
Port 161 on my (fairly old Ubee UVW3200) router is open. It seems to be a backdoor from the manufacturer. It is open in stealth.

Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-14 21:18 CET
Nmap scan report for my-IP.cable.dynamic.v4.ziggo.nl (my-IP)
Host is up (0.0030s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    Ambit Microsystems Corporation SNMPv3 server

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.42 seconds

I used some of the nmap snmp scripts to check it out, but it seems like it would take cracking for an unwanted guest to talk to this server. Ambit became part of Ubee and is part of HonHai or something. The router is property of my ISP, but they basically deny the result of the above nmap run in 5+ different ways: "you're not reading it right", "according to the owner of website you first used, this is a problem", "it's an old router", "old firmware is a good sign", "it's a port on your Mac that is open." So essentially, "move along, nothing to see here." I asked them to close it or to contact the manufacturer to do so. But, in the meantime, how can I a) crack this by brute force, b) close the port, c) monitor all traffic on the port, d) make sure the traffic from my Mac is still protected? Should I warn other people about my ISP? As far as I can tell, my Mac's 161/162 are closed and there is no snmp service running on my Mac. I think it would be best to monitor the port on the external IP address, since I can imagine that the router is internally configured to further mask something.

  • A router with SNMP v3 enabled should have port 161 opened, but whether it should be opened on WAN interface to expose the management functionality to your ISP is questionable. SNMP v3 requires the router to respond to certain messages, and that's why nmap can learn its type, but to further hack from that limited information on SNMP is not easy, as v3 requires strong user credentials if properly configured. Sounds like your ISP doesn't want to share much information with you, so I think switching to another ISP is probably your best option. – Lex Li Mar 15 '20 at 01:54
  • Thank you. What can the SNMP server administrator on the WAN do with such a server? Can SNMP route my SSL/https traffic to some data collection and analysis service? Can it facilitate endpoint attacks on my Mac and other LAN devices? I assume my ISP is bound by Dutch law to implement this. Which is not a major problem, thanks to reasonable governance. I worry more about cracking from others. How can I try to crack the credentials? – Julius Baer Mar 15 '20 at 14:15
  • Or is it really very limited in some ways? – Julius Baer Mar 15 '20 at 14:16
  • Can I collect all traffic coming through 161 and 162? – Julius Baer Mar 15 '20 at 14:17
  • SNMP v3 messages can be encrypted, so even if you collect network packets you cannot tell what's being sent. What the ISP can do with SNMP v3 enabled devices is also unknown. Your concerns cannot be resolved here, as no one except the ISP knows what functionality has been implemented in that device (even the manufacturer can have limited information on that). – Lex Li Mar 15 '20 at 15:49
  • Thank you. Can I see which IP address connects to the external port? I am also concerned that there are ports open that use non-public/non-standard protocols. (Specially prepared packets). Is that possible or would WAN routers not transmit them? I have an avenue that will crack DES in a few days. Or is SNMPv3 better secured than that? – Julius Baer Mar 16 '20 at 08:43
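For the "can I collect the traffic on 161/162 and see who connects" questions in the thread, an added example (not from the question, the comments, or the router vendor): it decodes the outer SNMP header of each captured UDP payload and reports whether a message is SNMPv3 with the authFlag and privFlag set, and, for the USM security model, which engine ID and user name it carries. It assumes you already have the UDP payloads (for instance from a capture in front of the router's WAN port); it also decodes v1/v2c community-string messages, which goes beyond what the thread discusses. The engine ID, user name and samples are constructed, not real captures.

```python
AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04   # SNMPv3 msgFlags bits (RFC 3412)
def _read_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos] -> (tag, value, next_pos); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _items(seq):                             # content octets of a SEQUENCE -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        out.append((tag, val))
    return out

def parse_snmp_message(pkt):
    """Security-relevant header fields of one SNMP datagram (RFC 3412 / RFC 3414 layout)."""
    tag, body, _ = _read_tlv(pkt)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    fields = _items(body)
    version = int.from_bytes(fields[0][1], "big", signed=True)
    if version != 3:                         # v1 (0) / v2c (1): the community string travels in clear text
        return {"version": version, "community": fields[1][1].decode(errors="replace")}
    _msg_id, _max_size, flags, sec_model = (v for _, v in _items(fields[1][1]))
    info = {"version": 3, "auth": bool(flags[0] & AUTH_FLAG), "priv": bool(flags[0] & PRIV_FLAG),
            "security_model": int.from_bytes(sec_model, "big")}
    if info["security_model"] == 3:          # USM: securityParameters is an OCTET STRING wrapping a SEQUENCE
        usm = _items(_read_tlv(fields[2][1])[1])
        info["engine_id"], info["user"] = usm[0][1].hex(), usm[3][1].decode(errors="replace")
    info["pdu_encrypted"] = fields[3][0] == 0x04   # encryptedPDU is an OCTET STRING; a plaintext ScopedPDU is a SEQUENCE
    return info

# Tiny BER encoder, used only to build the constructed samples below (short-form lengths suffice).
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content
def _int(n):
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
def _v3(flags, msg_data, engine_id=b"", user=b"", auth=b"", priv=b"", boots=0, time=0):
    header = _tlv(0x30, _int(1) + _int(65507) + _tlv(0x04, bytes([flags])) + _int(3))
    usm = _tlv(0x30, _tlv(0x04, engine_id) + _int(boots) + _int(time) + _tlv(0x04, user)
               + _tlv(0x04, auth) + _tlv(0x04, priv))
    return _tlv(0x30, _int(3) + header + _tlv(0x04, usm) + msg_data)
_GET = _tlv(0xA0, _int(1) + _int(0) + _int(0) + _tlv(0x30, b""))    # GetRequest-PDU with no varbinds
# Constructed samples, not real captures: a USM engine-discovery probe, an authPriv request, a v2c request.
DISCOVERY = _v3(REPORTABLE_FLAG, _tlv(0x30, _tlv(0x04, b"") + _tlv(0x04, b"") + _GET))
AUTHPRIV = _v3(AUTH_FLAG | PRIV_FLAG | REPORTABLE_FLAG, _tlv(0x04, b"\xaa" * 16),   # opaque encryptedPDU
               engine_id=b"\x80\x00\x1f\x88\x80\x01\x02\x03", user=b"ispmon",
               auth=b"\x00" * 12, priv=b"\x00" * 8, boots=7, time=123456)
V2C = _tlv(0x30, _int(1) + _tlv(0x04, b"public") + _GET)
```

As Lex Li notes, a message with privFlag set keeps its ScopedPDU opaque; what the header does reveal is who is talking, under which user name, and whether they do so with authentication and privacy at all.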

0 Answers