Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Gadget Security SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Gadget Security

Last week I got my xmas gift...:) A Eeepc, (see wikipedia on it).

Basically, it is a small laptop (7'' screen), running a linux version, called XandrOS
(debian based), with a quite user-friendly interface, mostly for internet applications.

Well, it is quite good, and I am really liking it, but, of course, I had to try its security :).

Fortunately it allows you to get a console, which allows you to instantly get a root access, by issuing 'sudo bash'.
Well, this is not good, since if anyone can get it, it can change the root password, maybe letting you with the
unique alternative, restoring the system. So changing the config to ask for password is a ‘must do’, imho...:)

But let’s go to interesting stuff.
I was curious to see which ports were open using nmap from a remote host on it.

That was the result:
The SYN Stealth Scan took 0.61s to scan 1239 total ports.
Host appears to be up ... good.
Interesting ports on
Not shown: 1236 closed ports
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap finished: 1 IP address (1 host up) scanned in 1.525 seconds

Hum...port 111, 139 and 445...139 and 445 are usually associated with Windows Systems, but we are on a Linux.
Also port 111, this is portmap...

So lets dig a little more. Using smbclient to query our remote system:

lab3:~# smbclient -N -L '\\'   (-L to list and -N for no password)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (eeepc-root server (Asus Eee PC))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        EEEPC-ROOT           eeepc-root server (Asus Eee PC)

        Workgroup            Master
        ---------            -------
        GRUPO                SRVWIN1
        MSHOME               PEDROLAP
        WORKGROUP            EEEPC-ROOT

On my opinion this is too much information to be shared...
Here we have the information that the EEEPC is running Samba (that explains the port 139 and 445), the SAMBA version (3.0.24) and some groups and shares info...

On port 111, nmap says portmap, so lets check it with rpcinfo:

rpcinfo -p

lab3:~# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

Yes, portmap!

On our local system, we can check those with netstat -anp:
lab3:~# netstat -anp

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0   *               LISTEN     2339/smbd       
tcp        0      0   *               LISTEN     1409/portmap    
tcp        0      0 *               LISTEN     1398/cupsd      
tcp        0      0   *               LISTEN     2339/smbd                      
udp        0      0*                          2337/nmbd       
udp        0      0   *                          2337/nmbd       
udp        0      0*                          2337/nmbd       
udp        0      0   *                          2337/nmbd       
udp        0      0    *                          2157/dhclient3  
udp        0      0    *                          1613/dhclient3  
udp        0      0   *                          1409/portmap    
udp        0      0   *                          1398/cupsd      

Again, samba (smbd and nmbd) and portmap (sunrpc). Also, we can see Cups (used by printer).

Now, we could try to create some iptables rules to restrict access, but the iptables modules are not loaded...:(

Another alternative is to shut it down.

Since it is a debian-based linux, this could be easily done with:

/etc/init.d/portmap stop
/etc/init.d/samba stop

but it will only stop them for the current session. If you reboot it, they will be back...

Another option is to edit the file in /etc/hosts.deny and add the line

to restrict access to this service.

Or even disable it, by commenting the deamons from the usr/sbin/ file.


Again, I am not saying that letting these services open will mean that you will be hacked or so, even because I am not aware of any recent vulnerability on them, but we are at least giving too much information...


This is just one example of how our new gadgets can expose ourselves. New smart phones, linux, windows based can also expose you and your data, and as we are using them to store lots of our data, we must be paranoid on their security least I am...:)


Ah, about my is not McDonalds, but "I am loving it!" :) All my security tools were installed perfectly on it...;)



Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)



155 Posts
ISC Handler
Nov 25th 2007
What version of portmap? Samba?

Sign Up for Free or Log In to start participating in the conversation!