Inside Scan not completing?

Comments

14 comments

  • Avatar
    Firewalla

    Inside scan actually runs on the phone.  It is not a feature of Firewalla, yet.  The stuck is likely one of your devices is slow responding to the probs, then likely some bug we don't know caused everything to stop.    In case of 'stuck', it is likely one of the devices have some type of login that's open. 

  • Avatar
    Seth Powsner

    Hmm... anything I can do to help narrow down the problem? And what do you mean by “login that’s open”?

  • Avatar
    Firewalla

    best is to locate that device that has telnet open. (for example) do you have any camera's? (Costco made or similar)?

  • Avatar
    Seth Powsner

    Yes. I found there's a Telnet port open: an old HP JetDirect EX Plus (ethernet to parallel port). HP offer a command line interface unit it sees "exit<nl>". And, it seems iPhone & Apple Watch have open Telnet ports, but do nothing. Telnet from Mac OS X to my iPhone will timeout, but takes a while. Guess a timeout is needed for each Telnet test.

    Here's the Bash code I used to check things:

    #!/bin/bash
    localNetworkIp=192.168.1
    for localAddr in nn1 nn2 nn3 nn4 # put final ip address octets in place of 
      do
        ip=$localNetworkIp.$localAddr
        telnet -N $ip
      done

  • Avatar
    Seth Powsner

    Just occurred to me to recheck situation after today's update. Inside scan now seems to finish in a reasonable time (1-2min). It's not saying anything about the HP JetDirect, but it may not be a risk.

  • Avatar
    Seth Powsner

    Oops... Inside Scan still gets hung up on HP JetDirect. Only reason it looked like it was working was that I'd confused HP's Telnet with my Mac. Rest of HP leads to message "Deep scanning" and then IP addr of HP. Inside Scan says it gets through 250 addresses (about 1 minute), then hangs.

     

  • Avatar
    Firewalla

    Seth, we will look at this, likely need to put a timeout in the code.  The reason for the problem is likely something in JetDirect is holding up something we don't understand.   I did a research, not finding JetDirect anywhere on default user/password attacks.  But do recommend to upgrade firmware, in case

  • Avatar
    Seth Powsner

    Here's an example of Telnet to my HP JetDirect EX Plus J2591A with n.n.n.n substituted for it's actual IP address. Hope this is helpful.

    $ telnet n.n.n.n
    Trying n.n.n.n...
    Connected to n.n.n.n.
    Escape character is '^]'.

    HP JetDirect

    Please type "?" for HELP, or "/" for current settings
    > ?

    To Change/Configure Parameters Enter:
    Parameter-name: value <Carriage Return>

    Parameter-name Type of value
    ip: IP-address in dotted notation
    subnet-mask: address in dotted notation (enter 0 for default)
    default-gw: address in dotted notation (enter 0 for default)
    syslog-svr: address in dotted notation (enter 0 for default)
    idle-timeout: seconds in integers
    set-cmnty-name: alpha-numeric string (32 chars max)
    host-name: alpha-numeric string (upper case only, 32 chars max)
    dhcp-config: 0 to disable, 1 to enable
    allow: <ip> [mask] (0 to clear, list to display, 10 max)
    addrawport: <TCP port num> (<TCP port num> 3000-9000)
    deleterawport: <TCP port num>
    listrawport: (No parameter required)
    ipx/spx: 0 to disable, 1 to enable
    dlc/llc: 0 to disable, 1 to enable
    ethertalk: 0 to disable, 1 to enable
    banner: 0 to disable, 1 to enable

    Type passwd to change the password.

    Type "?" for HELP, "/" for current settings or "quit" to save-and-exit.
    Or type "exit" to exit without saving configuration parameter entries
    > /

    ===JetDirect Telnet Configuration===
    Firmware Rev. : E.08.20
    MAC Address : 00:60:b0:b8:54:0e
    Config By : USER SPECIFIED

    IP Address : n.n.n.n
    Subnet Mask : 255.255.255.0
    Default Gateway : n.n.n.1
    Syslog Server : Not Specified
    Idle Timeout : 90 Seconds
    Set Cmnty Name : Not Specified
    Host Name : NPIB8540E

    DHCP Config : Disabled
    Passwd : Disabled
    IPX/SPX : Enabled
    DLC/LLC : Enabled
    Ethertalk : Enabled
    Banner page : Enabled
    > help
    Illegal Entry, Please retry

    Please type "?" for HELP, "/" for current settings or "quit" to save-and-exit.
    Or type "exit" to exit without saving parameters
    > exit

    EXITING WITHOUT SAVING ANY ENTRIES
    > Connection closed by foreign host.
    $

  • Avatar
    Firewalla

    you sure there is no password?  if not, you will need to set one.  If you can't set one ...    The problem likely with the no password that stuck our code.  will log this and hopefully, we get time to fix this. 

