BGP / MPLS Routers on Infinity TR069 Network

Following on from the previous post, the extra VLAN provided to each customers CPE can be bridged through to the secondary ethernet port, allowing any computer to receive an IP address on the management network via DHCP.

Obviously I wanted to know how far-reaching this network goes that is getting pushed into every customers premises.

First thing first, the access subnet only allows communication between your CPE and the subnet gateway, which is a lot better than seeing a sea of other CPE’s from a security standpoint.

TR069 Server

So the CPE doesnt seem to have a TR069 URL and there is no extra information in the DHCP lease, so I haven’t looked for/at the TR069 server.
However, available details from the CPE device are;

ACS URL: Blank
ACS USER: hgw
ACS PW: ❤ chars>
CONNECTION REQUEST USER: acs
CONNECTION REQUEST PASS: ❤ chars>
CERT ENABLE: no
PERIODIC INFORM: no

DNS Servers

I was given two DNS servers;

10.160.170.231
10.160.170.232

These look to be running a stable, well patched version of Bind but I didn’t probe any deeper as this is journey is for understanding the infrastructure ONLY, not for causing issues or poor technicians any extra work!

Routes

On the way to our DNS servers we pass a couple of hops;

[root@box ~]# tracepath 10.160.170.232
 1:  30.4x.x.me                                           0.119ms pmtu 1500
 1:  30.4x.x.x                                             5.924ms asymm  2
 2:  10.160.160.65                                        13.684ms asymm  3
 3:  no reply
 4:  no reply

[root@box ~]# tracepath 10.160.170.231
 1:  30.4x.x.me                                           0.107ms pmtu 1500
 1:  30.4x.x.x                                             5.954ms asymm  2
 2:  10.160.160.65                                        13.699ms asymm  3
 3:  no reply
 4:  no reply

This got me thinking, what else is on 10.160.170.231; Nothing.
Further thinking, 10.160.160.x, 10.160.170.x, followed the pattern, some 10.160.x.0/24 subnets come back as routable, while some give dest net unreachable.
Creating a list of routable nets starting 10.160.x.0/24 seemed wise;

[root@box ~]# for i in $(seq 1 254) ; do ping -t 1 -c 1 10.160.$i.1 | grep -B 1 “Destination Net Unreachable” ; done | grep PING | sort | uniq | awk -F “.” ‘{print $3}’ | sort -n > notvalid.txt
[root@box ~]# seq 1 255 > all.txt
[root@box ~]# diff notvalid.txt all.txt | grep “>” | cut -c 3-6

In this CLI mess above, we are finding a list of 10.160.x subnets that Don’t have a route (Destination Net Unreachable). and inverting it to give us a list of valid nets.

BGP / MPLS Devices

So what’s on the routable subnets? Looks like BGP/MPLS routers, as SSH, BGP and LDP (Label distribution protocol) services are available;

Host is up (0.014s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
179/tcp open  bgp
646/tcp open  ldp

10.160.128.67
Host is up (0.012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
179/tcp open  bgp
646/tcp open  ldp

10.160.160.66
Host is up (0.011s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
179/tcp open  bgp
646/tcp open  ldp

This is my stop

If this were my network, my next thoughts would be;

– BGP requires configuration on both sides to bring up a peer but LDP doesn’t have any such security and allows directed creation of sessions even on different IP subnets.
– a successful LDP session may give information as to surrounding routers and networks.
– SSH could have weak passwords

But, this ISN’T my network and as this was merely a quick look into the VLAN’s presented in the premises, I’m not going to risk (for legal and ethical reasons) bringing up an LDP session or trying the SSH connection.

Hopefully someone BT-related could fill in this picture with what we are looking at here?
Anyway, wasn’t expecting open BGP/LDP ports a hop away from any users CPE!