Telnet into Dreamcast?

Jeos wrote to us with a fun Saturday afternoon project: "OK so today I was bored, and I did what anyone with a Dreamcast and a portscanner would do, I did a port scan on my Dreamcast. The results are interesting"-click below to read more.Update: 09/12 08:02 by H : Yes, this is a hoax - or sources from inside Sega say it is.

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Host (129.***.**.***) appears to be up ... good.
Initiating TCP connect() scan against (129.***.**.***)

Port State Protocol Service
23 open tcp telnet
80 filtered tcp http
113 open tcp auth
179 open tcp bgp
12345 filtered tcp NetBus
12346 filtered tcp NetBus
TCP Sequence Prediction: Class=random positive increments
Difficulty=561888 (Good luck!)
Sequence numbers: 2B26AFA0 2B49A760 2B5316DA 2B647480 2B7655AB 2B852F62
No OS matches for host (see for more info)
Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds

The OS fingerprinting didn't guess the OS, big surprise, but the interesting thing is all the ports that are open. The ones that interested me the most were 23 and 80, the normal telnet and web server ports. I tried to connect to my Dreamcast with a web browser, no luck there. Then I tired to telnet into it, jackpot! I was able to telnet in, and prompted to give a username/password. Of course I had no idea what the username or password would be, I wonder if it's some sort of backdoor for Sega?
Now i have to see if I can do anything interesting with the other ports.

Dreamcast Hacking Contest?

[Hacksworth]

So if I'm the first person to crack into the dreamcast and change its files, do I get to keep it? (a la LinuxPPC :)

What kind of crack are you ingesting?

[tm2]

Here's the nmap -v against my Dreamcast on the net via ppp at the ISP Best.com: [root@pocket tm]# nmap -v 205.x.x.x Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/) No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up). Host (205.x.x.x) appears to be up ... good. Initiating TCP connect() scan against (205.x.x.x) Adding TCP port 113 (state Open). The TCP connect scan took 40 seconds to scan 1487 ports. Interesting ports on (205.x.x.x): Port State Protocol Service 113 open tcp auth Nmap run completed -- 1 IP address (1 host up) scanned in 40 seconds. Note: the browser was on irc at the time, which is how I figured out the IP address, and probably why port 113 was open (for username authentication) Why the heck would a Dreamcast let you telnet in anyway? It's not like you can store files on a Dreamcast, or run apps remotely... Toshi

It really sounds like he portscanned a router

[pp]

If the DC was behind NAT/MASQ the IP would show
up to be the router that does the NAT:ing.

The open ports are consistant with this (telnet, BGP4, http), all are services that are running
on pretty much every cisco router.

that posting was bogus.

i just wrote a quick cgi script on my linux box to print out the ip address of the client visiting it. I then went to the cgi script on the dreamcast, and telneted into it. didn't work. i don't have nmap installed, so I'm not going to telnet random ports, but i can tell you that i couldn't get anything out of port 23 and 80. And the cgi script worked right- the client address was different than my linux box's and was on the subnet my isp uses- so it seems to be pretty valid. gr, i hate bogus posts, especially when it gets all the slashdot readers all excited like that. ah well. -ethan

Re:Whoa

[m3000]

Doesn't the Dreamcast run WinCE?

How many times do we have to explain it! This has been rehashed countless times over Slashdot, and al it really amounts to is FUD. Anyway, to explain it read this.

Convergence

[Shaheen]

I would suspect Sega enabled this feature as a way to debug the Dreamcast - I would also suspect most other console manufacturers do the same, only with proprietary hardware interfaces.

But what really interests me in how well the Dreamcast pulls off this 'convergence' thing that big companies like Microsoft, Sun, and others have been harping about. I mean, last year, these two companies were saying "We're gonna make it easy for everyone to access and use the Internet! Just watch!"

Here we are a year later and out of nowhere comes Sega with this console that not only plays some really great games, but also connects to the Internet and enables you to browse the web. But what's so special about that - I can hook up my computer's G400 to a TV display, too. The really cool thing is the power of the Dreamcast is hidden from the user.

Many of us here complaints that computers are too hard to use - there's no simple way to operate a computer like a television (push a button, and you're there). (We all know we hate these comments, but almost have to admit it.) The good thing about Dreamcast is that any John Q. Gamer (even their parents) can use this thing - they don't have to be computer literate! On the other hand, there's enough power in the device that real computer hackers like us can go to the length of making interfaces to the device (provided there are external ports and such) to harness that power - and the fact of the matter is, we will if given the chance.

- Shaheen

Port 80 redirects

[belphegore]

What ISP are you dialing up through that you saw port 80 open? I've noticed that disturbingly Netcom/Mindspring has started diverting all traffic aimed at port 80 through a proxy server of theirs. I suppose nominally this is to improve caching and make my web browsing faster or something, but you can bet they're tracking everywhere I browse.
A side effect of this is that nmap will *always* show an open port 80, because when nmap sends packets aimed at port 80, they wind up going to Netcom's proxy server and not the intended host. Also means that if nmap is doing its fingerprint testing against that port 80, it will get the fingerprint of the proxy, not of the actual host.
If the machine you're portscanning from is going through a Netcom dialup, you're probably just seeing the port 80 on their proxy, and not on the dreamcast. The fact that 12345 and 12346 are also both showing up is also indicative that a router somewhere between your scanner and the dreamcast is doing some filtering/proxying/monitoring. Unless it's just coincidence, I can't imagine why Sega would open those ports.

