
I have an uninvited guest using my private WLAN. At first I thought it was probably just a tech-savvy neighbour in need of Internet access, in which case it wouldn't really bother me.

However, I've noticed they always seem to connect the same three devices, all at the same time, which piqued my curiosity. I decided to investigate, so that I might be able to ascertain just what exactly this person is getting up to.

So naturally, I began the process by firing up nmap, which reported several mysterious and/or unknown services bound to various arbitrary and/or unusual open TCP port numbers.

This brings me to the question at hand:

What's next? What more can I do to investigate and/or identify the "unknown services" in situations like this one, where nmap has fallen short?


Nmap Report:

root@localhost:~# nmap -A 10.1.1.2-7 -p 1-65535

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-21 15:31 EDT

Stats: 2:22:10 elapsed; 3 hosts completed (3 up), 3 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 76.17% done; ETC: 18:37 (0:44:28 remaining)

Nmap scan report for 10.1.1.2
Host is up (0.044s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE VERSION
6258/tcp  open  unknown
8382/tcp  open  unknown
9999/tcp  open  abyss?
38859/tcp open  unknown
49152/tcp open  upnp    Portable SDK for UPnP devices 1.6.20 
                        (Linux 3.4.0-perf-g61a2a9a;UPnP 1.0)

2 services unrecognized despite returning data.
If you know the service/version, please submit the following fingerprints 
at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6258-TCP:V=6.47%I=7%D=5/21%Time=5740ECE2%P=armv7l-unknown-linux-gnu
SF:eabi%r(GenericLines,67,"HTTP/1.1\x20200\x20OK\x20\r\nContent-Type:\x20
SF:text/html\r\nAccess-Control-Allow-Origin:*\r\nContent-Length:4\r\n\r\n
SF:<h1></h1>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9999-TCP:V=6.47%I=7%D=5/21%Time=5740ECE2%P=armv7l-unknown-linux-gnu
SF:eabi%r(GetRequest,AF,"HTTP/1.1\x20400\x20Bad\x20Request\r\nServer:\x20
SF:CloudHub\x20HTTP\x20Server\x20v1.0\r\nDate:\x20Sat,\x2021\x20May\x2020
SF:16\x2023:18:56\x20GMT\x2000:00\r\nContent-Length:\x2030\r\nConnection:\
SF:x20Close\r\n\r\n\r\nBad\x20Request\r\n\r\n")%r(HTTPOptions
SF:,AF,"HTTP/1.1\x20400\x20Bad\x20Request\r\nServer:\x20CloudHub\x20HTTP\
SF:x20Server\x20v1.0\r\nDate:\x20Sat,\x2021\x20May\x202016\x2023:18:57\x2
SF:0GMT\x2000:00\r\nContent-Length:\x2030\r\nConnection:\x20Close\r\n\r\n<
SF:HTML>\r\nBad\x20Request\r\n\r\n")%r(FourOhFourRequest,AF,"HTTP/1
SF:.1\x20400\x20Bad\x20Request\r\nServer:\x20CloudHub\x20HTTP\x20Server\x
SF:20v1.0\r\nDate:\x20Sat,\x2021\x20May\x202016\x2023:18:57\x20GMT\x2000:
SF:00\r\nContent-Length:\x2030\r\nConnection:\x20Close\r\n\r\n\r\nBa
SF:d\x20Request\r\n\r\n")%r(RTSPRequest,AF,"HTTP/1.1\x20400\x20Bad
SF:\x20Request\r\nServer:\x20CloudHub\x20HTTP\x20Server\x20v1.0\r\nDate:\
SF:x20Sat,\x2021\x20May\x202016\x2023:18:57\x20GMT\x2000:00\r\nContent-Len
SF:gth:\x2030\r\nConnection:\x20Close\r\n\r\n\r\nBad\x20Request\r\n<
SF:/HTML>\r\n")%r(SIPOptions,AF,"HTTP/1.1\x20400\x20Bad\x20Request\r\nSer
SF:ver:\x20CloudHub\x20HTTP\x20Server\x20v1.0\r\nDate:\x20Sat,\x2021\x20M
SF:ay\x202016\x2023:19:51\x20GMT\x2000:00\r\nContent-Length:\x2030\r\nConn
SF:ection:\x20Close\r\n\r\n\r\nBad\x20Request\r\n\r\n");

MAC Address: 8C:3A:E3:94:B9:A9 (LG Electronics)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel:3.4.0-perf-g61a2a9a

TRACEROUTE
HOP RTT      ADDRESS
1   43.69 ms 10.1.1.2

Nmap scan report for 10.1.1.6
Host is up (0.11s latency).
All 65535 scanned ports on 10.1.1.6 are closed (46662) or filtered (18873)

MAC Address: 64:BC:0C:7D:8A:E9 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT       ADDRESS
1   108.85 ms 10.1.1.6

Nmap scan report for 10.1.1.7
Host is up (0.0083s latency).
Not shown: 64944 closed ports, 590 filtered ports
PORT     STATE SERVICE VERSION
8187/tcp open  unknown

1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprint 
at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8187-TCP:V=6.47%I=7%D=5/21%Time=5740ECE2%P=armv7l-unknown-linux-gnu
SF:eabi%r(GetRequest,22D,"HTTP/1.0\x20400\x20Bad\x20Request\x20\r\nCONTEN
SF:T-TYPE:\x20text/xml;\x20charset=\"utf-8\"\x20\r\nSERVER:\x20UPnP/1.1\x
SF:20Samsung\x20AllShare\x20Server/1.0\x20\r\nCONTENT-LENGTH:\x20417\x20\
SF:r\n\r\n<\?xml\x20version=\"1.0\"\?>http://sch
SF:emas\.xmlsoap\.org/soap/envelope/\"\x20s:encodingStyle=\"http://schemas
SF:\.xmlsoap\.org/soap/encoding/\">s:ClientUPnPError402Invalid\x20Args")%r(HTTPOptions,22D,"HTTP/1.0\x20400\x20B
SF:ad\x20Request\x20\r\nCONTENT-TYPE:\x20text/xml;\x20charset=\"utf-8\"\x2
SF:0\r\nSERVER:\x20UPnP/1.1\x20Samsung\x20AllShare\x20Server/1.0\x20\r\n
SF:CONTENT-LENGTH:\x20417\x20\r\n\r\n<\?xml\x20version=\"1.0\"\?>http://schemas\.xmlsoap\.org/soap/envelope/\"\x20s:enc
SF:odingStyle=\"http://schemas\.xmlsoap\.org/soap/encoding/\">s:ClientUPnPError402Invalid\x20Args")%r(RTSPRequest
SF:,22D,"HTTP/1.0\x20400\x20Bad\x20Request\x20\r\nCONTENT-TYPE:\x20text/x
SF:ml;\x20charset=\"utf-8\"\x20\r\nSERVER:\x20UPnP/1.1\x20Samsung\x20AllS
SF:hare\x20Server/1.0\x20\r\nCONTENT-LENGTH:\x20417\x20\r\n\r\n<\?xml\x20
SF:version=\"1.0\"\?>http://schemas\.xmlsoap\.or
SF:g/soap/envelope/\"\x20s:encodingStyle=\"http://schemas\.xmlsoap\.org/so
SF:ap/encoding/\">s:ClientUPnPError402Inval
SF:id\x20Args")%r(FourOhFourRequest,22D,"HTTP/1.0\x20400\x20Bad\x20Reque
SF:st\x20\r\nCONTENT-TYPE:\x20text/xml;\x20charset=\"utf-8\"\x20\r\nSERVER
SF::\x20UPnP/1.1\x20Samsung\x20AllShare\x20Server/1.0\x20\r\nCONTENT-LEN
SF:GTH:\x20417\x20\r\n\r\n<\?xml\x20version=\"1.0\"\?>http://schemas\.xmlsoap\.org/soap/envelope/\"\x20s:encodingStyle=
SF:\"http://schemas\.xmlsoap\.org/soap/encoding/\">s:ClientUPnPError402Invalid\x20Args");

MAC Address: 84:2E:27:67:50:0E (Unknown)
No exact OS matches for host.
If you know what OS is running on it, see http://nmap.org/submit/.
TCP/IP fingerprint:
OS:SCAN(V=6.47%E=4%D=5/21%OT=8187%CT=1%CU=39163%PV=Y%DS=1%DC=D%G=Y%M=842E27
OS:%TM=5740ED91%P=armv7l-unknown-linux-gnueabi)SEQ(SP=109%GCD=1%ISR=108%TI=
OS:Z%CI=I%II=I%TS=7)OPS(O1=M5B4ST11NW8%O2=M5B4ST11NW8%O3=M5B4NNT11NW8%O4=M5
OS:B4ST11NW8%O5=M5B4ST11NW8%O6=M5B4ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF
OS:%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NNSNW8%CC=Y%Q=)T1(R=Y%DF
OS:=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=
OS:Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%
OS:RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
OS:IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   8.32 ms 10.1.1.7

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 6 IP addresses (3 hosts up) scanned in 13841.90 seconds
voices
  • Can you monitor where they are going via your router? Sometimes devices will "call home" for updates revealing their manufacturer and in some cases what type of device they are. – Trey Blalock May 22 '16 at 16:02
  • Do you have an open WiFi so that anybody can connect? If not I would suggest that these are either mobile phones or some smart devices (i.e. IoT) you've added to your network, like Smart TV, WiFi light bulbs or similar. – Steffen Ullrich May 22 '16 at 16:51
  • @SteffenUllrich I can assure you; these three particular devices are not mine. – voices May 22 '16 at 22:14
  • @TreyBlalock Sorry, not really sure exactly what you just said. But yeah, it looks like 1x Samsung & 2x LG devices. – voices May 22 '16 at 22:21

1 Answer

You can start with 2 simple steps:

  1. Update to the latest Nmap. Version 6.47 was released in 2014 with a service fingerprint database last updated in June 2013. The current 7.12 release has two and a half years of fingerprint updates you are missing.
  2. You can submit these fingerprints to Nmap so that future versions can include them. Even if you don't have a complete description of the service, describing the device you scanned is helpful.

If you do those things and still have an unidentified service, you can follow the general steps that I do when presented with a service fingerprint submission that doesn't contain identifying information from the user:

  1. Expand the service fingerprint. The service fingerprint format is described in the online documentation, so it's just a matter of separating the various responses and unescaping them. You can see some interesting strings in yours above, like "Samsung AllShare Server" and "CloudHub HTTP Server."
  2. Use Google or your favorite search engine to look for the more unusual strings in those fingerprints. You may find other folks' research, or even source code. In many cases, it's helpful to search GitHub for open source software that might match, since returned messages should exist in the code somewhere.
  3. You can do more probing. I don't have this option post-mortem, but if you still have the live target there, you could add NSE script scanning to your scan, or do manual probing with netcat/Ncat or a web browser.
bonsaiviking
  • Thanks for acknowledging my question; you always try to help me out with good advice re: `nmap`. I was hoping more for something else though (i.e. tools/methods other than `nmap`). Are there any particular NSE scripts (or other tools) that you can recommend for this? FYI: I have submitted a bunch of fingerprints (in detail) in the past, none of which seem to have been implemented or acknowledged. Also, I have a newer version on my main computer; I just happened to be using my old (pwnix) smartphone OS when posting the question. Hopefully I've addressed all your suggestions here; thanks again. – voices May 25 '16 at 09:50
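The answer's first step ("expand the service fingerprint") can be scripted. The following is an added example, not code from the answer or from the Nmap project: it joins the wrapped SF-Port/SF: lines back into one record, splits the header fields from the per-probe responses, unescapes the \xHH, \r, \n and \c escapes, and compares each decoded response against the hex length Nmap declared for it. The sample input is the port 6258 fingerprint copied from the scan report above; the second input is a constructed, deliberately damaged copy with the `<h1></h1>` tags removed, mimicking what an HTML-to-text extractor does to a pasted fingerprint (the port 9999 and 8187 fingerprints above show the same damage). The `http_headers` helper is my own addition for pulling out the `Server:`-style strings worth searching for in step 2.

```python
"""Expand an Nmap service fingerprint (SF-Port... record) into readable probe/response pairs."""
import re

# Fingerprint for the port 6258 service, copied from the scan report above.
SF_6258 = r"""SF-Port6258-TCP:V=6.47%I=7%D=5/21%Time=5740ECE2%P=armv7l-unknown-linux-gnu
SF:eabi%r(GenericLines,67,"HTTP/1.1\x20200\x20OK\x20\r\nContent-Type:\x20
SF:text/html\r\nAccess-Control-Allow-Origin:*\r\nContent-Length:4\r\n\r\n
SF:<h1></h1>");"""

# Constructed damaged copy: mimics a web-page extractor stripping the <h1></h1> tags.
SF_6258_DAMAGED = SF_6258.replace("<h1></h1>", "")

_HEAD = re.compile(r"SF-Port(\d+)-(TCP|UDP):(.*);$", re.S)
# One probe record: r(ProbeName,HexLength,"escaped response")
_PROBE = re.compile(r'r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)', re.S)
# Escapes used in the data: \xHH for a byte, \r \n \t, and \c for any other escaped char.
_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)", re.S)
_CTRL = {"r": "\r", "n": "\n", "t": "\t"}


def join_lines(text):
    """Drop the SF-Port.../SF: prefixes and glue the wrapped lines back into one record."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("SF-Port"):
            parts.append(line)
        elif line.startswith("SF:"):
            parts.append(line[3:])
        else:
            raise ValueError("not a fingerprint line: %r" % line)
    return "".join(parts)


def unescape(data):
    """Turn the escaped response text back into the characters the service actually sent."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return _CTRL.get(m.group(2), m.group(2))
    return _ESC.sub(repl, data)


def parse_fingerprint(text):
    """Return port, protocol, header fields and the decoded probe responses of one record."""
    m = _HEAD.match(join_lines(text))
    if not m:
        raise ValueError("malformed fingerprint record")
    port, proto, body = int(m.group(1)), m.group(2), m.group(3)
    first = body.find("%r(")
    head = body if first < 0 else body[:first]
    header = dict(kv.split("=", 1) for kv in head.split("%") if "=" in kv)
    probes = []
    for pm in _PROBE.finditer(body):
        name, hexlen, data = pm.groups()
        response = unescape(data)
        declared = int(hexlen, 16)
        probes.append({
            "probe": name,
            "declared_len": declared,
            "response": response,
            # A mismatch means the copy you have was mangled in transit (e.g. tags eaten by a web page).
            "length_ok": len(response) == declared,
        })
    return {"port": port, "proto": proto, "header": header, "probes": probes}


def http_headers(response):
    """Pull the header lines out of an HTTP-style response; these are the strings to search for."""
    if not response.startswith("HTTP/"):
        return {}
    head = response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    return headers


if __name__ == "__main__":
    for fp in (SF_6258, SF_6258_DAMAGED):
        rec = parse_fingerprint(fp)
        print("port %d/%s, scanned by Nmap %s on %s"
              % (rec["port"], rec["proto"], rec["header"]["V"], rec["header"]["P"]))
        for p in rec["probes"]:
            print("  %-14s declared=%d actual=%d ok=%s"
                  % (p["probe"], p["declared_len"], len(p["response"]), p["length_ok"]))
            print("  headers:", http_headers(p["response"]))
```

Running it against a fingerprint pasted from a web page is a useful first sanity check: when `length_ok` is false for every probe, the copy has been altered (here the page's port 9999 fingerprint is missing the `<HTML>` and `</HTML>` lines that its `Content-Length: 30` accounts for), and the strings you search for in step 2 should come from the decoded `response` text rather than the raw escaped form.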