7

I'm fairly new to network stuff and currently exploring a Wi-Fi radio device in my home network. In this process I noticed an open port.

58028/tcp open     unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port58028-TCP:V=7.00%I=7%D=12/20%Time=5676C80D%P=x86_64-unknown-linux-g
SF:nu%r(GetRequest,53,"HTTP/1\.1\x20412\x20Failed\r\nServer:\x20FSL\x20DLN
SF:ADOC/1\.50\x20UPnP\x20Stack/1\.0\r\nContent-Length:\x200\r\n\r\n")%r(HT
SF:TPOptions,53,"HTTP/1\.1\x20412\x20Failed\r\nServer:\x20FSL\x20DLNADOC/1
SF:\.50\x20UPnP\x20Stack/1\.0\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequ
SF:est,53,"HTTP/1\.1\x20412\x20Failed\r\nServer:\x20FSL\x20DLNADOC/1\.50\x
SF:20UPnP\x20Stack/1\.0\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequ
SF:est,53,"HTTP/1\.1\x20412\x20Failed\r\nServer:\x20FSL\x20DLNADOC/1\.50\x

This is the corresponding nmap output. So now I am naturally interested in this service. How does one continue now? I tried netcat, but the connection was reset by peer. It does not respond to HTTP requests either.

Any advice or tips or common methodologies?

try_some_ubik

1 Answer

2

Some initial first next steps I would undertake are:

  1. Take a look at the device MAC address; the first three bytes are a vendor ID, which might help elucidate what the device is, or at the very least the manufacturer of the network device.
  2. Look up the services that use that port. It could be a dynamically used port from an application, I've seen "Xsan. Xsan Filesystem Access". Do you have storage area network devices or Macs on your network?
  3. Then I'd start looking to see if any of the substrings in the nmap report are useful. I see "RTSPRequest", I'm going to venture and say RTSP is "Real Time Streaming Protocol (RTSP)". I'm starting to suspect a streaming video server is involved here, maybe even an Apple TV device.
  4. The DLNADOC string also supports the idea that the function of this service might be related to streaming media.

Since this looks like a media server I'll stop here. But you could continue looking into the other substrings (FourOhFourRequest for instance), telnet in and send HTTP commands to the web server, try common paths to see if any web pages exist...

Whome
  • Thank you for your response. I did not make this very clear: I already know what kind of device it is. It's an internet radio device and it has an HTTP server I can interact with. I was just curious about this specific service. Still, your points 2 and 3 stand, and the RTSP is a nice hint. – try_some_ubik Dec 20 '15 at 17:00
  • 2
    @try_some_ubik: The RTSP is just the name of nmap's probe which triggered an answer from the device (which was a "HTTP/1.1 402 Failed" answer, the same answer as when trying a classic HTTP GET); it doesn't mean that the service is related to RTSP in any way. Each probe is described between parentheses as follows: '(' probe name ',' response length ',"' response string '")'. Apparently the device talks HTTP but does not answer GET requests, so one may try other HTTP requests... – WhiteWinterWolf Dec 20 '15 at 17:07
  • 1
    @try_some_ubik However, the "DLNADOC" string is indeed part of the device's answer; the server identifies itself as follows: "Server: FSL DLNADOC/1.50 UPnP Stack/1.0". A quick search seems to show that there are standards describing UPnP/DLNA media streaming, which is most probably the actual service offered on this port :) ! – WhiteWinterWolf Dec 20 '15 at 17:28
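
The fingerprint layout described in the comments above, as an added example that is not part of the original thread: a small Python parser that rejoins the wrapped `SF:` lines from the question, splits out each `(probe name, length, "response")` entry and decodes the escaped response back into bytes. The function names are hypothetical, the escape set handled and the reading of the length field as hexadecimal are assumptions (the sample bears the latter out: 0x53 = 83 bytes), and the last probe is skipped because the page truncates it.

```python
import re

# Fingerprint lines copied from the question; the page truncates the last probe.
FINGERPRINT = r'''
SF-Port58028-TCP:V=7.00%I=7%D=12/20%Time=5676C80D%P=x86_64-unknown-linux-g
SF:nu%r(GetRequest,53,"HTTP/1\.1\x20412\x20Failed\r\nServer:\x20FSL\x20DLN
SF:ADOC/1\.50\x20UPnP\x20Stack/1\.0\r\nContent-Length:\x200\r\n\r\n")%r(HT
SF:TPOptions,53,"HTTP/1\.1\x20412\x20Failed\r\nServer:\x20FSL\x20DLNADOC/1
SF:\.50\x20UPnP\x20Stack/1\.0\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequ
SF:est,53,"HTTP/1\.1\x20412\x20Failed\r\nServer:\x20FSL\x20DLNADOC/1\.50\x
SF:20UPnP\x20Stack/1\.0\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequ
SF:est,53,"HTTP/1\.1\x20412\x20Failed\r\nServer:\x20FSL\x20DLNADOC/1\.50\x
'''

# %r(<probe name>,<length>,"<escaped response>")
PROBE = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:\\.|[^"\\])*)"\)', re.S)
ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)', re.S)
SIMPLE = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}  # assumed escape set

def unescape(raw):
    # Turn the escaped response text back into the bytes the device sent.
    def repl(m):
        tok = m.group(1)
        if len(tok) == 3:                       # \xHH
            return chr(int(tok[1:], 16))
        return SIMPLE.get(tok, tok)             # \. -> ".", \r -> CR, ...
    return ESCAPE.sub(repl, raw).encode("latin-1")

def parse_fingerprint(text):
    """Return (header, probes); a probe cut off by truncation is skipped."""
    # Lines wrap mid-token (even mid-escape), so strip "SF-"/"SF:" and join.
    joined = "".join(l.strip()[3:] for l in text.splitlines()
                     if l.strip()[:3] in ("SF-", "SF:"))
    header = joined.partition("%r(")[0]
    probes = [{"probe": n, "declared": int(h, 16), "data": unescape(r)}
              for n, h, r in PROBE.findall(joined)]
    return header, probes

def server_banner(data):
    # Extract the Server header value from a decoded HTTP response.
    for line in data.decode("latin-1").split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "server":
            return value.strip()
    return None

if __name__ == "__main__":
    for p in parse_fingerprint(FINGERPRINT)[1]:
        status = p["data"].split(b"\r\n", 1)[0].decode()
        print(f'{p["probe"]:12} {status!r} server={server_banner(p["data"])!r}')
```

Comparing the decoded responses across probes shows whether the service answered each one differently or returned the same canned reply to everything.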