A network scan reveals some interesting details:
# nmap n200
Starting Nmap 4.76 ( http://nmap.org )
Interesting ports on 192.168.n2.00:
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
8082/tcp open blackice-alerts
MAC Address: 00:CE:39:DE:DB:EF (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds
Port 80 was to be expected, everything these days has a web-interface, however functional. Port 23 for Telnet was a happy discovery, and promised deep-level access into the device.
On port 23 we find the expected login prompt, and we get a root shell without a password. Swell. We will set a password later on.
Unfortunately, the N200 doesn't have netstat -plunt, even worse, it has no netstat at all.
Edit: I found a compatible busybox binary with netstat builtin.
Even more unknown ports! 1900 is supposed to be UPNP. Through testing, the 'DvdPlayer' binary is known to be the one using all these ports. But what for?
/tmp/usbmounts/sda1/bin # ./busybox1.9.1 netstat -lunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8082 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:8086 0.0.0.0:*
udp 0 0 0.0.0.0:54450 0.0.0.0:*
udp 0 0 0.0.0.0:1900 0.0.0.0:*
Note: Anybody know a way to show listening ports (with processes) without netstat?
I turned to the webpage, hoping for something that resembles the web interface of my Dreambox 800, including a PDA-usable virtual remote control. Some pointers pertaining to Port 8082, perhaps it being the admin port for some software component, like a builtin transcoding UPNP MediaServer ... </wishful_thinking>
The webpage was -well- rather limited. I suppose its useful for the integer-adding-impaired, but apart from that? Back at the root shell, with ps we find inetd running, enabled services are telnetd and httpd, both of which are symbolic links in /usr/sbin/ pointing to busybox.
Inspecting the contents of /var/www/cgi-bin/ it becomes visible, that the webpage summing up 2 number is meant to demonstrate the ease at which one could add more functionality through simple shell scripts.
All this is great news, but we still don't know what Port 8082 is about? It's probably not 'blackice-alerts'!
I tried connecting to it, which worked, but after that i pretty much hit a dead end for now:
# telnet n200 8082
Trying 192.168.N2.00...
Connected to 192.168.N2.00.
Escape character is '^]'.
help
?
test
W
X
menu
^]
telnet> quit
Connection closed.
No matter, what I typed, no returned output at all.
Thanks for reading; if you have some useful info (or praise), please do leave a comment.
Install lsof with ipkg you show like this:
ReplyDeleteDvdPlayer 85 root 6u IPv4 498 TCP *:8082 (LISTEN)
DvdPlayer 93 root 6u IPv4 498 TCP *:8082 (LISTEN)
DvdPlayer 94 root 6u IPv4 498 TCP *:8082 (LISTEN)
IR_MONITO 96 root 6u IPv4 498 TCP *:8082 (LISTEN)
DvdPlayer 98 root 6u IPv4 498 TCP *:8082 (LISTEN)
RPC_threa 99 root 6u IPv4 498 TCP *:8082 (LISTEN)
RPC_threa 100 root 6u IPv4 498 TCP *:8082 (LISTEN)
RPC_threa 101 root 6u IPv4 498 TCP *:8082 (LISTEN)
RPC_threa 102 root 6u IPv4 498 TCP *:8082 (LISTEN)
RPC_threa 103 root 6u IPv4 498 TCP *:8082 (LISTEN)
RPC_threa 104 root 6u IPv4 498 TCP *:8082 (LISTEN)
VFD_Updat 105 root 6u IPv4 498 TCP *:8082 (LISTEN)