Often, when I see many network engineers’ resumes stating they are familiar with “TCP/IP, HTTP, and other protocols,” I always ask them sincerely: Can you explain what you understand about ports? Many can answer part of it, but few can provide a perfect explanation. For laymen, you can simply understand ports as the communication outlets between computers and the outside world. However, in network technology, ports generally have two meanings:

(1) Ports in hardware devices

Such as interfaces on switches and routers used to connect to other devices. (e.g., SC ports, etc.)

(2) Ports in the TCP/IP protocol

Such as port 21 for FTP services and port 80 for web browsing services.

Why are there two meanings? There is a reason for this.

After all, with the popularization of the internet, the interfaces in pure hardware could no longer meet the needs of network communication. Therefore, new technologies were introduced in the TCP/IP protocol, forming “software ports,” which facilitate computer connections across spatial limitations.

Theoretically, there can be up to 65,535 ports. To facilitate understanding, network ports are categorized into three types based on this number:

(1) Well-Known Ports

Ranges from 0 to 1023. These ports are often referred to as “common ports” and are closely bound to specific services.

(2) Registered Ports

Ranges from 1024 to 49151. They are loosely bound to some services. Many services are bound to these ports, which are also used for many other purposes.

(3) Dynamic and/or Private Ports

Ranges from 49152 to 65535. Theoretically, common services should not be assigned to these ports. In practice, some special programs, especially Trojan programs, prefer to use these ports.

There is another classification method, such as ports based on the service method, which can be divided into “TCP protocol ports” and “UDP protocol ports.”

You might find this a bit confusing, so let me give you an example:

Common ports using the TCP protocol include FTP (using port 21) and SMTP (using port 25), while common ports using the UDP protocol include HTTP (using port 80) and DNS (using port 53).

Port: 0

Service: Reserved

Description: Typically used for analyzing operating systems. This method works because “0” is an invalid port in some systems. Attempting to connect to it using a normal closed port will yield different results. A typical scan uses an IP address of 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

Port: 1

Service: tcpmux

Description: This indicates someone is looking for SGI Irix machines. Irix is the main provider of tcpmux, which is enabled by default on these systems. Irix machines come with several default accounts without passwords, such as IP, GUEST UUCP, NUUCP, DEMOS, TUTOR, DIAG, OUTOFBOX, etc. Many administrators forget to delete these accounts after installation. Therefore, hackers search for tcpmux on the internet and exploit these accounts.

Port: 7

Service: Echo

Description: You can see many people searching for Fraggle amplifiers sending messages to X.X.X.0 and X.X.X.255.

Port: 19

Service: Character Generator

Description: This is a service that only sends characters. The UDP version will respond with a packet containing garbage characters after receiving a UDP packet. A TCP connection will send a stream of garbage characters until the connection is closed. Hackers can launch DoS attacks using IP spoofing. Forging UDP packets between two chargen servers. Similarly, Fraggle DoS attacks broadcast a packet with a spoofed victim’s IP to the target address, causing the victim to overload by responding to these packets.

Port: 21

Service: FTP

Description: The port opened by the FTP server for uploading and downloading. Attackers commonly use this to find anonymous FTP servers. These servers have readable and writable directories. Trojan programs like Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, and Blade Runner open this port.

Port: 22

Service: Ssh

Description: A TCP connection established by PcAnywhere to this port might be to find ssh. This service has many vulnerabilities, especially if configured in specific modes, many versions using the RSAREF library will have several vulnerabilities.

Port: 23

Service: Telnet

Description: Remote login. Intruders search for remote login UNIX services. Most of the time, scanning this port is to find the operating system running on the machine. Using other techniques, intruders can also find passwords. The Tiny Telnet Server Trojan opens this port.

Port: 25

Service: SMTP

Description: The port opened by the SMTP server for sending emails. Intruders look for SMTP servers to deliver their SPAM. When their accounts are closed, they need to connect to high-bandwidth E-MAIL servers to send simple messages to different addresses. Trojan programs like Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy open this port.

Port: 31

Service: MSG Authentication

Description: Trojan programs like Master Paradise and Hackers Paradise open this port.

Port: 42

Service: WINS Replication

Description: WINS replication.

Port: 53

Service: Domain Name Server (DNS)

Description: The port opened by the DNS server. Intruders may attempt zone transfers (TCP), DNS spoofing (UDP), or hide other communications. Therefore, firewalls often filter or log this port.

