So this Blog is intended to give an overview of how people should view results when they receive a Penetration test / vulnerability assessment report and how to deal with “Ports Found” on a Penetration Test / Vulnerability Assessment. This is a fairly wide ranging topic depending on your setup so if there is any additional information we miss then feel free to get in touch via the comments and we will clarify anything for you.
We wrote a blog called “Common Ways Hackers Can Get Into Your System”. Read this before you start as it gives a good overview as to who are the types of adversaries and how they might attack. However below we will just concentrate on the actual specifics around test reports and technically how you should approach the subject of “Open Ports”.
Ports Open In your Penetration Test / Vulnerability Scan, what does this mean ?
So if you have done an external Penetration Test or Vulnerability Scan and you have found you have Ports Open then this doesn’t mean the end of the world but it does mean that you have to ask yourself some questions.
A port open effectively means that the Firewall or Router device that protects your network has an open channel (or port) on it that will allow traffic to flow through to the internal network. This is usually called network address translation or “NAT” and effectively redirects traffic requested on that IP address for that port to a service listening either within the network or on the actual router itself.
The IP Address externally could be 82.3.6X.XX (“X” used to hide real IP) with Port Number 80.
Now in this above example the router which has “82.3.6X.XX” as its external IP address if anyone makes a request on that IP for Port 80 it will redirect the traffic from outside the network to inside the network to an internal server that is terminating port 80.
Effectively the router can be directing external traffic for Port 80 from the external address of 82.3.6X.XX to an internal address of 192.168.10.1 which for this example’s sake is a webserver that is listening on Port 80 (which is a web traffic Port).
What does it mean for a Port to be open?
So if you have Ports Open in your report which basically means that you are accepting connections from outside your network to inside your network then you are effectively exposing to the outside world the service (piece of software) which is listening inside your network.
If this “piece of software” that is listening inside your network is super secure, up to date and designed to thwart of external attack then “great” however if this particular service that is exposed to the world is vulnerable, weak, old and “un-patched” then this is what attackers will try to exploit to get into your network.
Reasons you may have Ports Open
· An office to have inbound VOIP telecoms enabled
· An office or data centre that needs to terminate VPN connections
· A web server terminating web connections
· A Media device with an inbound connection to serve media clients from outside the network
· Online computer games needing to connect into the network for online game play
· Inbound API application services
· Remote Desktop Connectivity
iana is the global repository if there is a specific port you would like to lookup, common software will use the same ports but not always.
What can I do about open Ports?
So just because you have open ports, this is not the end of the world and in fact super needed if you have critical systems which requires data to move from external RAW internet to an internal network. However please see below for some considerations around this:
- If you have open ports that face raw (or dirty) internet and you 100% need them (i.e they run a critical service for you) then you need to ensure that the software terminating these ports are up to date, has no vulnerabilities, and is designed to take external web traffic.
- If you have ports open and don’t know what they are for then its always worth closing them down on your firewall and seeing if anything breaks. Quite often when we find ports open they are not always needed.
- Any external connections that face raw internet should ideally be running over SSL (so port 443). This isn’t always the case but a good example here is that web traffic shouldn’t be run over Port 80 it should be 443 to know its encrypted.
- External Ports open facing raw internet should ideally be behind some kind of proxy / web application firewall tech. Having to deal with bots trying to Port Scan you or Denial of Service Attacks (and a whole host of other internet nasties) is fairly advanced tech and ideally any Ports open facing raw internet should have Proxy / Web Application Firewall capabilities in front of them.
Things also to note about a Penetration Test:
- Please note some home or poorly configured business devices will allow a service called “UpnP” to open its own ports automatically on the router for media or computer games use. This can be dangerous as you wouldn’t know unless you performed an external port scan.
- Most Port Scanning tools will just do the top 1000 ports used, which will usually find most things but to be 100% sure you really need to conduct a scan of 65,535 ports (a full port scan) you can do this on both the Robo Shadow platform and most other tools and platforms you may come into contact with. Just be sure that you have conducted at least 1 full scan of your network across all 65,535 ports.
- If you have no Ports open at all then your router device is practically impossible to hack. The bad guys will need a port open to be able to try and exploit a weakness.
- Some scanning technologies can tell you if you have Ports open on your firewall but nothing being terminated behind them. This is a fringe case and if you have ports open but nothing terminating them (I.e no software behind the port listening) then this is still fairly secure, however if the bad guys learn this by doing a low level scan it does potentially give them another door to use if they can get on the inside of the network and create some software to listen to.
Please feel free to contact us if you have any questions on this Blog.
About the Author: Terry Lewis a 25-year Tech Entrepreneur and Technology Blogger.
“I’m lucky to of worked in technology all over the world for large multi-national organisations, in recent years I have built technology brands and developed products to help make technology that bit easier for people to grasp and manage. By day I run tech businesses, by night (as soon as the kids have gone to bed) I write code and I love building Cyber Security technology.