Team: Managed Endpoint Detection and Response (EDR)
Product: External Recon
Environment: Huntress Platform
Summary: External Recon provides visibility into your network’s external attack surface by identifying open ports and services exposed to the internet, helping you reduce risk and improve your security posture.
Key Takeaway
External Recon provides an outside‑in view of your internet‑facing attack surface. It highlights open ports and services in your environment by pulling data from Shodan.io. Use it to spot risk, then investigate and remediate in your environment (firewalls, routers, cloud security groups, and other security tools).
Overview
External Recon is a feature in the Huntress Platform that helps you understand your organization’s external attack surface. It highlights open ports and services on public IP addresses where the Huntress Agent is installed. This visibility allows you to identify exposures that attackers often target, such as open Remote Desktop Protocol (RDP) or Server Message Block (SMB) ports, and take action to improve your security posture.
External Recon also helps you spot unexpected changes, such as those made by third-party vendors or “shadow IT” activities, by surfacing new or altered exposures on your network’s edge.
Accessing External Recon
To view your account's external exposures, hover over EDR in the left navigation menu to expand the submenu, then select External Recon.
The External Recon dashboard displays each public IP address detected by the Huntress Agent, along with:
- Protocol (for example, TCP or UDP)
- Port number
- Last time Huntress queried the port
- Last time Shodan scanned the port
- Service running on the port (if available)
Use this information to review your edge devices (such as firewalls or routers) and determine which internal endpoints are exposed. Not every open port is a security issue, but each one should be reviewed to ensure it is necessary and secured.
Important: Huntress does not have visibility into network traffic or internal devices beyond what is exposed on public IP addresses. Open ports may be required for business operations, but they should be configured securely.
How External Recon Works
External Recon scans the public IP addresses used by your endpoints to connect to the Huntress service. It uses the public IP addresses seen by the Huntress Agent and combines that with open‑port data from Shodan.io to identify which ports and services are exposed to the internet.
The primary goal is to provide actionable insights by highlighting “low-hanging fruit”, i.e. common exposures that threat actors often exploit. Examples include:
- Open Remote Desktop Services (RDP) ports, including default and common alternate ports
- Open SMB (Windows File Sharing) ports
- Open SQL Server database or Management Studio ports
Changing the default port for a service, such as RDP, is not a substitute for proper security controls. Security-through-obscurity does not provide meaningful protection.
External Recon cannot provide a complete list of all exposures. The feature focuses on what is visible from the outside, not internal network details.
Interpreting ports in the External Recon table
Use the public IP and port to investigate where that exposure is coming from, for example by checking your firewall, router, or cloud security group rules to determine whether the service is running on the edge device itself or is being forwarded to an internal system. Some examples of common ports you may see include:
| Service | Port | Protocol |
|---|---|---|
| HTTP | 80 | TCP |
| HTTPS | 443 (sometimes 8080/8443) | TCP |
| RDP | 3389 | TCP |
| SMB | 445 | TCP |
| SSH | 22 | TCP |
| FTP | 21 | TCP |
| SMTP | 25 | TCP |
| SIP | 5060 (common for VoIP) | UDP |
| PPTP | 1723 | TCP |
Frequently Asked Questions
How often does External Recon update?
Huntress uses Shodan to surface open ports and services on your public IPs in External Recon. Huntress queries Shodan every few days. Shodan returns the most recent observation it has for a given IP and port, generally based on data collected within the last 30 days. It isn’t a real-time scan, and coverage and refresh timing vary by asset and service. Changes can take days, and sometimes longer, to appear. For more detail on Shodan’s data timing, see Shodan's Data Timeline.
Why can’t Huntress identify the specific endpoint with the exposed port?
External Recon scans visible ports on the public IP your Huntress agents use to reach our service. An open port on that IP usually means an edge device (firewall/router) is forwarding it to an internal host. Because we only see this from the outside, and multiple devices can share the same public IP via NAT, we can’t reliably tell which internal device is exposed. The portal shows which organization/site the IP belongs to; from there, review the port‑forward/NAT rules on your edge device to find the specific endpoint.
Can I allowlist the IP addresses Huntress scans from?
No. Huntress runs on a cloud-based, scalable infrastructure in Amazon Web Services (AWS) and External Recon relies on Shodan’s internet-wide scanning. Because of that design, we don’t provide a fixed, static set of source IP addresses or FQDNs to allowlist. Cloud infrastructure uses distributed egress and redundancy for reliability and failover, so source addresses can change over time.
On the Shodan side, they don’t publish a complete, authoritative list of all scanner IPs. You may find unofficial lists online, but we can’t validate their accuracy or completeness at any given time.
More importantly, restricting results to allowlisted scanner IPs would reduce the “real world” value of External Recon. Attackers don’t originate from a predictable, fixed list of IPs, and allowlisting scanning sources can create an artificially clean view by making exposures appear reachable when they’re only reachable from that allowlisted set. For the most accurate picture, it’s best not to allowlist scanner IPs.
How can I view which device an IP belongs to?
External Recon can’t directly show which internal device is behind a public IP because of NAT. As a workaround, export your Agents list to CSV/XLSX and filter on the External IP column to see which endpoints have reported from that IP, then check your firewall/router’s port‑forward/NAT rules for that IP and port to see which internal host it’s forwarded to.
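The triage loop described in this article (read the External Recon table, single out the low-hanging-fruit ports, then use the Agents export's External IP column to narrow down candidate hosts) can be scripted once both exports are in hand. The following is an added example, not Huntress code or an official export format: the column names, the sample rows, and the choice of 3390 as an RDP alternate and 1433 as the SQL Server port are assumptions; it also flags findings whose Shodan observation is older than the 30-day window mentioned above.

```python
import csv, io
from datetime import date
# Constructed sample rows in the shape of the External Recon table (not a real export).
RECON_CSV = """public_ip,protocol,port,service,shodan_last_scanned
203.0.113.10,TCP,3389,ms-wbt-server,2024-05-01
203.0.113.10,TCP,443,https,2024-05-03
203.0.113.10,TCP,445,microsoft-ds,2024-03-20
203.0.113.25,TCP,3390,,2024-05-02
203.0.113.25,TCP,1433,ms-sql-s,2024-04-28
"""

# Constructed sample of an Agents export; only the "External IP" column is used.
AGENTS_CSV = """Hostname,External IP
FILESRV01,203.0.113.10
WS-042,203.0.113.10
SQL01,203.0.113.25
"""

# Ports the article singles out (3390 as RDP alternate and 1433 for SQL Server are assumptions).
HIGH_RISK_PORTS = {
    ("TCP", 3389): "RDP",
    ("TCP", 3390): "RDP (alternate)",
    ("TCP", 445): "SMB",
    ("TCP", 1433): "SQL Server",
}
STALE_AFTER_DAYS = 30  # Shodan observations are generally from the last 30 days


def agents_by_external_ip(agents_csv):
    # Group agent hostnames by the public IP they last reported from.
    by_ip = {}
    for row in csv.DictReader(io.StringIO(agents_csv)):
        by_ip.setdefault(row["External IP"], []).append(row["Hostname"])
    return by_ip


def triage(recon_csv, agents_csv, today_iso):
    # Keep only the low-hanging-fruit ports, attach candidate hosts, flag stale data.
    today, agents, findings = date.fromisoformat(today_iso), agents_by_external_ip(agents_csv), []
    for row in csv.DictReader(io.StringIO(recon_csv)):
        key = (row["protocol"].upper(), int(row["port"]))
        if key not in HIGH_RISK_PORTS:
            continue  # other open ports still deserve review, just not auto-flagged
        seen = date.fromisoformat(row["shodan_last_scanned"])
        findings.append({
            "ip": row["public_ip"], "protocol": key[0], "port": key[1],
            "label": HIGH_RISK_PORTS[key], "stale": (today - seen).days > STALE_AFTER_DAYS,
            # NAT means these are candidates only; confirm with the edge device's forward rules.
            "candidate_hosts": agents.get(row["public_ip"], []),
        })
    return findings
```

Run against the constructed data as of 2024-05-05, the SMB finding on 203.0.113.10 comes back stale (last seen 46 days earlier) while the two hosts sharing that IP are both listed as candidates, which is exactly the point where the port-forward rules have to be consulted.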
Does every open port mean there is a security issue?
Not necessarily. Some open ports are required for business operations. However, every open port increases your attack surface. Review each exposure to ensure it is necessary and properly secured.
Any open port can be an entry point for attackers. Regularly review and update your port forwarding rules to minimize unnecessary exposure.