Port Scan Vs Port Sweep

One of the most important aspects of my job is identifying attacker activity, understanding how attackers gain access to a network, and determining how to respond effectively to secure the environment.

Attackers use various techniques to breach systems, such as port scanning, phishing, and many others. In this discussion, we will take a deep dive into port scanning and port sweeping, and in particular how the two differ. Let's explore this topic in detail!

Port Scan
Port scanning is part of the reconnaissance phase, where attackers gather information about the network before they have any foothold in it. They identify which ports and services are open and potentially exploitable.

Attackers look for open ports and associate them with the services or applications that typically listen on them. For example:

22: SSH
3389: RDP
21: FTP

Knowing which services are exposed helps attackers choose an entry point and potentially gain access to the network.

A network has 65,535 possible port numbers, which are used to identify applications and services running on a network.

Several tools are commonly used for port scanning, such as:

Advanced IP Scanner: A graphical network scanner for Windows
Nmap: A powerful command-line tool for network discovery and port scanning

Now, let’s discuss the different types of port scans.

Horizontal Scan: This is when an attacker scans multiple IP addresses to check for a single open port (one port, many hosts).
Vertical Scan: This is when an attacker scans one IP address to check for multiple open ports (one host, many ports).

Port Sweep
Port sweeping is a technique that falls under the lateral movement phase, meaning the attacker has already gained access to the network. At this stage, the attacker scans the internal hosts for specific critical ports or, in some cases, all ports, to identify potential targets for further exploitation. In traffic terms it looks like a horizontal scan, but it originates from inside the network.

Critical Ports Commonly Targeted in a Port Sweep:
22 (SSH): Secure Shell, used for remote access.
3389 (RDP): Remote Desktop Protocol, used to access other desktops or hosts.
445 (SMB): Server Message Block, used for file sharing and communication.
5985 (WinRM): Windows Remote Management, used for remote management tasks.
21 (FTP): File Transfer Protocol, used for transferring files.

How Attackers Exploit These Ports:

Remote Access Ports (22 – SSH and 3389 – RDP):
If these ports are open, attackers can use them to gain remote control over other devices within the network.

File Sharing and Communication (445 – SMB):
Open SMB ports allow attackers to share or drop malicious files or payloads onto network shares. These files can execute malware and establish a connection back to the attacker's command-and-control (C2) server, enabling further exploitation or data exfiltration.

Remote Management (5985 – WinRM):
Attackers can use open WinRM ports to execute remote PowerShell commands, manage systems, or move laterally within the network.

The same tools used for port scanning, such as Advanced IP Scanner and Nmap, are also used for port sweeps; the difference lies in where the scan originates and which ports it targets, not in the tooling.
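To make the horizontal/vertical distinction and the port sweep definition above concrete from the defender's side, here is an added detection example (not code from the original post) that groups connection records by source and flags a source as a vertical scan (one host, many ports), a horizontal scan (one port, many hosts), or, when the source is an internal address and the port is one of the critical ports listed above, a port sweep. The flow records and the thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
import ipaddress

# Critical ports the post lists as common port-sweep targets
CRITICAL_PORTS = {22, 3389, 445, 5985, 21}

# Constructed sample flow records (src_ip, dst_ip, dst_port); not real traffic.
SAMPLE_FLOWS = [
    # external source probing many ports on one host -> vertical scan (recon)
    ("203.0.113.7", "10.0.0.20", 22), ("203.0.113.7", "10.0.0.20", 80),
    ("203.0.113.7", "10.0.0.20", 443), ("203.0.113.7", "10.0.0.20", 3389),
    ("203.0.113.7", "10.0.0.20", 8080),
    # internal source probing port 445 across many hosts -> port sweep (lateral)
    ("10.0.0.9", "10.0.0.21", 445), ("10.0.0.9", "10.0.0.22", 445),
    ("10.0.0.9", "10.0.0.23", 445), ("10.0.0.9", "10.0.0.24", 445),
    ("10.0.0.9", "10.0.0.25", 445),
    # ordinary client traffic that should not be flagged
    ("10.0.0.30", "10.0.0.40", 443), ("10.0.0.30", "10.0.0.40", 443),
]


def classify_sources(flows, host_threshold=4, port_threshold=4):
    """Return {src_ip: finding} for sources whose fan-out crosses a threshold.

    host_threshold: distinct destination hosts on one port -> horizontal scan.
    port_threshold: distinct ports on one destination host -> vertical scan.
    """
    ports_per_dst = defaultdict(lambda: defaultdict(set))  # src -> dst -> {ports}
    dsts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dsts}
    for src, dst, port in flows:
        ports_per_dst[src][dst].add(port)
        dsts_per_port[src][port].add(dst)

    findings = {}
    for src in ports_per_dst:
        internal = ipaddress.ip_address(src).is_private
        for dst, ports in ports_per_dst[src].items():
            if len(ports) >= port_threshold:
                findings[src] = {"type": "vertical_scan", "target": dst,
                                 "ports": sorted(ports)}
        for port, dsts in dsts_per_port[src].items():
            if len(dsts) >= host_threshold:
                # A horizontal scan from inside the network on a critical port
                # matches the post's definition of a port sweep.
                kind = ("port_sweep" if internal and port in CRITICAL_PORTS
                        else "horizontal_scan")
                findings[src] = {"type": kind, "port": port, "hosts": sorted(dsts)}
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(SAMPLE_FLOWS).items():
        print(src, finding)
```

In practice the thresholds should be tuned per environment and the records taken from firewall or NetFlow logs; the fan-out logic stays the same.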