au Qua Station - Part 2 - Doing the Samba and Mapping the N

Hacking the built in software

In part 1, we discussed why the au Qua Station failed as a product, and noted that the built in software is lacking in many areas.  One of those was that it uses the outdated SMB 1.0.  Is SMB 1.0 that bad, though?

To be sure, it has security vulnerabilities - but then again, it isn't recommended to run *any* version of SMB over the internet.  If you are only running it on your local network, then hacking should not be a major concern.  

Although ultimately I will install a new Linux distribution, before attempting to reinstall the OS, I first want to find out what I can about the built-in OS out of curiosity.  

Connecting to WiFi

The first thing you need to do is connect to the device via WiFi.  When you power the device up, it will create a WiFi access point, with a name and password that are printed on a sticker on the bottom of the box.  

Connecting to this access point will give you an address via DHCP.  In my case, the address was 192.168.43.110 the first time, and 192.168.43.80 the second time I tried.

Attempting SMB

Newer versions of Windows and Mac OS do not support SMB 1.0 by default, but it can be enabled in Windows with relative ease: 

run -> Control.exe -> programs & features -> enable/disable features -> SMB 1.0

However, even turning this on, I couldn't get Windows to successfully connect and list the shared folders.

NMAP

Since I was connected, I figured I may as well run NMAP to see what interesting things might be lurking:

root@LAPTOP-R2UTNLDS:~# nmap -Av 192.168.43.1

Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-26 01:52 JST
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:52
Completed NSE at 01:52, 0.00s elapsed
Initiating NSE at 01:52
Completed NSE at 01:52, 0.00s elapsed
Initiating Ping Scan at 01:52
Scanning 192.168.43.1 [4 ports]
Completed Ping Scan at 01:52, 0.68s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:52
Completed Parallel DNS resolution of 1 host. at 01:52, 13.01s elapsed
Initiating SYN Stealth Scan at 01:52
Scanning 192.168.43.1 [1000 ports]
Discovered open port 139/tcp on 192.168.43.1
Discovered open port 53/tcp on 192.168.43.1
Discovered open port 49153/tcp on 192.168.43.1
Discovered open port 49152/tcp on 192.168.43.1
Discovered open port 4004/tcp on 192.168.43.1
Completed SYN Stealth Scan at 01:52, 2.59s elapsed (1000 total ports)
Initiating Service scan at 01:52
Scanning 5 services on 192.168.43.1
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 60.00% done; ETC: 01:54 (0:00:30 remaining)
root@LAPTOP-R2UTNLDS:~#
Service scan Timing: About 60.00% done; ETC: 01:55 (0:00:53 remaining)
Completed Service scan at 01:54, 90.57s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.43.1
Retrying OS detection (try #2) against 192.168.43.1
Initiating Traceroute at 01:54
Completed Traceroute at 01:54, 0.68s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 01:54
Completed Parallel DNS resolution of 2 hosts. at 01:54, 13.00s elapsed
NSE: Script scanning 192.168.43.1.
Initiating NSE at 01:54
Completed NSE at 01:55, 8.49s elapsed
Initiating NSE at 01:55
Completed NSE at 01:55, 0.01s elapsed
Nmap scan report for 192.168.43.1
Host is up (0.51s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE     VERSION
53/tcp    open  domain      dnsmasq 2.51
| dns-nsid:
|_  bind.version: dnsmasq-2.51
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
4004/tcp  open  upnp        CyberLink upnp 1.0
49152/tcp open  upnp        Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)
49153/tcp open  upnp        Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)
Aggressive OS guesses: Linux 3.2 - 4.8 (96%), Linux 3.10 - 4.8 (94%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1) (93%), Android 4 (93%), Android 5.1 (93%), Linux 2.6.32 (93%), Linux 3.2 - 3.16 (93%), Android 4.1.1 (93%), Android 4.2.2 (Linux 3.4) (93%), DD-WRT v3.0 (Linux 4.4.2) (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.015 days (since Sat Jun 26 01:33:43 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux 4.1.17; CPE: cpe:/o:linux:linux_kernel:4.1.17, cpe:/h:cisco:e4200

Host script results:
|_clock-skew: mean: -2002d15h16m45s, deviation: 0s, median: -2002d15h16m45s
| nbstat: NetBIOS name: KTS31-259EA1, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KTS31-259EA1<00>     Flags: <unique><active>
|   KTS31-259EA1<03>     Flags: <unique><active>
|   KTS31-259EA1<20>     Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|_  WORKGROUP<00>        Flags: <group><active>
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   0.39 ms   LAPTOP-R2UTNLDS.mshome.net (172.30.208.1)
2   660.43 ms 192.168.43.1

NSE: Script Post-scanning.
Initiating NSE at 01:55
Completed NSE at 01:55, 0.00s elapsed
Initiating NSE at 01:55
Completed NSE at 01:55, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.64 seconds
Raw packets sent: 1272 (57.612KB) | Rcvd: 1250 (51.440KB)

root@LAPTOP-R2UTNLDS:~#

Okay, so I already know from others that the OS is Android based, so some form of Linux.  I don't know the exact version, so I can't verify whether NMAP got that correct or not.

Update: The version reported by NMAP is correct.  

The uptime is roughly correct (I had plugged in the power about 30 minutes before running this scan).

The SMB and DNS services running were not a surprise, and the SMB2 protocol negotiation error did not surprise me either.

The 2 hops required is probably just an artifact from running NMAP in WSL.

What I did not expect to be open were ports 4004, 49152, and 49153.  In the listing above, it shows these as upnp, but in a previous scan, 4004 showed as pxc-roid, and the other ports showed differently as well.  

Specifically, this is what I got:

shiruba@LAPTOP-R2UTNLDS:~$ nmap -ov 192.168.43.1

Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-26 02:20 JST
Nmap scan report for 192.168.43.1
Host is up (0.0071s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
53/tcp open domain
139/tcp open netbios-ssn
4004/tcp open pxc-roid
49152/tcp open unknown
49153/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 15.20 seconds

shiruba@LAPTOP-R2UTNLDS:~$



I attempted to telnet to these ports, but didn't get anything interesting, so they may well be used for upnp. (That would not be surprising since this device does also operate as a WiFi access point for tethering from the LTE).

Since there is no telnet, ssh, or www open, there is not much more interesting I can do from the outside.  It is possible that different services might be open to the LTE IP Address, however I have no way of knowing what IP address it is assigned.  
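As an added illustration (my own code, not part of the original post), here is a small Python script that parses the two listings above into structured records, shows which ports nmap labelled differently between the -A scan and the plain scan, and turns the SMB script output into defender-side findings together with the Samba and dnsmasq settings that address them. The excerpts embedded in the script are trimmed copies of the output above; the option names (server min protocol, server signing, map to guest, restrict anonymous, interface, bind-interfaces) are standard Samba/dnsmasq settings, and the triage rules are my own, not something nmap emits.

```python
import re

# Trimmed copy of the "nmap -Av" listing above (port table plus the SMB host scripts).
SCAN_A = """\
PORT      STATE SERVICE     VERSION
53/tcp    open  domain      dnsmasq 2.51
| dns-nsid:
|_  bind.version: dnsmasq-2.51
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
4004/tcp  open  upnp        CyberLink upnp 1.0
49152/tcp open  upnp        Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)
49153/tcp open  upnp        Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

# Trimmed copy of the plain scan above: no -sV, so the SERVICE column is only a port-number lookup.
SCAN_B = """\
PORT STATE SERVICE
53/tcp open domain
139/tcp open netbios-ssn
4004/tcp open pxc-roid
49152/tcp open unknown
49153/tcp open unknown
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Map (port, proto) -> state/service/version from nmap's normal (non-XML) output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports[(int(port), proto)] = {"state": state, "service": service,
                                         "version": (version or "").strip()}
    return ports


def parse_nse(text):
    """Map NSE script name -> value: a string for one-line scripts, a dict for key/value blocks."""
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):          # anything else ends the current block
            current = None
            continue
        body = line[1:].lstrip("_").strip()   # drop the "| " / "|_  " prefix
        if current is None:
            name, _, rest = body.partition(":")
            rest = rest.strip()
            if rest:                          # "|_smb2-time: Protocol negotiation failed (SMB2)"
                scripts[name] = rest
            else:                             # "| smb-security-mode:" opens a block
                current, scripts[name] = name, {}
        else:
            key, _, value = body.partition(":")
            scripts[current][key.strip()] = value.strip()
        if line.startswith("|_"):             # "|_" marks the last line of a script's output
            current = None
    return scripts


def compare(a, b):
    """Ports whose service label differs between two scans of the same host."""
    return {k: (a[k]["service"], b[k]["service"])
            for k in a.keys() & b.keys() if a[k]["service"] != b[k]["service"]}


def triage(ports, scripts):
    """My own defender-side rules: (port, finding, mitigation) tuples drawn from the parsed scan."""
    findings = []
    smb = scripts.get("smb-security-mode", {})
    smb2 = scripts.get("smb2-time", "")
    for (port, _proto), info in sorted(ports.items()):
        if info["service"] == "netbios-ssn" or port in (139, 445):
            if "SMB2" in smb2 and "failed" in smb2:
                findings.append((port, "SMB2 negotiation failed: server speaks SMB1 only",
                                 "set 'server min protocol = SMB2' in smb.conf (or upgrade Samba)"))
            if smb.get("message_signing", "").startswith("disabled"):
                findings.append((port, "SMB message signing disabled",
                                 "set 'server signing = mandatory' in smb.conf"))
            if smb.get("account_used") == "guest":
                findings.append((port, "guest access accepted by SMB",
                                 "set 'map to guest = Never' and 'restrict anonymous = 2'"))
        elif info["service"] == "domain":
            findings.append((port, "DNS resolver reachable on the LAN (%s)" % info["version"],
                             "restrict dnsmasq with 'interface=' plus 'bind-interfaces'"))
        elif port >= 49152 or info["service"] in ("upnp", "pxc-roid", "unknown"):
            findings.append((port, "UPnP / unidentified service labelled '%s'" % info["service"],
                             "confirm the daemon on the device itself (ss/netstat) before trusting the label"))
    return findings


if __name__ == "__main__":
    ports_a, scripts_a = parse_ports(SCAN_A), parse_nse(SCAN_A)
    for key, labels in sorted(compare(ports_a, parse_ports(SCAN_B)).items()):
        print("port %d/%s: -A says %r, plain scan says %r" % (key + labels))
    for port, finding, fix in triage(ports_a, scripts_a):
        print("%5d  %-55s -> %s" % (port, finding, fix))
```

The label differences are expected rather than a sign that the ports changed: without -sV (which -A implies) nmap only looks the port number up in its nmap-services table, which is why 4004 shows as pxc-roid and the ephemeral ports as unknown in the plain scan, while the -A run actually probed them and matched UPnP banners. The triage rules are deliberately conservative; they flag what the SMB scripts report (SMB1-only, signing off, guest accepted) and leave the high ports as "verify on the box", which is the next step the post itself takes.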

One thing I can do, however, is take the hard drive out and examine the format, which I will do in the next installment.  

Update: Sadly, the HDD is only used to store user data, and has very little of interest on it.  The OS is all in the eMMC, which can be easily dumped.  