Port: 67

Service: Bootstrap Protocol Server

Description: Firewalls with DSL and Cable modems often see a lot of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from the DHCP server. Hackers often enter them, assign an address, and launch many man-in-the-middle attacks by acting as a local router. The client broadcasts a configuration request to port 68, and the server broadcasts a response request to port 67. This response uses broadcast because the client does not yet know the IP address to send to.

Port: 69

Service: Trivial File Transfer

Description: Many servers provide this service along with bootp to facilitate downloading startup code from the system. However, they often allow intruders to steal any file from the system due to misconfiguration. They can also be used to write files to the system.

Port: 79

Service: Finger Server

Description: Intruders use this to obtain user information, query the operating system, probe known buffer overflow errors, and respond to Finger scans from their machine to other machines.

Port: 80

Service: HTTP

Description: Used for web browsing. The Executor Trojan opens this port.

Port: 99

Service: Metagram Relay

Description: The ncx99 backdoor program opens this port.

Port: 102

Service: Message Transfer Agent (MTA) – X.400 over TCP/IP

Description: Message transfer agent.

Port: 109

Service: Post Office Protocol – Version 3

Description: The POP3 server opens this port for receiving emails and client access to the server’s mail service. POP3 services have many well-known weaknesses. There are at least 20 buffer overflow weaknesses related to username and password exchange, meaning intruders can enter the system before authentic login. There are other buffer overflow errors after successful login.

Port: 110

Service: SUN’s RPC services all ports

Description: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc.

Port: 113

Service: Authentication Service

Description: This is a protocol running on many computers for authenticating TCP connections. Using this standard service, you can obtain information from many computers. However, it can also be used as a logger for many services, especially FTP, POP, IMAP, SMTP, and IRC. If many clients access these services through a firewall, you will see many connection requests to this port. Remember, if this port is blocked, clients will feel a slow connection to the E-MAIL server on the other side of the firewall. Many firewalls support sending an RST during the blocking of TCP connections. This will stop the slow connection.

Port: 119

Service: Network News Transfer Protocol

Description: NEWS newsgroup transfer protocol, carrying USENET communication. This port’s connections are usually people looking for USENET servers. Most ISPs restrict access to their newsgroup servers to only their customers. Opening a newsgroup server will allow posting/reading anyone’s posts, accessing restricted newsgroup servers, posting anonymously, or sending SPAM.

Port: 135

Service: Location Service

Description: Microsoft runs the DCE RPC end-point mapper on this port for its DCOM services. This is similar to the function of UNIX port 111. Services using DCOM and RPC register their locations on the computer’s end-point mapper. When remote clients connect to the computer, they look up the end-point mapper to find the service’s location. Hackers scan this port on the computer to find the Exchange Server running on it? What version? Some DOS attacks target this port directly.

Port: 137, 138, 139

Service: NETBIOS Name Service

Description: Among them, 137 and 138 are UDP ports, used when transferring files through Network Neighborhood. Port 139: Connections entering through this port attempt to obtain NetBIOS/SMB services. This protocol is used for Windows file and printer sharing and SAMBA. WINS Registration also uses it.

Port: 143

Service: Interim Mail Access Protocol v2

Description: Like the security issues of POP3, many IMAP servers have buffer overflow vulnerabilities. Remember: A LINUX worm (admv0rm) will reproduce through this port, so many scans of this port come from unaware infected users. When REDHAT allows IMAP by default in their LINUX release, these vulnerabilities become popular. This port is also used for IMAP2, but it is not popular.

Port: 161

Service: SNMP

Description: SNMP allows remote management of devices. All configuration and operational information is stored in a database, which can be obtained through SNMP. Many misconfigurations by administrators will be exposed on the Internet. Crackers will attempt to access the system using the default passwords public, private. They may try all possible combinations. SNMP packets may be misdirected to the user’s network.

Port: 177

Service: X Display Manager Control Protocol

Description: Many intruders access the X-windows console through it, which also requires opening port 6000.

Port: 389

Service: LDAP, ILS

Description: Lightweight Directory Access Protocol and NetMeeting Internet Locator Server share this port.

Port: 443

Service: Https

Description: Web browsing port, providing encryption and secure port transmission of another HTTP.

Port: 456

Service: [NULL]

Description: The HACKERS PARADISE Trojan opens this port.

Port: 513

Service: Login, remote login

Description: This is a broadcast from UNIX computers using cable modems or DSL to log into the subnet. These provide information for intruders to enter their systems.

Port: 544

Service: [NULL]

Description: kerberos kshell.

Port: 548

Service: Macintosh, File Services (AFP/IP)

Description: Macintosh, file services.

