Introduction To Port Scanning
One of the most popular methods for finding susceptible server hosts that may be running collaboration software is port scanning. Port scanning in general is a practice for ascertaining potential faults by transferring an asset called port probes. Port scanners are often used by SharePoint administrators for general network discovery, however port scanning can also be leveraged for malicious intent for various network vulnerabilities. Additionally, port scanning can result in other detrimental effects, such as contributing to network congestion as well as the introduction of false positives in IDS systems.
Three Types of Port Scanning
There are three main types of scans that a malicious user can use against a SharePoint environment, vertical scans, horizontal scans, and block scans.
- Vertical Scans – A vertical scan is a port scan that will in essence target numerous destination ports on a singular host running SharePoint. This is an extremely broad scan and is typically easy to detect because only local detection mechanisms (those that will directly exist on the target server) are necessary in order to build up proper alerts and begin to mitigate threats from such a scan. The amount of valuable information that a malicious user gathers from a vertical scan can be defined as the size of the return packet from a particular probe. Vertical scans tend to predominate port scanning activity, mostly because when an exploit is made public it tends to arose the community.
- Horizontal Scans (also called a block scan) – A horizontal scan is a port scan that targets the same port on several hosts, effectively looking for a universal exploit that may exist. This is a fairly common when the attacker is privy to certain vulnerability information and seeks out within an arbitrary network susceptible host machines. The amount of valuable information that a malicious user gathers from a horizontal scan on a target can be defined as the amount of destination sets that the user receives.
- Block Scans – It is feasible to combine the above two methods to derive a new method which will, in essence, compose a large sweep of a network for either type of derived exploits, this is common when producing assets for future exploitations.
Why an SharePoint Administrator Would Use Port Scanning
Port scanning will in essence provide a SharePoint administrator the option of defining possibly exploitable SharePoint machines as well as providing a basis for defining a set of heuristics that will be able to educate an administrator between suspicious packets and those that compose legitimate traffic. This is called the classification of packets, and is mainly done by inspecting probes that may originate from two or more IP address and port number pairs. Although this may be skewed if the port scanner origination host is concealing their origin, it can provide a rudimentary basis for determining the variations in traffic that may occur by randomizing the order of destination IP and port probes. As well, there have to be concessions that exist for variations in frame traffic.
The Most Commonly Scanned Ports
- 137 NetBIOS name service (UDP)
- 21 FTP
- 25 SMTP
- 53 DNS
- 17 QOTD
- 113 IDENTD/AUTH
- 105 CSO
- 33 DSP
- 129 PWDGEN
- 29 MSG-ICP
- 1 TCPMUX
- 13 daytime
- 93 DCP
- 41 RAT
- 85 MIT ML Device
- 97 Swift Remote Virtual File Protocol
- 77 Private Remote Job Execution Services
- 73 Remote Job Services
- 121 Jammerkilla