I've had some scans return with no open services and some return with services available. So what do we see?

Nmap scan report for 192.168.1.131
Host is up (0.0071s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    SAGE EAS Digital Endec remote audio monitor/level meter
|_http-title: Site doesn't have a title.
111/tcp  open  rpcbind 2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|_  100000  2            111/udp  rpcbind
5555/tcp open  zmtp    ZeroMQ ZMTP 2.0
MAC Address: 2C:A1:7D:40:2C:C0 (Arris Group)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.36 - 2.6.37, Linux 2.6.37
Network Distance: 1 hop


We have a few interesting services here. We have RPC running via TCP and UDP on port 111, something that identifies as an emergency alert system running on port 80, and ZeroMQ running on port 5555. The 5555 service will also show as freeciv in a default scan. These are actually all very interesting to me. I don't see why any of my devices need to be able to execute remote procedure calls or run a message service. Let's look a little more deeply at these. It could have something to do with one of my entertainment systems, or perhaps my Internet-enabled doorbell, or even my home security system. We'll see, stay tuned!
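
Added example, not part of the original article: because the services on .131 come and go between scans, a short Python script can parse saved nmap normal-output reports, list ports that are open only some of the time, and flag open ports missing from an allowlist. The device-off scan and the allowlist are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample input in nmap's normal text output format. SCAN_ON reuses
# the port lines shown above; SCAN_OFF is a made-up "device switched off" scan.
SCAN_OFF = """Nmap scan report for 192.168.1.131
All 1000 scanned ports on 192.168.1.131 are closed
MAC Address: 2C:A1:7D:40:2C:C0 (Arris Group)
"""
SCAN_ON = """Nmap scan report for 192.168.1.131
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    SAGE EAS Digital Endec remote audio monitor/level meter
111/tcp  open  rpcbind 2 (RPC #100000)
|_  100000  2            111/udp  rpcbind
5555/tcp open  zmtp    ZeroMQ ZMTP 2.0
MAC Address: 2C:A1:7D:40:2C:C0 (Arris Group)
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([\d.]+)\)?$")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)\s*(.*)$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")

def parse_nmap(text):
    """Return {ip: {"vendor": str, "ports": {"80/tcp": "http ...", ...}}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"vendor": "unknown", "ports": {}})
        elif cur is not None and (m := PORT_RE.match(line)):
            # Script output lines start with "|" and never match PORT_RE.
            cur["ports"][m.group(1)] = f"{m.group(2)} {m.group(3)}".strip()
        elif cur is not None and (m := MAC_RE.match(line)):
            cur["vendor"] = m.group(2)
    return hosts

def intermittent(scans):
    """Ports open in at least one scan of a host but not in every scan of it."""
    seen, always = {}, {}
    for scan in scans:
        for ip, host in scan.items():
            ports = set(host["ports"])
            seen[ip] = seen.get(ip, set()) | ports
            always[ip] = always.get(ip, ports) & ports
    return {ip: sorted(seen[ip] - always[ip]) for ip in seen if seen[ip] - always[ip]}

def unexpected(scan, allowlist):
    """Open ports per host that the owner's allowlist does not account for."""
    extra = {ip: sorted(set(h["ports"]) - allowlist.get(ip, set())) for ip, h in scan.items()}
    return {ip: ports for ip, ports in extra.items() if ports}
```

Feed `parse_nmap` the text of each saved report, pass the results to `intermittent` in scan order, and keep the allowlist as the record of which services you have actually identified.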
