Understanding Port Scanning: A Critical Tool in Web Security

CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this
material is prohibited and subject to legal action under breach of IP and confidentiality clauses.
Port Scanning of Website
By Saurabh S. Kajbaje

Agenda
• Abstract
• Reconcession
• Deliverable
• PoC
• Tool
• References

Abstract
• Scanning of the website for active open ports.
• Functions, Benefits, and Threats of an open port.
• Research
• Data Collection
• Impact Analysis
• Recommendation & Conclusion

Research
• Web Site Name: Tilak Maharashtra Vidyapeeth
• Host URL: www.tmv.edu.in
• Type: Universities and Colleges
• Overall Ranking:
Global Rank: 723,226
Country (India) Rank: 58,011
 Industry (Education) Rank: 7,181
• Usages (All Traffic):
 Total Visits (Worldwide): 47,502 (June 2024 - August 2024).
 Device Distribution: Desktop/Laptop – 30.54%, Mobile web – 69.46%

Data Collection
Technology Stack
• Hosting Panels: Plesk
• Operating Server: Windows Server
• Web frameworks: Microsoft
ASP.NET (4.0.30319)
• UI frameworks: Bootstrap
• Web Servers: IIS (8.5)
• JavaScript Libraries: jQuery (1.8.2)
• CDN: jQuery CDN
• Tag Managers: Google Tag
Manager

Port Scanning
• Port scanning is a technique for sending requests to ports on a network to
determine whether they are open or vulnerable.
• Port scans can help identify open ports, weak points, and security devices on a
network.
• When we send a message to a port, the response they receive determines whether
the port is being used and if any potential weaknesses could be exploited.

Functionality of Port Scanner
• A port scanner sends a TCP or UDP network packet and requests the port about its
current status.
• The three types of responses are below:
• Open, Accepted
• Closed, Not Listening
• Filtered, Dropped, Blocked

Types of Port Scanning
• Ping scans: A ping checks whether a network data packet can reach an IP address
without issues. Ping scans involve automated transmissions of several ICMP
requests to various servers.
• Half-open or SYNC scans: Attackers can check the state of a port without creating a
full connection by using a half-open scan, often known as an SYN scan. This kind of
scan transmits a SYN message and does not complete a connection with the
recipient.
• XMAS scans: XMAS scans send several packets to a port to check if it is open. If the
port is closed, the scanner gets a response. If it does not get a response, the port is
open and can be used to access the network.

Proof Of Concept
• Finding the IP Address of the Website.
• Basic Port Scan
(scanning most common 1000 Ports) –

Proof Of Concept
• Full Port Scan (scans all 65535 TCP ports):
• Service Version Detection:
To determine what services
are running on the open ports:

Proof Of Concept
 Port 21 FTP
 Possible Exploitations:
• Anonymous Authentication
• Weak or Default Credentials
• Cleartext Transmission of Credentials
• FTP Bounce Attack
• Directory Traversal Attack
• Unpatched FTP Software
• Misconfigured Permissions
• Passive vs. Active FTP Modes
• Denial of Service (DoS) Attacks
• Command Injection
 Mitigations Techniques:
• Anonymous Authentication
• Disable anonymous access unless
necessary and apply strict permissions.
• Use strong authentication methods,
including multi-factor authentication.
• Restrict IP addresses that can connect to
the FTP server.
• Regularly audit and update FTP server
software.
• Log and monitor FTP activity for suspicious
behavior.
Function: The function of an FTP port is to allow a computer and a server to communicate
and transfer data.

Proof Of Concept
 Port 25 SMTP
• Open Relay Abuse
• Spamming
• Spoofing
• Brute Force Attacks
• Mail Bombing
• Buffer Overflow Vulnerabilities
• TLS Downgrade Attack
• Exploitation of Default or Misconfigured
Settings
• SMTP Header Injection
• Phishing and Email-based Malware
• Disable open relaying:
• Use encryption (TLS/STARTTLS
• Limit access
• Monitor logs
• Apply patches regularly
Function: Simple Mail Transfer Protocol (SMTP) is used for sending emails.

Proof Of Concept
 Port 53 DNS
• DNS Cache Poisoning (DNS Spoofing)
• DNS Amplification Attacks
• DNS Tunnelling
• DNS Reflection Attacks
• DNS Hijacking
• DNS-based Malware C2 Communication
• DNS Flooding
• Zone Transfer Exploitation
• DNS Rebinding
• Exploitation of DNS Over HTTPS (DoH)
• Use DNSSEC
• Close Open Resolvers
• Implement Rate Limiting
• Filter DNS Traffic
• Monitor DNS Queries
• Restrict Zone Transfers
• Deploy DNS-over-TLS (DoT)
Function: Domain Name System (DNS) resolves domain names to IP addresses, enabling users to
access services using easy-to-remember names like example.com.

Proof Of Concept
Port 80 HTTP
• SQL Injection (SQLi)
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
• Unvalidated Redirects and Forwards
• Command Injection
• Server-Side Request Forgery (SSRF)
• Insecure Direct Object References (IDOR)
• Cookie Hijacking
• Broken Authentication
• Denial of Service (DoS) or Distributed Denial of
Service (DDoS)
• Use HTTPS
• Input Validation
• Use Security Headers
• Web Application Firewall (WAF)
• Patch Management
• Access Controls
• Session Security
• Error Handling
Function: HTTP is used to serve unencrypted web content. This allows users to view the website.

