Hiding Dangerous Services

exposed internet ports

Many common services are increasingly required for an organization to function properly. Having tools such as Remote Desktop available allows workers from around the world to congregate in one place. Unfortunately, these can be prime targets for attackers as well. Many common services are better not being exposed to the open internet, yet are far too common of a finding. These dangerous targets for hackers are much better kept on private networks hidden away from the internet

Authentication Services

Many open services provide an attack path for attackers when misconfigured, though many others are vulnerable by design. An excellent example of this would be services for remote login, such as RDP or SSH. These services are great targets for attackers since they can be hit with different types of password attacks to gain access. This can be brute forcing a single user, password spraying against many users, or trying credential stuffing with breached credentials.

In the case of RDP, there is commonly information leakage. Domain information and some details about the internal network commonly get bled through the service, allowing attackers to craft a more targeted attack. A search on shodan.io for open port 3389, the default RDP port, reveals over 4 million results. Searching for SSH reveals over 25 million results. Combined, these cover thousands of companies around the world.

RDP is best kept behind a private network to prevent information from being leaked to the internet and password attacks. Alternatively, RD Web Access can be configured to allow the same access, though this can implement rate limiting and prevent the information leakage problem. However, care must be taken when configuring this service, as it is prone to its own vulnerabilities. Certain versions of RD Web Access are prone to username enumeration flaws.

SSH is more secure by default than RDP and poses less of a risk. Ideally, it can also be hidden behind a VPN, though in cases where this is impossible, the use of private keys and regular patch management makes it more secure. If password authentication is disabled, it can be challenging for attackers to gain access. Similarly, keeping SSH servers up to date prevents attackers from exploiting one of the many vulnerabilities that have come up in numerous SSH clients.

File Share and Internal Services

Login panels are not the only dangerous service to be exposed to the internet. File share services, such as SMB and NFS, are far too commonly exposed to the open internet, potentially opening up sensitive data to exfiltration. These services often come with exploitable vulnerabilities as well. A search on shodan.io for open port 445, the default for SMB, shows over 1.6 million ports. Combining this to search for SMB servers with authentication disabled, allowing for anonymous access to sensitive data, shows that over 300,000 of those servers have no protections in place.

Aside from simply abusing the functionality of these servers, they are very prone to exploits. SMB is an extremely commonly attacked protocol due to the severity of many exploits and how common those exploits are. Exploiting these can oftentimes give immediate system-level access from a completely unauthenticated standpoint in many cases, such as with the infamous Eternal Blue attack. Despite being a very old and well-known attack, it still shows up on internet-exposed devices with alarming frequency.

Other services, such as LDAP, are unfortunately commonly found despite being dangerous on the internet. A search for exposed LDAP servers returns almost 75,000 results. These servers can often be queried for extremely sensitive information that will greatly aid attackers in the exploitation of the network.

When in doubt, it is best not to leave any unnecessary services exposed to the internet. This opens up too much of an attack surface for hackers to exploit and greatly increases the complexity of security for your organization. In the event that it is essential to have a certain risky service exposed, it is extremely important that it is properly secured in the event of an attack. Tools such as shodan.io show just how easy it is to amass information about vulnerable networks.

Test Your Network’s Security With Blue Goat Cyber

It can be difficult to keep track of every part of your network, and even harder to make sure that everything is defended. That is why our team specializes in identifying any exposed weak points and working with you to get your organization hardened against attack. Contact us to schedule a consultation and find the solution right for you.

Blog Search

Social Media