Vulnerabilities do not rest on TCP ports, they rest on the services listening on them.
A port is only "open" because a process is listening on it. There is nothing to attack in the port number itself; the attack is against whatever is listening, and if no service is behind the port the attack fails.
There is one well-known twist: port knocking (and its cousin, single-packet authorization) keeps a service's port filtered, so it scans as closed, until the client sends a secret knock sequence, after which the service becomes reachable.
Hacking and malware attacks are aimed at those services, and each service can have a different application behind it (port 80 might be Apache on one host and IIS on another, with different weaknesses).
A little background – a quick introduction to hacking.
Vulnerabilities are discovered and used in attacks based on a number of things:
- Application – what application is using the TCP port. Apache and IIS have different vulnerabilities, and either can be as safe or as unsafe as the other; it depends on the attacker, the defender, the version and how it was installed.
- Version – one version will be more secure than the previous one. In the labs we demonstrate a problem with vsftpd version 2.3.4: that release had a back door hard-coded into the software, and anyone who knows about it can use it to compromise the server it is installed on. Upgrading to 2.3.5 removes the vulnerability and the back door. With the rise of IoT the main attack vectors are the device's web interface on port 80 and hard-coded default usernames and passwords.
- Installation process – a number of applications ship with a default username and password. If these are not changed the system is vulnerable. Tomcat and VNC are examples with well-known default credentials.
- Interaction between the application and the operating system – some applications are vulnerable only when installed on a specific operating system or alongside a specific component. Code Red, for example, targeted port 80 (HTTP) and exploited a buffer overflow in the Indexing Service ISAPI extension that shipped with Microsoft IIS, so a Windows/IIS web server was vulnerable where another web server on the same port was not.
Fingerprinting and scanning
This is the process of finding out what application and service are behind each port, and which version is running.
A simple Nmap version scan (nmap -sV) will deliver this information to anyone who knows how to use it; a Nessus scan will reveal even more, because it checks the versions it finds against a database of known vulnerabilities.
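To show what "the service behind the port" means in practice, here is a small banner-grabbing fingerprinter. This is an added example, not code from the original article or from Nmap or Nessus; it reproduces the idea behind nmap -sV in a few lines. The banners, the regex table and the "known bad" list are constructed for the example (the vsftpd 2.3.4 entry reflects the backdoored release mentioned above), and the scan runs against throwaway localhost listeners so it works offline.

```python
import re
import socket
import threading

# Constructed sample banners in the greeting format the real services use.
# These are not captures from any real host.
FAKE_BANNERS = {
    "ftp": b"220 (vsFTPd 2.3.4)\r\n",
    "smtp": b"220 mail.example.test ESMTP Sendmail 8.14.4; Mon, 1 Jan 2024 00:00:00 +0000\r\n",
    "telnet": b"Ubuntu 16.04 LTS\r\nlogin: ",
}

# Versions worth an immediate finding. vsftpd 2.3.4 is the backdoored release
# discussed in the text; the table is illustrative, not a vulnerability database.
KNOWN_BAD = {
    ("vsftpd", "2.3.4"): "vsftpd 2.3.4 release contains a hard-coded back door; upgrade",
}

# (service name, regex over the banner), checked in order. Group 1 = version.
FINGERPRINTS = [
    ("vsftpd", re.compile(rb"220 \(vsFTPd ([\d.]+)\)")),
    ("sendmail", re.compile(rb"220 .* ESMTP Sendmail ([\d.]+)")),
    ("telnet-login", re.compile(rb"login: ?$")),
]


def grab_banner(host, port, timeout=2.0, nbytes=256):
    """Connect and read whatever the service volunteers before any input."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""  # silent services (HTTP, for example) need a probe instead


def fingerprint(banner):
    """Return (service, version or None, advisory or None) for a banner."""
    for name, rx in FINGERPRINTS:
        m = rx.search(banner)
        if m:
            version = m.group(1).decode() if m.groups() else None
            return name, version, KNOWN_BAD.get((name, version))
    return "unknown", None, None


def serve_banner(banner):
    """Start a throwaway localhost listener that sends one banner; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def scan_local_demo():
    """Stand up the fake services, grab each banner and fingerprint it."""
    results = {}
    for svc, banner in FAKE_BANNERS.items():
        port = serve_banner(banner)
        results[svc] = fingerprint(grab_banner("127.0.0.1", port))
    return results


if __name__ == "__main__":
    for svc, (name, ver, adv) in scan_local_demo().items():
        print(f"{svc:7} -> {name} {ver or ''} {('!! ' + adv) if adv else ''}")
```

The point the article makes shows up directly in the output: the port number tells you nothing, but the greeting tells you "vsftpd 2.3.4", and that version string is what turns an open port into a finding. Real scanners add active probes for services that say nothing until spoken to, and match against thousands of signatures rather than three.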
User rights and shell
A hacker needs two things to be dangerous.
They need authority, meaning administrator (god) access, and they need a shell: something to run commands, scripts or applications in.
You can still do damage with less than admin access, but only within the application you compromised: compromising Tomcat gives access to the web server component of a system, not the whole machine. From there an attacker looks for ways to escalate from the service account to administrator.
Without the ability to gain a shell, most attacks will not work.
In penetration testing we may discover hundreds of vulnerabilities, but only one, two or ten of them will let us compromise the system with both administrator access and a shell.
Those are the ones we report, resolve and remediate first.
Hackers use Google and YouTube
Most hackers find out what they are targeting, how to attack it and what tools they need through a basic search.
With all that said, here are the most commonly targeted ports and the applications behind them.
Insecure network services
- 21 – TCP – FTP – file transfer protocol – one of the oldest services on the internet, used to transfer files from one system to another over a TCP connection. Credentials and data travel in clear text. Can be used for command and control of malware.
- 23 – TCP – Telnet – the most basic of shells; used to send commands and scripts from computer to computer. Unencrypted and easily captured.
- 25 – TCP – SMTP – email servers: Exchange, Sendmail, and any system designed to send email as part of its function.
- 69 – UDP – TFTP – trivial file transfer protocol – used to push configuration and firmware between computers and routers. It has no authentication and no encryption, so anything transferred can be intercepted or replaced.
- 80 – TCP – HTTP – hypertext transfer protocol – Apache, IIS.
- 143 – TCP – IMAP – mail protocol.
- 110 – TCP – POP3 – mail protocol.
- 443 – TCP – HTTPS – HTTP over TLS.
- 53 – TCP/UDP – DNS – domain name service – BIND, Windows DNS.
- 8080 – TCP – Tomcat – its default HTTP port, where the manager application is reached.
- 161 – UDP – SNMP – network management; v1 and v2c use clear-text community strings, often left at the default.
- 3389 – TCP – RDP – remote desktop protocol.
- 4444 – TCP/UDP – Metasploit – the default listener port for its reverse shells.
- 1433 – TCP – Microsoft SQL Server.
- 137, 138 – UDP and 139 – TCP – NetBIOS name, datagram and session services.
- 1723 – TCP – PPTP VPN (with GRE); an obsolete protocol with known weaknesses in its authentication.
- 9100 – TCP – raw (JetDirect) printing, unauthenticated; the Internet Printing Protocol itself uses 631.
- Gaming ports – inbound and outbound – some games install and connect to a web-based server on a game-specific port. An attacker can use the game's own update or content channel as a platform to store and activate malware.
There is no way to secure an individual port other than by securing the application behind it: keep the application and operating system up to date, change default credentials, and disable or firewall any service that does not need to be exposed.
There are a number of ways to protect an organisation:
A next generation firewall inspects traffic all the way up to the application layer, not just addresses and ports, as it enters and leaves, and compares what it sees against its signature and reputation databases.
If an attack is indicated it will either block it or divert the suspicious file or session to a sandbox.
The other ways are through logging, auditing and reporting.
Depending on the size of the organisation a SIEM may be necessary, but a process of alerts is vital to catching the initial components of a breach, such as a sweep of the ports listed above followed by a connection to a service that should not be exposed.
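The "process of alerts" can be very simple and still catch the opening moves of an attack. The detector below is an added example, not code from the article or from any SIEM product; it runs over a constructed firewall-style connection log (the line format, hosts and thresholds are assumptions for the example) and raises two kinds of alert: a single source touching many distinct ports on one host in a short window (the scan that precedes the fingerprinting described earlier), and any allowed connection to one of the plaintext services from the list above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log in an assumed format: timestamp, source, destination,
# destination port, action. Not a capture from a real firewall.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 192.168.1.10 22 ALLOW
2024-01-01T10:00:02 10.0.0.5 192.168.1.10 23 ALLOW
2024-01-01T10:00:02 10.0.0.5 192.168.1.10 21 ALLOW
2024-01-01T10:00:03 10.0.0.5 192.168.1.10 80 ALLOW
2024-01-01T10:00:03 10.0.0.5 192.168.1.10 443 ALLOW
2024-01-01T10:00:04 10.0.0.5 192.168.1.10 3389 DENY
2024-01-01T10:00:04 10.0.0.5 192.168.1.10 1433 DENY
2024-01-01T10:00:05 10.0.0.5 192.168.1.10 8080 DENY
2024-01-01T10:00:05 10.0.0.5 192.168.1.10 4444 DENY
2024-01-01T10:00:06 10.0.0.5 192.168.1.10 5900 DENY
2024-01-01T10:00:06 10.0.0.5 192.168.1.10 1723 DENY
2024-01-01T10:00:07 10.0.0.5 192.168.1.10 9100 DENY
2024-01-01T10:15:00 10.0.0.7 192.168.1.10 443 ALLOW
2024-01-01T10:15:30 10.0.0.7 192.168.1.10 443 ALLOW
2024-01-01T10:20:00 10.0.0.9 192.168.1.20 23 ALLOW
"""

LINE_RX = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")

# Plaintext or legacy services from the port list: one allowed connection
# to any of these is worth an alert on its own.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 1723: "pptp", 9100: "raw-print"}

# Scan heuristic: one source touching this many distinct ports on one host
# inside the window. Thresholds are illustrative; tune them for your network.
SCAN_DISTINCT_PORTS = 10
SCAN_WINDOW = timedelta(seconds=60)


def parse(log_text):
    """Turn log lines into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RX.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, src, dst, port, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def detect(events):
    """Return a list of (kind, src, dst, detail) alerts."""
    alerts = []
    by_pair = defaultdict(list)
    for ts, src, dst, port, action in sorted(events):
        if action == "ALLOW" and port in INSECURE_PORTS:
            alerts.append(("insecure-service", src, dst,
                           f"{INSECURE_PORTS[port]}/{port} allowed"))
        by_pair[(src, dst)].append((ts, port))
    for (src, dst), hits in by_pair.items():
        # Sliding window over the time-ordered hits for this src/dst pair.
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= SCAN_WINDOW}
            if len(ports) >= SCAN_DISTINCT_PORTS:
                alerts.append(("port-scan", src, dst,
                               f"{len(ports)} distinct ports within {SCAN_WINDOW.seconds}s"))
                break  # one scan alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Denied connections are deliberately counted toward the scan heuristic: a firewall that drops the probe has still seen the reconnaissance, and the sweep is the earliest signal you will get. Note also that the scan alert fires for 10.0.0.5 while the repeated HTTPS traffic from 10.0.0.7 stays silent, which is the distinction an alerting process has to make to be worth reading.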
Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework. Rapid Restart Appliance Creator. He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.