What are Ports?
In computer networking, ports allow data packets, each consisting of control information and user data, to be delivered to the right destination across a network. A port is identified by a standardized number and is associated with a specific process or service. Ports belong to the transport layer (Layer 4) of the OSI model, where the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) directs traffic to a given port on its respective host and, through it, to the service listening there.
Ports are essential to the efficiency of computer networking because their primary job is to differentiate between the various IP services, such as web (HTTP) and file transfer (FTP). Without ports, traffic for these services and applications could not be reliably directed from its source to the correct destination, reducing the efficiency and effectiveness of data communication.
The Danger of Open Ports
In total, there are 65,535 TCP ports and 65,535 UDP ports. So why are ports talked about as dangerous or unsafe? To be clear, every port and its associated service carries some risk of attack. An open port is not by itself a security threat, but it becomes a high-risk concern when the service behind it is misconfigured, vulnerable to known exploits, unpatched, or poorly maintained, because threat actors can then exploit it. Beyond initial access, threat actors can leverage open ports to listen in, search for credentials, perform man-in-the-middle attacks, achieve remote code execution (RCE), and exfiltrate data in plain sight. For instance, threat actors commonly use TCP/UDP port 53, used by the Domain Name System (DNS), to exfiltrate data collected within the network, since DNS traffic is not widely monitored. An open port 53 therefore serves as a quiet exit route for adversaries.
Closed ports, by contrast, carry far less risk because adversaries are unable to listen in on or tamper with communication through them. Security teams therefore advocate closing unneeded ports, since doing so reduces the attack surface and improves the enterprise's overall security posture.
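The port 53 exfiltration channel described above is one case where monitoring the traffic, not just the port, matters. The following Python example is added here and is not code from the article: it applies a simple detection heuristic to a constructed DNS query log, flagging a client that sends several distinct, long, high-entropy subdomains to one base domain. The log format, the thresholds and the placeholder tunnel domain are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not real traffic): "<timestamp> <client> <qname> <qtype>".
# The tunnel domain is a placeholder name invented for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 www.example.com A
2024-05-01T09:00:02 10.0.0.5 mail.example.com MX
2024-05-01T09:00:03 10.0.0.7 4a1f9c0e3b7d2a5c8e6f.c1.exfil-placeholder.test TXT
2024-05-01T09:00:04 10.0.0.7 9e2b7c4d1a6f0e8b3c5d.c2.exfil-placeholder.test TXT
2024-05-01T09:00:05 10.0.0.7 0c8d3e5f7a1b9c2d4e6f.c3.exfil-placeholder.test TXT
2024-05-01T09:00:06 10.0.0.5 d41d8cd98f00b204e9800998ecf8427e.cdn-assets.example A
2024-05-01T09:00:07 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s):
    """Bits per character; hex- or base32-encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname):
    """Last two labels. Real deployments should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def subdomain_part(qname):
    """Everything left of the base domain, joined: the part a tunnelling tool controls."""
    return "".join(qname.rstrip(".").split(".")[:-2])

def find_suspects(log_text, min_sub_len=20, min_entropy=3.5, min_unique=3):
    """Flag (client, base domain) pairs with several distinct long, high-entropy
    subdomains; a single hashed CDN hostname is not enough to raise an alert."""
    per_pair = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, qname = parts[1], parts[2]
        sub = subdomain_part(qname)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            per_pair[(client, base_domain(qname))].add(qname)
    return {pair: len(names) for pair, names in per_pair.items()
            if len(names) >= min_unique}
```

Running `find_suspects(SAMPLE_LOG)` reports only the 10.0.0.7 client and its placeholder domain; the one-off hashed CDN hostname from 10.0.0.5 stays below the uniqueness threshold.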
How Open Ports Are Exploited
Discovering open ports on a network is one of the action items both threat actors (the bad guys) and penetration testers (the good guys) take to understand the environment and find potential exploits. This is known as the reconnaissance phase. Beyond discovering open ports, they identify the services running, the protocols used, and the baseline traffic in order to pinpoint vulnerabilities they can exploit. Port scanning is the common technique for identifying open ports. Several open-source penetration testing distributions, such as Kali Linux or BlackArch, bundle tools for scanning a network. For instance, Nmap, short for Network Mapper, is regularly used to scan for open ports and associated security risks such as vulnerabilities.
Furthermore, attackers may leverage OSINT (Open-Source Intelligence) tools, even a simple Google search, to find existing Common Vulnerabilities and Exposures (CVE) entries for the protocols and ports used in a specific environment. Take a CVE published in 2001 that targeted port 3389 over the Remote Desktop Protocol (RDP). Found in the CVE database, CVE-2001-0014 is an RDP vulnerability over port 3389 in Windows 2000 Terminal Service, which does not correctly handle certain malformed packets, allowing remote attackers to cause a denial of service; aka "Invalid RDP Data." This is a prime example of how an open port, 3389 in this case, can easily be exploited once a threat actor discovers an existing vulnerability. Therefore, enterprises that do not use RDP over port 3389 should ensure this port is closed to reduce their attack surface.
Commonly Hacked Ports
Port 21 — FTP (File Transfer Protocol)
FTP is used to transfer files across the Internet. It is inherently insecure because it authenticates with cleartext usernames and passwords and uses no encryption, leaving it vulnerable to sniffing and brute-force attacks.
Port 22 — SSH (Secure Shell)
SSH provides a remote connection to a server or host that allows one to execute commands and move files. If poorly managed, threat actors can locate private keys and authenticate to any account those keys grant access to, then escalate their privileges and ultimately move laterally throughout the network.
Port 23 — Telnet
Telnet creates a connection between a server and a remote computer, both called hosts. Because Telnet transports all data in cleartext, attackers can sniff the network for cleartext credentials, inject commands, and collect data they are not authorized to see.
Port 25 — SMTP (Simple Mail Transfer Protocol)
SMTP enables electronic mail transmission and is used by mail servers to send and receive mail. Since SMTP has no built-in security features, it is often vulnerable to attacks that hijack an email server to deliver spam or malware through email (phishing).
Port 53 — DNS (Domain Name System)
DNS acts as the Internet's phonebook, translating website names to their respective IP addresses. DNS is susceptible to registrar hijacking, in which an adversary compromises your commercial DNS account and transfers ownership of the domain. Additionally, an attacker can launch a DNS flood, a distributed denial-of-service (DDoS) attack that overwhelms the domain's DNS server, disrupting services and normal traffic.
Port 80 and 443 — HTTP (Hypertext Transfer Protocol) & HTTPS (Hypertext Transfer Protocol Secure)
HTTP and HTTPS are application-layer protocols for communication between web browsers and web servers. HTTP lets attackers eavesdrop on usernames and passwords sent in cleartext. HTTPS, on the other hand, encrypts the connection so that data packets travel through an encrypted tunnel and adversaries cannot eavesdrop on or intercept the communication.
Port 8080 and 8088 — HTTP Alternative
Because these two ports are HTTP alternatives for web traffic, they carry no encryption during data communication, which makes all web traffic sent over them susceptible to sniffing and interception by threat actors.
Port 445 — SMB (Server Message Block)
SMB is a network file-sharing protocol used to transfer data from a computer or server to other systems. Remote code execution (RCE) over SMB is prevalent among Windows systems. An exploit called EternalBlue in 2017 targeted a vulnerability in SMB v1.0 that allowed attackers to remotely execute arbitrary code and gain access to the network via specially crafted packets. Well-known malware that utilized EternalBlue included WannaCry (ransomware) and Emotet (Trojan).
Port 3389 — RDP (Remote Desktop Protocol)
RDP gives users a graphical interface for connecting to another computer over a network connection. Unlike a VPN, RDP provides access to network resources (databases, etc.) without the same limitations and without requiring high bandwidth. Brute-force and credential-stuffing attacks are frequent because weak sign-in credentials are a common RDP vulnerability.
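The advice in "How Open Ports Are Exploited" to close ports such as 3389 when they are not in use, combined with the list above, lends itself to a routine defender-side check. The Python example below is added here and is not code from the article: it audits a constructed listener table against an allowlist and annotates each network-reachable listener with the risk note this article gives for its port, skipping services bound only to loopback. The `ss -tuln`-style sample rows, the allowlist and the wording of the notes are assumptions made for the example.

```python
import ipaddress
# Risk notes per port, taken from the "Commonly Hacked Ports" list in this article.
RISKY_PORTS = {
    21: "FTP: cleartext credentials, sniffing and brute force",
    22: "SSH: exposed keys enable lateral movement if poorly managed",
    23: "Telnet: cleartext credentials and command injection",
    25: "SMTP: mail server hijacking for spam and phishing",
    53: "DNS: hijacking, DNS floods, quiet exfiltration channel",
    80: "HTTP: cleartext eavesdropping",
    445: "SMB: EternalBlue-class remote code execution",
    3389: "RDP: brute force and credential stuffing",
    8080: "HTTP alternative: no encryption",
    8088: "HTTP alternative: no encryption",
}

# Constructed listener table modelled on `ss -tuln` columns; not taken from a real host.
SAMPLE_SS = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 0 128 [::]:445 [::]:*
tcp LISTEN 0 128 *:3389 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
"""

def split_local(local):
    """Split 'addr:port', '[v6addr]:port' or '*:port'; drop any '%iface' scope."""
    host, _, port = local.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def is_exposed(host):
    """A wildcard or non-loopback bind is reachable from the network."""
    if host in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unrecognised address form: fail closed and report it

def audit_listeners(ss_text, allowlist):
    """Return (proto, port, note) for each network-reachable, non-allowlisted listener."""
    findings = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, (host, port) = parts[0], split_local(parts[4])
        if not is_exposed(host) or (proto, port) in allowlist:  # loopback-only is skipped
            continue
        findings.append((proto, port, RISKY_PORTS.get(port, "not in the article's list; review")))
    return findings
```

With only TCP 22 allowlisted, the sample yields two findings, SMB on 445 (bound to all IPv6 addresses) and RDP on 3389 (wildcard bind), while the loopback-only 8080 and 53 listeners are ignored.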