DNS Server Tests top
A very common thing that bad guys do when they attack a router is change the DNS servers. There are many reasons for this, one is that almost no one will detect the change. A great defense is knowing what the DNS servers in a router should be.
- DNS Leak Test is the best site for this that I have run across.
It is well suited to non-techies.
- dnsleak.com is sponsored and operated by London Trust Media, Inc. I don't know who they are. It is only available via HTTP and is linked to by VPN provider PrivateInternetAccess
- At browserleaks.com/ip, scroll down to see your DNS servers. Very friendly format. Also shows lots of other
useful information such as your host name, location and ISP.
- ipleak.net is from VPN provider AirVPN. It reports lots of things, including DNS servers. It is only available via HTTP, not HTTPS. It is also available on ports 8000 and 62222.
- The F-Secure Router Checker does not really check routers, it simply reports your current DNS server(s). The company says their goal is to insure that your router is using an "authorized DNS server" but there is no such thing and they don't define it. Maybe they check a list of known good DNS servers? Maybe they check a list of known bad DNS servers? Maybe they do nothing. The service disappeared for months (roughly Feb. 2016 through Aug. 2016) but as of mid-August 2016, it's back online.
- If you are using OpenDNS, you can verify this at www.opendns.com/welcome/.
- BAD DNS servers: 188.8.131.52 (I lost track of the source). From a 2012 attack in Brazil: 184.108.40.206 and 220.127.116.11 (source). From a December 2016 article by Proofpoint: 18.104.22.168-24, 22.214.171.124-126, 126.96.36.199-121 and 188.8.131.52-244.
On a totally different plane, is Steve Gibson's Router Crash Test. While working a DNS spoofability test, Gibson accidentally discovered that he crashed some routers just by sending them legit DNS requests. This is a bit dated (Gibson has no creation dates on the pages of his site) but it takes only a few seconds to verify that your router does not fall prey to this attack. At the bottom of the page look for a gray "Initiate Router Crash Test" button.
Firewall Testers top
Note that while connected to a VPN, these tests test the VPN server, not your router. Same for Tor. An "open" port responds to unsolicited incoming requests. A "closed" port (a.k.a. "refused" in Nmap lingo) is accessible, but there is no application listening on it. A status of "stealth" (a.k.a. "filtered" to Nmap) means data sent to the port generates no response at all. This is the most secure status.
- To see what Shodan knows about your router, replace the Xs in this link https://www.shodan.io/host/xxxxxx with your public IP address. A result of "Not Found" is best. Among the many sites that report your public IP address are: ipchicken.com, checkip.dyndns.com and
- Steve Gibsons Shields UP! is an oldie but goodie.
Stealth is the best status. Closed is OK. Open is bad news. Start with the "Common Ports" test which tests ports: 0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445 1002, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1720 and 5000. Then, move on to the "All Service Ports" which
tests all the ports from zero to 1055 and takes about 70 seconds to run. A perfect report looks like this.
- The Speed Guide Security Scan tests 359 ports
if you register and create an account, 85 ports if you do not.
Click the small blue "START" button. If all is well, it will say "Our Security Scan found NO open ports."
- Shields UP! can also test a single port, a feature called portprobe. There is no GUI interface though, you have to make your own
URL. This example, grc.com/x/portprobe=999, tests port 999 and changing it to test another port is self-explanatory. Gibson does not address TCP vs. UDP, so I have to assume the test is TCP only.
- An option on the Speed Guide Security Scan lets you scan any port for
TCP, UDP or both. Or, you can make a link such as
speedguide.net/ portscan.php? port=999&tcp=1&udp=1 which scans port 999 for both TCP and UDP.
- The website pentest-tools.com offers two port scanners based on nmap.
