What checks should I perform to ensure my router is malware free? This is for a home network.
I have Lulu set up under OS X on my Mac, so if an errant program, say curl, tries to access an outside address it is stopped.
Would an external router-based firewall bring any extra level of protection? I surmise that it will not be fine-grained enough to stop a particular process.
I believe that outgoing requests are more risky than incoming requests, as I do not have any program listening for requests, e.g. no web server enabled.
What use would an external router-based firewall bring?
Sometimes I come across articles that write about vulnerable IoT devices and that there are a lot of routers that are not sufficiently protected.
I own a router myself which has SSH access, and I was wondering what possible attack vectors exist, because I can't think of many except forwarding ports by looking up the ARP table, and even then you need to know what kind of device is at the other end.
I also don't understand how malware could, for example, take over my router and add it to a botnet when it is not possible to execute shell commands; usually you can only execute commands within a (I presume) secured environment that is limited to a few commands. So they should not be able to upload a binary and execute it.
I’m getting regular attacks
2020-07-29 14:44:42 Security Warning Intrusion -> SRC=188.8.131.52 DST=184.108.40.206 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63607 PROTO=TCP SPT=52363 DPT=1433 WIN
It's every 10 mins as far as I can see.
I changed the wifi password and made it a hidden AP, and the attacks are still coming.
I even disconnected all devices and the logs keep getting this attack
Should I be worried?
2020-07-29 14:54:05 Security Warning Intrusion -> SRC=220.127.116.11 DST=18.104.22.168 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=40337 PROTO=TCP SPT=42068 DPT=3378 WINDO
I'm trying to understand how my router works, so I'm analyzing a couple of outputs (I logged in through SSH). I get these lines when trying netstat -a -e, and I'm not sure where these addresses come from, or what exactly they are doing.
The xxx.xxx.xxx.xxx is the IP address that my router gets from the ISP router (WAN).
tcp 0 0 xxx.xxx.xxx.xxx:50689 a104-75-170-17.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp 0 0 xxx.xxx.xxx.xxx:50695 a104-75-170-17.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp 0 0 xxx.xxx.xxx.xxx:35877 a104-75-170-56.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp 0 0 xxx.xxx.xxx.xxx:35883 a104-75-170-56.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp 0 0 xxx.xxx.xxx.xxx:35876 a104-75-170-56.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp 0 0 xxx.xxx.xxx.xxx:50688 a104-75-170-17.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp 0 0 xxx.xxx.xxx.xxx:50696 a104-75-170-17.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp 0 0 xxx.xxx.xxx.xxx:50697 a104-75-170-17.deploy.static.akamaitechnologies.com:www ESTABLISHED
I'm interested in methods/solutions for blocking incoming and/or outgoing WhatsApp requests and/or traffic on a personal home Google WiFi network.
I also have the Google WiFi app with manager/admin rights.
Man-in-the-Middle is not working with my router (Huawei) on my Windows machine/any device.
But it works with another router on the same Windows machine/any device.
When I do MITM with the Huawei router:
Linux MAC: a0:af:bd:c5:21:87 Router's MAC: 7c-11-cb-1f-ad-85
My Windows ARP table before doing MITM on it:
c:\Users\acer>arp -a

Interface: 192.168.1.113 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           7c-11-cb-1f-ad-85     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.022           01-00-5e-00-00-16     static
arpspoof script to do MITM:
arpspoof -i wlan0 -t 192.168.1.113 192.168.1.1
arpspoof -i wlan0 -t 192.168.1.1 192.168.1.113
Then the Windows machine's ARP table is:
c:\Users\acer>arp -a

Interface: 192.168.1.113 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           7c-11-cb-1f-ad-85     dynamic
  192.168.1.112         a0:af:bd:c5:21:87     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.022           01-00-5e-00-00-16     static
I tried with bettercap, ettercap, and my own python script, and I did 'echo 1 > /proc/sys/net/ipv4/ip_forward' in Linux. It is still not working! Not capturing anything.
The expected ARP table on Windows:
Interface: 192.168.1.113 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           a0:af:bd:c5:21:87     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.022           01-00-5e-00-00-16     static
I have an IoT system that works the following way: the IoT bridge makes a TCP handshake with a server in China with a static IP address 47.255… (the bridge sends SYN, the China server sends SYN-ACK, and then the bridge ACKs).
Then the bridge sends an MQTT Connect command to the Chinese server (this includes a client ID, user name, and a password). The server just sends an accept back.
After that I can use a smartphone app to control the bridge: the smartphone sends an MQTT packet to the China server and the server sends the exact same packet to the bridge (only the source/destination IPs and MAC addresses get changed from server to bridge).
I want to remove the Chinese server completely from this equation and want to simulate it with my own PC.
So my PC should get every packet that gets sent to the Chinese IP. The bridge is on wifi, so I have to change this in the router.
Are there easy ways to redirect IP addresses with your router? Or is it possible to directly modify the packets with the router and change the IP address of the packet?
The bridge doesn't use DNS to find the Chinese IP address, so I can't use a Pi-hole or similar DNS spoofing tools.
And if this works, I guess my PC has to spoof its source IP address in the packages to the Chinese server, or the TCP protocol won't accept the connection with different destinations -> sources.
I was fiddling with my router’s UPnP settings and found this
Why is an external IP address showing here?
I also did a reverse IP search and, to my surprise, the IP 22.214.171.124 showed "UK Ministry of Defence". I am not in the UK military or on a military base.
Something fishy going on? I have already disabled UPnP.
I've conducted a scan of my network and I've noticed a worrying number of ports and services now running on my router.
I have a Virgin Media Superhub2. Below are the ports and services that are open. I cannot find information on the internet.
Can anyone shed some light as to what has possessed my router? Some of the services are things I've never seen before!