How to attack open ports and what cybercriminals might do

What does it mean for a port to be “open”?

Communications at the transport layer, using mainly the TCP and UDP protocols, rely on what is called an “Internet socket”. A socket is the mechanism by which two processes (applications, for instance) can exchange data over the local network or over the Internet. Any data flow that uses TCP or UDP requires at least the following information:

  • Source IP
  • Source port
  • Destination IP
  • Destination port

On a local network, in a fully automated and transparent way, ports are constantly being opened and closed by the different processes so that they can communicate with other computers. For two processes to communicate, one process must be able to “find” the other in order to obtain services from it or provide services to it.

3-way handshake scheme

When we say that a “port is open”, it can refer to two very different situations:

  • An open port on a local computer, for instance on our PC or on a local server. In principle, all ports should be closed, because the firewall is normally configured restrictively (everything blocked except what is specifically allowed).
  • An open port in the router’s NAT. Normally the router does not have any “open” port, or rather, in the “Virtual Server” or “Port Forwarding” section there is no port forwarded to any computer. By default this table is empty in any router; however, we can register different rules to open ports to different computers.

When do we need to open ports locally?

If our local computer acts as a server “of something”, such as, for example, an FTP server, web server, SSH server, VPN server, database server and a long etcetera, we will need to have one or several ports open in the firewall so that the other computers on the local network or on the Internet can access our services; otherwise they will not be able to reach them, because the firewall will block this communication and the connections will not be established.

Normally in a home environment, if we set Windows 10 or a Linux-based operating system to “Private network” or “Home network”, the firewall is disabled and all incoming connections will be allowed. However, if we have it set to “Public network”, the firewall will be activated and will block all incoming connections that we have not previously initiated ourselves as outgoing connections; in that case we face a “restrictive” firewall.

When do we need to open ports in the router’s NAT?

If we have a computer on the local network that acts as a “something” server, as in the previous case, and we want those services to be accessible from the Internet, it will be necessary to do “port forwarding”, also known as “opening ports”. In this way, if someone opens a socket to the public IP address and the corresponding external port, that data flow will automatically be forwarded to the computer for which we have “opened the ports”.

By default no router has any rules to perform port forwarding; we will need to create them explicitly. In addition, an important detail is that if your operator uses CG-NAT, even if you open a port on the router externally, you will not be able to reach the internal resources of the local network from outside.

How do you attack a port?

You cannot really “attack” a port; what is attacked is the service behind that “port” that is listening to accept incoming connections. For instance, if we have port 5555 open and an FTP server is configured there, what would be attacked is the FTP service, not the port. The port is still just a “door” to the information; what is actually attacked are the services behind those ports.

The expression “attacking a port” is often used when what is really meant is “doing a port scan” to check which ports are open on a certain computer, in order to later attack the services behind them. There are many methods for doing a port scan, but, without doubt, the best one we can use is to perform a scan with Nmap, the program par excellence for host discovery and port scanning; in addition, it can also enable exploitation through NSE, an add-on to Nmap with the capability of cracking different services and exploiting known vulnerabilities.

Nmap is a very easy-to-use program; just install it on any Linux-based operating system to start using it. It is in the official repositories of every distribution, so simply execute the following command:

sudo apt install nmap

Once installed, we will need to execute the specific command to see whether a port is open, filtered or closed (where PUERTO is the port number and IP is the address of the target):

nmap -p PUERTO IP

We could also scan a range of ports as follows:


For instance, if we have a web server with HTTP and HTTPS running, it is completely normal to have ports 80 and 443 open, like this:

Checking open, filtered or closed ports with Nmap is easy; however, we recommend that you read the whole Nmap wiki, where we have detailed step-by-step manuals on the different types of port scanning available.
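A defender usually runs this kind of scan against their own hosts to confirm that only the expected services are exposed. The following script is an added example, not part of the original article or of Nmap itself: it parses Nmap's grepable output format (-oG), whose "Ports:" entries are laid out as port/state/protocol/owner/service/rpc info/version/, and compares the open ports on each host against a baseline of what should be open. The scan output, the host address 192.0.2.10 and the baseline are constructed for the example.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format; not real scan output.
# Each "Ports:" entry is port/state/protocol/owner/service/rpc info/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 5555/open/tcp//ftp///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65530)
# Nmap done: 1 IP address (1 host up) scanned
"""

# Constructed baseline: the only ports a public web server should expose.
BASELINE = {"192.0.2.10": {80, 443}}

# Seven slash-separated fields per entry; the last field is followed by "/".
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/(?P<owner>[^/]*)/"
    r"(?P<service>[^/]*)/(?P<rpc>[^/]*)/(?P<version>[^/]*)/"
)


def parse_gnmap(text):
    """Return {host_ip: {port: (state, protocol, service)}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        # Only "Host:" lines carrying a "Ports:" field list results;
        # the "Status:" lines and "#" comments are skipped.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        # The fields of a Host line are tab-separated; keep only "Ports:".
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            hosts.setdefault(ip, {})[int(m["port"])] = (
                m["state"], m["proto"], m["service"])
    return hosts


def audit(hosts, baseline):
    """Flag open ports missing from the baseline and baseline ports not open.
    A 'filtered' port is not counted as open: nothing answered the probe."""
    findings = []
    for ip, ports in hosts.items():
        expected = baseline.get(ip, set())
        open_ports = {p for p, (state, _, _) in ports.items() if state == "open"}
        for p in sorted(open_ports - expected):
            findings.append((ip, p, "unexpected open port"))
        for p in sorted(expected - open_ports):
            findings.append((ip, p, "expected port not open"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(*finding)
```

Run as a script it reports 22 and 5555 as unexpected open ports on 192.0.2.10; feeding it a real file saved with `-oG` works the same way, since the parser only relies on the field layout shown in the sample.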

What can a cybercriminal do with a port that is open?

When we have an open port, there are several cases regarding what a cybercriminal can or cannot do. If we have an open port but there is no service behind it listening, they will not be able to do anything at all; however, the open port number may be noted down in case we put a service listening there in the future.
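The two ideas above, the four values that identify a socket and the fact that a port is only “open” while a process is listening on it, can be checked on the loopback interface without any external tool. The script below is an added example and not code from the original article: it opens a listener on 127.0.0.1, classifies the port with a full connect() into the same three states Nmap reports (open, closed, filtered), shows the source IP, source port, destination IP and destination port of the resulting socket pair, and then shows that the same port reads as closed once the listener goes away. The function names and the timeout value are assumptions of the example.

```python
import errno
import socket


def start_listener(host="127.0.0.1", port=0):
    """Open a listening TCP socket. port=0 asks the OS for any free port.
    The listen() call is what turns a number into an "open port": without a
    process listening, the kernel answers connection attempts with RST."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def port_state(host, port, timeout=1.0):
    """Classify one TCP port from the outcome of a full connect():
      open     - the three-way handshake completed (SYN, SYN/ACK, ACK)
      closed   - the host replied with RST (connection refused)
      filtered - no reply before the timeout (typically a firewall drop)"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))   # errno instead of an exception
    except socket.timeout:
        rc = errno.ETIMEDOUT
    finally:
        s.close()
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def connection_tuple(srv):
    """Connect to the listener and return the four values that identify the
    socket pair: (source IP, source port, destination IP, destination port)."""
    host, port = srv.getsockname()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        cli.connect((host, port))
        src_ip, src_port = cli.getsockname()   # chosen by the OS (ephemeral)
        dst_ip, dst_port = cli.getpeername()   # the listener we connected to
        conn, _ = srv.accept()                 # take one pending connection
        conn.close()
    return (src_ip, src_port, dst_ip, dst_port)


if __name__ == "__main__":
    srv = start_listener()
    host, port = srv.getsockname()
    print("listener on", (host, port), "->", port_state(host, port))
    print("socket pair:", connection_tuple(srv))
    srv.close()
    print("after close ->", port_state(host, port))
```

The "filtered" branch only shows up against a host whose firewall drops the probe, which is exactly the restrictive behaviour the article recommends: a dropped SYN reveals nothing about whether a service exists behind the port.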

If we have an open port and there is a service listening behind it, they could carry out many actions:

  • Use it legitimately to check that it works.
  • If the service requires authentication, carry out a dictionary or brute-force attack to gain access to the service.
  • Perform a denial-of-service attack to make the service stop working properly and stop serving its users.
  • Exploit a security vulnerability in the service, either to illegitimately access the resources of the service, to get into the system, or even to escalate privileges and take full control of the server.

As you can see, with an open port and a service running behind it, a cybercriminal can perform many malicious actions; therefore, it is very important to protect the services behind that port. To protect them, it is advisable to carry out the following actions:

  • Correctly configure the firewall to allow access only to those who really need it; for instance, you can filter by country.
  • To mitigate DoS attacks, you can configure firewall rules to deny too many simultaneous connections from the same source IP.
  • You can install a program like fail2ban to detect multiple login attempts and then tell the firewall to block the source IP.
  • Harden the service that is listening, whether it is an SSH, FTP or web server; these services always have advanced settings to protect them even more.
  • Harden the operating system hosting the service: define strong authentication policies, keep the system updated, and even use advanced mechanisms such as SELinux, among others.
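The fail2ban item above boils down to a simple rule: count failed logins per source address inside a sliding time window and ask the firewall to drop the address once a threshold is reached. The script below is an added example, not the article's own code and not fail2ban itself; it implements that rule over constructed sshd log lines in syslog format and produces the iptables command fail2ban would typically hand to the firewall, without executing it. The parameter names maxretry and findtime follow fail2ban's vocabulary; the host name web01, the addresses and the timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (syslog format); not taken from a real system.
# 192.0.2.50 fails once every 15 minutes, 203.0.113.7 fails six times in
# ten seconds, 198.51.100.4 fails once and then logs in with a key.
SAMPLE_LOG = """\
Mar 13 09:00:00 web01 sshd[1901]: Failed password for root from 192.0.2.50 port 60001 ssh2
Mar 13 09:15:00 web01 sshd[1950]: Failed password for root from 192.0.2.50 port 60002 ssh2
Mar 13 09:30:00 web01 sshd[1999]: Failed password for root from 192.0.2.50 port 60003 ssh2
Mar 13 09:45:00 web01 sshd[2050]: Failed password for root from 192.0.2.50 port 60004 ssh2
Mar 13 10:00:00 web01 sshd[2100]: Failed password for root from 192.0.2.50 port 60005 ssh2
Mar 13 10:00:01 web01 sshd[2143]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 13 10:00:03 web01 sshd[2144]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 13 10:00:05 web01 sshd[2145]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Mar 13 10:00:07 web01 sshd[2146]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar 13 10:00:09 web01 sshd[2147]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 13 10:00:11 web01 sshd[2148]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 13 10:05:00 web01 sshd[2200]: Failed password for deploy from 198.51.100.4 port 40022 ssh2
Mar 13 10:05:10 web01 sshd[2201]: Accepted publickey for deploy from 198.51.100.4 port 40024 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd adds it when the account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


def parse_ts(text):
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for computing differences within a single log file.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_bans(lines, maxretry=5, findtime=600):
    """Return {ip: time the ban condition was first met} for every source
    with at least `maxretry` failures inside any `findtime`-second window."""
    attempts = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                 # successful logins and other lines
        ip, ts = m["ip"], parse_ts(m["ts"])
        window = attempts[ip]
        window.append(ts)
        # Drop failures that fell out of the window; slow attempts spread
        # over hours therefore never accumulate.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


def ban_command(ip):
    """Firewall rule that drops all traffic from the source. Returned as a
    string only; this example never executes it."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(when.strftime("%H:%M:%S"), ban_command(ip))
```

With the defaults only 203.0.113.7 is banned, at 10:00:09, when its fifth failure lands inside the ten-minute window; 192.0.2.50 is not, because its failures are fifteen minutes apart. Widening findtime to an hour catches the slow source as well, which is the trade-off the two parameters express: a longer window detects low-and-slow guessing at the cost of more state per source address.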

There are many security measures we can apply to a system and a service to make them more secure, but you must keep in mind that 100% security does not exist; therefore, you must be prepared for an incident and be able to recover the system.