DNS Server Tests
The topic of Testing Your DNS Servers has been moved to a new page. It explains DNS and lists multiple websites that report on the DNS server(s) currently in use. It is never obvious, yet it is critically important, to know whose DNS servers you are using.
Firewall Testers
Level setting: Every computing device on the Internet is assigned a number. Some have two numbers. The numbers are known as IP addresses. Most also have names. The computer where this website resides goes by the name www.RouterSecurity.org and the IP address 216.92.136.14. The firewall tests below communicate with what they see as your public IP address. Usually, this IP address belongs to the router your computing device (tablet, phone, computer) is connected to. All devices connected to the same router have the same public IP address.
There are, however, three instances where the firewall tests are not communicating with your router. If you are connected to a VPN, the public sees the VPN server, rather than your router. Likewise, with Tor you end up testing the Tor exit node rather than your router. The third case involves the box your router is directly connected to. If it is just a modem, all is well. However, if it is a gateway device (combination modem, router and perhaps even a telephone adapter) from your ISP, then the device visible to the outside world may be the gateway rather than your router. For your router to be your public face on the Internet, the gateway needs to be put in Bridge mode. This dumbs it down to function only as a modem.
Port Status: An "open" port responds to unsolicited incoming requests. A "closed" port (a.k.a. "refused" in Nmap lingo) is accessible, but there is no application listening on it. A status of "stealth" (a.k.a. "filtered" to Nmap) means data sent to the port generates no response at all. This is the most secure status.
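The three statuses above map directly onto what a plain TCP connection attempt sees: a completed handshake, a reset (refused), or silence. The following script, an added example that is not code from this page or from any of the testers it lists, classifies a port from the result of a socket connect, using the page's names beside the Nmap names. It is meant to be run from a machine outside the router (or against a LAN-side address); the common-port list at the bottom is the one the page quotes for the Shields UP! "Common Ports" test.

```python
import socket
import sys

# The page's three statuses beside the name Nmap uses for each.
STATUS_NAMES = {
    "open": "open (Nmap: open)",
    "closed": "closed (Nmap: closed / refused)",
    "stealth": "stealth (Nmap: filtered)",
}

# Same list the page quotes for the Shields UP! "Common Ports" test.
COMMON_PORTS = [0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389,
                443, 445, 1002, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1720, 5000]


def classify_connect_error(exc):
    """Translate the exception raised by socket.connect() into a port status.

    ConnectionRefusedError means the host answered with a TCP RST: the port is
    reachable but nothing listens on it, so it is "closed". A timeout means no
    SYN-ACK and no RST came back at all, which is "stealth". Anything else
    (network unreachable, DNS failure, ...) is reported as "error" so that a
    local problem is not mistaken for a firewall verdict.
    """
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    if isinstance(exc, socket.timeout):
        return "stealth"
    return "error"


def tcp_port_status(host, port, timeout=2.0):
    """Return "open", "closed", "stealth" or "error" for host:port over TCP."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError as exc:  # socket.timeout is an OSError subclass too
            return classify_connect_error(exc)
        return "open"


def scan_ports(host, ports, timeout=2.0):
    """Check several ports one after another and return {port: status}."""
    return {port: tcp_port_status(host, port, timeout) for port in ports}


def all_stealth(results):
    """The page's "Passed" verdict: every tested port is stealth."""
    return bool(results) and all(s == "stealth" for s in results.values())


if __name__ == "__main__":
    # Usage: python tcp_status.py <public-IP-or-hostname>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan_ports(target, COMMON_PORTS, timeout=1.0)
    for port, status in results.items():
        print(f"{port:>5}  {STATUS_NAMES.get(status, status)}")
    print("Passed" if all_stealth(results) else "Not every port is stealth")
```

Run it against your own public IP address from outside your network (a phone on mobile data, or a VPS) to see the same thing the online testers see; run it against the router's LAN address from inside to see the LAN-side picture, which is usually very different.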
- The public IP address of your router, as seen by this website, is displayed here along with its name (the reverse DNS name registered for that address, if any).
- See what Shodan knows about this IP address here: shodan.io/host/YOUR.PUBLIC.IP.ADDRESS (substitute the address shown above). Not Found is good, open ports are bad. For more about this see the Shodan page.
- See what Censys.io knows about your public IP address here: censys.io/ipv4/YOUR.PUBLIC.IP.ADDRESS. The best response is "no publicly accessible services". Further tests of your public IP address are available on the Shodan page.
- Steve Gibson's Shields UP! is an oldie but goodie. Stealth is the best status. Closed is OK. Open is bad news. Start with the "Common Ports" test, which tests ports 0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1720 and 5000. Then, move on to the "All Service Ports" test, which tests all the ports from zero to 1055 and takes about 70 seconds to run. If all is well, it will say "Passed" in green and the status of every port will be "stealth". The passing grade also means that the router does not reply to Ping commands on the WAN port. A perfect report looks like this. (An alternate URL is also available.)
- The Open Port Check Tool at CanYouSeeMe.org will only test your public IP address (your router). It tests one port at a time and will test any port. It says nothing about TCP vs. UDP, so probably only uses TCP.
- The Android Fing app has a "Find open ports" feature that, by default, tests 1,027 TCP ports on any computer. No UDP. You can enter either a target IP address or computer name and the list of tested ports can be customized. Fing also runs on iOS and Windows.
- Barely useful: The Speed Guide Security Scan tests 85 ports but does not say which ports it tests. If you register and create an account, then it scans 359 ports. Click the small blue "START" button to run the scan. Only a summary report is provided, something like "All 85 scanned ports on youripaddress are filtered (54) or open|filtered (31)".
- The TCP Port Scanner at ipvoid.com scans any public IP address. If you opt for common ports, it scans: 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 389, 443, 445, 587, 1025, 1080, 1433, 3306, 3389, 5900, 6001, 6379 and 8080. It uses nmap terminology, so filtered means stealth.
- Network Port Checker and Scanner Tool at ipfingerprints.com lets you test an arbitrary range of ports, both for TCP and UDP. And, you can test any online device, not just the router you are connected to. It also has some advanced features. It is based on nmap and uses nmap terminology rather than simple English. They offer a translator from nmap to English.
- nmap.online is just what it says, an online version of the nmap utility. You can query any website or IP address but only a small number of nmap features are available. You may need to create a free account. The port scan looks at TCP ports FTP(21), SSH(22), SMTP(25), HTTP(80), POP(110), IMAP(143), HTTPS(443) and SMB(445). The Fast scan option scans the most popular 100 ports.
- The GUI Nmap online scanner is also an online edition of nmap. At first glance, it seems to not limit the usage of nmap features.
- The Nmap Online Port Scanner at HackerTarget.com is a free demo of a paid service. Give it an IP address or domain name and it scans 10 ports: 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 80 (HTTP), 110 (POP3), 143 (IMAP), 443 (HTTPS), 445 (SMB) and 3389 (RDP). It uses nmap with version detection enabled. The paid service is $120/year.
- An option on the Speed Guide Security Scan lets you scan any port for TCP, UDP or both. You can also make your own link. To scan port 999 for both TCP and UDP use speedguide.net/ portscan.php? port=999&tcp=1&udp=1
- Shields UP! can also test a single port, a feature called portprobe. There is no GUI interface though, you have to make your own URL. This example, grc.com/x/portprobe=999, tests port 999 and changing it to test another port is self-explanatory. Many examples in the next section do just this. Gibson does not address TCP vs. UDP, so I have to assume the test is TCP only.
- - - - Less Useful - - - - - - - - -
- The website pentest-tools.com offers two port scanners based on nmap. One is for UDP, the other is for TCP. It can scan any computer, either by IP address or by name. The TCP scan claims to scan 100 common ports but in my testing it only scanned 20 ports. The UDP scan does not say what it does and in my initial testing, it never worked. Months later it did work: the UDP scan is only for six ports. One issue for me has been that it Pings before it scans and any router I configure blocks Pings. There is supposed to be a scan that does not require Ping, but it did not work for me. This is a limited free demo for a paid service that costs at least $110/month.
- The Port Scanners page at WhatsMyIP.org can scan a single port or four different groups of common ports. They don't say if the scans are TCP, UDP or both. A port that does not respond is said to time out. This does not differentiate between closed and stealthed ports, making it relatively useless.
- The Mullvad VPN Port Checker scans one port on your router at a time. The result is either "Port is reachable" or "Port is unreachable".
- Security company Incapsula suggested using www.yougetsignal.com/tools/open-ports/ by Kirk Ouimet. But, it only scans one port at a time, does not say anything about TCP vs. UDP and does not differentiate between Closed and Stealthed ports.
- heise Security has a port scanner that tests 49 different ports. But, it is only available in German.
TCP Ports to Test
Note that while connected to a VPN, these tests test the VPN server, not your router. Same for Tor. An "open" port responds to unsolicited incoming requests. A "closed" port (a.k.a. "refused" in Nmap lingo) is accessible, but there is no application listening on it. A status of "stealth" (a.k.a. "filtered" to Nmap) means data sent to the port generates no response at all. This is the most secure status. This list is extremely incomplete.
- April 9, 2024: For some reason (perhaps UPnP), LG televisions are directly available on the Internet. Bitdefender found 4 bugs in their operating system (WebOS versions 4 - 7) and wrote about it here: Vulnerabilities Identified in LG WebOS. The vulnerable service was intended for LAN access only, but Shodan finds over 91,000 devices exposing it to the Internet. The service runs on ports 3000/3001 (HTTP/HTTPS/WSS) and is used by the LG ThinQ smartphone app to control the TV. The article does not say if the ports are TCP or UDP.
Test TCP port 3000
Test TCP port 3001
- In April 2023, we learned about a problem with the SLP protocol. It was intended to be used on a LAN, but thousands of devices were exposing it on the Internet. My summary of this is on the Router News page (look for April 2023). SLP uses port 427 for both TCP and UDP. Test TCP port 427 in your router. Test UDP port 427 in your router.
- In April 2023 we learned of an easily exploited bug in the Microsoft Message Queuing (MSMQ) service in Windows. Security firm Censys found 465,263 MSMQ servers open to the Internet (see CVE-2023-21554: MSMQ). The service listens on TCP port 1801.
Test TCP port 1801.
- In June 2022, we learned of new router malware dubbed ZuoRAT. According to Black Lotus Labs the malware listens on port 48101. Test TCP port 48101.
- In April 2022, there was a critical bug in Windows (see Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime) that let remote bad guys execute code on a vulnerable PC. One defense was not to have TCP port 445 open at the router. Steve Gibson's Shields Up! (see above) tests TCP port 445, so this is just another reason to run it periodically.
- In March 2022, Microsoft issued a warning about Trickbot malware running on MikroTik routers. Their writeup mentioned three ports (presumably TCP, they are not smart enough to say, and it being Microsoft, they offer no means of feedback) that are used by infected routers: 449, 443 and 8291.
- November 2021: New malware called BotenaGo attacks assorted routers from DrayTek, D-Link, Netgear, Linksys, GPON, Comtrend and others. Test TCP port 19412. More: AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits.
- November 2020: New malware was first discovered in October 2020 and described here: Gitpaste-12: a new worming botnet with reverse shell capability spreading via GitHub and Pastebin by Juniper. Some versions of the malware open TCP ports 30004 and 30005 for reverse shell commands. Test TCP port 30004 and port 30005.
- January 2020: Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices. The leaked passwords were for Telnet on TCP port 23. Test TCP port 23.
- In August 2019, Netlab 360 found FiberHome routers in the Philippines and Thailand infected with malware that installed an SSH server on the router. The SSH server listened on TCP port 23455. Test TCP port 23455.
- If UPnP has exposed either a Chromecast, smart TV or Google Home to the Internet, then beware. Bad guys are hijacking these exposed devices to play a video urging victims to subscribe to a YouTube channel. According to Catalin Cimpanu, bad guys are exploiting TCP ports 8008, 8009, and 8443, which are normally used for management functions. Test TCP port 8008 and TCP port 8009 and TCP port 8443.
- The writeup of a bug in some Cisco routers, by RedTeam Pentesting in January 2019, notes that the routers "expose the web server to the WAN on TCP port 8007." If you have a Cisco router, Test TCP port 8007.
- A January 2019 writeup from Trend Micro noted that Mirai variant Yowai listens on port 6 for commands from the command and control server. Yowai infects routers and other devices using a few methods: a ThinkPHP Vulnerability, CVE-2014-8361, a Linksys bug, CVE-2018-10561 and a CCTV-DVR bug. Test TCP port 6.
- According to security firm SEC Consult, Xiongmai video devices offer high-privileged shell access over TCP ports 23 (Telnet) and 9527 (a Telnet-like console interface) using hard-coded credentials. Many of the above firewall testers include port 23, but 9527 is not common at all. Test TCP port 9527.
- Windows remote desktop uses port 3389 and bad guys probe it often. In September 2018, the FBI warned about it: FBI warns companies about hackers increasingly abusing RDP connections. In March 2018, Rendition Infosec reported that the city of Atlanta had computers with port 3389 open on the Internet. Atlanta government was compromised in April 2017, well before last week's ransomware attack. Test TCP port 3389.
- The hacking of MikroTik routers is all over the Router News page. Many of the attacks target Winbox, a Windows application that administers the router. Winbox talks to the router over port 8291. Anyone with a MikroTik router should ensure that port 8291 is not open to the Internet. Test TCP port 8291. In Sept. 2018 one attack on MikroTik routers turned them into SOCKS 4 proxies using the non-standard TCP port 4153. Test TCP port 4153.
- In October and November 2018 we learned that publicly exposed (which implies mis-configured) Docker services were being attacked to mine cryptocurrency. The point of entry is TCP ports 2375 or 2376, each of which defaults to providing unencrypted and unauthenticated communication. Yikes. Test TCP port 2375 and test TCP port 2376.
- In July 2018 a design flaw with FTP in Netgear routers led to the leaking of military documents. No hacking was needed, the owners of many Netgear routers do not change default passwords. The Netgear KB articles on FTP configuration are shameful in their ignoring security issues. Coverage of the hacking is on the Router News page under July 2018. Test TCP port 21.
- The Satori botnet keeps changing. We have already seen (below) that it attacks ports 37215 and 52869. In June 2018, Netlab 360 found a new variant that scans for ports 80 and 8000. Test TCP port 80 and test TCP port 8000.
- The VPNFilter malware/botnet attacks Mikrotik routers on TCP port 2000 (May 2018). Even if you don't have a Mikrotik router, the botnet is huge and dangerous, so test TCP port 2000.
- At the end of Sept. 2018, Talos released additional information on the VPNFilter router malware. It may create a SOCKS5 proxy server on TCP port 5380. So, test TCP port 5380.
- In May 2018 FortiGuard Labs reported that the WICKED botnet tries to connect to port 8080 and, if successful, tries to exploit a flaw in Netgear DGN1000 and DGN2200 v1 routers from October 2017. Test TCP port 8080.
- The WICKED botnet also tries to connect to port 8443, and if successful, tries to exploit a flaw in Netgear R7000 and R6400 routers from March 2017. Test TCP port 8443.
- March 2018: Devices running the Cisco Smart Install client have TCP port 4786 open by default. It should not be exposed to the Internet, yet over 8 million devices have this port open (see the March 2018 section of the Router Bugs page for more). There was a critical flaw in the Smart Install software. Test TCP port 4786.
- MikroTik routers leave TCP port 2000 open by default. It was abused by botnets in DDoS attacks in January 2018. The port is used for bandwidth testing and the company says to disable it in production. Test TCP port 2000.
- Dec 2017: If you have a Huawei router/gateway, then test port 37215. In Nov. 2015 there was an issue with it. Also, in March 2017, an article at RedPiranha said "This port has been detected to be the most vulnerable aspect of the Huawei router as it does not validate any of the data packets sent to it whatsoever." Then, in Dec 2017, Netlab 360 warned about the Satori botnet, spreading on ports 37215 and 52869. Fortinet also wrote about this. To test port 52869, click here.
- Sept 2017: If AT&T is your ISP then test if port 49152 is open, as per Bugs in Arris Modems Distributed by AT&T Vulnerable to Trivial Attacks by security firm Nomotion. Also, check if SSH port 22 is open.
- July 2017: If AT&T is your ISP then test if port 61001 is open. According to Nomotion, in Exploring the AT&T U-verse 5268AC DSL Modem, the port is only open from outside of the AT&T U-verse network.
- March 2017: If you own a video camera, then you may want to read about flaws in thousands of models. In terms of routers, one of the flaws lets anyone watch the camera. Anyone who connects to TCP port 10554, that is. Test port 10554. (More)
- According to SANS, some IoT devices use port 2323 as an alternate port for Telnet. The Mirai botnet scans for IoT devices on both ports 23 and 2323. Test TCP port 2323.
- Port 7547 is used by a remote management protocol known as either TR-069 or CWMP (Customer Premises Equipment WAN Management Protocol). Some ISPs use this protocol to re-configure your router/gateway/modem. In November 2016, the protocol was abused to attack DSL modems. A device infected in this attack will have its port 7547 closed by the malware to prevent new firmware from being installed. In April 2017 Wordfence reported that Thousands of Hacked Home Routers are Attacking WordPress Sites and they attributed the router hacking to port 7547 being open. They said that Shodan reports over 41 million devices are listening on port 7547. So, test port 7547.
- Some D-Link routers expose port 8181 for an unknown service that had a buffer overflow flaw that let remote unauthenticated attackers run commands on the router. D-Link said they fixed this with firmware released in August 2016. Still, it can't hurt to test TCP port 8181.
- In December 2016 Cybereason found flaws in many IP cameras. They made an online tester for people to check if their cameras are vulnerable. The test page says the vulnerable cameras use port 81. Test TCP port 81.
- Printers can use multiple ports. Port 9100 is used for RAW output with TCP, port 631 is used for the Internet Printing Protocol (IPP) with TCP and UDP, and port 515 is used for the Line Printer Daemon with TCP. In Feb. 2017 a hacker, claiming he wanted to raise awareness about the risks of leaving printers exposed to the Internet, forced thousands of printers to spew out rogue messages. This was not the first such attack and it was inspired by research published Jan 2017. More here and here and here. Test port 9100, test port 631 for TCP, test port 631 for UDP, and test port 515.
- Port 5555. This is sometimes used by ISPs for the TR-069 protocol. In July 2018, Trend Micro found a new exploit using port 5555. The activity involved the command line utility called Android Debug Bridge (ADB). See Open ADB Ports Being Exploited to Spread Possible Satori Variant in Android Devices. In March 2017, Trend Micro found Linux malware that also abused this port. Test port 5555.
- Port 55555. This is used by the Lenovo Solution Center and was found to have security vulnerabilities in December 2015. More about this here and here. Test port 55555.
- Port 7779. This is used by Dell System Detect, which is part of Dell Foundation Services, and was found to be a security issue in December 2015. More here and here. Test port 7779.
- If you are not using an L2TP VPN then port 1701 should not be open. Test it.
- A bug in some Linksys routers left port 8083 open even if their web interface said that remote management was disabled. You can test for a vulnerable router by browsing to http://1.2.3.4:8083/ where 1.2.3.4 is your public IP address. Vulnerable routers will put you into their admin console, without even asking for a password.
- Port 32764 was made infamous in Jan. 2014 when Eloi Vanderbecken found that his Linksys WAG 200G used it as a backdoor. Other Linksys, Netgear and Cisco routers did the same. See my blog on this: How and why to check port 32764 on your router. But, then it got worse, when in April 2014, the "fix" merely hid the backdoor better. If your router has version 2 of the backdoor, you can't test for it. But, we can test for version 1 externally with portprobe and internally by pointing a web browser to http://1.2.3.4:32764 where 1.2.3.4 is the LAN side IP address of the router.
- SNMP normally uses UDP, but it has been seen in the wild using TCP. So, what the heck, test port 161 and port 162.
- LDAP port 389 uses both TCP and UDP. See the UDP section below for links to test each.
UDP Ports to Test
Note that this list is quite incomplete.
- In April 2023, a joint report was issued by the UK National Cyber Security Centre, the US Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI that warned about Russians hacking Cisco routers. The Russians got in by abusing an SNMP flaw that had been patched in 2017. SNMP uses UDP ports 161 and 162. Test UDP port 161 and UDP port 162.
- In January 2021, it was revealed that Plex used UPnP in routers to open UDP ports 32410 and 32414 and that these were being abused in reflection amplification attacks. Test UDP port 32410 and UDP port 32414.
- In June 2019, it was discovered that UDP port 3283 was being used in DDoS attacks. See A Call To ARMS: Apple Remote Management Service UDP Reflection/Amplification DDoS Attacks. Test UDP port 3283.
- In March 2018, Cisco issued a fix for a bounds-checking error in IOS/IOS XE's quality-of-service subsystem. The flaw can be attacked on UDP port 18999. Test UDP port 18999.
- As per Attackers are now abusing exposed LDAP servers to amplify DDoS attacks (by Lucian Constantin Oct 26, 2016) Connectionless LDAP (CLDAP), a variant of LDAP (Lightweight Directory Access Protocol) that uses UDP, is being abused in DDoS attacks. LDAP is used in corporate networks and "its use directly on the internet is considered risky and is highly discouraged." Yet, SHODAN reports over 140,000 systems using it. Test port 389 TCP and port 389 UDP.
- NAT-PMP, like UPnP, lets a LAN-resident device poke a hole in the router firewall. It was designed by Apple, who uses it for Back to My Mac. It listens on UDP port 5351. In 2014 it was discovered that over a million devices, connected to the Internet, had this port open on the WAN side. Oops. Some companies making devices with this flaw were Belkin, Netgear, Technicolor, Ubiquiti and ZyXEL. The Shadowserver Foundation scans for this daily. On Nov. 11, 2016 they found 1.2 million devices exposing NAT-PMP. More here and here. Test port 5351.
- The Asus infosvr service listens on UDP port 9999. It has a buggy history (see here and here and here and here). It is supposed to be a LAN side only issue (see the section below on LAN side port testing); still, it can't hurt to test it on the WAN side too if you have an Asus router. Test port 9999.
- If you are not using SNMP, and most people are not, then UDP ports 161 and 162 should be closed. A device running SNMP can be abused in SNMP amplification attacks, a type of DDoS attack. The Shadowserver Foundation scans the Internet for devices that respond to SNMP commands on UDP port 161. In mid-November 2016, they found 3,490,417 such devices. Test port 161 and test port 162.
- Port 1233. The Toshiba Service Station application receives commands via this port and was found to be a security issue in December 2015. More here. Test it.
- If you are not using an L2TP VPN then port 1701 should not be open. Not sure if this uses UDP, better safe than sorry. Test port 1701.
- A bug in Netis and Netcore routers could be exploited on port 53413. Read more here and here. From Aug. 2014. According to a mid-November 2016 scan by the Shadowserver Foundation, there are 20,320 vulnerable routers online, the vast majority of which are in China. Netis routers are sold in the US. Test port 53413.
- In September 2016, a backdoor was found in a D-Link router. Sending "HELODBG" to UDP port 39889 would cause the router to run Telnet, letting a bad guy log in without a password. Test port 39889.
- Port 631 is used for Internet Printing Protocol with both TCP and UDP. More about this is in the above section on TCP ports
UDP Port testers
The links above, that test individual UDP ports, look like this: www.speedguide.net/ portscan.php?udp=1&port=999. This example would test port 999 (ignore the space in the URL). SpeedGuide can also test individual ports at their Security Scan page where you can enter any port number and choose to test UDP and/or TCP.
Another website offering UDP port tests is the UDP Port Scan with Nmap page at Pentest-Tools.com. It can test a range of UDP ports, a list of UDP ports or individual ports.
Yet another site is the UDP Port Scanner at ipvoid.com. It can scan any public IP address but you need to solve a CAPTCHA for each request. If you opt for Common Ports it scans: 53, 68, 69, 123, 137, 161, 389, 636, 1900, 5353 and 11211. It uses nmap terminology.
UPnP Testers (Major revisions: Nov 30, 2018)
There are two core security problems with UPnP: what it does on the LAN, by design, and keeping it off the Internet.
On the LAN side, UPnP is dangerous because it lets computing devices (typically IoT devices) punch a hole in the router's firewall. This exposes devices to the Internet where their poor security, such as default passwords, can be abused. LAN side devices can do much more, in terms of configuring the router they sit behind, but puncturing the firewall is the classic issue.
UPnP on the WAN/Internet side of a router is a totally different problem. UPnP was never meant to be exposed on the Internet. The protocol has no security at all. No passwords, no encryption, no identity verification, nothing. It was designed to be used between trusted devices. Back in January 2013, Rapid7 found over 80 million devices exposing UPnP on the Internet. There should have been none. I blogged about it at the time: Check your router now, before Lex Luthor does.
And, many of those 80 million devices were running UPnP software that was buggy to boot. You can't make this stuff up.
So, just disable UPnP? Not so fast. While it is certainly safer to disable UPnP, it may not be a perfect solution. For one thing, there is a chance a router may only disable UPnP on the LAN side, since it was never supposed to be exposed to the Internet in the first place. Then too, routers have their bugs, and disabling UPnP may well do nothing at all. Back in 2013, when Steve Gibson created his UPnP test (see below) he found examples of both issues, saying: "We have confirmed that there are some routers that leave it on outside, even if it's off inside, and some that don't actually turn it off inside." Clearly, we need to test for UPnP.
UPnP is relatively hard to test for as there are two components to the protocol. The first component lets a UPnP enabled device discover other UPnP enabled devices. The second is the ongoing conversation between UPnP enabled devices. The initial discovery of UPnP-enabled devices is done with the Simple Service Discovery Protocol (SSDP) which listens on UDP port 1900. The actual communication between UPnP devices is done via HTTP on varying TCP ports. Initially, SSDP tells clients which TCP port to use for the subsequent HTTP conversations. According to Rapid7, the HTTP TCP port number varies by vendor and is often chosen at random. Ugh. As for non-random ports, they say that some Broadcom, D-Link and TP-Link routers use TCP port 5431, some devices use port 80 and still others use 2869.
In April 2018 Akamai found over 4.8 million devices were vulnerable to UDP SSDP (the UDP portion of UPnP) inquiries. Of those, roughly 765,000 also exposed their vulnerable TCP implementations.
ONLINE UPnP TESTERS
- In June 2017, Marek Majkowski and Ben Cox of Cloudflare described an amplification attack they saw that exploited the SSDP component of UPnP: Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS. In response, Cox created an online UPnP tester at badupnp.benjojo.co.uk. A good result is: "All good! It looks like you are not listening on UPnP on WAN"
- Steve Gibson added UPnP testing to his ShieldsUP! service in January 2013. On the first page, click on the gray Proceed button. On the next page, click on the yellow/orange button for "GRC's Instant UPnP Exposure Test". A good result is when your router does not respond.
- Click here to test if UDP port 1900 is open on your router. A good result is a status of "filtered?" and the message: "Our Security Scan found NO open ports."
- According to the Netlab team at Qihoo 360 the BCMUPnP_Hunter botnet, which first appeared in September 2018, constantly scans for routers with an exposed UPnP interface on port 5431. As of November 7, 2018, the botnet consists of 100,000 routers. Rapid7 reported that some Broadcom, D-Link and TP-Link routers use TCP port 5431 for UPnP. Test TCP port 5431. A good result is "Stealth"
- In November 2018, Akamai reported on a router attack they called EternalSilence that is one of many attacks on routers that expose UPnP to the Internet. In part, the bad guys targeted devices that use TCP port 2048 for UPnP. The blog was updated in Jan. 2022. Test TCP port 2048. A good result is "Stealth"
- Rapid7 reported that some routers use TCP port 2869 for UPnP. Test TCP port 2869. A good result is "Stealth"
- It seems that Huawei uses port 37215 for UPnP and they have exposed it to the Internet. Test TCP port 37215. A good result is "Stealth"
- UPnP is only supposed to use UDP on port 1900 but, considering the massive mistakes made with UPnP, it can't hurt to also test TCP port 1900. A good result is "Stealth"
I am still looking for a LAN side UPnP tester. One possibility is Universal Plug-and-Play Tester for Windows by Noël Danjou.
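The two-component structure described above (SSDP discovery on UDP 1900, then HTTP on a TCP port the device announces) is exactly what a LAN-side check has to exercise. The script below is an added example, not code from this page or from any tester it names: it multicasts the standard SSDP M-SEARCH request on the local network, parses each reply, and pulls the HTTP host and TCP port out of the LOCATION header, which is the field SSDP uses to tell clients where the HTTP conversation continues. The sample reply in the test is constructed; the address 192.168.1.1 and port 5431 in it are illustrative (5431 is one of the vendor ports the page quotes from Rapid7).

```python
import socket
from urllib.parse import urlsplit

# Standard SSDP multicast group and port (the UDP half of UPnP).
SSDP_ADDR = ("239.255.255.250", 1900)


def build_msearch(st="upnp:rootdevice", mx=2):
    """Build the SSDP M-SEARCH request that UPnP control points multicast.

    ST (search target) asks for root devices; MX is the maximum number of
    seconds a device may wait before answering, which bounds how long we listen.
    """
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw):
    """Parse an SSDP reply (HTTP-style header block) into a dict.

    Returns None unless the datagram is an 'HTTP/1.1 200 OK' response, so
    unsolicited NOTIFY announcements and junk are ignored. Header names are
    lower-cased because devices vary their capitalisation.
    """
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def http_endpoint(headers):
    """Return (host, tcp_port) for the HTTP side, taken from the LOCATION header.

    This is the TCP port the page says "varies by vendor"; if the URL carries no
    explicit port the HTTP default applies.
    """
    location = headers.get("location")
    if not location:
        return None
    parts = urlsplit(location)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def discover(timeout=3.0, st="upnp:rootdevice"):
    """Multicast one M-SEARCH on the LAN and collect every device that answers.

    Each entry records who answered, what it calls itself (SERVER header) and
    where its HTTP interface lives. Run this from a LAN client after disabling
    UPnP in the router: if the router's LAN address still shows up, the switch
    did not turn UPnP off on the inside, the failure Gibson describes above.
    """
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.settimeout(timeout)
        sock.sendto(build_msearch(st), SSDP_ADDR)
        while True:
            try:
                data, addr = sock.recvfrom(65535)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers is None:
                continue
            found.append({
                "from": addr[0],
                "server": headers.get("server", ""),
                "usn": headers.get("usn", ""),
                "http": http_endpoint(headers),
            })
    return found


if __name__ == "__main__":
    for dev in discover():
        host, port = dev["http"] or ("?", "?")
        print(f"{dev['from']:<16} HTTP on {host}:{port}  {dev['server']}")
```

The WAN-side question (does the router answer SSDP from the Internet?) is what the online testers above answer; this script only speaks to the local network segment, which is the part the page says it is still looking for a tester for.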
DISCONTINUED: Rapid7 used to offer an online UPnP Check but they discontinued it. Rapid7 also discontinued their installable ScanNow program that scanned a LAN for UPnP enabled devices and reported if the devices were running buggy versions of UPnP software. This was useful to ensure that your router was also not responding to UPnP on the LAN side. The program only ran on Windows and required 32 bit versions of either Java 6 or Java 7. As for why they abandoned ScanNow see ScanNow DLL Search Order Hijacking Vulnerability and Deprecation.
LAN side port testing
TELNET: Individual LAN side ports can be tested from a computer on the LAN with Telnet. Windows users will have to first install the Telnet client using: Control Panel -> Programs and Features -> click on "Turn Windows features on or off" in the left side column -> Turn on the checkbox for Telnet Client -> Click OK. On OS X ....
To use telnet on Windows, open a Command Prompt window, type "telnet ipaddress portnumber". For example: "telnet 192.168.1.1 80". There needs to be a space on both sides of the IP address. If the port is closed, Windows will complain that it "could not open connection to the host on port 80: connect failed". If the port is open, the responses vary, you may just see a blank screen. You can also telnet to a computer by name, such as "telnet somewhere.com 8080"
From Synology: How do I know if a TCP port is open or closed?. The article explains, with pictures, how to test ports from Windows, Linux (both with Telnet) and a Mac computer before macOS 11 Big Sur. Typical of Synology, there is no date on the article.
ID Serve: ID Serve is a small, portable, Internet Server Identification Utility for Windows, created by Steve Gibson. It was written in 2003 and has not been updated since. The initial screen explains its purpose, the Server Query tab is where it does its work. You can query a computer by name (www.amazon.com) or by IP address. It defaults to port 80, but you can force a different port by adding a colon and the port number after the computer name or IP address (no spaces). If data comes back from the query, ID Serve displays it all. This data may identify the server software. If data does not come back, the message, in my experience, will either be "The port is closed, so our connection attempt was refused" or "No response was received from the machine and port at that IP. The machine may be offline or the connection port may be stealthed". ID Serve is limited to TCP (no UDP) and does not support HTTPS.
ClientTest: ClientTest is another small, portable Windows program. It is from Joe of joeware.net and was last updated in 2005. You point it at the IP address of your router, specify a port number and try to connect.
BROWSER: You can also test a port with a web browser. For example, http://192.168.1.1:999 would test TCP port 999 (of course, modify the IP address as necessary for your router). I don't think a browser can test a UDP port; it is limited to TCP.
NMAP: This command tests UDP ports 11 through 13 on the device at IP address 1.2.3.4
nmap -sU -p 11-13 1.2.3.4
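The Telnet, browser and Nmap checks above all boil down to the same question: does a TCP port answer, refuse, or stay silent? The added example below (not code from this page) classifies a port the way the firewall testers do, "open", "closed" (connection refused) or "stealth" (no reply before the timeout), and can sweep several ports at once. The router address 192.168.1.1 and the port list are assumptions.

```python
import socket

def tcp_port_status(host, port, timeout=2.0):
    """Return 'open', 'closed', 'stealth' or 'unreachable' for host:port.

    'closed' is what Nmap calls 'refused'; 'stealth' is Nmap's 'filtered'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"           # something completed the TCP handshake
    except ConnectionRefusedError:
        return "closed"             # host sent a RST: reachable, nothing listening
    except socket.timeout:
        return "stealth"            # packets silently dropped, no reply at all
    except OSError:
        return "unreachable"        # e.g. no route to host; not a port verdict

def scan_ports(host, ports, timeout=2.0):
    """Check several ports and return a {port: status} mapping."""
    return {p: tcp_port_status(host, p, timeout) for p in ports}

if __name__ == "__main__":
    # Constructed run: 192.168.1.1 is the LAN address the page uses for a router,
    # and the ports are the ones this page talks about (assumed, adjust for yours).
    for port, status in scan_ports("192.168.1.1", [22, 23, 80, 443, 19541, 32764]).items():
        print(f"tcp/{port}: {status}")
```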
TCP/IP Port Information
- The most Commonly Open Ports for both TCP and UDP from SpeedGuide.net
- List of TCP and UDP port numbers at WikiPedia
- A master file of port assignments from IANA. It's a huge list; use the search function rather than paging through it.
- If you have a Synology NAS, then see What network ports are used by Synology services?
- Windows users: Network Ports Used by Key Microsoft Server Products undated
- Also from Microsoft, Port Assignments for Commonly-Used Services dating back to Windows 2000
- Ports blocked by Comcast: Blocked Internet Ports List. As of Sept. 2017, they block: TCP 0 down, TCP 25 both ways, UDP 67 down, 135-139 in both directions for both TCP and UDP, UDP 161 in both directions, TCP 445 up and down, UDP 520 up and down, UDP 547 down, TCP 1080 down and UDP 1900 in both directions.
HNAP Testing
The Home Network Administration Protocol is a network device management protocol dating back to 2007. There are four problems with HNAP. One is that it has a long history of buggy implementations. It can also tell bad guys technical details of a router, making it easier for them to find an appropriate vulnerability to attack. The fact that a router supports HNAP may not be visible in its administrative interface. Worst of all, HNAP often cannot be disabled. Four strikes, you're out.
You can test if a router supports HNAP by typing
http://1.2.3.4/HNAP1/
where 1.2.3.4 is the IP address of your router. Of course, every router has two IP addresses: one on the public side and one on the private side. I suggest testing for HNAP on each.
You can learn your public IP address at many websites, such as ipchicken.com and checkip.dyndns.com. For the LAN side of a router, see my Sept. 2013 blog Find the IP address of your home router.
If HNAP is enabled, this test displays basic device information about your router in an XML file. See sample output. If it fails, there will be some type of error about the web page not being able to be displayed, perhaps a 404 Not Found error.
If HNAP is enabled, try to turn it off in the router administrative interface and then test again. You may not be able to turn it off. For more, see the HNAP page.
October 26, 2018: Multiple bugs in Linksys E-Series routers were revealed by Talos in October 2018. What was not revealed was a simple way for Linksys owners to check if their routers were vulnerable. According to Jared Rittle, who found the flaws, HNAP can help. Owners can navigate to the official HNAP URL (http://1.2.3.4/HNAP1/) to see the currently installed firmware version (1.2.3.4 is the LAN side IP address of the router). This has the advantage of not needing to know the router password. For the E1200, if the firmware is at or below version 2.0.09, the router is vulnerable. For the E2500, if the firmware is at or below version 3.0.04, it is vulnerable. Owners of other E-Series Linksys routers are on their own.
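Reading the firmware version out of the HNAP1 page by eye works, but comparing versions like "2.0.09" and "2.0.10" as text gives the wrong answer. The added example below (not code from this page or from Linksys) fetches or takes a constructed HNAP1 response, extracts the model and firmware fields, and applies the E1200/E2500 thresholds stated above. The XML element names (ModelName, FirmwareVersion, VendorName) are assumed from typical HNAP device-settings output; check them against what your router actually returns.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

# Firmware thresholds stated on this page: at or below these versions is vulnerable.
LINKSYS_E_SERIES_MAX_VULNERABLE = {"E1200": "2.0.09", "E2500": "3.0.04"}

# Constructed sample of what http://router/HNAP1/ returns; element names such as
# ModelName and FirmwareVersion are assumed from typical HNAP output (verify on yours).
SAMPLE_HNAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
<VendorName>Linksys</VendorName><ModelName>E1200</ModelName>
<FirmwareVersion>2.0.09</FirmwareVersion>
</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"""

def fetch_hnap(router_ip, timeout=5):
    """GET http://<router_ip>/HNAP1/ and return the body. An HTTP or network error
    (raised here) is the 'HNAP not supported' outcome the page describes."""
    with urllib.request.urlopen(f"http://{router_ip}/HNAP1/", timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def parse_hnap(xml_text):
    """Pull the identifying fields out of the HNAP XML, ignoring XML namespaces."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]  # "{http://...}ModelName" -> "ModelName"
        if local in ("VendorName", "ModelName", "FirmwareVersion"):
            fields[local] = (el.text or "").strip()
    return fields

def version_tuple(version):
    """'2.0.09' -> (2, 0, 9) so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def linksys_verdict(fields):
    """'vulnerable', 'patched', or 'unknown' (model not on the page's list)."""
    threshold = LINKSYS_E_SERIES_MAX_VULNERABLE.get(fields.get("ModelName", "").upper())
    firmware = fields.get("FirmwareVersion", "")
    if threshold is None or not firmware:
        return "unknown"
    return "vulnerable" if version_tuple(firmware) <= version_tuple(threshold) else "patched"

if __name__ == "__main__":
    import sys
    # With a router address on the command line, query it; otherwise use the sample.
    xml_text = fetch_hnap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HNAP
    fields = parse_hnap(xml_text)
    print(fields, "->", linksys_verdict(fields))
```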
URLs to try from your LAN
In these examples, 1.2.3.4 represents the LAN side IP address of the router.
In June 2020 we learned that 79 different Netgear devices shared the same flaw. A bad guy can learn the exact model and firmware of a Netgear router using a URL like
http://1.2.3.4/currentsetting.htm
and customize an exploit specifically for that router. If you have a Netgear router, try this URL. If it returns information about your router, look for the most recent firmware. Hopefully, it will have been released after June 2020. At the time when the flaw was made public (June 15, 2020) Netgear had done nothing regarding a fix.
In October 2019 we learned of 10 D-Link routers with critical flaws that will not be fixed. If you have any of these D-Link routers, don't bother testing, just get a new router: DIR-655, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and the DIR-825. For confirmation, CERT has a Proof of Concept web page that will disconnect a vulnerable D-Link router from the Internet for a minute.
In January 2019 we learned of two information disclosure bugs in some Cisco routers. More details are on the Bugs page. If the URL below shows details about your Cisco router, that is bad. A public/WAN side version of this is auto-generated on the Shodan page.
http://1.2.3.4/cgi-bin/config.exp
http://1.2.3.4/cgi-bin/export_debug_msg.exp
As per Scott Helme's 2014 description of his BrightBox router, try the URL below, where 1.2.3.4 is the IP address of your router. A good result returns nothing but an error message. Here is a sample of a bad result.
http://1.2.3.4/cgi/cgi_status.js
In December 2016, Pedro Ribeiro reported on flaws in the Netgear WNR2000 router. If you own a Netgear router, it can't hurt to check for information leakage with the URL below. It may leak the device serial number.
http://1.2.3.4/BRS_netgear_success.html
Many Netgear routers had a security flaw in December 2016 (see here and here for more). The command below tests a Netgear router. If this results in a web page with the word "Vulnerable", then the router is vulnerable. Netgear has issued fixes for all vulnerable routers.
http://www.routerlogin.net/cgi-bin/;echo$IFS'Vulnerable'
This issue with port 32764 is explained above in the TCP Ports to Test section.
http://1.2.3.4:32764
In September 2017, security firm Embedi found port 19541 open on many D-Link routers. It responds to commands such as one to reboot the router. They did not find any way to close the port. The default IP address is 192.168.0.1 but the router may also respond to dlinkrouter.local.
http://1.2.3.4:19541
If there is a video surveillance system on your LAN, then hopefully it was not made by Xiongmai. In October 2018, SEC Consult published a big expose about the many ways these systems are not secure. The number of security flaws is huge. These devices are re-branded by at least 100 other companies, so to detect a Xiongmai system, they suggest viewing this page from the LAN
http://[cameraipaddress]/err.htm
If the page exists and it refers to 'Xiongmai' at all, then read the article by SEC Consult. They also offer other suggestions for identifying Xiongmai hardware. SEC Consult feels that the security is so bad it can not be fixed and that the hardware should be discarded.
Modem Tests
A modem is a computer and it, too, can have bugs. Chances are the modem has an IP address such as 192.168.100.1. If nothing else, you should try to access the modem by its IP address so that technical information about your Internet connection is available to you. Also, you want to see what information is available without a password; some modems expose too much. If there is a password, change it from the default.
As per ARRIS Cable Modem has a Backdoor in the Backdoor, try to view the page below. An error viewing the page is the good result. See a video of this hack.
http://192.168.100.1/cgi-bin/tech_support_cgi
As per ARRIS DG860A NVRAM Backup Password Disclosure you should try to view the URL below. Again, an error is the good result.
http://192.168.0.1/router.data
For better security, a router may be able to block access to the modem by blocking its IP address. I blogged about modem access from the LAN side of a router in February 2015. While it can be helpful to directly access the modem, it can also be dangerous. See Talk to your modem and Using a router to block a modem. Some routers can do this, some can not. Dumbed down routers, such as the consumer mesh systems (eero, Google Wifi, Ubiquiti AmpliFi, etc) can not do this.
A great way to see if a modem is accessible from the LAN side is to ping it using the command below. Hopefully, the command fails.
ping 192.168.100.1
If it is pingable, then test Telnet access to the modem with the command below. Failure is the secure outcome.
telnet 192.168.100.1
Another good test is nmap. The simplest command is
nmap 192.168.100.1
For a much more comprehensive look at the LAN side of the modem use the below:
nmap -v -A -p 1-65535 192.168.100.1
IP Version 6 Testers
I know of no reason for IPv6 to be enabled on a home router. If it is enabled on yours, try to disable it then verify that it's really off. All the sites below are only available via HTTP.
- Test for the existence of IP version 6 at whatismyv6.com. Click on the "IPv6 only Test" or go directly to ipv6.whatismyv6.com. It is a good thing if ipv6.whatismyv6.com fails to load in your browser.
- Another site, ipv6leak.com is from London Trust Media, Inc. I don't know who they are, but the site is linked to by VPN provider PrivateInternetAccess.
- test-ipv6.com is from Jason Fesler. It offers many technical details and is open source (see Github). The point of view there is that IPv6 is good, which I don't agree with.
- Test your IPv6 connectivity from cz.nic is copyrighted by Jason Fesler.
- Check IP from VPN provider Perfect Privacy reports connection details (IP address, DNS server, City and Country) for both IPv4 and IPv6. If it doesn't find any IPv6, the message is: "You do not seem to have IPv6 connectivity."
- From Wireshark.org: IPv4 and IPv6 Connectivity Test
Android Apps
- According to the company, RouterCheck "is the first consumer tool for protecting your home router ... RouterCheck is like an anti-virus system for your router. It protects your router from hackers..." It's an Android app. I have not tried it.
WebRTC
Technically, WebRTC is not a router thing, it is a web browser thing. This section is here just for the heck of it. Anyone using a VPN needs to run these tests. WebRTC can expose your public IP address which is normally hidden by the VPN. If you use more than one browser, you need to run these WebRTC tests on each one.
Some routers have been hacked to generate income from showing ads. This website has no ads. If you see any ads while viewing this web page, then something has been hacked. Perhaps your router, perhaps your computer, perhaps your web browser.
If you are trying to block ads and trackers, then Eduard Ursu has an adblock tester page at d3ward.github.io/toolz/adblock.html.
Honorable mention goes to the Shadowserver Foundation that scans the Internet for all sorts of things that should not be there.
See The scannings will continue until the Internet improves.