Asset Discovery skips port 443?

Hey –

Does anyone know why asset discovery skips port 443?

It appears it only scans the following:
TCP:22
TCP:23
TCP:80
TCP:135
TCP:139
TCP:235
TCP:445
TCP:61616
UDP:52311

I know it’s not meant to capture everything but scanning port 80 and skipping port 443 seems like an oversight…

Bill

Perhaps because it would be an encrypted connection and thus this is more complicated. Will have to see if I can find out why.

Bill, it is not an oversight. Asset discovery has two main purposes: firstly, find all assets that can be managed by BigFix; secondly, generate a custom network scan report by using the wizard. If you are using asset discovery to achieve goal one, then including or excluding 443 doesn’t help, since there is no logic inside the importer to detect the status of port 443; or, we can say, the only port that will influence the importing result is 52311, which is the UDP port that the BigFix agent uses. If you would like to use the wizard to generate a custom network scan report, then you can adjust the ports you want to include for scanning. Note that, due to different network firewall settings, the sniffing packets targeting 443 may be blocked.

If the only port that matters is 52311 then why scan any other ports at all?

The open-port results of the scan are listed under the “Other Properties” section of the report. This is particularly useful for identifying whether a machine is hosting web services – if TCP 80 was considered useful at one point to include in an asset discovery scan, surely TCP 443 is just as important and deserving of inclusion?

Bill

The goal of Asset Discovery is, I thought, to discover assets, not necessarily just to identify potential BES clients. That’s why http, snmp, ssh, etc. are scanned - the idea is that most network devices would listen on at least one of those ports. As more IoT and network devices move to TLS-only, I’d expect that identifying port 443 is at least as important as port 80. I’d support an RFE to identify that port.


Port 52311 is looked at to see “is this already a BigFix system?”, so I’d presume the port in question would move around based on your deployment port. The rest are just to find out “is something here?”, but yes, the 443 port might be a good one to try, though we would have to look at the scanning tool’s capabilities.

The entry point is port 52311, and 443 could be part of the extra info that asset discovery can provide in ‘Other Properties’.
I also agree 443 is an interesting port, but are you sure you can keep the scan fast while increasing the number of default ports?

I don’t think increasing the number of default ports will keep the scan fast, since the way nmap works is based on the basic principles of a sniffing tool. The more packets you send out, the longer nmap needs to wait until it gets results.

If 443 is necessary for generating the custom network report, or we feel it’s valuable to keep it in “Other Properties”, then yes, 443 should be added back to the default ports. But keep in mind, we can always modify it from the dashboard when you generate a new scan.