As IT pros already know, when we speak of ports here we mean the 16-bit logical port numbers that transport protocols such as TCP and UDP use to address a particular service on a host, not physical connectors on the system such as USB or HDMI. If you are not an IT pro, see the OSI model and the list of port numbers and their assigned functions. Port 80 is the registered port for HTTP, for example, and many applications listen on their assigned default ports.
With 65,536 ports available (0 through 65535) for each of TCP and UDP, monitoring them is essential. The reason? As always, to detect and prevent intrusions and data-harvesting attacks, whether from state actors, hackers seeking access for the validation of their peers, or, of course, cybercriminals seeking financial gain.
Given the number of possible ports, how can network administrators handle a monitoring process or even detect an intrusion? How do we know whether others are testing our network for vulnerabilities? What can we do to ensure maximum security without affecting user productivity?
In an earlier article, Greg Mooney defined a port scanner and demonstrated how port scanning your own network shows you what potential attackers will see when they scan it. Logically, monitoring the avenues of attack brings profound security benefits, and being aware of the attack methods used can only help protect your network. Let’s look at some of the standard tools that penetration testers (and hackers) use to verify security.
Kali, More Than A Hindu Goddess
Kali Linux is perhaps the best-known distro aimed at penetration testing and it’s crammed with open-source hacking tools. It may not be the only one, but it will serve to demonstrate the logical approach used to penetrate a network. Have a look at the sheer number of tools available in Kali Linux by default (more can be added). Broken down into convenient categories such as Information Gathering, Vulnerability Analysis, Exploitation Tools, Stress Testing and Wireless Attacks, it lets hackers of all types (cybercriminals and legitimate penetration testers alike) gather relevant info, identify vulnerabilities and exploit them, all from the same tool repository. A direct link to the Exploit Database gives the hacker access to the latest verified application exploits. A review of the past week’s entries clearly indicates how detailed this resource is… It makes sense to launch attacks based on recently identified and verified vulnerabilities when many administrators do not install patches promptly, even when the vulnerability is the subject of a security alert.
Admittedly, many tools use a command-line approach, but newbies can easily obtain the necessary commands from online research or forums, and most tools have tutorials in any case. Hackers that fail with social engineering have plenty of options to choose from when scanning ports. Whether it’s Nmap port scanning, Unicornscan (an asynchronous, stateless scanner for when a conventional scan is too slow or gets blocked) or Wireshark (network traffic and packet analysis), the information discovered can be used later to launch an attack. Have a look at the best 20 hacking and penetration tools for Kali Linux, as reported by FOSSMint, to get a feel for what is easily achievable for even the newest of hackers. Do you think port monitoring is a worthwhile exercise at this point?
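As an added example (not code from the original article), here is what the Nmap scan described above leaves behind in a Linux firewall log, and the detection logic a port monitor applies to it. The log lines are constructed for the example in the KEY=VALUE shape the iptables LOG target writes to syslog; the FW-DROP: prefix, the threshold of ten distinct ports and the 60-second window are assumptions, not settings from the article. What it shows beyond the paragraph: a default-timing scan is trivial to spot, while the same sweep spread over half an hour slips under a short window, which is why the scanners mentioned offer slow timing modes and why a monitor needs more than one window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields we need from a line written by the iptables LOG target: the syslog
# timestamp, then SRC=, PROTO= and DPT= from the KEY=VALUE list. "FW-DROP:" is
# whatever --log-prefix the firewall rule was given (assumed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: FW-DROP: "
    r".*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line, year=2024):
    """Return (timestamp, src, proto, dport) for a FW-DROP line, else None.
    Classic syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dport"])


def detect_scans(log_text, threshold=10, window=60):
    """Flag every source that probed at least `threshold` distinct (proto, port)
    pairs within any `window`-second span.
    Returns {src: largest number of distinct ports seen inside one window}."""
    per_src = defaultdict(list)
    for ts, src, proto, dport in filter(None, map(parse_line, log_text.splitlines())):
        per_src[src].append((ts, (proto, dport)))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                 # log order is not guaranteed to be time order
        in_window = defaultdict(int)  # (proto, port) -> hits currently inside the window
        start = 0
        for ts, port in events:
            in_window[port] += 1
            # Slide the left edge forward until every event is within `window` of ts.
            while (ts - events[start][0]).total_seconds() > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


# --- Constructed sample log (not real traffic) -------------------------------
def fw_line(ts, src, dport, dst="192.0.2.10"):
    """Build one line in the shape the iptables LOG target writes to syslog."""
    return (f"{ts:%b %d %H:%M:%S} gw kernel: FW-DROP: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=44 TTL=54 ID=1 DF PROTO=TCP SPT=54321 DPT={dport} WINDOW=1024 RES=0x00 SYN URGP=0")

T0 = datetime(2024, 3, 10, 12, 0, 0)
PROBED = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG = "\n".join(
    # fast SYN sweep: 12 ports in 6 seconds, the shape of a default-timing Nmap scan
    [fw_line(T0 + timedelta(seconds=i // 2), "203.0.113.7", p) for i, p in enumerate(PROBED)]
    # slow sweep: the same 12 ports, one every 3 minutes, the pace of a slow-timing scan
    + [fw_line(T0 + timedelta(minutes=3 * i), "198.51.100.9", p) for i, p in enumerate(PROBED)]
    # legitimate client retrying two published services
    + [fw_line(T0 + timedelta(seconds=s), "198.51.100.5", p) for s, p in [(1, 443), (2, 443), (3, 80)]]
)

if __name__ == "__main__":
    print("60 s window:", detect_scans(SAMPLE_LOG))               # flags only the fast scanner
    print("1 h window: ", detect_scans(SAMPLE_LOG, window=3600))  # flags both scanners
```

Run as is, the 60-second window reports only 203.0.113.7; widening it to an hour also catches 198.51.100.9. A scanner that spreads the sweep across many source addresses defeats a per-source count entirely, which is one reason the article argues for a monitoring tool that correlates more than one signal rather than for a single script.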
Any Port In A Storm
Given that gathering information is the first step for any hacker, and that port scanning and similar techniques are used to obtain those details, it’s generally considered insane to ignore network, traffic and port monitoring. Of course, performed incorrectly, it can take up a large part of the working day, which is not the best solution. Unfortunately, in some cases, due to lack of investment, IT pros are reduced to hunting for patterns in log files after the event, a reactive approach to fault-finding. Isn’t a proactive, real-time approach to monitoring a better and more productive use of IT’s time and resources? Some try to develop their own application, but the cost ends up higher than a commercial tool and/or the result offers fewer features than the commercial equivalent. As a techie, if you need to convince management of the viability of a good network monitoring tool, then review this article from John McArdle.
While monitoring open ports may well be a key security function, it’s by no means easy, as ports open and close according to the service in use or according to firewall action. Some protocols and applications negotiate ports at run time rather than using fixed ones: passive-mode FTP data connections, RPC services registered through a port mapper and the RTP streams of VoIP calls all land on ports chosen on the fly, so a monitor that only knows the static assignments will either miss them or raise false alarms.
By using an effective port/network monitoring solution, admins can set a baseline of expected listening ports per host and configure automated alerts for any deviation from it. Over time, monitoring becomes almost entirely automated, flagging any new, and therefore suspicious, listening port, process or service, thereby freeing your IT team for other business-focused projects.
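To show what a baseline for port activity looks like in practice, and how the dynamic-port problem from the previous paragraph is handled, here is an added example (not code from the original article, and not a substitute for the monitoring tools it recommends). It parses two nmap -oG (grepable) scans of your own network, one saved as the baseline and one from today, and reports every host whose open ports or detected services changed. Both scans are constructed sample output; the hosts, service strings and the ignored range 49152-65535 (the IANA dynamic/private range) are assumptions made for the example.

```python
import re

# One entry in the Ports: field of nmap -oG output has the shape
#   port/state/proto/owner/service/rpcinfo/version/
# We keep port, state, proto, service and version. Grepable output replaces any
# "/" inside the version string with "|", so splitting on "/" is safe, and a
# state can be "open|filtered", hence [\w|]+ for that field.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Parse nmap -oG text into {host: {(proto, port): (service, version)}},
    keeping only ports nmap reported as open. Lines starting with '#' are
    comments, and a 'Host: <ip> () Status: Up' line carries no port data."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        m = re.search(r"Ports: ([^\t]*)", line)
        if not m:
            continue
        open_ports = {}
        for port, state, proto, service, version in PORT_RE.findall(m.group(1)):
            if state == "open":
                open_ports[(proto, int(port))] = (service, version)
        hosts.setdefault(host, {}).update(open_ports)
    return hosts


def diff_baseline(baseline, current, ignore_ranges=()):
    """Compare two parse_grepable() results and report, per host, ports that are
    newly open, ports that were open and no longer are, and open ports whose
    detected service or version changed (a replaced listener on a known port).
    ignore_ranges: (proto, low, high) triples left out of the new/gone lists,
    e.g. a dynamic range that RPC or passive FTP hands out at run time."""
    def ignored(key):
        proto, port = key
        return any(proto == p and lo <= port <= hi for p, lo, hi in ignore_ranges)

    report = {}
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        new = sorted(k for k in after.keys() - before.keys() if not ignored(k))
        gone = sorted(k for k in before.keys() - after.keys() if not ignored(k))
        changed = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
        if new or gone or changed:
            report[host] = {"new": new, "gone": gone, "changed": changed}
    return report


# --- Constructed sample scans (not real hosts) --------------------------------
BASELINE_GNMAP = (
    "# Nmap 7.94 scan initiated Sun Mar 10 12:00:00 2024 as: nmap -sS -sV -oG baseline.gnmap 192.0.2.0/28\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//Apache httpd 2.4.58/, 443/open/tcp//https//Apache httpd 2.4.58/"
    "\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/"
    "\tIgnored State: filtered (999)\n"
    "# Nmap done at Sun Mar 10 12:01:10 2024 -- 16 IP addresses (2 hosts up) scanned in 70.12 seconds\n"
)
CURRENT_GNMAP = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//Python http.server 3.12/, 443/open/tcp//https//Apache httpd 2.4.58/, "
    "4444/open/tcp//krb524///, 49152/open/tcp//unknown///\tIgnored State: closed (995)\n"
    "Host: 192.0.2.11 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/"
    "\tIgnored State: filtered (999)\n"
    "Host: 192.0.2.12 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)\n"
)

if __name__ == "__main__":
    report = diff_baseline(parse_grepable(BASELINE_GNMAP), parse_grepable(CURRENT_GNMAP),
                           ignore_ranges=[("tcp", 49152, 65535)])
    for host, changes in report.items():
        print(host, changes)
```

Three kinds of change come out of the sample: a new listener on 4444 and a web server on 80 that is no longer Apache on the first host, a host whose RDP has given way to SMB, and a host that was not in the baseline at all. The 49152 entry is suppressed by the ignore range, which is the trade-off the previous paragraph describes: you stop alerting on legitimate dynamic ports at the cost of not seeing a backdoor that picks one.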
Of course, security pros use other techniques to confuse or at least slow down attackers. Avoid using defaults, whether it’s an internal IP-address range or port numbers. If port 80 is not used for HTTP, for example, an attack aimed at HTTP on port 80 hits nothing. Treat this as a speed bump rather than a control, though: a scanner run with service detection (Nmap’s -sV) fingerprints the HTTP server on whatever port it listens, so a non-default port costs the attacker a full-range scan and a little time, nothing more.
In conclusion, port monitoring is a vital part of network security. How you implement it will depend on available budget, technical competence and, of course, staff resources. Network vulnerabilities are certainly worth investigating, using some of the tools mentioned earlier or by hiring a certified ethical hacker to verify your security level. Bear in mind that a scan shows only what is listening at that moment: with ‘port knocking’, a secret sequence of connection attempts to closed ports causes the firewall to open one, and a backdoor can use that trick just as a defender does, so a port that looks closed to your own scan is not necessarily out of reach. No company is too small to be hacked, so I ask you… how secure is your network, given that anyone can use free hacking tools to compromise it and the data stored within? What techniques do you use to prevent external port scanning?