Baicells – nmap scan of eNodeB shows connected subscribers

Doing a port scan on the 50000-59999 port range reveals all the connected subscriber modules.

Alfred@localhost:~$ nmap -p 1-65535 10.0.0.2
 Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-30 23:55 CDT
 Nmap scan report for 10.0.0.2
 Host is up (0.026s latency).
 Not shown: 65520 closed ports
 PORT      STATE    SERVICE
 80/tcp    open     http
 7547/tcp  open     cwmp
 27149/tcp open     unknown
 59423/tcp open     unknown
 54984/tcp open     unknown
 51241/tcp open     unknown
 Nmap done: 1 IP address (1 host up) scanned in 19.18 seconds

Should be able to access the login page for the subscriber module by going to https://enodb-ip:xxxxx

Where xxxxx is the port number from the scan. Should be 5 with the last four IMSI numbers of the subscriber unit.

SSH into Baicells eNodeB

Based upon multiple nmap scans on Baicells eNoceB’s it appears that they use port 27149 as the default SSH port.

Example scan

Alfred@localhost:~$ nmap -p 1-28999 10.0.0.2
Starting Nmap 7.60 ( https://nmap.org ) at 2019-08-27 21:19 CDT
 Nmap scan report for 10.0.0.2
 Host is up (0.044s latency).
 Not shown: 28996 closed ports
 PORT      STATE SERVICE
 80/tcp    open  http
 7547/tcp  open  cwmp
 27149/tcp open  unknown  <-- SSH Port 
Nmap done: 1 IP address (1 host up) scanned in 10.81 seconds

SSH into eNodeB

ssh -p 27149 admin@10.0.0.2 

Example:

ssh -p27149 admin@10.0.0.2 
 Password: 
 CELL> ?
   enable      Turn on privileged mode command
   exit        Exit current mode and down to previous mode
   list        Print command list
   passwd      User password
   ping        Send echo messages
   quit        Exit current mode and down to previous mode
   show        Show running system information
   ssh         Open an ssh connection
   telnet      Open a telnet connection
   terminal    Set terminal line parameters
   traceroute  Trace route to destination
   whoami      Show current user in system
 CELL>