Skip to main content

External Recon

Cameron Granger
  • Updated

Our External Recon feature provides visibility into a network's external attack surface where the Huntress agent is installed. We do this by scanning the public IP addresses that the agent is using to connect to the Huntress service.

 

This feature's primary goal is to provide insight to our Partners by highlighting the "low-hanging fruit" that attackers often gravitate toward when launching their attacks. Showing our Partners these low-hanging exposures offers actionable next steps into improving security posture. Another insight External Recon may provide is changes made by "shadow" IT providers such as a third-party equipment vendor or an on-site "IT person" designee. While we cannot provide a full list of everything External Recon can identify, as it's a moving target and extremely environment-dependent, some examples may include:

  • An open Remote Desktop Services (RDP, RDS) port (the default port as well as some popular alternate ports)
    • Changing the default port for Remote Desktop is "security-through-obscurity" at best and does not offer any measurable protection over using the default port.
  • An open SMB (Windows File Sharing) share port
  • An open SQL server database or Management Studio port

How often does Huntress rescan IPs? Huntress uses Shodan.io to determine open ports. Huntress sends requests to Shodan every few days, but sometimes it may take up to 2 weeks for Shodan to update. 

Why didn't Huntress identify the specific endpoint with the exposed port? External Recon is scanning for visible ports on the public IP address our agent connects to the Huntress service from. An open port indicates an edge device (e.g., firewall, router) is forwarding the port to an internal host. As Huntress is scanning from externally, we cannot determine the exact device hosting the open port as many devices may connect to our service from the same public IP address. There may also be devices on the network Huntress is unaware of, such as printers, IoT devices, and non-Windows systems. The Huntress portal identifies the organization where the port is exposed, indicating which site to investigate. A general recommendation would be to consult the edge device of the site in question and review the port forwarding (aka "pinholes," "port mapping," or "port address translation") rules to determine which endpoint is exposed.

Can you tell me the IP addresses you scan from so I can whitelist them? The short answer? No. There are, however, several good reasons. Huntress utilizes port scanning data from our scanning engine as well as Shodan.io's API. As you may already know, Huntress is cloud-based in Amazon Web Services' (AWS) fully scalable infrastructure. To maintain redundant connectivity and allow for failover, there is no static IP addresses/FQDNs. On the Shodan side of things, they do not publicly post all of their scanner IPs. While there are some unofficial lists, we cannot attest to their accuracy at any given time. More importantly, attackers do not come from a list of source IPs. If they did, security would be infinitely easier. To simulate a more real-world experience, it's best not to whitelist the scanner IPs as then we'd list ports that might otherwise be locked down. 

How can I view which device an IP belongs to? There currently isn't a way for you to drill-down by IP address. As a workaround, you can export the Agent data to a spreadsheet that includes the Agents' external IP addresses. 

Accessing External Recon

After logging into the Huntress portal, click the radar icon in the left-hand column and you will be presented with a dashboard similar to the following: 

file-H6NXSv4oih.png

For each IP address the External Recon dashboard will display the following statistics:

  • Protocol
  • Port number
  • The last time it was queried by Huntress (Huntress sends requests to Shodan every few days)
  • The last time Shodan initiated a Port scan
  • The service running on the port, as determined by Shodan (if Available)

Some examples of notable ports visible in this list are  PPTP (TCP/1723), HTTP (TCP/80), and HTTPS (TCP/443). A partner can utilize this information to check the edge device (e.g., firewall, router) of the organizations listed to determine which endpoint has the exposed port. It's important to understand that not necessarily everything on this list means there is a security issue. Still, it does provide an easy checklist of where to investigate and determine if further action is needed. Any open port can be an attack surface, but sometimes open ports are required to provide the necessary services to an organization. Ensuring ports are open only in a secure manner is key to a healthy security posture. 

Huntress does not have any visibility into the network beyond open ports, and is unable to see or monitor network traffic.

As always, please do not hesitate to reach out to Support if you need assistance with or have questions about the External Recon service. 

Comments

0 comments

Please sign in to leave a comment.

Related articles