This week we are returning to our analysis of the Xbox One and checking out some of the data we gathered during the last post. I know some folks were very interested in what we are doing with the Xbox and I apologize for the delay. We decided to push back this post due to some excitement over healthcare.gov and its security.
First, let's take a look at how this system shows up in an nmap scan. It turns out that we only have one port listening on the network: TCP port 2869. nmap wasn't able to recognize the service, but some hunting around online appears to indicate that this is related to UPnP or media sharing. I'll be looking at that more closely in another post. The operating system detected was something that I was interested in. nmap returns this as running Windows 7, Windows 2008 or Windows 8. You can download the .nmap file of the scan here. Altogether this isn't too exciting, but it is interesting to see that the Xbox One has enough similar network behavior to come back as a Windows OS. It was something I had expected, but I was curious to see if Microsoft had gone a different route with the console.
The traffic analysis has been taking quite a bit of time. So far I've captured several gigabytes of data with the Xbox One in different conditions. The states I've looked at are:
- Initial startup and configuration
- Registering the device with Xbox Live
- During an OS update
- Xbox One powered down overnight
- Startup and shutdown
- While changing settings and watching trailers
Jason Wood is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jason@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.
I wonder if the "cfiadhjcfuuagwb" is the unique identifier of your X1. Maybe you need a second X1 :).
I've heard of the random domain requests before, I think it was Windows checking whether it had an internet connection.
I'd guess it is random to stop it being a predictable attack vector.