     

  • Avatar
    Seth Powsner

    Tried setting a password, which does change Telent interaction (see below). However, it doesn't change Firewalla's Inside Scan behavior. Scan continues to report "Deep scanning" on Jet Direct IP addr. And, it indicates that it has searched 250 addresses, but it never completes.

    $ telnet 192.168.1.98

    Trying 192.168.1.98...

    Connected to 192.168.1.98.

    Escape character is '^]'.

    HP JetDirect

    Password: passwd

    You are logged in

    Please type "?" for HELP, or "/" for current settings

    > exit

     EXITING WITHOUT SAVING ANY ENTRIES 

    > Connection closed by foreign host.

    Interaction with bad password is

    ...

    HP JetDirect

    Password: xxx

    Password: xxx

  • Avatar
    Firewalla

    We will need to debug further.   Will log a bug on this.   In your case, as long as you got a none default password and there is no more devices to scan, you should be secure.

  • Avatar
    Ken Shibata

    Hey Seth,

    I remember having one of these external print servers back in the day; it appears yours continues to serve you well!

    Looks like you can upgrade your firmware at least 2 revisions: E.08.20 > E.08.32 > E.08.49

    Reference:

    https://support.hp.com/us-en/document/bpj07429#AbT6

    ftp://ftp.hp.com/pub/softlib/software13/COL53637/jd-129389-2/current_firmware_readme.html

    Don't know if you need to have these legacy services/protocols turned on (maybe you are still running some old Novell/legacy Apple systems in your environment? But, I wonder if disabling might help troubleshoot the hanging scan):

    "IPX/SPX : Enabled 
    DLC/LLC : Enabled 
    Ethertalk : Enabled"

    If I were in your position, I would also run a nmap scan against your JetDirect IP address to see what nmap calls out (might help the Firewalla developers to understand what other variables might be at play in the scan):

    https://nmap.org/book/inst-macosx.html

    Caveat in scanning 9100/TCP:

    http://seclists.org/nmap-dev/2005/q2/191

     

    "Set Cmnty Name : Not Specified"

    The SNMP community name is in essence another password, so you may need to set that as well, if the developers were asking you to set the password in the other login instance.

     

    To the Firewalla developers, your statement "Inside scan actually runs on the phone.  It is not a feature of Firewalla, yet." got me curious, what type of scan is actually being carried out from the phone? Are you planning on incorporating something like nmap in the Firewalla sometime in the future (similar to how Rapid7 NeXpose has nmap running under the hood?)

  • Avatar
    Seth Powsner

    Tried to upgrade firmware-- couldn't get my JetDirect to accept http:// ftp:// or command line ftp. Haven't got any easy way to run Windows download manager, so...

    Did try disabling 3 services you mentioned and setting community name-- no change in Inside Scan behavior.

    Here's NMAP (ZenMap) key output

    Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-18 22:37 EST
    ...
    Scanning 192.168.1.98 [1000 ports]
    Discovered open port 23/tcp on 192.168.1.98
    Discovered open port 9100/tcp on 192.168.1.98
    Discovered open port 515/tcp on 192.168.1.98
    Completed SYN Stealth Scan at 22:37, 7.84s elapsed (1000 total ports)
    Initiating Service scan at 22:37
    Scanning 2 services on 192.168.1.98
    Completed Service scan at 22:37, 6.08s elapsed (3 services on 1 host)
    Initiating OS detection (try #1) against 192.168.1.98
    Retrying OS detection (try #2) against 192.168.1.98
    Retrying OS detection (try #3) against 192.168.1.98
    Retrying OS detection (try #4) against 192.168.1.98
    adjust_timeouts2: packet supposedly had rtt of -2264075 microseconds. Ignoring time.
    ...
    Retrying OS detection (try #5) against 192.168.1.98
    NSE: Script scanning 192.168.1.98.
    Initiating NSE at 22:37
    Completed NSE at 22:37, 5.03s elapsed
    Initiating NSE at 22:37
    Completed NSE at 22:37, 0.00s elapsed
    Nmap scan report for 192.168.1.98
    Host is up (0.0061s latency).
    Not shown: 997 closed ports
    PORT STATE SERVICE VERSION
    23/tcp open tcpwrapped
    515/tcp open printer
    9100/tcp open jetdirect?
    MAC Address: 00:60:B0:B8:54:0E (Hewlett Packard)
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    ...
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=0 (Trivial joke)
    IP ID Sequence Generation: Incremental

    TRACEROUTE
    HOP RTT ADDRESS
    1 6.06 ms 192.168.1.98

    ...

    Hope that's helpful.

  • Avatar
    Frank Mahon

    I've run the Inside Scan several times with no issues.  For some reason I can no longer complete the scan.  It gets to 88.3% and hangs as deep scanning my firewall.  Nothing has changed in the environment.  Any ideas?

Please sign in to leave a comment.

Powered by Zendesk