Zscaler Blog

If You're Reachable, You're Breachable, Part 2: The Adversary's Second Move – Classifying You

In the first part of this three-part series, we explored how adversaries no longer need to hunt for you; they simply consult massive internet-wide scanning databases to find your exposed digital doorways. This provides them with a list of "reachable" IP addresses—the digital equivalent of a list of buildings with unlocked front doors.

But finding the door is just the beginning. Before an adversary can attempt to enter, they need to understand what they're looking at. Is it a flimsy wooden door or a reinforced steel vault? Does it lead to an empty janitor's closet or the CEO's office?

This is the second, crucial phase of the attack playbook: classification. Now that they've found you, they need to figure out exactly what they've found.

From IP Address to Attack Plan: Active Reconnaissance

While the "Find" phase was largely passive, classification requires active probing. The adversary begins to interact with your exposed systems to build a detailed blueprint. They use a suite of standard, readily available tools to answer critical questions.

1. Which Doors are Open? (Port Scanning with nmap)

The first step is to see which services are listening on the IP addresses they found. Think of it as an attacker walking up to your digital building and checking every single one of the 65,535 possible doors and windows (ports) to see which ones are unlocked (open).

A simple scan reveals which ports are listening. Is port 3389 open, suggesting a Remote Desktop? Is port 22 open, indicating an SSH server for administrative access? Is port 443 open for web traffic? Each open port is a potential attack vector.
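Seen from the target's side, the scan described above leaves a distinctive trace: one source address touching many distinct ports on one host within seconds. The following detector, an added example rather than code from this post or from Zscaler, runs that rule over a few constructed firewall log lines (a simplified key=value format, not any vendor's real format; the threshold, window and addresses are assumptions) and reports the source/destination pairs that cross the threshold.

```python
"""Port-scan detection over firewall logs, from the target's side.

Added example for this post (not Zscaler's code). A default nmap scan shows up
in your own firewall logs as one source touching many distinct destination
ports on one host in a short time; this flags exactly that. The log format is
a constructed, simplified key=value line, not any vendor's real format, so
adapt LINE_RE to the syslog your firewall actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

PORT_THRESHOLD = 8    # distinct ports per (src, dst) pair inside the window
WINDOW_SECONDS = 60   # sliding window; scans slower than this slip past this rule

# Constructed sample: 203.0.113.7 sweeps 12 ports on 198.51.100.10 in 12 seconds,
# while 203.0.113.9 is an ordinary web client (RFC 5737 documentation addresses).
SAMPLE_LOGS = """\
2024-05-01T10:00:00 src=203.0.113.7 dst=198.51.100.10 dport=21 action=drop
2024-05-01T10:00:01 src=203.0.113.7 dst=198.51.100.10 dport=22 action=allow
2024-05-01T10:00:02 src=203.0.113.7 dst=198.51.100.10 dport=23 action=drop
2024-05-01T10:00:03 src=203.0.113.9 dst=198.51.100.10 dport=443 action=allow
2024-05-01T10:00:03 src=203.0.113.7 dst=198.51.100.10 dport=25 action=drop
2024-05-01T10:00:04 src=203.0.113.7 dst=198.51.100.10 dport=80 action=allow
2024-05-01T10:00:05 src=203.0.113.9 dst=198.51.100.10 dport=443 action=allow
2024-05-01T10:00:05 src=203.0.113.7 dst=198.51.100.10 dport=110 action=drop
2024-05-01T10:00:06 src=203.0.113.7 dst=198.51.100.10 dport=135 action=drop
2024-05-01T10:00:07 src=203.0.113.7 dst=198.51.100.10 dport=139 action=drop
2024-05-01T10:00:07 src=203.0.113.9 dst=198.51.100.10 dport=80 action=allow
2024-05-01T10:00:08 src=203.0.113.7 dst=198.51.100.10 dport=443 action=allow
2024-05-01T10:00:09 src=203.0.113.7 dst=198.51.100.10 dport=445 action=drop
2024-05-01T10:00:10 src=203.0.113.7 dst=198.51.100.10 dport=3389 action=drop
2024-05-01T10:00:11 src=203.0.113.7 dst=198.51.100.10 dport=8080 action=drop
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_port_scans(lines: Iterable[str], threshold: int = PORT_THRESHOLD,
                      window: int = WINDOW_SECONDS) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): max distinct ports seen inside one window} for pairs
    that reached the threshold. Dropped and allowed connections both count:
    a closed port answering with a reset still tells the scanner something."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, dport)
    alerts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["ts"], ev["dport"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window:   # evict old events
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOGS.splitlines()).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports in {WINDOW_SECONDS}s")
```

The rule is deliberately simple: it keys on (source, destination) and counts distinct ports in a sliding window, so it catches the fast default scan but not one spread over minutes. Tune the window and threshold against your own baseline, and treat "allow" hits on administrative ports (22, 3389) from unknown sources as the findings worth acting on first.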

2. What’s Written on the Doorbell? (Banner Grabbing)

Once an open port is identified, the attacker wants to know what service is running behind it. Often, services willingly announce themselves through a "banner"—a small bit of text sent to any new connection.

A banner might look like this: Apache/2.4.29 (Ubuntu) or Microsoft-IIS/10.0.

This is a goldmine. The banner doesn't just reveal the service; it provides the exact version. The attacker can then instantly cross-reference this version with a database of Common Vulnerabilities and Exposures (CVEs) to find a known, exploitable flaw. They've gone from "an open web server" to "a web server vulnerable to CVE-2021-41773."
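The defender's version of this cross-reference is a banner self-audit: collect the banners your own exposed services send and check each one for version disclosure and for a match against an advisory table. The script below is an added example, not code from this post or from Zscaler. Its advisory table is deliberately tiny: the Apache entry reflects CVE-2021-41773 (affects httpd 2.4.49, fixed in 2.4.50), the "exampled" product and its ADV-PLACEHOLDER-1 entry are constructed, and the sample banners are the ones quoted above plus a constructed SSH banner.

```python
"""Self-audit of service banners against a version advisory table.

Added example (not from the post). For banners like the ones quoted above it
reports whether the banner discloses an exact version and whether that version
falls in a known-affected range, which is the same cross-reference an attacker
performs. The advisory table is deliberately tiny: the Apache entry reflects
CVE-2021-41773 (affects httpd 2.4.49, fixed in 2.4.50), the 'exampled' entry
is a constructed placeholder for an imaginary product, and nothing else is a
real advisory.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]

# "Product/1.2.3" as used by HTTP Server headers; SSH banners are normalised first.
BANNER_RE = re.compile(r"(?P<product>[A-Za-z][\w.-]*?)/(?P<version>\d+(?:\.\d+)*)")

# product (lower case) -> [(first affected, first fixed, advisory id)]
ADVISORIES = {
    "apache": [((2, 4, 49), (2, 4, 50), "CVE-2021-41773")],
    "exampled": [((1, 0), (1, 3), "ADV-PLACEHOLDER-1")],   # constructed placeholder
}


class BannerAudit(NamedTuple):
    product: str
    version: Optional[Version]
    discloses_version: bool
    advisories: List[str]


def parse_banner(raw: str) -> Tuple[str, Optional[Version]]:
    """Split a banner into (product, version tuple); version is None if absent."""
    text = raw.strip()
    if text.upper().startswith("SSH-"):           # e.g. SSH-2.0-OpenSSH_8.2p1 Ubuntu-...
        text = text.split("-", 2)[-1].replace("_", "/")
    m = BANNER_RE.search(text)
    if not m:
        return text.lower(), None
    return m["product"].lower(), tuple(int(x) for x in m["version"].split("."))


def audit_banner(raw: str) -> BannerAudit:
    """Report version disclosure and any advisory whose affected range covers it."""
    product, version = parse_banner(raw)
    matched: List[str] = []
    if version is not None:
        for first_affected, first_fixed, advisory in ADVISORIES.get(product, []):
            if first_affected <= version < first_fixed:
                matched.append(advisory)
    return BannerAudit(product, version, version is not None, matched)


if __name__ == "__main__":
    for banner in ["Apache/2.4.29 (Ubuntu)", "Microsoft-IIS/10.0", "Apache/2.4.49 (Unix)",
                   "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5", "Apache", "exampled/1.2"]:
        print(banner, "->", audit_banner(banner))
```

Two things the output makes visible. First, every banner that parses to a version is a disclosure finding on its own, whether or not the tiny table matches it; on Apache, `ServerTokens Prod` reduces the header to a bare "Apache", which the audit then reports as non-disclosing. Second, the match is only as good as the affected range, so keep the table sourced from the vendor advisory rather than from the banner alone.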

3. What Kind of Lock is on the Door? (Fingerprinting)

What if the banner is generic or has been removed? This is where attackers get more sophisticated, using fingerprinting techniques to identify the underlying technology.

  • TLS/SSL Fingerprinting: The way a server negotiates a secure connection is highly distinctive. The combination of supported TLS versions, cipher suites, and extensions creates a fingerprint. An attacker can capture this fingerprint and compare it against a database to identify the technology. That generic web server might have a TLS fingerprint that identifies the brand and version of the VPN appliance or firewall in front of it, revealing the nature of your security stack.
  • Web Fingerprinting: For web servers (ports 80/443), the tools go even deeper. They inspect HTTP headers, cookie names, and HTML source code to identify not just the server but the entire application stack: the Content Management System, the JavaScript libraries, and even embedded analytics tools. Each identified component is another potential source of vulnerabilities.
  • Protocol Analysis: For unusual or custom services, an attacker might use a protocol analyzer to capture and dissect the traffic. This helps them reverse-engineer how the application communicates, looking for weaknesses in the protocol itself, such as unencrypted authentication or predictable session tokens.
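To see the first two techniques from your own side, it helps to compute the same signals an attacker would and look at what your hosts give away. The script below is an added example, not code from this post or from Zscaler. It implements the JA3S server fingerprint (MD5 over the ServerHello's "TLSVersion,Cipher,Extensions" string) with a lookup against a constructed profile table, and a web-signal extractor that pulls revealing headers, session-cookie names, the generator meta tag and script paths out of an HTTP response. The ServerHello values, the profile label and the HTTP response are all constructed; the cookie and path hints are the widely known defaults of the named products.

```python
"""What an exposed web service broadcasts: TLS and HTTP fingerprint signals.

Added example (not from the post). ja3s_string()/ja3s_hash() compute the JA3S
server fingerprint, MD5 over "TLSVersion,Cipher,Extensions" from the
ServerHello; extract_web_signals()/infer_stack() pull Server and X-Powered-By
headers, session-cookie names, the generator meta tag and script paths from an
HTTP response and map them to stack components. The ServerHello values, the
profile table and the HTTP response are all constructed for this example.
"""
import hashlib
import re
from typing import Dict, List, Sequence, Set, Tuple


def ja3s_string(tls_version: int, cipher: int, extensions: Sequence[int]) -> str:
    """JA3S input string: decimal version, chosen cipher, extension ids joined by '-'."""
    return f"{tls_version},{cipher},{'-'.join(str(e) for e in extensions)}"


def ja3s_hash(tls_version: int, cipher: int, extensions: Sequence[int]) -> str:
    return hashlib.md5(ja3s_string(tls_version, cipher, extensions).encode()).hexdigest()


# Constructed profile table keyed by JA3S hash; real databases hold thousands of these.
KNOWN_SERVER_PROFILES: Dict[str, str] = {
    ja3s_hash(771, 49195, [65281, 0, 11, 35, 16]): "constructed example appliance profile",
}


def classify_tls(tls_version: int, cipher: int, extensions: Sequence[int]) -> str:
    """Look the observed ServerHello up in the profile table."""
    return KNOWN_SERVER_PROFILES.get(ja3s_hash(tls_version, cipher, extensions), "unknown")


COOKIE_HINTS = {"phpsessid": "PHP", "jsessionid": "Java servlet container",
                "asp.net_sessionid": "ASP.NET"}
PATH_HINTS = {"/wp-includes/": "WordPress", "/wp-content/": "WordPress",
              "/sites/default/files/": "Drupal"}
REVEALING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def extract_web_signals(raw_response: str) -> List[Tuple[str, str]]:
    """Return (signal kind, value) pairs found in a raw HTTP response."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    signals: List[Tuple[str, str]] = []
    for line in head.split("\n")[1:]:               # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in REVEALING_HEADERS:
            signals.append((f"header:{name}", value))
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            signals.append((f"cookie:{cookie_name}", value.partition(";")[2].strip()))
    for m in re.finditer(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I):
        signals.append(("meta:generator", m.group(1)))
    for m in re.finditer(r'<script[^>]+src="([^"]+)"', body, re.I):
        signals.append(("script:src", m.group(1)))
    return signals


def infer_stack(signals: List[Tuple[str, str]]) -> Set[str]:
    """Map raw signals to named stack components (product and version where given)."""
    stack: Set[str] = set()
    for kind, value in signals:
        if kind in ("header:server", "header:x-powered-by", "meta:generator"):
            stack.add(value.split("(")[0].strip().replace("/", " "))
        elif kind.startswith("cookie:"):
            hint = COOKIE_HINTS.get(kind.split(":", 1)[1].lower())
            if hint:
                stack.add(hint)
        elif kind == "script:src":
            stack.update(tech for path, tech in PATH_HINTS.items() if path in value)
            m = re.search(r"jquery[^?]*\?ver=([\d.]+)", value, re.I)
            if m:
                stack.add(f"jQuery {m.group(1)}")
    return stack


# Constructed response from an imaginary WordPress host; nothing here was captured.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=c0n5truct3d; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 6.2">\n'
    '<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>\n'
    "</head><body>constructed page</body></html>\n"
)

if __name__ == "__main__":
    print("TLS profile:", classify_tls(771, 49195, [65281, 0, 11, 35, 16]))
    print("stack:", sorted(infer_stack(extract_web_signals(SAMPLE_RESPONSE))))
```

Note how little the Server header contributes once the other signals are in play: even with the banner reduced to "nginx", the X-Powered-By header, the PHPSESSID cookie, the generator tag and the /wp-includes/ path still spell out PHP 7.4.3 on WordPress 6.2 with jQuery 3.6.0. Stripping version-bearing headers is worthwhile, but the real fix is to make sure that the software those signals point to is current.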

The AI Analyst: Supercharging Classification

A skilled human can perform this analysis, but it's slow and requires deep expertise. Once again, AI is a game-changer for the adversary, acting as an automated, super-intelligent analyst.

An attacker can now feed the raw data from these tools into an AI model. This model, trained on millions of known device and service profiles, accomplishes two things with terrifying speed and accuracy:

  1. High-Confidence Identification: The AI correlates all the data points—open ports, banners, headers, TLS fingerprints—to make a high-confidence classification. It moves beyond simple signatures to probabilistic analysis. For example: "The combination of this TLS fingerprint, these HTTP server headers, and this login page HTML structure gives a high probability of a specific VPN running a vulnerable version of an OS." This allows attackers to instantly identify your perimeter security devices, which are prime targets for exploitation.
  2. Automated Vulnerability Mapping: The AI doesn't stop at identification. It immediately cross-references the identified service and version with real-time threat intelligence feeds, exploit databases, and even chatter on dark web forums. The output is no longer just a list of services; it's a prioritized list of actionable attack vectors. It tells the attacker not just what you are, but how you are vulnerable, right now.

You Can't Hide What You Expose

The classification phase is where your attack surface goes from being a list of addresses to a detailed blueprint for an attack. Every service you expose to the internet is broadcasting information about itself, and adversaries, armed with modern tools and AI, are listening. They are profiling your web servers, your VPN gateways, your firewalls, and your applications, patiently building a case for how to break in.

This leads to the final, inevitable step. Now that they have found you and classified you, they are ready to exploit you.

For a summary of this information, check out our video.

Join me in the final part of this series, where we will dive into the methods attackers use to turn this intelligence into a breach.
