But why bother actively scanning a potential target, when someone has already done the work for you? Organizations and services like Shodan and Censys probe the internet on a massive scale and provide a search engine anyone can use to find out more about an IP address or an organization, provided Shodan has seen it or scanned it before. Techniques like these are termed passive reconnaissance.
Using combined reconnaissance, attackers then try to piece together a profile of their target:
“There is an F5 load balancer at x.x.x.x. It is running software update yy.z. It may be vulnerable to foo.”
“There is an Exchange server running OWA (Outlook Web Access) at a.a.a.a. Not sure what the patch level is. May have to test with multiple vulnerabilities.”
“There’s a custom web application running at m.m.m.m. May need to use an intercept proxy or sqlmap to see if any of the inputs are injectable or if there are parameters that can be messed with to gain more access.”
What I’m describing above is a small portion of the attacker and/or penetration tester lifecycle. Of course, I’m vastly oversimplifying things here, but if you’re interested in learning more about this sort of thing, consider looking into the phases of a pentest. Every penetration testing outfit you ask has a different idea of how many phases a penetration test has, but Core Security has been around for a very long time and I liked their take on it. You may also want to look at Lockheed Martin’s cyber kill chain to learn how nation-state threats do things.
For those wanting detailed information about the tactics different attack groups use, consider looking at MITRE ATT&CK.
On the Right Tack
Bad guys, pentesters, and the red team use your open ports against you for reconnaissance, sure. But what if the defenders did it instead? Welcome to vulnerability management.
In short, vulnerability management is an effort by a security operations team to proactively probe their own systems for vulnerabilities on a regular basis, prioritize those vulnerabilities in terms of criticality and potential impact, remediate or otherwise mitigate them, confirm they are remediated, and then repeat the whole process again.
There are a variety of commercial tools designed to do this (Qualys, Nessus, Nexpose). Many can use both active and passive probing: in passive mode they infer which network applications and protocols are running, and what vulnerabilities those may have, just by observing network traffic, including which ports the communication takes place on.
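To make the probe, prioritize, remediate, confirm, repeat loop concrete, here is an added example (not code from the original post, nor from any of the scanners named above) of the bookkeeping a security operations team does with scanner output. The findings, the hosts, the scoring weights and the remediation deadlines are all constructed assumptions for illustration; a real program would read them from the scanner export and the asset inventory.

```python
"""Minimal vulnerability-management loop over constructed scanner findings:
prioritize, mark remediated, confirm with a rescan, reopen what comes back."""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    OPEN = "open"            # reported by a scan, not yet handled
    MITIGATED = "mitigated"  # operator says it is fixed; awaiting rescan
    VERIFIED = "verified"    # a fresh scan no longer observes it


@dataclass
class Finding:
    host: str
    port: int
    service: str
    cvss: float              # base severity as reported by the scanner
    internet_facing: bool    # exposure, taken from the asset inventory
    exploit_known: bool      # a public exploit exists
    state: State = State.OPEN

    def key(self):
        return (self.host, self.port, self.service)


def priority(f: Finding) -> float:
    """Criticality score: CVSS base plus assumed boosts for exposure
    and exploitability (weights are illustrative, not a vendor's model)."""
    score = f.cvss
    if f.internet_facing:
        score += 2.0
    if f.exploit_known:
        score += 1.5
    return score


def sla_days(score: float) -> int:
    """Assumed remediation deadline, in days, by priority tier."""
    if score >= 9.0:
        return 7
    if score >= 7.0:
        return 30
    return 90


def prioritize(findings):
    """Unresolved findings, most urgent first."""
    return sorted((f for f in findings if f.state is not State.VERIFIED),
                  key=priority, reverse=True)


def mark_mitigated(findings, host, port):
    """Record an operator's claim that a finding has been fixed."""
    for f in findings:
        if f.host == host and f.port == port and f.state is State.OPEN:
            f.state = State.MITIGATED


def rescan(findings, observed):
    """Confirm fixes against a fresh scan. `observed` is the set of
    (host, port, service) the rescan still sees. A mitigated finding is
    verified only if it is gone; one still seen (or one that reappears
    after verification) is reopened so the cycle repeats."""
    for f in findings:
        seen = f.key() in observed
        if f.state is State.MITIGATED:
            f.state = State.OPEN if seen else State.VERIFIED
        elif f.state is State.VERIFIED and seen:
            f.state = State.OPEN
    return findings


def run_cycle():
    """One pass through the loop on constructed data; returns the
    remediation order and the per-host state after the rescan."""
    findings = [
        Finding("web01", 443, "nginx", 7.5, True, False),
        Finding("db01", 3306, "mysql", 9.8, False, True),
        Finding("owa01", 443, "exchange-owa", 8.8, True, True),
        Finding("vpn01", 443, "ssl-vpn", 5.3, True, False),
    ]
    order = [f.host for f in prioritize(findings)]
    # Operators report having patched the two most urgent findings.
    mark_mitigated(findings, "owa01", 443)
    mark_mitigated(findings, "db01", 3306)
    # Constructed rescan result: owa01 is gone, db01 is still exposed.
    observed = {("web01", 443, "nginx"), ("db01", 3306, "mysql"),
                ("vpn01", 443, "ssl-vpn")}
    rescan(findings, observed)
    states = {f.host: f.state.value for f in findings}
    return order, states


if __name__ == "__main__":
    order, states = run_cycle()
    for host in order:
        print(host)
    print(states)
```

The point of `rescan` is the "confirm they are remediated" step: a fix is never trusted on the operator's word, and a finding the scanner still sees goes straight back to the top of the next cycle's queue.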