UPDATE 10/20/2020: We made some updates and improvements to our External Recon service.
Our External Recon feature provides visibility into a network's external attack surface where the Huntress agent is installed. We do this by scanning the public IP addresses that the agent uses to connect to the Huntress service. Exposures currently flagged include:
- An open Remote Desktop Services (RDP, RDS) port (the default port as well as some popular alternate ports)
  - Changing the default port for Remote Desktop is "security-through-obscurity" at best and does not offer any measurable protection over using the default port.
- An open SMB (Windows File Sharing) share port
- An open SQL Server database or Management Studio port
Why didn't Huntress identify the specific endpoint with the exposed port?
External Recon scans for visible ports on the public IP address from which our agent connects to the Huntress service. An open port indicates that an edge device (e.g., firewall, router) is forwarding the port to an internal host. Because Huntress scans from outside the network, we cannot determine the exact device hosting the open port: many devices may connect to our service from the same public IP address. There may also be devices on the network Huntress is unaware of, such as printers, IoT devices, and non-Windows systems. The Huntress portal identifies the organization where the port is exposed, indicating which site to investigate. A general recommendation is to consult the edge device of the site in question and review its port forwarding (aka "pinholes," "port mapping," or "port address translation") rules to determine which endpoint is exposed.
Can you tell me the IP addresses you scan from so I can whitelist them?
The short answer? No. There are, however, several good reasons. Huntress utilizes port scanning data from our own scanning engine as well as Shodan.io's API. As you may already know, Huntress is cloud-based in Amazon Web Services' (AWS) fully scalable infrastructure. To maintain redundant connectivity and allow for failover, there are no static IP addresses/FQDNs. On the Shodan side of things, they do not publicly post all of their scanner IPs. While there are some unofficial lists, we cannot attest to their accuracy at any given time. More importantly, attackers do not come from a list of source IPs. If they did, security would be infinitely easier. To simulate a more real-world experience, it's best not to whitelist the scanner IPs, as then we would list ports that might otherwise be locked down.
How can I view which device an IP belongs to?
There currently isn't a way for you to drill down by IP address. As a workaround, you can export the Agent data to a spreadsheet that includes the Agents' external IP addresses.
Accessing External Recon
After logging into the Huntress portal, click the radar icon in the left-hand column and you will be presented with a dashboard similar to the following:
For each IP address, the External Recon dashboard will display the following statistics:
- Port number
- Last time it was queried by Huntress
- Last time Shodan initiated a port scan
- The service running on the port, as determined by Shodan (if available)
Some examples of notable ports visible in this list are PPTP (tcp/1723), HTTP (tcp/80), and HTTPS (tcp/443). A partner can utilize this information to check the edge device (e.g., firewall, router) of the organizations listed to determine which endpoint has the exposed port. It's important to understand that not everything on this list necessarily indicates a security issue. Still, it does provide an easy checklist of where to investigate and determine if further action is needed. Any open port can be an attack surface, but sometimes open ports are required to provide the necessary services to an organization. Ensuring ports are open only in a secure manner is key to a healthy security posture.
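The triage workflow described above (match an External Recon finding to the site behind the public IP via the exported Agent data, then check the edge device) can be scripted. The following is an added example, not Huntress code: the CSV column names, the agent rows, and the findings are all constructed for illustration, and the port-to-service table uses only well-known defaults (the article does not list the RDP alternate ports, so none are mapped here).

```python
import csv
import io
from collections import defaultdict

# Well-known default ports for the services the article calls out.
# Assumption: only defaults are mapped; RDP alternate ports are not listed in the article.
NOTABLE_PORTS = {
    3389: "RDP (Remote Desktop)",
    445: "SMB (Windows File Sharing)",
    1433: "SQL Server",
    1723: "PPTP",
    80: "HTTP",
    443: "HTTPS",
}

# Constructed sample of an agent export. The column names are assumptions,
# not the real Huntress export format; adjust them to match your spreadsheet.
AGENT_EXPORT = """hostname,organization,external_ip
DC01,Acme Dental,203.0.113.10
WS-FRONT,Acme Dental,203.0.113.10
LAPTOP-7,Acme Dental,198.51.100.4
FS01,Bravo Law,192.0.2.77
"""

# Constructed sample of External Recon findings: (public IP, port, Shodan service label or "").
RECON_FINDINGS = [
    ("203.0.113.10", 3389, ""),
    ("203.0.113.10", 443, "https"),
    ("192.0.2.77", 445, "smb"),
    ("198.51.100.4", 8080, "http-proxy"),
]


def index_agents(export_text):
    """Group exported agents by the public IP they connect from: {ip: [(hostname, org), ...]}."""
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        by_ip[row["external_ip"]].append((row["hostname"], row["organization"]))
    return by_ip


def triage(findings, agents_by_ip):
    """Attach site context to each finding.

    'candidates' lists every agent sharing the public IP: an external scan cannot
    tell which internal host the edge device forwards the port to, so the
    port-forwarding rules on that site's edge device are the authoritative source.
    """
    results = []
    for ip, port, service in findings:
        agents = agents_by_ip.get(ip, [])
        results.append({
            "ip": ip,
            "port": port,
            "service": service or "unknown",
            "notable": NOTABLE_PORTS.get(port),
            "organizations": sorted({org for _, org in agents}),
            "candidates": [host for host, _ in agents],
            "next_step": (
                "review port-forwarding rules on the site's edge device"
                if agents
                else "IP not present in the agent export; check for unmanaged devices"
            ),
        })
    return results


if __name__ == "__main__":
    for r in triage(RECON_FINDINGS, index_agents(AGENT_EXPORT)):
        label = r["notable"] or r["service"]
        print(f"{r['ip']}:{r['port']} ({label}) -> {', '.join(r['organizations']) or 'unknown site'}; "
              f"agents behind this IP: {', '.join(r['candidates']) or 'none'}; {r['next_step']}")
```

The output lists every agent that shares the flagged public IP rather than guessing a single host, which mirrors the limitation explained above: the scan identifies the site, and the edge device's forwarding rules identify the endpoint.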
As always, please do not hesitate to reach out to Support if you need assistance with or have questions about the External Recon service.