cheapside, London, UK


Running a little port canary for half a year, observations, data, application, and thoughts.

Just to scratch that itch, I wrote a small script that opens TCP ports of your choosing. When a connection arrives on one of them, it takes the connecting IP address, performs some recon on it, writes the results to an SQLite file and, if you like, posts them to a webhook (mine goes into Slack).
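A minimal version of that design, as an added example rather than the author's script: listen on the chosen ports, accept and immediately close (no banner for a scanner to fingerprint), record the remote address with a reverse-DNS lookup in SQLite, and optionally post a Slack-style webhook. Port numbers, the database file name and the webhook URL are assumptions.

```python
import datetime, json, socket, sqlite3, threading, urllib.request

def init_db(path):
    # check_same_thread=False lets the per-port listener threads share one connection;
    # the sqlite3 module serialises access to it for us
    conn = sqlite3.connect(path, check_same_thread=False)
    conn.execute("CREATE TABLE IF NOT EXISTS hits (ts TEXT, port INTEGER, ip TEXT, host TEXT)")
    conn.commit()
    return conn

def rdns(ip):
    # Reverse lookup so hits can be attributed to a root domain later; None if no PTR record
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def record_hit(conn, port, ip, host=None, ts=None):
    ts = ts or datetime.datetime.now(datetime.timezone.utc).isoformat()
    with conn:  # commits on success, rolls back on error
        conn.execute("INSERT INTO hits VALUES (?, ?, ?, ?)", (ts, port, ip, host))
    return {"ts": ts, "port": port, "ip": ip, "host": host}

def summarize(conn):
    # (total hits, unique source addresses, hits with no domain attributed)
    total = conn.execute("SELECT COUNT(*) FROM hits").fetchone()[0]
    unique = conn.execute("SELECT COUNT(DISTINCT ip) FROM hits").fetchone()[0]
    nohost = conn.execute("SELECT COUNT(*) FROM hits WHERE host IS NULL").fetchone()[0]
    return total, unique, nohost

def notify(webhook_url, hit):
    # Slack-compatible incoming webhook: a JSON body with a "text" field
    text = f"canary hit: {hit['ip']} ({hit['host'] or 'no PTR'}) -> tcp/{hit['port']} at {hit['ts']}"
    body = json.dumps({"text": text}).encode()
    req = urllib.request.Request(webhook_url, data=body, headers={"Content-Type": "application/json"})
    urllib.request.urlopen(req, timeout=5).close()

def listen(port, conn, webhook_url=None, bind="0.0.0.0"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        client, (ip, _) = srv.accept()
        client.close()  # send nothing back: the port is open but has no fingerprintable content
        hit = record_hit(conn, port, ip, rdns(ip))
        if webhook_url:
            try:
                notify(webhook_url, hit)
            except OSError:
                pass  # a dead webhook must not stop the listener

if __name__ == "__main__":
    db = init_db("canary.sqlite")  # assumed file name
    for p in (5500, 7443):  # assumed: the two ports watched in the post
        threading.Thread(target=listen, args=(p, db), daemon=True).start()
    threading.Event().wait()
```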

I thought I would watch two ports, 5500 and 7443: one is used for Cobalt Strike's management control and the other for Sliver. What I wanted to see was whether simply having the port open was enough to land the IP address on a blacklist. I've run it for close to 6 months, so let's see what we can see...

(Bad) Code if you want it.

Collected Data:

The root domains from the lookups show that over roughly 6 months these two ports, 50500 and 8888, have been touched over 2208 times, 742 of which have no domain attributed to their operators.

On the IP address front we have 2208 address observations, of which 1096 are unique addresses.

Nothing super exciting in those IP addresses when cross-referencing against's services:

feed IPs to DeHashed API

Anyway, to the point... the ports have been hit a fair few times, mostly repeat hits from addresses already seen.


Perhaps because there is no service banner or fingerprintable content to work with, much of the threat intelligence (TI) appears to ignore these ports, even though they are very much in the 'probably badly configured C2' category.

So we're left with a nice way to get an idea of who's snooping without giving them much to work with. I'm sure you could do something similar with tcpdump, but I suspect this is lighter on the OS and easier to extend with features (SQLite, webhooks).

You could use this as a dumb-dumb-dumb canary, but you'd be infinitely better off heading over to Thinkst and speaking to those fine people. (Haroon was kind enough to send me an actual Canary, and they are lovely: lovely UX, lovely client support, just brilliant.) I wouldn't want this script to detract from the value of a beautifully built toolkit from Thinkst.