nmap vs grapheneos

elivoncoder

good day to all. i have a grapheneos device connected to my local network via wifi. from a desktop pc, i ran 'nmap -A' and received a response of '7/tcp filtered echo'

while i know this doesnt mean insecure, im very curious to understand why it doesnt get the same as every other port, ie 1000/1000 closed.

thanks!

Johnnyloans

I don't know the inner workings of the system but it all depends on what you have running.

Signal websocket--no google play services--will listen to 443/TCP I think.

Kdeconnect, to share files and info with your computer will open a port so your phone is able to be found on the network and then they link up.

elivoncoder '7/tcp filtered echo'

Any state that isnt closed isnt the same as an open door to your phone.

First of all, nmap cannot determine the status of the port for sure. Maybe there is zero access via this port.

If you do have an app on the port 7, A hacker would have to find/use an exploit for signal, kdeconnect, etc whatever is listening on the port

Johnnyloans

elivoncoder

I don't know if GOS will place limitations on "well-known port" usage but most likely port 7 is not being used.

aeououoieaeuaie

elivoncoder It means that the port 7 is firewalled, while the other 1000 are simply unused.

In more detail, you did a TCP scan which uses the 3-way handshake to establish a connection. nmap sends the initial SYN; if nothing is bound (listening) on a port, the kernel replies with RST and nmap knows it's closed. If there is no reply, the port is marked as filtered (after a timeout). This means it's even less reachable.

After a bit of testing, I get the fun result that the port 7 is blocked when, and only when, the screen is off.

aeououoieaeuaie

After looking a little more out of curiosity — it's a hardware offload firewall. The purpose is to drop packets on the WiFi chipset before they reach the kernel, running on the main CPU, and wake it up. I have never seen TCP/7 flying around in the wild, but Google has clearly seen enough of them to decide it makes sense to actively prevent them from waking the device up.

The firewall reacts to power transitions here and resets the filter in response here. I still can't find the relevant conditional (the only reader is here), and would appreciate if someone can hold my hand with that, but the essence is clear.

elivoncoder TL;DR Android drops junk packets early to avoid waking up.

elivoncoder

appreciate the reply. i do in fact use kde-connect ill take a look at that. thanks!

elivoncoder

according to kde people, its definately not that. i guess i should reflash stock android to confirm whether its graphene specific or not. ./sigh

elivoncoder

aeououoiaeuaie thanks for participating! interesting find. do you have an idea why tho, its not reporting the same as the others?

DohnJoe

elivoncoder

There are several ways you could try to search for the culprit.

The least invasive one I can think of is to remove network permission one app at a time and rescan your device, until you get the port as closed.

If you didn't already, try to scan your device using root (if unix like OS) or Administrator/System (if Windows) from your pc, and use the option -sS, which basically ask nmap to not finish the entire tcp handshake (it will send only the SYN packages and wait for replies) and the option -sV to try to enumerate the service behind the port.

While you don't have any firewall to elude, sometimes this leads you to better results (and less traffic overall).
Versioning (especially for OSes) and SYN scan are not available for non-root users.

Also, the echo protocol on port 7/TCP is a very old thing, probably there is some misconfiguration somewhere (?)
I would try to perform more scans to make sure it is not exposing knwon vulnerabilities.

If we still have to use nmap I would try something like:

nmap -p 7 --script banner <target> (to check if echo is actually running as intended)
nmap -p 7 --script vuln <target> (which is a very generic way to ask nmap if some known vuln is present for that port)

You already skipped adb (5555/TCP), so no need to check for that, but I would still try something like: nmap --script broadcast-* to see if the smartphone is broadcasting something.

Datasapiens

scan results can be 'faked', especially using mobile internet. Carriers configure the routers to show flase states of ports, when detecting scans. That is for security

elivoncoder

dohnjoe thank you very much for the insight. i will investigate this further.

edit all 4 suggested commands yielded the same results. i will now adjust the app perms 1by1. appreciate the advice!

datasapien, thank you too, but just to clarify, ive only examined this on so far on wifi. i should try it over the carrier network too.

Datasapiens

elivoncoder wifi router can have security settings too.

elivoncoder

Datasapiens yes a good consideration, however no other devices return similar.

aeououoieaeuaie

Android actually filters the echo port. It creates the filter here as part of this. I can't see the conditionals responsible for toggling it based on screen-on state, as I observe on my phone, but my knowledge of Android's API is really poor..

I have no idea why port 7 in particular.

elivoncoder

aeououoieaeuaie wow thank you so much for finding and sharing this info.