I have an uninvited guest using my private WLAN. At first I thought it was probably just a tech-savvy neighbour who needed Internet access, in which case it wouldn't really bother me.
However, I've noticed that they always seem to connect the same three devices, all at the same time, which piqued my curiosity. I decided to investigate so I can determine exactly what this person is up to.
Naturally, I started the process by firing up nmap, which reported several mysterious and/or unknown services bound to various arbitrary and/or unusual
This brings me to the question at hand:
What's next? What else can I do to investigate and/or identify the "unknown services" in situations like this, where nmap has fallen short?
Nmap report:
root@localhost:~# nmap -A 10.1.1.2-7 -p 1-65535
Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-21 15:31 EDT
Stats: 2:22:10 elapsed; 3 hosts completed (3 up), 3 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 76.17% done; ETC: 18:37 (0:44:28 remaining)
Nmap scan report for 10.1.1.2
Host is up (0.044s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
6258/tcp open unknown
8382/tcp open unknown
9999/tcp open abyss?
38859/tcp open unknown
49152/tcp open upnp Portable SDK for UPnP devices 1.6.20
(Linux 3.4.0-perf-g61a2a9a;UPnP 1.0)
2 services unrecognized despite returning data.
If you know the service/version, please submit the following fingerprints
at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6258-TCP:V=6.47%I=7%D=5/21%Time=5740ECE2%P=armv7l-unknown-linux-gnu
SF:eabi%r(GenericLines,67,"HTTP/1.1\x20200\x20OK\x20\r\nContent-Type:\x20
SF:text/html\r\nAccess-Control-Allow-Origin:*\r\nContent-Length:4\r\n\r\n
SF:<h1></h1>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9999-TCP:V=6.47%I=7%D=5/21%Time=5740ECE2%P=armv7l-unknown-linux-gnu
SF:eabi%r(GetRequest,AF,"HTTP/1.1\x20400\x20Bad\x20Request\r\nServer:\x20
SF:CloudHub\x20HTTP\x20Server\x20v1.0\r\nDate:\x20Sat,\x2021\x20May\x2020
SF:16\x2023:18:56\x20GMT\x2000:00\r\nContent-Length:\x2030\r\nConnection:\
SF:x20Close\r\n\r\n\r\nBad\x20Request\r\n\r\n")%r(HTTPOptions
SF:,AF,"HTTP/1.1\x20400\x20Bad\x20Request\r\nServer:\x20CloudHub\x20HTTP\
SF:x20Server\x20v1.0\r\nDate:\x20Sat,\x2021\x20May\x202016\x2023:18:57\x2
SF:0GMT\x2000:00\r\nContent-Length:\x2030\r\nConnection:\x20Close\r\n\r\n<
SF:HTML>\r\nBad\x20Request\r\n\r\n")%r(FourOhFourRequest,AF,"HTTP/1
SF:.1\x20400\x20Bad\x20Request\r\nServer:\x20CloudHub\x20HTTP\x20Server\x
SF:20v1.0\r\nDate:\x20Sat,\x2021\x20May\x202016\x2023:18:57\x20GMT\x2000:
SF:00\r\nContent-Length:\x2030\r\nConnection:\x20Close\r\n\r\n\r\nBa
SF:d\x20Request\r\n\r\n")%r(RTSPRequest,AF,"HTTP/1.1\x20400\x20Bad
SF:\x20Request\r\nServer:\x20CloudHub\x20HTTP\x20Server\x20v1.0\r\nDate:\
SF:x20Sat,\x2021\x20May\x202016\x2023:18:57\x20GMT\x2000:00\r\nContent-Len
SF:gth:\x2030\r\nConnection:\x20Close\r\n\r\n\r\nBad\x20Request\r\n<
SF:/HTML>\r\n")%r(SIPOptions,AF,"HTTP/1.1\x20400\x20Bad\x20Request\r\nSer
SF:ver:\x20CloudHub\x20HTTP\x20Server\x20v1.0\r\nDate:\x20Sat,\x2021\x20M
SF:ay\x202016\x2023:19:51\x20GMT\x2000:00\r\nContent-Length:\x2030\r\nConn
SF:ection:\x20Close\r\n\r\n\r\nBad\x20Request\r\n\r\n");
MAC Address: 8C:3A:E3:94:B9:A9 (LG Electronics)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel:3.4.0-perf-g61a2a9a
TRACEROUTE
HOP RTT ADDRESS
1 43.69 ms 10.1.1.2
Nmap scan report for 10.1.1.6
Host is up (0.11s latency).
All 65535 scanned ports on 10.1.1.6 are closed (46662) or filtered (18873)
MAC Address: 64:BC:0C:7D:8A:E9 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 108.85 ms 10.1.1.6
Nmap scan report for 10.1.1.7
Host is up (0.0083s latency).
Not shown: 64944 closed ports, 590 filtered ports
PORT STATE SERVICE VERSION
8187/tcp open unknown
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint
at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8187-TCP:V=6.47%I=7%D=5/21%Time=5740ECE2%P=armv7l-unknown-linux-gnu
SF:eabi%r(GetRequest,22D,"HTTP/1.0\x20400\x20Bad\x20Request\x20\r\nCONTEN
SF:T-TYPE:\x20text/xml;\x20charset=\"utf-8\"\x20\r\nSERVER:\x20UPnP/1.1\x
SF:20Samsung\x20AllShare\x20Server/1.0\x20\r\nCONTENT-LENGTH:\x20417\x20\
SF:r\n\r\n<\?xml\x20version=\"1.0\"\?>http://sch
SF:emas\.xmlsoap\.org/soap/envelope/\"\x20s:encodingStyle=\"http://schemas
SF:\.xmlsoap\.org/soap/encoding/\">s:ClientUPnPError402Invalid\x20Args")%r(HTTPOptions,22D,"HTTP/1.0\x20400\x20B
SF:ad\x20Request\x20\r\nCONTENT-TYPE:\x20text/xml;\x20charset=\"utf-8\"\x2
SF:0\r\nSERVER:\x20UPnP/1.1\x20Samsung\x20AllShare\x20Server/1.0\x20\r\n
SF:CONTENT-LENGTH:\x20417\x20\r\n\r\n<\?xml\x20version=\"1.0\"\?>http://schemas\.xmlsoap\.org/soap/envelope/\"\x20s:enc
SF:odingStyle=\"http://schemas\.xmlsoap\.org/soap/encoding/\">s:ClientUPnPError402Invalid\x20Args")%r(RTSPRequest
SF:,22D,"HTTP/1.0\x20400\x20Bad\x20Request\x20\r\nCONTENT-TYPE:\x20text/x
SF:ml;\x20charset=\"utf-8\"\x20\r\nSERVER:\x20UPnP/1.1\x20Samsung\x20AllS
SF:hare\x20Server/1.0\x20\r\nCONTENT-LENGTH:\x20417\x20\r\n\r\n<\?xml\x20
SF:version=\"1.0\"\?>http://schemas\.xmlsoap\.or
SF:g/soap/envelope/\"\x20s:encodingStyle=\"http://schemas\.xmlsoap\.org/so
SF:ap/encoding/\">s:ClientUPnPError402Inval
SF:id\x20Args")%r(FourOhFourRequest,22D,"HTTP/1.0\x20400\x20Bad\x20Reque
SF:st\x20\r\nCONTENT-TYPE:\x20text/xml;\x20charset=\"utf-8\"\x20\r\nSERVER
SF::\x20UPnP/1.1\x20Samsung\x20AllShare\x20Server/1.0\x20\r\nCONTENT-LEN
SF:GTH:\x20417\x20\r\n\r\n<\?xml\x20version=\"1.0\"\?>http://schemas\.xmlsoap\.org/soap/envelope/\"\x20s:encodingStyle=
SF:\"http://schemas\.xmlsoap\.org/soap/encoding/\">s:ClientUPnPError402Invalid\x20Args");
MAC Address: 84:2E:27:67:50:0E (Unknown)
No exact OS matches for host.
If you know what OS is running on it, see http://nmap.org/submit/.
TCP/IP fingerprint:
OS:SCAN(V=6.47%E=4%D=5/21%OT=8187%CT=1%CU=39163%PV=Y%DS=1%DC=D%G=Y%M=842E27
OS:%TM=5740ED91%P=armv7l-unknown-linux-gnueabi)SEQ(SP=109%GCD=1%ISR=108%TI=
OS:Z%CI=I%II=I%TS=7)OPS(O1=M5B4ST11NW8%O2=M5B4ST11NW8%O3=M5B4NNT11NW8%O4=M5
OS:B4ST11NW8%O5=M5B4ST11NW8%O6=M5B4ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF
OS:%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NNSNW8%CC=Y%Q=)T1(R=Y%DF
OS:=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=
OS:Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%
OS:RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
OS:IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 8.32 ms 10.1.1.7
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 6 IP addresses (3 hosts up) scanned in 13841.90 seconds
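A first step when nmap prints "service unrecognized despite returning data" is to read what the service actually answered: the SF fingerprint blocks above are the raw probe responses, just escaped and wrapped. The following script, an added example that is not part of the question or of nmap itself, reassembles the SF-Port/SF: lines, unescapes each probe response back to bytes, pulls out any HTTP Server header and flags responses whose decoded length differs from the declared hex length (a sign the fingerprint was cut or mangled, as happens when pasted output loses its HTML tags). The embedded sample is constructed: the first block is the intact port-6258 fingerprint from the report, the second is a shortened, made-up version of the port-9999 block with one deliberately truncated response.

```python
"""Decode Nmap service-fingerprint (SF) blocks into readable banners.

Added example, not code from the original post or from nmap. Reassembles the
SF-Port / SF: continuation lines nmap prints for unrecognised services,
unescapes the probe responses and surfaces the Server header, so an
"unknown" service can be read as the plain banner it really is.
"""
import re

_HDR = re.compile(r'^SF-Port(\d+)-(TCP|UDP):(.*)$')
# Each probe response has the form %r(ProbeName,HexLength,"escaped response")
_PROBE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
# nmap escapes non-printable bytes as \xHH and a few characters (\r \n \t \0,
# quotes, backslashes and regex metacharacters such as \. \?) with a backslash
_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})|\\(.)')
_SIMPLE = {'r': b'\r', 'n': b'\n', 't': b'\t', '0': b'\0'}


def unescape(s: str) -> bytes:
    """Turn an escaped SF response string back into the raw bytes nmap received."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode('latin-1')
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            c = m.group(2)
            out += _SIMPLE.get(c, c.encode('latin-1'))
        pos = m.end()
    out += s[pos:].encode('latin-1')
    return bytes(out)


def join_sf_lines(text: str) -> list:
    """Glue each SF-Port header line to its SF: continuation lines."""
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('SF-Port'):
            blocks.append(line)
        elif line.startswith('SF:') and blocks:
            blocks[-1] += line[3:]
    return blocks


def server_header(resp: bytes):
    """Return the value of an HTTP Server: header in a decoded response, if any."""
    head = resp.split(b'\r\n\r\n', 1)[0]
    for hline in head.split(b'\r\n'):
        if hline.lower().startswith(b'server:'):
            return hline.split(b':', 1)[1].strip().decode('latin-1', 'replace')
    return None


def parse_fingerprints(text: str) -> list:
    """Parse every SF block in nmap output into port, metadata and decoded probes."""
    results = []
    for block in join_sf_lines(text):
        m = _HDR.match(block)
        if not m:
            continue
        port, proto, rest = int(m.group(1)), m.group(2), m.group(3)
        meta_part = rest.split('%r(', 1)[0]
        meta = dict(kv.split('=', 1) for kv in meta_part.split('%') if '=' in kv)
        probes = []
        for pm in _PROBE.finditer(rest):
            name, declared, escaped = pm.group(1), int(pm.group(2), 16), pm.group(3)
            data = unescape(escaped)
            probes.append({
                'probe': name,
                'declared_len': declared,
                'data': data,
                # length mismatch: the fingerprint was cut or mangled in transit
                'truncated': len(data) != declared,
                'server': server_header(data),
            })
        results.append({'port': port, 'proto': proto, 'meta': meta, 'probes': probes})
    return results


# Constructed sample: the intact port-6258 block from the report above, plus a
# made-up, shortened port-9999 block whose second response is deliberately cut.
SAMPLE = r"""
SF-Port6258-TCP:V=6.47%I=7%D=5/21%Time=5740ECE2%P=armv7l-unknown-linux-gnu
SF:eabi%r(GenericLines,67,"HTTP/1.1\x20200\x20OK\x20\r\nContent-Type:\x20
SF:text/html\r\nAccess-Control-Allow-Origin:*\r\nContent-Length:4\r\n\r\n
SF:<h1></h1>");
SF-Port9999-TCP:V=6.47%I=7%D=5/21%Time=5740ECE2%P=armv7l-unknown-linux-gnu
SF:eabi%r(GetRequest,3F,"HTTP/1.1\x20400\x20Bad\x20Request\r\nServer:\x20
SF:CloudHub\x20HTTP\x20Server\x20v1.0\r\n\r\n")%r(HTTPOptions,3F,"HTTP/1.1\x20400");
"""

if __name__ == '__main__':
    for fp in parse_fingerprints(SAMPLE):
        print(f"port {fp['port']}/{fp['proto']} (nmap {fp['meta'].get('V')})")
        for p in fp['probes']:
            flag = ' [length mismatch: truncated/garbled]' if p['truncated'] else ''
            print(f"  {p['probe']}: server={p['server']!r}{flag}")
            print('    ' + p['data'].decode('latin-1').replace('\r\n', ' | '))
```

Run it against the full report by pasting the SF blocks into SAMPLE, or by feeding nmap's own output file to parse_fingerprints. Once the banner is readable ("Portable SDK for UPnP devices", "CloudHub HTTP Server", "Samsung AllShare Server") the device type usually follows from the server string together with the MAC vendor nmap already printed; the length check tells you which responses are safe to reason about and which were mangled by copy-paste.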