Published on April 19th, 2017 | by Vatsal Desai
Network Ports can be Risky Business
Network ports are entry points into your system, and understanding your network infrastructure and hosted services lets you determine which ports are expected to be open. Any listening port that is unexpectedly open in your environment is a potential attack vector. That said, adversaries have also managed to interact over common ports like 80/443, since enterprise firewalls are expected to allow them. Many other ports have been exploited for malicious activity as well; here’s a look at a few:
Port 6667 – IRC
The IANA standard port assigned for IRC (Internet Relay Chat) is 194, but most IRC servers are configured to run on port 6667. Since port 194 is a “privileged port”, running IRC on port 6667 removes the requirement of having root privileges to host the service. IRC is often associated with botnet and Command & Control (C2) traffic. A common malicious use of this port involves an infected system (bot) beaconing out to a C2 server at regular intervals, announcing its presence and waiting for malicious instructions. While APTs may randomize the callback timers to evade basic detection schemes, traces like automated callbacks and persistent after-hours traffic on this port are classic methods of pinpointing an infected system.
Ports 5985/5986 – Remote PowerShell
The Microsoft PowerShell framework is often used to automate security and administrative tasks, but as powerful and useful as it is, having PowerShell access open for remote administration is a potential entry point for adversaries. Some Windows exploits are known to enable “PowerShell Remoting” on a compromised system to drop additional malware and ensure persistent access. Like any other service on the network, this one should be disabled unless there is an absolute need. Basic control measures like hopping through a VPN can be implemented to avoid direct access.
Ports 3128/8080/8888/45554 – Proxy, Ports 9001/9030 – TOR Anonymizer
In an enterprise environment, content restrictions are often implemented to ensure that users are not compromised by phishing attacks and drive-by downloads. Proxy services and software such as TOR can be used to circumvent those content restrictions. These services also provide a layer of anonymity, as the destination does not know the true source unless authentication information is forwarded as well. If restrictions are in effect on the network, with traffic subject to an “Acceptable Use Policy (AUP)”, then a considerable volume of traffic to the ports associated with these proxies is a likely indicator of compromise (IOC). Having a protocol visibility tool is one possible solution for identifying such IOCs.
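The detection ideas above (regular-interval callbacks and after-hours traffic on the IRC port, and a high count of connections to proxy/TOR ports) can be checked against flow records. The script below is an added example, not code from the original article or from SS8; the flow records, hosts and the 08:00–17:59 business-hours window are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flows (timestamp, src, dst, dst port); made-up values, not from the article.
FLOWS = [
    ("2017-04-18 02:00:00", "10.0.0.5", "203.0.113.7", 6667),
    ("2017-04-18 02:10:00", "10.0.0.5", "203.0.113.7", 6667),
    ("2017-04-18 02:20:30", "10.0.0.5", "203.0.113.7", 6667),
    ("2017-04-18 02:30:15", "10.0.0.5", "203.0.113.7", 6667),
    ("2017-04-18 09:15:00", "10.0.0.9", "198.51.100.2", 443),
    ("2017-04-18 11:00:00", "10.0.0.12", "192.0.2.44", 9001),
    ("2017-04-18 11:02:00", "10.0.0.12", "192.0.2.44", 9030),
    ("2017-04-18 11:09:00", "10.0.0.12", "192.0.2.80", 3128),
    ("2017-04-18 11:40:00", "10.0.0.12", "192.0.2.80", 8080),
]
IRC_PORTS = {194, 6667}
PROXY_TOR_PORTS = {3128, 8080, 8888, 45554, 9001, 9030}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time (assumed)

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def beaconing_hosts(flows, min_flows=4, max_jitter=0.2):
    """Map source -> (destination, mean interval in seconds) for hosts whose IRC-port
    connections recur at a near-constant interval. Randomised timers are tolerated
    as long as the gaps' coefficient of variation (stdev / mean) stays below max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in IRC_PORTS:
            by_pair[(src, dst)].append(parse(ts))
    hits = {}
    for (src, dst), times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[src] = (dst, avg)
    return hits

def after_hours_irc(flows):
    """Sources that talk to IRC ports outside business hours."""
    return sorted({src for ts, src, _, port in flows
                   if port in IRC_PORTS and parse(ts).hour not in BUSINESS_HOURS})

def proxy_tor_volume(flows, threshold=3):
    """Sources with at least `threshold` connections to proxy or TOR ports."""
    counts = Counter(src for _, src, _, port in flows if port in PROXY_TOR_PORTS)
    return {src: n for src, n in counts.items() if n >= threshold}
```

On the sample data, 10.0.0.5 is flagged for beaconing (about every 10 minutes, slightly jittered) and for after-hours IRC traffic, while 10.0.0.12 is flagged for proxy/TOR volume.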
Vatsal is a Threat Researcher at SS8. He believes that security is a time-based control — it is only a matter of time before someone breaks into the network; the goal is to improve the control time so that it surpasses the value of the asset under protection.