Solved: Cisco ISR 3925 port TCP9067

Lukasz Kacprzynski · ‎03-04-2016

Hi,

During audit in my company network scan revealed open port TCP9067 on Cisco ISR 3925 device. Do you have any idea what for this ports is used? I spent hours of googling but with no luck.

Regards,

Lukasz

Matt Glosson · ‎03-04-2016

You can run the following command on the router:

 show control-plane host open-ports

... and it will give you a list of ports that it's listening on and what services are invoking the listeners.

View solution in original post

Matt Glosson · ‎03-04-2016

You can run the following command on the router:

 show control-plane host open-ports

... and it will give you a list of ports that it's listening on and what services are invoking the listeners.

Lukasz Kacprzynski · ‎03-07-2016

Thank you for command however I found strange behaviour of cisco router. Scan found few ports opened on device:
above mentioned tcp9067 but also
tcp2067 - Data-Link Switching
tcp4067 - Information Distribution Protocol
tcp6067 - SRB (source-route bridging ) protocol

For all of them, when I make a telnet to mgmt IP with that ports I received login prompt, is that normal behaviour? Usually when port is opened there is only "black screen" indicating that connection has been established.

None of this ports are listed under "show control-plane host open-ports"

Matt Glosson · ‎03-07-2016

Interesting. At the moment you're actual connected on those tcp ports via telnet, you can go to the router and run the command "show control-plane host open-ports". It not only shows you what's listening (labeled as "LISTEN") but it should show you currently established connections (labeled as "ESTABLIS") and what process is on the router end of said session. If those ports still don't show up even as there is a seemingly open telnet session, go to the host you initiated the telnet session from and run:

 netstat -n | findstr "10.10.10.10"

... assuming the router's IP address is 10.10.10.10. See if it really shows that it's established or SYN_SENT or something else. If you're using a flavor of UNIX, change findstr to grep. Other commands that show you established sessions are "show tcp" or "show tcp brief" but those don't show you the processes involved so they are not as useful for finding the information you're looking for.

Good luck.

Lukasz Kacprzynski · ‎03-07-2016

Matt, thank you for response. You're right, port showed up in output of "show control-plane host open-ports" but timeout was very short and that's why I didn't noticed it. Unfortunately it's not telling me much:

Prot Local Address Foreign Address Service State

tcp *:9067 <my_IP>:51509 TCP Protocols ESTABLIS

as there is only "TCP Protocols" marked as a service. I opened a TAC case for that and will see what they will tell me. Thank you once again.

Regards,

Lukasz

Matt Glosson · ‎03-08-2016

Wow, that's really interesting. I would love to hear the follow-up from your TAC case!

Cheers,
Matt

Keith Lawrence · ‎11-22-2016

I have had the same issue.

It looks like port 9067 allows remote telnet access to the embedded service engine card on the router.

In my case I have a 2951 running CME/Unity Express.

Unity Express is on the service engine card.

Looking at blocking that port with an access list on the router now!

semenoa@mosenergosbyt.ru · ‎04-09-2018

I have had the same issue.
It looks like TCP ports 2067, 4067, 6067, 9067 allows remote telnet access to the SM-ES3G-16-P service module card on the router. This ports are mapping to con0 console port. If it has default config, then I can connect to the service module from network without password with privilege level 15.