Network Service Scanning

Technique
ID: T0841
Tactic: Discovery
Data Sources: Network protocol analysis, Packet capture
Asset: Field Controller/RTU/PLC/IED

Description

Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services run on specific port numbers, the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most popular tools for Network Service Scanning is Nmap.

An adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .

Scanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.
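
A detection sketch for the two patterns described above, built on the packet-capture data source: many ports tried on one device (the noisy scan) and one port tried across many devices (the targeted probe). This is an added example, not part of the original page; the flow-record layout, thresholds, addresses and ports are constructed assumptions.

```python
from collections import Counter, defaultdict


def _max_distinct(events, window):
    """Largest number of distinct values seen in any `window`-second span."""
    events = sorted(events)
    counts, best, left = Counter(), 0, 0
    for ts, value in events:
        counts[value] += 1
        # Slide the left edge until the span fits inside the window.
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scans(flows, window=60, port_threshold=10, host_threshold=5):
    """flows: iterable of (timestamp_s, src_ip, dst_ip, dst_port) TCP attempts.

    Returns (vertical, horizontal):
      vertical   - (src, dst) pairs where src tried many ports on one device
      horizontal - (src, port) pairs where src tried one port on many devices
    """
    per_pair = defaultdict(list)  # (src, dst)  -> [(ts, port)]
    per_port = defaultdict(list)  # (src, port) -> [(ts, dst)]
    for ts, src, dst, port in flows:
        per_pair[(src, dst)].append((ts, port))
        per_port[(src, port)].append((ts, dst))
    vertical = sorted(k for k, ev in per_pair.items()
                      if _max_distinct(ev, window) >= port_threshold)
    horizontal = sorted(k for k, ev in per_port.items()
                        if _max_distinct(ev, window) >= host_threshold)
    return vertical, horizontal


def sample_flows():
    """Constructed records; every address and port here is illustrative."""
    flows = [(i * 0.5, "10.0.0.50", "10.0.1.10", p)          # 20 ports, one device
             for i, p in enumerate(range(1, 21))]
    flows += [(100 + 5 * i, "10.0.0.66", f"10.0.1.{20 + i}", 102)  # one port, six devices
              for i in range(6)]
    flows += [(t, "10.0.0.5", "10.0.1.10", 502)              # routine polling, one peer
              for t in range(0, 300, 10)]
    return flows
```

In a segmented control network the set of hosts that legitimately talk to controllers is small and stable, so the thresholds can be set far lower than on an enterprise network.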


Mitigations

  • Network Segmentation - Ensure proper network segmentation is followed to protect critical servers and devices.