How to detect hacker’s port scanning in less than 50 bucks

Almog Ohayon
6 min read · Aug 18, 2016


There’s a huge misconception in the security industry about hacker methodology when it comes to internal threats. Unfortunately, most people still believe hackers use port scanning tools like NMAP or Angry IP Scanner when they want to discover assets in the enterprise network. They are wrong, and it’s affecting their defense strategy and their company’s security.

The Attacker ROI

Setting aside the intelligence-gathering efforts of governmental agencies, the attacker’s incentive in 95% of cases is monetization. This is why many of the “bad” guys have moved to ransomware in the last few years: “easy” money and a higher return on investment (ROI). Based on this, I hope you agree that hackers don’t wake up in the morning and start hacking for no reason; usually they are managed by business people driven by high-yield ROI.

How is ROI related to hackers not using NMAP?

The answer is very simple: hackers don’t want to get caught in the middle of their operation. It takes a lot of time and people to breach a network, whether through custom social engineering or by hacking cloud or DMZ servers, and lots of resources == money.
After working so hard to penetrate the target’s network, why would they use a scanning tool like NMAP, which is very easy to detect from a defense point of view? Why use such a method when you have other great options which will evade almost any solution?

Why is there a misconception about this anyway?

Well I mainly blame three things:

1. Pentesters perspective:

It’s very common to invite external pentesters to the organization every year or quarter to provide detailed reports about the current security issues, but the problem is that they hold a totally different mindset. Pentesters have a limited, short time to produce their report; it’s usually a checklist- and compliance-driven analysis, and in most cases it’s not even red-team oriented. Pentesters tend to use NMAP scans because they don’t care about getting caught; they mainly care about creating huge reports with as many items as possible, as fast as they can, so scanning tools are a good fit for their huge non-hacker reports.

*I’m really sorry if you are a different type of pentester and I offended you with my comments.

2. Certifications:

Many security folks do non-hacker certifications like CEH/CISSP/CISA, which teach them high-level security material instead of getting into the hacker’s mindset and researching real data breach operations and APTs, which are public for everyone, for example: https://github.com/kbandla/APTnotes

3. Vendors:

Most security vendors are aligned with this mindset, but unfortunately some vendors offer a solution which can only detect port scanning and Conficker-type attacks, so of course they will present that as the main issue with your internal visibility.

So why is NMAP such a bad option?

Evasion

The very first reason is the inability to evade security solutions:

  1. Whether your target is Linux or Windows, you need to download non-native OS files, and in most cases endpoint solutions will identify NMAP or other scanners as malicious files.
  2. When you execute the actual IP/port scan you need to scan entire IP ranges and multiple TCP/UDP ports for each IP. This will trigger many alarms on big networks; it’s one of the easiest things to detect, a huge anomaly.

Accuracy

  1. First, IP/port scanning will not be able to reach all the assets in the organization, whether because of firewalls or lack of network connectivity.
  2. Even if you have network connectivity to a specific target, NMAP’s detection results come from analyzing fingerprints, server responses and other types of signatures, which makes them not accurate at all; it’s an external perspective doing a best effort.

Scalability

If your victim has 3 servers and 5 PCs then you will probably succeed in hacking anything, even using NMAP, but imagine a very large network with a presence all over the world, 10k-100k endpoints. How much time would it even take you to scan all of these endpoints? How accurate would that information be? Very bad results…

So what are the hackers’ actual current methodologies?

The smartest thing to do, which is what is actually being done, is going stealthily after centralized points of data like Domain Controllers, SCCM, McAfee ePO, management systems, analytics systems and of course admin PCs/servers.

One quick example that emphasizes the huge difference is reconnaissance of the domain controller:

Every real red-teamer would start with this recon. It makes a very good starting point since it’s legitimate, and you gain a really good perspective on computers, users, services, policies and credentials to make your attack stealthy and successful.

Evasion

From an attacker’s point of view you don’t need to download any malicious files; you only use legitimate files, Windows APIs and processes which already exist on the victim’s machine, such as cmd, dsquery, PowerShell, WMI, etc.

a. net group “domain computers” /domain
b. dsquery computer -limit 0
c. SPN scanning: https://adsecurity.org/?p=1508
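The defender’s side of the three commands above, as an added example that is not from the original post: a small Python script that checks Windows process-creation events (Security Event ID 4688 or Sysmon Event ID 1) for the command lines an attacker would use for domain reconnaissance. The event lines, host names and user names are constructed for the example, and the setspn -Q form of SPN scanning is an assumption; real events arrive as EVTX/XML through your log pipeline rather than as a list of strings.

```python
import re
from collections import defaultdict

# Constructed sample events: a one-line rendering of Windows process-creation
# records (Security 4688 / Sysmon Event ID 1) reduced to host, user, parent
# process and command line. Hosts, users and command lines are invented.
SAMPLE_EVENTS = [
    'host=WS01 user=CORP\\jdoe parent=explorer.exe cmdline=C:\\Windows\\System32\\cmd.exe',
    'host=WS01 user=CORP\\jdoe parent=cmd.exe cmdline=net group "domain computers" /domain',
    'host=WS01 user=CORP\\jdoe parent=cmd.exe cmdline=dsquery computer -limit 0',
    'host=WS01 user=CORP\\jdoe parent=cmd.exe cmdline=setspn -T corp.local -Q */*',
    'host=SRV02 user=CORP\\svc_sccm parent=services.exe cmdline=net start',
    'host=WS07 user=CORP\\asmith parent=explorer.exe cmdline=notepad.exe report.txt',
]

# Detection rules: a name plus a case-insensitive regex over the command line.
# The first two match the commands listed in the post; setspn -Q as the usual
# built-in SPN scanning tool is an assumption made for this example.
RECON_RULES = [
    ("ad_net_group_enum", re.compile(r'\bnet1?(?:\.exe)?\s+group\s+.*/domain\b', re.I)),
    ("ad_dsquery_enum", re.compile(r'\bdsquery(?:\.exe)?\s+(?:computer|user|group|server)\b', re.I)),
    ("ad_spn_scan", re.compile(r'\bsetspn(?:\.exe)?\s+.*-Q\b', re.I)),
]


def parse_event(line):
    """Split one sample line into a dict; cmdline comes last and may contain spaces."""
    head, _, cmdline = line.partition(' cmdline=')
    fields = dict(kv.split('=', 1) for kv in head.split())
    fields['cmdline'] = cmdline
    return fields


def match_rules(cmdline):
    """Names of every recon rule whose regex matches the command line."""
    return [name for name, rx in RECON_RULES if rx.search(cmdline)]


def detect_ad_recon(lines, burst_threshold=2):
    """Return (hits, bursts).

    hits   - list of (host, user, rule, cmdline) for every matching event.
    bursts - set of (host, user) pairs for which at least burst_threshold
             distinct recon rules fired. A single 'net group' may be an admin
             at work; several different enumeration commands from the same
             user on the same host is the stronger signal.
    """
    hits = []
    rules_per_actor = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev['cmdline']):
            hits.append((ev['host'], ev['user'], rule, ev['cmdline']))
            rules_per_actor[(ev['host'], ev['user'])].add(rule)
    bursts = {actor for actor, rules in rules_per_actor.items()
              if len(rules) >= burst_threshold}
    return hits, bursts


if __name__ == '__main__':
    hits, bursts = detect_ad_recon(SAMPLE_EVENTS)
    for host, user, rule, cmdline in hits:
        print(f'{host} {user} {rule}: {cmdline}')
    for host, user in sorted(bursts):
        print(f'ALERT: recon burst from {user} on {host}')
```

Because these are legitimate, signed Windows binaries, file-based blocking has nothing to catch; the only evidence is the command line, which is why command-line logging (4688 with command-line auditing enabled, or Sysmon) has to be turned on for this to work at all.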

Accuracy

These centralized points of data are the core of the organization; they must be accurate so that the network assets and services actually work.

Scalability

Unlike with NMAP, I don’t need to check all the endpoints in the organization; I just need to recon these focal points, which is legitimate and doesn’t make any noise or generate huge traffic in the network.

So how do you detect port scanning for 50 dollars?

If you are still not convinced and think that port scanning is your biggest threat, here are a few simple steps for configuring a Linux VM for this purpose:

Step 1

Install Ubuntu Linux Server on one of your internal VMs (you can even use a Raspberry Pi device with Debian)

Step 2

Install some services like Apache, MySQL and SMB:

sudo apt-get install apache2 mysql-server samba

Step 3

Install Suricata:

http://pastebin.com/raw/8xkqireU

Configure suricata.yaml with your internal IP addresses:

sudo vi /etc/suricata/suricata.yaml

And activate Suricata:

sudo suricata -c /etc/suricata/suricata.yaml -i eth0

Step 4

Watch it burn:

sudo tail -f /var/log/suricata/fast.log
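Step 4 leaves you reading fast.log by eye. As an added example that is not part of the original post, here is a Python script that parses Suricata’s fast.log format and flags any source that hits many distinct ports on the honeypot VM within a short window, which is what a port scan looks like from the VM’s side. The log lines, IP addresses, timestamps and signature ids/messages are constructed placeholders, not real Emerging Threats rules. (In suricata.yaml, the internal ranges from Step 3 belong in the HOME_NET variable.)

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Suricata fast.log lines. Timestamps, IP addresses and
# the signature ids/messages (gid 1, sids 9000001/9000002) are placeholders
# invented for this example, not real rules. The last line is deliberately
# malformed to show that the parser skips it.
SAMPLE_FAST_LOG = """\
08/18/2016-10:12:01.000100  [**] [1:9000001:1] SAMPLE Inbound TCP to honeypot port 21 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51201 -> 10.0.0.20:21
08/18/2016-10:12:01.200300  [**] [1:9000001:1] SAMPLE Inbound TCP to honeypot port 22 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51202 -> 10.0.0.20:22
08/18/2016-10:12:01.400500  [**] [1:9000001:1] SAMPLE Inbound TCP to honeypot port 80 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51203 -> 10.0.0.20:80
08/18/2016-10:12:01.600700  [**] [1:9000001:1] SAMPLE Inbound TCP to honeypot port 139 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51204 -> 10.0.0.20:139
08/18/2016-10:12:01.800900  [**] [1:9000001:1] SAMPLE Inbound TCP to honeypot port 445 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51205 -> 10.0.0.20:445
08/18/2016-10:12:02.001100  [**] [1:9000001:1] SAMPLE Inbound TCP to honeypot port 3306 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51206 -> 10.0.0.20:3306
08/18/2016-10:15:44.123456  [**] [1:9000002:1] SAMPLE Inbound TCP to honeypot port 80 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40211 -> 10.0.0.20:80
this line is not a fast.log record and must be skipped
"""

# One fast.log record: timestamp, [gid:sid:rev], message, classification,
# priority, protocol, and src:port -> dst:port.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$'
)


def parse_fast_log(text):
    """Parse fast.log text into a list of dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec['ts'] = datetime.strptime(rec['ts'], '%m/%d/%Y-%H:%M:%S.%f')
        rec['dport'] = int(rec['dport'])
        records.append(rec)
    return records


def find_port_scanners(records, min_ports=5, window=timedelta(seconds=60)):
    """Report sources that touched at least min_ports distinct destination
    ports within any `window`. Returns {src: sorted list of all ports seen}."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r['src']].append((r['ts'], r['dport']))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # slide the window start forward until it fits inside `window`
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({p for _, p in events[lo:hi + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in events})
                break
    return scanners


if __name__ == '__main__':
    recs = parse_fast_log(SAMPLE_FAST_LOG)
    for src, ports in find_port_scanners(recs).items():
        print(f'ALERT: {src} scanned ports {ports}')
```

Nobody legitimate should be talking to this VM at all, so a single source touching five or more of its ports inside a minute is a clear signal; lower min_ports if the VM only exposes a couple of services, and raise the window if you expect slow scans.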

Some last words

I’m not saying getting into the hacker’s mindset is easy; it takes years to gain the knowledge and develop the ability to protect your company. However, it’s really frustrating when I see security professionals who are not working hard to acquire the necessary knowledge. This is your job, for god’s sake: stop chasing non-useful certifications and read everything you can, train yourself and your team with real live scenarios and attacks, and be a better professional.