Just scanned a Dreamcast

[sTp81]

I checked the http server log for my site (dricasworld.com - complete coverage of the Dreamcast's online capabilities) and got a hostname of a Dreamcast user. Scanned it for open ports and none of those mentioned in the article were open. The guy either blundered and scanned the wrong IP or is full of it.

Boy... they weren't helpful...

[ElDaveo]

I called Sega a few muinets ago and asked for the U/P. Once I explained the Telnet thing, the customer service rep became *very* aggrivated, and said that Sega has left a lot of ports open, and the reason "will be announced at a later date". Right.

How it really went...

[cot]

DaveO:Hi, I just nmapped my DC and saw several open ports! I could even telnet into it and get a login prompt! What are you trying to pull?

Sega:Ummm, sorry sir, I don't know about any maps or netting.... The extra ports on your computer are for possible expansion in the future, to allow for new featu-

DaveO:What are you talking about?!? This is an invasion of my and every American's privacy! You people make me sick!

Sega:I'm sorry you feel this way. Honestly, there have been additional connectors on SEGAs console systems for years, allowing for future upgradability, such as more controllers, external storage, etc. I don't really see how this affects your privacy. You could always return the system if you can't live with this.

DaveO:This is ridiculous, I can't believe you thing you are going to get away with this you ^##%@#%$@

-click-


cot.

"Filtered" in nmap

[ZeroTolerance]

23 open tcp telnet
80 filtered tcp http
113 open tcp auth
179 open tcp bgp
12345 filtered tcp NetBus
12346 filtered tcp NetBus

The 'filtered' in the above means that those ports are actually intercepted somewhere in between ... this DOESN'T mean that the device is actually listening on those ports ... for ports 12345 and 12346 I can understand this ... most ISP's totally block access to ports 12345, 12346 and 31337 nowadays (oh how difficult it is to change the IP of BO/NetBus .. but it protects your system from the average script kiddie, I guess) .. I don't know why port 80 would be blocked though .. makes no sense to me .. but from the above list, it's absolutely logical that you didn't get a connection with your web-browser
--

Wow! Dreamcast as an affordable router!

[ethomson]

According to this portscan, the dreamcast supports BGP! For those of you who aren't familar with BGP, it's a policy-based routing protocol used (for instance) at the NAPs.

So does this mean that Sega is going to start selling routing cards for the dreamcast? It's good to see that someone's finally working on an internet device that isn't just a client, but an affordable router! It's high-time I got rid of that crappy Cisco we have over here and replaced it with a fine piece of networking machinery, like a Sega. I'm so happy to see a router that's not just cheap - but you can also play games on!!!

Seriously, though, it does indeed appear that your ISP is doing something silly redirecting ports. This is particularly probably since nobody else can recreate this test. Either that or Sega chose a really bad port number to bind on.

A Little more info

[Jeos]

Ok heres a little more info on the Dreamcast, I was the one who posted.

I was running the web browser CD on the Dreamcast and I was dialed to my ISP, my university. I ran the port scan from my computer. I obtained the IP of the Dreamcast from a website which gives you your IP. It's possible this is wrong, but this is the only way I can think of to get my IP. As far as I know there is no direct way to get the IP, the Dreamcast doesn't tell you your IP.

I would like to try and find a l/p for it, although it'll be kinda hard since I don't even have a username. If anyone knows of a good brute force program for telnet let me know. My email is aminidab@mailcity.com.

cluelessness :P

[whimsy]

i called sega's dreamcast number (1-888-345-SEGA), they asked for my name and phone, and i proceeded to fake it:

rep:can i please have your name and phone number?
aaron:doody doody doo!
r: thanks, how can i help you?
a: well.. i was using my dreamcast, and i tried to telnet into it. it asked me for a username and password.
r: huh?
a: i tried telnetting into my dreamcast from another computer.
r: is telnet ppp?
a: huh?
r: do you know what ppp is?
a: yes. both computers are connected via ppp. the dreamcast is connected over modem and my computer is connected via dsl.
r: uhhhh...
a: anyway, could you give me the username and password?
r: you shouldn't need one.
a: everything works fine - thats not the problem. i just want to see what it does.
r: do you use at & t worldnet?
a: no.
r: well just go to "other" when you reboot, and that will tell you how to sign up. did i answer all your questions today?
a: well, no. that's not the problem, everythign works fine. there's no other number i could call?
r: you mean your isp?
a: no. for dreamcast.
r: that's me!
a: okay. do you know a login and password for the dreamcast?
r: you need a login and password when you start the dreamcast?
a: *chuckle* i think we're misunderstanding each other. i'll start over. my dreamcast is connected via modem, via my isp. my computer is connected via dsl, via another isp.
r: okay...is your isp worldnet?
a: no. i tried scanning for open ports on my dreamcast, i saw telnet was open, and i tried using telnet to access it. i did this from my dsl-connected computer. i got the login and password prompt in the telnet window. the dreamcast works fine, even when i'm using telnet.
r: whoa, man. i dunno.
a: alright..
r: i couldn't give you any dns or anything
a: yeah?
r: that'd be ILLEGAL!
a: *chuckle*
r: alright, sorry i couldn't help. have a good day.
a: you too!

hmm..and i don't even own a dreamcast :P