How to See What Your Router is Exposing to the Internet

Posted on Aug 25, 2018 by James Gallagher
routers

Is your home router a sitting duck with ports open to the world just waiting to be hacked? Let’s go over how you can check.

First, it’s important to start with implementing basic defenses to secure your router. Keeping the firmware up to date on your router, changing the default password and turning off remote management of your router are very important first steps. You can read more detail about these steps and others here. Also important, is to make sure you haven’t configured any custom firewall settings that unnecessarily place your network at risk. If you’ve configured port forwarding for gaming on a laptop for instance, be sure this was done as securely as possible. If you configured your router to place the laptop on a DMZ with all ports accessible, that’s generally bad. Using firewall rules that allow only the minimum communication needed is key. Sometimes in the moment, when trying to troubleshoot an issue, it can be tempting to just configure an allow-all rule. Going back and looking through your firewall rules can sometimes reveal a mistake you hadn’t noticed earlier.

But what if you want to check open ports from the outside, to be double sure? This is an important methodology, because it’s easy to miss something when navigating the router configuration web pages. You need an outside audit to make sure there are no unexpected ports open. There are three main methods of accomplishing this:

  • Shodan
  • Online port scanners
  • Nmap

Let’s start with Shodan. This is a great tool. Basically, these people constantly scan the entire Internet – including your router. They’ve put the results of this into a search engine that allows anyone to search for details on devices, ports and server software that is running out there. Anyone can see these results, though paid accounts get more features. And yes, this means threat actors can see this information, too. Before you ask why they have thrown information about you out there to everyone, consider that Shodan isn’t the only entity doing this kind of scanning. Real threat actors have their own scanners, too. In fact, this actually makes you more secure, because now you can see what is exposed on your router, without having to run your own scanner. As a side benefit, you’ll probably become addicted to scrolling through thousands of unsecured webcams which are inadvertently configured to allow you to view the video feed. Browsing Shodan can be mesmerizing, because it is dumbfounding how many insecure devices are out there and publicly accessible to the Internet.

To search for your home router on Shodan, the first thing you will need is your router’s external facing IP address. There are many websites that can provide this to you. Some search engines, like Google and Bing will actually show you this information by simply searching for “what is my ip address”. Now that you have the IP address, navigate to Shodan and simply paste the IP address into the search box. If you don’t get any results, your router likely didn’t show any ports to be open during their most recent scan. If you do get results, pay attention to the “Last Update” field. Your home router IP address can change periodically, which is a downside of using Shodan for a home network. If the scan shows a recent time stamp, the results are more likely to be legitimate.

But what if the most recent Shodan scan was a while ago and you made a router configuration today that you want audited? If you don’t have a paid Shodan account that allows on-demand scanning, there are still other ways to do this. One of them, is to use an online port scanner. If you use a search engine to search for “online port scanner”, there are some very nice free ones out there that will let you scan your router for open ports. Some of these tools have limited features, and others have many different options to choose from.

However, if you want complete control of your router scan, you are going to have to do it yourself. The good news is, it’s not that hard. A powerful free tool called nmap can be used for this, and is quite famous for its use in many movies, including Matrix Reloaded. Nmap runs on Windows, *nix and Mac. After downloading nmap, it is recommended that you find some online tutorials to familiarize yourself with the tool a bit. You can also run “nmap –help” from a command prompt to get a quick help page. Options to note which you might find useful for scanning your home router, include “-p-” (without quotes), which scans all ports, and “-Pn” which allows nmap to discover the target even if ping is being blocked. As with any network tool, make sure you fully understand exactly what a command line option does before you use it, and only scan your own infrastructure.

Using nmap against your home router in this way is going to require that you have a way to scan it from the outside. There are a few ways to do this. One, would be to go to friend’s house to scan your home IP address. Keep in mind, in some rare cases, an ISP (Internet service provider) might inadvertently flag a scan like this as being from a threat actor and shut down the source of the traffic. That wouldn’t be a nice thing to do to your friend. Another way to do this, is to simply scan from your home from a computer which is connected to a VPN service. The outbound traffic will be tunneled through the VPN, so the ISP can’t see it’s coming from you and inadvertently mistake it for malicious traffic. Since you are connected to the VPN, you will be able to scan the router as though you are located outside the network.

If you do discover ports open on your router, it can sometimes be tricky to identify which present a risk and which do not. An example of a risky configuration, would be if you accidentally left the remote management feature turned on, causing port 80, 8080 or 443 to be open. This would be good information to know. You can find many lists of common port numbers’ uses online and such lists can definitely help streamline the process of figuring out why a particular port is open. In other cases, it’s more difficult. You may even find that the ISP has an undocumented port open that allows them to communicate with the device. You’ll just need to do your research in these cases. Check through your router’s firewall configuration to see if the open port you are seeing matches a rule you perhaps forgot about.

Many tools like nmap or Shodan which are often referred to as hacker tools, were actually developed by security researchers to audit and evaluate security for legitimate purposes. By learning to use these tools thoughtfully, you can identify misconfigurations on your own infrastructure and harden your network against attack.