0

I am trying to automate my recon process. For port scanning, I resolve subdomains to IPs then loop over those IPs with masscan. But is it worth it to port scan an asset that is hidden behind a web firewall? In other words, by doing this I'm scanning the WAF IPs. Is it a common thing that some subdomains are behind a WAF and others are not? In this case, I can perform a WAF check before performing the port scanning process.

schroeder
Sinatra

2 Answers

0

There are lots of reasons to still do port scanning against an asset behind a web app firewall (WAF).

A port scan is partially a test to make sure the network (not WAF) firewall rules are correct. Let's say the DNS has been changed so that all your users have their traffic go through the WAF IP. The admins are then supposed to cut off access directly to the origin IP address and force everyone to go through the WAF. But did they? A port scan against the origin IP address can tell if any web ports are still open to the world.

WAFs protect the web ports. If the asset in question has other services, they might have vulnerabilities that the port scan can detect.

mcgyver5
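A way to put the first answer's check into practice on your own assets, added here as an example (not code from the question or the answers): resolved IPs are classified as WAF-fronted or origin using the WAF vendor's published ranges, and only origin IPs are probed on the web ports, since hits there mean the host is reachable without the WAF. The CIDRs and hostnames are constructed placeholders; the `probe` parameter exists so the connect check can be swapped out.

```python
"""Classify resolved subdomain IPs as WAF-fronted or direct origin, then
flag origin hosts that still answer on web ports (they bypass the WAF)."""
import ipaddress
import socket

# Constructed sample data: replace WAF_RANGES with the vendor's published
# egress ranges. These CIDRs and hosts are placeholders, not real assets.
WAF_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:1::/48")]
RESOLVED = {
    "www.example.com": ["203.0.113.10"],                   # fronted by the WAF
    "api.example.com": ["203.0.113.11", "198.51.100.5"],   # mixed: one origin leaks
    "legacy.example.com": ["198.51.100.9"],                # no WAF at all
}
WEB_PORTS = (80, 443)


def is_waf_ip(ip, ranges=WAF_RANGES):
    """True if the address falls inside one of the known WAF ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)  # v4/v6 mismatch is simply False


def tcp_open(ip, port, timeout=1.0):
    """Plain TCP connect check (what masscan/nmap would report as open)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(resolved, ranges=WAF_RANGES, probe=tcp_open):
    """Return {host: {"waf": [...], "origin": [...], "exposed": [(ip, port), ...]}}.
    WAF IPs are not probed (that only measures the vendor); origin IPs are
    checked on the web ports to catch hosts the WAF should be shielding."""
    report = {}
    for host, ips in resolved.items():
        waf = [ip for ip in ips if is_waf_ip(ip, ranges)]
        origin = [ip for ip in ips if ip not in waf]
        exposed = [(ip, p) for ip in origin for p in WEB_PORTS if probe(ip, p)]
        report[host] = {"waf": waf, "origin": origin, "exposed": exposed}
    return report


if __name__ == "__main__":
    for host, r in audit(RESOLVED).items():
        status = "WAF only" if not r["origin"] else ("BYPASS" if r["exposed"] else "origin closed")
        print(f"{host:22} {status:14} waf={r['waf']} origin={r['origin']} exposed={r['exposed']}")
```

Any host reported as BYPASS is one where the network firewall did not follow the DNS change; a subdomain with no WAF IPs at all answers the "are some subdomains not behind the WAF" part of the question.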
-1

Yes, port scanning is a good idea for the following reason: To confirm what you think you know.

Most folks have a pretty good idea of how their network infrastructure should work. Port scans tell you what is actually happening.

One other thing I'll do is set up a small system, say a Raspberry Pi, with a few open ports (80, 443, etc.) and ensure there's no reason anyone should ever want to access this machine. I'll configure it such that if anyone ever does hit an open port, it alerts the Intrusion Detection System. It's a classic honeypot... which is intended to catch flies and anyone (other than you) scanning your network.

  • 2
    I think you misunderstood the question. The question is not whether scanning is useful, but whether trying to scan something that you can't scan directly is useful. The answer previous to yours actually addresses this. I think your answer is too vague if you were trying to provide a similar answer. And I'm not sure how your steps to set up a honeypot are relevant to the question. – schroeder Feb 11 '22 at 07:44