Network Scan on ISP with all 65k Ports

Today a friend of mine decided to scan the entire network of a ISP that is hosting private customers , some small companys and a few bigger corporates. The scan was done with masscan (https://github.com/robertdavidgraham/masscan).

Target of this action?
- Find most common Ports used on a ISP that distributes Internet to private customers
- Most provisioned services
- Other informations that could be useful


Many of you would say the same as i did before the scan startet. Place 1 goes to Port 80 and place 2 to Port 443 …. But, ehm, how to say it its wrong.

Statistics: scanned IP addresses 17400 Port 0-65k , that makes about 1,2 billion requests. 21 GB sent data, 1,3GB received data. Scantime 1:30h with 100k/pps , TCP


RankPortCount
14433571
28181459
3443292
480181
52169
6808061
75360
8190056
9506040
104915338
114915236
1244533
132232
14818331
15172330
16338930
17500030
1813928
193334427
204915425
212000524
22808922
2364620
24812319
2555416
26808115
2754814
28800914
29605013
304915513
3126412
32500112
33500612
341024312
3546511
3658711
37555511
3813510
3917910
40590010
41688110
42844310
434798910
441439
4550059
46479849
47238
48491568
499957
5044437
5150537
5280827
53100007
545416
558736
569936
5750096
5853576
5966906
6090036
61175006
62885
631105
644445
656315
6611115
6770015
68182315
69514135
7044444
7163524
7270004

As you can see many many of the private users have Port 4433 open. So i was wondering why?

Conclusion of this scan:
- Sonicwall, Dlink, VPN GW….. and many many other have the 4433 Port open to the public to configure there System.
- Port 8181 is most of the time from tomcat or other Webservers where the caching server sits on 80443
- In private customer sector from providers like swisscom, sunrise, orange, upc, about 5 % is running a Webserver (no more geeks out there, or are they already in the cloud)
- 1537 Devices / Banners where vulnerable with todays exploits. Which is about 10% of all internet connections on this provider.
- Some firmware devices like dlink disclosure the FW version and patch state.






comments powered by Disqus