Click here to see if your router is listening on port 32764

[The_Decryptor Veteran]

Ahh right. Networking isn't my forte so I was confused for a moment. Cheers guys. (Y)

Ehh, Stealth isn't any more secure than Closed, it just gives the idea what the system is powered off (Because at this point it's not like you'll find an unused IPv4 address). I setup my firewall to close connections (So it reports as closed, funnily enough) because it's faster than dropping them (The other system will retry) and it's easier to deal with debugging in that case.

Responding to pings would give an attacker more information (Yet, is still just as harmless)

[TPreston]

32764

Closed Unknown Protocol for this port

Unknown Application for this port

877w

[ReimondX]

Netgear RP614v4

 

Port     Status Protocol and Application
32764  Stealth Unknown Protocol for this port
Unknown Application for this port

 

I would have to manually set this port open from the router's firewall settings by Port Forwarding and Adding a Custom Service.

[+theblazingangel MVC]

I am concerned here that people may be misunderstanding what the result given by the grc link actually means. I think some clarification is needed...

 

Everyone, the result you are getting does not necessarily mean what you think it does! Please understand the following:

 

The scan provided by grc only performs a REMOTE scan against the EXTERNAL/internet-facing port on your router. Very few of the routers with this vulnerability/backdoor (those by far the most at risk) actually expose this backdoor externally (see the list on the github page). While a stealth/closed result on the external side is good, your router may still be exposing the port on the local side, to all hosts within your LAN. This is less critical than external exposure, but never the less may still be something you should be concerned about.

 

Why? Well, any malware, on any machine on your LAN (or VM with an active NAT/bridged network adapter), has the opportunity to connect to and compromise your router. Similarly an attacker who has compromised a machine/VM could do so.

 

So? So, a compromised router can, for example, open up additional external ports, allowing attackers through your router's NAT and firewall to hosts on your LAN, potentially leading to compromise via exposed vulnerable services. Another possibility is that a compromised router could provide a platform for man-in-the-middle attacks against all hosts on your LAN (when connecting externally to something).

 

edit: To know whether your router has this backdoor on the LAN side, check the list of routers provided in the github link. If your router isn't listed, or you want to check for yourself anyway, visit some of the other links provided in the first post to find some methods to do so.

[snaphat (Myles Landwehr) Member]

I am concerned here that people may be misunderstanding what the result given by the grc link actually means. I think some clarification is needed...

 

Everyone, the result you are getting does not necessarily mean what you think it does! Please understand the following:

 

The scan provided by grc only performs a REMOTE scan against the EXTERNAL/internet-facing port on your router. Very few of the routers with this vulnerability/backdoor (those by far the most at risk) actually expose this backdoor externally (see the list on the github page). While a stealth/closed result on the external side is good, your router may still be exposing the port on the local side, to all hosts within your LAN. This is less critical than external exposure, but never the less may still be something you should be concerned about.

 

Why? Well, any malware, on any machine on your LAN (or VM with an active NAT/bridged network adapter), has the opportunity to connect to and compromise your router. Similarly an attacker who has compromised a machine/VM could do so.

 

So? So, a compromised router can, for example, open up additional external ports, allowing attackers through your router's NAT and firewall to hosts on your LAN, potentially leading to compromise via exposed vulnerable services. Another possibility is that a compromised router could provide a platform for man-in-the-middle attacks against all hosts on your LAN (when connecting externally to something).

^awesome point

[The_Decryptor Veteran]

To be fair, a perfectly working router with UPnP/NAT-PMP/PCP can be told to open ports in the firewall without needing a backdoor.

[WAQT]

Stealth for me :)

[+theblazingangel MVC]

To be fair, a perfectly working router with UPnP/NAT-PMP/PCP can be told to open ports in the firewall without needing a backdoor.

 

Open ports, yes fair point, but while opening ports via UPNP/etc may lead to some level of compromise of hosts via temporary hole punching, this backdoor, depending on precisely what is possible (which seems to be lots from a cursory read), provides much more potential power to an attacker. This includes persistent access into a network; a man-in-the-middle platform as already mentioned; and potentially the ability to sniff LAN-host to LAN-host traffic. It could also potentially allow an attacker to use the router as an anonymous proxy and thus could even result in a visit from law enforcement mistakenly arresting you for illegal activity of the attacker. Furthermore, exposure via UPNP can be fixed simply with a configuration change, while a properly compromised router could present much more of a challenge.

[+devHead Subscriber²]

Yep then there is that bug where the text gets cut off.

yeah, what's up with that?

[Raa]

Stealth, as expected.

[primexx]

isn't the 32764 exploit listening in on your LAN? You should be trying to go to routerip:32764 from inside your network to see if it returns anything no?

[The Evil Overlord]

Cisco or Linksys, (take your pick) Stock firmware E4200 status Stealth

 

My thanks to Warwagon for the link I was curious about my settings as I haven't installed ddwrt

[hyde+]

Can we just use this website to probe all ports and have it report back if it finds any vulnerable ports open / apps running? For example, at our office, we use SQL and we forward a random port from external to a different random port internally that corresponds to our SQL database so our remote users can access it.

We get tons of probes from random hackers, of course we have several security measures, simplest being allowed IP blocks, Mac addresses, etc.. So when someone outside these IP ranges or mac addresses probe that port, they immediately get blocked, and blocked forever.

