Linksys Router port 80 open

Offsecguy

Mar 8, 2015, 12:12:37 PM
to null-...@googlegroups.com
Hello Friends,

I have scanned an IP address and found only port 80 is open. The Nmap service scan is unable to detect the HTTP server name. It seems to be a Linksys broadband router from the Nmap OS detection, and I guess they have done some hardening on the Linksys router.

Has anyone come across this problem?

Nmap output:-

Host is up, received user-set (0.011s latency).
PORT   STATE SERVICE REASON  VERSION
80/tcp open  http?   syn-ack
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=6.47%I=7%D=3/8%Time=54FC2E7F%P=i686-pc-linux-gnu%r(HTTPOpt

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|WAP|phone
Running: iPXE 1.X, Linksys Linux 2.4.X, Linux 2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:ipxe:ipxe:1.0.0%2b cpe:/o:linksys:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6 cpe:/h:sonyericsson:u8i_vivaz
OS details: iPXE 1.0.0+, Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone

karniv0re

Mar 8, 2015, 5:48:17 PM
to null-...@googlegroups.com
What is the problem?

Offsecguy

Mar 9, 2015, 1:47:20 AM
to null-...@googlegroups.com
Unable to detect the HTTP server name or version, and I don't get any response with netcat. Is it really some HTTP server?

karniv0re

Mar 9, 2015, 4:46:33 AM
to null-...@googlegroups.com
What did you try with netcat? If port 80 is open, it is most likely an HTTP server. And it is also possible for a server to be set up in such a way that it does not give out any telltale headers.

Regards,
karniv0re

Offsecguy

Mar 9, 2015, 7:24:07 AM
to null-...@googlegroups.com
I tried:

nc -nvv IP 80
(UNKNOWN) [IP] 80 (http) open
GET / HTTP/1.0


<HTML>
<HEAD>
<TITLE>Could Not Connect</TITLE>
</HEAD>

<BODY BGCOLOR="white" FGCOLOR="black">
<H1>Could Not Connect</H1>
<HR>

<FONT FACE="Helvetica,Arial"><B>
Description: Could not connect to the requested server host.
</B></FONT>
<HR>
</BODY>
 sent 17, rcvd 247

From a range of IP addresses I find only port 80 open and no response :(

Gaurav Raval

Mar 9, 2015, 8:53:54 AM
to null-...@googlegroups.com
It may be port forwarding & mapped with some server.

--Gaurav Raval


karniv0re

Mar 9, 2015, 9:39:56 AM
to null-...@googlegroups.com
Use the Host header along with HTTP/1.1. See if there is any difference.

Regards,
karniv0re

Shah Dhruv

Mar 9, 2015, 10:14:41 AM
to null-...@googlegroups.com

Could be a possibility that it is restricted to a particular IP address for access, if it's a router.


Offsecguy

Mar 10, 2015, 1:25:33 AM
to null-...@googlegroups.com
Gaurav - If it's been port forwarded, I should be able to probe the internal server, right?

Synpter - If the firewall allows only a particular IP address, the nmap scan result should be filtered, right? Not open.

Carnivore - I don't have a hostname for this IP address; it's challenging to identify virtual hosts.

Anant Shrivastava

Mar 10, 2015, 1:28:48 AM
to null-...@googlegroups.com
What karniv0re meant was to change HTTP/1.0 to HTTP/1.1 in your request. That might give a different response.

Anant Shrivastava 
Web : http://anantshri.info

karniv0re

Mar 10, 2015, 2:15:04 AM
to null-...@googlegroups.com
What I meant was to use the Host header. Which means your input to netcat after it is connected becomes:

OPTIONS / HTTP/1.1
Host: I.P.Address.Here

Try using other verbs as well.

Regards,
karniv0re

Offsecguy

Mar 10, 2015, 1:14:00 PM
to null-...@googlegroups.com
Hi All, 

Thank you for responding. I have tried with netcat again, as suggested by Karniv0re, with different verbs: GET, POST, HEAD, OPTIONS etc.

Same issue. If this HTTP server is configured with virtual servers, do we have to provide an existing virtual server name, or does just the IP also work?

nc -nvv IP_address 80
(UNKNOWN) [IP_address] 80 (http) open
HEAD / HTTP/1.1
Host: IP_address

 sent 37, rcvd 0

Offsecguy

Mar 14, 2015, 4:20:50 PM
to null-...@googlegroups.com
Hello Friends,

It seems I have identified the reason for this behavior; however, I could not identify the logic behind it. Maybe someone can help here.

1) It was strange that port 80 was open on every IP address in the entire /25 range; however, it never struck me.
2) Strange behavior with netcat, as described before.
3) The other day while scanning there was a different scan result.

Now it was time for me to freak out and start thinking about it. My first suspicion was on the firewall, so I checked with the client for any firewall changes. The client confirmed no changes were made on the firewall.

Then I realized the different result I got was from my Airtel 4G connection, and I am using ACT broadband as my primary connection. ACT broadband identifies all IP addresses as having port 80 open, and ACT provides me a private range of IP addresses (strange). Maybe ACT is using some proxy which responds to the port scan.

ACT broadband screwed up my testing. Has anyone faced a similar issue with ACT? Any logical reason behind this?

Anant Shrivastava

Mar 14, 2015, 4:26:41 PM
to null-...@googlegroups.com
ACT has a transparent caching proxy and that's the reason you get this response. Never run your scans from the ACT network; rather, use a pivot box and run scans via it.

refer:

So far calling them up has not resulted in any good (believe me on that, I have had 3 calls of 1 hour each, hopping from one person to another till one person responded yes, we run a transparent proxy but we can't do anything about it).

Anant Shrivastava 
Web : http://anantshri.info
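
A sanity check built from the three signals in this thread (every address in the range shows port 80 open, the same canned response comes back everywhere, and the result changes from another network), as an added example that is not code from any poster. The input format, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import ipaddress
from collections import Counter

def body_digest(raw: bytes) -> str:
    # Hash only the body so varying headers do not mask an identical error page.
    head, sep, body = raw.partition(b"\r\n\r\n")
    return hashlib.sha256(body if sep else raw).hexdigest()

def interception_report(primary, secondary, min_share=0.9):
    """Each argument maps ip -> {"open": bool, "response": bytes} for port 80,
    collected from two different networks (hypothetical input format)."""
    open_primary = [ip for ip, r in primary.items() if r["open"]]
    # Signal 3 in the thread: the result changes with the network used.
    disagree = sorted(ip for ip in open_primary
                      if not secondary.get(ip, {}).get("open", False))
    # Signal 1: every address in the range shows the port open.
    all_open = bool(primary) and len(open_primary) == len(primary)
    # Signal 2: the same canned page (or nothing) comes back from every host.
    digests = Counter(body_digest(primary[ip]["response"]) for ip in open_primary)
    top_share = max(digests.values()) / len(open_primary) if open_primary else 0.0
    return {
        "all_open": all_open,
        "identical_share": top_share,
        "open_only_from_primary": disagree,
        "suspected_interception": bool(disagree)
                                  and (all_open or top_share >= min_share),
    }

# Constructed sample data: documentation address range, not real scan output.
PROXY_PAGE = b"<HTML><HEAD><TITLE>Could Not Connect</TITLE></HEAD></HTML>"
HOSTS = [str(h) for h in ipaddress.ip_network("192.0.2.0/29").hosts()]
PRIMARY = {ip: {"open": True, "response": PROXY_PAGE} for ip in HOSTS}
SECONDARY = {ip: {"open": False, "response": b""} for ip in HOSTS}
SECONDARY[HOSTS[0]] = {"open": True,
                       "response": b"HTTP/1.1 200 OK\r\n\r\n<html>login</html>"}

if __name__ == "__main__":
    print(interception_report(PRIMARY, SECONDARY))
```

When the report flags interception, treat the primary network's port 80 results as unreliable and rescan from the second vantage point before writing anything up.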

TAS

Mar 14, 2015, 4:29:09 PM
to null-...@googlegroups.com
Try nmap -Pn --traceroute -p 80 IP address here.

And the last IP address in the output is where you are likely getting the response from. From your email it looks like there is some intermediate device that is responding to your scan.

I am not commenting on the ACT part.

Offsecguy

Mar 15, 2015, 3:40:06 AM
to null-...@googlegroups.com, p0wn...@googlemail.com
Thank you Anant,

I was going crazy with this problem.

For now I will stick with my Airtel 4G.