First, the port introduction
With the development of computer network technology, the original physical interfaces (such as keyboard, mouse, network card, graphics card and other input/output interfaces) can no longer meet the requirements of network communication. As the standard protocol of network communication, TCP/IP protocol solves this communication problem. Integrating TCP/IP protocol into the kernel of the operating system is equivalent to introducing a new input/output interface technology into the operating system, because an application program interface called "Socket" is introduced into the TCP/IP protocol. With such interface technology, computers can communicate with any computer with Socket interface through software. Port is also called "socket interface" in computer programming.
With these ports, how do these ports work? For example, why can a server be a Web server, an FTP server, a mail server, and so on? One of the most important reasons is that various services use different ports to provide different services. For example, TCP/IP protocol stipulates that Web uses port 80, FTP uses port 2 1, and mail server uses port 25. In this way, the computer can communicate with the outside world without interference through different ports.
According to experts' analysis, there can be up to 65,535 server ports, but in fact there are only dozens of commonly used ports, which shows that there are quite a few undefined ports. This is why so many hacker programs can define a special port in some way to achieve the purpose of intrusion. In order to define this port, you need to rely on a program to automatically load it into memory before the computer starts, and forcibly control the computer to open that special port. This program is a "backdoor" program, and these backdoor programs are usually called Trojan horse programs. To put it simply, these Trojan horse programs first implant a program in a personal computer by some means, open a specific port, commonly known as the "back door", and make the computer an extremely open FTP server (users have extremely high permissions), and then achieve the purpose of intrusion through the back door.
Second, the classification of ports.
There are different ways to classify ports according to their reference objects. If classified according to the nature of the port, it can usually be divided into the following three categories:
(1) Known ports (known
Ports): These ports are also commonly referred to as "public ports". The port numbers of these ports range from 0 to 1024, and they are closely bound to some specific services. Usually, the communication of these ports clearly indicates the protocol of a service, and this port cannot be redefined. For example, port 80 is actually always used for HTTP communication, while port 23 is dedicated to Telnet service. These ports are usually not used by hackers like Trojans. In order to let you know more about these common ports, the services corresponding to these ports will be listed in detail later in this chapter for your understanding and reference.
(2) Registered port (registered
Ports): The port number is from 1025 to 49 15 1. They are loosely bound to some services. In other words, many services are bound to these ports, and these ports are also used for many other purposes. Most of these ports have no clear definition of service objects, and different programs can define them according to actual needs. For example, these ports will be defined in the remote control software and Trojan horse programs introduced later. It is very necessary to remember these common program ports in the protection and killing of Trojan horses. The ports used by common Trojans will be listed in detail later.
(3) dynamic and/or dedicated ports (dynamic and/or dedicated)
Port): The port number ranges from 49 152 to 65535. Theoretically, public services should not be allocated on these ports. In fact, some special programs, especially some Trojans, like to use these ports very much, because these ports are often unknown and easy to hide.
According to different service modes, ports can be divided into "TCP protocol ports" and "UDP protocol ports". Because computers generally use these two communication protocols to communicate with each other. The "connection mode" mentioned above is a direct connection with the receiver. After sending the information, you can confirm whether the information has arrived. This mode mostly adopts TCP protocol. The other is to send information online without direct connection with the receiver, regardless of whether the information arrives or not, which is the "connectionless mode" introduced earlier. This way mostly adopts UDP protocol, and IP protocol is also a connectionless way. Ports provided by services using the above two communication protocols are also divided into "TCP protocol ports" and "UDP protocol ports".
Common ports using TCP protocol mainly include the following:
(1) FTP: define the file transfer protocol, and use port 2 1. It is often said that when a computer starts FTP service, it starts file transfer service. FTP service is used to download files and upload home pages.
(2)
Telnet: It is the port for remote login. Users can connect to the computer remotely as themselves. Through this port, communication service based on DOS mode can be provided. For example, the previous BBS was a pure character interface, and the server supporting BBS opened port 23 to provide services to the outside world.
(3)
SMTP: A simple mail transmission protocol is defined, and now many mail servers use it to send mail. For example, this mail service port is used in the commonly used free mail service, so it is often seen in the mail settings that there is such an SMTP port setting bar, and the server opens port 25.
(4)
POP3: corresponding to SMTP, POP3 is used to receive mail. Generally, the POP3 protocol uses the port 1 10. That is to say, as long as you have a corresponding program using the POP3 protocol (such as Foxmail or Outlook), you can directly use the email program to receive emails without using the Web login email interface (if the email address is 163, you don't need to enter the Netease website first, and then enter your own email address to receive emails).
