Vodafone router port 6699 open

deanfourie · July 11, 2015, 08:26:48 AM

Hey guys,

I have a vodafone router, supplied by vodafone. I have recently done a namp scan on my router and found port 6699 open, then check it externally and 6699 is still open, externally. I have checked my forwards and also checked DMZ, disabled uPnP. I cant understand how this port is open.

The only thing I can think is its been open in the backend, modifying the code. I cant really default the router cause I am flatting but also really want to try see whats going on. Ive also noticed some weird stuff going on ( an example is I had a windows 8 style update box popup on windows 7 asking me to update windows, I clicked yes not thinking and nothing happened. )

I have a server directly attached to the router running wireshark, and tried listening in promiscuous mode on tcp.port==6699 but I get no results. No traffic on that port? Is it possible the port is being changed using NAT or something?

Im quite worried about this, but I want to get under or behind it as a learning process. Ive considered intercepting traffic with the server ( WAN in on one NIC and LAN out on another so no traffic can phisically pass with me seeing it. ) but this would not be right based on my living situation.

Is there a way to see the traffic on that port? Or other captures I can use to see whats going on?

Cheers

wintermute000 · July 12, 2015, 02:39:47 AM

when you say the port is open - whats listening? The router itself or a host behind a static NAT on port 6699?

To wireshark the traffic, put a switch in front of the router. Span the router port to a PC and run wireshark. Then hit port 6699 and capture the replies.

You can do the same on the inside, if there's nothing then its the router itself responding to 6699.

deanfourie · July 12, 2015, 02:48:42 AM

Thanks for the reply.

Theres no forwards in the router. Also nothing in the DMZ. Checked uPnP and disabled it.

Ive nampped most clients on the LAN for 6699 open. Nothing.

So my guess is its the router iteself thats listenning. But ive been through everything settinga wise and cant find anything, which is what make me extremely suspect.

The other night, I had a windows 8 style popup come up saying a windows update is available and im running windows 7, I clicked update and nothing happened.

I will do some more testing, but my guess is someone has opened this port in the backend.

Cheers

wintermute000 · July 12, 2015, 06:32:24 AM

Could just be carrier code or poorly documented feature.
My ISP cable modem/router has a .200 hidden address it uses for DLNA, for example.
Is the WAN via ethernet i.e. is it possible to capture it using an ordinary ethernet switch?

deanfourie · July 12, 2015, 06:39:51 AM

Im not sure. I havnt managed to capture any traffic yet.

I have a server directly connected to the router to the gigabit port, ran a wireshark cap on that

tcp.port==6699 with absolutely no traffic.

Have powered the server down, and re checked the port, still open to I know its not the server.

Cheers

deanwebb · July 12, 2015, 07:16:56 AM

Close it. 6699 is for outdaded peer to peer software and malware. You do not want it, you do not need it.

deanfourie · July 27, 2015, 08:43:57 AM

So, defauled the router tonight.

Help down the reset pin for roughly 20 secs, did its default proceedure and re-configured the WiFi SSID and password so know clients could reconnect.

And, port 6699 is still ipen. This guys good!

So, now I would immagine hes actually edited the firmware, so its when it loads default configuration the port is still open.

Or? Am I overthinking this? But, this port really shouldnt be open.

And I hate to say it, ive been seeing some weird shit hapenning. Like DNS caching and massive lagg, maybe im a botnet haha.

Your thoughts please. Starting to get rather suspect!

deanwebb · July 27, 2015, 10:29:56 AM

I'm reading a series about a guy that used a stub code section on a wireless router to get it to accept a custom firmware image that allowed him to basically own the wireless router from that point forward.

Soooo, maybe you ought to flash the firmware yourself. If it bricks your device, then there is a chance it was set to only accept firmware from the person that took it over, and therefore it was compromised.

Reggle · July 27, 2015, 04:32:29 PM

Quick round of Google learns me that more than one person found that port opened on an ADSL and/or Vodafone router.
You're likely overythinking it and dealing with something in the firmware. That doesn't make it secure because you don't control it of course.

deanfourie · July 27, 2015, 04:36:58 PM

Yea the only thing that worries me.

Port 6699 - Napster (and other p2p programs)

icecream-guy · July 28, 2015, 07:04:03 AM

2 options present themselves if you do not trust the device:

1. replace with known trusted device
2. put a firewall between the device and other trusted devices.