CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this
material is prohibited and subject to legal action under breach of IP and confidentiality clauses.
Port Scanning of Website
By Saurabh S. Kajbaje
Agenda
• Abstract
• Reconnaissance
• Deliverable
• PoC
• Tools
• References
Abstract
• Scanning of the website for active open ports.
• Functions, Benefits, and Threats of an open port.
• Research
• Data Collection
• Impact Analysis
• Recommendation & Conclusion
Research
• Web Site Name: Tilak Maharashtra Vidyapeeth
• Host URL: www.tmv.edu.in
• Type: Universities and Colleges
• Overall Ranking:
o Global Rank: 723,226
o Country (India) Rank: 58,011
o Industry (Education) Rank: 7,181
• Usage (All Traffic):
o Total Visits (Worldwide): 47,502 (June 2024 - August 2024)
o Device Distribution: Desktop/Laptop – 30.54%, Mobile web – 69.46%
Data Collection
Technology Stack (fingerprinted from the site's responses; see Tools)
• Hosting Panel: Plesk
• Operating System: Windows Server
• Web Framework: Microsoft ASP.NET (4.0.30319)
• UI Framework: Bootstrap
• Web Server: IIS (8.5)
• JavaScript Library: jQuery (1.8.2)
• CDN: jQuery CDN
• Tag Manager: Google Tag Manager
A note on the version strings: 4.0.30319 is the CLR build number shared by every .NET Framework 4.x release, so it does not identify the exact ASP.NET version in use. IIS 8.5 is the version bundled with Windows Server 2012 R2, and jQuery 1.8.2 was released in 2012; both should be checked against current vendor support status and known-vulnerability lists before this assessment is reported.
Port Scanning
• Port scanning is the technique of sending probe packets to a host's ports to determine which of
them are open, closed or filtered.
• Port scans help identify exposed services, weak points, and the presence of security devices
such as firewalls on a network.
• Whether and how a port answers a probe tells the scanner if a service is listening there. Whether
that service is actually vulnerable is a separate question, answered by version detection and
vulnerability assessment, not by the scan itself.
Functionality of Port Scanner
• A port scanner sends a TCP or UDP packet to each target port and infers the port's state from
the reply, or from the absence of one.
• The three states are:
• Open: a service accepted the connection or answered the probe.
• Closed: the host answered (a TCP RST, or an ICMP port-unreachable for UDP), so nothing is listening there.
• Filtered: no reply at all, or an ICMP "administratively prohibited" message, which usually means a
firewall dropped or blocked the probe.
Types of Port Scanning
• Ping scans: a ping checks whether a host is reachable at all by sending an ICMP echo request.
Ping scans send these requests to many addresses to find live hosts. This is host discovery
rather than a port scan, and hosts that block ICMP (as many servers do) are missed unless a
TCP-based discovery probe is used as well.
• Half-open or SYN scans: a SYN scan checks the state of a port without completing the TCP
three-way handshake. The scanner sends a SYN; a SYN/ACK reply means open, a RST means
closed, and no reply means filtered. The scanner then tears the half-open connection down with
a RST instead of sending the final ACK, which is faster and is not seen by the application
behind the port. This needs raw-socket (root/administrator) privileges; without them, scanners
fall back to a full-connect scan, which reports the same states.
• XMAS scans: an XMAS scan sends a single TCP packet with the FIN, PSH and URG flags set.
Per the TCP specification a closed port replies with a RST and an open port ignores the packet,
so a reply means closed and silence means open or filtered (Nmap reports it as open|filtered).
The scan reveals nothing beyond the port's state; it does not give access to the network.
Windows and several other stacks reply with a RST regardless of port state, so XMAS scans
are useless against a Windows Server target such as the one in this assessment.
Proof Of Concept
• Finding the IP address of the website (resolving the host name).
• Basic port scan: scanning the 1000 most common TCP ports (Nmap's default port list).
• Full port scan: scanning all 65535 TCP ports.
• Service version detection: probing each open port to determine which service, and which
version of it, is running there.
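The three steps above, carried out in code as an added example (this is not code from the original deck and not Nmap's own code). It is a TCP connect scanner that classifies each port as open, closed or filtered the way Nmap does, then grabs a banner from every open port. The port list is an illustrative assumption, and the demo services are constructed local listeners so that the script runs offline against 127.0.0.1 instead of any real host.

```python
"""TCP connect scanner with Nmap-style port states and banner grabbing.

Added example, not code from the original deck and not Nmap's own code. It
carries out the three steps listed above (resolve the host name, scan a
port list, identify the service behind each open port) with the Python
standard library only. Assumptions: the port list is illustrative, and the
demo services are constructed local listeners so that the script runs
offline against 127.0.0.1 instead of any real host.
"""
import socket
import threading
from dataclasses import dataclass

# Ports discussed in this deck (assumption: a realistic shortlist, not Nmap's top 1000).
DEFAULT_PORTS = (21, 25, 53, 80, 110, 135, 143, 443, 993, 3306)
# A service that waits for the client to speak first (HTTP) needs a probe.
# nmap -sV keeps a whole library of such probes; one generic request suffices here.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"


@dataclass
class PortResult:
    port: int
    state: str        # "open", "closed" or "filtered"
    banner: str = ""  # first line the service sent, if any


def resolve(hostname: str) -> str:
    """Step 1: map the website name to an IPv4 address."""
    return socket.gethostbyname(hostname)


def state_from_error(err: OSError) -> str:
    """Connection refused means the host answered with a RST: closed.
    A timeout or an ICMP unreachable means something dropped the probe,
    which Nmap reports as filtered."""
    return "closed" if isinstance(err, ConnectionRefusedError) else "filtered"


def grab_banner(sock: socket.socket, timeout: float) -> str:
    """Read the service greeting; if the service stays silent, send the
    HTTP probe and read the reply instead. Returns the first line."""
    sock.settimeout(timeout)
    data = b""
    for probe_bytes in (b"", HTTP_PROBE):  # first just listen, then poke
        try:
            if probe_bytes:
                sock.sendall(probe_bytes)
            data = sock.recv(512)
        except OSError:                    # timeout, reset, etc.
            data = b""
        if data:
            break
    return data.decode("latin-1", "replace").splitlines()[0].strip() if data else ""


def probe(host: str, port: int, timeout: float = 1.0) -> PortResult:
    """Step 2: a full TCP handshake (connect scan). A SYN scan stops after
    SYN/SYN-ACK and needs raw sockets; the resulting states are the same."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return PortResult(port, "open", grab_banner(sock, timeout))
    except OSError as err:
        return PortResult(port, state_from_error(err))


def scan(host: str, ports=DEFAULT_PORTS, timeout: float = 1.0) -> list:
    """Step 3: probe every port in the list and report its state and banner."""
    return [probe(host, p, timeout) for p in ports]


def demo_listener(banner: bytes, wait_for_request: bool = False) -> int:
    """Constructed local service for the demo: accepts one connection,
    optionally waits for the client's request, sends `banner`, and exits.
    Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(512)
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A port nothing listens on, so the scanner should see a RST: closed."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = resolve("localhost")
    ftp = demo_listener(b"220 demo-ftp FTP server ready\r\n")
    web = demo_listener(b"HTTP/1.0 200 OK\r\nServer: demo\r\n\r\n", wait_for_request=True)
    for r in scan(target, [ftp, web, free_port()]):
        print(f"{r.port:>5}/tcp  {r.state:<8}  {r.banner}")
```

A connect scan completes the handshake, so the service sees and may log every probe; that is the trade-off against a SYN scan, which needs raw sockets. Against a real target the "filtered" verdict also depends on the timeout: too short and a slow host looks firewalled, which is why Nmap retries before settling on a state.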
Proof Of Concept
Port 21 FTP
Possible Exploitations:
• Anonymous Authentication
• Weak or Default Credentials
• Cleartext Transmission of Credentials
• FTP Bounce Attack
• Directory Traversal Attack
• Unpatched FTP Software
• Misconfigured Permissions
• Active/Passive Mode Firewall Holes (active mode needs inbound connections from the server,
so firewalls are often opened wider than necessary to make it work)
• Denial of Service (DoS) Attacks
• Command Injection
Mitigation Techniques:
• Disable anonymous access unless necessary and apply strict permissions.
• Replace plain FTP with SFTP or FTPS so that credentials and data are not sent in cleartext.
• Use strong authentication methods, including multi-factor authentication.
• Restrict the IP addresses that can connect to the FTP server.
• Regularly audit and update the FTP server software.
• Log and monitor FTP activity for suspicious behaviour.
Function: FTP transfers files between a client and a server. Port 21 carries the control channel
(commands and credentials); file data travels over a separate connection.
Proof Of Concept
Port 25 SMTP
Possible Exploitations:
• Open Relay Abuse
• Spamming
• Spoofing
• Brute Force Attacks
• Mail Bombing
• Buffer Overflow Vulnerabilities
• TLS Downgrade (STARTTLS stripping)
• Exploitation of Default or Misconfigured Settings
• SMTP Header Injection (from web forms that build mail headers out of user input)
• User enumeration through VRFY/EXPN or differing server responses
• Phishing and Email-based Malware
Mitigation Techniques:
• Disable open relaying: relay only for authenticated users or for your own domains.
• Use encryption (TLS/STARTTLS), and take authenticated submission on port 587 rather than 25.
• Publish SPF, DKIM and DMARC records so that mail spoofing your domain is rejected elsewhere.
• Limit access.
• Monitor logs.
• Apply patches regularly.
Function: Simple Mail Transfer Protocol (SMTP) is used for sending email and relaying it between mail servers.
Proof Of Concept
Port 53 DNS
Possible Exploitations:
• DNS Cache Poisoning (DNS Spoofing)
• DNS Amplification Attacks
• DNS Tunnelling
• DNS Reflection Attacks
• DNS Hijacking
• DNS-based Malware C2 Communication
• DNS Flooding
• Zone Transfer Exploitation (AXFR allowed to anyone discloses every record in the zone)
• DNS Rebinding
• Abuse of DNS over HTTPS (DoH) to bypass DNS-based filtering
Mitigation Techniques:
• Use DNSSEC.
• Close open resolvers: a web server should not run a recursive resolver that is reachable from the
internet at all.
• Implement rate limiting (response rate limiting on authoritative servers).
• Filter DNS traffic.
• Monitor DNS queries.
• Restrict zone transfers to the addresses of the secondary name servers, and sign them with TSIG.
• Deploy DNS-over-TLS (DoT) for client-to-resolver traffic.
Function: Domain Name System (DNS) resolves domain names to IP addresses, enabling users to
access services using easy-to-remember names like example.com.
Proof Of Concept
Port 80 HTTP
Possible Exploitations:
• SQL Injection (SQLi)
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
• Unvalidated Redirects and Forwards
• Command Injection
• Server-Side Request Forgery (SSRF)
• Insecure Direct Object References (IDOR)
• Cookie Hijacking (session cookies sent over plain HTTP can be read on the wire)
• Broken Authentication
• Denial of Service (DoS) or Distributed Denial of Service (DDoS)
Mitigation Techniques:
• Use HTTPS: redirect every HTTP request to HTTPS and send HSTS so browsers stop using port 80.
• Input Validation
• Use Security Headers (Content-Security-Policy, X-Content-Type-Options, X-Frame-Options)
• Web Application Firewall (WAF)
• Patch Management
• Access Controls
• Session Security (Secure, HttpOnly and SameSite cookie flags; new session ID on login)
• Error Handling (no stack traces or version details in error pages)
Function: HTTP is used to serve unencrypted web content. Most of the attacks listed are flaws in the
web application rather than in port 80 itself; moving the site to HTTPS protects the traffic in transit
but does not remove them.
Proof Of Concept
Port 443 HTTPS
Possible Exploitations:
• SSL/TLS protocol and library vulnerabilities
• Man-in-the-Middle Attacks (MITM)
• TLS Downgrade Attacks
• Insecure TLS Renegotiation
• Certificate validation bypass in client applications (pinning bypass)
• HTTPS Misconfigurations (weak ciphers, expired or mismatched certificates, mixed content)
• Server Vulnerabilities (the same web-application flaws as on port 80; TLS protects the transport,
not the application)
• Certificate Authority (CA) compromise or mis-issuance
• HTTP/2 Vulnerabilities
Mitigation Techniques:
• Use modern TLS versions (TLS 1.2 and 1.3; disable SSLv3, TLS 1.0 and TLS 1.1).
• Regularly update and patch the TLS library and web server.
• Implement HSTS.
• Use strong ciphers and key lengths.
• Enable Perfect Forward Secrecy (PFS) with ECDHE key exchange.
• Monitor certificate expiry, and watch Certificate Transparency logs for unexpected issuance.
• Enable the Secure (and HttpOnly) flag on cookies.
• Certificate pinning, where it applies: it is a client-side control for mobile or desktop apps.
Browsers no longer honour HPKP, so pinning does not harden a public website by itself.
Function: HTTPS is the secure version of HTTP, using TLS to encrypt communication between the
client and the server.
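The HTTP and HTTPS mitigation lists above both call for security headers, HSTS and secure cookie flags. The following is an added example, not code from the deck and not a capture from any real server: it audits a raw HTTP response head for those items, and also checks that a plain-HTTP response only redirects to HTTPS. The sample responses are constructed; the weak one mimics what a default IIS/ASP.NET site tends to send, but it is not the scanned site's output.

```python
"""Audit an HTTP response head for the headers and cookie flags that the
HTTP and HTTPS mitigation lists ask for.

Added example, not code from the deck. Input is the raw response head as
bytes (as captured from a socket or a proxy). The sample responses are
constructed for the demo and are not captures from any real host.
"""

# Header -> why it matters. Names are compared case-insensitively.
REQUIRED_ON_TLS = {
    "strict-transport-security": "HSTS: browsers refuse plain HTTP after the first visit",
    "content-security-policy": "CSP: limits what injected script can load or run",
    "x-content-type-options": "nosniff: stops browsers sniffing uploads into scripts",
    "x-frame-options": "clickjacking protection (or CSP frame-ancestors)",
}


def parse_head(raw: bytes):
    """Split a raw response into (status line, [(name, value), ...]).
    Headers are kept as a list because Set-Cookie may repeat."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(raw: bytes, over_tls: bool = True) -> list:
    """Return a list of findings; an empty list means the checks passed."""
    status, headers = parse_head(raw)
    code = int(status.split()[1])
    values = dict(headers)  # last value wins; fine for the non-cookie headers
    findings = []

    if not over_tls:
        # Port 80 should only ever redirect to HTTPS.
        location = values.get("location", "")
        if code in (301, 302, 307, 308) and location.lower().startswith("https://"):
            return findings
        findings.append(f"plain HTTP answers {code} instead of redirecting to HTTPS")

    for name, why in REQUIRED_ON_TLS.items():
        if name == "strict-transport-security" and not over_tls:
            continue  # HSTS is only honoured when received over HTTPS
        if name not in values:
            findings.append(f"missing {name} ({why})")

    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} set without {flag}")
        elif name == "server" and any(ch.isdigit() for ch in value):
            findings.append(f"Server header reveals a version: {value}")
        elif name == "x-powered-by":
            findings.append(f"X-Powered-By reveals the framework: {value}")
    return findings


# Constructed samples (not captures from any real server).
WEAK_TLS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/8.5\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    b"\r\n<html>...</html>"
)
PLAIN_HTTP_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
PLAIN_HTTP_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.edu/\r\nContent-Length: 0\r\n\r\n"
)
HARDENED_TLS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    cases = [("weak https", WEAK_TLS, True), ("http 200", PLAIN_HTTP_OK, False),
             ("http redirect", PLAIN_HTTP_REDIRECT, False), ("hardened https", HARDENED_TLS, True)]
    for label, raw, tls in cases:
        print(label, "->", audit(raw, tls) or "OK")
```

The weak response produces nine findings (four missing headers, three missing cookie flags, and two version disclosures), the plain-HTTP 200 is flagged for serving content instead of redirecting, and the redirect and hardened responses pass. Feeding this the response from `grab_banner` above would need the full head rather than just the first line, so in practice the input comes from a full request with `http.client` or a proxy.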
Proof Of Concept
Port 110 POP3
Possible Exploitations:
• Plaintext Credentials (port 110 without STARTTLS)
• Brute Force Attacks
• Buffer Overflow Vulnerabilities
• STARTTLS stripping / TLS downgrade attacks
• Misconfiguration and Weak Encryption
• POP3 Command Injection
• Directory Traversal (in misconfigured servers)
• Denial of Service (DoS) Attacks
Mitigation Techniques:
• Require TLS: either POP3S on port 995 or mandatory STARTTLS on port 110, and reject plaintext
logins. Switching to IMAP changes nothing by itself; IMAP without TLS exposes credentials in
exactly the same way.
• Regularly patch the mail server software to mitigate known vulnerabilities.
• Implement rate limiting, account lockout and IP blocking to defend against brute force and DoS
attacks.
• Use strong cipher suites and regularly audit the server for misconfigurations.
Function: The Post Office Protocol version 3 (POP3) retrieves emails from a mail server.
Proof Of Concept
Port 135 MSRPC
Possible Exploitations:
• Remote Code Execution (RCE) through vulnerable RPC services
• Pass-the-Hash (PtH) and credential theft
• Privilege Escalation
• Denial of Service (DoS)
• Weak Authentication or Misconfiguration
• Man-in-the-Middle (MitM) Attacks
• SMB/NTLM Relay Attacks
• Lateral movement via MSRPC (DCOM, WMI, service control)
• Brute force against exposed accounts
• Enumeration: the endpoint mapper on port 135 lists the registered RPC interfaces and their
dynamic ports to anyone who asks
Mitigation Techniques:
• Apply security patches.
• Firewall configuration: port 135, and the dynamic RPC port range behind it, should never be
reachable from the internet. On a web server it is only needed for internal Windows management.
• Strong authentication and encryption (RPC packet privacy; prefer Kerberos over NTLM).
• Network segmentation.
• Monitoring and logging.
Function: MSRPC is the protocol Windows services use to talk to each other over the network. Port
135 runs the endpoint mapper, which tells a client on which port a given RPC service is listening.
Proof Of Concept
Port 143 IMAP / 993 IMAPS
Possible Exploitations:
• Weak Authentication (Brute Force Attacks)
• STARTTLS stripping / TLS downgrade attacks on port 143
• Man-in-the-Middle (MITM) Attacks
• Vulnerabilities in IMAP Software
• Information Disclosure (Banner Grabbing)
• Denial of Service (DoS) Attacks
• Cross-Protocol Attacks
• Session Hijacking
• IMAP Command Injection
Mitigation Techniques:
• Enforce TLS (IMAPS on 993, or mandatory STARTTLS on 143) and reject plaintext logins.
• Use strong authentication methods (multi-factor authentication, strong passwords).
• Regularly update and patch the IMAP software to fix known vulnerabilities.
• Trim service banners so that they do not reveal the software name and version.
• Monitor for unusual IMAP activity to detect potential intrusions.
Function: IMAP is commonly used for retrieving emails from a server. Port 143 carries plain IMAP
(optionally upgraded with STARTTLS) and port 993 carries IMAP over TLS.
Proof Of Concept
Port 3306 MySQL
Possible Exploitations:
• SQL Injection (reaches the database through the web application, not through port 3306 itself)
• Brute Force Attacks against the root or application accounts
• Remote Code Execution (RCE)
• Exploiting Default Configurations
• Privilege Escalation
• Data Exfiltration
• Using MySQL as a Pivot Point
• Denial of Service (DoS) Attacks
Mitigation Techniques:
• Input validation and parameterised queries in the application
• Strong Password Policies
• Least Privilege Principle
• Firewall configuration: bind MySQL to localhost or a private interface; it should not be reachable
from the internet at all
• Regular Updates
• Monitoring and Logging
Function: MySQL is a popular open-source relational database management system (RDBMS) for
managing database-driven websites.
Conclusion & Recommendations
• The scan reveals several open ports providing services to www.tmv.edu.in. While some of these
services are necessary for the proper functioning of the web server, each exposed service widens
the attack surface, and some (MSRPC, MySQL, and usually the mail protocols) do not need to be
reachable from the internet on a public web host at all. It is recommended to:
• Migrate HTTP traffic to HTTPS entirely (redirect port 80 to 443 and enable HSTS).
• Regularly update all services, particularly SSL/TLS certificates and configurations.
• Secure the MySQL database by isolating it from public internet access.
• Restrict MSRPC (135) and the mail protocols to the internal network or to specific source addresses.
• Deploy port-scan detection such as PortSentry, scanlogd or a network IDS (Netcat is a connection
tool and does not detect scans).
• Conduct regular port scans from outside the network to confirm that the exposure matches policy.
• Monitor running services.
• Close all unused ports.
• Continuously filter port traffic at the perimeter and host firewalls.
• Install firewalls on every host and patch the firewall regularly.
• Monitor open port vulnerabilities:
o Using penetration testing to simulate attacks through open ports
o Conducting vulnerability assessments
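The recommendation to deploy port-scan detection rests on one heuristic that PortSentry, scanlogd and network IDS scan detectors share: a single source touching many distinct ports on a host inside a short window. The following is an added example, not code from the deck and not how any of those tools is implemented; it runs that heuristic over firewall connection logs. The log format (one line per connection attempt with iptables-style SRC/DST/DPT fields) is an assumption, and every sample line is constructed.

```python
"""Port-scan detection over firewall connection logs.

Added example, not code from the deck and not how PortSentry, scanlogd or
any particular IDS is implemented; it shows the heuristic they share: one
source touching many distinct ports on one host inside a short window.
The log format is an assumption (one line per connection attempt, with
iptables-style fields), and every sample line below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DROP) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line: str):
    """One log line -> (timestamp, src, dst, dport, action), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]), m["action"]


def detect_scans(lines, threshold: int = 10, window_s: int = 60) -> list:
    """Sliding window per (src, dst): alert the first time a source has hit
    `threshold` distinct ports on one host within `window_s` seconds.
    Lines are assumed to be in time order, as a log file is."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport, action)
    alerted = set()
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        ts, src, dst, dpt, action = rec
        key = (src, dst)
        q = recent[key]
        q.append((ts, dpt, action))
        while ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        ports = {p for _, p, _ in q}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src, "dst": dst,
                "first_seen": q[0][0].isoformat(), "last_seen": ts.isoformat(),
                "ports": sorted(ports),
                "dropped": sum(1 for _, _, a in q if a == "DROP"),
            })
    return alerts


def sample_log() -> list:
    """Constructed log: a fast scanner, a legitimate browser, and a slow scanner
    that stays under the window (the classic evasion of this heuristic)."""
    t0 = datetime(2024, 9, 1, 10, 0, 0)

    def line(secs, action, src, dport):
        ts = (t0 + timedelta(seconds=secs)).isoformat()
        return f"{ts} {action} SRC={src} DST=198.51.100.10 DPT={dport}"

    lines = []
    # 203.0.113.7: twelve distinct ports in twelve seconds, only 80 and 443 open
    for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 135, 143, 443, 993, 3306)):
        lines.append(line(i, "ACCEPT" if port in (80, 443) else "DROP", "203.0.113.7", port))
    # 198.51.100.5: a browser, only ever 80 and 443
    for i in range(6):
        lines.append(line(i * 5, "ACCEPT", "198.51.100.5", 443 if i % 2 == 0 else 80))
    # 192.0.2.9: low-and-slow, one port every 90 s, never ten inside a 60 s window
    for i, port in enumerate(range(8000, 8010)):
        lines.append(line(i * 90, "DROP", "192.0.2.9", port))
    lines.append("garbage line that does not parse")
    return sorted(lines)  # ISO timestamps sort into time order, as a real log would be


if __name__ == "__main__":
    for alert in detect_scans(sample_log()):
        print(f"scan from {alert['src']} -> {alert['dst']} between {alert['first_seen']} "
              f"and {alert['last_seen']}: {len(alert['ports'])} ports, {alert['dropped']} dropped")
```

With the defaults only the fast scanner fires, at its tenth distinct port; the browser never exceeds two ports and the slow scanner never has more than one attempt inside any 60 s window. Widening the window and lowering the threshold catches the slow scanner at the cost of more false positives, which is why production detectors also correlate across destination hosts and whitelist known monitoring sources.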
Tools
• Nmap Scanning Tool
• www.wappalyzer.com
• www.pro.similarweb.com
• www.shodan.io
Questions?
Thank You!