Commonly used UDP protocol ports are:
( 1)
HTTP: This is the most commonly used protocol, which is usually called Hypertext Transfer Protocol. When surfing the internet, you have to open port 80 on the computer that provides web resources to provide services. It is often said that "WWW service" and "Web server" use this port.
(2) DNS: used for domain name resolution service, which is available in Windows.
It is most used in NT system. Every computer on the Internet has a corresponding network address. This address is usually called an IP address, and is expressed in the form of a pure number+".". . However, this is not convenient to remember, so the domain name appears. When accessing a computer, you only need to know the domain name, and the conversion of domain name and IP address is completed by DNS server. DNS uses port 53.
(3) SNMP: Simple network management protocol, which uses port 16 1 to manage network devices. Because there are many network devices, connectionless service shows its advantages.
(4)
OICQ:OICQ program not only accepts services, but also provides services, so that two chat talents are equal. OICQ uses connectionless protocol, which means it uses UDP protocol. OICQ server uses port 8000 to listen to information, and client uses port 4000 to send information. If both ports are in use (many people are chatting with several friends at the same time), add them in order.
Among the more than 60,000 ports of a computer, those with port numbers within 1024 are usually called public ports, and the services corresponding to these public ports are usually fixed. Table 1 lists the default ports of the server and cannot be changed. These ports are mainly used for general communication processes.
Table 1
Service Type Default Port Service Type Default Port
Echo7Daytime 13
FTP2 1Telnet23
SMTP 25 time 37
Who is 43DNS53?
Gopher70Finger79
WWW80POP3 1 10
nntp 1 19 IRC 194
In addition, proxy servers usually use the following ports:
(1). Common port number of HTTP protocol proxy server: 80/8080/3128/8081/9080.
(2).SOCKS proxy protocol server public port number: 1080.
(3) Commonly used port number of FTP protocol proxy server: 2 1.
(4).Telnet protocol proxy server universal port: 23
Third, the application of ports in hackers
Hacking programs such as Trojans achieve their goals by invading ports. In the use of ports, hackers usually have two ways, namely "port monitor" and "port scanning".
"port monitor" and "port scanning" are two commonly used port technologies in hacker attack and protection. In hacker attacks, they can be used to accurately find the target and obtain useful information. In personal and network protection, hacker attacks and some security vulnerabilities can be found in time through the application of this port technology. Let's briefly introduce the similarities and differences between these two port technologies.
"port monitor" is to use some programs to listen to the ports of the target computer to see which ports are available on the target computer. You can also capture other people's useful information through interception, which is mainly used in hacker software, but it is also very useful for individuals. You can use interceptors to protect your computer and monitor selected ports of your computer so that you can find and intercept some hacker attacks. You can also monitor the designated ports of other people's computers to see if you can invade freely.
"Port Scan" (Port
Scanning is to determine what service is running by connecting to the TCP protocol or UDP protocol port of the target system, and then obtain the corresponding user information. Nowadays, many people confuse "port monitor" with "port scanning", and they simply can't tell what kind of situation uses monitoring technology and what kind of situation uses scanning technology. However, this kind of software seems a little vague about these two technologies now, and some simply integrate the two functions together.
"port monitor" and "port scanning" have both similarities and differences. The similarity is that both of them can monitor the target computer, but the difference is that "port monitor" is a passive process, waiting for others to connect, and only through the other party's connection can we monitor the needed information. In personal application, if the function of reporting to the user immediately when abnormal connection is detected is set, the hacker's connection attempt can be effectively intercepted and the Trojan horse program residing in this machine can be removed in time. This listener is usually installed on the target computer. The "port monitor" used by hackers usually means that the hacker program resides on the server, waiting for the server to capture the information needed by hackers in normal activities, and then sending it out in a connectionless way through UDP protocol. "Port scanning" is an active process, which actively scans the selected ports of the target computer and discovers all activities (especially some online activities) of the selected ports in real time. Scanner is usually installed on the client, but its connection with the server is mainly through UDP protocol without connection.
In the network, when information is spreading, you can use tools to set the network interface to monitoring mode, so that you can intercept or capture the information spreading in the network and then attack. Port monitor can be implemented in any location mode in the network, and hackers generally use port monitor to intercept user passwords.
Fourth, the principle of port monitor.
The working principle of Ethernet protocol is to send data packets to all connected computers. The correct address of the computer that should receive the packet is included in the packet header, because only computers that match the target address in the packet can receive the packet. However, when the computer is working in listening mode, the computer will be able to receive the data packet regardless of the target physical address. When two computers in the same network communicate, the source computer sends the data packet with the destination computer address directly to the destination computer, or when one computer in the network communicates with an external computer, the source computer sends the data packet with the destination computer IP address to the gateway. However, this kind of data packet cannot be sent directly at the upper layer of the protocol stack, and the data packet to be sent must be handed over to the network interface-data link layer from the IP protocol layer of TCP/IP protocol. The network interface will not recognize the IP address. In the network interface, the packet with IP address from IP protocol layer adds some header information of Ethernet. In the frame header, two fields are the physical addresses of the source computer and the destination computer, which can only be recognized by the network interface. This is a 48-bit address, and this 48-bit address corresponds to an IP address. In other words, IP addresses also correspond to physical addresses. As a gateway computer, because it is connected to multiple networks, it also has many IP addresses, and each network has one. Frame Relay sent outside the network carries the physical address of the gateway.
Frames with physical addresses in Ethernet are sent from network ports (or gateway ports) and transmitted to physical lines. If the local area network is connected by thick coaxial cable or thin coaxial cable, digital signals can reach every computer on the line by transmitting signals on the cable. When a hub is used, the transmitted signal reaches the hub and then is sent to each line connected to the hub. In this way, digital signals transmitted on physical lines can reach every computer connected to the hub. When the digital signal reaches the network interface of the computer, the network interface checks the read data frame under normal circumstances. If the physical address carried in the data frame is its own or the physical address is a broadcast address, then the data frame will be handed over to the IP protocol layer software. This procedure should be performed for each data frame that arrives at the network interface. But when the computer works in listening mode, all data frames will be handed over to the upper protocol software for processing.
When computers connected to the same cable or hub are logically divided into several subnets, if a computer is in listening mode, it can receive packets sent to computers not in the same subnet (using different masks, IP addresses and gateways), and all information transmitted on the same physical channel can be received.
On UNIX system, when a user with super permission wants to put the computer he controls into the listening mode, he only needs to send an I/O control command to the interface (network interface) to set the computer into the listening mode. In Windows,
In 9x system, it can be realized by running the monitoring tool directly, regardless of whether the user has permission or not.
When a port listens, it often needs to save a lot of information (including a lot of junk information) and sort out a lot of collected information, which will make the listening computer respond slowly to other users' requests. At the same time, the listener needs to consume a lot of processor time when it is running. If the contents of data packets are analyzed in detail at this time, many data packets will be lost because they are too late to be received. Therefore, listeners usually store the intercepted packets in a file for later analysis. Analyzing the intercepted data packets is a headache, because the data packets in the network are very complicated. The continuous sending and receiving of data packets between two computers will inevitably add some data packets interacted by other computers to the interception results. It is not easy for listeners to sort out the packets of the same TCP session. If you want to sort out the detailed information of users, you need to do a lot of analysis of data packets according to the protocol.
At present, the protocols used in the network are all designed earlier, and many of them are based on very friendly and complete trust. In the usual network environment, users' information, including passwords, is transmitted in clear text on the Internet, so it is not difficult to obtain user information through port interception. As long as you have a preliminary understanding of TCP/IP protocol, you can easily intercept the information you want.
Five, the principle of port scanning
"Port scanning" usually refers to sending all the ports to be scanned by the target computer with the same information, and then analyzing whether the ports of the target computer are open or available according to the returned port status. An important feature of "port scanning" behavior is that many packets are sent from the same source address to different destination ports in a short time.
For those who use port scanning to attack, attackers can always get scanning results, making it difficult for them to be found or traced back. In order to hide the attack, the attacker can scan slowly. Unless the target system is usually idle (so packets without listening ports will attract the attention of administrators), it is difficult to identify port scans with long intervals. The way to hide the source address is to send a large number of deceptive port scanning packets (1000), only one of which comes from the real source address. In this way, even if all the packets (1000) are detected and recorded, no one knows which is the real source address. All you can find is "scan once". It is precisely because of this that hackers happily continue to use this port scanning technology in large numbers to obtain the information of the target computer and carry out malicious attacks.
At present, port scanning software, also known as "port scanner", is the main tool for port scanning. Port scanning can serve three purposes:
(1) Identify the TCP protocol and UDP protocol services running on the target system.
(2) Identify the operating system type of the target system (Windows 9x, Windows NT or UNIX, etc.). ).
(3) Identify the version number of an application or a specific service.
Port scanner is a program that automatically detects the security weaknesses of remote or local computers. Using the scanner, you can find the distribution and services of various TCP protocol ports of remote servers without leaving a trace, and you can also know the software version they use! This can indirectly understand the security problems of remote computers.
