[SGHLT]s weblog
computer science without borders
[SGHLT]s weblog

Hiking in the WAN

Share Tweet Share

Last night I was a little bit bored. So about 2:00 am I started to scan my ISPs subnet, I was located in, without big expectations. And, let my spoiler that, it was very alarming what a bored guy can find by the simple technique of “scan and connect”.

Step 1 – legal frame

Before I start, lets have a little intermezzo to german law. It says…

§ 202c (1) Whosoever unlawfully obtains data for himself or another that were not intended for him and were especially protected against unauthorised access, if he has circumvented the protection, shall be liable to imprisonment not exceeding three years or a fine.

We notice that one move within a legal frame, when you not break any security mechanisms. So I did…

Step 2 – target specification

To shorten the time of scanning I limited the targets and services I was searching for. I chose:

  • ftp
  • telnet
  • http

A quick whois on my IP address told me I was in a /17 subnet, so there were “just” 32768 IPs to scan. To fasten the scan process I took the -T5 option of nmap.

# nmap -T5 -p21,22,80

Step 3 – connect

When the first open ports were shown I started to connect.


I don’t know why but even when people doesn’t secure anything in their network… the FTP servers required valid (non-anonymous) credentials. The only successfull authentications I had were with default credentials, so I looked these up in the internet (btw, is the use of default user/password a “special protection against unauthorized access”?).

NASFTPD Turbo station

Whatsoever, I expected much more valid anonymous-logins through FTP, than there actually were. So how about giving telnet a chance...


Telnet provided me with more success, even when I had to lookup default logins constantly.



Unfortunately the telnet accesses were only provided by busybox’s shell – so I couln’t keep on exploring without compiling tools or similar.

So I finally switched to:


The most interesting stuff I found through HTTP. Mostly there were dreamboxes and routers …


dreambox webcontrol


Dream multimedia

… but also an IP camera...


And even a homematic smart home system…


Especially the homematic smart home system kind of shocked me… I simply browsed to the IP-address and got automatically logged in… That’s not even scary, it is also dangerous.


I don’t know whether my IP-neighbors are reckless, unaware, followers of security by obscurity or simply stupid but this booty overview is very alarming. Especially a complete house control should not be accessable passwordless through the internet.

Anyways… a big thanks to all my neighbors, for banish my bordom for at least one night.

Receive Updates