One is for UDP, the other is
for TCP. See their Terms of Service (PDF)
- The Port Scanner at mxtoolbox.com scans 25 TCP (no UDP) ports: 21 ftp, 22 ssh, 23 telnet, 25 smtp, 53 dns, 80 http, 110 pop3, 111 portmapper, rpcbind, 135 Microsoft RPC services, 139 netbios, 143 imap, 389 ldap, 443 https, 445 SMB over IP, 587 msa-outlook, 1025 IIS, NFS, or listener RFS remote_file_sharing, 1352 lotus notes, 1433 sql server, 1723 PPTP, 3306 my sql, 3389 MS remote desktop, 5060 SIP, 5900 VNC, 6001 X Window server and 8080 webcache. Port status is reported using Nmap naming conventions (refused is the same as closed and filtered is the same as stealth).
- The Port Scanners page at WhatsMyIP.org can scan a single port or four different groups of common ports. They don't say if the scans are TCP, UDP or both. A port that does not respond is said to time out.
This does not differentiate between closed and stealthed ports, making it relatively useless.
- Security company Incapsula suggested using www.yougetsignal.com/tools/open-ports/ by Krk Ouimet. But, it only scans one port at
a time, does not say anything about TCP vs. UDP and does not differentiate between Closed and Stealthed ports.
TCP Ports to Test top
Note that while connected to a VPN, these tests test the VPN server, not your router. Same for Tor. An "open" port responds to unsolicited incoming requests. A "closed" port (a.k.a. "refused" in Nmap lingo) is accessible, but there is no application listening on it. A status of "stealth" (a.k.a. "filtered" to Nmap) means data sent to the port generates no response at all. This is the most secure status. This list is extremely incomplete.
- March 2017: If you own a video camera, then you may want to read about flaws in thousands of models. In terms of routers, one
of the flaws lets anyone watch the camera. Anyone who connects to TCP port 10554 that is. Test port 10554. (More)
- According to SANS, some IoT devices use port 2323 as an alternate port for Telnet. The Mirai botnet scans for IoT devices on both ports 23 and 2323. Test TCP port 2323.
- UPnP and SSDP use port 1900 and do not belong on the Internet. They were
intended for LAN use only. This is only supposed to use UDP but its so important, testing TCP too can't hurt. Test TCP port 1900.
- Windows remote desktop uses port 3389 and bad guys probe it often. Test
TCP port 3389.
- Port 7547 is used by a remote management protocol known as either TR-069 or CWMP (Customer Premises Equipment WAN Management Protocol). Some ISPs use this protocol to re-configure your router/gateway/modem. In November 2016, the protocol was abused to attack DSL modems. A device
infected in this attack, will have its port 7547 closed by the malware to prevent new firmware from being installed. In April 2017 Wordfence reported that Thousands of Hacked Home Routers are Attacking WordPress Sites and they
attributed the router hacking to port 7547 being open. They said that Shodan reports over 41 million devices are listening on port 7547. So,
test port 7547.
- Some D-Link routers expose port 8181 for a unknown service that had a buffer overflow flaw that let remote unauthenticated attackers run commands on the router. D-Link said they fixed this with firmware released in August 2016. Still, can't hurt to test TCP port 8181.
- In December 2016 Cybereason found flaws in many IP cameras. They made an online tester for people to check if their cameras are vulnerable. The test page says the vulnerable cameras use port 81. Test
TCP port 81.
- Printers can use multiple ports.
Port 9100 is used for RAW output with TCP,
Port 631 is used for
Internet Printing Protocol (IPP) with TCP and UDP, and
Port 515 is used for
Line Printer Daemon with TCP.
In Feb. 2017 a hacker claiming he wanted to raise awareness about the risks of leaving printers exposed to the Internet, forced thousands of printers to spew out rogue messages. This was not the first such attack and it was inspired by research published Jan 2017. More here and here and here.
Test port 9100
Test port 631 for TCP,
and, Test 631 for UDP
Test port 515
- Port 5555. This is sometimes used by ISPs for the TR-069 protocol. Test port 5555.
