
Tenable Blog


Detecting "Off Port" Services

If you are attempting to perform network security monitoring in a large, unmanaged environment with poor security, you are most likely dealing with botnets, phishing attempts, worms and Trojans. Many of these threats install some sort of FTP, SSH or web server as a backdoor or drop point on a port other than the protocol's default. Discovering these on your network can help you find compromised servers, and sometimes administrators who are trying to bypass firewall rules. This blog entry discusses how to find these "off port" services with the Passive Vulnerability Scanner (PVS), with the Nessus scanner and through log analysis.

Example Passive Detection with the PVS

The Passive Vulnerability Scanner has three built-in rules which discover SSH not running on port 22, HTTP not running on port 80 and FTP not running on port 21. The PVS also has many plugins which simply find and report these services regardless of the port they are on, because they identify the protocol from the traffic itself rather than from the port number. If a hacker, Trojan or malicious insider has compromised a system on your network and installed a server for their partners to visit and/or transfer files, the PVS will discover it.

To illustrate this concept, below is a screen shot of a port summary for all discovered FTP servers at a small university:

[Screenshot: PVS port summary of all discovered FTP servers, showing ports 21 and 419]

In the image, two ports are found: 21 and 419. Port 21 is the TCP port assigned to the File Transfer Protocol, and port 419 is used by Ariel. Ariel may not be familiar to readers; it is a document delivery and printing service, common in university libraries, that uses the File Transfer Protocol to move documents around, so an FTP listener on 419 has a plausible legitimate explanation on this network.

The point of this port summary is that users should expect their FTP servers to run on port 21. An FTP server that turns up on any other port should be investigated; even a port with a known use, such as 419 here, deserves a quick confirmation that the host really is running that service and not an FTP drop point that happens to share the port.

For web servers, the PVS has rules which can find services running on non-standard ports. Below is a screen shot of a port listing of all non-standard web servers found on an operational network:

[Screenshot: PVS port listing of all non-standard (non-port-80) web servers found on an operational network]

In this listing, many of the discovered web servers are serving content, and others are using HTTP to participate in a variety of P2P networks. Web servers are embedded in many different types of network appliances and often run on ports other than 80, so a non-port-80 web server is not by itself evidence of compromise. The PVS's biggest advantage when looking for these off-port web services is that it can watch for "new" ones: any PVS vulnerability, including the detection of a new non-port-80 web server, can be sent as a real-time alert.

For the last example, the PVS passively discovered a Secure Shell daemon running on an off-port (in this case port 8080) at one of Tenable's monitoring sites. Below is a screen shot of a port summary for all SSH vulnerabilities, as well as a banner listing of the SSH daemon on port 8080:

[Screenshots: PVS port summary of all SSH vulnerabilities, and the banner of the SSH daemon found on port 8080]

There are a few "port 0" entries in the port listing because client-side vulnerabilities are reported with a port of zero. It is also quite likely that port 8080 was chosen by an administrator so that the service would look like a commonly used off-port web server: perhaps port 22 was being blocked by a firewall, and 8080 was chosen because it was allowed. Whoever placed it there, an SSH daemon on 8080 is exactly the kind of firewall-rule bypass mentioned in the introduction and deserves a follow-up.

In each of these cases, the PVS also accurately reported on all discovered FTP, HTTP and SSH servers that were running on their correct ports. If 100 FTP servers were detected and one of them was running on a port such as 2100, the PVS would still report 100 FTP servers plus an additional record for the single off-port FTP server.
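The passive approach above rests on one idea: classify a service by what it sends, then compare the port it was seen on with the port you expect. The following script is an added example, not PVS code and not from the original post; it shows that idea on a handful of constructed server banners (the hosts, ports and banner strings are made up), reproduces a per-port summary like the PVS port summary, and flags every FTP, SSH or HTTP listener that is not on its default port. The one edge case it handles is the shared "220" greeting: SMTP servers also open with 220, so a banner that mentions SMTP is classed separately rather than being counted as an off-port FTP server on port 25.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ports an administrator normally expects these services on.
DEFAULT_PORTS: Dict[str, int] = {"ftp": 21, "ssh": 22, "http": 80}


@dataclass(frozen=True)
class Observation:
    """First server-to-client payload seen on a TCP session (constructed sample data)."""
    host: str
    port: int
    payload: bytes


@dataclass(frozen=True)
class OffPortHit:
    host: str
    port: int
    proto: str
    expected_port: int


def identify_protocol(payload: bytes) -> Optional[str]:
    """Classify a service by what it says, never by the port it listens on.

    - SSH servers send an identification string beginning "SSH-" (RFC 4253).
    - HTTP servers answer a request with a status line such as "HTTP/1.1 200 OK".
    - FTP servers greet with a "220" reply (RFC 959); SMTP also greets with 220,
      so banners that mention SMTP are separated out rather than mislabelled FTP.
    """
    if payload.startswith(b"SSH-"):
        return "ssh"
    if re.match(rb"HTTP/\d\.\d \d{3}\b", payload):
        return "http"
    if re.match(rb"220[ -]", payload):
        if b"SMTP" in payload.upper():
            return "smtp"
        return "ftp"
    return None


def port_summary(observations: List[Observation], proto: str) -> Dict[int, int]:
    """Count listeners of one protocol per port, like the PVS port summary."""
    counts: Dict[int, int] = {}
    for obs in observations:
        if identify_protocol(obs.payload) == proto:
            counts[obs.port] = counts.get(obs.port, 0) + 1
    return counts


def find_off_port(observations: List[Observation]) -> List[OffPortHit]:
    """Return every FTP/SSH/HTTP listener that is not on its default port."""
    hits: List[OffPortHit] = []
    for obs in observations:
        proto = identify_protocol(obs.payload)
        expected = DEFAULT_PORTS.get(proto)  # None for smtp/unknown protocols
        if expected is not None and obs.port != expected:
            hits.append(OffPortHit(obs.host, obs.port, proto, expected))
    return hits


# Constructed sample traffic, not captured from any real network.
SAMPLE: List[Observation] = [
    Observation("10.0.0.5", 21, b"220 ProFTPD 1.3.1 Server ready.\r\n"),
    Observation("10.0.0.6", 21, b"220-Welcome to the file server\r\n220 Proceed.\r\n"),
    Observation("10.0.0.7", 419, b"220 FTP server ready.\r\n"),
    Observation("10.0.0.8", 25, b"220 mail.example.net ESMTP Postfix\r\n"),
    Observation("10.0.0.9", 8080, b"SSH-2.0-OpenSSH_5.1\r\n"),
    Observation("10.0.0.10", 22, b"SSH-2.0-OpenSSH_5.1\r\n"),
    Observation("10.0.0.11", 8000, b"HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n"),
    Observation("10.0.0.12", 80, b"HTTP/1.0 404 Not Found\r\n\r\n"),
    Observation("10.0.0.13", 6881, b"\x13BitTorrent protocol"),
]

if __name__ == "__main__":
    print("FTP port summary:", port_summary(SAMPLE, "ftp"))
    for hit in find_off_port(SAMPLE):
        print(f"{hit.host}:{hit.port} speaks {hit.proto} (expected port {hit.expected_port})")
```

Run against the constructed sample, the FTP summary comes back as ports 21 and 419, mirroring the screenshot, and three hits are flagged: FTP on 419, SSH on 8080 and HTTP on 8000. The BitTorrent handshake and the SMTP banner are left alone, which is the behaviour you want before wiring something like this into an alert.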

Scanning with Nessus

Nessus will also readily identify FTP, SSH and HTTP servers not running on their default ports. Unlike the PVS, Nessus has no separate "off port" plugin IDs: a detected service is reported under the same plugin ID whatever the port, so an SSH server discovered on port 5100 is reported exactly the same way as one discovered on port 22, and only the port field differs. With a tool like the Security Center, you can list all FTP servers and then filter out port 21. The Security Center can also combine the results from active and passive scanning and automatically create dynamic asset lists of servers that have FTP on ports other than 21.

Below is a screen shot of an FTP server found on port 49152:

[Screenshot: Nessus result for an FTP server found on port 49152]

In this case, the discovered FTP server was being used to host content such as movies or music. It was found by selecting all vulnerabilities from the FTP plugin family, conducting a port summary and then noticing that a handful of results were on ports other than 21.

When performing vulnerability scanning, keep in mind that by default Nessus doesn't scan all 65,535 TCP ports. An off-port service on a high port such as 49152 will only be found if the scan's port range includes it, so widen the port range in the scan policy (for example to 1-65535) when hunting for these services.
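Because Nessus reports an off-port service with the same plugin ID as an on-port one, the work of separating them happens in the results, which is what the Security Center filter and dynamic asset list do. The script below is an added example, not Security Center or Nessus code and not from the original post. It parses a constructed fragment written in the shape of a .nessus (v2) report (the hosts, ports, plugin IDs and names in it are illustrative; the code relies only on the ReportHost/ReportItem layout and the port, protocol, svc_name and pluginFamily attributes), produces the per-port summary for a plugin family as in the FTP example, and builds the "FTP not on port 21" style asset list described above.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# Constructed .nessus (v2) fragment. Hosts, ports, plugin IDs and plugin names
# are illustrative; the parser only relies on the element layout and the
# port, protocol, svc_name and pluginFamily attributes.
NESSUS_XML = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="offport-example">
    <ReportHost name="192.168.1.10">
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="0"
                  pluginID="10092" pluginName="FTP Server Detection" pluginFamily="FTP"/>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="10267" pluginName="SSH Server Type and Version Information" pluginFamily="Service detection"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                  pluginID="10107" pluginName="HTTP Server Type and Version" pluginFamily="Web Servers"/>
    </ReportHost>
    <ReportHost name="192.168.1.11">
      <ReportItem port="49152" svc_name="ftp" protocol="tcp" severity="0"
                  pluginID="10092" pluginName="FTP Server Detection" pluginFamily="FTP"/>
      <ReportItem port="49152" svc_name="ftp" protocol="tcp" severity="2"
                  pluginID="34324" pluginName="FTP Supports Cleartext Authentication" pluginFamily="FTP"/>
    </ReportHost>
    <ReportHost name="192.168.1.12">
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="0"
                  pluginID="10092" pluginName="FTP Server Detection" pluginFamily="FTP"/>
      <ReportItem port="5100" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="10267" pluginName="SSH Server Type and Version Information" pluginFamily="Service detection"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_report_items(xml_text: str) -> List[Dict[str, str]]:
    """Flatten every ReportItem into a dict of its attributes plus the host name."""
    items: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            row = dict(item.attrib)
            row["host"] = host.get("name", "")
            items.append(row)
    return items


def port_summary(items: List[Dict[str, str]], family: str) -> Dict[int, int]:
    """Port summary for one plugin family (e.g. 'FTP'): port -> number of findings."""
    return dict(Counter(int(i["port"]) for i in items if i.get("pluginFamily") == family))


def off_port_assets(items: List[Dict[str, str]], svc_name: str, default_port: int) -> List[str]:
    """Dynamic asset list: hosts running `svc_name` on any TCP port other than the default."""
    hosts = {
        i["host"]
        for i in items
        if i.get("svc_name") == svc_name
        and i.get("protocol") == "tcp"
        and int(i["port"]) != default_port
    }
    return sorted(hosts)


if __name__ == "__main__":
    rows = parse_report_items(NESSUS_XML)
    print("FTP family port summary:", port_summary(rows, "FTP"))
    print("FTP not on 21:", off_port_assets(rows, "ftp", 21))
    print("SSH not on 22:", off_port_assets(rows, "ssh", 22))
```

The port summary is keyed on plugin family, exactly as the example in the text was found; the asset list is keyed on the service Nessus assigned to the port (svc_name) rather than on any plugin ID, so it keeps working even though an off-port detection carries the same ID as an on-port one. Hosts are de-duplicated, so a host with several FTP findings on 49152 appears once.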

Analyzing activity with the Log Correlation Engine

If you've found a web server running on a port like 8000 or an FTP server running on port 65000, you may be able to analyze the network traffic associated with it. If you have a Log Correlation Engine being fed logs from network monitoring, NetFlow or firewalls, those logs will likely contain access and usage information that can be analyzed.

Simply entering the IP address of the suspicious server and the port of interest can show whether many or only a few remote users are accessing it. If suspicious activity is found, generalizing the search to all events involving that host may reveal a sequence of events that indicates a compromise. If the LCE is processing logs from intrusion detection systems, it may also have a record of the actual attack, if one was used to compromise the server.

In the previous example, in which the PVS found an SSH server on port 8080, we also had a Tenable Log Correlation Engine and a Tenable Network Monitor on that same network, which gave us a log of every network session. Entering the IP address of the system with the high-port SSH server along with port 8080 yielded the following:

[Screenshot: LCE query results for sessions to the SSH server on port 8080]

There have been several access attempts on port 8080 over the past few weeks. Further queries with the Security Center could yield a list of source IP addresses, determine when the port first went into use, and determine whether the remote users also reached other systems on the network.
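The three follow-up questions above (who connected, when the port first went into use, and what else those sources touched) are all answerable from session logs. The script below is an added example, not LCE, Tenable Network Monitor or Security Center code and not from the original post. It works over constructed session records in a simple "timestamp src:port -> dst:port bytes" format (the addresses, times and byte counts are made up, and the format is an assumption, not the LCE's own), runs the "this IP, this port" query from the text, summarizes count, sources and first/last seen, and then generalizes the search to every other destination those same sources reached.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed session records (not real LCE or Tenable Network Monitor output),
# one TCP session per line: "timestamp src_ip:src_port -> dst_ip:dst_port bytes".
SESSION_LOG = """\
2008-02-20T09:12:03 203.0.113.7:51234 -> 10.1.1.20:8080 3120
2008-02-20T09:12:40 10.1.1.33:40011 -> 10.1.1.20:80 812
2008-02-21T22:05:17 198.51.100.12:60002 -> 10.1.1.20:8080 1980
2008-02-25T03:44:09 203.0.113.7:51980 -> 10.1.1.20:8080 45120
2008-02-25T03:52:31 203.0.113.7:51981 -> 10.1.1.41:22 2200
2008-03-01T14:00:00 203.0.113.7:52010 -> 10.1.1.20:8080 760
2008-03-02T11:30:45 10.1.1.9:33000 -> 10.1.1.20:8080 500
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\d+)$")


@dataclass(frozen=True)
class Session:
    when: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_sessions(text: str) -> List[Session]:
    """Parse the constructed log format; malformed or blank lines are skipped, not fatal."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sip, sport, dip, dport, nbytes = m.groups()
        sessions.append(Session(datetime.fromisoformat(ts), sip, int(sport), dip, int(dport), int(nbytes)))
    return sessions


def sessions_to(sessions: Iterable[Session], dst_ip: str, dst_port: int) -> List[Session]:
    """The query from the text: every session to the suspicious server's IP and port."""
    return [s for s in sessions if s.dst_ip == dst_ip and s.dst_port == dst_port]


def summarize(sessions: List[Session]) -> Dict[str, object]:
    """How many sessions, from which sources, and when the port first went into use."""
    if not sessions:
        return {"count": 0, "sources": [], "first_seen": None, "last_seen": None}
    ordered = sorted(sessions, key=lambda s: s.when)
    return {
        "count": len(sessions),
        "sources": sorted({s.src_ip for s in sessions}),
        "first_seen": ordered[0].when.isoformat(),
        "last_seen": ordered[-1].when.isoformat(),
    }


def other_targets(sessions: Iterable[Session], sources: Iterable[str], exclude_dst_ip: str) -> List[Tuple[str, int]]:
    """Generalized search: which other (host, port) pairs did those same sources reach?"""
    wanted = set(sources)
    return sorted({(s.dst_ip, s.dst_port) for s in sessions
                   if s.src_ip in wanted and s.dst_ip != exclude_dst_ip})


if __name__ == "__main__":
    all_sessions = parse_sessions(SESSION_LOG)
    hits = sessions_to(all_sessions, "10.1.1.20", 8080)
    info = summarize(hits)
    print("sessions to 10.1.1.20:8080:", info)
    print("other systems reached by those sources:", other_targets(all_sessions, info["sources"], "10.1.1.20"))
```

On the constructed data the query returns five sessions from three sources, the first on 2008-02-20, and the generalized search shows that one of those sources (203.0.113.7) also opened an SSH session to 10.1.1.41:22, which is precisely the "did they reach other systems" question the text raises.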

For More Information

If this type of network analysis is interesting to the reader, these other Tenable blog entries will also likely be of interest:


