What are internal ports and external ports?

1. Summary

2. What is a port?

3. Classification of ports

4. The role of ports in intrusion

5. Introduction to common ports

6. Port-related tools

7. Protect your ports

8. Conclusion

1. Summary

I have long wanted to write a tutorial on ports, and today I finally put it into practice. In fact, there are many tutorials about ports on the Internet, but I have never seen one that really tells you what a port is (maybe I really haven't seen it). If you have read a lot of tutorials about ports, then tell me what a port is. Hehe, maybe you won't be able to answer for a while. It doesn't matter. Follow me!

2. What is a port?

On the Internet, hosts send and receive datagrams using the TCP/IP protocols, and each datagram is routed according to the IP address of its destination host. So delivering a datagram to the destination host is not a problem. What is the problem, then? Most operating systems support multiple programs (processes) running at the same time, so to which process should the destination host hand a received datagram? This problem clearly needs solving, which is why the port mechanism was introduced.

The local operating system assigns protocol ports to the processes that need them. Each protocol port is identified by a positive integer, such as 80, 139 or 445. When the destination host receives a datagram, it delivers the data to the port given by the destination port number in the message header, and the process that owns this port picks up the data and waits for the next batch to arrive. Even so, the concept of a port still seems abstract. Keep following me and don't go away.

A port is actually a queue. The operating system allocates a different queue for each process. Datagrams are pushed into the corresponding queue according to the destination port, waiting to be accessed by the process. In extremely special cases, this queue may overflow, but the operating system allows each process to specify and adjust its own queue size.

Not only does a process that receives datagrams need to open a port of its own; a process that sends datagrams needs to open one too. The source port is then recorded in the datagram, so that the receiver can send its reply back to this port.
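The behaviour described in this section can be observed on the loopback interface. The following is an added example, not part of the original tutorial: two UDP sockets stand in for two processes, and the function name, payloads and the 64 KB buffer size are assumptions chosen for illustration.

```python
import socket

def demo_port_queues():
    """Show destination-port demultiplexing, per-port queuing and replies to the source port."""
    svc_a = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    svc_b = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for s in (svc_a, svc_b, client):
            s.settimeout(2.0)
        # Port 0 asks the OS to pick a free port for each "service" (avoids clashes).
        svc_a.bind(("127.0.0.1", 0))
        svc_b.bind(("127.0.0.1", 0))
        port_a = svc_a.getsockname()[1]
        port_b = svc_b.getsockname()[1]

        # A process may adjust the size of its own receive queue.
        svc_a.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 64 * 1024)
        rcvbuf = svc_a.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)

        # The sender never calls bind(): the OS assigns it a source port on first send.
        client.sendto(b"A-1", ("127.0.0.1", port_a))
        client.sendto(b"B-1", ("127.0.0.1", port_b))
        client.sendto(b"A-2", ("127.0.0.1", port_a))
        client_port = client.getsockname()[1]

        # Nobody was reading while the datagrams arrived: each waited in the
        # queue of its destination port until the owning socket asked for it.
        queue_a, sources = [], []
        for _ in range(2):
            data, src = svc_a.recvfrom(1024)
            queue_a.append(data)
            sources.append(src)
        data_b, _ = svc_b.recvfrom(1024)

        # The source port carried in the datagram is where the reply goes.
        svc_a.sendto(b"ack from A", sources[0])
        reply, reply_src = client.recvfrom(1024)

        return {
            "port_a": port_a, "port_b": port_b, "client_port": client_port,
            "queue_a": queue_a, "queue_b": [data_b],
            "seen_source_port": sources[0][1],
            "reply": reply, "reply_from_port": reply_src[1],
            "rcvbuf": rcvbuf,
        }
    finally:
        for s in (svc_a, svc_b, client):
            s.close()

if __name__ == "__main__":
    for key, value in demo_port_queues().items():
        print(f"{key}: {value}")
```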

3. Classification of ports

On the Internet, ports are divided into two categories by protocol type: TCP ports and UDP ports. Although both are identified by positive integers, this causes no ambiguity (for example between TCP port 80 and UDP port 80), because the datagram also indicates the port type.

In terms of port allocation, ports are divided into fixed ports and dynamic ports (some tutorials also put the rarely used high ports into a third category: private ports):

Fixed ports (0-1023):

These use a centralized management mechanism: they follow the port allocations made by a managing organization, which is responsible for publishing them. Because these ports are bound to particular services, we often scan them to determine whether the other party has started those services, such as TCP's 21 (ftp) and 80 (http), UDP's 7 (echo) and 69 (tftp), and other well-known ports.

Dynamic ports (1024-49151):

These ports are not bound to a particular service. The operating system assigns them dynamically to each process, and the same process may be given different ports on two different occasions. However, some applications do not want to use the dynamic ports assigned by the operating system. They have their own "trademark" ports, such as port 4000 of the oicq client and port 7626 of the Glacier Trojan, which are fixed and well known.

4. The role of ports in intrusion

Someone once compared the server to a house and the ports to doors leading to different rooms (services), which is a good metaphor if details are not considered. If an intruder wants to occupy the house, he has to break into it (physical intrusion is another matter), so it is very important for the intruder to know how many doors the house has open, what kind of doors they are and what is behind them.

Intruders usually use scanners to scan the ports of the target host to determine which ports are open. From the open ports, intruders can tell what services the target host provides, and then guess at the possible vulnerabilities. Therefore, scanning ports helps us understand the target host better. For administrators, scanning the open ports of their own machines is also the first step in doing a good job of security prevention.

5. Introduction to common ports

Because of my limited knowledge, I only introduce some basics here.

1) 21 FTP

The opening of this port means that the server provides FTP services. Intruders usually scan this port to determine whether anonymous login is allowed. If they can find a writable directory, they can upload some hacker programs for further intrusion. To close this port, you need to close the FTP service.

2) 23 Telnet

Opening this port means that the server provides remote login service. If you have an administrator's username and password, you can take full control of the host through this service (but you must pass NTLM authentication first) and get a shell at the command line. Many intruders like to open this service as a back door. To close this port, you need to close the Telnet service.

3) 25 SMTP

The opening of this port means that the server provides SMTP service. Some servers that do not support authentication allow intruders to send mail anywhere. SMTP server (especially Sendmail) is also one of the most commonly used ways to access the system. To close this port, the SMTP service needs to be closed.

4) 69 TFTP (UDP)

Opening this port means that the server provides TFTP service, allowing files to be downloaded from and written to the server. If the administrator has misconfigured it, the intruder can even download the password file. Many intruders run this service on their own machines in order to transfer files to the target machine. To close this port, the TFTP service needs to be closed.

5) 79 finger

Used to obtain user information, query the operating system, detect known buffer overflow errors, and respond to finger scanning from your own machine to other machines.

6) 80

8) TCP 139 and 445

Many people are concerned about these two ports. Let me introduce them in detail:

First, let's learn some basic knowledge:

1. SMB (Server Message Block): the Windows protocol family used for file and print services;

2. NBT (NetBIOS over TCP/IP): NetBIOS networking carried over TCP/IP, using ports 137 (UDP), 138 (UDP) and 139 (TCP).

3. In Windows NT, SMB runs on top of NBT, that is, it uses port 139 (TCP). In Windows 2000, in addition to NBT, SMB can also run directly over port 445.

With this basic knowledge, we can further discuss the port selection for accessing the network:

For win2000 clients (initiators):

1. If NBT is allowed when connecting to the server, the client tries ports 139 and 445 simultaneously. If port 445 responds, it sends an RST packet to port 139 to drop that connection and continues the session with port 445. If port 445 does not respond, port 139 is used. If neither port responds,

2. If NBT is disabled when connecting to the server, the client only tries port 445. If port 445 does not respond, the session fails.

For win2000 servers:

1. If NBT is allowed, UDP ports 137 and 138 and TCP ports 139 and 445 are listened on;

2. If NBT is disabled, only port 445 is open.

The port selection of the ipc$ session we establish also follows the above principles. Obviously, if the remote server does not listen on port 139 or 445, the ipc$ session cannot be established. So how do you close these two ports on Windows 2000?

You can block port 139 by disabling NBT.

Local Area Connection - TCP/IP Properties - Advanced - WINS - select "Disable NetBIOS over TCP/IP".

Port 445 can be blocked by modifying the registry.

Add a registry value:

Hive: HKEY_LOCAL_MACHINE

Key: System\CurrentControlSet\Services\NetBT\Parameters

Name: SMBDeviceEnabled

Type: REG_DWORD

Value: 0

Restart the machine after modification.

9) 3389 Terminal Services

The opening of this port means that the server provides terminal services. If you get the administrator's username and password, you can completely control the host in the graphical interface through this service, which is really desirable, but if you can neither get the password nor find an input-method vulnerability, you will feel very helpless. To close this port, you need to close Terminal Services.

6. Port-related tools

1 netstat -an

Strictly speaking, this is not a tool, but it is the most convenient way to view the ports you have open. Just enter this command in cmd, as follows:

C:\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1027           *:*
  UDP    127.0.0.1:1029         *:*
  UDP    127.0.0.1:1030         *:*

These are the ports open on my machine when I am not surfing the Internet. The two ports 135 and 445 are fixed ports, and the others are dynamic ports.

2 fport.exe and mport.exe

These are two small command-line programs for viewing the open ports of the local machine. They are similar to netstat -an, except that they also show which process opened each port. If you suspect that a strange port on your machine may belong to a Trojan horse, check it with them.

3 activeport.exe (also known as aports.exe)

It is also used to view the open ports of the local machine. In addition to all the functions of the above two programs, it has two more attractive features: graphical interface and the ability to close ports. This is absolutely useful for beginners and is recommended.

4 SuperScan 3.0

You have heard of it, haven't you? It is number one among pure port-scanning tools: it is fast and lets you specify the ports to scan. Needless to say, this is an absolutely necessary tool.

7. Protect your ports

Friends who are new to networking are generally sensitive about their own ports. They are always afraid that their computers have too many ports open, and even more afraid that some of them belong to backdoor programs. But because they are not familiar with ports and have no remedy, they hardly dare to go online. In fact, protecting your own ports is not that difficult. Just do the following:

1 Check: Regularly check the local open ports with commands or software to see if there are any suspicious ones;

2 Judge: If you are not familiar with an open port, immediately consult a port reference or a list of common Trojan ports (there are many on the Internet) to see what the suspicious port is used for, or use software to find the process that opened the port and judge from that;

3 Close: If it is a Trojan port, or the reference material has no description of the port, then the port should be closed. You can use a firewall to block it, or you can go to Local Area Connection - TCP/IP - Advanced - Options - TCP/IP Filtering and enable the filtering mechanism to filter the port.

Note: Be careful when judging, because some dynamically allocated ports can easily arouse unnecessary suspicion. Such ports are usually low and consecutive. Also, some cunning backdoor programs borrow common ports such as 80 to communicate (to get through the firewall), which is very hard to guard against, so the key is not to run unfamiliar programs casually.
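The netstat -an listing in section 6 and the check and judge steps above can be combined in a short script. This is an added example, not part of the original tutorial: the sample output is constructed, the port labels are taken from this page, and LOW_DYNAMIC_MAX and the verdict names are assumptions made for illustration.

```python
import re

# Constructed sample in `netstat -an` format, modelled on the listing in section 6.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1031       192.168.0.9:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1027           *:*
"""

# Labels use this page's own wording for each port.
KNOWN_SERVICES = {21: "FTP", 23: "Telnet", 25: "SMTP", 69: "TFTP", 79: "finger",
                  80: "HTTP", 135: "location service", 139: "NetBIOS/SMB",
                  445: "SMB", 3389: "terminal service"}
TROJAN_PORTS = {99: "ncx99", 1025: "netspy", 1492: "FTP99CMP",
                1524: "backdoor shell", 2583: "Wincrash 2.0", 7626: "Glacier"}
FIXED_MAX = 1023          # the page's fixed range is 0-1023
LOW_DYNAMIC_MAX = 1100    # assumption: upper bound for "low" dynamic ports

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def parse_listeners(text):
    """Step 1 (check): return sorted (proto, port) pairs that accept traffic."""
    found = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # banner, column header or blank line
        proto, _addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # an existing connection is not an open door
        found.add((proto, int(port)))
    return sorted(found)

def classify(listeners):
    """Step 2 (judge): label every listener, applying the page's caveat about
    low, consecutive dynamic ports before calling anything suspicious."""
    ports = {p for _, p in listeners}
    report = []
    for proto, port in listeners:
        kind = "fixed" if port <= FIXED_MAX else "dynamic"
        in_low_run = (kind == "dynamic" and port <= LOW_DYNAMIC_MAX
                      and (port - 1 in ports or port + 1 in ports))
        if port in TROJAN_PORTS and in_low_run:
            verdict = "check-process"     # probably OS-assigned: look at the owner first
        elif port in TROJAN_PORTS:
            verdict = "suspicious"        # candidate for step 3 (close)
        elif port in KNOWN_SERVICES:
            verdict = "known-service"
        elif kind == "dynamic":
            verdict = "dynamic"           # unlisted: confirm the owning process
        else:
            verdict = "unknown-fixed"
        note = TROJAN_PORTS.get(port) or KNOWN_SERVICES.get(port, "")
        report.append((proto, port, kind, verdict, note))
    return report

if __name__ == "__main__":
    for row in classify(parse_listeners(SAMPLE)):
        print("%-4s %-6d %-8s %-14s %s" % row)
```

A "check-process" or "dynamic" verdict is where the process-to-port view of fport.exe or mport.exe from section 6 comes in.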

8. Conclusion

Please reply if you think this is good.


Universal port comparison table

Start - Run - cmd, then type netstat -an and press Enter to view the ports.

Port: 0

Service: reserved

Description: Usually used to fingerprint the operating system. This method works because "0" is an invalid port on some systems, so an attempt to connect to it as you would to a normally closed port produces a different result. A typical scan uses the IP address 0.0.0.0, sets the ACK bit and broadcasts at the Ethernet layer.

Port: 1

Service: tcpmux

Description: This indicates that someone is looking for SGI Irix machines. Irix is the main provider of tcpmux, which is turned on by default on that system. Irix machines ship with several default password-free accounts, such as IP, guest UUCP, NUUCP, DEMOS, TUTOR, DIAG and OUTOFBOX. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and use these accounts.

Port: 7

Service: echo

Description: You can see many messages sent to X.X.X.0 and X.X.X.255 by people searching for Fraggle amplifiers.

Port: 19

Service: Character Generator

Description: This is a service that only sends characters. The UDP version responds to a received UDP packet with a packet containing junk characters. On a TCP connection it sends a stream of junk characters until the connection is closed. Hackers can use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Similarly, the Fraggle DoS attack broadcasts a packet with a forged victim IP to this port of the target address, and the victim is overloaded by the responses.

Port: 21

Service: FTP

Description: The port an FTP server opens for uploading and downloading. Attackers most commonly use it to look for FTP servers that allow anonymous login. These servers have readable and writable directories. The Trojans Doly Trojan, Fore, Stealth FTP, WebEx, WinCrash and Blade Runner open this port.

Port: 22

Service: SSH

Description: A TCP connection to this port made by PcAnywhere may be looking for ssh. This service has many weaknesses. If configured in a specific mode, many versions that use the RSAREF library have many vulnerabilities.

Port: 23

Service: Telnet

Description: Remote login. The intruder is searching for UNIX remote login services. In most cases this port is scanned to find out which operating system the machine is running. Using other techniques, intruders can also find passwords. The Trojan Mini Telnet Server opens this port.

Port: 25

Service: SMTP

Description: The port an SMTP server opens for sending mail. Intruders look for SMTP servers through which to send their spam. Their own accounts get closed, so they need to connect to a high-bandwidth e-mail server and pass simple messages on to different addresses. The Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC and WinSpy all open this port.

Port: 31

Service: message authentication

Description: Trojan Master Park and Hacker Park open this port.

Port: 42

Service: WINS replication

Description: WINS replication

Port: 53

Service: Domain Name Server (DNS)

Description: The port opened by DNS servers. Intruders may attempt zone transfers (TCP), spoof DNS (UDP) or hide other traffic here. Therefore, firewalls usually filter or log this port.

Port: 67

Service: Bootstrap Protocol Server

Description: Firewalls on DSL and cable modem connections often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting addresses from a DHCP server. Hackers often get onto these networks, hand out an address and present themselves as the local router in order to launch a large number of man-in-the-middle attacks. The client broadcasts the requested configuration to port 68 and the server broadcasts the response request to port 67. This response is broadcast because the client does not yet know an IP address it can be sent to.

Port: 69

Service: Trivial File Transfer

Description: Many servers provide this service together with bootp, so that startup code can be downloaded from the system conveniently. However, configuration errors often allow intruders to steal any file from the system. It can also be used to write files to the system.

Port: 79

Service: finger server

Description: Intruders use it to obtain user information, query the operating system, detect known buffer overflow errors, and respond to finger scanning from their own machines to other machines.

Port: 80

Service: HTTP

Description: Used for web browsing. The Trojan Executor opens this port.

Port: 99

Service: Metagram Relay

Description: Backdoor program ncx99 opens this port.

Port: 102

Service: Message Transfer Agent (MTA)-x.400 over TCP/IP.

Description: Message Transfer Agent.

Port: 109

Service: Post Office Protocol - Version 3

Description: The POP3 server opens this port to receive mail, and the client accesses the mail service on the server side. POP3 services have many recognized weaknesses. At least 20 weaknesses involve buffer overflows in the user name and password exchange, which means that intruders can enter the system before actually logging in. There are other buffer overflow errors after successful login.

Port: 110

Service: all ports of SUN's RPC service.

Description: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc.

Port: 113

Service: authentication service

Description: This is a protocol that runs on many computers and is used to identify the user of a TCP connection. Using this standard service, you can obtain information about many computers. It is also used as a logger by many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if many clients access these services through a firewall, you will see many connection requests to this port. Remember that if you block this port, clients will experience slow connections to the e-mail server on the other side of the firewall. Many firewalls support sending back an RST when blocking TCP connections, which stops the slow connection.

Port: 119

Service: Network News Transfer Protocol

Description: The NEWS newsgroup transfer protocol, which carries USENET traffic. Connections to this port are usually from people looking for a USENET server. Most ISPs only allow their own customers to access their newsgroup servers. An open newsgroup server allows anyone to post and read, access restricted newsgroup servers, post anonymously or send spam.

Port: 135

Service: Location Service

Description: Microsoft runs the DCE RPC endpoint mapper on this port for its DCOM service. This is similar to the function of UNIX port 111. Services using DCOM and RPC register their locations with the endpoint mapper on the computer. When remote clients connect to the computer, they query the endpoint mapper to find where a service is located. A hacker scanning this port may be trying to find out whether Exchange Server is running on the computer, and which version. There are also some DoS attacks against this port.

Ports: 137, 138, 139

Service: NETBIOS name service

Description: Of these, 137 and 138 are UDP ports, used when transferring files through Network Neighborhood. Port 139: connections coming in through this port attempt to obtain NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and for SAMBA. WINS Registration also uses it.

Port: 143

Service: Interim Mail Access Protocol v2

Description: As with the security problems of POP3, many IMAP servers have buffer overflow vulnerabilities. Remember: a LINUX worm (admv0rm) spreads through this port, so many scans of this port come from infected users who are unaware of it. These vulnerabilities became popular when REDHAT enabled IMAP by default in its LINUX distribution. This port is also used for IMAP2, but that is not popular.

Port: 161

Service: SNMP

Description: SNMP allows remote management of devices. All configuration and operation information is stored in a database and can be obtained through SNMP. Many administrators' misconfigurations leave it exposed to the Internet. Crackers will try to access the system using the default passwords public and private. They will try all possible combinations. SNMP packets may be incorrectly pointed at the user's network.

Port: 177

Service: X Display Manager Control Protocol

Description: Many intruders access the X-windows console through it; port 6000 must also be open at the same time.

Port: 389

Services: LDAP, ILS

Description: Lightweight Directory Access Protocol and NetMeeting Internet Locator Server use this port.

Port: 443

Service: HTTPS

Description: Web browsing port; another form of HTTP that provides encryption and transmission over a secure port.

Port: 456

Service: [empty]

Description: Trojan Hacker Paradise opens this port.

Port: 513

Service: login, remote login

Description: Broadcasts from UNIX computers that log on to the subnet using a cable modem or DSL. These give intruders information for entering their systems.

Port: 544

Service: [empty]

Description: kerberos kshell

Port: 548

Service: Macintosh, file service (AFP/IP)

Description: Macintosh, file service.

Port: 553

Service: CORBA IIOP (UDP)

Description: With a cable modem, DSL or VLAN you will see broadcasts on this port. CORBA is an object-oriented RPC system. Intruders can use this information to enter the system.

Port: 555

Service: DSF

Description: Trojan horse PhAse 1.0, stealth spy and IniKiller open this port.

Port: 568

Service: member DPA

Description: Membership DPA.

Port: 569

Service: Member MSN

Description: Member MSN.

Port: 635

Service: mountd

Description: The Linux mountd bug. This is a bug commonly scanned for. Most scans of this port are UDP-based, but scans of TCP-based mountd are increasing (mountd runs on both ports at the same time). Remember that mountd can run on any port (to find out which, you need to query portmap on port 111), but the Linux default is port 635, just as NFS usually runs on port 2049.

Port: 636

Service: LDAP

Description: SSL (Secure Sockets Layer)

Port: 666

Service: Doom Id software

Description: The Trojans Attack FTP and Satanz Backdoor open this port.

Port: 993

Service: IMAP

Description: SSL (Secure Sockets Layer)

Port: 1001, 1011

Service: [empty]

Description: The Trojans Silencer and WebEx open port 1001. A Trojan opens port 1011.

Port: 1024

Service: reserved

Description: This is the start of the dynamic ports. Many programs do not care which port they use to connect to the network. They ask the system to assign them the next free port, and allocation starts from port 1024. This means that the first program to ask the system will be given port 1024. You can restart the machine, open Telnet, and then open a window and run netstat -a. You will see that Telnet has been assigned port 1024. SQL sessions also use this port and port 5000.

Port: 1025, 1033

Service: 1025: network blackjack; 1033: [empty]

Description: Trojan netspy opens these two ports.

Port: 1080

Service: socks

Description: This protocol tunnels through the firewall, allowing people behind the firewall to access the Internet through a single IP address. In theory it should only allow internal traffic out to the Internet. However, because of misconfiguration, it lets attacks from outside the firewall pass through it. WinGate often makes this mistake, which is often seen when joining IRC chat rooms.

Port: 1170

Service: [empty]

Description: Trojan streaming audio Trojan, Psyber streaming server and voice open this port.

Ports: 1234, 1243, 6711, 6776

Service: [empty]

Description: Trojan and Autes Trojan open ports 1234 and 6776. Trojan SubSeven 1.0/1.9 opens ports 1243, 6711 and 6776.

Port: 1245

Service: [empty]

Description: Trojan Waldo opens this port.

Port: 1433

Service: SQL

Description: The port opened by the Microsoft SQL service.

Port: 1492

Service: stone-design-1

Description: Trojan FTP99CMP opens this port.

Port: 1500

Service: RPC client fixed port session query.

Description: RPC client fixed port session query

Port: 1503

Service: NetMeeting T.120

Description: NetMeeting T.120

Port: 1524

Service: ingress

Description: Many attack scripts install a backdoor shell on this port, especially those targeting vulnerabilities in the Sendmail and RPC services on SUN systems. If you see someone trying to connect to this port right after you install a firewall, this is probably the reason. You can try Telnet to this port on the user's computer to see if it gives you a SHELL. Connecting to a 600/pcserver also has this problem.

Port: 1600

Service: issd

Description: Trojan Shivka-Burka opens this port.

Port: 1720

Service: NetMeeting

Description: NetMeeting H.233 call setup.

Port: 1731

Service: NetMeeting audio call control

Description: NetMeeting audio call control.

Port: 1807

Service: [empty]

Description: Trojan Spisend opens this port.

Port: 1981

Service: [empty]

Description: Trojan Shock opens this port.

Port: 1999

Service: Cisco Identification Port

Description: Trojan back door opens this port.

Port: 2000

Service: [empty]

Description: Trojan girlfriend 1.3 and Millennium 1.0 open this port.

Port: 2001

Service: [empty]

Description: Trojan Millennium 1.0 and Trojan cows open this port.

Port: 2023

Service: xinuexpansion 4

Description: Trojan Pass Ripper opens this port.

Port: 2049

Service: NFS

Description: NFS programs often run on this port. You usually need to visit the port mapper to find out which port the service is running on.

Port: 2115

Service: [empty]

Description: Trojan bugs open this port.

Ports: 2140, 3150

Service: [empty]

Description: Trojan Deep Throat 1.0/3.0 opens these ports.

Port: 2500

Service: RPC clients that use fixed port session replication.

Description: RPC client applying fixed port session replication.

Port: 2583

Service: [empty]

Description: Trojan Wincrash 2.0 opens this port.

Port: 2801

Service: [empty]

Description: Trojan Phineas Puke opens this port.

Ports: 3024, 4092

Service: [empty]

Description: Trojan Winchester opens this port.

Port: 3128

Service: squid

Description: This is the default port of the squid HTTP proxy server. Attackers scan this port to search for proxy servers through which to access the Internet anonymously. You will also see searches for other proxy servers on ports 8000, 8001, 8080 and 8888. Another reason for scans of this port is that the user is entering a chat room. Other users will also check this port to determine whether the user's machine supports proxying.

Port: 3129

Service: [empty]

Description: Trojan Master Park opens this port.

Port: 3150

Service: [empty]

Description: Trojan Invaders opens this port.

Ports: 3210, 4321

Service: [empty]

Description: Trojan school bus opens this port.

Port: 3333

Service: dec-notes

Description: Trojan Maprothiak opens this port.

Port: 3389

Service: HyperTerminal

Description: WINDOWS 2000 terminal opens this port.

Port: 3700

Service: [empty]

Description: The Doors of Troy opens this port.

Ports: 3996, 4060

Service: [empty]

Description: Trojan remote anything opens this port.

Port: 4000

Service: QQ client

Description: Tencent QQ client opens this port.

Port: 4092

Service: [empty]

Description: Trojan Winchester opens this port.

Port: 4590

Service: [empty]

Description: Trojan ICQTrojan opens this port.

Ports: 5000, 5001, 5321, 50505

Service: [empty]

Description: Trojan blazer5 opens port 5000. Trojan horse socket open