About ports
Port concept

In network technology, the word "port" has two meanings. The first is a physical port, such as the RJ-45 and SC ports that ADSL modems, hubs, switches and routers use to connect to other network devices. The second is a logical port, which generally refers to a port in the TCP/IP protocol. Port numbers range from 0 to 65535, such as port 80 for web browsing, port 21 for FTP service and so on. This article covers logical ports.

Port classification

There are many ways to classify logical ports. The following introduces two common classifications:

1. Classified by port number range

(1) Well-known ports

Well-known ports are the port numbers from 0 to 1023, which are generally assigned to specific services. For example, port 21 is assigned to FTP service, port 25 is assigned to SMTP (Simple Mail Transfer Protocol) service, port 80 is assigned to HTTP service, port 135 is assigned to RPC (Remote Procedure Call) service and so on.

(2) Dynamic ports

Dynamic ports range from 1024 to 65535. These port numbers are generally not fixed to a service, which means that many services can use them. Whenever a running program asks the system for network access, the system can assign one of these port numbers to the program. For example, port 1024 is assigned to the first program that sends a request to the system. After the program's process is closed, the port number it occupied is released.

However, dynamic ports are often used by viruses and Trojans. For example, the default connection port of Glacier is 7626, WAY 2.4 is 8011, Netspy 3.0 is 7306, and YAI virus is 1024.

2. Classified by protocol type

According to the protocol type, it can be divided into TCP, UDP, IP and ICMP (Internet Control Message Protocol) ports. The following mainly introduces TCP and UDP ports:

(1) TCP port

A TCP port, that is, a Transmission Control Protocol port, requires a connection to be established between the client and the server, which provides reliable data transmission. Common ones are port 21 for FTP service, port 23 for Telnet service, port 25 for SMTP service and port 80 for HTTP service.

(2) UDP port

A UDP port, that is, a User Datagram Protocol port, does not require a connection to be established between the client and the server, so security cannot be guaranteed. Common ones are port 53 for DNS service, port 161 for SNMP service, ports 8000 and 4000 used by QQ and so on.

View ports

To view the ports in Windows 2000/XP/Server 2003, you can use the Netstat command:

Click "Start → Run", enter "cmd" and press Enter to open the command prompt window. Type "netstat -a -n" at the command prompt, and then press Enter to view the port numbers and status of TCP and UDP connections, displayed in numeric form.

Tip: the usage of Netstat command

Command format: netstat [-a] [-e] [-n] [-o] [-s]

-a displays all active TCP connections and TCP and UDP ports that the computer listens to.

-e displays Ethernet statistics, such as the number of bytes and packets sent and received.

-n displays the addresses and port numbers of all active TCP connections in numeric form only.

-o displays the active TCP connections, including the process ID(PID) of each connection.

-s indicates that statistics of various connections, including port numbers, are displayed by protocol.
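
An added example, not part of the original page: a Python script that parses `netstat -a -n -o` output and flags open ports that this page recommends closing or names as Trojan defaults. The sample output is constructed, and the function and table names are this example's own.

```python
import re

# Constructed sample of `netstat -a -n -o` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1288
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1288
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:1031      203.0.113.5:80         ESTABLISHED     1520
  UDP    0.0.0.0:161            *:*                                    1400
  UDP    192.168.1.10:137       *:*                                    4
"""

# Ports this page recommends closing when the matching service is not needed.
CLOSE_IF_UNUSED = {
    21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 67: "Bootp server",
    68: "Bootp client", 69: "TFTP", 79: "Finger", 99: "Metagram Relay",
    113: "authentication service", 135: "RPC/DCOM",
    137: "NetBIOS name service", 139: "NetBIOS session service", 161: "SNMP",
}
# Default Trojan ports named in the "Dynamic ports" paragraph of this page.
TROJAN_DEFAULTS = {7626: "Glacier", 8011: "WAY 2.4", 7306: "Netspy 3.0"}

# Proto, local addr:port, foreign addr, optional state (UDP has none), optional PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)"
    r"(?:\s+([A-Z][A-Z_0-9]*))?(?:\s+(\d+))?\s*$"
)

def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state, pid = m.groups()
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "state": state or "", "pid": int(pid) if pid else None})
    return rows

def port_class(port):
    """Classification by number range as given on this page."""
    return "well-known" if port <= 1023 else "dynamic"

def audit(text):
    """Report sockets that accept traffic: TCP in LISTENING state and bound UDP."""
    findings = []
    for r in parse_netstat(text):
        is_open = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if not is_open:
            continue  # e.g. an ESTABLISHED outbound connection
        if r["port"] in TROJAN_DEFAULTS:
            reason = "default port of " + TROJAN_DEFAULTS[r["port"]]
        elif r["port"] in CLOSE_IF_UNUSED:
            reason = "close if " + CLOSE_IF_UNUSED[r["port"]] + " is not needed"
        else:
            continue
        findings.append((r["proto"], r["port"], port_class(r["port"]),
                         r["pid"], reason))
    return findings

if __name__ == "__main__":
    for proto, port, cls, pid, reason in audit(SAMPLE_NETSTAT):
        print(f"{proto:<4}{port:<6}{cls:<11}PID {str(pid):<6}{reason}")
```

A match on a dynamic port is only a lead, because the system hands those numbers to any program; the PID column from -o identifies which process actually holds the port.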

Close/open port

Before introducing the functions of the various ports, here is how to close and open ports in Windows. By default, many unsafe or useless ports are open, such as port 23 for Telnet service, port 21 for FTP service, port 25 for SMTP service, port 135 for RPC service and so on. To keep the system secure, we can close or open ports by the following methods.

Close the port

For example, to close port 25 of the SMTP service in Windows 2000/XP, first open the Control Panel, double-click Administrative Tools, and then double-click Services. In the Services window, find and double-click the Simple Mail Transfer Protocol (SMTP) service, click the Stop button to stop the service, then select Disabled under Startup Type, and finally click the OK button. Stopping the SMTP service in this way is equivalent to closing the corresponding port.

Open the port

To open the port, select Automatic under Startup Type and click OK, then open the service again, click the Start button under Service status to enable the port, and finally click OK.

Tip: There is no "Services" option in Windows 98. You can use the rule-setting function of a firewall to close or open ports.

Common network ports

Port: 0

Service: reserved

Description: Usually used to analyze the operating system. This method works because "0" is an invalid port in some systems, and an attempt to connect to it produces a different result from a connection to a port that is normally closed. A typical scan uses the IP address 0.0.0.0, sets the ACK bit and broadcasts at the Ethernet layer.

Port: 1

Service: tcpmux

Description: This means that someone is looking for an SGI Irix machine. Irix is the main provider of tcpmux, which is turned on by default in this system. Irix machines ship with several default password-free accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, outofbox, etc. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and use these accounts.

Port: 7

Service: echo

Description: When people search for Fraggle amplifiers, you can see many messages sent to X.X.X.0 and X.X.X.255.

Port: 19

Service: Character Generator

Description: This is a service that only sends characters. The UDP version responds to any UDP packet it receives with a packet containing junk characters. On a TCP connection, it sends a stream of junk characters until the connection is closed. Hackers can use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Similarly, the Fraggle DoS attack broadcasts a packet with a forged victim IP to this port of the target address, and the victim is overloaded by the responses.

Port 21

Port Description: Port 21 is mainly used for FTP (File Transfer Protocol) service, which uploads and downloads files between two computers. One computer serves as the FTP client and the other as the FTP server. You can log in to the FTP server either anonymously or with an authorized user name and password. At present, FTP service is the main way to upload and download files on the Internet. In addition, port 20 is the default port number for FTP data transmission.

In Windows, you can provide FTP connection and management through Internet Information Services (IIS), or you can install separate FTP server software, such as the common Serv-U, to provide FTP functions.

Operation suggestion: Because some FTP servers allow anonymous login, they are often used by hackers. In addition, port 21 is used by some Trojans, such as Blade Runner, FTP Trojan, Doly Trojan, WebEx and so on. If no FTP server is set up, it is recommended to close port 21.

Port: 22

Service: SSH

Description: TCP connections established by PcAnywhere to this port may be attempts to find SSH. This service has many weaknesses. If configured in a specific mode, many versions that use the RSAREF library have many vulnerabilities.

Port 23

Port Description: Port 23 is mainly used for Telnet (remote login) service, which is a login and terminal emulation program widely used on the Internet. It also requires a client and a server: a client with the Telnet service can log in to the remote Telnet server with an authorized user name and password. After logging in, users can carry out operations in the command prompt window. In Windows, you can use Telnet to log in remotely by typing the "Telnet" command in the command prompt window.

Operation suggestion: With the help of the Telnet service, hackers can search for services that allow remote login to Unix and scan for the type of operating system. Moreover, in Windows 2000, the Telnet service has many serious vulnerabilities, such as privilege elevation and denial of service, which can crash the remote server. Port 23 of the Telnet service is also the default port of the TTS (Tiny Telnet Server) Trojan. Therefore, it is recommended to close port 23.

The method of closing/opening ports is described above, and ports 21 and 23 have been introduced. Below, we will introduce other common ports and the corresponding operation suggestions.

Port 25

Port Description: Port 25 is opened by the SMTP (Simple Mail Transfer Protocol) server and is mainly used for sending mail. Most mail servers now use this protocol. For example, when we create an account in an e-mail client program, we are asked for the SMTP server address. By default, the server address uses port 25.

Port vulnerability:

1. Through port 25, hackers can find an SMTP server to forward spam.

2. Port 25 is opened by many Trojans, such as Ajan, Antigen, Email Password Sender, ProMail, Trojan, Tapiras, Terminator, WinPC, WinSpy and so on. Take WinSpy as an example: by opening port 25, it can monitor all the windows and modules that the computer is running.

Operation suggestion: If no SMTP mail server is set up, you can close the port.

Port 53

Port Description: Port 53 is opened by DNS (Domain Name Server) server and is mainly used for domain name resolution. DNS service is the most widely used service in NT system. Through DNS server, the conversion of domain name and IP address can be realized. As long as you remember the domain name, you can quickly visit the website.

Port vulnerability: If the DNS service is turned on, hackers can directly obtain the IP addresses of hosts such as Web servers by analyzing the DNS server, and then use port 53 to break through some unstable firewalls and carry out attacks. Recently, an American company also published the 10 vulnerabilities most easily exploited by hackers, the first of which is the BIND vulnerability of DNS servers.

Operation suggestion: If the current computer is not used to provide domain name resolution service, it is recommended to close this port.

Ports 67 and 68

Port description: Ports 67 and 68 are the open ports of Bootstrap Protocol Server and Bootstrap Protocol Client serving Bootp. Bootp service is a remote startup protocol originated from early Unix, and the DHCP service we often use now is extended from Bootp service. Through Bootp service, you can dynamically assign IP addresses to computers in the LAN without setting static IP addresses for each user.

Port vulnerability: If the Bootp service is enabled, hackers will often use the assigned IP address as a local router to attack in a "man-in-the-middle" way.

Operation suggestion: It is recommended to close this port.

Above we introduced port 25 for SMTP service, port 53 for DNS server and ports 67 and 68 for Bootp service. Next, we will introduce port 69 of TFTP, port 79 of finger service and port 80 of HTTP service respectively.

Port 69

Port Description: Port 69 is open for TFTP (Trivial File Transfer Protocol) service. TFTP is a simple file transfer protocol developed by Cisco, similar to FTP. However, compared with FTP, TFTP has no complicated interactive access interface and no authentication control. This service is suitable for data transmission between client and server that does not need a complicated exchange environment.

Port vulnerability: Many servers provide both TFTP service and Bootp service, which are mainly used to download startup code from the system. However, the TFTP service can write files in the system, and hackers can also use a misconfigured TFTP service to get any file from the system.

Operation suggestion: It is recommended to close this port.

Port 79

Port Description: Port 79 is open for Finger service, which is mainly used to query the online users of the remote host, operating system type, whether the buffer overflows and other details. For example, to display the information of user01 on the remote computer www.abc.com, you can type "finger user01@www.abc.com" on the command line.

Port vulnerability: Hackers who want to attack a computer generally start by using port scanning tools to obtain relevant information. For example, using Streamer, they can scan port 79 to obtain the operating system version and user information of the remote computer, and can also detect known buffer overflow errors. This makes the computer easy to attack. In addition, port 79 is also used as the default port by the Firehotcker Trojan.

Operation suggestion: It is recommended to close this port.

Port 80

Port Description: Port 80 is open to HTTP (Hypertext Transfer Protocol), which is the most widely used protocol on the Internet, and is mainly used for transmitting information on WWW (World Wide Web) services. We can visit the website by adding ":80" (commonly known as "website") to the HTTP address, for example: 80. Because the default port number of the web browsing service is 80, we only need to enter the website address instead of ":80".

Port vulnerability: Some Trojans can use port 80 to attack computers, such as Executor and RingZero.

Operation suggestion: In order to surf the Internet normally, port 80 must be opened.

Through the above introduction, we learned about port 69 of TFTP service, port 79 of Finger service and port 80 of WWW service on the Internet. Next, the unfamiliar port 99, ports 109 and 110 of the POP service and port 111 of the RPC service will be introduced respectively.

Port 99

Port Description: Port 99 is used for a service called Metagram Relay, which is rare and generally not used.

Port vulnerability: Although the Metagram Relay service is not commonly used, Trojan programs (such as Hidden Port and NCx99) use this port. For example, in Windows 2000, NCx99 can bind the cmd.exe program to port 99, so that anyone can connect to the server by Telnet, add users and change permissions at will.

Operation suggestion: It is recommended to close this port.

Ports 109 and 110

Port Description: Port 109 is open for POP2 (Post Office Protocol Version 2) service, and port 110 is open for POP3 (Post Office Protocol Version 3) service. POP2 and POP3 are mainly used to receive mail. At present, POP3 is widely used, and many servers support both POP2 and POP3. The client can access the mail service of the server using the POP3 protocol, which is now used by most ISP mail servers. When using an e-mail client program, you will be asked to enter the POP3 server address. By default, port 110 is used.

Port vulnerability: While providing mail receiving services, POP2 and POP3 have many vulnerabilities. There are no fewer than 20 buffer overflow vulnerabilities in the user name and password exchange of the POP3 service alone. Another example is the legitimate user name information disclosure vulnerability of the WebEasyMail POP3 server, through which remote attackers can verify the existence of user accounts. In addition, port 110 is also used by Trojans such as ProMail, and the user name and password of a POP account can be stolen through port 110.

Operation suggestion: If the computer is running a mail server, you can open this port.

Port 111

Port Description: Port 111 is the open port of SUN's RPC (Remote Procedure Call) service, which is mainly used for inter-process communication between different computers in a distributed system. RPC is a very important component in various network services. Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd and so on. In Microsoft Windows, there are also RPC services.

Port vulnerability: SUN RPC has a big vulnerability, that is, the xdr_array function has a remote buffer overflow vulnerability when there are multiple RPC services.

Above, we introduced the little-known port 99, which is vulnerable to Trojan attacks, the common ports 109 and 110 of the POP service, and port 111 of Sun's RPC service. The following will introduce port 113, which is closely related to many network services, port 119, which is used for newsgroup transmission, and port 135, which was attacked by "Shockwave".

Port 113

Port Description: Port 113 is mainly used for the "authentication service" of Windows. Generally, computers connected to the network run this service, which is mainly used to authenticate users of TCP connections, and information about connecting computers can be obtained through this service. In Windows 2000/2003 Server, there is also a special IAS component, which facilitates authentication and policy management in remote access.

Port vulnerability: Although port 113 facilitates authentication, it is often used as a recorder for FTP, POP, SMTP, IMAP and IRC, and is used by corresponding Trojans, such as those controlled through IRC chat rooms. In addition, port 113 is also the default open port of Trojan horses such as Invisible Identd Deamon and Kazimas.

Operation suggestion: It is recommended to close this port.

Port 119

Port Description: Port 119 is open for the "Network News Transfer Protocol" (NNTP for short), which is mainly used for the transmission of newsgroups, and is used when searching the USENET server.

Port vulnerability: The well-known Happy99 worm opens port 119 by default. Once a computer is infected, the worm keeps sending e-mails to spread itself, causing network congestion.

Operation suggestion: If you use USENET newsgroups frequently, you should take care to close the port from time to time.

Port 135

Port Description: Port 135 is mainly used to provide DCOM (Distributed Component Object Model) services by using RPC (Remote Procedure Call) protocol. Through RPC, a program running on a computer can successfully execute code on a remote computer. Using DCOM, we can communicate directly through the network and transmit across various networks including HTTP protocol.

Port vulnerability: I believe that many Windows 2000 and Windows XP users were infected with the "Shockwave" virus last year, which used RPC vulnerabilities to attack computers. RPC itself has a flaw in the way it handles message exchange over TCP/IP, caused by improper handling of malformed messages. This vulnerability affects the interface between RPC and DCOM, which listens on port 135.

Operation suggestion: In order to avoid attacks by the "Shockwave" virus, it is recommended to close this port.

Through the above introduction, you now know port 113 of the authentication service, port 119 of network newsgroups, and port 135 used by the "Shockwave" virus. Next, the author will introduce port 137 of the NetBIOS name service, port 139 of Windows file and printer sharing, and port 143 of the IMAP protocol.

Port 137

Port Description: Port 137 is mainly used for the "NetBIOS name service" and is a UDP port. A user only needs to send a request to port 137 of a computer on the local area network or the Internet to get the computer name, the registered user name, whether a primary domain controller is installed, and whether IIS is running.

Port vulnerability: Because it is a UDP port, an attacker can easily obtain information about the target computer by sending a request, and some of that information, such as whether IIS is running, can be used directly to analyze vulnerabilities. In addition, by capturing the data packets communicated through port 137, the startup and shutdown times of the target computer can be obtained, so that special tools can be used to attack.

Operation suggestion: It is recommended to close this port.

Port 139

Port Description: Port 139 is provided for the "NetBIOS session service", which is mainly used to provide Windows file and printer sharing and the Samba service in Unix. In Windows, you must use this service to share files on the LAN. For example, in Windows 98, you can open the Control Panel, double-click the Network icon, click the File and Print Sharing button in the Configuration tab and select the corresponding settings to install and enable the service. In Windows 2000/XP, you can open the "Control Panel" and double-click the "Network Connections" icon to open the local connection properties. Next, select Internet Protocol (TCP/IP) in the General tab of the properties window and click the Properties button. Then, in the window that opens, click the Advanced button. Select the WINS tab in the advanced TCP/IP settings window and enable NetBIOS over TCP/IP in the NetBIOS settings area.

Port vulnerability: Although an open port 139 provides shared access, it is often used by attackers. For example, port scanning tools such as Streamer and SuperScan can scan port 139 of the target computer. If a vulnerability is found, an attacker can try to obtain a user name and password, which is very dangerous.

Operation suggestion: If you don't need to share files and printers, it is recommended to close this port.

Above, we introduced port 137, which can reveal the name information of remote computers, and port 139, which provides file and printer sharing for Windows. The following will introduce port 143 of the mail receiving service (IMAP), port 161 of the SNMP service and port 443 of the HTTPS service.

Port 143

Port Description: Port 143 is mainly used for Internet Message Access Protocol V2 (IMAP for short), which, like POP3, is a protocol for receiving e-mail. Through the IMAP protocol, we can see the contents of a message without downloading it, which is convenient for managing mail on the server. However, it is more complex than the POP3 protocol. Today, most mainstream e-mail client software supports this protocol.

Port vulnerability: Like port 110 of the POP3 protocol, port 143 used by IMAP also has a buffer overflow vulnerability, through which the user name and password can be obtained. In addition, a Linux worm named "admv0rm" uses this port to spread.

Operation suggestion: If the computer is not operating as an IMAP server, the port should be closed.

Port 161

Port Description: Port 161 is used for Simple Network Management Protocol (SNMP), which is mainly used to manage network protocols in TCP/IP networks. In Windows, the SNMP service can provide status information of hosts and various network devices on a TCP/IP network. At present, almost all network equipment manufacturers support SNMP.

To install SNMP service in Windows 2000/XP, we can first open the Windows Component Wizard, select management and monitoring tools in the component, click Details to view Simple Network Management Protocol (SNMP), and then select this component. Then, click Next to install.

Port vulnerability: Because SNMP can be used both to obtain the status information of devices in the network and to control network devices, hackers can take complete control of the network through an SNMP vulnerability.

Operation suggestion: It is recommended to close this port.

Port 443

Port Description: Port 443, a web browsing port, is mainly used for HTTPS service, which is another form of HTTP that provides encryption and transmission through a secure port. Websites with high security requirements, such as banking, securities and shopping sites, use the HTTPS service so that the information exchanged on these websites cannot be seen by others, ensuring the security of transactions. The address of the web page can be used to transfer the streaming media file to RealPlayer for playing, which can effectively maximize the use.