Often, when I see many network engineers’ resumes stating they are familiar with “TCP/IP, HTTP, and other protocols,” I always ask them sincerely: Can you explain what you understand about ports? Many can answer part of it, but few can provide a perfect explanation. For laymen, you can simply understand ports as the communication outlets between computers and the outside world. However, in network technology, ports generally have two meanings:
(1) Ports in hardware devices
Such as interfaces on switches and routers used to connect to other devices. (e.g., SC ports, etc.)
(2) Ports in the TCP/IP protocol
Such as port 21 for FTP services and port 80 for web browsing services.
Why are there two meanings? There is a reason for this.
As the internet spread, purely physical interfaces could no longer satisfy the needs of network communication, so the TCP/IP protocol suite introduced "software ports": numbered endpoints that let many services on one host be addressed separately, regardless of where the communicating computers are located.
The port number is a 16-bit field, so there are 65,536 possible ports, numbered 0 to 65535. To make this easier to reason about, IANA divides that number space into three ranges:
(1) Well-Known Ports
Ranges from 0 to 1023. These ports are often referred to as “common ports” and are closely bound to specific services.
(2) Registered Ports
Ranges from 1024 to 49151. They are loosely bound to some services. Many services are bound to these ports, which are also used for many other purposes.
(3) Dynamic and/or Private Ports
Ranges from 49152 to 65535. In theory, no well-known service should be assigned to these ports; the operating system hands them out as ephemeral client ports. In practice, some special programs, Trojans in particular, like to listen on these ports precisely because nothing legitimate is expected there.
There is another classification method, such as ports based on the service method, which can be divided into “TCP protocol ports” and “UDP protocol ports.”
You might find this a bit confusing, so let me give you an example:
Common services using TCP include FTP (port 21), SMTP (port 25) and HTTP (port 80), while common services using UDP include DNS (port 53, which also uses TCP for zone transfers) and SNMP (port 161). Note that TCP port 80 and UDP port 80 are different ports: the transport protocol is part of the identity.
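Putting the three ranges and the TCP/UDP split to use: the following is an added Python example, not code from the original article, that parses `ss -tulpn`-style listener output, assigns each listening port its IANA range, and flags ports that this article's table ties to Trojans or that sit in the dynamic/private range where the text says backdoors like to hide. The `ss` output and process names are constructed for the example, and the Trojan ports are assumed to be TCP because the article does not record the transport.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151
PORT_MAX = 65535


def port_class(port: int) -> str:
    """Return the IANA range (well-known / registered / dynamic-private) of a port."""
    if not 0 <= port <= PORT_MAX:
        raise ValueError(f"port out of range: {port}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


# Ports that the table in this article associates with Trojans/backdoors.
# Transport is not given in the article; TCP is assumed here.
ARTICLE_TROJAN_PORTS = {
    31: "Master Paradise / Hackers Paradise",
    456: "Hackers Paradise",
    555: "PhAse 1.0 / Stealth Spy / IniKiller",
    1001: "Silencer / WebEx",
    1011: "Doly Trojan",
    1170: "Streaming Audio Trojan / Psyber Stream Server",
    1234: "SubSeven 2.0 / Ultors",
    1243: "SubSeven 1.0/1.9",
    1245: "VooDoo",
    1524: "ingreslock backdoor shell",
    6711: "SubSeven 1.0/1.9",
    6776: "SubSeven",
}

# Constructed sample of `ss -tulpn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1043,fd=6))
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*         users:(("named",pid=655,fd=512))
tcp   LISTEN 0      5      127.0.0.1:1243      0.0.0.0:*         users:(("svchost",pid=4102,fd=9))
tcp   LISTEN 0      5      0.0.0.0:6776        0.0.0.0:*         users:(("svchost",pid=4102,fd=10))
tcp   LISTEN 0      128    [::]:1524           [::]:*            users:(("sh",pid=7720,fd=4))
udp   UNCONN 0      0      0.0.0.0:49200       0.0.0.0:*         users:(("chronyd",pid=700,fd=5))
"""


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    process: str


# proto, state, recv-q, send-q, local, peer, then whatever remains (process column)
_LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s*(?P<rest>.*)$"
)
_PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulpn`-style lines into Listener records; the header is skipped."""
    listeners = []
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        # rpartition handles both "0.0.0.0:22" and "[::]:22"
        addr, _, port = m.group("local").rpartition(":")
        pm = _PROC_RE.search(m.group("rest"))
        listeners.append(
            Listener(m.group("proto"), addr, int(port), pm.group("name") if pm else "?")
        )
    return listeners


def audit(listeners: list[Listener]) -> list[tuple[Listener, str, list[str]]]:
    """Attach the IANA range and any article-based suspicion to each listener."""
    report = []
    for lst in listeners:
        cls = port_class(lst.port)
        flags = []
        if lst.proto == "tcp" and lst.port in ARTICLE_TROJAN_PORTS:
            flags.append(f"port listed in article as {ARTICLE_TROJAN_PORTS[lst.port]}")
        if cls == "dynamic/private":
            flags.append("listener in dynamic/private range; verify the owning process")
        report.append((lst, cls, flags))
    return report


if __name__ == "__main__":
    for lst, cls, flags in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        mark = " !! " + "; ".join(flags) if flags else ""
        print(f"{lst.proto}/{lst.port:<5} {cls:<16} {lst.process}{mark}")
```

On a real host, feed it `subprocess.run(["ss", "-tulpn"], capture_output=True, text=True).stdout` instead of the sample. A flag from this script is a prompt to look at the owning process, not proof of compromise: legitimate software does listen on high ports.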
Port: 0
Service: Reserved
Description: Typically used for operating-system fingerprinting. The trick works because "0" is an invalid port on some systems, so connecting to it produces a different response than connecting to an ordinary closed port. A typical scan uses source address 0.0.0.0, sets the ACK bit, and is broadcast at the Ethernet layer.
Port: 1
Service: tcpmux
Description: This indicates someone is looking for SGI Irix machines. Irix is the main system shipping tcpmux, which is enabled by default. Irix machines also came with several default accounts without passwords, such as lp, guest, uucp, nuucp, demos, tutor, diag, outofbox, etc., and many administrators forget to remove them after installation. Attackers therefore search the internet for tcpmux and then try these accounts.
Port: 7
Service: Echo
Description: You will see many people probing for Fraggle amplifiers by sending UDP echo packets to network and broadcast addresses (X.X.X.0 and X.X.X.255); every host that answers is a potential amplifier.
Port: 19
Service: Character Generator
Description: A service that does nothing but emit characters. The UDP version replies to any incoming UDP packet with a packet of garbage characters; the TCP version streams garbage until the connection is closed. Attackers use it for DoS with IP spoofing, for example by forging UDP packets so that two chargen servers flood each other. Fraggle attacks likewise broadcast a packet with the victim's spoofed source address to a network, and the victim is overwhelmed by the replies.
Port: 21
Service: FTP
Description: The port opened by the FTP server for uploading and downloading. Attackers commonly use this to find anonymous FTP servers. These servers have readable and writable directories. Trojan programs like Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, and Blade Runner open this port.
Port: 22
Service: Ssh
Description: A TCP connection to this port (PcAnywhere-style remote-control tooling has been seen doing this) is probably a probe for ssh. The service has had many vulnerabilities, especially in certain configurations; many versions built on the RSAREF library had several.
Port: 23
Service: Telnet
Description: Remote login. Intruders search for remote login UNIX services. Most of the time, scanning this port is to find the operating system running on the machine. Using other techniques, intruders can also find passwords. The Tiny Telnet Server Trojan opens this port.
Port: 25
Service: SMTP
Description: The port opened by the SMTP server for sending emails. Intruders look for SMTP servers to deliver their SPAM. When their accounts are closed, they need to connect to high-bandwidth E-MAIL servers to send simple messages to different addresses. Trojan programs like Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy open this port.
Port: 31
Service: MSG Authentication
Description: Trojan programs like Master Paradise and Hackers Paradise open this port.
Port: 42
Service: WINS Replication
Description: WINS replication.
Port: 53
Service: Domain Name Server (DNS)
Description: The port opened by the DNS server. Intruders may attempt zone transfers (TCP), DNS spoofing (UDP), or hide other communications. Therefore, firewalls often filter or log this port.
Port: 67
Service: Bootstrap Protocol Server
Description: Firewalls on DSL and cable-modem connections often see a lot of traffic sent to the broadcast address 255.255.255.255: machines asking a DHCP server for an address. An attacker on the same segment can answer these requests first, hand out an address and name themselves as the default gateway, and then run man-in-the-middle attacks as the "local router". The client broadcasts its request to server port 67; the server answers the client on port 68, also by broadcast, because the client does not yet have an IP address to be reached at.
Port: 69
Service: Trivial File Transfer
Description: Many servers provide this service along with bootp to facilitate downloading startup code from the system. However, they often allow intruders to steal any file from the system due to misconfiguration. They can also be used to write files to the system.
Port: 79
Service: Finger Server
Description: Intruders use it to enumerate users, identify the operating system, probe for known buffer overflows, and bounce finger requests off one machine to another so the scan appears to come from the relay.
Port: 80
Service: HTTP
Description: Used for web browsing. The Executor Trojan opens this port.
Port: 99
Service: Metagram Relay
Description: The ncx99 backdoor program opens this port.
Port: 102
Service: Message Transfer Agent (MTA) – X.400 over TCP/IP
Description: Message transfer agent.
Port: 109
Service: Post Office Protocol - Version 2 (POP2)
Description: The predecessor of POP3; rarely deployed today.
Port: 110
Service: Post Office Protocol - Version 3 (POP3)
Description: The POP3 server opens this port so mail clients can retrieve their mail. POP3 servers have had many well-known weaknesses: at least twenty buffer overflows in the username/password exchange alone, meaning an intruder can get in before ever authenticating, plus further overflows reachable only after a successful login.
Port: 111
Service: Sun RPC portmapper (all RPC services)
Description: The portmapper tells clients which port each RPC service is actually listening on. Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc.
Port: 113
Service: Authentication Service
Description: The ident protocol, run on many machines to identify the user behind a TCP connection. As a standard service it leaks information from a lot of hosts, and many servers (especially FTP, POP, IMAP, SMTP and IRC) call back to it for logging, so if many clients behind a firewall use those services you will see many inbound connection attempts to this port. Remember: if the firewall silently drops this port, clients experience a slow connection to mail servers on the other side, because the server waits for the ident lookup to time out. Many firewalls can send a TCP RST when blocking instead; the server then gives up immediately and the slowness disappears.
Port: 119
Service: Network News Transfer Protocol
Description: NEWS newsgroup transfer protocol, carrying USENET communication. This port’s connections are usually people looking for USENET servers. Most ISPs restrict access to their newsgroup servers to only their customers. Opening a newsgroup server will allow posting/reading anyone’s posts, accessing restricted newsgroup servers, posting anonymously, or sending SPAM.
Port: 135
Service: Location Service
Description: Microsoft runs the DCE RPC end-point mapper on this port for its DCOM services, similar in function to the UNIX portmapper on port 111. Services that use DCOM and RPC register their location with the end-point mapper, and remote clients query it to find where a service lives. Attackers scan this port to learn whether an Exchange Server is running on the machine, and which version. Some DoS attacks target this port directly.
Port: 137, 138, 139
Service: NETBIOS Name Service
Description: Ports 137 (name service) and 138 (datagram service) are UDP and are used for name resolution and browsing when transferring files through Network Neighborhood. Port 139 (TCP) is the session service: connections to it are attempts to reach NetBIOS/SMB, the protocol behind Windows file and printer sharing and SAMBA. WINS registration also uses it.
Port: 143
Service: IMAP (Internet Message Access Protocol)
Description: Like POP3, many IMAP servers have had buffer overflow vulnerabilities. Remember: a Linux worm (admv0rm) spread through this port, so many scans of it come from unaware infected users. Because Red Hat enabled IMAP by default in its Linux distribution, these vulnerabilities were widely exploited. The port was also used by the older IMAP2, which is not common.
Port: 161
Service: SNMP
Description: SNMP allows remote management of devices. All configuration and operational information is held in a database (the MIB) that can be read, and sometimes written, over SNMP, so many administrator misconfigurations end up exposed to the Internet. Crackers try the default community strings "public" and "private" first, and may then brute-force others. SNMP packets can also be misdirected onto the user's network.
Port: 177
Service: X Display Manager Control Protocol
Description: Many intruders reach the X Window console through it; this also requires port 6000 to be open.
Port: 389
Service: LDAP, ILS
Description: Lightweight Directory Access Protocol and NetMeeting Internet Locator Server share this port.
Port: 443
Service: Https
Description: Web browsing over TLS/SSL: the same HTTP protocol, carried inside an encrypted, authenticated channel.
Port: 456
Service: [NULL]
Description: The HACKERS PARADISE Trojan opens this port.
Port: 513
Service: Login (rlogin, TCP) / who (rwho, UDP)
Description: The UDP side is seen as broadcasts from UNIX machines on cable-modem or DSL segments announcing who is logged in; this hands intruders information they can use to get into those systems. The TCP side is rlogin, a trust-based remote login that is a frequent target in its own right.
Port: 544
Service: [NULL]
Description: kerberos kshell.
Port: 548
Service: Macintosh, File Services (AFP/IP)
Description: Macintosh, file services.
Port: 553
Service: CORBA IIOP (UDP)
Description: Using cable modems, DSL, or VLAN will see broadcasts on this port. CORBA is an object-oriented RPC system. Intruders can use this information to enter the system.
Port: 555
Service: DSF
Description: Trojan programs like PhAse1.0, Stealth Spy, IniKiller open this port.
Port: 568
Service: Membership DPA
Description: Membership DPA.
Port: 569
Service: Membership MSN
Description: Membership MSN.
Port: 635
Service: mountd
Description: The Linux mountd bug, a popular target for scans. Most scans of this port are UDP, but TCP scans have increased (mountd listens on both). Remember that mountd can run on any port (which one must be looked up via the portmapper on port 111); 635 is merely the Linux default, just as NFS usually runs on port 2049.
Port: 636
Service: LDAP
Description: LDAP over SSL/TLS (LDAPS).
Port: 666
Service: Doom Id Software
Description: Trojan programs like Attack FTP, Satanz Backdoor open this port.
Port: 993
Service: IMAP
Description: IMAP over SSL/TLS (IMAPS).
Port: 1001, 1011
Service: [NULL]
Description: Trojan programs like Silencer, WebEx open port 1001. Trojan Doly Trojan opens port 1011.
Port: 1024
Service: Reserved
Description: The start of the dynamic (ephemeral) port range on many older systems. Many programs do not care which local port they use; they ask the system for the next free one, and allocation starts at 1024, so the first program to ask gets 1024. You can verify this by rebooting, opening a Telnet session, and running netstat -a in another window: Telnet will be shown using port 1024. SQL sessions have also been observed using this port together with port 5000.
Port: 1025, 1033
Service: 1025: network blackjack 1033: [NULL]
Description: The netspy Trojan opens these two ports.
Port: 1080
Service: SOCKS
Description: SOCKS tunnels connections through the firewall, letting people behind it reach the Internet through a single IP address. In theory it should only relay internal clients outward; when misconfigured, it relays connections from outside as well, letting attackers pass through the firewall. WinGate commonly had this error, and you often see it exploited when joining IRC channels.
Port: 1170
Service: [NULL]
Description: Trojan programs like Streaming Audio Trojan, Psyber Stream Server, and Voice open this port.
Port: 1234, 1243, 6711, 6776
Service: [NULL]
Description: Trojan programs like SubSeven 2.0, Ultors Trojan open ports 1234, 6776. Trojan SubSeven 1.0/1.9 opens ports 1243, 6711, 6776.
Port: 1245
Service: [NULL]
Description: The Vodoo Trojan opens this port.
Port: 1433
Service: SQL
Description: The port opened by Microsoft’s SQL service.
Port: 1492
Service: stone-design-1
Description: The FTP99CMP Trojan opens this port.
Port: 1500
Service: RPC client fixed port session queries
Description: RPC client fixed port session queries.
Port: 1503
Service: NetMeeting T.120
Description: NetMeeting T.120.
Port: 1524
Service: ingreslock
Description: Many attack scripts install a backdoor shell on this port, especially scripts targeting Sendmail and RPC vulnerabilities on Sun systems. If you see connection attempts to this port right after installing a firewall, this is the likely reason. You can Telnet to this port on your own machine and see whether it hands you a shell. Connections to 600/pcserver have the same problem.
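The check suggested above (connect to the port and see whether it hands you a shell), and the RST-versus-drop distinction described under port 113, both come down to what a TCP connect() returns. The following is an added Python example, not from the original article: it classifies a port as open, closed (RST received) or filtered (SYN dropped, connect times out), grabs the first bytes a service volunteers, and applies a simple prompt heuristic. The backdoor listener is a constructed stand-in bound to 127.0.0.1 so the example runs offline, and `looks_like_shell_prompt` is a hypothetical heuristic, not a reliable detector.

```python
import socket
import threading


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port from the outcome of connect(), as a scanner does.

    open     -> handshake completed, something is listening
    closed   -> RST came back (ECONNREFUSED): host is up, nothing listens there
    filtered -> no answer before the timeout: a firewall dropped the SYN.
                This is the slow case the port 113 entry describes; a firewall
                that answers with RST instead turns it into a fast "closed".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        return "open"


def grab_banner(host: str, port: int, timeout: float = 2.0, nbytes: int = 256) -> bytes:
    """Connect and return whatever the service sends first; b'' if it stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""


def looks_like_shell_prompt(banner: bytes) -> bool:
    """Hypothetical heuristic: a bare prompt character and no protocol greeting.

    Real services (FTP, SMTP, SSH) announce themselves with a text line; a
    backdoor bound to 1524 typically just prints a shell prompt and waits.
    """
    text = banner.strip()
    return 0 < len(text) <= 4 and text.endswith((b"$", b"#", b">"))


def start_fake_backdoor(banner: bytes = b"# ", conns: int = 2) -> int:
    """Constructed stand-in for a backdoor shell listener (not a real backdoor).

    Binds 127.0.0.1 on an OS-chosen port, serves `conns` connections by
    sending `banner` and closing, then exits. Returns the port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(conns)
    port = srv.getsockname()[1]

    def serve() -> None:
        for _ in range(conns):
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # client already hung up (a bare connect() probe)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port() -> int:
    """Pick a loopback port with no listener by binding to 0 and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = start_fake_backdoor()
    print(f"port {target}: {probe_tcp('127.0.0.1', target)}")
    banner = grab_banner("127.0.0.1", target)
    print(f"banner {banner!r} -> shell prompt? {looks_like_shell_prompt(banner)}")
    print(f"closed port: {probe_tcp('127.0.0.1', find_closed_port())}")
```

Against a real host, a "filtered" result on 1524 while neighbouring ports come back "closed" means a firewall is treating that port specially, which is itself worth knowing; only an "open" result followed by a prompt-like banner suggests the backdoor the entry describes.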
Port: 1600
Service: issd
Description: The Shivka-Burka Trojan opens this port.
Port: 1720
Service: NetMeeting
Description: NetMeeting H.323 call setup.
Port: 1731
Service: NetMeeting Audio Call Control
Description: NetMeeting audio call control.
Port: 1807
Service: [NULL]
Description: The SpySender Trojan opens this port.
Port: 1981
Service: [NULL]
Description: The ShockRave Trojan opens this port.
Port: 1999
Service: cisco identification port
Description: The BackDoor Trojan opens this port.
Port: 2000
Service: [NULL]
Description: Trojan programs like GirlFriend 1.3, Millenium 1.0 open this port.
Port: 2001
Service: [NULL]
Description: Trojan programs like Millenium 1.0, Trojan Cow open this port.
Port: 2023
Service: xinuexpansion 4
Description: The Pass Ripper Trojan opens this port.
Port: 2049
Service: NFS
Description: NFS programs often run on this port. Usually, you need to access Portmapper to query which port this service runs on.
Port: 2115
Service: [NULL]
Description: The Bugs Trojan opens this port.