Sunday, October 14, 2012

Cisco IOS TCP Ports 2002, 4002, 6002, and 9002

A Cisco 2900 Series router with the basic configuration shown below answers TCP connection attempts (it replies SYN-ACK to the SYNs) on TCP ports 2002, 4002, 6002, and 9002.

Router#sh ver
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.2(1)T3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 23-Aug-12 23:18 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M13, RELEASE SOFTWARE (fc1)

Router uptime is 2 minutes
System returned to ROM by reload at 08:12:30 UTC Thu Oct 11 2012
System restarted at 08:14:25 UTC Thu Oct 11 2012
System image file is "flash0:c2951-universalk9-mz.SPA.152-1.T3.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2951/K9 (revision 1.1) with 487424K/36864K bytes of memory.
Processor board ID FGL160812PW
3 Gigabit Ethernet interfaces
1 terminal line
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO2951/K9          FGL160812PW



Technology Package License Information for Module:'c2951'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
uc            None          None           None
data          None          None           None

Configuration register is 0x2102

Router#
Router#sh inv
NAME: "CISCO2951/K9 chassis", DESCR: "CISCO2951/K9 chassis"
PID: CISCO2951/K9      , VID: V05 , SN: FGL160812PW

NAME: "C2921/C2951 AC Power Supply", DESCR: "C2921/C2951 AC Power Supply"
PID: PWR-2921-51-AC    , VID: V03 , SN: DCA1552K1QG


Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int gi0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
Oct 11 08:17:14.899: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Oct 11 08:17:19.351: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
Oct 11 08:17:20.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
Router(config-if)#
Router(config-if)#line vty 0 4
Router(config-line)#password cisco123
Router(config-line)#exit
Router(config)#enable secret cisco123
Router(config)#
Router(config)#banner motd ^
Enter TEXT message.  End with the character '^'.
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
* This is a WARNING banner! *
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
^
Router(config)#
Router(config)#end
Router#

The output below shows that the router was listening only on TCP port 23 (Telnet).
However, during an Nmap slow comprehensive port scan it actually established TCP connections on ports 2002, 4002, 6002, and 9002.

Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:23                         *:0                   Telnet   LISTEN

Router#
Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                      *:4002              192.168.1.1:53            TCP Protocols ESTABLIS
 tcp                        *:23                         *:0                   Telnet   LISTEN
 tcp                      *:6002              192.168.1.1:53            TCP Protocols ESTABLIS
 tcp                        *:23              192.168.1.1:53                   Telnet ESTABLIS
 tcp                      *:9002              192.168.1.1:53            TCP Protocols ESTABLIS
 tcp                      *:2002              192.168.1.1:53            TCP Protocols ESTABLIS

Router#
Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:23                         *:0                   Telnet   LISTEN

Router#
After a while, it again shows only TCP port 23 listening.

Shown below are the Nmap / Zenmap slow comprehensive scan results.

Shown below is the Windows Command Prompt screen after telnetting to TCP port 23.

Shown below is the Windows Command Prompt screen after telnetting to TCP ports 2002, 6002, and 9002.

Shown below is the Windows Command Prompt screen after telnetting to TCP port 4002.


The root cause of the problem is the Embedded Service Engine on the Cisco ISR G2 routers.
Router#sh line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
*     0    0 CTY              -    -      -    -    -     0      2    0/0      -
      1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
      2    2 TTY   9600/9600  -    -      -    -    -     4      0    0/0      -
    644  644 VTY              -    -      -    -    -     1      0    0/0      -
    645  645 VTY              -    -      -    -    -     0      0    0/0      -
    646  646 VTY              -    -      -    -    -     0      0    0/0      -
    647  647 VTY              -    -      -    -    -     0      0    0/0      -
    648  648 VTY              -    -      -    -    -     0      0    0/0      -

Line(s) not in async mode -or- with no hardware support:
3-643

Router#
Router#service-module ?
  Embedded-Service-Engine  cisco embedded service engine module

Router#service-module Embedded-Service-Engine 0/0 ?
  heartbeat-reset  Enable/disable Heartbeat failure to reset Service Module
  install          Install an application
  log              history of logs
  password-reset   Password reset of Service Module
  reload           Reload service module
  reset            Hardware reset of Service Module
  session          Service module session
  shutdown         Shutdown service module
  statistics       Service Module Statistics
  status           Service Module Information
  uninstall        Uninstall an application

Router#service-module Embedded-Service-Engine 0/0 session
IP address needs to be configured on interface Embedded-Service-Engine0/0
Router#
Router#sh run | sec Embedded
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int Embedded-Service-Engine0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
% 192.168.1.0 overlaps with GigabitEthernet0/0
% 192.168.1.0 overlaps with GigabitEthernet0/0
Router(config-if)#no shutdown
% 192.168.1.0 overlaps with GigabitEthernet0/0
Embedded-Service-Engine0/0: incorrect IP address assignment
Router(config-if)#end
Router#
Router#service-module Embedded-Service-Engine 0/0 session
Trying 192.168.1.2, 2002 ... Open

*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
* This is a WARNING banner! *
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Router#disco 1
Closing connection to 192.168.1.2 [confirm]
Router#
Router#sh run | sec line 2
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
Router#


Solution #1: Disable line 2 completely. Not recommended, because this also blocks us from accessing the service module for troubleshooting and maintenance.
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line 2
Router(config-line)#transport input none
Router(config-line)#end
Router#
Router#service-module Embedded-Service-Engine 0/0 session
Trying 192.168.1.2, 2002 ...
% Connection refused by remote host

Router#


Solution #2: Define an access list and apply it as an access class on the line, so that only certain hosts or IP subnet ranges can reach the service module.
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 10 permit 192.168.1.2
Router(config)#line 2
Router(config-line)#access-class 10 in
Router(config-line)#end
Router#
Router#service-module Embedded-Service-Engine 0/0 session
Trying 192.168.1.2, 2002 ... Open

*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
* This is a WARNING banner! *
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Router#disco 1
Closing connection to 192.168.1.2 [confirm]
Router#
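As an added check (not part of the original post), the Python script below audits a running-config for numeric TTY lines whose reverse-telnet ports are still reachable: for TTY line n, IOS answers on 2000+n (telnet), 4000+n (raw TCP), 6000+n (binary telnet) and 9000+n (xremote), which is why line 2 showed up as 2002, 4002, 6002 and 9002. It uses the line 2 stanza above as a constructed sample and reports the line as closed once the post's access-class (Solution #2) or transport input none (Solution #1) is applied; the config parsing is a simple assumption about the show run layout, not a Cisco tool.

```python
import re

# IOS reverse-telnet ports for TTY line n: 2000+n, 4000+n, 6000+n, 9000+n.
PORT_BASES = (2000, 4000, 6000, 9000)

def parse_tty_lines(config):
    """Map each numeric TTY line ('line 2', 'line 3 5') to its sub-commands.
    Named lines (con, aux, vty) are skipped: they have no reverse-telnet port."""
    stanzas, current = {}, []
    for raw in config.splitlines():
        m = re.match(r"^line (\d+)(?: (\d+))?\s*$", raw)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = list(range(first, last + 1))
            for n in current:
                stanzas.setdefault(n, [])
        elif raw.startswith(" ") and current:
            for n in current:
                stanzas[n].append(raw.strip())
        elif raw.strip():
            current = []  # any other top-level command ends the stanza
    return stanzas

def exposed_ports(stanzas):
    """{line: [ports]} for lines with 'transport input' other than 'none' and no
    inbound access-class; a line lacking 'transport input' is flagged too."""
    findings = {}
    for n, cmds in sorted(stanzas.items()):
        closed = "transport input none" in cmds
        guarded = any(c.startswith("access-class ") and c.endswith(" in") for c in cmds)
        if not closed and not guarded:
            findings[n] = [base + n for base in PORT_BASES]
    return findings

def audit(config):
    return exposed_ports(parse_tty_lines(config))

# Constructed sample: the post's 'line 2' stanza (abridged) plus a vty block.
SAMPLE_CONFIG = """\
line 2
 no exec
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password cisco123
"""
# Solution #2 from the post: an inbound access-class on line 2.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("line 2\n", "line 2\n access-class 10 in\n")
print(audit(SAMPLE_CONFIG), audit(HARDENED_CONFIG))  # {2: [2002, 4002, 6002, 9002]} {}
```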

7 comments:

  1. Very Helpful , Thanks man
  2. Thank you! Most Helpful!
  3. Still very helpful! A security audit dinged me for answering up on "telnet" on my 2911, even though I am using SSH only. This was the issue. Thanks again, loved your CCNA book as well.
  4. thank you very much for this! helps a lot....