Does your router have a backdoor?
Find out if your router is listening on backdoor port 32764
Some days ago it became public knowledge that some routers, that's devices used for establishing Internet connections among other things, are listening on the undocumented port 32764.
First, it was only discovered in one device, the Linksys WAG200G, but it was soon discovered that many routers were also listening on that port. Among the devices are the Cisco WAP4410N-E, the Netgear DGN2000, the OpenWAG200, or the LevelOne WBR3460B.
The list on the Github website is large, and it is likely that here are other routers affected not listed there yet. It seems to be predominantly Cisco, Linksys and Netgear which listen on the port, even though not all routers by the mentioned companies are affected by it. The Linksys WRT160Nv2 for example is not listening.
It is currently not known why the routers are listening on that port. Many have suggested that this is yet another way for the NSA to spy on people around the world, and while that is a possibility, it is not the only one.
Find out if your router is listening on port 32764
http://cdn.ghacks.net/wp-content/upl...r-backdoor.png
If your router is not on the positive or negative list, you may want to find out if it is listening on port 32764, and if it is, stop the process to protect your systems.
There are several options to find that out. Here are several ones:
- Load http://yourRouterIP:32764/ in your web browser of choice. If affected, you should see ScMM or MMcS on the screen. I cannot confirm that this works for all set ups though. You can check your IP address here.
- Run the Python script poc.py on your system. You do need Python installed on it for that to work though. Run the script in the following way: python poc.py --ip yourRouterIP.For instance python poc.py --ip 192.168.1.1
- If telnet is running, you can also use the command telnet yourRouterIP 32764 to find out if the router is vulnerable. You see ScMM or MMcS in that case on the command prompt.
- Alternatively, try running router backdoor scanner, a script that attempts to establish a connection on the port.
Fixes if your router is leaking information
If your router is listening on port 32764, you may want to block this from happening. You have quite a few possibilities to cope with the situation and secure your system.
- Add a rule to the router's firewall to block the port 32764. How that is done depends on the model you are using. Usually, it involves loading the router's web interface on its local address, e.g. http://192.168.1.1/, typing in the password (on the back of the router usually if default), and finding the firewall or network options there.
- Install an Open Source firmware like Tomato or OpenWRT. Note that some have been reported to be vulnerable as well, so make sure you test again after you install.
- Get a router that is not affected by the vulnerability.
Testing
Once you have made changes, it is highly recommended to test for the vulnerability again to make sure that you have successfully blocked the port on your system.
CREDIT: http://www.ghacks.net/2014/01/06/fin...or-port-32764/
Re: Does your router have a backdoor?
cannot connect using ip:32764
also
Result of Backdoor Scans
Your router does not provide the port 32764 backdoor. Glückwunsch!
Re: Does your router have a backdoor?
When I join my routers gateway ip with minecraft, I came on a server called: NsaCraft
Sent from my ST26i using Tapatalk
Re: Does your router have a backdoor?
I just checked. I only have these ports on, 80 3306, 30000 and 30001. :p
Thanks anyways Dan!
Sent from my iPhone using Tapatalk
Re: Does your router have a backdoor?
Confirmed as probably not vulnerable on the Superhub.
Re: Does your router have a backdoor?
Wasn't affected but appreciate this Mental! Much love & keep it up!
Re: Does your router have a backdoor?
Checking up the opened ports should matter of course. It's a part of configuration to do when setting up the router for the first use.
However, thanks for clarify this, MentaL.
Re: Does your router have a backdoor?
Quote:
Originally Posted by
שเ๒єtгเ๒є
Checking up the opened ports should matter of course. It's a part of configuration to do when setting up the router for the first use.
However, thanks for clarify this, MentaL.
A backdoor is not something you configure out of the box.
Re: Does your router have a backdoor?
Thanks MentaL for posting this!
I already heard that some routers are backdoored like this ...
Now I can check my router :)
Re: Does your router have a backdoor?
Seems to not be vulnerable on Virgin Media Superhub. (I tried two different methods to test this, the python method, and rouerip:32764)
Re: Does your router have a backdoor?
Not vulnerable :D Netgear R6300 and some chinees thing are clean :p
Even thought the netgear has a backdoor, wouldn't matter for us, it's behind an other router >.>
Re: Does your router have a backdoor?
pfSense does not have this backdoor thingy :)
Better use pfSense than those expensive routers.
Re: Does your router have a backdoor?
Thanks for the heads up, luckily it's not open on my end :L
Re: Does your router have a backdoor?
I installed https://openwrt.org/ on my router, you should try it if your router is in the compatible list.
It has an amazing GUI and it's very advanced with many features.
Re: Does your router have a backdoor?
Clean on Asus RT-AC66U :)