Port: 553

Service: CORBA IIOP (UDP)

Description: Using cable modems, DSL, or VLAN will see broadcasts on this port. CORBA is an object-oriented RPC system. Intruders can use this information to enter the system.

Port: 555

Service: DSF

Description: Trojan programs like PhAse1.0, Stealth Spy, IniKiller open this port.

Port: 568

Service: Membership DPA

Description: Membership DPA.

Port: 569

Service: Membership MSN

Description: Membership MSN.

Port: 635

Service: mountd

Description: Linux mountd Bug. This is a popular bug for scanning. Most scans on this port are based on UDP, but TCP-based mountd has increased (mountd runs on both ports). Remember, mountd can run on any port (which port exactly needs to be queried on port 111), just Linux’s default port is 635, like NFS usually running on port 2049.

Port: 636

Service: LDAP

Description: SSL (Secure Sockets layer).

Port: 666

Service: Doom Id Software

Description: Trojan programs like Attack FTP, Satanz Backdoor open this port.

Port: 993

Service: IMAP

Description: SSL (Secure Sockets layer).

Port: 1001, 1011

Service: [NULL]

Description: Trojan programs like Silencer, WebEx open port 1001. Trojan Doly Trojan opens port 1011.

Port: 1024

Service: Reserved

Description: It is the beginning of dynamic ports. Many programs do not care which port they use to connect to the network; they request the system to assign the next idle port. Based on this, the allocation starts from port 1024. This means the first one to request the system will be assigned port 1024. You can restart the machine, open Telnet, and open another window to run natstat -a, which will show Telnet assigned port 1024. SQL sessions also use this port and port 5000.

Port: 1025, 1033

Service: 1025: network blackjack 1033: [NULL]

Description: The netspy Trojan opens these two ports.

Port: 1080

Service: SOCKS

Description: This protocol passes through the firewall in a tunnel manner, allowing people behind the firewall to access the INTERNET through an IP address. Theoretically, it should only allow internal communication to reach the INTERNET. However, due to misconfiguration, it allows attacks outside the firewall to pass through. WinGate often has this error, and you often see this when joining IRC chat rooms. Port: 1170 Service: [NULL] Description: Trojan programs like Streaming Audio Trojan, Psyber Stream Server, Voice open this port.

Port: 1234, 1243, 6711, 6776

Service: [NULL]

Description: Trojan programs like SubSeven 2.0, Ultors Trojan open ports 1234, 6776. Trojan SubSeven 1.0/1.9 opens ports 1243, 6711, 6776.

Port: 1245

Service: [NULL]

Description: The Vodoo Trojan opens this port.

Port: 1433

Service: SQL

Description: The port opened by Microsoft’s SQL service.

Port: 1492

Service: stone-design-1

Description: The FTP99CMP Trojan opens this port.

Port: 1500

Service: RPC client fixed port session queries

Description: RPC client fixed port session queries.

Port: 1503

Service: NetMeeting T.120

Description: NetMeeting T.120.

Port: 1524

Service: ingress

Description: Many attack scripts will install a backdoor SHELL on this port, especially scripts targeting vulnerabilities in Sendmail and RPC services on SUN systems. If you see connection attempts on this port right after installing a firewall, it is likely due to the above reasons. You can try Telnet to this port on your computer to see if it gives you a SHELL. Connecting to 600/pcserver also has this problem.

Port: 1600

Service: issd

Description: The Shivka-Burka Trojan opens this port.

Port: 1720

Service: NetMeeting

Description: NetMeeting H.233 call Setup.

Port: 1731

Service: NetMeeting Audio Call Control

Description: NetMeeting audio call control.

Port: 1807

Service: [NULL]

Description: The SpySender Trojan opens this port.

Port: 1981

Service: [NULL]

Description: The ShockRave Trojan opens this port.

Port: 1999

Service: cisco identification port

Description: The BackDoor Trojan opens this port.

Port: 2000

Service: [NULL]

Description: Trojan programs like GirlFriend 1.3, Millenium 1.0 open this port.

Port: 2001

Service: [NULL]

Description: Trojan programs like Millenium 1.0, Trojan Cow open this port.

Port: 2023

Service: xinuexpansion 4

Description: The Pass Ripper Trojan opens this port.

Port: 2049

Service: NFS

Description: NFS programs often run on this port. Usually, you need to access Portmapper to query which port this service runs on.

Port: 2115

Service: [NULL]

Description: The Bugs Trojan opens this port.

Port: 214