
HackDig : Dig high-quality web security articles for hacker

Port 37777 "MapTable" Requests, (Tue, Jan 10th)

2017-01-10 20:40

Thanks to Bj

c1 00 00 00 00 14 00 00 63 6f 6e 66 69 67 00 00
                        c  o  n  f  i  g
31 00 00 00 00 00 00 00

{ Enable : 1, MapTable : [
{ Enable : 1, InnerPort : 85, OuterPort : 85, Protocol : TCP, ServiceName : HTTP },
{ Enable : 1, InnerPort : 37777, OuterPort : 37777, Protocol : TCP, ServiceName : TCP },
{ Enable : 1, InnerPort : 37778, OuterPort : 37778, Protocol : UDP, ServiceName : UDP },
{ Enable : 1, InnerPort : 554, OuterPort : 554, Protocol : TCP, ServiceName : RTSP },
{ Enable : 1, InnerPort : 23, OuterPort : 23231, Protocol : TCP, ServiceName : TELNET },
{ Enable : 1, InnerPort : 23, OuterPort : 23123, Protocol : TCP, ServiceName : NEW } ] }

The payload appears to attempt to configure port forwarding rules, which is typically done via UPNP (and UPNP has been heavily abused, but is typically not reachable from the outside). But the requests are different from UPNP in some ways:

  • UPNP usually uses HTTP-like headers. These requests do not use any readable headers, just a brief binary preamble.
  • UPNP typically uses UDP. These requests arrive over TCP.
  • UPNP uses XML/SOAP for its payload. These requests use what looks like JSON.

Some newer versions of UPNP allow for REST/JSON instead of the older SOAP/XML format, but this still doesn't explain the missing headers. Port 37777 is typically used to stream video from CCTV DVRs, not for configuration. Then again, it is possible that some DVRs do accept configuration commands like the one shown above. But a request like this should probably be directed at the gateway/router, not the DVR.
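As an added example (not code from the diary or from ISC), the Python helper below recognizes this probe shape in a captured TCP payload and lists the port mappings it requests. The sample bytes are rebuilt from the dump above; the names parse_maptable and remapped, and the idea of flagging rows whose inner and outer ports differ, are assumptions made for illustration.

```python
import re

# Constructed sample: preamble bytes and body as printed in the diary. Keys and
# values are unquoted there, so the parser accepts quoted and unquoted forms.
SAMPLE = bytes.fromhex(
    "c1 00 00 00 00 14 00 00 63 6f 6e 66 69 67 00 00 31 00 00 00 00 00 00 00"
) + (
    b"{ Enable : 1, MapTable : [ "
    b"{ Enable : 1, InnerPort : 85, OuterPort : 85, Protocol : TCP, ServiceName : HTTP }, "
    b"{ Enable : 1, InnerPort : 37777, OuterPort : 37777, Protocol : TCP, ServiceName : TCP }, "
    b"{ Enable : 1, InnerPort : 37778, OuterPort : 37778, Protocol : UDP, ServiceName : UDP }, "
    b"{ Enable : 1, InnerPort : 554, OuterPort : 554, Protocol : TCP, ServiceName : RTSP }, "
    b"{ Enable : 1, InnerPort : 23, OuterPort : 23231, Protocol : TCP, ServiceName : TELNET }, "
    b"{ Enable : 1, InnerPort : 23, OuterPort : 23123, Protocol : TCP, ServiceName : NEW } ] }"
)

ROW = re.compile(rb"\{([^{}]*)\}")                      # innermost objects only
FIELD = re.compile(rb'"?(\w+)"?\s*:\s*"?(\w+)"?')       # key : value pairs


def parse_maptable(payload: bytes):
    """Return the MapTable rows if payload has the probe's shape, else None."""
    start = payload.find(b"{")
    if start < 0:
        return None
    head, body = payload[:start], payload[start:]
    # Shape from the diary: short binary preamble carrying "config", no
    # HTTP-like headers, and a JSON-looking body with a MapTable array.
    if b"HTTP/" in head or b"config" not in head or b"MapTable" not in body:
        return None
    rows = []
    for match in ROW.finditer(body):
        row = {k.decode(): v.decode() for k, v in FIELD.findall(match.group(1))}
        if {"InnerPort", "OuterPort"} <= row.keys():
            rows.append(row)
    return rows


def remapped(rows):
    """Rows asking to expose an inner port on a different outer port."""
    return [(int(r["InnerPort"]), int(r["OuterPort"]), r.get("ServiceName", ""))
            for r in rows if r["InnerPort"] != r["OuterPort"]]


if __name__ == "__main__":
    for inner, outer, name in remapped(parse_maptable(SAMPLE)):
        print(f"outer {outer} -> inner {inner} ({name})")
```

On the sample, the only remapped rows are the two that expose inner port 23 on outer ports 23231 and 23123.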

[1] https://blgg.no/2017/01/probes-towards-tcp37777/

---
Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Source: isc.sans.edu/diary.html?storyid=21913&rss
