Any Port in a Storm: Ports and Security, Part 2

Wireshark is an extremely useful tool. One of the neat things about it is the ability to follow conversations called “streams.”

Provided that the traffic can be decoded and is not encrypted (or if you can decrypt it), you can follow the entire conversation and see what protocol commands are being exchanged. In this case, the pcap ratinfected.pcapng from Chris Sanders’ Practical Packet Analysis is opened in Wireshark. We then chose the option to follow the TCP stream contained in this PCAP and can see the Command and Control traffic for this malware.

In other cases, with sufficiently large pcaps, it might not be a bad idea to analyze the protocol hierarchy…

…and see how the network traffic breaks down. This is the TCP and UDP traffic breakdown for the pcap lotsofweb.pcapng. How is Wireshark able to identify these TCP and UDP protocols?

Wireshark has its own services file it uses to help define network services based on the port numbers observed for TCP and UDP services! This is in addition to protocol parsers and other magic under the hood.

The bottom line is that knowing your port numbers and the services associated with them are essential to network forensics and network intrusion detection.

Shot Across the Bows

Another use case for understanding port numbers is knowing what services and network applications/protocols are exposed to the public internet or on your local network, and through that better understand the vulnerabilities of these services and their potential attack surface. 

For example, in order for clients to connect to a service, that service has to be available and waiting for connections on an assigned (or configured) TCP or UDP port. Exposing network services to the internet means your service is going to be poked, prodded, or otherwise scanned for potential vulnerabilities that might allow the bad guys in. 

Most bad guys start by trying to establish connections to various TCP and/or UDP ports on an IP address and then waiting for valid responses. The ports that provide valid responses are considered open and require further probing and enumeration (when open ports are probed to determine what services and versions of the service are running on that port) before an attacker knows what services and/or underlying operating system is running at the target IP address(es). This is usually done by sending network traffic to the open ports specific to the application protocol in order to get the target system to tell the attacker more about itself

• What web server software is being used to serve the HTTP/HTTPS traffic?
• What version of the SSH package is being run?
• What versions of the SMB protocol are available?
• What type of network appliance are you?
• What kind of VPN concentrator are you?

This is a part of a process most attackers will refer to as footprinting, reconnaissance, and/or information gathering in general. 

More specifically, the use of port scanning applications or other tools directly against a target is referred to as active reconnaissance. With passive reconnaissance, on the other hand, adversaries may use data gathered from third parties to learn more about their targets. 

Examples include passive and/or related DNS records–and websites that display data about hosts they themselves have probed across the internet. Two prominent examples of this type of reconnaissance are shodan.io and censys.io. After all, why scan and fingerprint a target manually if the data is already out there?

NMAP is considered one of the world’s foremost port scanners in the world, using network requests and responses to learn more about the target computer. Open ports are probed further to determine what services and versions of the service are running on that port, referred to as enumeration. Nmap is just one tool in a suite of active reconnaissance tools.

But why bother actively scanning a potential target, when someone has already done the work for you? Organizations and services like Shodan and Censys probe the internet on a massive scale and provide a search engine anyone can use to find out more about an IP address or an organization, provided Shodan has seen it or scanned it before. Techniques like these are termed passive reconnaissance.

Using combined reconnaissance, attackers then try to piece together a profile of their target:

“There is an F5 load balancer at x.x.x.x . It is running software update yy.z. It may be vulnerable to foo.”

“There is an exchange server running OWA (outlook web access) at a.a.a.a . Not sure what the patch level is. May have to test with multiple vulnerabilities.”

“There’s a custom web application running at m.m.m.m. May need to use an intercept proxy or sqlmap to see if any of the inputs are injectable or if there are parameters that can be messed with to gain more access.

What I’m describing above is a small portion of the attacker and/or penetration tester lifecycle. Of course, I’m vastly oversimplifying things here, but if you’re interested in learning more about this sort of thing, consider looking into the phases of a pentest. Depending on what penetration testing outfit you ask, they all have a different idea of how many phases there are to a penetration test–but in general, Core Security has been around for a very long time and I liked their take on it. You may also want to consider looking at Lockheed Martin’s cyber kill chain for learning about how nation-state threats do things. 

For those wanting to know detailed information about the tactics different attack groups use, consider looking at Mitre ATT&CK.

On the Right Tack

Bad guys, pentesters, and the red team use your open ports against you for reconnaissance, sure. But what if the defenders did it instead? Welcome to vulnerability management. 

In short, vulnerability management is an effort by a security operations team to proactively probe their own systems for vulnerabilities on a regular basis, prioritize those vulnerabilities in terms of criticality and potential impact, remediate or otherwise mitigate them, confirm they are remediated, and then repeat the whole process again.

There are a variety of commercial tools designed to do this (Qualys, Nessus, Nexpose), and many can use both active and passive probing techniques to attempt to detect what network applications and protocols are running as well as what the vulnerabilities may be just by observing the network traffic–including what ports the communication takes place on.

Tenable’s Nessus is one of the most well-known vulnerability assessment tools out there. They provide both active and passive vulnerability assessment tools, as do many other vendors.

As you might have guessed by my explanation, vulnerability management has a lifecycle all its own. Once again, depending on the vendor, they all have slightly different takes on the steps of the life cycle. Gartner is the closest thing to an unbiased source here, and their take on the vulnerability management cycle is pretty solid. 

In Conclusion

Knowing what a port number is and what it signifies helps us understand how port numbers are applied in various cybersecurity disciplines.

In network forensics, packet analysis tools such as Wireshark use port numbers and protocol parsers to define different network services. They are also used alongside source and destination IP addresses to track conversations or “streams” between hosts. These streams can be further analyzed to discover the nature of the network service, as well as the connection between those hosts.

For offensive security disciplines, open port numbers play a huge role acquiring more information about a targeted system or organization. Open ports can be actively probed using port scanners to attempt to acquire more information about the host–such as what types of services are running on the host, their versions, and potential vulnerabilities that may be used to exploit those services. In some cases, adversaries can use passive reconnaissance and acquire information about targets through a third party without having to send a single packet to probe a target for vulnerabilities.

Hosts with open ports are also used extensively for vulnerability management, as a part of both active and passive vulnerability scans. The general idea behind vulnerability management is allowing your security team to probe hosts for vulnerabilities so that they can be mitigated before the bad guys exploit them.

I hope this two-part series was educational–best of luck in your network security endeavors.