CompTIA CYSA+ CS0-002 – Analyzing Network IOCs Part 4

  1. Nonstandard Port Usage (OBJ 4.3)

Nonstandard port usage. Now, before we can start talking about nonstandard port usage, we have to know what a port is. Well, the Internet Assigned Numbers Authority, or IANA, maintains a list of well-known and registered TCP and UDP port mappings. Now, each of these ports is basically an opening on a computer. They're logical openings, but essentially they work as a door. For instance, if you live in an apartment building, you all have the exact same address. You might be living at 123 Main Street. Well, that apartment building address is just like the IP address on your computer: it gets you to the computer, but it doesn't tell you what service is running in each individual room.

Just like if you go to 123 Main Street and you see an apartment building that has 500 apartments, how do you know which of those 500 apartments I live in? Well, you'd have to know my door number, or port number. And that's what we're going to talk about here. Now, when we talk about a well-known port, these are ports between 0 and 1023. Anytime you find a port between 0 and 1023, these are considered well-known ports under the IANA system. Now, in the second group, we have what's called registered ports. These are ports 1024 to 49151. Anything in this range is considered a registered port.

Now, anytime you get above that, you start getting into dynamic ports. These are ports 49152 all the way up to 65535. Anything in this range is considered a dynamic port. Now, these are just three categories of ports, but they are important for you to understand. When you're dealing with a legitimate application server, it is going to use well-known and registered ports by default, so something underneath 49152. Now, that's still a ton of ports out there. Do you have to memorize all of those? Of course not, but there are about 40 that you will need to know, and we'll cover those in the next two lessons. Now, let's take an example here. You probably have used an internet site before. For example, if you're watching this video, you had to go into your web browser and type in a domain name like diontraining.com to access it.

Now, if you're using it over HTTP, this is unsecure, so it's using port 80. If you want to get to my secure web server, you would type in https://diontraining.com and hit enter. That would operate over port 443 and create an encrypted tunnel between your client and my server. That's the way these ports work. You're still going to the exact same server. The only difference is which service is going to answer: is it going to be unencrypted port 80 or encrypted port 443? Using that will help you determine which part of the server, which function, which service is going to answer that request. Now, there is no definitive or comprehensive list of all the different ports used by malware.

If I'm going to use something like a web server, that may operate on port 80, but it doesn't have to. And so every malware writer can decide what ports they want to use. And because they're not known for documenting all of their port usage with a central authority like IANA, they can really just use any port they want. So what might be an indicator that a piece of malware is running on a port instead of an authorized application? Well, for one, if you see an open dynamic port on a machine, something in the 49152 to 65535 range, and it appears to be constantly open on a host, this could indicate a malicious traffic channel, because this isn't common. Ports up in this range are usually open for a short period of time, used, and then closed.

And so if you see one that's open for long, long periods, like days or weeks, that could be an indication that somebody is running some kind of malicious server in that range. Now, another thing that might tip you off that there is something going on here with malware is that you start seeing nonstandard port usage, which is what the title of this lesson was. Now, a nonstandard port is when you see communications of a TCP/IP application, for instance HTTP, which is web, or FTP, which is file transfer, or DNS, which is the domain name system, happening over a port that is not the well-known or registered port established for that protocol. That would be a nonstandard port.

So I just used the example of web. Web is HTTP; that's port 80. If I was running that over port 153, for instance, not port 80, that would be a nonstandard port. There's nothing wrong with doing that, but it is something that should flag as suspicious and something you want to investigate. Now, the first IOC we want to talk about here is the use of a nonstandard port when a well-known or registered port is already established for that purpose. For example, malware might use a nonstandard port other than port 53 for DNS traffic. So if I start sending DNS traffic over port 80 or port 20 or port 63 or any number that is not 53, that is considered nonstandard. Now, another indicator of compromise you might see is mismatched port-application traffic, where nonstandard traffic is communicated over well-known or registered ports.

So if I start taking some nonstandard traffic and I start putting it over web port 80, which is a well-known port, and I'm not sending web traffic over port 80, that again is a mismatch and should flag as something to investigate. So what are some mitigations against this? Now, the first mitigation is to configure your firewalls to only allow whitelisted ports to communicate on the ingress and egress interfaces. So if you're using something like an application layer firewall, it can detect what application is being sent out. If I'm trying to send web traffic on something other than port 80 or port 443, it can block it. If I'm trying to receive web traffic on something other than port 80 or port 443, it can block it.

That's what we're talking about here with this mitigation. Our second mitigation is to have good configuration management. If we can have our configuration documentation showing us which server ports are allowed on any given host type, that allows us to then configure host-based firewalls and other prevention mechanisms to stop nonstandard things from being run on those systems. For example, if I just built a web server and I said that for this server I should only run ports 80, 443, and 22, because I need to be able to log in through SSH to configure that web server, anything else is going to be blocked.

And that way we can configure that host in a more secure manner. Our third mitigation is to configure detection rules to detect mismatched protocol usage over a standard port. So again, we're going to look at all of our standard ports, ports 21, 22, 23, 25, 53, 80, things like that. And if we start seeing things that don't match those ports, we are going to flag those in our detection system, and that way our analysts can look into it further. So I think at this point we have a good idea of this nonstandard port concept. But one of the things that is often used by attackers is the ability to get a remote shell and then communicate over some kind of standard or nonstandard port.
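As an added example (not from the course), here is Python detection logic for the three indicators above and the third mitigation: a known application on a nonstandard port, nonstandard traffic on a well-known port, and a listener that stays open for days in the dynamic range. The flow records, the application labels (as an application-layer firewall or IDS would assign them) and the 24-hour threshold are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Well-known ports (IANA) for the application protocols this lesson names.
EXPECTED_PORT = {"ftp": 21, "ssh": 22, "dns": 53, "http": 80, "https": 443}
PORT_OWNER = {port: app for app, port in EXPECTED_PORT.items()}
LONG_LIVED = 24 * 3600  # assumed threshold: a dynamic port open a day or more is not ephemeral use

def port_class(port: int) -> str:
    """IANA ranges: well-known 0-1023, registered 1024-49151, dynamic 49152-65535."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

@dataclass(frozen=True)
class Flow:
    host: str          # host offering the service
    port: int          # server-side (listening) port
    app: str           # protocol as identified by an application-layer firewall or IDS
    open_seconds: int  # how long this port has been in use

def findings(flow: Flow) -> list[str]:
    """Return the lesson's nonstandard-port IOCs that this flow triggers."""
    out: list[str] = []
    expected = EXPECTED_PORT.get(flow.app)
    if expected is not None and flow.port != expected:        # IOC 1: app on a nonstandard port
        out.append(f"{flow.app} on nonstandard port {flow.port} (expected {expected})")
    owner = PORT_OWNER.get(flow.port)
    if owner is not None and flow.app != owner:                # IOC 2: wrong traffic on a known port
        out.append(f"mismatched traffic: {flow.app} over port {flow.port}, which belongs to {owner}")
    if port_class(flow.port) == "dynamic" and flow.open_seconds >= LONG_LIVED:  # IOC 3
        out.append(f"dynamic port {flow.port} open for {flow.open_seconds // 3600} hours")
    return out

def triage(flows: list[Flow]) -> dict[str, list[str]]:
    """Map 'host:port' to its findings, keeping only flows that triggered something."""
    result: dict[str, list[str]] = {}
    for flow in flows:
        hits = findings(flow)
        if hits:
            result[f"{flow.host}:{flow.port}"] = hits
    return result

# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, "https", 30),                  # normal HTTPS
    Flow("10.0.0.5", 80, "dns", 12),                     # DNS sent over the web port
    Flow("10.0.0.9", 153, "http", 45),                   # web served on port 153
    Flow("10.0.0.9", 53, "unknown", 200),                # non-DNS bytes on 53 (the database.sql case)
    Flow("10.0.0.12", 50123, "unknown", 3 * 24 * 3600),  # dynamic port open for three days
    Flow("10.0.0.12", 50200, "unknown", 5),              # ordinary short-lived ephemeral port
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_FLOWS).items():
        print(key, "->", "; ".join(hits))
```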

Now, this is important because an attacker is going to attempt to get remote access so they can start running commands on a victimized system. And there are two ways they can do this. The first is what's known as a shell. A shell is when an attacker opens a listening port that exposes the command prompt on the local host and connects to that port from a remote host. The reverse of this is what's known as a reverse shell. This is when an attacker opens a listening port on the remote host and causes the infected host to go and reach out and connect to it. Now, the reason why reverse shells are popular is because a lot of times the host is going to be behind a firewall.

And if it's behind a firewall and you open a listening port on it, well, the remote host can't get to it, because the firewall will block them coming from the internet into the organization. But a reverse shell is used to exploit organizations that haven't configured outbound traffic filtering at the firewall, because a lot of firewalls have a policy set up that if somebody on the inside requests to open a port to go out, it will allow that. And so in the case of a reverse shell, the listener is set up on the attacker's machine. So when you're making the connection, you're going from the internal network, opening the port to request the information of that remote server.

Once you've opened that door, the attacker can then get in. That's why reverse shells are very popular. So you may be wondering, how do you create a shell or reverse shell? What does an attacker do? Well, normally they're going to use a program like a remote access Trojan, or they can do it manually using something like Netcat. Netcat, also known as nc, because that's the command line tool, is a utility for reading and writing raw data over a network connection that's often used as a listener for remote shells. So if I wanted to set up a regular shell on a victim system, I can do that by simply typing in nc -l -p 443 -e cmd.exe: -l for listen, -p for the port I want to listen on (443), -e for execute, and cmd.exe for the command line. So what this is saying is: Netcat, set up a listener on port 443 and execute cmd.exe whenever somebody connects to it.

Very simple command. Now, on my machine, if I want to connect to that listener, I would simply type in nc followed by the IP address I'm trying to connect to and the port number, 443. If I hit enter, I should get back a C:\ prompt from that machine, so I'm at the command prompt on the remote machine. Now, that's the way we can connect to these things using a shell. Again, you can connect these in either direction. It can either be a shell or a reverse shell; it just depends on where the listener is being set up. If the listener is set up inside the network on the victim, it's a shell. If the listener is set up on the attacker's machine and the victim is made to connect to it, that's a reverse shell.

Now, Netcat can also be used with scripting or redirection to be able to send and receive files. And so we're actually going to go back a couple of sections and bring back some of our scripting and some of the concepts that we talked about. For instance, if I set up a listener to receive a file, I'm going to use nc -l -p 53: -l for listener, -p for port. Let's say we're going to use port 53, DNS, again a nonstandard port for this use, and then we want to redirect that information into a file. So anything that Netcat receives over port 53 as it's listening is going to be dropped into this database.sql file. Now, again, this is nonstandard because we're dealing with a .sql file, which is a database file, but we're dealing with port 53, which is DNS, right? So this might be something your system could flag.

Now, if I want to send that file to the listener, what am I going to use? Well, I'm going to use the type command, which basically says print this file to the screen, and the file I want to print is database.sql. Now, instead of just typing it to the screen, though, I'm going to use a pipe, and by piping it, I can take the data and send it to the next command. So instead of pushing it to the screen, I'm actually pushing it to Netcat. And Netcat is going to send it to the listening IP address, and it's going to be received on whatever port we have the listener set up on, in this case port 53.

So take this database and push it to the Netcat listener. And in the last command we had, we had the listener set up to receive, and whatever it received, it pushed into a file called database.sql. So we effectively have transferred this file. As you can see, an attacker can use these nonstandard ports to start sending data around, because most systems will allow traffic out on port 80 or 443 or port 53, because you need those to run your business and to access the web and DNS. But an attacker can also use those to send out information to some server they've set up, like Netcat, that will listen on those ports even if they're not running DNS or web.

  2. TCP Ports (OBJ 4.3)

Transmission Control Protocol ports. Now, as a cybersecurity analyst, you have to know some TCP port numbers for the different registered ports that are commonly scanned against. This way, as you're going through your logs, you don't have to keep looking them up each time. If you see a port like port 80, you should know that's web traffic; it's HTTP. In this lesson, I'm going to go through the most common ports that you need to know for the exam. We're going to go through them fairly quickly, because these are all things you should know already from your previous studies in Security+, Network+, or A+. If there's any of these that you don't understand, make a note of it, go on to Google and look it up so you can understand what that service is and what it's used for.

First we have 21, which is FTP. This is the File Transfer Protocol. This is used, as you could guess, to transfer files. Essentially, if you're running an FTP server, port 21 would be open on your firewall. Next, we have port 22, which is SSH or SFTP. SSH is Secure Shell. It is a remote access tool to give you command line access over a remote system. Now, when you're dealing with SFTP, this is FTP over SSH, which allows you to take the File Transfer Protocol and run it securely through an SSH secure tunnel. Then we have port 23, Telnet. Telnet is an unsecure remote administration interface. SSH has pretty much replaced Telnet in most cases, and Telnet is extremely vulnerable.

If you see that you're running a Telnet server on your system, you probably should look at upgrading it to an SSH server and getting rid of Telnet. 25 is SMTP. It is the Simple Mail Transfer Protocol. This allows your email servers to send mail, and so port 25 will be open if you're running an email server that can send outbound mail. Port 53 is DNS. DNS is the Domain Name System. DNS translates our IPs to names and our names to IPs. Now, one of the unique things about DNS is that DNS is port 53 on both TCP and UDP. In the next lesson, we're going to go through the UDP ports. But for right now, remember that 53 is DNS, and when you're using it over TCP, it's going to be used for zone transfers. Next, we have port 80, which is web traffic, HTTP, which is the Hypertext Transfer Protocol.

This is the unsecured version of being able to send data over the Internet. So for example, if you go to Dion Training and you're using the HTTP version, you're going to get an unencrypted version of my site. Next, we have 110, and this is POP3. POP3 is the Post Office Protocol version 3, and this is a legacy mailbox access protocol. These days, POP3 has been replaced mostly with IMAP, which we'll talk about later. Port 111 is RPCbind. This is going to map the Remote Procedure Call, or RPC, service to port numbers inside a Unix-like environment. Now, anytime we talk about a Unix-like environment, this is going to apply to Unix, Linux, and Mac OS X, because all three of those are Unix-like environments.

If you see port 111 open, this is usually a dead giveaway that a particular server is running Unix, Linux, or Mac OS X, because Windows uses different ports when you're dealing with RPC. Speaking of Windows and RPC, we have port 135. Port 135 is MSRPC. This advertises what RPC services, or Remote Procedure Call services, are available within a Windows environment. Next, we have 139, which is NetBIOS-SSN. The NetBIOS Session Service is going to support Windows file sharing with pre-Windows 2000 hosts. Now, a lot of recent hosts will still use this because it is backwards compatible. So it is something that may be open on your Windows servers in your Windows domain.

Note there are a lot of vulnerabilities against this particular server and service, so it is something that you'd want to shut down if you don't need it. Next, we have IMAP, which is port 143. IMAP is the Internet Mail Access Protocol, and it is a newer version of mail access that has replaced POP3 in most systems. Port 443 is HTTPS, which is Hypertext Transfer Protocol Secure. If you're going to my website at Dion Training and you're going to log in, you want to make sure that in the header it says https://diontraining.com. This way you create an encrypted tunnel between your client and my server when you're sending your usernames and passwords back and forth. If you see the lock or the green bar in your title bar when you type in your address, that means you're using a secure connection over port 443.

The next port is port 445, and this is Microsoft-DS. This supports Windows file sharing using Server Message Block over TCP/IP on current Windows networks. So if you're running Windows 10 and you're doing Windows file sharing, you're using port 445. Next we have IMAPS, which is the secure version of the Internet Mail Access Protocol. This runs over port 993. Similarly, we have a secure version of POP3. This is port 995, also known as POP3S. This is Post Office Protocol version 3 Secure. And essentially, with both of these we're going to have an SSL or TLS tunnel created between our client and the server we're trying to reach, very much like HTTP versus HTTPS.

The next one we have is port 1723, which is PPTP, the Point-to-Point Tunneling Protocol. This is a legacy VPN protocol that was used early on, but it does have a weak security implementation, so we don't really use it very often these days. Instead, we've moved to more secure things like IPsec. The next port we're going to talk about is for MySQL servers. This is 3306. 3306 is used for a MySQL database connection. So if you're creating a web application that can read and write to a MySQL database server, it's going to do this over port 3306. The next port we have is 3389, which is RDP, or the Remote Desktop Protocol.

This will allow you to visually log into a remote system. You'll be able to see what's on the screen, send keyboard and mouse commands back and forth, and that way you'll be able to control a system from a distance without having to use the command prompt. RDP is heavily used in a Windows environment. Next we have port 5900, which is VNC, the Virtual Network Computing remote access service. This service is basically like RDP, but it is open source and used across all systems, not just Windows. Now, when you're using security with VNC, you may be using different ports depending on the configuration you're using. But port 5900 is the default port for VNC, regardless of which security implementation you're using, and then, based on the security implementation you're using, it may change that port.

The last port we have is port 8080, which is HTTP proxy. This is a web proxy service or an alternate port that can be used for HTTP. If I'm running two web servers on one server, I might have port 80 for the first one and port 8080 for the second one. Or if I'm running a proxy server, I can use port 8080 to run that proxy server. Now, for the exam, do you have to memorize these ports? I would say yes. Are they going to ask you a question like "what is port 8080?" The answer is no, they're not. Instead, as you're going through and doing your packet analysis, or you're looking over firewall log configurations or anything like that, you're going to see port numbers all over the place. And a lot of times they're not going to tell you what that port is used for.

So if I'm looking at a packet capture and I see 3389, they're not going to say "3389 (RDP)", it'll just say port 3389. And then you have to know that that is RDP, which means somebody might be remotely connecting to your server and controlling it from a distance. If that's coming from outside on the Internet, from some unknown IP, that could be an indicator of compromise. So that's the idea that you have to think about when you're dealing with these different port numbers. In this lesson, all the ports I just gave you are TCP. They are Transmission Control Protocol. They use a three-way handshake, and they retransmit data if it doesn't get there, because of the way TCP works. In the next lesson, we're going to talk about UDP ports.
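An added example, not part of the course: a small Python triage script that labels destination ports with this lesson's TCP port table and raises the kinds of concerns described above (a remote-access port like RDP reached from outside the network, an internal-only service such as SMB exposed, and a legacy protocol like Telnet still in use). The log line format, the sample lines and the choice of RFC 1918 ranges as "internal" are assumptions.

```python
from __future__ import annotations
import ipaddress

# The TCP ports this lesson covers (port -> service).
TCP_PORTS = {
    21: "FTP", 22: "SSH/SFTP", 23: "Telnet", 25: "SMTP", 53: "DNS (zone transfer)",
    80: "HTTP", 110: "POP3", 111: "RPCbind", 135: "MSRPC", 139: "NetBIOS-SSN",
    143: "IMAP", 443: "HTTPS", 445: "Microsoft-DS (SMB)", 993: "IMAPS", 995: "POP3S",
    1723: "PPTP", 3306: "MySQL", 3389: "RDP", 5900: "VNC", 8080: "HTTP proxy",
}
REMOTE_ADMIN = {22, 23, 3389, 5900}         # interactive remote control of a host
LEGACY = {23, 110, 1723}                    # called unsecure or legacy in the lesson
INTERNAL_ONLY = {111, 135, 139, 445, 3306}  # RPC, file sharing, database: not internet-facing
# Assumed: the organization's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr) -> bool:
    """True when addr (an ipaddress object) falls inside one of INTERNAL_NETS."""
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str) -> dict:
    """Parse the constructed log format '<time> <src_ip> <src_port> <dst_ip> <dst_port> <proto>'."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}

def assess(rec: dict) -> list[str]:
    """Label the destination port and list the reasons an analyst should look closer."""
    port = rec["dport"]
    service = TCP_PORTS.get(port, "not in the lesson's list")
    notes = [f"{port}/{rec['proto']} = {service}"]
    external = not is_internal(rec["src"])
    if port in REMOTE_ADMIN and external:
        notes.append(f"{service} connection from outside the network ({rec['src']})")
    if port in INTERNAL_ONLY and external:
        notes.append(f"{service} reachable from outside the network ({rec['src']})")
    if port in LEGACY:
        notes.append(f"{service} is unsecure/legacy and should have been replaced")
    return notes

def triage_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Keep only records where assess() found something beyond the port label."""
    flagged = []
    for line in lines:
        notes = assess(parse_line(line))
        if len(notes) > 1:
            flagged.append((line, notes))
    return flagged

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 203.0.113.7 51544 10.0.0.20 3389 tcp",   # RDP from the internet
    "2024-05-01T10:00:05 10.0.0.15 49200 10.0.0.20 3389 tcp",     # RDP between internal hosts
    "2024-05-01T10:01:00 10.0.0.15 49311 10.0.0.30 23 tcp",       # Telnet still in use
    "2024-05-01T10:02:00 198.51.100.4 40000 10.0.0.40 445 tcp",   # SMB reachable from outside
    "2024-05-01T10:03:00 10.0.0.15 49500 203.0.113.50 443 tcp",   # outbound HTTPS, nothing to flag
]

if __name__ == "__main__":
    for line, notes in triage_log(SAMPLE_LOG):
        print(line, "->", "; ".join(notes))
```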