Hacking Your Home
What's running on your network?
So, I've been looking a little deeper into what I have running on my network over the past day or so, and I found a few interesting things. I covered the most interesting things I found in my last piece, as well as some initial scans of the equipment I found. I had a couple of interesting addresses on my NAT LAN, at .128, .131, and .147.
I have no idea what's running at .128. Whatever it is, it has absolutely no ports open, and believe me, I've looked over them all (nmap ... -p-65535 is your friend). I ran all the usual suspects from the script library too, and it doesn't register any vulnerabilities nor has it been hooked by any known malware. I'm going to need to figure out another way to get to whatever that is.
So, I gave up on that, for now, to take a look at .131, which has been more interesting so far.
Let's look a bit more closely at this .131. The device will still be resident on the network when turned off, seemingly, but none of its services are active. The services on the device will only be active when the box is on, as I've had some scans return with no open services and some return with services available. So what do we see?
Nmap scan report for 192.168.1.131
Host is up (0.0071s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    SAGE EAS Digital Endec remote audio monitor/level meter
|_http-title: Site doesn't have a title.
111/tcp  open  rpcbind 2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2          111/tcp  rpcbind
|_  100000  2          111/udp  rpcbind
5555/tcp open  zmtp    ZeroMQ ZMTP 2.0
MAC Address: 2C:A1:7D:40:2C:C0 (Arris Group)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.36 - 2.6.37, Linux 2.6.37
Network Distance: 1 hop
We have a few interesting services here. We have RPC running via TCP and UDP on port 111, something that identifies as an emergency alert system running on port 80, and ZeroMQ running on port 5555. The 5555 service will also show as freeciv in a default scan. These are actually all very interesting to me — I don't see why any of my devices need to be able to execute remote procedure calls or run a message service. Let's look a little more deeply at these. It could have something to do with one of my entertainment systems, or perhaps my Internet-enabled doorbell, or even my home security system. We'll see, stay tuned!
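The following is an added example, not code from the original article: a small Python script that parses nmap's normal output and diffs two scans of the same host, so you can record which services appear only while the device is switched on. The port rows in SCAN_ON are taken from the scan above; SCAN_OFF, the function names and the variable names are constructed for illustration.

```python
import re

# Port-table rows in nmap's normal output look like "80/tcp open http <version...>".
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_open_ports(report: str) -> dict:
    """Return {(port, proto): (service, version)} for rows whose state is 'open'."""
    found = {}
    for line in report.splitlines():
        m = PORT_ROW.match(line.strip())  # NSE script lines start with '|' and are skipped
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = (m.group(4), m.group(5).strip())
    return found

def diff_scans(before: str, after: str) -> dict:
    """Compare two scans of one host; report services that appeared or vanished."""
    old, new = parse_open_ports(before), parse_open_ports(after)
    return {
        "appeared": {k: new[k] for k in sorted(new.keys() - old.keys())},
        "vanished": {k: old[k] for k in sorted(old.keys() - new.keys())},
    }

# Scan of .131 with the device switched on (rows copied from the article).
SCAN_ON = """\
Nmap scan report for 192.168.1.131
Host is up (0.0071s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    SAGE EAS Digital Endec remote audio monitor/level meter
|_http-title: Site doesn't have a title.
111/tcp  open  rpcbind 2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2          111/tcp  rpcbind
|_  100000  2          111/udp  rpcbind
5555/tcp open  zmtp    ZeroMQ ZMTP 2.0
"""

# Constructed sample: the same host scanned while the device is switched off.
SCAN_OFF = """\
Nmap scan report for 192.168.1.131
Host is up (0.0069s latency).
All 1000 scanned ports on 192.168.1.131 are closed
"""

if __name__ == "__main__":
    for change, ports in diff_scans(SCAN_OFF, SCAN_ON).items():
        for (port, proto), (svc, ver) in ports.items():
            print(f"{change}: {port}/{proto} {svc} {ver}")
```

Saving each scan to a file and feeding consecutive pairs to diff_scans gives a simple change log for a device on your own network.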