View ports
To view the ports in Windows 2000/XP/Server 2003, you can use the netstat command:
Click "Start → Run", enter "cmd" and press Enter to open the command prompt window. Type "netstat -a -n" at the command prompt and press Enter to view the port numbers and states of the TCP and UDP connections, displayed in numeric form.
Close/open port
Before introducing the functions of the various ports, let's introduce how to close/open ports in Windows, because by default many unsafe or useless ports are open, such as port 23 for the Telnet service, port 21 for the FTP service, port 25 for the SMTP service, port 135 for the RPC service and so on. To keep the system secure, we can close/open these ports by the following methods.
Close the port
For example, to close port 25 of the SMTP service in Windows 2000/XP, you can do this: first open the Control Panel, double-click Administrative Tools, and then double-click Services. In the Services window, find and double-click the Simple Mail Transfer Protocol (SMTP) service, click the Stop button to stop the service, then select Disabled in the Startup Type, and finally click OK. Closing the SMTP service in this way is equivalent to closing the corresponding port.
Open the port
If you want to open the port again, select Automatic in the Startup Type, click OK, then open the service and click Start under Service Status to enable the port, and finally click OK.
Tip: Windows 98 has no Services option. You can use the rule settings of a firewall to close/open ports instead.
Port classification
There are many classification standards for ports in the logical sense. The following will introduce two common classifications:
1. By port number distribution
(1) Well-known ports
Well-known ports are the port numbers from 0 to 1023, which are generally assigned to specific services. For example, port 21 is assigned to the FTP service, port 25 is assigned to the SMTP (Simple Mail Transfer Protocol) service, port 80 is assigned to the HTTP service, port 135 is assigned to the RPC (Remote Procedure Call) service and so on.
(2) Dynamic ports
Dynamic ports range from 1024 to 65535. These port numbers are generally not fixed to a particular service, which means many services can use them. As long as a running program asks the system for network access, the system can assign one of these port numbers to the program. For example, port 1024 is assigned to the first program that makes such a request to the system. When the program's process is closed, the occupied port number is released.
However, dynamic ports are often used by viruses and Trojans. For example, the default connection port of Glacier is 7626, WAY 2.4 uses 8011, Netspy 3.0 uses 7306, and the YAI virus uses 1024.
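An added example (not part of the original article) that applies the checks above to netstat output: it parses a constructed sample of Windows `netstat -a -n` output, classifies each port as well-known or dynamic per the division just described, and flags listening ports that the text names as unsafe by default (21, 23, 25, 135) or as Trojan defaults (7626, 8011, 7306, 1024). The sample output and the port tables are assumptions built from this page, not captured from a real host.

```python
import re
from typing import NamedTuple

# Constructed sample of "netstat -a -n" output on Windows (not from a real machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1025      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

# Ports the text calls unsafe or useless by default, and the Trojan defaults it lists.
UNSAFE_DEFAULT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 135: "RPC"}
TROJAN_DEFAULT_PORTS = {7626: "Glacier", 8011: "WAY 2.4", 7306: "Netspy 3.0", 1024: "YAI"}

class Socket(NamedTuple):
    proto: str
    addr: str
    port: int
    state: str

# Proto, local addr:port, foreign addr, optional State (UDP rows have no State column).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Parse the Windows netstat -a -n table into Socket records; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        # A bound UDP socket is effectively a listener, so treat it as LISTENING.
        sockets.append(Socket(proto, addr, int(port), state or "LISTENING"))
    return sockets

def port_class(port):
    """Classification used by the text: well-known 0-1023, dynamic 1024-65535."""
    return "well-known" if port <= 1023 else "dynamic"

def flag_listeners(sockets):
    """Return (port, proto, class, reason) for listening sockets the text warns about."""
    findings = []
    for s in sockets:
        if s.state != "LISTENING":
            continue
        if s.port in UNSAFE_DEFAULT_PORTS:
            reason = f"{UNSAFE_DEFAULT_PORTS[s.port]} open by default; disable the service if unused"
        elif s.port in TROJAN_DEFAULT_PORTS:
            reason = f"default port of {TROJAN_DEFAULT_PORTS[s.port]}; identify the owning process"
        else:
            continue
        findings.append((s.port, s.proto, port_class(s.port), reason))
    return findings
```

On a real host, pipe the output of `netstat -a -n` into `parse_netstat` and review what `flag_listeners` returns before disabling anything.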
2. By protocol type
By protocol type, ports can be divided into TCP, UDP, IP and ICMP (Internet Control Message Protocol) ports. The following mainly introduces TCP and UDP ports:
(1) TCP ports
A TCP port, that is, a Transmission Control Protocol port, requires a connection to be established between the client and the server and can provide reliable data transmission. Common examples are port 21 for the FTP service, port 23 for the Telnet service, port 25 for the SMTP service and port 80 for the HTTP service.
(2) UDP ports
A UDP port, that is, a User Datagram Protocol port, does not require a connection to be established between the client and the server, so security cannot be guaranteed. Common examples are port 53 for the DNS service, port 161 for the SNMP service, and ports 8000 and 4000 used by QQ.
Common network ports
Port: 0
Service: reserved
Description: Usually used to fingerprint the operating system. This method works because "0" is an invalid port on some systems, and trying to connect to it produces different results than connecting to a port that is normally closed. A typical scan uses the IP address 0.0.0.0, sets the ACK bit and broadcasts it at the Ethernet layer.
Port: 1
Service: tcpmux
Description: This means someone is looking for SGI Irix machines. Irix is the main provider of tcpmux, which is turned on by default on that system. Irix machines shipped with several default password-less accounts, such as lp, guest, UUCP, NUUCP, DEMOS, TUTOR, DIAG, OUTOFBOX, etc. Many administrators forget to delete these accounts after installation, so hackers search for tcpmux online and use these accounts.
Port: 7
Service: echo
Description: When someone is searching for Fraggle amplifiers, you can see many messages sent to X.X.X.0 and X.X.X.255.
Port: 19
Service: Character Generator
Description: This is a service that only sends characters. The UDP version responds with a packet of junk characters after receiving a UDP packet. On a TCP connection, it sends a stream of junk characters until the connection is closed. Hackers can use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Similarly, the Fraggle DoS attack broadcasts a packet with a forged victim IP to this port of the target address, and the victim is overloaded by the responses.
Port: 21
Service: FTP
Description: The port the FTP server opens for uploading and downloading. The most common attacker activity is looking for anonymous FTP servers, since these servers have writable directories. The Trojans Doly Trojan, Fore, Stealth FTP, WebEx, WinCrash and Blade Runner open this port.
Port: 22
Service: Ssh
Description: TCP connections from PcAnywhere to this port may be looking for ssh. This service has many weaknesses; if configured in a particular mode, many versions that use the RSAREF library have numerous holes.
Port: 23
Service: Telnet
Description: Remote login; the intruder is searching for UNIX machines offering remote login. In most cases, scanning this port is done to find the operating system running on the machine. Using other techniques, intruders will also try to find passwords. The Trojan Tiny Telnet Server opens this port.
Port: 25
Service: SMTP
Description: The port opened by SMTP servers to send mail. Intruders look for SMTP servers to relay their spam: the intruder's own account has been closed, so they need to connect to a high-bandwidth mail server and send simple messages to many different addresses. The Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC and WinSpy all open this port.
Port: 31
Service: Message Authentication
Description: The Trojans Master Paradise and Hackers Paradise open this port.
Port: 42
Service: WINS replication
Description: WINS replication
Port: 53
Service: Domain Name Server (DNS)
Description: The port opened by DNS servers. Intruders may attempt zone transfers (TCP), spoof DNS (UDP) or hide other communication in it. Therefore, firewalls usually filter or log this port.
Port: 67
Service: Boot Protocol Server
Description: Large amounts of data sent to the broadcast address 255.255.255.255 are often seen through the firewalls of DSL and cable modem users. These machines are requesting addresses from a DHCP server. A hacker who gets in can assign them an address and pose as the local router, enabling many man-in-the-middle attacks. The client broadcasts its configuration request to port 68 and the server broadcasts its response to port 67. The response is broadcast because the client does not yet know an IP address it can be sent to.
Port: 69
Service: Trivial File Transfer (TFTP)
Description: Many servers provide this service together with bootp so that boot code can conveniently be downloaded to the system. However, because of configuration errors, they often allow intruders to steal any file from the system. They can also be used to write files to the system.
Port: 79
Service: finger server
Description: Intruders use it to obtain user information, identify the operating system, probe for known buffer overflow bugs, and relay finger scans from their own machine to other machines.
Port: 80
Service: HTTP
Description: Used for web browsing. The Trojan Executor opens this port.
Port: 99
Service: Metagram Relay
Description: The backdoor program ncx99 opens this port.
Port: 102
Service: Message Transfer Agent (MTA) - X.400 over TCP/IP
Description: Message Transfer Agent.
Port: 109
Service: Post Office Protocol - Version 3
Description: The POP3 server opens this port to receive mail, and clients access the mail service on the server through it. POP3 services have many known weaknesses. There are at least 20 weaknesses involving buffer overflows in the user name and password exchange, which means intruders can get into the system before actually logging in. There are other buffer overflow bugs after a successful login.
Port: 110
Service: SUN's RPC services
Description: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc.
Port: 113
Service: Authentication Service
Description: This is a protocol that runs on many computers and is used to identify the user of a TCP connection. You can obtain information about many computers by using this standard service. It can also be used as a logger for many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if many clients access these services through a firewall, you will see many connection requests to this port. Remember that if you block this port, clients will find connections to mail servers on the other side of the firewall slow. Many firewalls support sending back an RST while blocking TCP connections, which stops the slow connections.
Port: 119
Service: Network News Transfer Protocol
Description: The newsgroup transport protocol, which carries USENET traffic. Connections to this port usually come from people looking for a USENET server. Most ISPs only allow their own customers to access their newsgroup servers. An open newsgroup server lets anyone post/read, access restricted newsgroups, post anonymously or send spam.
Port: 135
Service: Location Service
Description: Microsoft runs the DCE RPC endpoint mapper on this port for its DCOM services. This is similar in function to UNIX port 111. Services that use DCOM and RPC register their location with the endpoint mapper on the computer. When remote clients connect to the computer, they query the endpoint mapper to find the service's location. A hacker may scan this port to find out whether an Exchange Server is running on the computer, and which version. There are also some DoS attacks against this port.
Ports: 137, 138, 139
Service: NETBIOS name service
Description: Among them, 137 and 138 are UDP ports, used when transferring files through Network Neighborhood. Port 139: connections arriving on this port attempt to obtain the NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and by SAMBA. WINS registration also uses it.
Port: 143
Service: Interim Mail Access Protocol v2
Description: Like POP3, many IMAP servers have buffer overflow vulnerabilities. Remember that a LINUX worm (admv0rm) spreads through this port, so many scans of this port come from unwitting infected users. These vulnerabilities became widespread when REDHAT enabled IMAP by default in its LINUX distribution. This port is also used by IMAP2, but that is not common.
Port: 161
Service: SNMP
Description: SNMP allows remote management of devices. All configuration and operational information is stored in a database, and this information can be obtained through SNMP.