- Port 55555. This is used by the Lenovo Solution Center and was found to
vulnerabilities in December 2015. More about this here and here. Test port 55555.
- Port 7779. This is used by Dell System Detect which is part of Dell
Foundation Services and was found to be a security issue in December 2015. More here and here.
Test port 7779.
- If you are not using an L2TP VPN then port 1701 should not be open.
- A bug in some Linksys routers left port 8083 open even if their web interface said that remote management was disabled. You can test for a vulnerable router by browsing to http://184.108.40.206:8083/ where 220.127.116.11 is your public IP address. Vulnerable routers will put you into their admin console, without even asking for a password.
- Port 32764 was made infamous in Jan. 2014 when Eloi Vanderbecken found that his Linksys WAG 200G used it as a backdoor. Other Linksys, Netgear and Cisco routers
did the same. See my blog on this: How and why to check port 32764 on your router. But, then it got worse, when in April 2014, the "fix" merely hid the backdoor better.
If your router has version 2 of the backdoor, you can't test for it. But, we can test for version 1 externally with portprobe and internally by pointing a web browser
to HTTP://18.104.22.168:32764 where 22.214.171.124 is the LAN side IP address of the router.
- SNMP normally uses UDP, but it has been seen in the wild using TCP. So, what the heck, test
port 161 and
- LDAP port 389 uses both TCP and UDP. See the UDP section below for links to test each.
UDP Ports to Test top
Note that while connected to a VPN, these tests test the VPN server, not your router. Same for Tor.
This list is extremely incomplete.
- As per Attackers are now abusing exposed LDAP servers to amplify DDoS attacks (by Lucian Constantin Oct 26, 2016) Connectionless LDAP (CLDAP), a variant of LDAP (Lightweight Directory Access Protocol) that uses UDP, is being abused in DDoS attacks. LDAP is used in corporate networks and "its use directly on the internet is considered risky and is highly discouraged." Yet, SHODAN reports over 140,000 systems using it. Test port 389 TCP and port 389 UDP.
- UPnP and SSDP use port 1900 and do not belong on the Internet. They were
intended for LAN use only. Test it
- NAT-PMP, like UPnP, lets a LAN-resident device poke a hole in the router firewall. It was designed by Apple who uses it for Back to My Mac.
It listens on UDP port 5351. In 2014 it was discovered that over a million devices, connected to the Internet, had this port open on the WAN side. Oops. Some companies making devices with this flaw were Belkin, Netgear, Technicolor,
Ubiquiti and ZyXEL. The Shadowserver Foundation scans for this daily. On Nov. 11, 2016 they found 1.2 million devices exposing NAT-PMP. More here and here.
Test port 5351.
- If you are not using SNMP, and most people are not, then UDP ports 161 and 162 should be closed. A device running SNMP can be abused in SNMP amplification attacks, a type of DDoS attack. The Shadowserver Foundation scans the Internet for devices that respond to SNMP commands on UDP port 161. In mid-November 2016, they found 3,490,417 such devices.
Test port 161 and
Test port 162.
- Port 1233. The Toshiba Service Station application receives commands via this port and was found to be a security issue in December 2015.
- If you are not using an L2TP VPN then port 1701 should not be open. Not sure if this uses UDP, better safe than sorry.
Test port 1701
- A bug in Netis and Netcore routers could be exploited on port 53413. Read more here and here. From Aug. 2014.
According to a mid-November 2016 scan by the Shadowserver Foundation, there are 20,320 vulnerable
routers online, the vast majority of which are in China. Netis routers are sold in the US.
Test port 53413
- In September 2016, a backdoor was found in a D-Link router. Sending "HELODBG" to UDP port 39889 would cause the router to run Telnet, letting a bad guy login without
a password. Test port 39889
- Port 631 is used for Internet Printing Protocol with both TCP and UDP. More about this is in the above section on TCP ports
UPD Port testers
The links above, that test individual UDP ports, look like this
This example would test port 999. SpeedGuide can also test individual ports at their Security Scan page where you can enter any port number and chose to test UPD and/or TCP.
