# Has anyone tried a port scan against the HR20?



## Wolffpack (Jul 29, 2003)

Just wondering what ports it may be listening to.


----------



## Milominderbinder2 (Oct 8, 2006)

Wolffpack said:


> Just wondering what ports it may be listening to.


You constantly post about the HR20.

Are you saying that you don't have an HR20?

- Craig


----------



## Wolffpack (Jul 29, 2003)

As described in my SIG line, no, I don't have an HR20. At this point in time there's nothing an HR20 can provide me that my HR10s don't provide. At least nothing I see as worth the instability of the HR20.

I've had an R15 since early 2006 and while it has become a better product over time, it still owns a position in my house which a plain receiver could have, my office.


----------



## Starrbuck (Jun 25, 2004)

Wolffpack said:


> As described in my SIG line, no, I don't have an HR20. At this point in time there's nothing an HR20 can provide me that my HR10s don't provide. At least nothing I see as worth the instability of the HR20.


You sure seem to be curious about something you do not want.

I just port-scanned mine and it seems to only be listening on ports 25 and 110.


----------



## PoitNarf (Aug 19, 2006)

Starrbuck said:


> You sure seem to be curious about something you do not want.


Something he doesn't want at the moment. I'm sure eventually (and hopefully) once the HR20 has stabilized and has additional features that make it more appealing than the HR10, then Wolffpack would probably get the HR20. Just because he doesn't have it/want it at the present moment doesn't negate the fact that there is curiosity about it.


----------



## Starrbuck (Jun 25, 2004)

Well-said, Narf. Has anyone ever told you you may have a career in politics?


----------



## Wolffpack (Jul 29, 2003)

Excuse me. So if I don't have an HR20 I'm not allowed to post questions in this hallowed forum? I never said I didn't want an HR20. What I said was that at this point in time I saw no need to replace my HR10s with an HR20. At some point in time, when more MPEG4 HD content is available, that may change and I may upgrade, but for me that time hasn't come.

Yes I am curious about the HR20. This is the path DTV has chosen to take. But lately this forum (the HR20 forum) has gotten so argumentative it's ridiculous. D*fenders and D*tractors constantly arguing about which machine is better. Whatever happened to simple questions because someone wanted to know? Folks have pulled off the cover and provided shots of the guts of these machines. Others have pulled the HD to see what filesystem it may or may not be using, still others have experimented with the eSATA capability. Now that networking is officially enabled on the HR20 I posted a question, a research question, to see if anyone had tried a port scan. The two responses I've received seem to question my motives? Gee, why would I be interested in something I don't have and don't want.

Given that, it is interesting that the two ports responding both have to do with email: SMTP and POP3. What possible features might those be used for? Has anyone noticed their HR20 attempting to gain access to external internet sites? In a typical setup most users don't block outgoing requests via a hardware firewall. I wonder if the HR20 is phoning home over the internet without customers' knowledge.

You folks really need to chill out. I've kept my mouth shut about this so far, but the HR20 forum is becoming another TCF with the attitude that you're either for us or against us. It's tough just to post a question or answer over there without 50 other members giving you the 3rd degree.


----------



## PoitNarf (Aug 19, 2006)

Wolffpack said:


> But lately this forum (the HR20 forum) has gotten so argumentative it's ridiculous. D*fenders and D*tractors constantly arguing about which machine is better. Whatever happened to simple questions because someone wanted to know?


I hear you loud and clear there. One of the reasons my post count hasn't been increasing at the same rate these past couple of weeks. I've moved more to a neutral stance with everything now.

But anyway... :backtotop



Wolffpack said:


> Given that, it is interesting that the two ports responding both have to do with email: SMTP and POP3. What possible features might those be used for? Has anyone noticed their HR20 attempting to gain access to external internet sites? In a typical setup most users don't block outgoing requests via a hardware firewall. I wonder if the HR20 is phoning home over the internet without customers' knowledge.


I'd be very interested in this as well. Is it emailing back crash/usage data? I don't have Snort installed on any machines here, so I can't check it out for myself.


----------



## ItsMeJTO (Dec 22, 2006)

Wow, I just saw the firmware upgrade list for the hr20, 
that's 18 upgrades in 5 months, almost on par with Microsoft.
Are we all beta testers too?
Anywhoo, I just wanted to say I have just upgraded the hard drive with a new Seagate 750GB. Removed cover, unplugged both power and data from internal drive, then with a standard sata cable plugged into the motherboard with an 18" standard sata cable, exiting the case through the hole created by removing the external esata port (just two screws). Extended the 4 pin power connector with a standard disc drive power extension cable and placed the drive in a small 3.5" drive case I had lying around (with a small fan inside). I powered up the hr20 in the normal way and it booted correctly and sees the new drive without any problems. I know I could just have replaced the internal drive, but didn't want to disturb more than I need to see if it's reliable. Not sure what a 750GB translates into hours, but as it's more than twice the original size it should be fine for a while, at least till I get my external raid0 setup. Can someone please tell me what the max size of drive might be that the hr20 can address?


----------



## hasan (Sep 22, 2006)

I get nervous when people start asking about what ports the HR20 is using. The very words "port scan", make my skin crawl. It's a security thing. Perhaps this is where the question was coming from? Given the problems that the HR20 has had, it wouldn't be much of a stretch to think it could be crashed from the "outside".

I'll admit, when I saw the question, a bunch of flags went up for me, so don't necessarily take the issue as having or not having an HR20, but asking what might appear to be a "fishy" question. (I'm not saying it was, I'm saying one wouldn't be completely irrational to consider that point)

Just because you don't have an HR20 yet, doesn't mean you aren't out to get me.


----------



## PoitNarf (Aug 19, 2006)

ItsMeJTO said:


> Anywhoo, I just wanted to say I have just upgraded the hard drive with a new Seagate 750GB. Removed cover, unplugged both power and data from internal drive, then with a standard sata cable plugged into the motherboard with an 18" standard sata cable, exiting the case through the hole created by removing the external esata port (just two screws). Extended the 4 pin power connector with a standard disc drive power extension cable and placed the drive in a small 3.5" drive case I had lying around (with a small fan inside). I powered up the hr20 in the normal way and it booted correctly and sees the new drive without any problems. I know I could just have replaced the internal drive, but didn't want to disturb more than I need to see if it's reliable. Not sure what a 750GB translates into hours, but as it's more than twice the original size it should be fine for a while, at least till I get my external raid0 setup. Can someone please tell me what the max size of drive might be that the hr20 can address?


I believe this thread will be more helpful to you: http://www.dbstalk.com/showthread.php?t=66201


----------



## Wolffpack (Jul 29, 2003)

hasan said:


> Just because you don't have an HR20 yet, doesn't mean you aren't out to get me.


Rest assured, I'm not out to "get" anyone. I'm interested in any CE product in my house that is network aware and could be blindly attached to a home network. Not having any idea what it's doing or with whom.

I was expecting no ports to be open. The fact that those two (25 and 110) are open concerns me a bit. Again, I'm assessing this and want to be fully aware of anything I attach to my network. I can't imagine why these ports would be open.

Has anyone set up a monitor to see what packets are flowing to and from the HR20? Looked at the packet types and their destinations? Has anyone tried to open a session with port 25 or 110 via telnet? Tried a 'helo' or 'help' command?

It's well known that the general public is too trusting and ignorant of attaching a device to their home network that in turn could have access to the Internet. How many of you have plugged your HR20 into your home network without even asking yourself the question what it may be doing? Those are the questions I ask for a living. Again I don't have an HR20 so I haven't reviewed its network activity.

For background, I'm what some (my clients) consider a security professional. I hold a certification known as CISSP and have for years. For me to hold that certification there is a Code of Ethics I and other holders of this certification adhere to.

So, does all this sound paranoid? You bet it does. That's what CISSPs do for a living. They are paranoid regarding IT/Network security and that's what they're paid for.

I see a CE device that has many bugs in it and recently had networking added to it. Given the track record of both the HR20 and R15 I would have a hard time connecting this to my network without knowing its impact. It very well may just be Viiv, but if so, why is it listening on 25 and 110? Also, is it initiating its own sessions with servers outside your home network?

I didn't plan on going into this detail, but does that clarify my intentions in asking the original question?


----------



## PoitNarf (Aug 19, 2006)

Wolffpack said:


> Has anyone tried to open a session with port 25 or 110 via telnet? Tried a 'helo' or 'help' command?


No dice for me:


```
C:\Users\admin>telnet 192.168.1.104 25
Connecting To 192.168.1.104...Could not open connection to the host, on port 25:
 Connect failed

C:\Users\admin>telnet 192.168.1.104 110
Connecting To 192.168.1.104...Could not open connection to the host, on port 110
: Connect failed
```


----------



## jaywdetroit (Sep 21, 2006)

Wolffpack said:


> Rest assured, I'm not out to "get" anyone. I'm interested in any CE product in my house that is network aware and could be blindly attached to a home network. Not having any idea what it's doing or with whom.
> 
> I was expecting no ports to be open. The fact that those two (25 and 110) are open concerns me a bit. Again, I'm assessing this and want to be fully aware of anything I attach to my network. I can't imagine why these ports would be open.
> 
> ...


Could the answer to your question be as simple as the consideration that the HR20 may allow you access to your e-mail at some point in the future? Don't ask me why they would add this feature, but why the hell else would they leave these ports open?


----------



## HDTVsportsfan (Nov 29, 2005)

Hey Wolf,

A number of months ago I remember not seeing you post for over a week. Your response was that you had been to a security conference. So with that said, If I hadn't been a little familiar with you and your posts (as much as one can in this environment anyway), I would have been curious (suspicious) about why you had asked the question. It wouldn't have had anything to do with whether or not you owned an HR20. 

I get paranoid as well, and was very curious to see the answer to your question. I'm an owner in an IT company as well. I do not hold a certification such as yours (my partner has the certs). We do a lot of IT security along w/ general IT support services. And frankly it's scary. We come across many new customers that have wireless APs wide open. Broadcasting SSID, no passwords, no WPA or security, nothing. We can sit in the parking lot and "see" everything. It's simply incredible that people still don't get it. Others that have third party vendors RDP'ing straight to the server w/ no firewall. 

We haven't had to do this yet because we have always been able to articulate and explain why these things are a problem. But we will generate documents stating that they have been advised of the serious security concerns within their network and we are not responsible for it. blah blah blah.....

It's going to be interesting to see why ports 25 and 110 are open and how it plays out on the HR20.


----------



## jaywdetroit (Sep 21, 2006)

Can someone give me a worst-case scenario for what they fear the HR20 might actually be doing? Are you concerned it may be monitoring your e-mail communications? Or is it more along the lines of a privacy violation by sending viewing data over the net via a mail app? 

Since I am not a security professional, I can't imagine how diabolical someone could get with a TV box. 

What are we talking about here?


----------



## oakwcj (Sep 28, 2006)

My results with nmap show no open ports:

```
nmap -v -A -P0 192.168.0.2

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-23 18:27 PST
DNS resolution of 1 IPs took 0.01s.
Initiating Connect() Scan against 192.168.0.2 [1680 ports] at 18:27
Connect() Scan Timing: About 8.93% done; ETC: 18:32 (0:05:06 remaining)
The Connect() Scan took 347.26s to scan 1680 total ports.
Host 192.168.0.2 appears to be up ... good.
All 1680 scanned ports on 192.168.0.2 are filtered
```


----------



## Wolffpack (Jul 29, 2003)

PoitNarf said:


> No dice for me:
> 
> 
> ```
> ...


Interesting. Starrbuck stated 25 and 110 were open. Can you run a port scan and see if your HR20 is also showing those ports as open?

Starrbuck, what port scan did you run?


----------



## Wolffpack (Jul 29, 2003)

oakwcj said:


> My results with nmap show no open ports:
> 
> nmap -v -A -P0 192.168.0.2
> 
> ...


Those were the results I'd expect. Don't know what Starrbuck ran against his/hers. As an aside....ain't that a ***** that we had a guy Starbuck and then a girly Starbuck? But in the end, the girly Starbuck could easily kick the guy Starbuck's ass!


----------



## dervari (Dec 1, 2005)

The box *could not* sniff any network traffic unless it was connected to a hub or mirroring port on a switch. I seriously doubt ports 25/110 are open. It seems like Starbuck was scanning an email server somewhere. 25 is SMTP and 110 is POP3. There is absolutely no reason for the HR20 to be using these ports. If anything, I would expect to see some UDP broadcast traffic dealing with uPNP.


----------



## RobertE (Jun 10, 2006)

Looks all nice and secure here. 

```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

nmap -v -A -P0 192.168.10.103

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-23 21:58 Eastern Standard
Time
Initiating ARP Ping Scan at 21:58
Scanning 192.168.10.103 [1 port]
Completed ARP Ping Scan at 21:58, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.02s elapsed
Initiating SYN Stealth Scan at 21:58
Scanning 192.168.10.103 [1697 ports]
Completed SYN Stealth Scan at 21:58, 38.22s elapsed (1697 total ports)
Initiating Service scan at 21:58
Warning: OS detection for 192.168.10.103 will be MUCH less reliable because we
did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.10.103
Host 192.168.10.103 appears to be up ... good.
All 1697 scanned ports on 192.168.10.103 are filtered
MAC Address: 00:50:94:C7:F5:72 (Pace Micro Technology PLC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http:
//insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 40.142 seconds
Raw packets sent: 3419 (152.714KB) | Rcvd: 1 (42B)
```


----------



## Wolffpack (Jul 29, 2003)

HDTVsportsfan said:


> Hey Wolf,
> 
> A number of months ago I remember not seeing you post for over a week. Your response was that you had been to a security conference. So with that said, If I hadn't been a little familiar with you and your posts (as much as one can in this environment anyway), I would have been curious (suspicious) about why you had asked the question. It wouldn't have had anything to do with whether or not you owned an HR20.
> 
> ...


That's the sign of a great security guy. You pay attention and keep track of what you've read. That was last June, the CSINet conference here in Phoenix (love it when it's local).

I understand folks being scared of my questions not knowing me. But why would someone asking a question such as what I ask concern folks if they have done their own homework? My point on this: don't plug any CE device into your network without knowing what it can do. If you still want to plug that device in, configure your hardware firewall to block outside access for that IP or MAC address and monitor its traffic.

It's obvious you are seeing the same trends as I.

Being a CISSP, belonging to CSI, ISSA and Infragard, one gets a different view of our world. Ah, but that's for the security forums. Again, it was my security side that originally asked the question. If I had an HR20 I would have already run that baby through my bag of tricks.


----------



## Wolffpack (Jul 29, 2003)

jaywdetroit said:


> Can someone give me a worst-case scenario for what they fear the HR20 might actually be doing? Are you concerned it may be monitoring your e-mail communications? Or is it more along the lines of a privacy violation by sending viewing data over the net via a mail app?
> 
> Since I am not a security professional, I can't imagine how diabolical someone could get with a TV box.
> 
> What are we talking about here?


Keep in mind I'm a paranoid IT security guy. Worst case in my mind is that the HR20 could open connections to the outside which then could be exploited by some unscrupulous hacker.

My real concern is that I don't believe the HR20 should be attempting any contact with the outside world other than what a customer has approved. In this case Viiv on an internal LAN. If the HR20 is doing anything outside that....bad news. To me that means disconnect the LAN. But that would require someone to monitor the network traffic on their HR20. As I don't have one, is anyone game to do it and report the results?


----------



## HDTVsportsfan (Nov 29, 2005)

Anything attached to your network from the inside or outside whether it's wireless or hard wired should be considered a security vulnerability until assessed and all reasonable efforts are made to secure them.

btw, Wolf, thank you for your comments. I feel honored.


----------



## PoitNarf (Aug 19, 2006)

My subsequent port scans of the HR20 also yield 0 open ports.

Now to port scan my Wii...


----------



## PoitNarf (Aug 19, 2006)

Additionally, has anyone sniffed the network traffic while the HR20 is running its network connectivity tests? From what D* told Earl, it just pings directv.com, but I'd like to be sure.


----------



## iacas (Nov 18, 2006)

Wolffpack said:


> I was expecting no ports to be open. The fact that those two (25 and 110) are open concerns me a bit. Again, I'm assessing this and want to be fully aware of anything I attach to my network. I can't imagine why these ports would be open.


I'm not sure the guy who said 25 and 110 were open has it right. It's very, very odd that the HR20 would have the SMTP and POP3 ports open - those are the services typically run on 25 and 110.


----------



## Spanky_Partain (Dec 7, 2006)

I'm willing to put ethereal on and check it out and bring a managed switch to the house.

I have been intending on doing that, but then I would need to run a cable unless ethereal supports wireless now.

Earlier today it piqued my curiosity as well when this thread was posted about multi-cast traffic being seen on the wire from HR20
http://www.dbstalk.com/showthread.php?t=74119


----------



## Wolffpack (Jul 29, 2003)

It does seem from subsequent posts that others have found no open ports on the HR20. But again, I'd be interested to see the actual traffic coming from the HR20.


----------



## Spanky_Partain (Dec 7, 2006)

Wolffpack said:


> It does seem from subsequent posts that others have found no open ports on the HR20. But again, I'd be interested to see the actual traffic coming from the HR20.


Especially what it does send from the test.

This will be a simple setup and check.

Wolfpack, would you object to some PM's from me when I get this going?


----------



## PoitNarf (Aug 19, 2006)

Spanky_Partain said:


> Wolfpack, would you object to some PM's from me when I get this going?


PM all you guys want, just share the results with the rest of us please


----------



## Wolffpack (Jul 29, 2003)

HDTVsportsfan said:


> Anything attached to your network from the inside or outside whether it's wireless or hard wired should be considered a security vulnerability until assessed and all reasonable efforts are made to secure them.
> 
> btw, Wolf, thank you for your comments. I feel honored.


I agree completely. Now that Joe Schmoe can connect his fridge and such to his network, another layer of consumer awareness needs to be stressed. Incursions you and I see in the business world today could soon become commonplace in Joe's world with this move toward complete network connectivity. How long do you think it would take for someone from Yeckblecistan to find an exploit for your LG refrigerator and take that over as a spam-bot? In addition to defrosting it every other day and spoiling all of your food.

Many folks joke about the number of security patches that MS releases every week. That's not a joke. It's something that is needed because every day at least one or two dozen new exploits are uncovered in the security world. MS doesn't release those updates because they missed something. They release them because there's folks out there with time on their hands and $$$ in their pockets that try to break into devices.

I have always worried about a DTV DVR connecting to the internet to download VOD. I don't even let my PCs/Servers connect to the internet without my knowing when, why and the size of the files they intend to download. If I don't trust my PCs/Servers to do this, I'm not about to trust some CE device to do this when I have no knowledge of the code and whose programming track record isn't the greatest. If I had an HR20 I'd only connect it to my network while keeping a close eye on what it's doing and I would block it from any Internet access outside my network. But that's just me.


----------



## Wolffpack (Jul 29, 2003)

Spanky_Partain said:


> Especially what it does send from the test.
> 
> This will be a simple setup and check.
> 
> Wolfpack, would you object to some PM's from me when I get this going?


As PoitNarf states, post items here. It's best for all to read and all to contribute. I'm not opposed to PMs but when the info concerns everyone that's interested let's keep everyone involved.

Wow, cool. :allthumbs Now this is what I was talking about. Getting back to the roots of this forum. A few folks try things, report them and others help further the discussion. Everyone learns from the discussion. We don't have to worry about who's calling who stupid. :grin:

Believe me, if I had an HR20 there would already be a thread on what I've found on networking. But go ahead and try stuff Spanky, no one here's going to have trouble with what you share.


----------



## Spanky_Partain (Dec 7, 2006)

My intention of the PM is to keep the jabber of different setups or captures that I might not think of off the forum. 

Not to keep anything that I(WE DBStalk inquiring minds) want to know.

The faster security holes are discovered, the quicker they get fixed.


----------



## Wolffpack (Jul 29, 2003)

Honestly Spanky, throw them out here for everyone to review. Don't worry about not knowing everything. The great part about this field, and the tools available, is that no one knows everything about every tool.

If you've got a spare PC/laptop or can boot your regular PC from a CD for a 24 hour period, take a look at the tools on the BackTrack boot CD. Check out remote-exploit.org. It's free and has a ton of fun tools to play with.


----------



## Dave_S (Jan 7, 2006)

I set my HR20 up with a static IP. Did a quick Nessus scan and came up empty. Ran a Nmap port scan:

```
All 256 scanned ports on 192.168.XXX.XXX are open|filtered
MAC Address: 00:50:94:XX:XX:XX (Pace Micro Technology PLC)
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 14.321 seconds
```

My HR20 is not returning pings either, so must be some type of filtering/built in firewall. I get nothing on a "connect" scan. If I get some time I may try the Backtrack boot cd on one of my old laptops with a x-over, looks like it has some real cool tools. I also want to set up some of the media sharing from one of my XP boxes, connect the HR20 to a hub, and take a look.


----------



## Spanky_Partain (Dec 7, 2006)

Here are some ethereal captures of the HR20

There are two capture files in the zip.

A one minute capture of just watching A&E and a capture of the network test.

Looks to me like there may be something here, like a heartbeat of the HR20 checking in with directv.com when just sitting idle.

To view these files, download ethereal from ethereal.com. Unzip the files, and double click on them and ethereal will start up and show them.


----------



## Kevin2735 (Dec 27, 2006)

> Keep in mind I'm a paranoid IT security guy.


Every single IT security guy I have met is paranoid. I think it is in their gene pool or something. 

Looks like some say they saw the ports open and some say they don't? Did I miss it, but no one mentioned what firmware/software version they are running on the HR-20. I will try it on my own SOHO tonight and see what I find. I am running the latest update.

Do you think those that the forced download of earlier beta code had "phone home" capabilities? Maybe the legitimate beta testers agreed to it so the developers could see bug reports? Not an uncommon feature in most beta code these days. I haven't looked, but is there a license agreement for the HR-20, does it mention the ability report statistical data over the Internet?


----------



## Wolffpack (Jul 29, 2003)

Interesting caps. Just looking quick it appears the heartbeat is UPnP. Also appears it may be running the 2.4.29 Linux Kernel....or at least a LIB from that kernel. I'll look at more tomorrow.


----------



## Wolffpack (Jul 29, 2003)

Humm, maybe even www.skelmir.com 
*(User-Agent: Skelmir/CEE-J 2.7.088 (BUILD:2264))*


----------



## Wolffpack (Jul 29, 2003)

Further humm. Interesting note (uclibc-brcm): uClibc (uclibc.org, a smaller footprint version of glibc) and brcm (the NASDAQ symbol for Broadcom Corporation).

In full the text string was "Linux/2.4.29-uclibc-brcm".

Okay, I gotta quit and get back to the family. What are others seeing off these caps.


----------



## Spanky_Partain (Dec 7, 2006)

Here is a capture(s) using twonky...

One is a photo play and one is a music play

IPs
199.100.123.4 - HR20
199.100.123.100 - Twonky Server
199.100.123.224 - Switch used to mirror ports for capture
199.100.123.9 - This computer, doing capture

HR20 FW 10b from national release


----------



## PoitNarf (Aug 19, 2006)

Spanky_Partain said:


> IPs
> 199.100.123.4 - HR20


199.100.x.x? What kind of a network are you running there?


----------



## Wolffpack (Jul 29, 2003)

PoitNarf said:


> 199.100.x.x? What kind of a network are you running there?


He's obviously Performance Systems International out of Washington DC as they own the 199.97.0.0 through 199.100.255.255 range of IPs. :grin:

All kidding aside, (no rip on you Spanky!!!) there are blocks of non-routable, private IP addresses available as follows:

```
10.0.0.0 through 10.255.255.255 (Class A)
172.16.0.0 through 172.31.255.255 (Class B)
192.168.0.0 through 192.168.255.255 (Class C)
```
Most home addresses are using the 192.168.x.x range but that's not really enforced by anybody as long as it's NATted behind a firewall/router.
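As an added example that is not code from this thread, DirecTV, Ethereal or Twonky, here is a Python sketch of the two checks the capture posts above and this private-range list call for: pulling the SERVER and User-Agent strings quoted above out of SSDP announcements and HTTP requests, timing the ssdp:alive "heartbeat", and flagging destinations outside the lab subnet. The packets, the request path, the timings and the 203.0.113.10 external address are constructed; the lab subnet is passed in explicitly because, as this thread shows, a test network is not always in RFC 1918 space.

```python
import ipaddress
import re
from collections import defaultdict

# The three RFC 1918 blocks exactly as listed in the post above.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSDP_MCAST = ipaddress.ip_address("239.255.255.250")  # standard SSDP multicast group
_PRODUCT = re.compile(r"^([A-Za-z][\w.]*)/(\d[\w.]*)((?:-\w+)*)")


def is_rfc1918(addr: str) -> bool:
    """True only for the three private blocks. Narrower than ipaddress' is_private,
    which also counts loopback, link-local and documentation ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_httpu(payload: bytes) -> dict:
    """Split an SSDP (HTTP over UDP) or plain HTTP request head into its start
    line and a dict of lower-cased header names to values."""
    head = payload.decode("ascii", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers}


def fingerprint(product_token: str):
    """'Linux/2.4.29-uclibc-brcm UPnP/1.0' -> os, kernel version and the build
    tags (here the C library and the chip vendor). None when the leading token
    carries no numeric version (e.g. the Skelmir User-Agent quoted above)."""
    m = _PRODUCT.match(product_token)
    if not m:
        return None
    os_name, version, tags = m.groups()
    return {"os": os_name, "version": version, "tags": [t for t in tags.split("-") if t]}


def analyse(packets, lan: str) -> dict:
    """packets: iterable of (t_seconds, src, dst, payload). lan: the capture's own
    subnet, given explicitly rather than assumed to be RFC 1918. Per source address
    collect SERVER fingerprints, User-Agents, the gaps between ssdp:alive
    announcements (the 'heartbeat'), and any destination that is neither the SSDP
    multicast group nor inside the lab subnet."""
    lan_net = ipaddress.ip_network(lan)
    hosts = defaultdict(lambda: {"server": set(), "ua": set(), "alive": [], "ext": set()})
    for t, src, dst, payload in packets:
        rec = hosts[src]
        msg = parse_httpu(payload)
        h = msg["headers"]
        if "server" in h:
            rec["server"].add(h["server"])
        if "user-agent" in h:
            rec["ua"].add(h["user-agent"])
        if msg["start_line"].startswith("NOTIFY") and h.get("nts") == "ssdp:alive":
            rec["alive"].append(t)
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip != SSDP_MCAST and dst_ip not in lan_net:
            rec["ext"].add(dst)
    summary = {}
    for src, rec in hosts.items():
        times = sorted(rec["alive"])
        summary[src] = {
            "fingerprints": [fingerprint(s) or {"raw": s} for s in sorted(rec["server"])],
            "user_agents": sorted(rec["ua"]),
            "alive_intervals": [round(b - a, 1) for a, b in zip(times, times[1:])],
            "external_destinations": sorted(rec["ext"]),
            "rfc1918_source": is_rfc1918(src),
        }
    return summary


# Constructed sample capture using the addresses listed in the capture post. The
# SERVER and User-Agent values are the strings quoted in the thread; the path,
# timings and the 203.0.113.10 destination are made up for this example.
HR20, TWONKY, EXTERNAL = "199.100.123.4", "199.100.123.100", "203.0.113.10"
NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"CACHE-CONTROL: max-age=1800\r\nNT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
          b"SERVER: Linux/2.4.29-uclibc-brcm UPnP/1.0\r\n\r\n")
GET = (b"GET /description.xml HTTP/1.1\r\nHost: 199.100.123.100\r\n"
       b"User-Agent: Skelmir/CEE-J 2.7.088 (BUILD:2264)\r\n\r\n")
SAMPLE_PACKETS = [
    (0.0, HR20, str(SSDP_MCAST), NOTIFY),
    (2.5, HR20, TWONKY, GET),
    (30.0, HR20, str(SSDP_MCAST), NOTIFY),
    (60.0, HR20, str(SSDP_MCAST), NOTIFY),
    (61.0, HR20, EXTERNAL, GET),  # a contact outside the lab subnet
]


def demo() -> dict:
    """Run the analysis over the constructed capture; returns the HR20's summary."""
    return analyse(SAMPLE_PACKETS, "199.100.123.0/24")[HR20]


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Feeding it a real capture means exporting the UDP 1900 and HTTP payloads from Ethereal with their timestamps and source/destination addresses; the multicast announcements are the expected idle chatter, and only the external_destinations list is what the thread is asking about.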


----------



## Spanky_Partain (Dec 7, 2006)

I make up kinds of stuff when testing...

Wanted to keep this network isolated.


----------



## Spanky_Partain (Dec 7, 2006)

Going to download the Bootdisk iso and start it tonight.

I think my wife is getting ready to pick this 30' Hot Pink Cat 5 cable and wrap it around my neck.

Good thing I picked up all the Christmas wrapping/boxes/etc...:lol: :bonk1:


----------



## Spanky_Partain (Dec 7, 2006)

One other tid bit, it has been verified the HR20 is 10/100, no gig,  just like Earl said!


----------



## Wolffpack (Jul 29, 2003)

:icon_lol: 

Keep up the good work. Love the info. As you can imagine if I did get an HR20 it'd be in my office and like my R15, apart more than it was together when it was new. I'd love to plug that HD into a couple of my systems. :lol:


----------



## mrshermanoaks (Aug 27, 2006)

I have port scanned the HR20 on the last couple of versions and have seen zero open ports.

As far as I've seen, the HR20 throws out the uPnP announcements so that WMP and Viiv can see that it exists. But that's been it.


----------



## Radio Enginerd (Oct 5, 2006)

PoitNarf said:


> Something he doesn't want at the moment. I'm sure eventually (and hopefully) once the HR20 has stabilized and has additional features that make it more appealing than the HR10, then Wolffpack would probably get the HR20. Just because he doesn't have it/want it at the present moment doesn't negate the fact that there is curiosity about it.


If you don't have MPEG-4 locals (nor want them) and you have OTA gear installed at your home, there isn't much of a reason to upgrade to the HR-20 at the present time... Once the DTV 10 and 11 HD birds launch, I'm sure we'll see Wolfpack put together some coin and purchase an HR-20.


----------



## Spanky_Partain (Dec 7, 2006)

If you download some of the cap files, it is clear that the HR20 is talking to home base. Not just a WMP or twonky serving up files to it.


----------



## mrshermanoaks (Aug 27, 2006)

I saw it communicate out when you did a network test or setup, it would do a ping to what I assumed was DirecTV. But when I was monitoring, I didn't see any regular communication. Did I miss that or not watch long enough?


----------



## Dave_S (Jan 7, 2006)

I have Backtrack booted on one of my laptops connected to a hub shared by the HR20, with an up link to the Internet. Just browsing around the interface checking out all of the tools/utilities available, seems pretty cool. Any special requests from users that are more familiar with it?


----------



## solo1026 (Mar 21, 2006)

Great info! I have not connected my HR20 to my home network and I won't until I'm sure all of these security are working the way they should. So Guys thanks for all the great info:goodjob: 


Happy New Year:balloons:


----------



## jaywdetroit (Sep 21, 2006)

solo1026 said:


> Great info! I have not connected my HR20 to my home network and I won't until I'm sure all of these security are working the way they should. So Guys thanks for all the great info:goodjob:
> 
> Happy New Year:balloons:


I need to play a little Devil's advocate. Because I really don't understand the risk here. First off- I have done some basic server security work for small offices. I understand the 'paranoia' mind set. That said-

What is it that you folks are worried the HR20 is going to do? I mean any TIVO user with their box connected to a phone line was sharing all their viewing data, right? What can it do which is more invasive than that?

And if it gets hacked-- Most of us are leasing this thing right? Turn it in and get a new one.

I worry about someone hacking into my personal files on my home PC. So I understand the paranoia there- but I don't understand the paranoia surrounding the HR20. Worst case: someone deletes your recordings and fills your box with porn or something. (Don't get any ideas hackers) Or erases the hard disk. - Turn it in and get a new one or redownload the software, right?

Am I missing something here?


----------



## Kapeman (Dec 22, 2003)

jaywdetroit said:


> I need to play a little Devil's advocate. Because I really don't understand the risk here. First off- I have done some basic server security work for small offices. I understand the 'paranoia' mind set. That said-
> 
> What is it that you folks are worried the HR20 is going to do? I mean any TIVO user with their box connected to a phone line was sharing all their viewing data, right? What can it do which is more invasive than that?
> 
> ...


I think that one issue is that of using the HR20 as a "jump point".

If someone were able to hack/connect to the HR20, they could theoretically use the HR20 to "jump" (gain access) to another device on the network.

If they could do that, there are a LOT of nasty things they could do.


----------



## jaywdetroit (Sep 21, 2006)

Kapeman said:


> I think that one issue is that of using the HR20 as a "jump point".
> 
> If someone were able to hack/connect to the HR20, they could theoretically use the HR20 to "jump" (gain access) to another device on the network.
> 
> If they could do that, there are a LOT of nasty things they could do.


That makes sense - I mean - I can understand being paranoid if that is a possibility.

So the question is then: is it possible, right? I mean, assume you have direct access to the box, can you load some kind of kernel and execute anything?

Is that where we are? Or have we established that this can in fact be done?


----------



## Kapeman (Dec 22, 2003)

jaywdetroit said:


> That makes sense - I mean - I can understand being paranoid if that is a possibility.
> 
> So the question is then: is it possible, right? I mean, assume you have direct access to the box, can you load some kind of kernel and execute anything?
> 
> Is that where we are? Or have we established that this can in fact be done?


I think everyone here is trying to establish if the box can be hacked/compromised or not.

At this point, we don't know.


----------



## yamaham (Oct 6, 2006)

Oh my god I heard DirecTV is selling our network addresses to spammers who are routing unsolicited email through our HR20s!!!!


----------



## Radio Enginerd (Oct 5, 2006)

yamaham said:


> Oh my god I heard DirecTV is selling our network addresses to spammers who are routing unsolicited email through our HR20s!!!!


Oh boy, don't get everyone started!


----------



## lguvenoz (Aug 23, 2006)

Kapeman said:


> I think that one issue is that of using the HR20 as a "jump point".
> 
> If someone were able to hack/connect to the HR20, they could theoretically use the HR20 to "jump" (gain access) to another device on the network.
> 
> If they could do that, there are a LOT of nasty things they could do.


This is the single biggest concern I think people have. Most of us have home networks that assume devices attached are "safe and trustworthy". I for one have every PC behind a hardware firewall, but they all still have their own firewalls, antivirus and spyware blocking for further protection.

"If" the HR20 can be compromised, it has no other safeguards. It could be utilized to access anything on the network potentially or even used as a zombie. Can you imagine the day your HR20 stops recording and you spend hours on the phone only to find out that some 15 year old hacker has seized control of your box??

Until they get all the security elements of ViiV worked out, I'm not real excited about putting this thing on my home network.


----------



## Wolffpack (Jul 29, 2003)

yamaham said:


> Oh my god I heard DirecTV is selling our network addresses to spammers who are routing unsolicited email through our HR20s!!!!


No, but have you ever heard of a "rootkit"? Do you know that if there is an exploit for the OS/software that DTV is using on the HR20 some unscrupulous folks can take advantage of a buffer overflow or other exploit and plant a trojan or bot of some type in which they can do that very thing?

Hackers can use any electronic device with network access and a soft security profile to launch DOS attacks both internally on your network and externally against corporate servers.

Hackers can also use this method to grab disk space on your PC (or possibly your HR20) and use that space to store anything from hacker how-tos to child porn. I have seen organizations that noticed a shortage of available disk space only to find out they were hosting a child porn site. All of this can be done using any one of thousands of available and known exploits.

Having a Tivo phone home is nothing compared to an HR20 going out through your home network onto the 'Net. At this point the HR20 doesn't look like it's opened up very much but with the upcoming VOD via broadband I hope DTV is using some outside security resources to beef up the perimeter of that box and that their security testing procedures were not written by the same folks that wrote their software testing procedures. :eek2:

We can joke about the HR20 sending our viewing habits to DTV but in reality if there isn't strong security in place, and frequent updates to seal vulnerabilities as they are discovered, sharing your viewing habits will be the least of your worries. I'm not claiming that the sky is falling. All I recommend is that one should keep an eye skyward just in case it does.


----------



## Starrbuck (Jun 25, 2004)

Wolffpack said:


> Interesting. Starrbuck stated 25 and 110 were open. Can you run a port scan and see if your HR20 is also showing those ports as open?
> 
> Starrbuck, what port scan did you run?


I hesitate to answer you as I don't want to upset you again and make you go into another hissy, but I was using a free port scanner I found called NetworkActiv Port Scanner 4.0. Unfortunately now I am also not getting either port I first reported to answer the same. I don't think I made any mistakes initially as there is nothing else on my network with those ports open either. I don't think I accidentally scanned a different IP as the settings I used in the port scanner were still there when I started it up again. I had just run the network setup on the HR20 so perhaps those ports were active for a time after the setup. Otherwise I can't explain it.


----------



## Dave_S (Jan 7, 2006)

Not to mention most users that are setting up a network connection with the HR20 are doing so to provide a mechanism to share files, largely with their home PCs running Windows. So if the HR20 was unsecured and someone was able to hack in, you have provided them an entry point to your home machine. For some folks who do on-line banking, stock trading, on-line shopping, keep financial records etc. it could be potentially devastating. From early glimpses, it does not appear to be an issue, however, we can't take it for granted that D* is looking out for the security of our home networks.


----------



## yamaham (Oct 6, 2006)

Wolffpack said:


> No, but have you ever heard of a "rootkit"? Do you know that if there is an exploit for the OS/software that DTV is using on the HR20 some unscrupulous folks can take advantage of a buffer overflow or other exploit and plant a trojan or bot of some type in which they can do that very thing?


As a consultant in the Sony/BMG compact disc 'rootkit' fiasco...naahh never heard of it :lol:


----------



## Wolffpack (Jul 29, 2003)

yamaham said:


> As a consultant in the Sony/BMG compact disc 'rootkit' fiasco...naahh never heard of it :lol:


!Devil_lol Great example of a firm not taking security seriously.


----------



## Spanky_Partain (Dec 7, 2006)

Dave_S said:


> I have Backtrack booted on one of my laptops connected to a hub shared by the HR20, with an up link to the Internet. Just browsing around the interface checking out all of the tools/utilities available, seems pretty cool. Any special requests from users that are more familiar with it?


So Wolfpack, can you give Dave some pointers on this? I have not burned the CD yet. Just getting caught up this morning. Seems my throat is starting to feel like a cold is starting to set in.


----------



## yamaham (Oct 6, 2006)

Forget all this mess, someone fix the pink bug!


----------



## Wolffpack (Jul 29, 2003)

Dave_S said:


> I have Backtrack booted on one of my laptops connected to a hub shared by the HR20, with an up link to the Internet. Just browsing around the interface checking out all of the tools/utilities available, seems pretty cool. Any special requests from users that are more familiar with it?


You can start under Backtrack -> Scanners -> Port Scanners and try those. Autoscan is graphical and provides good basics. For grins turn the firewall off on one of your PCs and see what Autoscan returns.


----------



## Spanky_Partain (Dec 7, 2006)

Alright, got it going. Dang new hardware!!!! Set up another laptop...

Good tool set, I feel right at home in the Linux env...

I'll get started...


----------



## Dave_S (Jan 7, 2006)

Wolffpack said:


> You can start under Backtrack -> Scanners -> Port Scanners and try those. Autoscan is graphical and provides good basics. For grins turn the firewall off on one of your PCs and see what Autoscan returns.


Autoscan sees the HR20 as a firewall 62/62 ports firewalled. I blew my WAP offline running Ninja :lol: nmap shows nothing interesting, as do most of the port scanners. I can see the device on the network with netdiscover (from ARP resolution) but that is about it. Did a few caps with wireshark, all I picked up were the UPnP UDP packets. Looking at SuperScan and snmp enum right now....


----------



## Spanky_Partain (Dec 7, 2006)

I can confirm what Dave has seen as well. Saw more information via the ethereal cap files of actual data, I didn't run ninja but ran the others Dave mentioned. Etherape also confirms what we saw in the cap files. I use that tool at work for tracking down the person who started another DHCP server on our lab net.

Seems the HR20 is pretty much shut down from attacks.

I love Linux...


----------



## Spanky_Partain (Dec 7, 2006)

I'm putting *her* back on the net...


----------



## Wolffpack (Jul 29, 2003)

From these reports it does sound like the HR20 is pretty locked up at this point. Which, by chance, was my purpose of this thread. Thanks to all that did the work and posted their results.

I'd recommend this same procedure for every new update to the HR20.


----------



## Spanky_Partain (Dec 7, 2006)

As far as WMP11, Vista, ViiV, and Twonky...
For those using these services, I recommend a hardware firewall using a router to start with. Then configuring your firewall software appropriately. If running wireless, use WPA security.

I will NOT go into how to do this.

There are other forums that are geared just for that.

Have fun, I know I did just checking this thing out.

Oh yeah, thanks to everyone who contributed...:bowdown:


----------



## PoitNarf (Aug 19, 2006)

Interesting read. Thanks to all the contributors.


----------



## mjbehren (Nov 21, 2006)

I found an open port... See below:

I can telnet to it, and it does in fact connect...

```text
c:\>nmap -v -O -p1-65535 192.168.222.20

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-29 00:10 Eastern Standard Time
Initiating ARP Ping Scan at 00:10
Scanning 192.168.222.20 [1 port]
Completed ARP Ping Scan at 00:10, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:10
Completed Parallel DNS resolution of 1 host. at 00:10, 0.01s elapsed
Initiating SYN Stealth Scan at 00:10
Scanning 192.168.222.20 [65535 ports]
SYN Stealth Scan Timing: About 2.02% done; ETC: 00:35 (0:24:21 remaining)
Discovered open port 49152/tcp on 192.168.222.20
SYN Stealth Scan Timing: About 13.51% done; ETC: 00:31 (0:18:37 remaining)
SYN Stealth Scan Timing: About 20.70% done; ETC: 00:26 (0:13:03 remaining)
SYN Stealth Scan Timing: About 31.14% done; ETC: 00:22 (0:08:38 remaining)
SYN Stealth Scan Timing: About 49.98% done; ETC: 00:19 (0:04:45 remaining)
Completed SYN Stealth Scan at 00:19, 524.09s elapsed (65535 total ports)
Warning: OS detection for 192.168.222.20 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.222.20
Host 192.168.222.20 appears to be up ... good.
Interesting ports on 192.168.222.20:
Not shown: 65534 filtered ports
PORT      STATE SERVICE
49152/tcp open  unknown
MAC Address: 00:EDITED:00:00:00 (Pace Micro Technology PLC)
Device type: general purpose|WAP|storage-misc
Running: Linux 2.4.X, Linksys Linux 2.4.X, Asus Linux 2.4.X, Maxtor Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.32, Linux-based embedded device (Linksys WRT54GL WAP, Buffalo AirStation WLA-G54 WAP, Maxtor Shared Storage Drive, or Asus Wireless Storage Router)
Uptime: 0.012 days (since Fri Dec 29 00:01:44 2006)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IPID Sequence Generation: All zeros

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 526.235 seconds
Raw packets sent: 131181 (5.774MB) | Rcvd: 85 (4006B)
```

Thoughts?

Mb



oakwcj said:


> My results with nmap show no open ports:
> 
> nmap -v -A -P0 192.168.0.2
> 
> ...


----------



## Spanky_Partain (Dec 7, 2006)

I think we beat this one up pretty well and determined the HR20 appears to be safe on a home network...


----------



## Coffey77 (Nov 12, 2006)

You know they're going to keep a record of programs we watch and submit them to the networks. Also to drop in advertisements. Might not happen now but you can almost bet marketing will be involved shortly. A button will appear on the HR20 screen that will say, if you want to remove these Ads, please upgrade to the Premium Subscription... All through that little blinking ethernet port.


----------



## Spanky_Partain (Dec 7, 2006)

I don't think they can force people to be on the network. It would be just as easy to unplug the network as plug it in.

Not to mention firewalls they would have to overcome.

So far, when using the internal network, to get pictures and music off the PC, it is just as easy to put bogus DNS/Gateway IP's in as well to keep it off the internet and still get your local network sharing.

Spanky


----------



## Dave_S (Jan 7, 2006)

Like Spanky said, that would be easy to defeat. A simple ACL or config change would keep the Hr20 available to your home network, but make it unavailable to the internet. As far as pushing down ads etc, they can do that over the Sats, and if they wanted to collect data they could require attaching phone lines. So either way, I do not think using the ethernet port is a big threat in that respect.


----------



## yamaham (Oct 6, 2006)

mjbehren said:


> I found an open port... See below:
> 
> I can telnet to it, and it does in fact connect...
> 
> ...


Do you happen to have a Linksys WRT54G wireless router on your home network?


----------



## Coffey77 (Nov 12, 2006)

Do you think the majority of HR20 owners will have any clue as to what ports to watch/close/firewall? I doubt half the people with HR20s right now know they have OTA enabled. I bet I could call my friend and he wouldn't know that he's had 3 software downloads since he's owned the thing, let alone that the network is enabled as well. When I tell him, he'll set it up but won't have a clue that it'll need to be protected... His only concern - that it works!


----------



## Wolffpack (Jul 29, 2003)

mjbehren's scan did include all possible 65535 ports. The scan shown by oakwcj only scanned 1680 ports.

mjbehren, have you tried to telnet into that port to see if there's any info banner displayed? Do you have access to "amap"? That also has a -b option which will display the banner.


----------



## Spanky_Partain (Dec 7, 2006)

I can't telnet, ssh, scp, ftp, or even ping mine...


----------



## Tom Robertson (Nov 15, 2005)

Wolffpack said:


> mjbehren's scan did include all possible 65535 ports. The scan shown by oakwcj only scanned 1680 ports.
> 
> mjbehren, have you tried to telnet into that port to see if there's any info banner displayed? Do you have access to "amap"? That also has a -b option which will display the banner.


I did a telnet, no banner, no echo, just a black hole so far. More tests to come.

Cheers,
Tom


----------



## Wolffpack (Jul 29, 2003)

Spanky_Partain said:


> I can't telnet, ssh, scp, ftp, or even ping mine...


Did you try the port mjbehren found?

```text
telnet a.b.c.d 49152
```


----------



## lpctv (Aug 26, 2006)

mjbehren said:


> I found an open port... See below:
> 
> I can telnet to it, and it does in fact connect...
> 
> ...


I thought that port looked familiar....
Call me crazy but I think this may be there for "future expansion".
This port is part of a range (see image) normally used by a piece of software that deals with thin client management. Albeit, in that case it is a proprietary piece of software....but, could this be tied in to HMC?


----------



## mjbehren (Nov 21, 2006)

yamaham said:


> Do you happen to have a Linksys WRT54G wireless router on your home network?


Yes actually. I figured that is where the fingerprint came from... 

Mb


----------



## mjbehren (Nov 21, 2006)

Wolffpack said:


> mjbehren's scan did include all possible 65535 ports. The scan shown by oakwcj only scanned 1680 ports.
> 
> mjbehren, have you tried to telnet into that port to see if there's any info banner displayed? Do you have access to "amap"? That also has a -b option which will display the banner.


I do as a matter of fact... Output below...

```text
c:\amap-5.2-win>amap -b 192.168.222.20 49152
amap v5.2 (www.thc.org/thc-amap) started at 2006-12-29 10:56:05 - MAPPING mode

Protocol on 192.168.222.20:49152/tcp matches http - banner: HTTP/1.1 404 Not Found\r\nSERVER Linux/2.4.29-uclibc-brcm, UPnP/1.0 JetHead SDK for UPnP devices /1.0 DLNADOC/1.00 INTEL_NMPR/2.1\r\nCONNECTION close\r\nCONTENT-LENGTH 48\r\nCONTENT-TYPE text/html\r\n\r\n
*404 Not Found*

Unidentified ports: none.

amap v5.2 finished at 2006-12-29 10:56:11
```

Looks like an http port interestingly enough... I am connected to my twonkymedia server. That could be it. Not sure.

I can telnet to the port via telnet.exe but no banners...

I can telnet to the port via PuTTY.exe, I get a response as follows:

```text
HTTP/1.1 400 Bad Request
SERVER: Linux/2.4.29-uclibc-brcm, UPnP/1.0 JetHead SDK for UPnP devices /1.0 DLNADOC/1.00 INTEL_NMPR/2.1
CONNECTION: close
CONTENT-LENGTH: 50
CONTENT-TYPE: text/html

*400 Bad Request*
```

Interesting stuff...

Mb
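As an added example (not code from the thread), a small Python parser for the kind of UPnP/DLNA banner captured on TCP 49152 above: it splits the SERVER header into product/version pairs (OS, UPnP stack, DLNA profile) and checks the advertised CONTENT-LENGTH against the body, which is how you would turn such a banner into an inventory record rather than eyeballing it. The header lines are taken from the captures posted in this thread; the HTML body is a constructed placeholder.

```python
"""Parse a UPnP/DLNA HTTP banner like the one the HR20 answers with on TCP 49152."""
import re
from dataclasses import dataclass, field

# Constructed sample: the header lines posted in this thread for TCP 49152,
# followed by a constructed 50-byte HTML body (the thread only shows the
# rendered text "400 Bad Request").
SAMPLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "SERVER: Linux/2.4.29-uclibc-brcm, UPnP/1.0 JetHead SDK for UPnP devices /1.0 "
    "DLNADOC/1.00 INTEL_NMPR/2.1\r\n"
    "CONNECTION: close\r\n"
    "CONTENT-LENGTH: 50\r\n"
    "CONTENT-TYPE: text/html\r\n"
    "\r\n"
    "<html><body><h1>400 Bad Request</h1></body></html>"
)

# A UPnP SERVER header is a run of "product/version" tokens. Product names may
# contain spaces and even a space before the slash ("JetHead SDK for UPnP
# devices /1.0"), so the name is matched lazily up to the next slash and the
# version runs to the next whitespace or comma.
_TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9_ .-]*?)\s*/\s*([^\s,]+)")


@dataclass
class Banner:
    status: int
    headers: dict                                  # header names lower-cased
    products: list = field(default_factory=list)   # [(name, version), ...]
    body_len_ok: bool = True                       # CONTENT-LENGTH matches body


def parse_server_header(value):
    """Split a SERVER header value into (name, version) pairs."""
    return [(m.group(1).strip(), m.group(2)) for m in _TOKEN.finditer(value)]


def parse_banner(raw):
    """Parse the status line, headers and SERVER tokens of a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length")
    body_ok = declared is None or int(declared) == len(body.encode())
    return Banner(status, headers, parse_server_header(headers.get("server", "")), body_ok)


def classify(banner):
    """Summarise what the SERVER tokens claim: OS, UPnP version, DLNA profile."""
    by_name = {name.upper(): version for name, version in banner.products}
    os_token = next((f"{n}/{v}" for n, v in banner.products
                     if n.lower().startswith("linux")), None)
    return {
        "os": os_token,
        "upnp": by_name.get("UPNP"),
        "dlna": by_name.get("DLNADOC"),
        "media_device": "DLNADOC" in by_name or "INTEL_NMPR" in by_name,
    }


if __name__ == "__main__":
    b = parse_banner(SAMPLE_RESPONSE)
    print(b.status, b.products, b.body_len_ok, classify(b))
```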


----------



## Spanky_Partain (Dec 7, 2006)

```text
c:\telnet a.b.c.d 49152

HTTP/1.1 400 Bad Request
SERVER: Linux/2.4.29-uclibc-brcm, UPnP/1.0 JetHead SDK for UPnP devices /1.0 DLNADOC/1.00 INTEL_NMPR/2.1
CONNECTION: close
CONTENT-LENGTH: 50
CONTENT-TYPE: text/html

*400 Bad Request*

Connection to host lost.

c:\mytmp>telnet 199.100.123.4 49152
```


----------



## Spanky_Partain (Dec 7, 2006)

I have twonky going as well.....

I could not get to the port via http...


----------



## Spanky_Partain (Dec 7, 2006)

As expected, killing twonky does not change anything. Here are the twonky ports on a twonky server.


> FAQ: Network Config: The server ports
>
> The ports used by the server are:
> UDP 1030, 1900, 9080
> TCP starting at 9000 until a free port is found.


----------



## Spanky_Partain (Dec 7, 2006)

Not sure how I missed what mj posted. I did not see the port. Oh well. Good work.

Any other ideas on what to test out?

When using https://a.b.c.d:49152, there is a delay just like when you try to telnet in as well, like it is waiting for the proper app.

Using plain http, it falls out pretty quick.


----------



## Spanky_Partain (Dec 7, 2006)

Earl, do you have the app for this? If you don't want to answer, I can respect keeping unreleased material, confidential.


----------



## mjbehren (Nov 21, 2006)

Spanky_Partain said:


> Not sure how I missed what mj posted. I did not see the port. Oh well. Good work.
> 
> Any other ideas on what to test out?
> 
> ...


I've tried http, https, rlogin, ssh, ftp, raw, etc...

Not surprisingly, but maybe coincidental, my trick play stopped working after probing the box... I had to reset the box to get it to work correctly again... Perhaps a buffer or memory issue.

I'll keep playing. 

Mb


----------



## Cyrus (Oct 22, 2006)

The single open port is most likely for the ViiV feature, which is the only network feature they have enabled. Any request to that port which is not ViiV/DLNA related probably results in that bad request message.


----------