Proof Of Concept
 Port 443 HTTPS
• SSL/TLS Vulnerabilities
• Man-in-the-Middle Attacks (MITM)
• TLS Downgrade Attacks
• Insecure TLS Renegotiation
• SSL Pinning Bypass
• HTTPS Misconfigurations
• Server Vulnerabilities
• Certificate Authorities (CA) Exploitation
• HTTP/2 Vulnerabilities
• Use Modern TLS Versions
• Regularly Update and Patch
• Implement HSTS
• Use Strong Ciphers and Key Lengths
• Enable Perfect Forward Secrecy (PFS
• Monitor Certificate
• Enable Secure Cookies
• Certificate Pinning
Function: HTTPS is the secure version of HTTP, using SSL/TLS to encrypt communication between the
client and the server.

Proof Of Concept
Port 110 POP3
• Plaintext Credentials (Port 110)
• Brute Force Attacks
• Buffer Overflow Vulnerabilities
• SSL/TLS Downgrade Attacks (for POP3S)
• Misconfiguration and Weak Encryption
• POP3 Command Injection
• Directory Traversal (in Misconfigured
Servers)
• Prefer IMAP or SMTP for email retrieval
and sending since they are generally more
secure and flexible than POP3.
• Enforce SSL/TLS (POP3S) to encrypt the
connection.
• Regular patching of the mail server
software to mitigate known vulnerabilities.
• Implement rate-limiting, CAPTCHA, and IP
blacklisting to defend against brute force
and DoS attacks.
• Use strong encryption algorithms and
regularly audit the server for
misconfigurations.
Function: The Post Office Protocol version 3 (POP3) retrieves emails from a mail server.

Proof Of Concept
Port 135 MSRPC
• Unauthorized Remote Code Execution
(RCE)
• Pass-the-Hash (PtH) and Credential
Stealing
• Privilege Escalation
• Denial of Service (DoS)
• Weak Authentication or Misconfiguration
• Man-in-the-Middle (MitM) Attacks
• SMB Relay Attacks
• Lateral Movement via MSRPC
• Brute Force Attacks on Exposed Ports
• Apply Security Patches
• Firewall Configuration
• Strong Authentication and Encryption:
• Network Segmentation
• Monitoring and Logging
Function: The MSRPC protocol is widely used for communication between Windows services over a
network, including access to network services and system resources

Proof Of Concept
Port 143 IMAP/993 IMAPS
• Weak Authentication (Brute Force Attacks)
• IMAP Protocol Downgrade Attacks
• Man-in-the-Middle (MITM) Attacks
• Vulnerabilities in IMAP Software
• Information Disclosure (Banner Grabbing)
• Cross-Protocol Attacks
• Session Hijacking
• IMAP Command Injection
• Enforce SSL/TLS (IMAPS) and disable
unencrypted IMAP connections.
• Use strong authentication methods (multi-
factor authentication, strong passwords).
• Regularly update and patch IMAP software
to fix known vulnerabilities.
• Disable unnecessary service banners to
prevent information leakage.
• Monitor for unusual IMAP activity to detect
potential intrusions.
Function: IMAP is commonly used for retrieving emails from a server, and it's typically associated with port
143 (unencrypted) & port 993 (encrypted).

Proof Of Concept
Port 3306 MySQL
 SQL Injection Attack
 Brute Force Attacks
 Remote Code Execution (RCE)
 Exploiting Default Configurations
 Privilege Escalation
 Data Exfiltration
 Using MySQL as a Pivot Point
 Denial of Service (DoS) Attacks
 Input Validation
 Strong Password Policies
 Least Privilege Principle
 Firewall Configuration
 Regular Updates
 Monitoring and Logging
Function: MySQL is a popular open-source relational database management system (RDBMS) for
managing database-driven websites.

Conclusion & Recommendations
• The scan reveals several open ports providing essential services to www.tmv.edu.in. While these services
are necessary for the proper functioning of the web server, they also expose potential security risks. It is
recommended to:
• Migrate HTTP traffic to HTTPS entirely.
• Regularly update all services, particularly SSL/TLS certificates and configurations.
• Secure the MySQL database by isolating it from public internet access.
• Implement port scanning detections like PortSentry, Scanlogd, Netcat,IDS.
• Conduct regular port scans.
• Services Monitoring.
• Close all unused ports.
• Continuously carry out port traffic filtering.
• Install firewalls on every host and patch the firewall regularly.
• Monitor open port vulnerabilities:
o Using penetration testing to simulate attacks through open ports
o Conducting vulnerability assessments

References
• https://www.fortinet.com/resources/cyberglossary/what-is-port-scan#:~:text=A
%20port%20scan%20is%20a,being%20used%20by%20an%20organization.
• https://www.geeksforgeeks.org/nmap-command-in-linux-with-examples/

Tools
• Nmap Scanning Tool
• www.wappalyzer.com
• www.pro.similarweb.com
• www.shodan.io

Questions ?

Thank You!

Understanding Port Scanning: A Critical Tool in Web Security

More Related Content

Similar to Understanding Port Scanning: A Critical Tool in Web Security (20)

More from Boston Institute of Analytics (20)

Recently uploaded (20)

Understanding Port Scanning: A Critical Tool in Web Security