Netwrix Corporation

09/03/2024 | News release | Distributed by Public on 09/03/2024 04:55

Identifying Common Open Port Vulnerabilities in Your Network

When intruders want to break into a building, they look for an opening. An open port is the opening a threat actor looks for on a digital network: it may be on a firewall, a server, or any network-connected device. Just as a single unlocked door can grant access to an entire physical building, a single open port can give an attacker a foothold from which to breach your systems.

Below, we share the most vulnerable ports and critical security strategies for protecting against them.

Overview of open port vulnerabilities

An open port is not a vulnerability by itself; it is exposure. Every open port is a service answering the network, and that service is the real attack surface: anyone who can reach the port can probe the software behind it for weak credentials, known bugs or misconfigurations, and an attacker who gets in can launch further attacks or perform reconnaissance to learn more about your organization and how to exploit it. Because open ports are the first thing an attacker enumerates, inventorying and justifying each of them should be a high priority for security management.

Importance of securing open ports

To reduce your exposure to attacks, reduce your attack surface, and the most direct way to do that is to reduce the number of open ports, especially those reachable from the Internet. For example, allowing external Remote Desktop Protocol (RDP, TCP port 3389) connections gives legitimate users off-prem access to your corporate network, but it also advertises the service to threat actors, who continuously scan the Internet for exposed RDP endpoints and attack them with credential guessing and known exploits.

What are ports?

Definition and purpose

A port can be seen as a virtual doorway that directs network traffic to a specific service or application on a host. Each port is identified by a number from 0 to 65535, and the number is scoped to the transport protocol, so TCP port 53 and UDP port 53 are different ports. A port is open when a program is listening on it; administrators control exposure by deciding which services run on a host and by using firewall rules to allow or block traffic to particular ports. For example, web traffic relies on ports 80 and 443. If you host a web application for external users, you need to allow these ports through your firewall to grant access. Every port that is not needed should be closed, and every port that is needed should be reachable only from the networks that need it.

Types of ports: TCP and UDP

The most common transport protocols with port numbers are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Software and services are designed to use TCP or UDP and assigned a designated port number.

  • TCP is a connection-oriented protocol with built-in retransmission and error recovery, so it is the dependable choice for anything that must arrive complete and in order.
  • UDP is a connectionless protocol that does not detect or recover lost or reordered datagrams; it is known as a best-effort protocol. Because a UDP packet needs no handshake, UDP services can be reached with spoofed source addresses, which is why they are favoured for reflection and amplification attacks.

States of ports

When you probe a port from outside, it appears in one of three states (the terms Nmap uses):

  • Open - A service is listening and responds to connection requests.
  • Closed - The host is reachable but nothing is listening; for TCP the host answers with a reset (RST), for UDP with an ICMP port unreachable message.
  • Filtered - The probe gets no answer at all because a firewall or other filter dropped it, so the scanner cannot tell whether a service exists behind it.
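The three states above are what a scanner infers from the operating system's reaction to a connection attempt. The following is an added example, not code from the original article: a plain TCP connect() probe that classifies a port the same way an unprivileged "nmap -sT" scan does. The listener and the free port it creates on 127.0.0.1 are stand-ins for a real service and a real closed port so that the demo runs offline; the unrouted TEST-NET-1 address 192.0.2.1 used in the demo shows what a filtered port looks like.

```python
import errno
import socket
from contextlib import closing

# Added example: map the result of connect() onto open / closed / filtered.

def probe_tcp_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for host:port.

    open     - the three-way handshake completed, so something is listening
    closed   - the host answered with a RST (ECONNREFUSED): reachable, but
               nothing is listening on that port
    filtered - no answer before the timeout, or the host is unreachable:
               a firewall dropped the probe or the host is down, and from
               outside we cannot tell which
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT):
                return "filtered"
            raise

def scan(host, ports, timeout=1.0):
    """Probe a list of ports and return {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}

# Helpers that stand in for real services so the demo runs offline on one host.
def start_listener():
    """Open a throwaway listening socket on 127.0.0.1 (port chosen by the OS).
    The kernel completes handshakes for a listening socket even if nobody
    calls accept(), which is enough to show the 'open' state."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv

def free_port():
    """Return a loopback port with no listener, to show the 'closed' state.
    It is picked just below the ephemeral range, so the probe's own source
    port can never collide with it (a TCP self-connect would look 'open')."""
    low = 32768                      # Linux default lower bound of the range
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            low = int(f.read().split()[0])
    except OSError:
        pass
    for port in range(low - 1, 1024, -1):
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            try:
                s.bind(("127.0.0.1", port))   # succeeds only if nothing holds it
                return port
            except OSError:
                continue
    raise RuntimeError("no free loopback port found")

if __name__ == "__main__":
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = free_port()
    # 192.0.2.1 (TEST-NET-1) is never routed, so the probe times out: 'filtered'.
    for host, port in [("127.0.0.1", open_port), ("127.0.0.1", closed_port), ("192.0.2.1", 80)]:
        print(f"{host}:{port} -> {probe_tcp_port(host, port, timeout=2.0)}")
    srv.close()
```

A connect scan is noisy (every probe completes a handshake and shows up in the target's logs) but needs no privileges; a SYN scan drops the handshake after the SYN/ACK and requires raw sockets. Either way, only "open" is certain: "filtered" means the scanner learned nothing, which is exactly what a firewall is for.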

Security risks linked to open ports

Threat actors use open ports to carry out attacks and exploit vulnerabilities. Below, we share some common exploits and attacks that malicious actors leverage, and then detail two famous attacks via open port vulnerabilities.

Common exploits and attacks

  • An exposed RDP service is a standing invitation for credential stuffing and password spraying; once a valid account is found, the same session is used to deliver a ransomware payload.
  • A denial of service (DoS) attack floods a service with more requests than it can handle; when the traffic comes from many machines it is a distributed DoS (DDoS). A typical example is targeting the web ports of a web server to consume its bandwidth and resources so that legitimate users cannot reach the service.
  • Web service ports are the entry point for attacks such as SQL injection and cross-site request forgery that exploit vulnerabilities in the applications behind the port, not in the port itself.
  • Man-in-the-middle attacks tap into unencrypted traffic on well-known ports to collect sensitive information, for example by rerouting and intercepting email traffic.

Case studies: WannaCry, RDP Pipe Plumbing

One of the most famous attacks was the WannaCry ransomware outbreak of May 2017, which hit hundreds of thousands of computers (estimates range from 200,000 to 300,000) across 150 countries. WannaCry was a worm: it exploited the EternalBlue vulnerability in SMBv1 (CVE-2017-0144, fixed by Microsoft's MS17-010 update two months earlier) over port 445 to spread from machine to machine without any user interaction, encrypting files on each host it reached and demanding a ransom payment. Organizations that had port 445 reachable from the Internet, or that had not applied the patch internally, were hit hardest.

RDP Pipe Plumbing is the name CyberArk researchers gave in 2022 to a flaw in how Remote Desktop Services on Windows use named pipes for the virtual channels (clipboard, drive redirection, smart card) inside an RDP session. It is not an attack on port 3389 from the network: the attacker already has an ordinary user session on the RDP server and creates a named pipe server with the same name as the legitimate one before the RDP service does, so the service connects to the attacker's pipe instead. From that position the attacker sits in the middle of other users' sessions on the same server and can read clipboard contents, redirected files and smart-card data. The case shows that an exposed port is only the first hop: a shared RDP host is also a place where one compromised account can reach the data of every other session.

Vulnerable ports and their risks

Below is a list of the ports most often found open and most often abused, with the risks attached to each.

Port 21 Vulnerabilities (FTP)

The File Transfer Protocol (FTP) uses port 21 for its control connection (and port 20 for data in active mode). FTP sends credentials and file contents in clear text. It is outdated and insecure and should not be used for any file transfers, especially of sensitive data; use SFTP (over SSH) or FTPS instead. Exposed FTP servers are attacked through:

  • Brute-forcing passwords, which travel in the clear and are rarely rate-limited
  • Anonymous authentication (many servers accept the username "anonymous" with any password, so check whether yours does)
  • Cross-site scripting, when directory listings or file names are rendered by a browser or web front end
  • Directory traversal, escaping the configured root directory to read or write files elsewhere on the server
  • Man-in-the-middle interception of credentials and file contents

Port 22 Vulnerabilities (SSH)

Port 22 is the Secure Shell (SSH) port, a TCP service used for encrypted remote administration and file transfer. It is preferred over Telnet because every byte of the session is encrypted and the server is authenticated by its host key. Even so, an exposed SSH service suffers from some basic weaknesses:

  • Leaked SSH keys. A private key that is world-readable, committed to a repository or copied around without a passphrase lets whoever obtains it authenticate as that user with no password at all.
  • Brute-forcing credentials. Open SSH ports are found within minutes by Internet-wide scanners, and a server that still accepts password authentication (the OpenSSH default) invites username and password guessing.

Port 23 Vulnerabilities (Telnet)

Telnet is a TCP protocol that uses port 23. It provides a command-line session to remote devices such as switches, routers and servers. Like FTP, Telnet is unencrypted, outdated and considered insecure, and it has been superseded by SSH. It is still found on network gear and embedded devices, where it is attacked through:

  • Credential brute-forcing. Attackers launch repeated login attempts against the exposed service, often with lists of vendor default passwords.
  • Credential sniffing and spoofing. Because the username, password and every command travel in clear text, anyone on the network path can read them or impersonate either side of the session.

Port 25 Vulnerabilities (SMTP)

Port 25 is used by the Simple Mail Transfer Protocol (SMTP) to relay mail between mail servers (clients submit mail on port 587 and retrieve it with POP3 or IMAP, not over port 25). SMTP was designed when security was not a significant concern, so a server listening on this TCP port is exposed to the following unless it is configured and protected properly:

  • Spoofing. Nothing in SMTP itself verifies the sender, so attackers forge headers to make messages appear to come from a trusted source; SPF, DKIM and DMARC have to be deployed to counter this.
  • Spamming through an open relay. A server that accepts mail for any destination from anyone can be used to send large volumes of spam and malware, and will quickly end up on blocklists.
  • Man-in-the-middle, especially when STARTTLS is not enforced and the mail crosses the network in clear text.

Port 53 Vulnerabilities

Port 53 is used by the Domain Name System (DNS), which translates human-readable names such as facebook.com or linkedin.com into IP addresses. DNS is essential for almost all Internet traffic. It uses UDP for most queries and TCP for zone transfers and for responses too large for a single datagram. Because a DNS server must answer anyone who asks, the port is particularly exposed to:

  • DDoS attacks. Attackers flood the server with large volumes of queries to exhaust it and disrupt name resolution for everyone who depends on it.
  • DNS amplification. An open recursive resolver answers small spoofed queries with much larger responses addressed to the victim, so the server becomes a weapon against a third party. Resolvers should answer recursive queries only for your own networks, and authoritative servers should apply response rate limiting.

Ports 137 and 139 (NetBIOS over TCP) and 445 (SMB) Vulnerabilities

Port 137 (UDP, NetBIOS name service), port 139 (TCP, NetBIOS session service) and port 445 (TCP, SMB directly over IP) are the ports behind file sharing, printing and a great deal of inter-host communication in Windows environments. They should never be reachable from the Internet, and internally they are exposed to:

  • The EternalBlue exploit. This attack takes advantage of a flaw in SMBv1 (CVE-2017-0144) on unpatched Windows versions. It became well known after the WannaCry ransomware outbreak of 2017 and remains a reason to disable SMBv1 everywhere.
  • Capturing and relaying NTLM hashes. An attacker who can lure a host into connecting to a rogue SMB server captures its NTLM challenge-response, which can be cracked offline or relayed in real time to another server to authenticate as that user. Requiring SMB signing blocks the relay.
  • Brute-forcing SMB login credentials. Attackers systematically try username and password combinations, or spray one common password across many accounts, until they find a valid pair.

Ports 80, 443, 8080, and 8443 Vulnerabilities (HTTP and HTTPS)

Anyone who has visited a web page has used HTTP or HTTPS. As mentioned, web ports are the most commonly targeted of all, and what gets attacked is the application behind the port:

  • Cross-site scripting (XSS). Attackers inject malicious scripts into web pages so that victims' browsers run them and leak cookies, tokens or data.
  • SQL injection. Attackers insert SQL syntax into input fields that the application concatenates into queries, reading or manipulating the database.
  • Cross-site request forgery (CSRF). An attacker exploits the trust between a user's browser and a web application to make the user's browser perform actions on the site without their knowledge or consent.
  • DDoS attacks against the server's bandwidth or its application logic.
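SQL injection is worth seeing side by side with its fix, because the difference is one line. The following is an added example, not code from the original article: the same user lookup written the way injection happens (string concatenation) and the way it is prevented (a parameterized query), run against an in-memory SQLite database. The table, its three rows and the two payloads are constructed for the example.

```python
import sqlite3

# Added example: a vulnerable lookup beside its hardened form.

def make_db():
    """Build a tiny users table with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a1", "admin"), ("bob", "hash-b2", "user"), ("carol", "hash-c3", "user")],
    )
    return conn

def find_user_vulnerable(conn, username):
    """VULNERABLE: the input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL syntax."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    """SAFE: a parameterized query sends the input as data. The database
    never parses it as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

# Two classic payloads an attacker would type into a login or search form.
BYPASS_PAYLOAD = "' OR '1'='1"                                     # matches every row
DUMP_PAYLOAD = "x' UNION SELECT password_hash, role FROM users --"  # pulls other columns

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", find_user_vulnerable(db, BYPASS_PAYLOAD))  # all users
    print("vulnerable, dump   :", find_user_vulnerable(db, DUMP_PAYLOAD))    # password hashes
    print("safe, bypass       :", find_user_safe(db, BYPASS_PAYLOAD))        # []
    print("safe, real user    :", find_user_safe(db, "alice"))
```

The vulnerable function turns `' OR '1'='1` into `WHERE username = '' OR '1'='1'`, which is true for every row, and the UNION payload appends a second query that returns the password hashes through a column meant for user names. The safe function hands the same strings to the driver as bound parameters, so they are compared literally and match nothing. Input validation and a web application firewall are useful layers on top, but parameterized queries are the fix.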

Ports 1433, 1434, and 3306 Vulnerabilities (Used by databases)

These are the default ports for Microsoft SQL Server (1433/TCP for the database engine and 1434/UDP for the SQL Server Browser service) and MySQL (3306/TCP). Database ports belong on an internal segment only, because an exposed database invites:

  • Compromise of the host and distribution of malware. Database engines run with considerable privileges, and features such as SQL Server's xp_cmdshell or MySQL's ability to write files let an attacker with a database login run commands or drop malicious software on the underlying system.
  • Denial of service. Connection floods and resource-intensive queries render the database, and every application that depends on it, unusable.
  • Unprotected instances with default configurations. Internet-wide scanners constantly find databases with default or empty passwords and exposed management features; once in, the attacker can read, alter or steal everything stored there.

Port 3389 vulnerabilities (Remote Desktop)

  • The protocol itself exposes RDP to brute-force and password-spraying attacks, and to man-in-the-middle attacks wherever clients are allowed to accept any server certificate.
  • The BlueKeep vulnerability (CVE-2019-0708) is a pre-authentication flaw in the RDP service of older Windows versions such as Windows 7 and Windows Server 2008. It is wormable: an attacker who can reach port 3389 can run code on the host without any user interaction and spread malware across the organization the way WannaCry did over SMB.
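Credential guessing against RDP and SMB leaves a clear trace: bursts of Windows Security event 4625 (logon failure) from one source, with logon type 10 for RDP and 3 for SMB and other network logons. The following is an added example, not code from the original article or any Netwrix product: a sliding-window detector run over such records. The records are constructed here in a simplified one-line form of a 4625 event; a real deployment would read them from the event log or a SIEM, but the fields are the same. The IP addresses are from the TEST-NET documentation ranges and the user names are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example: sliding-window detection of RDP/SMB brute force and spraying.

LOGON_TYPES = {3: "Network (SMB, port 445)", 10: "RemoteInteractive (RDP, port 3389)"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def parse_line(line):
    """Parse one constructed event line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "eid": int(m["eid"]), "lt": int(m["lt"]), "user": m["user"], "ip": m["ip"],
    }

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert on any source IP with >= threshold failed logons inside `window`.

    A deque per source holds the timestamps still inside the window; each new
    failure evicts the ones that have aged out. Distinct target users are
    counted too, because one source hitting many accounts is password spraying
    rather than brute force against a single account."""
    events = [e for e in map(parse_line, lines) if e and e["eid"] == 4625]
    events.sort(key=lambda e: e["ts"])
    recent, users, alerts = defaultdict(deque), defaultdict(set), {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        users[e["ip"]].add(e["user"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[e["ip"]] = {
                "failures": len(q), "first": q[0], "last": e["ts"],
                "distinct_users": len(users[e["ip"]]),
                "logon_type": LOGON_TYPES.get(e["lt"], f"type {e['lt']}"),
            }
    return alerts

# Constructed sample: one RDP brute force, one SMB password spray, one
# legitimate user who mistypes a password now and then.
SAMPLE_LOG = """\
2024-09-03T04:55:00Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2024-09-03T04:55:07Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2024-09-03T04:55:13Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2024-09-03T04:55:20Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2024-09-03T04:55:26Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2024-09-03T04:55:33Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2024-09-03T04:56:10Z EventID=4625 LogonType=3 TargetUser=jsmith IpAddress=203.0.113.9
2024-09-03T04:56:12Z EventID=4625 LogonType=3 TargetUser=mjones IpAddress=203.0.113.9
2024-09-03T04:56:15Z EventID=4625 LogonType=3 TargetUser=backup IpAddress=203.0.113.9
2024-09-03T04:56:17Z EventID=4625 LogonType=3 TargetUser=svc_sql IpAddress=203.0.113.9
2024-09-03T04:56:20Z EventID=4625 LogonType=3 TargetUser=helpdesk IpAddress=203.0.113.9
2024-09-03T04:30:00Z EventID=4625 LogonType=10 TargetUser=alice IpAddress=198.51.100.7
2024-09-03T04:57:00Z EventID=4624 LogonType=10 TargetUser=alice IpAddress=198.51.100.7
2024-09-03T05:40:00Z EventID=4625 LogonType=10 TargetUser=alice IpAddress=198.51.100.7
"""

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures against {info['distinct_users']} "
              f"account(s) via {info['logon_type']} between {info['first']:%H:%M:%S} "
              f"and {info['last']:%H:%M:%S}")
```

Thresholds are a tuning decision: five failures in two minutes catches automated tools without paging on a user who forgets a password, and the distinct-user count separates a spray (many accounts, one or two tries each, which per-account lockout never sees) from a brute force against one account. The same logic applies to SSH auth logs or FTP server logs once the parser is swapped.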

Steps to secure open ports

Prefer encrypted ports over unencrypted ones

Most of the regular services used in an IP-based environment now have an encrypted version of the older plain-text protocol: SSH instead of Telnet, SFTP or FTPS instead of FTP, HTTPS instead of HTTP, LDAPS instead of LDAP, and SMTP with STARTTLS enforced instead of plain SMTP. Switching to the encrypted version protects credentials and data while they are transmitted over the wire, and closing the plain-text port afterwards prevents a downgrade back to it.

Regular patching and updates

Patching keeps your systems and firewalls up to date. Vendors regularly release patches that repair vulnerabilities and flaws in their products that cybercriminals could use to gain full access to your systems and data.

Port scanning tools

You should also regularly scan and check your ports, both from the inside (what is listening on each host) and from the outside (what an attacker can actually reach). There are three main ways to do this:

  • Command-line tools. Run netstat or ss on a host to list listening sockets and the process behind each one, and Nmap (Network Mapper) to probe hosts from another network position. Both are available for Windows and Linux.
  • Port scanners. A port scanner sends a connection request (or a single SYN packet) to each port and classifies the response as open, closed or filtered. Scan your external address range from outside your perimeter, so that you see what the Internet sees.
  • Vulnerability scanning tools. These automated applications identify and inventory IT assets, such as servers, desktops and network devices, and then test the services found on each open port for known vulnerabilities, misconfigurations and weak credentials. The results show the organization's risk level and point to the mitigations that matter most.
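The inside view is cheap enough to automate on every host. The following is an added example, not code from the original article or from any of the tools named above: it reads the Linux kernel's socket table in /proc/net/tcp (the same source netstat and ss use), lists every socket in LISTEN state, and flags listeners bound to a network-facing address whose port is not on an allowlist. The allowlist and the sample table are constructed for the example; on a Linux host the main block reads the real table.

```python
import os
import socket
import struct

# Added example: inventory listening TCP ports and compare them with a policy.

ALLOWED_PORTS = {22, 443}   # assumed policy: only SSH and HTTPS may face the network
LISTEN_STATE = "0A"         # TCP_LISTEN in the kernel's hexadecimal state column

def decode_ipv4(hex_addr):
    """'0100007F' -> '127.0.0.1'. The kernel prints the address as a
    little-endian 32-bit integer, so the bytes come out reversed."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def parse_proc_net_tcp(text):
    """Return [(local_ip, port), ...] for every socket in LISTEN state.
    (IPv6 listeners live in /proc/net/tcp6 and need the same treatment.)"""
    listeners = []
    for line in text.splitlines()[1:]:        # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state != LISTEN_STATE:
            continue
        ip_hex, port_hex = local_addr.split(":")
        listeners.append((decode_ipv4(ip_hex), int(port_hex, 16)))
    return listeners

def unexpected_listeners(listeners, allowed=ALLOWED_PORTS):
    """Listeners on a non-loopback address whose port is not allowlisted.
    Loopback-only services are unreachable from the network, so they are not
    part of the external attack surface (but are still worth knowing about)."""
    return sorted(
        (ip, port) for ip, port in listeners
        if port not in allowed and not ip.startswith("127.")
    )

# Constructed sample of /proc/net/tcp: SSH and HTTPS on all interfaces (allowed),
# MySQL on loopback (fine), Telnet and an HTTP proxy on all interfaces (not fine),
# plus one established SSH connection that is not a listener at all.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 1002 1 0 100 0 0 10 0
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1004 1 0 100 0 0 10 0
   4: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1005 1 0 100 0 0 10 0
   5: 0F02000A:0016 0502000A:D2A4 01 00000000:00000000 00:00000000 00000000     0        0 1006 1 0 100 0 0 10 0
"""

if __name__ == "__main__":
    path = "/proc/net/tcp"
    if os.path.exists(path):
        with open(path) as f:
            text = f.read()
    else:
        text = SAMPLE_PROC_NET_TCP   # not on Linux: fall back to the constructed sample
    listeners = parse_proc_net_tcp(text)
    for ip, port in sorted(listeners):
        print(f"listening: {ip}:{port}")
    for ip, port in unexpected_listeners(listeners):
        print(f"UNEXPECTED: {ip}:{port} is not on the allowlist")
```

Run from a scheduled job, the unexpected list is a change-detection signal: a new listener on a server that has had the same three for a year is either a deployment somebody forgot to document or an implant. Mapping the inode column back to a process (as ss -p does) tells you which.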

Monitoring service configuration changes

Staying abreast of any configuration changes made to your servers, firewalls, switches, routers, and other network devices is important, as these changes can introduce vulnerabilities. Such modifications may occur accidentally or intentionally. Using Netwrix Change Tracker, you can harden your systems by tracking unauthorized changes and other suspicious activities. In particular, it provides the following functionality:

  • Actionable alerting about configuration changes
  • Automatically recording, analyzing, validating and verifying every change
  • Real-time change monitoring
  • Constant application vulnerability monitoring

Using intrusion detection and prevention systems (IDS and IPS)

An IDS monitors network traffic for signs of suspicious activity or known attack signatures and raises alerts, while an IPS sits inline and goes one step further by blocking the traffic it detects. Both help against common attacks aimed at open ports, such as port scans, brute-force logins, SQL injection attempts and volumetric DDoS traffic, but they catch only what they have signatures or baselines for, so they complement closing unneeded ports rather than replace it.

Implementing SSH keys

SSH key pairs are far less vulnerable to brute force, phishing and human error than passwords. A private key is a long random value that cannot be guessed, and it is never typed or sent to the server, so there is nothing for a phishing page to capture. There are two halves to every pair:

  • The private (identity) key, which stays with the user, protected by file permissions and ideally a passphrase, and proves who they are
  • The public (authorized) key, which is placed in the server's authorized_keys file and determines which identities may log in

Once every administrator uses keys, set PasswordAuthentication to no in sshd_config so that the brute-force path disappears altogether.
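Moving to keys only pays off when the server stops accepting passwords, which is a configuration change that is easy to forget and easy to undo. The following is an added example, not code from the original article, serving both this section and the port 22 weaknesses above: an audit of an sshd_config file against the policy argued for here. The two configurations are constructed, the policy values are assumptions for the example, and the defaults are OpenSSH's documented defaults for options that are not set at all.

```python
import re

# Added example: audit sshd_config for settings that leave brute force open.

OPENSSH_DEFAULTS = {            # what sshd assumes when the option is absent
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

POLICY = {  # option -> (required value, why it matters); assumed for the example
    "passwordauthentication": ("no",  "password logins leave the brute-force path open"),
    "permitrootlogin":        ("no",  "root should log in via a named account and sudo"),
    "pubkeyauthentication":   ("yes", "key-based login is the only method left"),
    "permitemptypasswords":   ("no",  "empty passwords must never be accepted"),
    "x11forwarding":          ("no",  "unused forwarding widens the attack surface"),
}
MAX_AUTH_TRIES = 3

def parse_sshd_config(text):
    """Return {option: value} for the global section of an sshd_config.

    Comments and blank lines are dropped, 'Key value' and 'Key=value' are both
    accepted, and the first occurrence of an option wins, as in sshd itself.
    Options inside Match blocks apply only to the matched users or hosts, so
    they are skipped rather than mistaken for the global setting."""
    cfg = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True
            continue
        if not in_match:
            cfg.setdefault(key, value)
    return cfg

def audit_sshd_config(text):
    """Return a list of (option, actual, required, reason) findings."""
    cfg = parse_sshd_config(text)
    findings = []
    for option, (required, reason) in POLICY.items():
        actual = cfg.get(option, OPENSSH_DEFAULTS[option]).lower()
        if actual != required:
            findings.append((option, actual, required, reason))
    tries = cfg.get("maxauthtries", OPENSSH_DEFAULTS["maxauthtries"])
    if int(tries) > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", tries, f"<= {MAX_AUTH_TRIES}",
                         "more guesses per connection help brute-force tools"))
    return findings

WEAK_CONFIG = """\
# Constructed: a permissive sshd_config as often found on a freshly built host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
Match User backup
    PasswordAuthentication no   # applies to one user only, not globally
"""

HARDENED_CONFIG = """\
# Constructed: the same host after enforcing key-only logins
Port 22
PermitRootLogin no
PasswordAuthentication=no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        findings = audit_sshd_config(text)
        print(f"{name}: {len(findings)} finding(s)")
        for option, actual, required, reason in findings:
            print(f"  {option} = {actual} (want {required}): {reason}")
```

Note that the weak configuration's Match block turns off passwords for one account only; a naive grep for "PasswordAuthentication no" would pass it, which is why the parser tracks the global section separately. Run `sshd -T` on the host to see the effective configuration sshd itself computes, and feed that output to the same audit.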

Conducting penetration tests and vulnerability assessments

Penetration tests and vulnerability assessments both serve to spot weaknesses in IT infrastructure, although each uses a different approach. A penetration test (pen test) is conducted by a security professional who simulates a cyberattack on a computer system or network to identify and exploit vulnerabilities; it shows how an attacker would actually get in and how far they could go. A vulnerability assessment, on the other hand, is an automated scan that identifies and prioritizes known vulnerabilities across the whole estate. Together, they give a comprehensive picture of your port exposure.

Best practices for port security

  • Assessing external attack surfaces. Regularly evaluate your network's exposure to external threats by identifying and securing the open ports an attacker could reach. Ensure that every open port is necessary, and close ports associated with deprecated applications or services immediately.
  • Continuous monitoring for emerging risks. Implement ongoing monitoring to detect new vulnerabilities and threats associated with open ports, and follow up with timely response and mitigation.
  • Reviewing each open port's purpose and reach. Regularly confirm what each open port is for, that it is mapped to the intended internal target and nothing else, and that it is reachable only from the networks and accounts that need it, applying least privilege to all applicable resources.
  • Adhering to a consistent patch schedule. Regular patching pays big security dividends. Deploy security-related patches as soon as they are released and tested, and treat patches for Internet-facing services as emergencies.
  • Hardening and watching configurations. Unpatched or misconfigured services are how a single open port becomes a compromised system. Verify that all configurations follow security best practices, and implement monitoring that alerts your network support personnel whenever a configuration changes.

Conclusion

Open ports are a double-edged sword. On one hand, they are essential for your business operations, enabling web pages, applications and services. On the other hand, they present opportunities for threat actors to infiltrate and exploit your network. The importance of managing and monitoring open ports cannot be overstated. Your organization should have a policy outlining the procedures for securing every open port and for keeping all systems and software updated. Insecure protocols such as Telnet and FTP should be deprecated and replaced with modern, encrypted equivalents. Conduct regular assessments to ensure that every open port is still necessary and that configurations adhere to best practices. Remember that as technology evolves, your port requirements will change too. With the proper strategy and focus, your open ports can remain working assets rather than openings that expose your business to greater risk.

FAQ

What is an open port vulnerability?

An open port vulnerability is a security gap caused by an open port. Without proper configuration and protection, attackers can use open ports to access your systems and data.

Is port 80 a security risk?

Port 80 isn't inherently a security risk; the risk lies in what listens behind it. The biggest port 80 problems come from misconfigured or unpatched web applications that let attackers reach your systems and data. In addition, unlike port 443 (HTTPS), traffic on port 80 is unencrypted, so anyone on the path can read or tamper with whatever crosses it, including session cookies and form data. The usual practice today is to keep port 80 open only to redirect visitors to HTTPS.

Why is port 23 insecure?

Port 23 is used by the Telnet protocol and is considered insecure primarily because of its lack of encryption. This makes it highly vulnerable to eavesdropping and interception attacks, allowing attackers to capture sensitive information quickly. Telnet is susceptible to credential brute-forcing as the authentication process only requires a username and password. For these and other reasons, Telnet has largely been replaced by more secure protocols like SSH, which offer enhanced security features.

Is port 443 vulnerable?

While HTTPS is encrypted, port 443 vulnerabilities include misconfigured settings, unpatched web software, expired or mis-issued certificates, and outdated SSL/TLS versions or weak cipher suites that allow downgrade and interception.

Is port 52 insecure?

Like port 443, port 52 is not inherently insecure but can prove a potential security risk if not properly managed. It is used for the XNS (Xerox Network Systems) time protocol.

What are vulnerability ports?

Specific ports and their applications are more likely to be targeted because they often have weaker credentials and defenses. Standard vulnerable ports include:

  • FTP (20, 21)
  • SSH (22)
  • Telnet (23)
  • SMTP (25)
  • DNS (53)
  • NetBIOS over TCP (137, 139)
  • SMB (445)
  • HTTP and HTTPS (80, 443, 8080, 8443)
  • Databases (1433, 1434, 3306)
  • Remote desktop (3389)

Why is Port 445 vulnerable?

Port 445 is vulnerable because of its association with the Server Message Block (SMB) protocol, which Windows systems use for file sharing and other inter-host communication. Attackers can exploit older versions of SMB to execute malicious code and spread malware. Port 445 was infamously exploited by the WannaCry ransomware worm in 2017, which caused widespread damage on a global scale.

Why is port 23 vulnerable?

Port 23 is associated with Telnet, an outdated and insecure protocol used to remotely access and manage devices with a command-line interface. It should no longer be utilized within your network.

Why is port 25 vulnerable?

The Simple Mail Transfer Protocol uses port 25 to relay mail between mail servers. It is considered vulnerable because that relay involves no sender authentication, which makes it susceptible to spam and email spoofing, and a server that accepts mail for any destination from anyone is an open relay that will be abused.

What is a high-risk port?

A high-risk port is one that is exposed to the public Internet and is frequently targeted by attackers due to its extensive use. High-risk ports are often associated with well-known vulnerabilities or outdated applications or protocols.

What is port 80 vulnerable to?

Port 80 vulnerabilities include a lack of encryption, which makes it susceptible to eavesdropping and packet interception. In addition, the services and applications that run on it are open to attacks such as SQL injection, cross-site scripting (XSS), and cross-site request forgery.

What is the vulnerability of an open port?

An open port represents an open door that an unauthorized party can potentially use to infiltrate your network. In addition to unauthorized access, open ports can be susceptible to other attacks, such as brute force attacks and DDoS attacks.

What are the risks of open ports?

Open ports expand the attack surface of your network and thus increase the chance of a breach or malware infestation. The services and applications that utilize these open ports may also have unpatched vulnerabilities that can be exploited by attackers as well.

Is open port 22 a vulnerability?

While port 22 is far more secure than port 23, SSH is still vulnerable to brute force attacks and leaked SSH keys.

Is open port 80 a vulnerability?

For most networks, port 80 must be open for outgoing internet traffic. Any internet-facing web server must also usually allow incoming traffic. While any open port is risky, proper management and attention to security best practices will reduce the associated risk level. Port 8080 is commonly used as an alternative to port 80 for HTTP services, and a common port 8080 vulnerability is unsecured or poorly configured web applications or services.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.