Hack Router Port 53 Udp

known port assignments and vulnerabilities

Captive portals will often permit all outbound UDP traffic destined for port 53 to facilitate DNS lookups. If the edge device is not inspecting your traffic or limiting which external hosts you can communicate with on that port, then run your VPN on 53/udp and profit.
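The two controls that paragraph says are missing (a destination allow-list and payload inspection on 53/udp) can be sketched as follows. This is an added example, not code from the original page; the resolver address, function names and sample packets are assumptions constructed for illustration.

```python
import struct

# Assumption: the only resolver clients may reach (RFC 5737 documentation address).
ALLOWED_RESOLVERS = {"192.0.2.53"}

def check_dns_query(payload: bytes):
    """Return (ok, reason) for a UDP payload addressed to port 53."""
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    _id, flags, qdcount, ancount, nscount, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        return False, "QR bit set: a response, not a query"
    if (flags >> 11) & 0xF != 0:
        return False, "opcode is not a standard QUERY"
    if qdcount != 1 or ancount or nscount:
        return False, "unexpected section counts for a client query"
    pos, name_len = 12, 0
    while True:                      # walk the QNAME label by label
        if pos >= len(payload):
            return False, "QNAME runs past the end of the packet"
        length = payload[pos]
        pos += 1
        if length == 0:              # root label terminates the name
            break
        if length > 63:
            return False, "label longer than 63 bytes or a compression pointer"
        pos += length
        name_len += length + 1
        if name_len > 254:
            return False, "name longer than 255 bytes"
    if pos + 4 > len(payload):
        return False, "QTYPE/QCLASS missing"
    return True, "well-formed standard query"

def verdict(dst_ip: str, payload: bytes, allowed=ALLOWED_RESOLVERS) -> str:
    """Apply both controls: destination allow-list, then payload inspection."""
    if dst_ip not in allowed:
        return "drop: destination is not an approved resolver"
    ok, reason = check_dns_query(payload)
    return "allow" if ok else "drop: " + reason

# Constructed samples: a query for example.com A/IN, and 40 bytes that are not DNS.
SAMPLE_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
SAMPLE_OTHER = bytes([0x38]) + bytes(range(1, 40))

if __name__ == "__main__":
    print(verdict("192.0.2.53", SAMPLE_QUERY), "|", verdict("192.0.2.53", SAMPLE_OTHER))
```

A structural check is one layer; restricting port 53 to the network's own resolvers is the other control the paragraph names, and the two are meant to be used together.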

Port(s) | Protocol | Service | Details | Source
53 | tcp,udp | DNS | DNS (Domain Name Service) is used for domain name resolution.
Apple MacDNS, FaceTime also use this port.
There are some attacks that target vulnerabilities within DNS servers. Some trojans also use this port: ADM worm, li0n, MscanWorm, MuSka52, Trojan.Esteems.C [Symantec-2005-051212-1727-99] (2005.05.12), W32.Spybot.ABDO [Symantec-2005-121014-3510-99] (2005.12.10).
W32.Dasher.B [Symantec-2005-121610-5037-99] (2005.12.16) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin [MS05-051]).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the [MS05-051] exploit on port 1025/tcp.
Cisco Webex Teams services use these ports:
443,444,5004 TCP
53, 123, 5004, 33434-33598 UDP (SIP calls)
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp.
Bonk (DoS) trojan horse also uses port 53 (TCP).
Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incoming packets from DNS (UDP port 53), which allows remote attackers to bypass the firewall filters via packets with a source port of 53.
References: [CVE-2003-1491] [BID-7436]
Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than [CVE-2007-1465].
References: [CVE-2007-1866] [SECUNIA-24688]
Siemens Gigaset SE461 WiMAX router 1.5-BL024.9.6401, and possibly other versions, allows remote attackers to cause a denial of service (device restart and loss of configuration) by connecting to TCP port 53, then closing the connection.
References: [CVE-2009-1152] [BID-34220]
Cisco IOS is vulnerable to a denial of service, caused by an error in NAT of DNS. By sending specially-crafted DNS packets to TCP port 53, a remote attacker could exploit this vulnerability to cause the device to reload.
References: [CVE-2013-5479], [XFDB-87455]
haneWIN DNS Server is vulnerable to a denial of service attack. A remote attacker could send a large amount of data to port 53 and cause the server to crash.
References: [XFDB-90583], [BID-65024], [EDB-31014]
named in ISC BIND 9.x (before 9.9.7-P2 and 9.10.x before 9.10.2-P3) allows remote attackers to cause a denial of service (DoS) via TKEY queries. A constructed packet can use this vulnerability to trigger a REQUIRE assertion failure, causing the BIND daemon to exit. Both recursive and authoritative servers are vulnerable. The exploit occurs early in the packet handling, before checks enforcing ACLs or configuration options that limit/deny service.
See: [CVE-2015-5477]
Tftpd32 is vulnerable to a denial of service, caused by an error when processing requests. If the DNS server is enabled, a remote attacker could send a specially-crafted request to UDP port 53 to cause the server to crash.
References: [XFDB-75884] [BID-53704] [SECUNIA-49301]
TP-Link TL-WR886N 7.0 1.1.0 devices allow remote attackers to cause a denial of service (Tlb Load Exception) via crafted DNS packets to port 53/udp.
References: [CVE-2018-19528]
MikroTik RouterBOARD v6.39.2 and v6.40.5 allow an unauthenticated remote attacker to cause a denial of service by connecting to TCP port 53 and sending data that begins with many '0' characters, possibly related to DNS.
References: [CVE-2017-17537], [EDB-43200]
Source: SG
53 | tcp,udp | | Domain Name System (DNS) (official) | Wikipedia
53 | tcp | trojan | ADM worm, li0n, MscanWorm, MuSka52 | Trojans
53 | udp | applications | Lineage II | Portforward
53,80,443,10070-10080 | tcp | applications | Socom, Socom 2. Also uses ports 6000-6999,10070 udp | Portforward
53,80,443,10070,10080 | tcp | applications | Twisted Metal Black Online (also uses ports 6000-6999 udp) | Portforward
53 | tcp | ADMworm | [trojan] ADM worm | Neophasis
53 | tcp | Lion | [trojan] Lion | Neophasis
53 | tcp | threat | Civcat | Bekkoame
53 | tcp | threat | Esteems | Bekkoame
53 | tcp | threat | W32.Dasher | Bekkoame
53 | tcp | threat | W32.Spybot | Bekkoame
53 | tcp,udp | domain | Domain Name Server | IANA
13 records found
When troubleshooting unknown open ports, it is useful to find exactly what services/processes are listening to them. This can be accomplished in both Windows command prompt and Linux variants using the 'netstat -aon' command. We also recommend running multiple anti-virus/anti-malware scans to rule out the possibility of active malicious software. For more detailed and personalized help please use our forums.
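One way to turn `netstat -aon` output into a list of the processes bound to port 53, as an added example that is not part of the original page. It assumes the Windows column layout (Linux net-tools prints timers for `-o` and needs `-p` to show the PID); the sample text and the function name are constructed for illustration.

```python
# Constructed sample in the Windows `netstat -aon` layout (not real output).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1840
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49712         203.0.113.9:53         ESTABLISHED     2212
  UDP    0.0.0.0:53             *:*                                    1840
  UDP    [::]:53                *:*                                    1840
  UDP    0.0.0.0:5353           *:*                                    2980
"""

def listeners_on_port(netstat_text: str, port: int):
    """Return sorted (proto, local_address, pid) tuples bound to `port`."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue                      # header or unrelated line
        proto, local = fields[0], fields[1]
        # rpartition keeps bracketed IPv6 addresses such as [::]:53 intact.
        _host, _, local_port = local.rpartition(":")
        if not local_port.isdigit() or int(local_port) != port:
            continue                      # exact match: 5353 is not 53
        # TCP rows carry a State column; only LISTENING rows are services.
        # A client connection *to* a remote :53 has 53 in the foreign column only.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        pid = fields[-1]                  # UDP rows have no State, PID is last
        if pid.isdigit():
            found.add((proto, local, int(pid)))
    return sorted(found)

if __name__ == "__main__":
    for proto, local, pid in listeners_on_port(SAMPLE, 53):
        print(f"{proto:4} {local:16} PID {pid}")
```

On Windows, `tasklist /FI "PID eq 1840"` then maps the reported PID to an image name.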

Trojan.Zbot uses a 12 character DGA query for internet connectivity checks.

As an ethical hacker, you should glean as much information as possible after scanning your systems. Determine what’s running on your open ports. You can often identify the following information:

  • Protocols in use, such as IP, IPX, and NetBIOS

  • Services running on the hosts, such as e-mail, web servers, and database applications

  • Available remote access services, such as Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and Secure Shell (SSH)

  • Virtual Private Network (VPN) services, such as PPTP, SSL, and IPsec

  • Required authentication for network shares

You can look for the following sampling of open ports (your network-scanning program reports these as accessible or open):

  • Ping (ICMP echo) replies, showing that ICMP traffic is allowed to and from the host

  • TCP port 21, showing that FTP is running

  • TCP port 23, showing that telnet is running

  • TCP ports 25 or 465 (SMTP and SMTPS), 110 or 995 (POP3 and POP3S), or 143 or 993 (IMAP and IMAPS), showing that an e-mail server is running

  • TCP/UDP port 53, showing that a DNS server is running

  • TCP ports 80, 443, and 8080, showing that a web server or web proxy server is running

  • TCP/UDP ports 135, 137, 138, 139 and, especially, 445, showing that an unprotected Windows host is running

Thousands of ports can be open — 65,534 each for both TCP and UDP, to be exact. A continually updated listing of all well-known port numbers (ports 0–1023) and registered port numbers (ports 1024–49151), with their associated protocols and services, is located at www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt. You can also perform a port-number lookup at www.cotse.com/cgi-bin/port.cgi.

If a service doesn’t respond on a TCP or UDP port, that doesn’t mean it’s not running. You may have to dig further to find out.

If you detect a web server running on the system that you test, you can check the software version by using one of the following methods:

  • Type the site’s name followed by a page that you know doesn’t exist, such as www.your_domain.com/1234.html. Many web servers return an error page showing detailed version information.

  • Use Netcraft’s What’s that site running? search utility, which connects to your server from the Internet and displays the web server version and operating system.

You can dig deeper for more specific information on your hosts:

  • NMapWin can determine the system OS version.

  • An enumeration utility (such as DumpSec) can extract users, groups, and file and share permissions directly from Windows.

  • Many systems return useful banner information when you connect to a service or application running on a port. For example, if you telnet to an e-mail server on port 25 by entering telnet mail.your_domain.com 25 at a command prompt, you may see something like this:

    Most e-mail servers return detailed information, such as the version and the current service pack installed. After you have this information, you (and the bad guys) can determine the vulnerabilities of the system.

  • A share-finder tool, such as the one built in to GFI LanGuard, can find open Windows shares.

  • An e-mail to an invalid address might return with detailed e-mail header information. A bounced message often discloses information that can be used against you, including internal IP addresses and software versions. On certain Windows systems, you can use this information to establish unauthenticated connections and sometimes even map drives.
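The banner check described in the list above (connecting to port 25 and reading the greeting) can be automated against your own mail servers to see what the greeting discloses. This is an added example, not part of the original text; the product list, function names and sample greetings are assumptions constructed for illustration.

```python
import re
import socket

# Assumption: illustrative product names to look for; extend for your own estate.
PRODUCTS = ("Postfix", "Exim", "Sendmail", "Microsoft", "Exchange", "qmail")
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")

def grab_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read the greeting a server you administer sends on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024).decode("ascii", "replace")

def audit_banner(raw: str) -> dict:
    """Parse an SMTP greeting (single or multi-line) and report what it discloses."""
    text = []
    for line in raw.splitlines():
        m = re.match(r"(\d{3})([ -])(.*)", line)
        if not m:
            continue
        code, sep, rest = m.groups()
        if code != "220":         # e.g. 554: the server refused, no greeting to audit
            return {"greeting": False, "code": code, "products": [], "versions": []}
        text.append(rest)
        if sep == " ":            # "220 " ends the greeting, "220-" continues it
            break
    joined = " ".join(text)
    return {
        "greeting": bool(text),
        "code": "220" if text else None,
        "products": [p for p in PRODUCTS if re.search(rf"\b{p}\b", joined, re.I)],
        "versions": VERSION_RE.findall(joined),
    }

# Constructed greetings, not captured from any real server.
VERBOSE = "220 mail.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready\r\n"
MULTI = "220-mail.example.com ESMTP Exim 4.96\r\n220 no unsolicited mail\r\n"
TERSE = "220 mail.example.com ESMTP\r\n"

if __name__ == "__main__":
    for name, banner in (("verbose", VERBOSE), ("multi", MULTI), ("terse", TERSE)):
        print(name, audit_banner(banner))
```

A greeting that yields empty `products` and `versions` lists, like the terse sample, is the state to aim for when hardening the server's banner.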