The port scanner records the answers given by the target computer port by selecting the services of different ports of the remote TCP/IP protocol (such as port monitor? Do you allow anonymous login? Whether there is a writable FTP directory, whether TELNET can be used, etc.
Port scanner is not a program that directly attacks network vulnerabilities, it can only help to find some inherent weaknesses of the target machine. A good scanner can also analyze the data it obtains to help find the vulnerabilities of the target computer. But it won't provide a systematic detailed step.
The port scanner has the following three functions during scanning:
(1) the ability to discover computers or networks;
(2) Once the computer is found, it has the ability to find out what services the target computer is running;
(3) The ability to find existing vulnerabilities by testing these services on the target computer.
Writing scanner programs requires a lot of knowledge of TCP/IP protocol programming and C, Perl and/or SHELL languages. Some background in socket programming is needed, which is a way to develop client/service applications.
Common port of intransitive verbs
Among the more than 60,000 ports of a computer, those with port numbers within 1024 are usually called public ports, and the services corresponding to these public ports are usually fixed, so it is very necessary to understand these public ports in a certain program. Table 2 below lists the services corresponding to the common ports of computers (Note: the number before "=" in this list is the port number, and the services after "=" are the corresponding ports. )。
1=tcpmux(TCP port service multiplexer) 40 1 = UPS (uninterruptible power supply)
Supply)
2 = compressnet = Management Utility 402 = Wizard (Wizard Protocol)
3 = compressnet = compression process 403 = decapsulation
5=rje (remote job input) 404=nced
7=echo=Echo405=ncld
9 = Discard 406=imsp (Interactive Mail Support Protocol)
1 1=systat, active user 407 = Timbuktu.
13 = daytime408 = PRM-sm (prospero resource manager system. Dude. )
17=qotd (current market) 409 = PRM-nm (prosper resource Manager node man. )
18=msp (Messaging Protocol) 410 = DeclaredDebug (DeclaredDebug remote debugging
Agreement)
19 = character generator 4 1 1=rmt (remote mt protocol)
20=FTP-data (file transfer [default data]) 412 = Synoptics-trap (trap
Conference port)
2 1=FTP (file transfer [control ])4 13=smsp
22=ssh4 14=infoseek
23=telnet4 15=bnet
24 private mail system 16=silverplatter
25=smtp (Simple Mail Transfer) 4 17=onmux
27=nsw-fe(NSW user system Fe) 418 = hyper-g.
29 = msg-ICP 4 19 = Ariel 1
3 1=msg-auth420=smpte
33 = display support protocol 42 1=ariel2
35 = dedicated printer server 422=ariel3
37=time423=opc-job-start(IBM operation planning and control start)
38=rap (Routing Access Protocol) 424=opc-job-track(IBM Business Plan and
Control track)
39=rlp (Resource Location Protocol) 425=icad-el(ICAD)
4 1=graphics426=smartsdp
42 = Name server (WINS hostname server) 427=svrloc (server location)
43 = NIC name(Who)428 = OCS _ CMU
44=mpm-flags(MPM Marking Protocol) 429=ocs_amu
45=mpm (Message Processing Module [recv])430=utmpsd
46 = MPM-snd(MPM[ default send ])43 1=utmpcd
47=ni-ftp432=iasd
48 = digital audit Daemon433=nnsp
49=tacacs (Login Host Protocol (TACACS))434=mobileip proxy
50=re-mail-ck (Remote Mail Inspection Protocol) 435 = Mobip-Mn
5 1=la-maint(IMP logical address maintenance) 436=dna-cml
52=xns-time(XNS time protocol) 437=comscm
53 = Domain Name Server 438=dsfgw
54=xns-ch(XNS clearing house) 439=dasp(dasp Thomas Obermair)
55=isi-gl(ISI Graphic Language) 440=sgcp
56=xns-auth(XNS authentication) 44 1=decvms-sysmgt
57= private terminal access 442=cvc_hostd
58=xns-mail(XNS mail) 443=ews482=bgs-nsi
99 = Metagrammar, Metagrammar Relay483=ulpnet
100=newacct, [unauthorized use ]484=integra-sme(Integra software management
Environment)
10 1 = hostname, NIC hostname server 485=powerburst (soft power burst in the air)
102 = ISO-TSAP (ISO-TSAP level 0) 486 = poultry
103=gppitnp (originating point-to-point transmission network) 487=saft
104=acr-nema(ACR-NEMA digital image. & Communication 300)488=gss-tl (