Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Sunday, June 10, 2018

Smart lightweight port scan for AWS Infrastructure

As pen-testers or red team members, port scanning is part of our regular work: find the open ports, identify the services behind them, enumerate those services and, finally, find the way into the network.

Cloud-computing adoption has been increasing rapidly, and large organizations have successfully moved their IT systems to AWS infrastructure. As an IT security engineer, you must ensure that unwanted ports and services are not exposed to the outside world, ideally without making much noise in the network. One way to do that is to restrict the scan to the ports AWS services actually use and perform a lightweight scan:

Please read the AWS Acceptable Use Policy, complete and submit the AWS Vulnerability/Penetration Testing Request Form, and obtain the necessary approvals from the stakeholders in your organization before running any scan or pen test.

AWS Ports List 21,22,25,53,80,88,111,123,135,137,138,139,389,443,445,1433,1521,2049,3260,3306,3389,4489,5432,5439,8000,8080,8182,8200,20048 

Of course, we can include or exclude the top 10 or 20 most commonly attacked ports, or any other service-specific ports, depending on the conditions and the infrastructure being scanned. Note that some ports discussed below (465, 587, 2465, 2587, 4172, 11211) are not in the list above; add them when the corresponding service is in scope.
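The lightweight scan described above, as an added example that is not code from the original post. It builds the nmap invocation for the port list (split into TCP and UDP according to the protocol notes in the sections that follow; the nmap flags are standard nmap options), then parses nmap's grepable output and reports every open port that is not on a per-host allowlist of what is supposed to be reachable from the internet. The nmap output and the 203.0.113.x addresses are constructed sample data, not a real scan.

```python
"""Lightweight AWS-oriented port scan: build the nmap invocation for the
post's port list and check nmap's grepable output against an expected-exposure
allowlist. Added example, not code from the original post.
The nmap output below is constructed sample text, not a real scan."""
import shlex

# The post's port list, split by protocol according to the TCP/UDP notes
# in the post (ports marked TCP/UDP appear in both lists).
TCP_PORTS = [21, 22, 25, 53, 80, 88, 111, 135, 139, 389, 443, 445, 1433, 1521,
             2049, 3260, 3306, 3389, 4489, 5432, 5439, 8000, 8080, 8182, 8200,
             20048]
UDP_PORTS = [53, 88, 111, 123, 137, 138, 389, 445, 2049, 20048]


def nmap_command(targets, tcp=TCP_PORTS, udp=UDP_PORTS, timing="T2"):
    """Return the nmap argv list. -Pn skips host discovery (ICMP is usually
    blocked by security groups), -n skips reverse DNS, -T2 keeps the timing
    polite, --open reports only open ports, and -oG - writes grepable output
    to stdout so it can be piped into parse_grepable(). -sS/-sU need root."""
    spec = "T:" + ",".join(str(p) for p in sorted(set(tcp)))
    scans = ["-sS"]
    if udp:
        spec += ",U:" + ",".join(str(p) for p in sorted(set(udp)))
        scans.append("-sU")
    return ["nmap", "-Pn", "-n", "-" + timing, "--open", "-oG", "-",
            *scans, "-p", spec, *targets]


def parse_grepable(text):
    """Parse nmap -oG output into {ip: {(port, proto): (state, service)}}.
    Host lines are tab-separated fields; each port entry has the form
    port/state/proto/owner/service/rpc/version/."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:          # e.g. "Status: Down" lines
            continue
        entries = {}
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue
            port, state, proto, _owner, service = parts[:5]
            entries[(int(port), proto)] = (state, service)
        results[ip] = entries
    return results


def unexpected_open(scan, allow):
    """Return {ip: [(port, proto), ...]} for ports reported 'open' that are not
    in the allowlist. `allow` maps an IP (or "*" for every host) to a set of
    (port, proto). UDP 'open|filtered' is not treated as confirmed open."""
    findings = {}
    for ip, entries in scan.items():
        permitted = allow.get("*", set()) | allow.get(ip, set())
        bad = sorted(pp for pp, (state, _svc) in entries.items()
                     if state == "open" and pp not in permitted)
        if bad:
            findings[ip] = bad
    return findings


# Constructed sample in nmap -oG format (RFC 5737 documentation addresses).
SAMPLE_GREPABLE = (
    "# Nmap 7.70 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 123/open|filtered/udp//ntp///\tIgnored State: closed (32)\n"
    "Host: 203.0.113.11 ()\tPorts: 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///, 1433/filtered/tcp//ms-sql-s///\tIgnored State: filtered (33)\n"
    "Host: 203.0.113.12 ()\tStatus: Down\n"
    "# Nmap done\n"
)

# What we expect to be reachable from the internet: HTTPS everywhere,
# plain HTTP only on the web host. Anything else open is a finding.
ALLOW = {"*": {(443, "tcp")}, "203.0.113.10": {(80, "tcp")}}

if __name__ == "__main__":
    print(" ".join(shlex.quote(a) for a in nmap_command(["203.0.113.0/28"])))
    for host, ports in unexpected_open(parse_grepable(SAMPLE_GREPABLE), ALLOW).items():
        print(host, "unexpected open:", ", ".join(f"{p}/{proto}" for p, proto in ports))
```

Run the printed command (as root, and only against targets covered by your approved test request) with its output redirected to a file, then feed that file to parse_grepable(). On the sample data the web host is flagged for SSH open to the world and the Windows host for SMB and RDP; the filtered SQL Server port and the UDP NTP "open|filtered" result are not counted as confirmed exposures.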

Standard Protocols 

TCP/UDP 88 – Kerberos authentication. Amazon EMR release 5.10.0 and later supports Kerberos. 

UDP 123 – Network Time Protocol (NTP), used for clock synchronization between AWS resources. 

UDP 137-138 and TCP 139 – NetBIOS (listed as Netlogon in the AWS Managed Microsoft AD prerequisites). These ports are used for NetBIOS name resolution (mapping a NetBIOS name to an IP address) by services such as File and Printer Sharing on Windows Server. 

TCP/UDP 389 – LDAP, used by AWS Directory Service (AWS Managed Microsoft AD and Simple AD). 

TCP/UDP 445 – SMB, part of the AWS Managed Microsoft AD prerequisites. 

TCP 80 – Used by AWS resources to communicate over plain HTTP. 

TCP 443 – Used by AWS resources to communicate over an encrypted HTTPS channel; the AWS service APIs themselves are reached on this port. 

TCP 3389 – RDP, used to open a Remote Desktop session to a Windows EC2 instance.

TCP 21 – FTP, used to access AWS resources over FTP (plaintext control channel). 

TCP 22 – SSH, used to access AWS resources over SSH, e.g. a Linux EC2 instance.

TCP 135 – RPC endpoint mapper. 

TCP 1024-65535 – Dynamic ports for RPC; for a lightweight scan we can keep this range out of scope. 
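The scan deliberately leaves the RPC dynamic range out of scope, but a security-group review catches a rule that opens such a range to the world without sending a single packet. The following is an added example, not code from the original post: it takes the SecurityGroups list in the shape returned by `aws ec2 describe-security-groups --output json` (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges and Ipv6Ranges) and reports every watched port that an inbound rule exposes to 0.0.0.0/0 or ::/0. The group IDs and rules below are constructed sample data.

```python
"""Security-group review for the ports in this post: flag inbound rules that
open a watched port to the whole internet, working from the JSON shape of
`aws ec2 describe-security-groups`. Added example, not code from the original
post. The group data below is constructed; the group IDs are made up."""
import ipaddress
import json

# Port -> service label, taken from the post's port notes.
WATCH = {22: "ssh", 80: "http", 443: "https", 445: "smb", 1433: "mssql",
         3306: "mysql", 3389: "rdp", 5432: "postgres", 5439: "redshift",
         8182: "neptune"}


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0 (any prefix of length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_ports(groups, watch=WATCH, allowed_public=frozenset()):
    """Return sorted (group_id, proto, port, cidr) tuples for every watched
    port that an inbound rule opens to the internet, skipping ports that are
    meant to be public. IpProtocol "-1" means all traffic (reported as proto
    "all"); for tcp/udp the FromPort..ToPort range is inclusive, so a wide
    range such as 1024-65535 exposes every watched port inside it."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if is_world(c)]
            if not world:
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":
                proto, hits = "all", sorted(watch)
            elif proto in ("tcp", "udp"):
                lo, hi = perm["FromPort"], perm["ToPort"]
                hits = [p for p in sorted(watch) if lo <= p <= hi]
            else:
                continue                      # icmp and other protocols
            for cidr in world:
                for port in hits:
                    if port not in allowed_public:
                        findings.append((sg["GroupId"], proto, port, cidr))
    return sorted(findings)


# Constructed sample in the describe-security-groups SecurityGroups shape.
SAMPLE_GROUPS = json.loads("""
[
 {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}
  ]},
 {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "ad-dc",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "udp", "FromPort": 137, "ToPort": 138,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
  ]},
 {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-any",
  "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
  ]}
]
""")

if __name__ == "__main__":
    # HTTPS is the only port we intend to expose publicly.
    for group_id, proto, port, cidr in world_open_ports(SAMPLE_GROUPS, allowed_public={443}):
        print(f"{group_id}: {proto}/{port} ({WATCH[port]}) open to {cidr}")
```

On the sample data the web group is clean (443 is intended, SSH is limited to one /24), the domain-controller group's 1024-65535 rule exposes every watched port above 1024, and the all-traffic rule exposes everything. Run it against real output with `aws ec2 describe-security-groups --output json`, passing the `SecurityGroups` list to world_open_ports(); an exposed rule only matters if an interface actually uses the group, so cross-check against the scan results.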

Amazon SES (Mail)

25, 587, 2587 – STARTTLS. The SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587 or 2587, issues an EHLO command, and waits for the server to announce that it supports the STARTTLS SMTP extension before upgrading the connection. 

465, 2465 – TLS Wrapper (implicit TLS). The SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465 and negotiates TLS immediately. 

587, 2587 – Amazon EC2 throttles outbound email traffic on port 25 by default. To avoid timeouts when sending email through the SMTP endpoint from EC2, use a different port (587 or 2587) or submit a Request to Remove Email Sending Limitations to have the throttle removed. 

Databases and Data Stores

3306 – MySQL and MariaDB, and for connecting to an Amazon Aurora MySQL DB cluster.

5432 – PostgreSQL, and for connecting to an Amazon Aurora PostgreSQL DB cluster.

1433 – Microsoft SQL Server. 

1521 – Oracle.

5439 – Amazon Redshift.

8000 – DynamoDB Local (the downloadable version) default port; the hosted DynamoDB service is reached over HTTPS on port 443. 

8182 – Amazon Neptune default port. The Neptune security group must allow TCP access to this port from the EC2 instance's IP address or its security group. 

11211 – ElastiCache for Memcached (Redis clusters use 6379). ElastiCache nodes are reachable only from inside the VPC, so this port is normally not exposed directly to the outside world. 

EC2 Container Service and Docker

49153 – 65535 – Amazon EC2 Container Service dynamic host port mapping. The default ephemeral port range of 49153 through 65535 is always used for Docker versions before 1.6.0 (later versions use the kernel's ip_local_port_range). For a lightweight scan we can keep this range out of scope. 

Port Requirements for Amazon WorkSpaces 

Port 4172 (UDP and TCP) – Used for streaming the WorkSpace desktop and for health checks. It must be open to the PCoIP Gateway IP address ranges and health check servers in the region the WorkSpace is in. For more information, see PCoIP Gateway and Health Check Servers. 

Web client inbound security group rules: 
TCP 4489 – Used by WorkSpaces Web Access (the browser client). 
TCP 8200 – Used for management and configuration of the WorkSpace. 

AWS Storage Gateway 

TCP/UDP 2049 – Used by local systems to connect to the NFS shares your gateway exposes. 

TCP/UDP 111 – Used by local systems to connect to the portmapper your gateway exposes. Only needed for NFSv3 clients.

TCP/UDP 20048 – Used by local systems to connect to the mountd service your gateway exposes. 

TCP 3260 – Used by local systems to connect to the iSCSI targets exposed by the gateway. 
