Router Security: Test Your Router
Website by Michael Horowitz
I will be speaking about Router Security at the O'Reilly Security Conference in New York City at the midtown Hilton Hotel (Sixth Ave and 53rd Street). The conference runs from Oct. 30 to Nov. 1, 2017. I am slated for Nov 1st at 3:50pm in the Sutton South room on the second floor.

Table of Contents
DNS Server Tests
Firewall Testers
TCP Ports to Test
UDP Ports to Test
TCP/IP Port Information
LAN side port testing
HNAP Testing
URLs to try from your LAN
UPnP Testers
Modem Tests
IP Version 6 Testers
Android apps
WebRTC
Ads Here

Level setting: While connected to a VPN, these tests test the VPN server, not your router. The same goes for Tor. Also, many ISPs hand out devices that serve as both modems and routers. If you start with such a device and then buy your own router, you should disable the router features in the combination device. This is not life and death; things will work fine, by and large, if you do nothing. But with the combination device fully functional, the firewall tests will report on the firewall in the combination device, not the firewall in the router.

DNS Server Tests

A very common thing that bad guys do when they attack a router is change the DNS servers. There are many reasons for this, one is that almost no one will detect the change. A great defense is knowing what the DNS servers in a router should be. Checking up on your DNS servers is also a great thing to do when using a VPN - check before and after connecting to a VPN service to verify that afterwards you are using DNS servers from the VPN provider.

In May 2017, Trend Micro made a great point, that I had not previously considered. "Unfortunately, website-based tests may not be reliable once a home router has been compromised." With that in mind, it makes sense to check with the router directly, be it with a web interface or an app, to double check the DNS servers.
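As an added example (my code, not from this site) of the "know what the DNS servers should be" advice above: a small script that compares the resolvers a Unix-like system is actually using (read from /etc/resolv.conf) against a list you recorded from the router's own admin page while the router was known good, so you can run it before and after connecting to a VPN. The addresses in EXPECTED_DNS and the sample resolv.conf are constructed placeholders.

```python
import os

# Resolvers you wrote down from the router's admin page while it was known
# good (constructed placeholder values; put your own here).
EXPECTED_DNS = {"192.168.1.1", "9.9.9.9"}

# Constructed sample of /etc/resolv.conf as it might look after a DNS change.
SAMPLE_RESOLV_CONF = """# Generated by DHCP
nameserver 192.168.1.1
nameserver 203.0.113.53   # not one of ours
search lan
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_servers(actual, expected=EXPECTED_DNS):
    """Resolvers in use that are not on your known-good list."""
    return [s for s in actual if s not in expected]


def check_system_resolvers(path="/etc/resolv.conf"):
    """Read the live resolver list and flag strangers (None if no such file).
    Caveat: a local stub such as 127.0.0.53 (systemd-resolved) hides the real
    upstream; `resolvectl status` shows it, and the router's own admin page
    remains the authoritative place to compare against."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return unexpected_servers(parse_resolv_conf(f.read()))
```

A non-empty result from check_system_resolvers() means a resolver you did not put on the list is in use and the router's DNS settings deserve a direct look.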

On a totally different plane is Steve Gibson's Router Crash Test. While working on a DNS spoofability test, Gibson accidentally discovered that he could crash some routers just by sending them legitimate DNS requests. This is a bit dated (Gibson has no creation dates on the pages of his site), but it takes only a few seconds to verify that your router does not fall prey to this attack. At the bottom of the page, look for a gray "Initiate Router Crash Test" button.

Firewall Testers

Port Status: An "open" port responds to unsolicited incoming requests. A "closed" port (a.k.a. "refused" in Nmap lingo) is accessible, but there is no application listening on it. A status of "stealth" (a.k.a. "filtered" to Nmap) means data sent to the port generates no response at all. This is the most secure status.

TCP Ports to Test

Note that while connected to a VPN, these tests test the VPN server, not your router. The same goes for Tor. The port statuses (open, closed, stealth) are explained in the Firewall Testers section above. This list is extremely incomplete.

UDP Ports to Test

Note that while connected to a VPN, these tests test the VPN server, not your router. The same goes for Tor. This list is extremely incomplete.

UDP Port testers

The links above, which test individual UDP ports, look like this:
  http://www.speedguide.net/portscan.php?udp=1&port=999
This example would test port 999. SpeedGuide can also test individual ports at its Security Scan page, where you can enter any port number and choose to test UDP and/or TCP.

Another website offering UDP port tests is the UDP Port Scan with Nmap page at Pentest-Tools.com. It can test a range of UDP ports, a list of UDP ports, or individual ports.

TCP/IP Port Information

LAN side port testing

TELNET: Individual LAN side ports can be tested from a computer on the LAN with Telnet. Windows 7 and 8.1 users will first have to install the Telnet client: Control Panel -> Programs and Features -> click "Turn Windows features on or off" in the left side column -> turn on the checkbox for Telnet Client -> click OK. On OS X ....

To use telnet on Windows, open a Command Prompt window and type "telnet ipaddress portnumber". For example: "telnet 192.168.1.1 80". There needs to be a space on both sides of the IP address. If the port is closed, Windows will complain that it "could not open connection to the host on port 80: connect failed". If the port is open, the responses vary; you may just see a blank screen. You can also telnet to a computer by name, such as "telnet somewhere.com 8080".

ID Serve: ID Serve is a small, portable, Internet Server Identification Utility for Windows, created by Steve Gibson. It was written in 2003 and has not been updated since. The initial screen explains its purpose; the Server Query tab is where it does its work. You can query a computer by name (www.amazon.com) or by IP address. It defaults to port 80, but you can force a different port by adding a colon and the port number after the computer name or IP address (no spaces). If data comes back from the query, ID Serve displays it all. This data may identify the server software. If data does not come back, the message, in my experience, will be either "The port is closed, so our connection attempt was refused" or "No response was received from the machine and port at that IP. The machine may be offline or the connection port may be stealthed". ID Serve is limited to TCP (no UDP) and does not support HTTPS.

BROWSER: You can also test a port with a web browser. For example, http://192.168.1.1:999 would test TCP port 999 (of course, modify the IP address as necessary for your router). I don't think a browser can test a UDP port; it is limited to TCP.

NMAP: Perhaps the best option is nmap...
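As an added example (my code, not from this site) tying the Firewall Testers definitions to the LAN side tests above: the same open/closed/stealth classification done with nothing more than a plain TCP connect from a computer on the LAN, which is exactly what the telnet and browser tests do by hand. The 192.168.1.1 address and the port list in the main block are assumptions taken from this page's examples; self_check() runs the classifier against the local machine so it can be tried without a router.

```python
import socket

OPEN, CLOSED, STEALTH = "open", "closed", "stealth"   # Nmap: open / refused / filtered


def tcp_port_status(host, port, timeout=3.0):
    """Classify one TCP port by what a plain connect() attempt sees.

    open    - the connection was accepted, so something is listening
    closed  - the host answered with a reset ("refused" in Nmap lingo)
    stealth - nothing came back before the timeout ("filtered" in Nmap lingo)
    Any other failure (no route, name lookup failed) is returned as text.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except socket.timeout:
        return STEALTH
    except ConnectionRefusedError:
        return CLOSED
    except OSError as e:
        return "error: %s" % (e.strerror or e)
    finally:
        s.close()


def self_check():
    """Offline demonstration on 127.0.0.1: a port with a listener and a port
    we bound and released, which should come back open and closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens here any more
    try:
        return (tcp_port_status("127.0.0.1", open_port),
                tcp_port_status("127.0.0.1", closed_port))
    finally:
        listener.close()


if __name__ == "__main__":
    # Ports this page talks about, probed on the router's LAN address
    # (192.168.1.1 is the page's example; change it for your router).
    for port in (23, 80, 443, 19541, 32764):
        print(port, tcp_port_status("192.168.1.1", port))
```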

HNAP Testing

The Home Network Administration Protocol (HNAP) is a network device management protocol dating back to 2007. There are four problems with HNAP. One is that it has a long history of buggy implementations. It can also tell bad guys technical details of a router, making it easier for them to find an appropriate vulnerability to attack. The fact that a router supports HNAP may not be visible in its administrative interface. Worst of all, HNAP often cannot be disabled. Four strikes, you're out.

You can test whether a router supports HNAP by typing http://1.2.3.4/HNAP1/ where 1.2.3.4 is the IP address of your router. Of course, every router has two IP addresses: one on the public side and one on the private side. I suggest testing for HNAP on each.

You can learn your public IP address at many websites, such as ipchicken.com and checkip.dyndns.com. For the LAN side of a router, see my Sept. 2013 blog Find the IP address of your home router.

If HNAP is enabled, this test displays basic device information about your router in an XML file. See sample output. If it fails, there will be some type of error about the web page not being able to be displayed, perhaps a 404 Not Found error.

If HNAP is enabled, try to turn it off in the router administrative interface and then test again. You may not be able to turn it off. For more, see the HNAP page.
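An added check for the HNAP test described above (my code, not from this site): it fetches http://<router>/HNAP1/ and classifies the answer the way the text does, XML device information meaning HNAP is enabled and a 404 or other error meaning it is not. SAMPLE_HNAP_REPLY is constructed to mirror a GetDeviceSettings reply with made-up values; the only assumption about real routers is the purenetworks.com/HNAP1 namespace that HNAP responses carry.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# HNAP replies are SOAP envelopes whose HNAP elements use this namespace.
HNAP_NS = "purenetworks.com/HNAP1"

# Constructed sample of what a router with HNAP enabled returns for
# GET /HNAP1/ (shaped like a GetDeviceSettings reply; values are made up).
SAMPLE_HNAP_REPLY = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
<ModelName>EXAMPLE-ROUTER</ModelName><FirmwareVersion>1.0.0</FirmwareVersion>
</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"""


def classify_hnap(status, body):
    """Verdict for one GET /HNAP1/ answer plus the leaf fields it disclosed.
    "enabled": HNAP answered.  "not found": 404, the good result.
    "unexpected": 200 but not HNAP XML.  Otherwise "http <code>"."""
    if status == 404:
        return "not found", {}
    if status != 200:
        return "http %d" % status, {}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unexpected", {}
    if not any(HNAP_NS in el.tag for el in root.iter()):
        return "unexpected", {}
    fields = {}
    for el in root.iter():
        if len(el) == 0 and el.text and el.text.strip():
            fields[el.tag.split("}")[-1]] = el.text.strip()   # strip namespace
    return "enabled", fields


def check_hnap(router_ip, timeout=5):
    """Fetch http://<router_ip>/HNAP1/ and classify the answer."""
    url = "http://%s/HNAP1/" % router_ip
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return classify_hnap(r.status, r.read())
    except urllib.error.HTTPError as e:          # 404, 401, 500 ... land here
        return classify_hnap(e.code, e.read())
    except (urllib.error.URLError, OSError) as e:
        return "no answer: %s" % e, {}
```

Run check_hnap() once with the LAN address and once with the public address, as the text suggests; the disclosed fields show what anyone on that side of the router can learn.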

URLs to try from your LAN

In these examples, 1.2.3.4 represents the LAN side IP address of the router.

As per Scott Helme's 2014 description of his BrightBox router, try the URL below, where 1.2.3.4 is the IP address of your router. A good result returns nothing but an error message. Here is a sample of a bad result.
   http://1.2.3.4/cgi/cgi_status.js

In December 2016, Pedro Ribeiro reported on flaws in the Netgear WNR2000 router. If you own a Netgear router, it can't hurt to check for information leakage with the URL below. It may leak the device serial number.
   http://1.2.3.4/BRS_netgear_success.html

Many Netgear routers had a security flaw in December 2016 (see here and here for more). The command below tests a Netgear router. If this results in a web page with the word "Vulnerable", then the router is vulnerable. Netgear has issued fixes for all vulnerable routers.
  http://www.routerlogin.net/cgi-bin/;echo$IFS'Vulnerable'

This issue with port 32764 is explained above in the TCP Ports to Test section.
   http://1.2.3.4:32764

In September 2017, security firm Embedi found port 19541 open on many D-Link routers. It responds to commands such as one to reboot the router. They did not find any way to close the port. The default IP address is 192.168.0.1 but the router may also respond to dlinkrouter.local.
   http://1.2.3.4:19541

UPnP Testers

UPnP is dangerous because it lets computing devices (typically IoT devices) punch a hole in the router's firewall. This exposes them to the Internet, where their poor security, such as default passwords, can be abused. This danger involves UPnP being enabled on the LAN side of the router. I am still looking for a LAN side tester.

UPnP on the WAN/Internet side of a router is a totally different problem. UPnP was never meant to be exposed on the Internet. The online tester below ensures that your router does not respond to UPnP requests sent to it over the Internet. For more on why UPnP from the Internet side of a router is an issue at all, see my Jan. 2013 blog Check your router now, before Lex Luthor does.

UPnP is relatively hard to test for as there are two components to the protocol. Discovering UPnP enabled devices is done with the Simple Service Discovery Protocol (SSDP) which listens on UDP port 1900. The actual communication between devices is done via HTTP on varying ports. SSDP tells clients which port to use for HTTP communication. According to Rapid7, the TCP port number varies by vendor and is often chosen at random. Ugh. Their report notes that some Broadcom, D-Link and TP-Link routers use TCP port 5431, some devices use port 80 and still others use 2869.
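Since the text above says a LAN side tester is still wanted, here is an added example (my code, not the site's) of the SSDP half it describes: it multicasts a standard M-SEARCH to 239.255.255.250 on UDP 1900 and reads the LOCATION header of each reply, which is how SSDP tells clients the HTTP port to use. SAMPLE_REPLY is constructed; the uuid, server string and the 5431 port in it are placeholders chosen to match the page's discussion.

```python
import socket
from urllib.parse import urlsplit

SSDP_GROUP = ("239.255.255.250", 1900)
# A standard SSDP search for every UPnP device and service on the LAN.
MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n').encode()
# Constructed sample reply, shaped like a router that serves UPnP on TCP 5431
# (one of the ports the page says some Broadcom/D-Link/TP-Link units use).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:5431/dyndev/uuid:0000-example\r\n"
                b"SERVER: Linux/2.6 UPnP/1.0 example-router/1.0\r\n"
                b"ST: upnp:rootdevice\r\nUSN: uuid:0000-example::upnp:rootdevice\r\n\r\n")


def parse_ssdp_reply(data):
    """Headers of one SSDP response, lower-cased; None unless it is a 200."""
    lines = data.decode("latin-1").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def control_port(headers):
    """The TCP port SSDP tells clients to use for HTTP, taken from LOCATION."""
    loc = headers.get("location")
    if not loc:
        return None
    parts = urlsplit(loc)
    return parts.port or (443 if parts.scheme == "https" else 80)


def discover_upnp(wait=3.0):
    """Multicast one M-SEARCH; map each answering LAN address to what it said."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(wait)
        s.sendto(MSEARCH, SSDP_GROUP)
        try:
            while True:                          # collect until the LAN goes quiet
                data, (addr, _) = s.recvfrom(65535)
                h = parse_ssdp_reply(data)
                if h is not None:
                    found.setdefault(addr, set()).add((h.get("location"), h.get("server")))
        except socket.timeout:
            pass
    return found
```

If the router's LAN address shows up in discover_upnp(), UPnP is answering on the LAN side; control_port() on any reply gives the HTTP port SSDP handed out, which is the vendor-specific port the text refers to.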

Modem Tests

A modem is a computer and it, too, can have bugs. Chances are the modem has an IP address such as 192.168.100.1. If nothing else, you should try to access the modem by its IP address so that technical information about your Internet connection is available to you. Also, you want to see what information is available without a password; some modems expose too much. If there is a password, then change it from the default.

As per "ARRIS Cable Modem has a Backdoor in the Backdoor", try to view the page below. An error viewing the page is the good result. See a video of this hack.
http://192.168.100.1/cgi-bin/tech_support_cgi

As per "ARRIS DG860A NVRAM Backup Password Disclosure", you should try to view the URL below. Again, an error is the good result.
http://192.168.0.1/router.data

For better security, a router may be able to block access to the modem by blocking its IP address. I blogged about modem access from the LAN side of a router in February 2015. While it can be helpful to directly access the modem, it can also be dangerous. See Talk to your modem and Using a router to block a modem. Some routers can do this, some can not. Dumbed down routers, such as the consumer mesh systems (eero, Google Wifi, Ubiquiti AmpliFi, etc) can not do this.

A great way to see if a modem is accessible from the LAN side is to ping it using the command below. Hopefully, the command fails.
ping 192.168.100.1
If it is pingable, then test Telnet access to the modem with the command below. Failure is the secure outcome.
telnet 192.168.100.1
Another good test is nmap. The simplest command is
nmap 192.168.100.1
For a much more comprehensive look at the LAN side of the modem, use the command below:
nmap -v -A -p 1-65535 192.168.100.1

IP Version 6 Testers

I know of no reason for IPv6 to be enabled on a home router. If it is enabled on yours, try to disable it then verify that it's really off. All the sites below are only available via HTTP.

Android Apps

WebRTC

Note: Blocking WebRTC is a web browser thing. If you use more than one browser, you should run a WebRTC test in each one.

Ads Here

Some routers are hacked to generate income from showing ads. This website has no ads. If you see any ads while viewing this web page, then either the router you are connected to has been hacked or your computer has.

Honorable mention goes to the Shadowserver Foundation, which scans the Internet for all sorts of things that should not be there. See "The scannings will continue until the Internet improves".

This page was last updated: October 21, 2017 8PM CT
Created: December 5, 2015
Viewed 401,072 times since December 5, 2015
(583/day over 688 days)
Website by Michael Horowitz
Feedback: routers __at__ michaelhorowitz dot com
Changelog
Copyright 2015 - 2017