 

At home, we don't have such setup, so I would love to have something proble all 65535  and report back, is this possible?

I used ShieldsUP! and got

 

 

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

 

But I don't think this scans all open ports/etc..

 

PS:

Result of my budget TP LINK WDR3600, Stealth.

[riahc3]

Hello,

I'm not sure you what you are talking about. Was it discovered that there is legitimate reason for that particular port to be open? I was under the impression that there was a specific exploitable vulnerability.

If YOU (not 1000s of documents/videos/articles/pictures/etc "leaked" on the internet) can prove that this mysterious port is a backdoor, then I will first apologize then I will fully believe you.

Till then, there is no backdoor.

[primexx]

Hello,

If YOU (not 1000s of documents/videos/articles/pictures/etc "leaked" on the internet) can prove that this mysterious port is a backdoor, then I will first apologize then I will fully believe you.

Till then, there is no backdoor.

 

 

the whole point of a backdoor is to not be obviously identifiable as one. granted, they usually suck at actually achieving this, but then again we only ever notice the bad ones because the good ones never get detected.

 

in any case, whether it's an intentional backdoor or not, it's certainly been well established that there's an exploitable security vulnerability. do you think someone who got hit via it will care whether someone put it there on purpose or was just bad at their job?

[riahc3]

Hello,

the whole point of a backdoor is to not be obviously identifiable as one. granted, they usually suck at actually achieving this, but then again we only ever notice the bad ones because the good ones never get detected.

 

in any case, whether it's an intentional backdoor or not, it's certainly been well established that there's an exploitable security vulnerability. do you think someone who got hit via it will care whether someone put it there on purpose or was just bad at their job?

the whole point of a alien sighting is to not be obviously identifiable as one. granted, they usually suck at actually achieving this, but then again we only ever notice the bad ones because the good ones never get detected.

 

in any case, whether it's an intentional alien sighting or not, it's certainly been well established that there are alien sightings. do you think someone who saw them will care whether someone let themselves be seen on purpose or was just bad at their job?

See what I did there? ;) (Wording is a bit off but...)

[The_Decryptor Veteran]

Hello,

If YOU (not 1000s of documents/videos/articles/pictures/etc "leaked" on the internet) can prove that this mysterious port is a backdoor, then I will first apologize then I will fully believe you.

Till then, there is no backdoor.

It's either a backdoor or a developer tool they somehow left in.

One of the things is does is give the connected user a dump of all the operating variables, including the access passwords and the wifi passwords.

[riahc3]

Hello,

It's either a backdoor or a developer tool they somehow left in.

One of the things is does is give the connected user a dump of all the operating variables, including the access passwords and the wifi passwords.

So now it is a developer tool they somehow left in....

OK; Can you do this? Generate a dump of all the operating variables of a remote router?

[The Dark Knight]

Stealth over here. ASUS RT-N56U running custom firmware. :)

[snaphat (Myles Landwehr) Member]

Hello,

So now it is a developer tool they somehow left in....

OK; Can you do this? Generate a dump of all the operating variables of a remote router?

 

It literally gives you shell access, allows you dump ram contents, get configuration variables, restore default settings, allows you to switch to bridge mode, gives you the ability to perform buffer overflows, etc. This is pretty much the definition of a backdoor from a security standpoint. ANY unauthorized and undocumented access ability is a backdoor regardless of whether it is a developer tool or not.

 

And, no I'm not testing this out (especially considering I don't actually own any susceptible hardware). You'll have to take the word of the Internet for it. No reason to doubt it is true though.

[primexx]

Hello,

the whole point of a alien sighting is to not be obviously identifiable as one. granted, they usually suck at actually achieving this, but then again we only ever notice the bad ones because the good ones never get detected.

 

in any case, whether it's an intentional alien sighting or not, it's certainly been well established that there are alien sightings. do you think someone who saw them will care whether someone let themselves be seen on purpose or was just bad at their job?

See what I did there? (Wording is a bit off but...)

 

hahaha yes, you tried to discredit something you disagree with by drawing a ridiculous analogy instead of addressing the point.

 

what, exactly, are you trying to establish? whether you call it a backdoor or not, the evidence on what the thing actually is and what it does is pretty clear. are you suggesting that it's a bad name for it or are you rejecting that it exists at all?

[riahc3]

Hello,

You'll have to take the word of the Internet for it. No reason to doubt it is true though.

Im speechless.

 

 

are you suggesting that it's a bad name for it or are you rejecting that it exists at all?

I am rejecting it exists at all. I apoligize if I wasnt clear on my intentions :)

[snaphat (Myles Landwehr) Member]

Hello,

Im speechless.

 

 

I am rejecting it exists at all. I apoligize if I wasnt clear on my intentions :)

 

Why? It's not exactly the first time there is a reported backdoor method to access networking devices. If it were a hoax then it would be found out given that people testing the platforms would not find it. Or are suggesting that all of the various sources are a collective and elaborate orchestrated hoax? Going down the road of having to independently verify everything you read is absurd and impossible.

[PGHammer]

^awesome point

It's also why I use whitelisting (any unknown MAC ID gets voted off the network).

[The_Decryptor Veteran]

^ MAC filtering doesn't work at all, no idea why routers even show that information these days.

...

I am rejecting it exists at all. I apoligize if I wasnt clear on my intentions :)

Huh? It's been proven multiple times over by different people and there's exploit code floating around, it's been definitively proven.