Finding Non-Standard Port & Protocol Pairings with Censys ASM
Censys recently released the new Universal Internet DataSet. One of the most important benefits of the dataset is automatic protocol detection. Through this feature, Censys now provides more in-depth data about services running on non-standard ports. As 66% of the services we detect are running on non-standard ports, it’s increasingly important for threat hunters and security teams to understand why we should be looking on non-standard ports, as well as how to use our Censys ASM Platform or Censys Enterprise Data to gain the best visibility into the services running on them.
The Basics of Ports and Protocols
The Internet functions in large part thanks to ports. A port is a software or service-related endpoint that allows data to be transmitted from your computer out to the Internet or even another computer in a network. There are 65,535 in total, and different protocols, or sets of rules that determine the specific data to be transmitted, run on these different ports. While any protocol can be run on any port, luckily there is some standardization for the most common pairings to make things simple for everyone. For example, SSH is typically found on port 22 and HTTPS on 443 (full list can be seen here). While this is the more common implementation, there are some instances when non-standard port/protocol pairings occur, and they can create security problems if you lack visibility into what is running in your environment.
Why are people using non-standard ports?
Security Through Obscurity
Over the years, cybersecurity has changed and evolved on a daily basis for both the malicious actors and those they are trying to affect. An endless supply of new software exposures, more sophisticated phishing attacks, and everything in between has made the role of defending a company’s digital attack surface nothing short of a heroic effort. One too-often-used approach is the idea of “security through obscurity”, applied in this instance by using non-standard ports to run services in an attempt to make your own points of entry less obvious. From an attacker’s perspective, this could make a service more difficult to find, since they are expecting a certain thing to be in a certain place. So there is some merit to this strategy, but it is widely accepted that more must be done in order to truly secure your environments. Nonetheless, this is a strategy that is employed by some.
Given there are over 64,000 ports to choose from, it’s understandable that hiding behind a non-standard port is actually an effective way of infiltrating and compromising an environment’s security. The standard ports and their respective protocols will obviously garner the most attention, and rightfully so, but what about the rest? This presents a large problem for a lot of the tools out there today. They are looking where they expect problems to be, but not necessarily where the adversary will be trying to obscure its communication. Being able to look for potential issues across an entire environment is essential to securing your attack surface.
Even if we cross all our T’s and dot all our I’s, there are still problems around every corner when you consider all the different software that is running within any given environment. One example is an old rpcbind misconfiguration that would inadvertently cause the program to listen on an obscure, non-standard port (above 32770) instead of the standard port 111. Needless to say, an unexpected exposure like this could take days, weeks, or months to discover, with the potential for significant harm to your organization. Imagine there were windows and doors unlocked all over your house that you weren’t aware of. Yikes!
Automatic Protocol Detection with Censys ASM
Censys has recently released an update to our scanning pipeline that will now allow you to detect all of the above scenarios using automatic protocol detection. If we go back to the beginning and think about the standard port/protocol pairings, it paints a pretty clear picture of how most scanning engines work today.
We know SSH runs on port 22, so the engine scans port 22 for SSH. However, as we now know, this is not always the case. Rather than searching for a specific protocol on the standard port, Censys is looking for 17 different protocols on each of the 2000+ ports that are scanned on a weekly basis. Not only does this allow you to find malicious actors intentionally using non-standard ports, it also provides more accurate discovery and monitoring of your own infrastructure so that you can quickly remediate when misconfigurations occur.
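The idea described above, as an added example that is not Censys's code or part of the original article: it classifies a service by the first bytes it returns rather than by its port, then flags pairings that fall outside a small standard-port map. The signature set, the port map, and the sample observations are assumptions constructed for illustration, and the responses are assumed to have been collected already from your own hosts.

```python
# Added example: identify a service from its first response bytes, not its port.
from typing import NamedTuple, Optional

# Illustrative subset of standard pairings (assumption; not the full IANA list).
STANDARD_PORTS = {"SSH": {22}, "HTTP": {80}, "TLS": {443}}

class Finding(NamedTuple):
    host: str
    port: int
    protocol: str
    standard: bool

def identify_protocol(data: bytes) -> Optional[str]:
    """Classify the first bytes a service sent back, ignoring the port."""
    if data.startswith(b"SSH-"):   # SSH identification string (RFC 4253)
        return "SSH"
    if data.startswith(b"HTTP/"):  # HTTP status line
        return "HTTP"
    # TLS record: content type 0x16 (handshake) or 0x15 (alert), major version 3
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "TLS"
    return None

def classify(observations):
    """Return a Finding per identified service, marking standard pairings."""
    findings = []
    for host, port, data in observations:
        proto = identify_protocol(data)
        if proto is None:
            continue  # unknown protocol: needs another signature, not a guess
        findings.append(Finding(host, port, proto, port in STANDARD_PORTS[proto]))
    return findings

def non_standard(observations):
    """Only the services whose protocol does not match the port's usual one."""
    return [f for f in classify(observations) if not f.standard]

# Constructed sample data (documentation addresses from RFC 5737).
SAMPLE = [
    ("192.0.2.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("192.0.2.10", 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("192.0.2.11", 8443, b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56"),
    ("192.0.2.12", 80, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    ("192.0.2.13", 22, b"HTTP/1.1 400 Bad Request\r\n\r\n"),
    ("192.0.2.14", 32771, b"\x00\x00\x00\x1c"),
]

if __name__ == "__main__":
    for f in non_standard(SAMPLE):
        print(f"{f.host}:{f.port} speaks {f.protocol} (non-standard port)")
```

Note that the HTTP response on port 22 is flagged even though 22 is a "standard" port: the check is on the pairing, which a port-first scanner would miss.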
Every technology environment is becoming more and more complex every day and managing your system is a challenge, regardless of the size of your team. The Censys ASM Platform enables teams to have the best visibility into what needs to be protected and where it lives.