Level setting: While connected to a VPN, all the tests on this page test the VPN server, not your router. Likewise, with Tor you end up testing your Tor exit node rather than your router. To test your router, it needs to be connected to a dumb modem. If, however, you have connected a router to a gateway device (combination modem, router and perhaps even telephone adapter) from your ISP, you may be testing the firewall in the gateway device rather than your router. To test your router in this case, the gateway device needs to be put in Bridge mode, which should disable its firewall.
The on this site will generate a query of your public IP address (and thus your router) on both Shodan and Censys.io.
DNS Server Tests
Defensive Computing mandates that you know what your DNS servers should be. There are three reasons to be aware of your DNS servers. First, changing the DNS servers in a router is a common attack, and without the websites listed below it could be a very long time before such a malicious change was detected. Then too, if you have a preferred set of DNS servers (perhaps OpenDNS or Quad9), the router you are connected to may ignore this preference and force you to use its DNS servers. I blogged about this in March 2018 (Some routers can force their DNS servers onto all devices). When connected to a public Wi-Fi network, you should always check whether the router running the network has imposed its DNS servers on your computer. Then too, we come to VPNs. If working well, the VPN client software on your computer should change your DNS servers to those run by the VPN provider. But sometimes this does not happen. I would advise checking your DNS servers before and after connecting to a VPN to ensure that they have changed. Finally, anyone running a VPN on Windows 8 or 10 needs to be aware of a situation where DNS requests may be sent outside of the VPN tunnel. For more, see Guide: Prevent DNS leakage while using a VPN on Windows 10 (and Windows 8).
- At browserleaks.com/ip you need to scroll down to see your DNS servers. It reports the Hostname, ISP, city and country. The page also shows lots of other useful information such as your public IP address, host name, location and ISP.
- DNS Leak Test is sponsored by VPN provider IVPN. It offers a quick standard test and a slower extended test. Both report the Hostname, ISP and Country for each detected DNS server (no city).
- www.whatsmydnsserver.com is from Sericon Technology.
- DNS Leak Test from VPN provider ExpressVPN reports the Country and "Provider" for each detected DNS server. It does not report a hostname or city. Note that it always warns that "Your DNS is exposed!" which really means you are not connected to ExpressVPN.
- DNS Leaktest from VPN provider Perfect Privacy reports your current DNS servers. For each server it shows the IP address, computer name, ISP and host country. There is a bug, however: the ISP name is truncated.
- dnsleak.com is sponsored and operated by London Trust Media, the company behind VPN provider Private Internet Access. It reports the hostname, city and country for each detected DNS server, but not the ISP.
- ipx.ac is from VPN provider VPN.ac. Click the big orange button at the bottom of the page to see the IP address, country and ISP of detected DNS servers. It does not show the names of each DNS server.
- Am I Mullvad? is a VPN tester page for the Mullvad VPN. In addition to confirming that you are connected to their VPN, it also shows the IP address, name and country of your DNS servers. And, it tests WebRTC too.
- The F-Secure Router Checker does not really check routers, it simply reports on a DNS server. All the other DNS server checkers report on multiple detected DNS servers; F-Secure only reports on one. The company says their goal is to ensure that your router is using an "authorized DNS server" but there is no such thing and they don't define it. The service disappeared from roughly Feb. 2016 through Aug. 2016, but as of mid-August 2016 it's back online.
- The Tenta VPN tester reports more details about your DNS servers than anywhere else that I know of. That said, it used to have a CPU looping issue. More recently, it takes a very long time for the tests to complete.
- If you are using OpenDNS, you can verify this at www.opendns.com/welcome/.
- ipleak.net is from VPN provider AirVPN. It reports lots of things, including DNS servers. It is only available via HTTP, not HTTPS. It is also available on ports 8000 and 62222. This is my least favorite option as the font used is all but unreadable.
- Some known BAD DNS servers: 18.104.22.168 (I lost track of the source). From a 2012 attack in Brazil: 22.214.171.124 and 126.96.36.199 (source). From a December 2016 article by Proofpoint: 188.8.131.52-24, 184.108.40.206-126, 220.127.116.11-121 and 18.104.22.168-244.
In May 2017, Trend Micro made a great point, that I had not previously considered. "Unfortunately, website-based tests may not be reliable once a home router has been compromised." With that in mind, it makes sense to check with the router directly, be it with a web interface or an app, to double check the DNS servers.
Windows users have another excellent option, the DNS query sniffer program by Nir Sofer. The program is free, portable and from a trustworthy source. It simply traces DNS requests and responses. Before connecting to a VPN, tell it to examine either your Wi-Fi or Ethernet connection to confirm the program is working. Then connect to the VPN and you should see no further DNS activity. As further proof that the VPN is handling things, tell the program to examine your VPN connection (Options -> Capture Options) and you should see all your DNS requests.
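The "know what your DNS servers should be" checks above, done locally as an added example (not the page author's code). It parses the resolver list from either a Unix resolv.conf or Windows "ipconfig /all" output, flags resolvers you did not choose, and confirms that connecting to a VPN actually replaced them; the expected set (Quad9 and OpenDNS addresses) and the known-bad stand-in address are assumptions, and the sample inputs are constructed.

```python
import re
from typing import Dict, List, Set

# Assumed "should be" set. Quad9 and OpenDNS are the providers named above;
# their addresses are public facts but are not taken from this page.
EXPECTED_RESOLVERS: Set[str] = {
    "9.9.9.9", "149.112.112.112",         # Quad9
    "208.67.222.222", "208.67.220.220",   # OpenDNS
}
# Constructed stand-in for a known-bad resolver (a TEST-NET-1 address).
KNOWN_BAD_RESOLVERS: Set[str] = {"192.0.2.53"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_resolv_conf(text: str) -> List[str]:
    """Resolvers from Unix/macOS /etc/resolv.conf content ('nameserver' lines)."""
    servers: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text: str) -> List[str]:
    """IPv4 resolvers from Windows 'ipconfig /all' output. The first server
    follows 'DNS Servers . . . :'; further servers sit on the indented lines
    that follow, one per line, until the next 'label : value' line.
    IPv6 entries are skipped (this check is IPv4 only)."""
    servers: List[str] = []
    in_dns_block = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
            m = IPV4.search(line.split(":", 1)[1])
            if m:
                servers.append(m.group())
            continue
        if in_dns_block:
            if " : " not in line and line.startswith((" ", "\t")):
                m = IPV4.search(line)
                if m:
                    servers.append(m.group())
                continue
            in_dns_block = False
    return servers


def audit(servers: List[str],
          expected: Set[str] = EXPECTED_RESOLVERS,
          bad: Set[str] = KNOWN_BAD_RESOLVERS) -> Dict[str, List[str]]:
    """Flag resolvers that are not the ones you chose, and any on the bad list."""
    return {
        "unexpected": [s for s in servers if s not in expected],
        "known_bad": [s for s in servers if s in bad],
    }


def vpn_replaced_resolvers(before: List[str], after: List[str]) -> bool:
    """True only if every resolver seen before the VPN is gone after it."""
    return bool(after) and not (set(before) & set(after))


# Constructed samples (not real output from any machine).
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search lan
nameserver 9.9.9.9
nameserver 149.112.112.112 # Quad9 secondary
"""

SAMPLE_IPCONFIG = """Wireless LAN adapter Wi-Fi:
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    unix = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("resolv.conf:", unix, audit(unix))
    win = parse_ipconfig(SAMPLE_IPCONFIG)
    print("ipconfig:", win, audit(win))          # router-imposed plus a bad one
    print("VPN replaced resolvers:", vpn_replaced_resolvers(win, ["10.8.0.1"]))
```

On a real machine, feed it the contents of /etc/resolv.conf or the captured output of ipconfig /all, once before and once after connecting to the VPN.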
On a totally different plane is Steve Gibson's Router Crash Test. While working on a DNS spoofability test, Gibson accidentally discovered that he crashed some routers just by sending them legitimate DNS requests. This is a bit dated (Gibson has no creation dates on the pages of his site) but it takes only a few seconds to verify that your router does not fall prey to this attack. At the bottom of the page look for a gray "Initiate Router Crash Test" button.
Firewall Testers
Port Status: An "open" port responds to unsolicited incoming requests. A "closed" port (a.k.a. "refused" in Nmap lingo) is accessible, but there is no application listening on it. A status of "stealth" (a.k.a. "filtered" to Nmap) means data sent to the port generates no response at all. This is the most secure status.
- See what Shodan knows about your router on my Shodan page. A Not Found result is a good thing. Any open ports are bad.
- Steve Gibson's Shields UP! is an oldie but goodie.
Stealth is the best status. Closed is OK. Open is bad news. Start with the "Common Ports" test which tests ports: 0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1720 and 5000. Then, move on to the "All Service Ports" test which tests all the ports from zero to 1055 and takes about 70 seconds to run. If all is well, it will say "Passed" in green and the status of every port will be "stealth". The passing grade also means that the router does not reply to Ping commands on the WAN port. A perfect report looks like this.
- The Speed Guide Security Scan tests 85 ports but does not say which ports it tests. If you register and create an account, then it scans 359 ports. Click the small blue "START" button to run the scan. Only a summary report is provided, something like "All 85 scanned ports on youripaddress are filtered (54) or open|filtered (31)". All told, barely useful.
- Network Port Checker and Scanner Tool at ipfingerprints.com lets you test an arbitrary range of ports, both for TCP and UDP. And, you can test any online device, not just the router you are connected to. It also has some advanced features. It is based on nmap and uses nmap terminology rather than simple English. They offer a translator from nmap to English.
- The Nmap Online Port Scanner at HackerTarget.com is a free demo of a paid service. Give it an IP address or domain name and it scans 10 ports: 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP mail), 80 (HTTP web), 110 (POP3 mail), 143 (IMAP mail), 443 (HTTPS, SSL/TLS), 445 (Microsoft SMB) and 3389 (Remote Desktop, RDP). It uses nmap with version detection enabled. The paid service is $120/year.
- The website pentest-tools.com offers two port scanners based on nmap. One is for UDP, the other is for TCP. It scans the 100 most common ports, but does not say what they are. It never worked for me because it always tries to ping the target and my router blocks pings. You have to enter the IP address to be scanned and the site does not report your current IP address. It is a free demo for a paid service that costs $45/month. Hard to justify the price when the demo is bad.
- The Port Scanners page at WhatsMyIP.org can scan a single port or four different groups of common ports. They don't say if the scans are TCP, UDP or both. A port that does not respond is said to time out. This does not differentiate between closed and stealthed ports, making it relatively useless.
- Security company Incapsula suggested using www.yougetsignal.com/tools/open-ports/ by Kirk Ouimet. But it only scans one port at a time, does not say anything about TCP vs. UDP and does not differentiate between Closed and Stealthed ports.
- An option on the Speed Guide Security Scan lets you scan any port for TCP, UDP or both. Or, you can make a link such as speedguide.net/portscan.php?port=999&tcp=1&udp=1 which scans port 999 for both TCP and UDP.
- Shields UP! can also test a single port, a feature called portprobe. There is no GUI interface though, you have to make your own URL. This example, grc.com/x/portprobe=999, tests port 999 and changing it to test another port is self-explanatory. Many examples in the next section do just this. Gibson does not address TCP vs. UDP, so I have to assume the test is TCP only.
TCP Ports to Test
Note that while connected to a VPN, these tests test the VPN server, not your router. Same for Tor. An "open" port responds to unsolicited incoming requests. A "closed" port (a.k.a. "refused" in Nmap lingo) is accessible, but there is no application listening on it. A status of "stealth" (a.k.a. "filtered" to Nmap) means data sent to the port generates no response at all. This is the most secure status. This list is extremely incomplete.
- According to security firm SEC Consult, Xiongmai video devices offer high-privileged shell access over TCP ports 23 (Telnet) and 9527 (a Telnet-like console interface) using hard-coded credentials. Many of the above firewall testers include port 23, but 9527 is not common at all. Test TCP port 9527.
- Windows remote desktop uses port 3389 and bad guys probe it often. In September 2018, the FBI warned about it: FBI warns companies about hackers increasingly abusing RDP connections. In March 2018, Rendition Infosec reported that the city of Atlanta had computers with port 3389 open on the Internet. Atlanta government was compromised in April 2017 – well before last week’s ransomware attack. Test TCP port 3389.
- The hacking of MikroTik routers is all over the Router News page. Many of the attacks target Winbox, a Windows application that administers the router. Winbox talks to the router over port 8291. Anyone with a MikroTik router should ensure that port 8291 is not open to the Internet. Test TCP port 8291. In Sept. 2018 one attack on MikroTik routers turned them into SOCKS 4 proxies using the non-standard TCP port 4153. Test TCP port 4153.
- In July 2018 a design flaw with FTP in Netgear routers led to the leaking of military documents. No hacking was needed, the owners of many Netgear routers do not change default passwords. The Netgear KB articles on FTP configuration are shameful in their ignoring security issues. Coverage of the hacking is on the Router News page under July 2018. Test TCP port 21.
- The Satori botnet keeps changing. We have already seen (below) that it attacks ports 37215 and 52869. In June 2018, Netlab 360 found a new variant that scans for ports 80 and 8000. Test TCP port 80 and test TCP port 8000.
- The VPNFilter malware/botnet attacks Mikrotik routers on TCP port 2000 (May 2018). Even if you don't have a Mikrotik router, the botnet is huge and dangerous, so test TCP port 2000.
- At the end of Sept. 2018, Talos released additional information on the VPNFilter router malware. It may create a SOCKS5 VPN proxy server on TCP port 5380. So, test port 5380.
- In May 2018 FortiGuard Labs reported that the WICKED botnet tries to connect to port 8080 and, if successful, tries to exploit a flaw in Netgear DGN1000 and DGN2200 v1 routers from October 2017. Test TCP port 8080.
- The WICKED botnet also tries to connect to port 8443, and if successful, tries to exploit a flaw in Netgear R7000 and R6400 routers from March 2017. Test TCP port 8443.
- March 2018: Devices running the Cisco Smart Install client have TCP port 4786 open by default. It should not be exposed to the Internet, yet over 8 million devices have this port open (see the March 2018 section of the Router Bugs page for more). There was a critical flaw in the Smart Install software. Test TCP port 4786.
- MikroTik routers leave TCP port 2000 open by default. It was abused by botnets in DDoS attacks in January 2018. The port is used for bandwidth testing and the company says to disable it in production. Test TCP port 2000.
- Dec 2017: If you have a Huawei router/gateway, then test port 37215. In Nov. 2015 there was an issue with it. Also, in March 2017, an article at RedPiranha said "This port has been detected to be the most vulnerable aspect of the Huawei router as it does not validate any of the data packets sent to it whatsoever." Then, in Dec 2017, 360 netlab warned about the Satori botnet, spreading on ports 37215 and 52869. Fortinet also wrote about this. To test port 52869, click here.
- Sept 2017: If AT&T is your ISP then test if port 49152 is open as per Bugs in Arris Modems Distributed by AT&T Vulnerable to Trivial Attacks by security firm Nomotion. Also, check if SSH port 22 is open.
- July 2017: If AT&T is your ISP then test if port 61001 is open. According to Nomotion, in Exploring the AT&T U-verse 5268AC DSL Modem, the port is only open from outside of the AT&T U-verse network.
- March 2017: If you own a video camera, then you may want to read about flaws in thousands of models. In terms of routers, one of the flaws lets anyone watch the camera. Anyone who connects to TCP port 10554, that is. Test port 10554. (More)
- According to SANS, some IoT devices use port 2323 as an alternate port for Telnet. The Mirai botnet scans for IoT devices on both ports 23 and 2323. Test TCP port 2323.
- UPnP and SSDP use port 1900 and do not belong on the Internet. They were intended for LAN use only. This is only supposed to use UDP but it's so important that testing TCP too can't hurt. Test TCP port 1900.
- Port 7547 is used by a remote management protocol known as either TR-069 or CWMP (Customer Premises Equipment WAN Management Protocol). Some ISPs use this protocol to re-configure your router/gateway/modem. In November 2016, the protocol was abused to attack DSL modems. A device infected in this attack will have its port 7547 closed by the malware to prevent new firmware from being installed. In April 2017 Wordfence reported that Thousands of Hacked Home Routers are Attacking WordPress Sites and they attributed the router hacking to port 7547 being open. They said that Shodan reports over 41 million devices are listening on port 7547. So, test port 7547.
- Some D-Link routers expose port 8181 for an unknown service that had a buffer overflow flaw that let remote unauthenticated attackers run commands on the router. D-Link said they fixed this with firmware released in August 2016. Still, it can't hurt to test TCP port 8181.
- In December 2016 Cybereason found flaws in many IP cameras. They made an online tester for people to check if their cameras are vulnerable. The test page says the vulnerable cameras use port 81. Test TCP port 81.
- Printers can use multiple ports. Port 9100 is used for RAW output with TCP, port 631 is used for Internet Printing Protocol (IPP) with TCP and UDP, and port 515 is used for Line Printer Daemon with TCP. In Feb. 2017 a hacker, claiming he wanted to raise awareness about the risks of leaving printers exposed to the Internet, forced thousands of printers to spew out rogue messages. This was not the first such attack and it was inspired by research published Jan. 2017. More here and here and here. Test port 9100, test port 631 for TCP, test 631 for UDP and test port 515.
- Port 5555. This is sometimes used by ISPs for the TR-069 protocol. In July 2018, Trend Micro found a new exploit using port 5555. The activity involved the command line utility called Android Debug Bridge (ADB). See Open ADB Ports Being Exploited to Spread Possible Satori Variant in Android Devices. In March 2017, Trend Micro found Linux malware that also abused this port. Test port 5555.
- Port 55555. This is used by the Lenovo Solution Center and was found to have vulnerabilities in December 2015. More about this here and here. Test port 55555.
- Port 7779. This is used by Dell System Detect, which is part of Dell Foundation Services, and was found to be a security issue in December 2015. More here and here. Test port 7779.
- If you are not using an L2TP VPN then port 1701 should not be open.
- A bug in some Linksys routers left port 8083 open even if their web interface said that remote management was disabled. You can test for a vulnerable router by browsing to http://22.214.171.124:8083/ where 22.214.171.124 is your public IP address. Vulnerable routers will put you into their admin console, without even asking for a password.
- Port 32764 was made infamous in Jan. 2014 when Eloi Vanderbecken found that his Linksys WAG 200G used it as a backdoor. Other Linksys, Netgear and Cisco routers did the same. See my blog on this: How and why to check port 32764 on your router. But then it got worse when, in April 2014, the "fix" merely hid the backdoor better. If your router has version 2 of the backdoor, you can't test for it. But we can test for version 1 externally with portprobe and internally by pointing a web browser to http://188.8.131.52:32764 where 188.8.131.52 is the LAN side IP address of the router.
- SNMP normally uses UDP, but it has been seen in the wild using TCP. So, what the heck, test port 161 and
- LDAP port 389 uses both TCP and UDP. See the UDP section below for links to test each.
UDP Ports to Test
Note that while connected to a VPN, these tests test the VPN server, not your router. Same for Tor.
This list is extremely incomplete.
- UPnP and SSDP use port 1900 and do not belong on the Internet. They were intended for LAN use only. Test port 1900.
- In March 2018, Cisco issued a fix for a bounds-checking error in IOS/IOS XE's quality-of-service subsystem. The flaw can be attacked on UDP port 18999. Test UDP port 18999.
- As per Attackers are now abusing exposed LDAP servers to amplify DDoS attacks (by Lucian Constantin Oct 26, 2016) Connectionless LDAP (CLDAP), a variant of LDAP (Lightweight Directory Access Protocol) that uses UDP, is being abused in DDoS attacks. LDAP is used in corporate networks and "its use directly on the internet is considered risky and is highly discouraged." Yet, SHODAN reports over 140,000 systems using it. Test port 389 TCP and port 389 UDP.
- NAT-PMP, like UPnP, lets a LAN-resident device poke a hole in the router firewall. It was designed by Apple, who uses it for Back to My Mac. It listens on UDP port 5351. In 2014 it was discovered that over a million devices connected to the Internet had this port open on the WAN side. Oops. Some companies making devices with this flaw were Belkin, Netgear, Technicolor, Ubiquiti and ZyXEL. The Shadowserver Foundation scans for this daily. On Nov. 11, 2016 they found 1.2 million devices exposing NAT-PMP. More here and here. Test port 5351.
- The Asus infosvr service listens on UDP port 9999. It has a buggy history (see here and here and here and here). It is supposed to be a LAN side only issue (see the section below on LAN side port testing); still, it can't hurt to test it on the WAN side too if you have an Asus router. Test port 9999.
- If you are not using SNMP, and most people are not, then UDP ports 161 and 162 should be closed. A device running SNMP can be abused in SNMP amplification attacks, a type of DDoS attack. The Shadowserver Foundation scans the Internet for devices that respond to SNMP commands on UDP port 161. In mid-November 2016, they found 3,490,417 such devices. Test port 161 and test port 162.
- Port 1233. The Toshiba Service Station application receives commands via this port and was found to be a security issue in December 2015.
- If you are not using an L2TP VPN then port 1701 should not be open. Not sure if this uses UDP; better safe than sorry. Test port 1701.
- A bug in Netis and Netcore routers could be exploited on port 53413. Read more here and here. From Aug. 2014. According to a mid-November 2016 scan by the Shadowserver Foundation, there are 20,320 vulnerable routers online, the vast majority of which are in China. Netis routers are sold in the US. Test port 53413.
- In September 2016, a backdoor was found in a D-Link router. Sending "HELODBG" to UDP port 39889 would cause the router to run Telnet, letting a bad guy log in without a password. Test port 39889.
- Port 631 is used for Internet Printing Protocol with both TCP and UDP. More about this is in the above section on TCP ports.
UDP Port testers
The links above, that test individual UDP ports, look like this
This example would test port 999. SpeedGuide can also test individual ports at their Security Scan page where you can enter any port number and choose to test UDP and/or TCP.
Another website offering UDP port tests is the UDP Port Scan with Nmap page at Pentest-Tools.com. It can test a range of UDP ports, a list of UDP ports or individual ports.
LAN side port testing
TELNET: Individual LAN side ports can be tested from a computer on the LAN with Telnet. Windows 7 and 8.1 users will have to first install the Telnet client using: Control Panel -> Programs and Features -> click on "Turn Windows features on or off" in the left side column -> Turn on the checkbox for Telnet Client -> Click OK. On OS X ....
To use telnet on Windows, open a Command Prompt window and type "telnet ipaddress portnumber". For example: "telnet 192.168.1.1 80". There needs to be a space on both sides of the IP address. If the port is closed, Windows will complain that it "could not open connection to the host on port 80: connect failed". If the port is open, the responses vary; you may just see a blank screen. You can also telnet to a computer by name, such as "telnet somewhere.com 8080".
ID Serve: ID Serve is a small, portable, Internet Server Identification Utility for Windows, created by Steve Gibson. It was written in 2003 and has not been updated since. The initial screen explains its purpose, the Server Query tab is where it does its work. You can query a computer by name (www.amazon.com) or by IP address. It defaults to port 80, but you can force a different port by adding a colon and the port number after the computer name or IP address (no spaces). If data comes back from the query, ID Serve displays it all. This data may identify the server software. If data does not come back, the message, in my experience, will either be "The port is closed, so our connection attempt was refused" or "No response was received from the machine and port at that IP. The machine may be offline or the connection port may be stealthed". ID Serve is limited to TCP (no UDP) and does not support HTTPS.
BROWSER: You can also test a port with a web browser. For example, http://192.168.1.1:999 would test TCP port 999 (of course, modify the IP address as necessary for your router). I don't think a browser can test a UDP port; it is limited to TCP.
NMAP: This command tests UDP ports 11 through 13 on the device at IP address 18.104.22.168
nmap -sU -p 11-13 18.104.22.168
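The open/closed/stealth distinction from the Firewall Testers section, and the LAN side per-port tests just described, implemented as an added example (not the page author's code). A TCP connect that completes is "open", one the host refuses is "closed", and one that times out is "stealth"; the Shields UP! style verdict and the short list of ports taken from the lists above are the author's criteria, the target you pass in is assumed to be your own router.

```python
import socket
import sys
from typing import Dict, Iterable

# A handful of the TCP ports called out in the lists above, with the reason given there.
PORTS_TO_TEST: Dict[int, str] = {
    21: "FTP (Netgear default passwords)",
    23: "Telnet",
    2000: "MikroTik bandwidth test / VPNFilter",
    2323: "alternate Telnet (Mirai)",
    3389: "Windows Remote Desktop",
    4786: "Cisco Smart Install",
    7547: "TR-069 / CWMP",
    8291: "MikroTik Winbox",
    9527: "Xiongmai console",
    32764: "Linksys/Netgear/Cisco backdoor",
}


def tcp_port_status(host: str, port: int, timeout: float = 3.0) -> str:
    """open: handshake completes, something is listening.  closed: the host
    answers with a reset ('refused' in nmap terms).  stealth: nothing comes
    back within the timeout ('filtered' in nmap terms).  error: unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "error"
    finally:
        s.close()


def udp_port_status(host: str, port: int, timeout: float = 3.0) -> str:
    """UDP is harder: a closed port answers with ICMP port unreachable, which a
    connected UDP socket surfaces as 'connection refused', while silence means
    either open or filtered, so nmap reports it as 'open|filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    except OSError:
        return "error"
    finally:
        s.close()


def check_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    return {p: tcp_port_status(host, p, timeout) for p in ports}


def grade(results: Dict[int, str]) -> str:
    """Shields UP! style verdict: any open port fails, all stealth passes,
    anything else (closed ports, probes that errored) is merely OK."""
    statuses = set(results.values())
    if "open" in statuses:
        return "FAILED"
    if statuses and statuses <= {"stealth"}:
        return "PASSED"
    return "OK"


def loopback_demo() -> Dict[str, str]:
    """Offline demonstration: one loopback port with a listener (open) and one
    that a bound socket has just released, so nothing listens there (closed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {"listening": tcp_port_status("127.0.0.1", open_port, 1.0),
                "nothing_listening": tcp_port_status("127.0.0.1", closed_port, 1.0)}
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage: python portcheck.py <your public IP> [port ...]  (default: PORTS_TO_TEST).
    # Run it from OUTSIDE your network (e.g. a phone hotspot): from inside, a
    # connection to your public IP may loop back and test the LAN side instead.
    if len(sys.argv) < 2:
        print(loopback_demo())
        sys.exit(0)
    target, ports = sys.argv[1], [int(p) for p in sys.argv[2:]] or sorted(PORTS_TO_TEST)
    results = check_ports(target, ports)
    for port in ports:
        print(f"{port:>6} {results[port]:<9} {PORTS_TO_TEST.get(port, '')}")
    print("Verdict:", grade(results))
```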
TCP/IP Port Information
- The most Commonly Open Ports for both TCP and UDP from SpeedGuide.net
- List of TCP and UDP port numbers at WikiPedia
- A master file of port assignments from IANA. It's a huge list; use the search function rather than paging through it.
- If you have a Synology NAS, then see What network ports are used by Synology services?
- Windows users: Network Ports Used by Key Microsoft Server Products undated
- Also from Microsoft, Port Assignments for Commonly-Used Services dating back to Windows 2000
- Ports blocked by Comcast: Blocked Internet Ports List. As of Sept. 2017, they block: TCP 0 down, TCP 25 both ways, UDP 67 down, 135-139 in both directions for both TCP and UDP, UDP 161 in both directions, TCP 445 up and down, UDP 520 up and down, UDP 547 down, TCP 1080 down and UDP 1900 in both directions.
HNAP Testing
The Home Network Administration Protocol is a network device management protocol dating back to 2007. There are four problems with HNAP. One is that it has a long history of buggy implementations. It can also tell bad guys technical details of a router, making it easier for them to find an appropriate vulnerability to attack. The fact that a router supports HNAP may not be visible in its administrative interface. Worst of all, HNAP often cannot be disabled. Four strikes, you're out.
You can test if a router supports HNAP by browsing to http://22.214.171.124/HNAP1/ where 22.214.171.124 is the IP address of your router. Of course, every router has two IP addresses, one on the public side and one on the private side. I suggest testing for HNAP on each.
You can learn your public IP address at many websites, such as ipchicken.com and checkip.dyndns.com. For the LAN side of a router, see my Sept. 2013 blog Find the IP address of your home router.
If HNAP is enabled, this test displays basic device information about your router in an XML file. See sample output. If it fails, there will be some type of error about the web page not being able to be displayed, perhaps a 404 Not Found error.
If HNAP is enabled, try to turn it off in the router administrative interface and then test again. You may not be able to turn it off. For more, see the HNAP page.
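The HNAP check above, as an added example (not the page author's code): fetch /HNAP1/ from the router and, if something XML comes back, pull out the device details that the text warns it leaks. The element names and namespace follow the HNAP1 GetDeviceSettings response but are assumptions here, and the sample response is constructed.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Fields worth reading out of a GetDeviceSettings response (assumed names).
INTERESTING = ("VendorName", "ModelName", "ModelDescription",
               "FirmwareVersion", "DeviceName", "PresentationURL")


def probe_hnap(router_ip: str, timeout: float = 5.0) -> Optional[str]:
    """GET http://<router>/HNAP1/ as described above. Returns the body when the
    router answers 200, None on an HTTP error or no answer (the good result)."""
    url = f"http://{router_ip}/HNAP1/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def parse_hnap_device_settings(body: str) -> Tuple[Dict[str, str], List[str]]:
    """Device details plus the list of advertised SOAP actions from the XML an
    HNAP router returns. Namespaces are stripped so the parser does not depend
    on the exact namespace URI the firmware uses."""
    root = ET.fromstring(body)
    info: Dict[str, str] = {}
    actions: List[str] = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]
        text = (el.text or "").strip()
        if tag in INTERESTING and text:
            info[tag] = text
        elif tag == "string" and text:        # SOAPActions/string entries
            actions.append(text)
    return info, actions


def hnap_enabled(body: Optional[str]) -> bool:
    """True when the body parses as an HNAP response that names the device."""
    if not body:
        return False
    try:
        info, _ = parse_hnap_device_settings(body)
    except ET.ParseError:
        return False                          # HTML error page or junk
    return "ModelName" in info or "DeviceName" in info


# Constructed sample, shaped like an HNAP GetDeviceSettings response.
SAMPLE_HNAP_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <DeviceName>ExampleRouter</DeviceName>
      <VendorName>ExampleVendor</VendorName>
      <ModelName>XR-1000</ModelName>
      <FirmwareVersion>1.0.0</FirmwareVersion>
      <SOAPActions>
        <string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
      </SOAPActions>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>
"""

if __name__ == "__main__":
    import sys
    # With a router IP on the command line the real device is probed; without
    # one the constructed sample is parsed so the script runs offline.
    body = probe_hnap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HNAP_RESPONSE
    if hnap_enabled(body):
        info, actions = parse_hnap_device_settings(body)
        print("HNAP is enabled; leaked details:", info)
        print(f"{len(actions)} SOAP actions advertised")
    else:
        print("No HNAP response (good)")
```

Probe both addresses the text mentions: the LAN side from inside your network and the public side from outside it.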
URLs to try from your LAN
In these examples, 188.8.131.52 represents the LAN side IP address of the router.
As per Scott Helme's 2014 description of his BrightBox router, try the URL below, where 188.8.131.52 is the IP address of your router. A good result returns nothing but an error message. Here is a sample of a bad result.
In December 2016, Pedro Ribeiro reported on flaws in the Netgear WNR2000 router. If you own a Netgear router, it can't hurt to check for information leakage with the URL below. It may leak the device serial number.
Many Netgear routers had a security flaw in December 2016 (see here and here for more). The command below tests a Netgear router. If this results in a web page with the word "Vulnerable", then the router is vulnerable. Netgear has issued fixes for all vulnerable routers.
This issue with port 32764 is explained above in the TCP Ports to Test section.
In September 2017, security firm Embedi found port 19541 open on many D-Link routers. It responds to commands such as one to reboot the router. They did not find any way to close the port. The default IP address is 192.168.0.1 but the router may also respond to dlinkrouter.local.
If there is a video surveillance system on your LAN, then hopefully it was not made by Xiongmai. In October 2018, SEC Consult published a big exposé about the many ways these systems are not secure. The number of security flaws is huge. These devices are re-branded by at least 100 other companies, so to detect a Xiongmai system, they suggest viewing this page from the LAN. If the page exists and it refers to 'Xiongmai' at all, then read the article by SEC Consult. They also offer other suggestions for identifying Xiongmai hardware. SEC Consult feels that the security is so bad it cannot be fixed and that the hardware should be discarded.
UPnP Testers
UPnP is dangerous because it lets computing devices (typically IoT devices) punch a hole in the router's firewall. This exposes them to the Internet where their poor security, such as default passwords, can be abused. This danger involves UPnP being enabled on the LAN side of the router. I am still looking for a LAN side tester.
UPnP on the WAN/Internet side of a router is a totally different problem. UPnP was never meant to be exposed on the Internet. The online tester below ensures that your router does not respond to UPnP requests sent to it over the Internet. For more on why UPnP from the Internet side of a router is an issue at all, see my Jan. 2013 blog Check your router now, before Lex Luthor does.
UPnP is relatively hard to test for as there are two components to the protocol. Discovering UPnP enabled devices is done with the Simple Service Discovery Protocol (SSDP) which listens on UDP port 1900. The actual communication between devices is done via HTTP on varying ports. SSDP tells clients which port to use for HTTP communication. According to Rapid7, the TCP port number varies by vendor and is often chosen at random. Ugh. Their report notes that some Broadcom, D-Link and TP-Link routers use TCP port 5431, some devices use port 80 and still others use 2869.
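The two-step UPnP exchange just described, as an added example (not the page author's code): build the SSDP M-SEARCH a client multicasts to UDP 1900, parse the reply, and read the LOCATION header to learn which host and TCP port the HTTP side actually lives on. Run on the LAN it lists every device, router included, that answers SSDP; the sample reply is constructed and its 5431 port is one of the vendor choices the text mentions.

```python
import socket
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

SSDP_ADDR = ("239.255.255.250", 1900)   # the standard SSDP multicast group and port


def build_msearch(search_target: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """The discovery request a UPnP client multicasts to UDP 1900."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Header map (upper-cased names) from an 'HTTP/1.1 200 OK' style reply."""
    lines = raw.decode("utf-8", "replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def description_endpoint(headers: Dict[str, str]) -> Tuple[str, int]:
    """Host and TCP port of the device description URL in LOCATION; this is
    the per-vendor HTTP port the text above says varies and may be random."""
    url = urlsplit(headers["LOCATION"])
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)


def discover(timeout: float = 3.0) -> List[Tuple[str, str, int]]:
    """Multicast one M-SEARCH on the LAN and collect
    (responder IP, description host, description port) for every answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    found: List[Tuple[str, str, int]] = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            try:
                data, (ip, _) = sock.recvfrom(4096)
            except socket.timeout:
                break
            try:
                host, port = description_endpoint(parse_ssdp_response(data))
            except (ValueError, KeyError):
                continue                  # malformed or non-200 reply
            found.append((ip, host, port))
    finally:
        sock.close()
    return found


# Constructed reply, shaped like what a router's SSDP responder sends back.
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:5431/rootDesc.xml\r\n"
    b"SERVER: Example/1.0 UPnP/1.0 ExampleIGD/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("Parsed sample:", description_endpoint(parse_ssdp_response(SAMPLE_SSDP_REPLY)))
    for ip, host, port in discover():
        print(f"{ip} advertises its UPnP description at {host}:{port}")
```

If your router's LAN address shows up in the output, it is answering UPnP discovery on the LAN side; whether it will also honour port-mapping requests is a separate question this probe does not answer.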
- Steve Gibson added UPnP testing to his ShieldsUP! service in January 2013. On the first page, click on the gray Proceed button. On the next page, click on the yellow/orange button for GRC's Instant UPnP Exposure Test.
- Rapid7 used to offer an online UPnP Check but they discontinued it.
- Rapid7 also discontinued their installable ScanNow program that scanned a LAN for UPnP enabled devices and reported if the devices were running buggy versions of UPnP software. This was useful to ensure that your router was also not responding to UPnP on the LAN side. The program only ran on Windows and required 32 bit versions of either Java 6 or Java 7. As for why they abandoned ScanNow, see ScanNow DLL Search Order Hijacking Vulnerability and Deprecation.
Modem Tests
A modem is a computer and it too can have bugs. Chances are the modem has an IP address such as 192.168.100.1. If nothing else, you should try to access the modem by its IP address so that technical information about your Internet connection is available to you. Also, you want to see what information is available without a password; some modems expose too much. If there is a password, then change it from the default.
As per ARRIS Cable Modem has a Backdoor in the Backdoor try to view
the page below. An error viewing the page is the good result. See a video of this hack.
As per ARRIS DG860A NVRAM Backup Password Disclosure you should try to view the URL below. Again, an error is the good result.
For better security, a router may be able to block access to the modem by blocking its IP address. I blogged about modem access from the LAN side of a router in February 2015. While it can be helpful to directly access the modem, it can also be dangerous. See Talk to your modem and Using a router to block a modem. Some routers can do this, some cannot. Dumbed down routers, such as the consumer mesh systems (eero, Google Wifi, Ubiquiti AmpliFi, etc.), cannot do this.
A great way to see if a modem is accessible from the LAN side is to ping it using the command below. Hopefully, the command fails.
If it is pingable, then test Telnet access to the modem with the command below. Failure is the secure outcome.
Another good test is nmap. The simplest command is
For a much more comprehensive look at the LAN side of the modem use the below:
nmap -v -A -p 1-65535 192.168.100.1
IP Version 6 Testers
I know of no reason for IPv6 to be enabled on a home router. If it is enabled on yours, try to disable it then verify that it's really off. All the sites below are only available via HTTP.
- Test for the existence of IP version 6 at whatismyv6.com. Click on the "IPv6 only Test" or go directly to ipv6.whatismyv6.com. It is a good thing if ipv6.whatismyv6.com fails to load in your browser.
- Another site, ipv6leak.com is from London Trust Media, Inc. I don't know who they are, but the site is linked to by VPN provider PrivateInternetAccess.
- test-ipv6.com is from Jason Fesler. It offers many technical details and is open source (see Github). The point of view here is that IP v6 is good, which I don't agree with.
- Test your IPv6 connectivity from cz.nic is copyrighted by Jason Fesler.
- Check IP from VPN provider Perfect Privacy reports connection details (IP address, DNS server, City and Country) for both IPv4 and IPv6. If it doesn't find any IPv6, the message is: "You do not seem to have IPv6 connectivity."
- From Wireshark.org: IPv4 and IPv6 Connectivity Test
Android Apps
- According to the company, RouterCheck "is the first consumer tool for protecting your home router ... RouterCheck is like an anti-virus system for your router. It protects your router from hackers..." It's an Android app. I have not tried it.
- The Avast Wi-Fi Finder can do a network scan to show all devices connected to the network. It also claims to offer a Wi-Fi Security Scan that finds potential security holes and issues on the network.
Technically, WebRTC is not a router thing, it is a web browser thing. This section is here just for the heck of it. Anyone using a VPN needs to run these tests. WebRTC can expose your public IP address which is normally hidden by the VPN. If you use more than one browser, you need to run these WebRTC tests on each one.
Ads Here
Some routers are hacked to generate income from showing ads. This website has no ads. If you see any ads while viewing this web page, then either the router you are connected to has been hacked or your computer has.
Honorable mention goes to the Shadowserver Foundation that scans the Internet for all sorts of things that should not be there.
See The scannings will continue until the