4. Networking

4.1 Automatic IP lease (DHCP)

An ethernet cable will be used to connect the "Ethernet" port of the router and a test machine (running Ubuntu OS). We will be using Wireshark to view the live network traffic flowing between the router and test machine.

Right after the ethernet cable is plugged in, a bunch of network traffic starts flowing on the Wireshark screen. The particular type of traffic of interest would be DHCP:

From the image, we can see the DHCP DORA process: Discover, Offer, Request, ACK.

4.2 Network services scan (Nmap)

• <host> will be the IP address of the local gateway (eg. 192.168.1.1)

• The following scan types outlined below will be performed on both the LAN ("Ethernet") and WAN ("Internet") interfaces of the router

4.2.1 TCP scan

$ sudo nmap -sS -p- -T4 -n -Pn  <host>

4.2.2 UDP scan

$ sudo nmap -sU -F -T4 -n -Pn --max-retries 1 <host>

Note: UDP scans are much slower than TCP because they often don't receive a response, forcing Nmap to wait for a timeout

Hence, the following flags can be used to make the UDP scan more efficient::

1. --max-retries is important to cap the max retransmission for UDP scans

2. -F scans fewer ports

Limitations of the UDP scan

Notice that this particular UDP scan did not return port 67, even though it is open and used in the DHCP process discussed earlier. We can use netcat to confirm this:

Note: the -v flags needs to be specified to Netcat for the connection success message to be shown

$ nc -u -v <host> 67
Connection to 192.168.1.1 67 port [udp/bootps] succeeded!

$ nc -u -v <host> 70 # test with other port that is not open
$ # returns without any output 

4.2.3 Targeted TCP+UDP scan

Now that we have discovered the open TCP and UDP ports, we can perform a targeted scan on the found ports. This will involve the following additional scan types:

1. -sV: version detection

$ sudo nmap -sV -p T:<found_TCP_ports>,U:<found_UDP_ports> -n -Pn --max-retries 1 <host>

# eg.
$ sudo nmap -sV -sS -sU -p T:80,U:53,1900 -n -Pn --max-retries 1 192.168.1.1

4.2.4 LAN interface scan results

TCP scan

UDP scan

Targeted TCP+UDP scan

$ sudo nmap -sV -sS -sU -p T:80,1780,1990,51000,U:53,1900,32768,1900 -n -Pn --max-retries 1 192.168.1.1

4.2.5 WAN interface scan results

The WAN interface appears to communicate over IPv6 instead of the familiar IPv4. We can identify this from the DHCPv6 request:

[...pending update on WAN side, focus on LAN side for now]

Refer to the following links for more information on the Nmap options:

nmap | Penetration testing & ethical hacking conceptsjarrettgxz-sec.gitbook.io

nmap (general overview) | Penetration testing & ethical hacking conceptsjarrettgxz-sec.gitbook.io

4.3 Basic network services testing

# TCP/80
$ curl http://<deivce_ip>:80
$ nc -v <device_ip> 80

# UDP/53
$ nc -u -v <device_ip> 53 

• This will aid us in identifying if the router is functioning properly, which will be useful when we are experimenting with the proof-of-concept (PoC) later on