A port scan is a technique that is used to identify open or vulnerable ports on a network or device. An attacker or security professional can gather information about the services running on a system and determine any potential security weaknesses by scanning available ports.
Ports are communication endpoints that allow devices and applications to exchange data. Each port has a specific function, with certain ports commonly associated with particular services (e.g., port 80 for web traffic).
A port scan helps identify which ports are open, closed, or filtered, allowing attackers to pinpoint weaknesses for potential exploitation or for defenders to bolster security.
Key types of port scans include:
- TCP scan: Checks for open Transmission Control Protocol (TCP) ports by attempting to establish a connection.
- UDP scan: Identifies open User Datagram Protocol (UDP) ports, often used for applications like DNS and streaming services.
- Stealth scan: Avoids detection by scanning ports without completing a full connection, making it harder for security systems to detect.
Common uses of port scanning include:
- Security testing: Cybersecurity professionals use port scanning to assess network vulnerabilities and strengthen defences.
- Cyberattacks: Hackers use port scans to locate weak points in a network, potentially leading to unauthorised access or attacks.
Internal vs. External Port Scans
- External Port Scans: Conducted from outside the network, these scans do not require any initial access to the network itself. Attackers use external scans to identify exposed services that are accessible over the internet, such as web traffic (Ports 80/443), RDP (Port 3389), or SMB (Port 445). The information gathered from these scans can provide attackers with the entry points needed to exploit vulnerabilities and gain access to the network.
- Internal Port Scans: Performed from within the network, internal scans require the attacker to already have some level of access. Once inside, attackers use internal scans to locate services that are not externally visible but may be improperly secured or misconfigured. These services, such as SMB, RDP, NetBIOS, and VNC, can facilitate lateral movement and privilege escalation, allowing attackers to navigate through the network and gain higher levels of control.
What Ports are Attackers Looking For?
Attackers typically target common ports that are associated with vulnerable or widely used services. Some of the key ports and services include:
- Telnet (Port 23): Often targeted due to its lack of encryption of authentication credentials, making it an easy target for credential theft and man-in-the-middle attacks.
- Remote Procedure Call (RPC) – Port 111 and MSRPC – Port 135: Used for communication between networked systems; attackers exploit these for remote code execution.
- NetBIOS (Port 139): Exploited for network file-sharing attacks, especially in older Windows systems.
- Server Message Block (SMB) – Port 445: Network file-sharing protocol that is commonly exploited by ransomware actors. Known for vulnerabilities like the EternalBlue exploit used in WannaCry and other malware attacks.
- Point-to-Point Tunneling Protocol (PPTP) – Port 1723: Vulnerable to brute-force attacks due to weak encryption.
- Remote Desktop Protocol (RDP) – Port 3389: Targeted to gain remote access, often leading to ransomware or other malicious activities.
- Virtual Network Computing (VNC) – Port 5900: Commonly exploited for remote access, especially if misconfigured or left with default settings.
Security professionals should ensure that connections to these ports are restricted and limited to known and authorised devices and accounts.
How to Defend Against Malicious Port Scanning?
Organisations can take several steps to defend against malicious port scanning:
- Firewalls: Use external and internal firewalls to block unnecessary or unused ports. For example, disable Telnet (Port 23) in favour of encrypted protocols like SSH. Limit access to critical ports like RDP (Port 3389) and SMB (Port 445).
- Network Segmentation: Divide your network into smaller segments to limit the damage from internal port scans. This prevents an attacker from accessing critical areas if they gain a foothold in one segment.
- Intrusion Detection and Prevention Systems (IDS/IPS): These systems can detect scanning attempts and raise alerts, enabling defenders to respond quickly. IDS/IPS systems are particularly useful in detecting stealthy scans like those aimed at SMB (Port 445) or RDP (Port 3389).
- Regular Network Audits: Ensure regular audits are conducted to identify open ports and close any that aren’t needed. This is critical for services like RPC (Port 111 and Port 135), which are often targeted in internal attacks.
- Least Privilege: Limit access to sensitive services like RDP (Port 3389) and VNC (Port 5900), ensuring only authorised users can access them. This minimises the chances of internal actors scanning or abusing these services.
- By understanding the importance of port scans and taking proactive steps to secure both internal and external ports, organisations can significantly reduce their exposure to cyber threats, and potentially catch an intruder before the threat escalates. Regular audits, proper network segmentation, and strong access controls will help limit the risk posed by vulnerable services.
How Can We Help?
Port scanning is an essential technique in both offensive and defensive cybersecurity. Understanding how it works can help organisations safeguard their networks against potential threats.
Canopius’ Proactive Services, included with your cyber policy, offer threat intelligence to help you stay ahead of threats and perform external infrastructure scans, giving you clear insight into what attackers could discover. This enables you to secure vulnerable ports and efficiently reduce your attack surface.
If you want to protect your business against cyber threats, then get in touch and see how our cyber insurance services can help you.