Another website offering UDP port tests is the UDP Port Scan with Nmap page at PentTest-Tools.com. It can test a range of UDP ports, a list of UDP ports or individual ports.
TCP/IP Port Information top
LAN side port testing top
TELNET: Individual LAN side ports can be tested from a computer on the LAN with Telnet. Windows 7 and 8.1 users will have to first install the Telnet client using: Control Panel -> Programs and Features -> click on "Turn Windows features on or off" in the left side column -> Turn on the checkbox for Telnet Client -> Click OK. On OS X ....
To use telnet on Windows, open a Command Prompt window, type
"telnet ipaddress portnumber". For example: "telnet 192.168.1.1 80". There needs to be a space on both sides of the IP address. If the port is closed, Windows will complain that it "could not open connection to the host on port 80: connect failed". If the port is open, the responses vary, you may just see a blank screen. You can also telnet to a computer by name, such as
"telnet somewhere.com 8080"
ID Serve: ID Serve is a small, portable, Internet Server Identification Utility for Windows, created by Steve Gibson. It was written in 2003 and has not been updated since. The initial screen explains its purpose, the Server Query tab is where it does its work. You can query a computer by name (www.amazon.com) or by IP address. It defaults to port 80, but you can force a different port by adding a colon and the port number after the computer name or IP address (no spaces). If data comes back from the query, ID Serve displays it all. This data may identify the server software. If data does not come back, the message, in my experience, will either be "The port is closed, so our connection attempt was refused" or "No response was received from the machine and port at that IP. The machine may be offline or the connection port may be stealthed". ID Serve is limited to TCP (no UDP) and does not support HTTPS.
BROWSER: You can also test a port with a web browser. For example, http://192.168.1.1:999 would test TCP port 999 (of course, modify the IP address
as necessary for your router). I don't think a browser can test a UDP port, it is limited to TCP.
NMAP: Perhaps the best option is nmap...
HNAP Testing top
The Home Network Administration Protocol is a network device management protocol dating back to 2007. There are four problems with HNAP. One, is that it has a long history of buggy implementations. It can also tell bad guys technical details of a router making it easier for them to find an appropriate vulnerability to attack. The fact that a router supports HNAP may not be visible in its administrative interface. Worst of all, HNAP often can not be disabled. Four strikes, you're out.
You can test if a router supports HNAP by typing http://126.96.36.199/HNAP1/ where 188.8.131.52 is the IP address of your router. Of course, every router has two IP addresses one on the public side and one on the private side. I suggest testing for HNAP on each.
You can learn your public IP address at many websites, such as ipchicken.com and checkip.dyndns.com. For the LAN side of a router, see my Sept. 2013 blog
Find the IP address of your home router.
If HNAP is enabled, this test displays basic device information about your router in an XML file. See sample output. If it fails, there will be some type of error about the web page not being able to be displayed, perhaps a 404 Not Found error.
If HNAP is enabled, try to turn it off in the router administrative interface and then test again. You may not be able to turn it off. For more, see the HNAP page.
URLs to try from your LAN top
In these examples, 184.108.40.206 represents the LAN side IP address of the router.
As per Scott Helme's 2014 description of his BrightBox router, try the URL below, where 220.127.116.11 is the IP address of your router. A good result returns nothing but an error message. Here is a sample of a bad result.
In December 2016, Pedro Ribeiro reported on flaws in the Netgear WNR2000 router. If you own a Netgear router, it can't hurt to check for information leakage with the URL below. It may leak the device serial number.
Many Netgear routers had a security flaw in December 2016
(see here and
here for more). The command below tests a Netgear router. If this results in a web page with the word "Vulnerable", then the router is vulnerable. Netgear has issued fixes for all vulnerable routers.
