SANS ISC InfoSec Forums
CSAM: Scary ports and firewall remote administration

Have you ever done a "quick vulnerability" check only to discover that someone found that vulnerability before you did and already had the system compromised?

During the early stages of a vulnerability scan, nmap is your friend just to quickly confirm what you have. In this case, the big surprise was that the firewall responded on port 4444. Anybody who has ever dabbled with pentesting may be familiar with this port: Metasploit uses port 4444 by default for its remote shell. Other than that, it is typically not used by any "well known service".

At this point, with a possibly compromised network firewall, there isn't much point in going much further. A quick connect with netcat oddly enough led to an HTTP error. Upon further investigation, it turns out that Sophos firewalls use port 4444 for HTTPS remote administration. Typically, ports like 8000, 8080 or 8443 are used, but then again, maybe Sophos wanted to "hide" their port, or just be different.
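As an added example (not from the diary), a small Python triage script that applies the diary's reasoning to nmap grepable (-oG) output: it flags open TCP 4444 and separates an nmap-identified HTTPS admin interface (the Sophos UTM case) from an unidentified listener that deserves the compromise suspicion the diary starts with. The sample scan lines are constructed.

```python
import re
from dataclasses import dataclass

# TCP 4444 is Metasploit's default handler port, but also Sophos UTM (ex-Astaro
# ASG) HTTPS WebAdmin. The other ports are the usual alternative admin ports.
METASPLOIT_DEFAULT_PORT = 4444
COMMON_ADMIN_PORTS = {4444, 8000, 8080, 8443}

# One grepable (-oG) port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")

# Constructed sample of nmap -sV -oG output, not a real scan.
SAMPLE_NMAP_GREPABLE = (
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "4444/open/tcp//ssl|http//Sophos UTM WebAdmin/\n"
    "Host: 192.0.2.2 ()\tPorts: 80/open/tcp//http//nginx/, 4444/open/tcp/////\n"
)

@dataclass
class Finding:
    host: str
    port: int
    service: str
    verdict: str

def triage_grepable(text: str) -> list[Finding]:
    """Flag open TCP listeners on admin/handler ports in nmap -oG output."""
    findings = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for port, state, proto, service, version in PORT_RE.findall(ports):
            port = int(port)
            if state != "open" or proto != "tcp" or port not in COMMON_ADMIN_PORTS:
                continue
            looks_like_web = "http" in service  # nmap writes ssl/http as ssl|http
            if port == METASPLOIT_DEFAULT_PORT and not looks_like_web:
                verdict = ("unidentified listener on Metasploit default port: "
                           "treat as possible compromise until confirmed")
            elif looks_like_web:
                verdict = (f"web admin interface ({version or service}): must not be "
                           "reachable from the WAN side, reach it over VPN instead")
            else:
                verdict = "non-web service on a common admin port: verify manually"
            findings.append(Finding(host, port, service, verdict))
    return findings
```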

---
Johannes B. Ullrich, Ph.D.
ISC Handler
Actually, Sophos inherited the configuration for TCP 4444 from Astaro Corporation when they purchased them. The Astaro Security Gateway (ASG) programming later came to market with the Sophos Unified Threat Management (UTM) branding. I would NOT recommend assigning the remote admin port to the public WAN interface though, that is just asking for alerts and potential problems. VPN into it and then come back to the remote admin port from the inside.

I have several years of experience with the ASGs and now over a year with the UTM. They definitely make a very nice product these days.

Most also do not know that the Sophos UTM can be used freely in your home. Visit http://www.sophos.com and at the bottom left click Free Tools and you'll find a link for Home UTM.

No, I do not work for Sophos...

Thanks,
Jim