This issue with port 32764 is explained above in the TCP Ports to Test section.
UPnP Testers top
UPnP is dangerous because it lets computing devices (typically IoT devices) punch a hole in the routers firewall. This exposes them to the Internet where their poor security, such as default passwords, can be abused. This danger involves UPnP being enabled on the LAN side of the router. I am still looking for a LAN side tester.
UPnP on the WAN/Internet side of a router is a totally different problem. UPnP was never meant to be exposed on the Internet. The online tester below insures that your router does not respond to UPnP requests sent to it over the Internet. For more on why UPnP from the Internet side of a router is an issue at all, see my Jan. 2013 blog Check your router now, before Lex Luthor does.
UPnP is relatively hard to test for as there are two components to the protocol. Discovering UPnP enabled devices is done with the Simple Service Discovery Protocol (SSDP) which listens on UDP port 1900. The actual communication between devices is done via HTTP on varying ports. SSDP tells clients which port to use for HTTP communication. According to Rapid7, the TCP port number varies by vendor and is often chosen at random. Ugh. Their report notes that some Broadcom, D-Link and TP-Link routers use TCP port 5431, some devices use port 80 and still others use 2869.
- Steve Gibson added UPnP testing to his ShieldsUP! service in January 2013. On the first page, click on the
gray Proceed button. On the next page, click on the yellow/orange button for GRC's Instant UPnP Exposure Test.
- Rapid7 used to offer an online UPnP Check but they discontinued it.
- Rapid7 also discontinued their installable
ScanNow program that scanned a LAN for UPnP
enabled devices and reported if the devices were running buggy versions of UPnP software. This was useful to insure that your router was also not responding to UPnP
on the LAN side. The program only ran on Windows and required 32 bit versions of either Java 6 or Java 7. As for why they abandoned ScanNow see ScanNow DLL Search Order Hijacking Vulnerability and Deprecation
Modem Tests top
A modem is a computer and it too, can have bugs. Chances are the modem as an IP address such as 192.168.100.1. If nothing else, you should try to access
the modem by its IP address so that technical information about your Internet connection is available to you. Also, you want to see what information is available
without a password, some modems expose too much. If there is a password, then change it from the default. For better security, a router should be able to block
access to the modem by blocking its IP address.
I blogged about modem access from the LAN side of a router in February 2015. While it can be helpful to directly access the modem, it can also be dangerous. See
Talk to your modem and
Using a router to block a modem.
IP Version 6 Testers top
I know of no reason for IPv6 to be enabled on a home router. If it is enabled on yours, try to disable it then verify that it's really off. All the sites below are only available via HTTP.
- Test for the existence of IP version 6 at whatismyv6.com. Click on the "IPv6 only Test" or go directly to ipv6.whatismyv6.com. It is a good thing if ipv6.whatismyv6.com fails to load in your browser.
- Another site, ipv6leak.com is from London Trust Media, Inc. I don't know who they are, but the site is linked to by VPN provider PrivateInternetAccess.
- test-ipv6.com is from Jason Fesler. It offers many technical details and is open source (see Github). The point of view here is that IP v6 is good, which I don't agree with.
Android Apps top
- According to the company, RouterCheck "is the first consumer tool for protecting your home router ...
RouterCheck is like an anti-virus system for your router. It protects your router from hackers..." Its an Android app. I have not tried it.
- The Avast Wi-Fi Finder can do a network scan to show all devices connected to the network. It also claims to offer a Wi-Fi Security Scan that finds potential security holes and issues on the network.
Ads Here top
Some routers are hacked to generate income from showing ads. This website has no ads. If you see any ads while viewing this web page, then either the router you are connected to has been hacked or your computer has.
Honorable mention goes to the Shadowserver Foundation that scans the Internet for all sorts of things that should not be there.
See The scannings will continue until the