Before becoming a "hacker", you must master the "network protocol port"

In the previous article, we gave a detailed description of the "network communication principles". The concept of port was also mentioned in the communication principles, but it was not explained in detail. Today I will explain the "network protocol port" in detail, because this "thing" is also a means that hackers often use to penetrate and invade.

1. Let’s first talk about the definitions of several different “ports”

The computer term "port" (端口 in Chinese, a translation of the English word "port") can be understood as the outlet through which a computer communicates with the outside world. In the hardware field a port is also called an interface, for example a USB port or a serial port.

Ports in the software field generally refer to communication protocol ports for connection-oriented services and connectionless services in the network. They are an abstract software structure that includes some data structures and I/O (basic input and output) buffers.

In network technology, port has several meanings. The port of a hub, switch, or router refers to the interface that connects to other network devices, such as RJ-45 port, Serial port, etc.

The "network protocol port" we are going to talk about today does not refer to the port in the physical sense, but specifically refers to the port in the TCP/IP protocol, which is a port in the logical sense.

2. Brief description of network protocol ports

What does a port in a network protocol refer to? If an IP address is compared to a house, a port is a door for entering and leaving the house. A real house has only a few doors, but an IP address can have as many as 65536 (i.e. 256×256) ports! Ports are marked by port numbers, integers ranging from 0 to 65535 (65536 = 256×256 values in all).

On the Internet, datagrams are sent and received between hosts through the TCP/IP protocols. Each datagram is routed through the Internet according to the IP address of its destination host, so delivering the datagram to the destination host is not the problem. Where is the problem, then? We know that most operating systems support many programs (processes) running at the same time, so to which of the many running processes should the destination host hand the datagram it has received? Obviously this must be solved, and the port mechanism was introduced for it.

The operating system will assign protocol ports (commonly known as ports) to processes that have requirements. Each protocol port is identified by a positive integer, such as 80, 139, 445, etc. When the destination host receives the datagram, it will send the data to the corresponding port according to the destination port number in the message header, and the process corresponding to this port will receive the data and wait for the next set of data to arrive. At this point, the concept of port seems still abstract, so continue to listen to my explanation.

A port is actually a queue. The operating system allocates a different queue to each process, and datagrams are pushed into the corresponding queue according to their destination port, where they wait to be consumed by the process. In extremely special circumstances the queue may overflow, but the operating system allows each process to specify and adjust the size of its own queue.

The process that receives the datagram needs to open its own port, and the process that sends the datagram also needs to open the port. In this way, the active port will be marked in the datagram so that the recipient can successfully return the datagram to this port.

3. Detailed explanation of “network protocol port”

I often hear on the Internet, "How many ports does my host have open? Will it be hacked?!" Or "Which port is safer to open? And, which port should my service correspond to?!" It's amazing! How can there be so many strange ports on a host? What are the functions of these ports?!

Since every network service has a different function, different packets must be handed to different services for processing. So when your host runs FTP and WWW services at the same time, the packets that others send are given to the FTP service or to the WWW service according to the port number in the TCP header, and of course there is no confusion! Many people ask: "Why does a computer have so many services such as FTP, WWW and E-Mail? When data is transmitted, how does the computer know how to tell them apart? Does it really never make a mistake?" Now you know why, right?! "That's right! It's because the ports are different"! Each service listens on a specific port of its own! You don't need to worry about the computer making misjudgments.

Every TCP connection is initiated by one end (usually the client), from a port that is normally chosen at random from those above 1024. The first packet of the whole connection carries the SYN flag and only the SYN flag. If the other end (usually the server) accepts the request (a given service is of course reached on its own port, such as port 21 for FTP), it sends back the second packet of the connection, which carries the ACK flag in addition to SYN, and allocates resources locally in anticipation of the connection. When the requesting end receives this first response from the server, it must answer with an acknowledgement packet that carries only the ACK flag (in fact every packet in the rest of the connection carries the ACK flag).

Only once the server has received this ACK from the requester (the third packet of the whole connection) is the connection formally established. This is the principle of the so-called TCP "Three-Way Handshake". After the handshake, the client side is usually a randomly obtained port above 1024, while the server side depends on which port the service was opened on: WWW uses 80 and FTP uses 21 as the normal connection channel!
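The three packets just described, as an added example that is not part of the original article: a small Python state machine with a Client on an ephemeral port and a Server on a well-known port. The class names and the `three_way_handshake` driver are this example's own, and no real socket traffic is involved.

```python
"""TCP three-way handshake as a small state machine.

Added example, not code from the original article. It models only the flag
sequence the text describes (SYN, then SYN+ACK, then ACK) and the ports
involved; there is no real socket I/O.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum, auto

EPHEMERAL_MIN = 1025  # article: the client port is "randomly selected, greater than 1024"


class State(Enum):
    CLOSED = auto()
    SYN_SENT = auto()     # client sent packet 1, waiting for SYN+ACK
    ESTABLISHED = auto()


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False

    def flags(self) -> str:
        names = [n for n, on in (("SYN", self.syn), ("ACK", self.ack)) if on]
        return "+".join(names) or "-"


@dataclass
class Client:
    port: int
    server_port: int
    state: State = State.CLOSED

    def __post_init__(self) -> None:
        if self.port < EPHEMERAL_MIN:
            raise ValueError("client port must be above 1024")

    def connect(self) -> Segment:
        """Packet 1: SYN only, the first packet of the whole connection."""
        self.state = State.SYN_SENT
        return Segment(self.port, self.server_port, syn=True)

    def handle(self, seg: Segment) -> Segment | None:
        """Packet 2 arrives: answer with packet 3 (ACK only). Anything else is ignored."""
        if seg.dst_port != self.port:
            raise ValueError(f"segment for port {seg.dst_port} reached port {self.port}")
        if self.state is State.SYN_SENT and seg.syn and seg.ack and seg.src_port == self.server_port:
            self.state = State.ESTABLISHED
            return Segment(self.port, self.server_port, ack=True)
        return None


@dataclass
class Server:
    port: int                                            # well-known port: 80 for WWW, 21 for FTP
    pending: set[int] = field(default_factory=set)       # client ports whose SYN we answered
    established: set[int] = field(default_factory=set)   # client ports after packet 3

    def handle(self, seg: Segment) -> Segment | None:
        if seg.dst_port != self.port:
            raise ValueError(f"segment for port {seg.dst_port} reached port {self.port}")
        if seg.syn and not seg.ack:
            # Packet 1: reserve state for this client and reply SYN+ACK (packet 2).
            # The `pending` entry is the resource the article says is "established
            # on the local end in anticipation of the connection".
            self.pending.add(seg.src_port)
            return Segment(self.port, seg.src_port, syn=True, ack=True)
        if seg.ack and not seg.syn and seg.src_port in self.pending:
            # Packet 3: only now is the connection formally established.
            self.pending.discard(seg.src_port)
            self.established.add(seg.src_port)
            return None
        # A bare ACK from an unknown client or a stray SYN+ACK changes nothing here;
        # a real stack would answer some of these with RST.
        return None


def three_way_handshake(client: Client, server: Server) -> list[Segment]:
    """Drive the exchange and return the segments in wire order."""
    wire = [client.connect()]
    reply = server.handle(wire[-1])
    while reply is not None:
        wire.append(reply)
        receiver = client if reply.dst_port == client.port else server
        reply = receiver.handle(reply)
    return wire


if __name__ == "__main__":
    c, s = Client(port=50123, server_port=80), Server(port=80)
    for seg in three_way_handshake(c, s):
        print(f"{seg.src_port:>5} -> {seg.dst_port:<5} {seg.flags()}")
    print(c.state.name, sorted(s.established))
```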

4. Port Classification

1. There are two types of ports according to the corresponding protocol type

One is the TCP port, the other the UDP port. Computers communicate in two ways. In the first, the sender confirms whether the information has arrived after sending it, that is, there is a response; this mostly uses the TCP protocol. In the second, the sender forgets about the data once it is sent and does not confirm whether it arrived; this mostly uses the UDP protocol. The ports provided by the services corresponding to these two protocols are therefore also divided into TCP ports and UDP ports.

From the seven-layer OSI model we know that TCP and UDP work at the transport layer. The biggest difference between the transport layer and the network layer is that the transport layer provides process-to-process communication. The final address of a network communication therefore includes not only the host address but also an identifier that designates the process. The protocol port defined by TCP/IP can thus be regarded as the identifier of a communicating process.

After an application (generally called a process once it is loaded into memory and running) establishes a connection with a port through a system call (binding), data that the transport layer passes to the port is received by the corresponding process, and data that the process sends to the transport layer is output through the port. In the TCP/IP implementation, port operations are similar to general I/O operations: when a process obtains a port it effectively obtains a locally unique I/O file, which can be accessed with ordinary read and write calls much like a file descriptor. Each port has an integer descriptor called the port number to distinguish it from other ports.

Because the TCP and UDP protocols of the TCP/IP transport layer are two completely independent software modules, their port numbers are also independent of each other. For example, TCP can have a port 255 and UDP can also have a port 255, and the two do not conflict.

There are two basic ways to allocate port numbers. The first is global allocation, a centralized method: a recognized authoritative central agency makes unified allocations according to user needs and publishes the results. The second is local allocation, also known as dynamic binding: when a process needs to access a transport-layer service, it applies to the local operating system, which returns a locally unique port number; the process then attaches itself to that port through the appropriate system call (binding). TCP/IP port allocation combines the two methods by dividing the port numbers into two parts. A small number are reserved ports, allocated to service processes in the global manner: each standard server has a globally recognized port called a well-known port, whose number is the same even on different machines. The rest are free ports, which are allocated locally. TCP and UDP stipulate that only ports less than 256 can be used as reserved ports.
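The queue-per-port model of this section, as an added example (not code from the article): a `PortTable` with independent TCP and UDP port spaces, global and local allocation, and bounded per-port queues that a process can resize. All names and the queue-size constants are this example's own.

```python
"""Protocol ports as per-process queues, with independent TCP and UDP spaces.

Added example, not code from the original article. It models what the text
describes: a process binds a (protocol, port) pair, either a globally assigned
well-known number or a locally allocated free one; each bound port owns a
bounded queue the process may resize; a datagram is appended to the queue
named by its destination port, and a full queue overflows (the datagram is
dropped). ("tcp", 255) and ("udp", 255) are different queues.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

RESERVED_LIMIT = 256    # article: "only ports less than 256 can be used as reserved ports"
FIRST_FREE_PORT = 1024  # start of the locally allocated range (constructed constant)
MAX_PORT = 65535


@dataclass(frozen=True)
class Datagram:
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes


class PortTable:
    """The operating system's view: one bounded queue per bound (proto, port)."""

    DEFAULT_QUEUE_SIZE = 4

    def __init__(self) -> None:
        self._queues: dict[tuple[str, int], deque[Datagram]] = {}
        self._limits: dict[tuple[str, int], int] = {}
        self.dropped: list[Datagram] = []

    @staticmethod
    def _key(proto: str, port: int) -> tuple[str, int]:
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown transport protocol {proto!r}")
        if not 0 <= port <= MAX_PORT:
            raise ValueError(f"port {port} out of range")
        return proto, port

    def bind(self, proto: str, port: int | None = None,
             queue_size: int = DEFAULT_QUEUE_SIZE) -> int:
        """Bind a process to a port and return the port number.

        port given -> global allocation: the service asks for its well-known number.
        port None  -> local allocation: the OS hands out the next free port.
        """
        proto = proto.lower()
        if port is None:
            port = next(p for p in range(FIRST_FREE_PORT, MAX_PORT + 1)
                        if (proto, p) not in self._queues)
        key = self._key(proto, port)
        if key in self._queues:
            raise OSError(f"{key[0]}/{key[1]} is already bound")  # one process per port
        self._queues[key] = deque()
        self._limits[key] = queue_size
        return port

    def set_queue_size(self, proto: str, port: int, size: int) -> None:
        """A process may enlarge or shrink its own queue."""
        key = self._key(proto, port)
        if key not in self._queues:
            raise KeyError(f"{proto}/{port} is not bound")
        self._limits[key] = size

    def deliver(self, dg: Datagram) -> bool:
        """Transport layer -> port. Returns False when the datagram is dropped."""
        key = self._key(dg.proto, dg.dst_port)
        queue = self._queues.get(key)
        if queue is None or len(queue) >= self._limits[key]:
            # either nobody listens on that port, or its queue overflowed
            self.dropped.append(dg)
            return False
        queue.append(dg)
        return True

    def recv(self, proto: str, port: int) -> Datagram | None:
        """Port -> process: the owning process takes the next waiting datagram."""
        queue = self._queues[self._key(proto, port)]
        return queue.popleft() if queue else None

    @staticmethod
    def is_reserved(port: int) -> bool:
        return port < RESERVED_LIMIT
```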

2. By port number, ports fall into three categories:

  • Well-known ports: from 0 to 1023, they are tightly bound to some services. Usually the communication on these ports clearly indicates the protocol of a certain service. For example, port 80 is actually always HTTP communication.
  • Registered Ports: from 1024 to 49151. They are loosely bound to some services. That is, there are many services bound to these ports, and these ports are also used for many other purposes. For example, many systems handle dynamic ports starting from around 1024.
  • Dynamic and/or Private Ports: from 49152 to 65535. In theory, these ports should not be assigned to services. In practice, machines are usually assigned dynamic ports starting from 1024. But there are exceptions: SUN's RPC ports start from 32768.

5. List of known services and common ports used by Trojans

1. TCP Port

  • 7 = Echo
  • 9 = Discard
  • 11 = Online users
  • 13 = Time Service
  • 15 = Network status
  • 17 = Daily Quote
  • 18 = Message sent
  • 19 = Character Generator
  • 20 = ftp data
  • 21 = File transfer
  • 22 = SSH port
  • 23 = Remote Terminal
  • 25 = Send email
  • 31 = Masters Paradise Trojan
  • 37 = Time
  • 39 = Resource Location Protocol
  • 41 = DeepThroat Trojan
  • 42 = WINS host name service
  • 43 = WhoIs service
  • 58 = DMSetup Trojan
  • 59 = Personal Document Services
  • 63 = WHOIS port
  • 69 = TFTP service
  • 70 = Information Retrieval
  • 79 = Query online users
  • 80 = WEB page
  • 88 = Kerberos 5 authentication
  • 101 = host name
  • 102 = ISO
  • 107 = Remote login terminal
  • 109 = pop2 mail
  • 110 = pop3 mail
  • 111 = SUN remote control
  • 113 = Authentication
  • 117 = UUPC
  • 119 = nntp newsgroup
  • 121 = JammerKillah Trojan
  • 135 = Local Service
  • 138 = Invisible Thief
  • 139 = File Sharing
  • 143 = IMAP4 mail
  • 146 = FC-Infector Trojan
  • 158 = Mail service
  • 170 = Print service
  • 179 = BGP
  • 194 = IRC PORT
  • 213 = TCP OVER IPX
  • 220 = IMAP3 mail
  • 389 = Directory Services
  • 406 = IMSP PORT
  • 411 = DC++
  • 421 = TCP Wrappers
  • 443 = Secure Web Access
  • 445 = SMB (Server Message Block)
  • 456 = Hackers Paradise Trojan
  • 464 = Kerberos authentication
  • 512 = Remote execution or satellite communication
  • 513 = Remote login and query
  • 514 = SHELL/system log
  • 515 = Print service
  • 517 = Talk
  • 518 = Internet chat
  • 520 = EFS
  • 525 = Time Service
  • 526 = Date Update
  • 530 = RPC
  • 531 = RASmin Trojan
  • 532 = News Reading
  • 533 = Emergency Broadcast
  • 540 = UUCP
  • 543 = Kerberos login
  • 544 = remote shell
  • 550 = who
  • 554 = RTSP
  • 555 = Ini-Killer Trojan
  • 556 = Remote file system
  • 560 = Remote monitoring
  • 561 = Monitoring
  • 636 = Security Directory Services
  • 666 = Attack FTP Trojan
  • 749 = Kerberos Management
  • 750 = Kerberos V4
  • 911 = Dark Shadow Trojan
  • 989 = FTPS
  • 990 = FTPS
  • 992 = TelnetS
  • 993 = IMAPS
  • 999 = DeepThroat Trojan
  • 1001 = Silencer Trojan
  • 1010 = Doly Trojan
  • 1011 = Doly Trojan
  • 1012 = Doly Trojan
  • 1015 = Doly Trojan
  • 1024 = NetSpy Trojan
  • 1042 = Bla Trojan
  • 1045 = RASmin Trojan
  • 1080 = SOCKS proxy
  • 1090 = Extreme Trojan
  • 1095 = Rat Trojan
  • 1097 = Rat Trojan
  • 1098 = Rat Trojan
  • 1099 = Rat Trojan
  • 1109 = Kerberos POP
  • 1167 = Private phone
  • 1170 = Psyber Stream Server
  • 1214 = KAZAA Download
  • 1234 = Ultors/Evil Eagle Trojan
  • 1243 = Backdoor/SubSeven Trojan
  • 1245 = VooDoo Doll Trojan
  • 1349 = BO DLL Trojan
  • 1352 = Lotus Notes
  • 1433 = SQL SERVER
  • 1492 = FTP99CMP Trojan
  • 1494 = CITRIX
  • 1503 = Netmeeting
  • 1512 = WINS resolution
  • 1524 = IngresLock backdoor
  • 1600 = Shivka-Burka Trojan
  • 1630 = NetEase Bubble
  • 1701 = L2TP
  • 1720 = H323
  • 1723 = PPTP (Virtual Private Network)
  • 1731 = Netmeeting
  • 1755 = Streaming services
  • 1807 = SpySender Trojan
  • 1812 = Radius authentication
  • 1813 = Radius Assessment
  • 1863 = MSN Chat
  • 1981 = ShockRave Trojan
  • 1999 = Backdoor Trojan
  • 2000 = TransScout-Remote-Explorer Trojan
  • 2001 = TransScout Trojan
  • 2002 = TransScout/EvilHawk Trojan
  • 2003 = TransScout Trojan
  • 2004 = TransScout Trojan
  • 2005 = TransScout Trojan
  • 2023 = Ripper Trojan
  • 2049 = NFS server
  • 2053 = KNETD
  • 2115 = Bugs Trojan
  • 2140 = Deep Throat Trojan
  • 2401 = CVS
  • 2535 = Evil Eagle
  • 2565 = Striker Trojan
  • 2583 = WinCrash Trojan
  • 2773 = Backdoor/SubSeven Trojan
  • 2774 = SubSeven Trojan
  • 2801 = Phineas Phucker Trojan
  • 2869 = UPNP (Universal Plug and Play)
  • 3024 = WinCrash Trojan
  • 3050 = InterBase
  • 3128 = Squid proxy
  • 3129 = Masters Paradise Trojan
  • 3150 = DeepThroat Trojan
  • 3306 = MYSQL
  • 3389 = Remote Desktop
  • 3544 = MSN Voice
  • 3545 = MSN Voice
  • 3546 = MSN Voice
  • 3547 = MSN Voice
  • 3548 = MSN Voice
  • 3549 = MSN Voice
  • 3550 = MSN Voice
  • 3551 = MSN Voice
  • 3552 = MSN Voice
  • 3553 = MSN Voice
  • 3554 = MSN Voice
  • 3555 = MSN Voice
  • 3556 = MSN Voice
  • 3557 = MSN Voice
  • 3558 = MSN Voice
  • 3559 = MSN Voice
  • 3560 = MSN Voice
  • 3561 = MSN Voice
  • 3562 = MSN Voice
  • 3563 = MSN Voice
  • 3564 = MSN Voice
  • 3565 = MSN Voice
  • 3566 = MSN Voice
  • 3567 = MSN Voice
  • 3568 = MSN Voice
  • 3569 = MSN Voice
  • 3570 = MSN Voice
  • 3571 = MSN Voice
  • 3572 = MSN Voice
  • 3573 = MSN Voice
  • 3574 = MSN Voice
  • 3575 = MSN Voice
  • 3576 = MSN Voice
  • 3577 = MSN Voice
  • 3578 = MSN Voice
  • 3579 = MSN Voice
  • 3700 = Portal of Doom Trojan
  • 4080 = WebAdmin
  • 4081 = WebAdmin+SSL
  • 4092 = WinCrash Trojan
  • 4267 = SubSeven Trojan
  • 4443 = AOL MSN
  • 4567 = File Nail Trojan
  • 4590 = ICQ Trojan
  • 4661 = eMule download
  • 4662 = eMule download
  • 4663 = eMule download
  • 4664 = eMule download
  • 4665 = eMule download
  • 4666 = eMule download
  • 4899 = Radmin Trojan
  • 5000 = Sokets-de Trojan
  • 5000 = UPnP (Universal Plug and Play)
  • 5001 = Back Door Setup Trojan
  • 5060 = SIP
  • 5168 = Gaobo Worm
  • 5190 = AOL MSN
  • 5321 = Firehotcker Trojan
  • 5333 = NetMonitor Trojan
  • 5400 = Blade Runner Trojan
  • 5401 = Blade Runner Trojan
  • 5402 = Blade Runner Trojan
  • 5550 = JAPAN xtcp Trojan
  • 5554 = Fake Police Worm
  • 5555 = ServeMe Trojan
  • 5556 = BO Facil Trojan
  • 5557 = BO Facil Trojan
  • 5569 = Robo-Hack Trojan
  • 5631 = pcAnywhere
  • 5632 = pcAnywhere
  • 5742 = WinCrash Trojan
  • 5800 = VNC port
  • 5801 = VNC port
  • 5890 = VNC port
  • 5891 = VNC port
  • 5892 = VNC port
  • 6267 = Guangwai Girl (广外女生) Trojan
  • 6400 = The Thing Trojan
  • 6665 = IRC
  • 6666 = IRC SERVER PORT
  • 6667 = Little Postman
  • 6668 = IRC
  • 6669 = IRC
  • 6670 = DeepThroat Trojan
  • 6711 = SubSeven Trojan
  • 6771 = DeepThroat Trojan
  • 6776 = BackDoor-G Trojan
  • 6881 = BT download
  • 6882 = BT download
  • 6883 = BT download
  • 6884 = BT download
  • 6885 = BT download
  • 6886 = BT download
  • 6887 = BT download
  • 6888 = BT download
  • 6889 = BT download
  • 6890 = BT download
  • 6939 = Indoctrination Trojan
  • 6969 = GateCrasher/Priority Trojan
  • 6970 = GateCrasher Trojan
  • 7000 = Remote Grab Trojan
  • 7001 = Windows Messenger
  • 7070 = RealAudio control port
  • 7215 = Backdoor/SubSeven Trojan
  • 7300 = Network Genie Trojan
  • 7301 = Network Genie Trojan
  • 7306 = Network Genie Trojan
  • 7307 = Network Genie Trojan
  • 7308 = Network Genie Trojan
  • 7424 = Host Control Trojan
  • 7467 = Padobot
  • 7511 = Smart Gene
  • 7597 = QaZ Trojan
  • 7626 = Glacier Trojan
  • 7789 = Back Door Setup/ICKiller Trojan
  • 8011 = Rascal Boy
  • 8102 = Internet Thief
  • 8181 = Disaster Fly
  • 9408 = Shanquan Trojan
  • 9535 = Remote Management
  • 9872 = Portal of Doom Trojan
  • 9873 = Portal of Doom Trojan
  • 9874 = Portal of Doom Trojan
  • 9875 = Portal of Doom Trojan
  • 9898 = Fake Police Worm
  • 9989 = iNi-Killer Trojan
  • 10066 = Ambush Trojan
  • 10067 = Portal of Doom Trojan
  • 10167 = Portal of Doom Trojan
  • 10168 = Evil Postman
  • 10520 = Acid Shivers Trojan
  • 10607 = COMA Trojan
  • 11000 = Senna Spy Trojan
  • 11223 = Progenic Trojan
  • 11927 = Win32.Randin
  • 12076 = GJammer Trojan
  • 12223 = Keylogger Trojan
  • 12345 = NetBus Trojan
  • 12346 = GabanBus Trojan
  • 12361 = Whack-a-mole Trojan
  • 12362 = Whack-a-mole Trojan
  • 12363 = Whack-a-Mole Trojan
  • 12631 = WhackJob Trojan
  • 13000 = Senna Spy Trojan
  • 13223 = PowWow Chat
  • 14500 = PC Invader Trojan
  • 14501 = PC Invader Trojan
  • 14502 = PC Invader Trojan
  • 14503 = PC Invader Trojan
  • 15000 = NetDemon Trojan
  • 15382 = SubZero Trojan
  • 16484 = Mosucker Trojan
  • 16772 = ICQ Revenge Trojan
  • 16969 = Priority Trojan
  • 17072 = Conducent Advertisement
  • 17166 = Mosaic Trojan
  • 17300 = Kuang2 the virus Trojan
  • 17449 = Kid Terror Trojan
  • 17499 = CrazzyNet Trojan
  • 17500 = CrazzyNet Trojan
  • 17569 = Infector Trojan
  • 17593 = Audiodoor Trojan
  • 17777 = Nephron Trojan
  • 19191 = Blue Flame
  • 19864 = ICQ Revenge Trojan
  • 20001 = Millennium Trojan
  • 20002 = Acidkor Trojan
  • 20005 = Mosucker Trojan
  • 20023 = VP Killer Trojan
  • 20034 = NetBus 2 Pro Trojan
  • 20808 = QQ Girlfriend
  • 21544 = GirlFriend Trojan
  • 22222 = Proziack Trojan
  • 23005 = NetTrash Trojan
  • 23006 = NetTrash Trojan
  • 23023 = Logged Trojan
  • 23032 = Amanda Trojan
  • 23432 = Asylum Trojan
  • 23444 = Cyber Bull
  • 23456 = Evil FTP Trojan
  • 23456 = EvilFTP-UglyFTP Trojan
  • 23476 = Donald-Dick Trojan
  • 23477 = Donald-Dick Trojan
  • 25685 = Moonpie Trojan
  • 25686 = Moonpie Trojan
  • 25836 = Trojan-Proxy
  • 25982 = Moonpie Trojan
  • 26274 = Delta Source Trojan
  • 27184 = Alvgus 2000 Trojan
  • 29104 = NetTrojan
  • 29891 = The Unexplained Trojan
  • 30001 = ErrOr32 Trojan
  • 30003 = Lamers Death Trojan
  • 30029 = AOL Trojan
  • 30100 = NetSphere Trojan
  • 30101 = NetSphere Trojan
  • 30102 = NetSphere Trojan
  • 30103 = NetSphere Trojan
  • 30133 = NetSphere Trojan
  • 30303 = Sockets de Troie
  • 30947 = Intruse Trojan
  • 31336 = Butt Funnel Trojan
  • 31337 = Back-Orifice Trojan
  • 31338 = NetSpy DK Trojan
  • 31339 = NetSpy DK Trojan
  • 31666 = BOWhack Trojan
  • 31785 = Hack Attack Trojan
  • 31787 = Hack Attack Trojan
  • 31788 = Hack-A-Tack Trojan
  • 31789 = Hack Attack Trojan
  • 31791 = Hack Attack Trojan
  • 31792 = Hack-A-Tack Trojan
  • 32100 = Peanut Brittle Trojan
  • 32418 = Acid Battery Trojan
  • 33333 = Prosiak Trojan
  • 33577 = Son of PsychWard Trojan
  • 33777 = Son of PsychWard Trojan
  • 33911 = Spirit 2000/2001 Trojan
  • 34324 = Big Gluck Trojan
  • 34555 = Trinoo Trojan
  • 35555 = Trinoo Trojan
  • 36549 = Trojan-Proxy
  • 37237 = Mantis Trojan
  • 40412 = The Spy Trojan
  • 40421 = Agent 40421 Trojan
  • 40422 = Master-Paradise Trojan
  • 40423 = Master-Paradise Trojan
  • 40425 = Master-Paradise Trojan
  • 40426 = Master-Paradise Trojan
  • 41337 = Storm Trojan
  • 41666 = Remote Boot tool Trojan
  • 46147 = Backdoor.sdBot
  • 47262 = Delta Source Trojan
  • 49301 = Online KeyLogger Trojan
  • 50130 = Enterprise Trojan
  • 50505 = Sockets de Troie Trojan
  • 50766 = Fore Trojan
  • 51996 = Cafeini Trojan
  • 53001 = Remote Windows Shutdown Trojan
  • 54283 = Backdoor/SubSeven Trojan
  • 54320 = Back-Orifice Trojan
  • 54321 = Back-Orifice Trojan
  • 55165 = File Manager Trojan
  • 57341 = NetRaider Trojan
  • 58339 = Butt Funnel Trojan
  • 60000 = DeepThroat Trojan
  • 60411 = Connection Trojan
  • 61348 = Bunker-hill Trojan
  • 61466 = Telecommando Trojan
  • 61603 = Bunker-hill Trojan
  • 63485 = Bunker-hill Trojan
  • 65000 = Devil Trojan
  • 65390 = Eclypse Trojan
  • 65432 = The Traitor Trojan
  • 65535 = Rc1 Trojan

2. UDP Port

  • 31 = Masters Paradise Trojan
  • 41 = DeepThroat Trojan
  • 53 = Domain name resolution
  • 67 = Dynamic IP service
  • 68 = Dynamic IP Client
  • 135 = Local Service
  • 137 = NETBIOS name
  • 138 = NETBIOS DGM service
  • 139 = File Sharing
  • 146 = FC-Infector Trojan
  • 161 = SNMP service
  • 162 = SNMP query
  • 445 = SMB (Server Message Block)
  • 500 = VPN Key Negotiation
  • 666 = Bla Trojan
  • 999 = DeepThroat Trojan
  • 1027 = Gray Pigeon
  • 1042 = Bla Trojan
  • 1561 = MuSka52 Trojan
  • 1900 = UPNP (Universal Plug and Play)
  • 2140 = Deep Throat Trojan
  • 2989 = Rat Trojan
  • 3129 = Masters Paradise Trojan
  • 3150 = DeepThroat Trojan
  • 3700 = Portal of Doom Trojan
  • 4000 = QQ chat
  • 4006 = Gray Pigeon
  • 5168 = Gaobo Worm
  • 6670 = DeepThroat Trojan
  • 6771 = DeepThroat Trojan
  • 6970 = RealAudio audio data
  • 8000 = QQ chat
  • 8099 = VC remote debugging
  • 8225 = Gray Pigeon
  • 9872 = Portal of Doom Trojan
  • 9873 = Portal of Doom Trojan
  • 9874 = Portal of Doom Trojan
  • 9875 = Portal of Doom Trojan
  • 10067 = Portal of Doom Trojan
  • 10167 = Portal of Doom Trojan
  • 22226 = High Wave Worm
  • 26274 = Delta Source Trojan
  • 31337 = Back-Orifice Trojan
  • 31785 = Hack Attack Trojan
  • 31787 = Hack Attack Trojan
  • 31788 = Hack-A-Tack Trojan
  • 31789 = Hack Attack Trojan
  • 31791 = Hack Attack Trojan
  • 31792 = Hack-A-Tack Trojan
  • 34555 = Trin00 DDoS Trojan
  • 40422 = Master-Paradise Trojan
  • 40423 = Master-Paradise Trojan
  • 40425 = Master-Paradise Trojan
  • 40426 = Master-Paradise Trojan
  • 47262 = Delta Source Trojan
  • 54320 = Back-Orifice Trojan
  • 54321 = Back-Orifice Trojan
  • 60000 = DeepThroat Trojan

6. Related methods and tools for viewing ports

1. netstat -an

Just enter this command in cmd. As follows:

    C:\>netstat -an

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
      UDP    0.0.0.0:135            *:*
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:1027           *:*
      UDP    127.0.0.1:1029         *:*
      UDP    127.0.0.1:1030         *:*

These are the ports that my machine opens when I am not online. The two 135 and 445 are fixed ports, and the rest are dynamic ports.
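A defender's use of this listing, as an added example that is not from the article: parse the `netstat -an` output above, classify each open port into the ranges from section 4 and check it against a few entries of the section 5 Trojan table. The sample text and the watch list are constructed from the page; `parse_netstat`, `classify_port`, `open_ports` and `audit_netstat` are this example's own names.

```python
"""Audit `netstat -an` output: which ports are open, in which range, and
whether any of them is on a watch list.

Added example, not code from the original article. NETSTAT_SAMPLE is the
listing shown in the article, re-typed here as a constructed string; WATCHLIST
holds a handful of (protocol, port) pairs copied from the article's Trojan
port table.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the Windows netstat output shown in the article.
NETSTAT_SAMPLE = """\
C:\\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1027           *:*
  UDP    127.0.0.1:1029         *:*
  UDP    127.0.0.1:1030         *:*
"""

# A few entries from the article's port table (section 5), keyed by (proto, port).
WATCHLIST = {
    ("tcp", 1024): "NetSpy Trojan",
    ("tcp", 7626): "Glacier Trojan",
    ("tcp", 12345): "NetBus Trojan",
    ("tcp", 31337): "Back-Orifice Trojan",
    ("udp", 31337): "Back-Orifice Trojan",
    ("tcp", 54320): "Back-Orifice Trojan",
}

# proto, local addr:port, foreign addr[:port], optional state. The greedy \S+
# stops at the last colon, so IPv6 locals such as [::]:135 also parse.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class SocketRow:
    proto: str
    local_addr: str
    local_port: int
    foreign: str
    state: str  # "" for UDP, which has no connection state


def parse_netstat(text: str) -> list[SocketRow]:
    """Keep only socket rows; the command line, blank lines and headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, foreign, state = m.groups()
            rows.append(SocketRow(proto.lower(), addr, int(port), foreign, (state or "").upper()))
    return rows


def classify_port(port: int) -> str:
    """The three ranges from section 4 of the article."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def open_ports(rows: list[SocketRow]) -> list[SocketRow]:
    """A TCP socket is open when LISTENING; a bound UDP socket always receives."""
    return [r for r in rows if r.proto == "udp" or r.state == "LISTENING"]


def audit_netstat(text: str) -> list[dict]:
    """One record per open port: where it listens, its range, and any watch-list hit."""
    report = []
    for r in open_ports(parse_netstat(text)):
        report.append({
            "proto": r.proto,
            "port": r.local_port,
            "scope": "loopback only" if r.local_addr.startswith("127.") else "all interfaces",
            "range": classify_port(r.local_port),
            "flag": WATCHLIST.get((r.proto, r.local_port), ""),
        })
    return report


if __name__ == "__main__":
    for rec in audit_netstat(NETSTAT_SAMPLE):
        print(f"{rec['proto']}/{rec['port']:<6} {rec['scope']:<15} {rec['range']:<16} {rec['flag']}")
```

Ports that the article calls "dynamic" here (1025 to 3372) fall into the registered range of section 4; the two labels describe the same numbers from different angles.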

2. Strobe

Strobe, the super-optimized TCP port detection program, is a TCP port scanner. It can quickly locate and scan all TCP "listening" ports of a remote target host, or of many hosts, with maximum bandwidth utilization and minimum process resource requirements.

3. Internet Scanner

Internet Scanner is arguably the fastest and most comprehensive security scanning tool available for UNIX and Windows NT. It is easy to configure, scans quickly, and produces comprehensive reports.

4. Port Scanner

Port Scanner is a port scanning tool that runs on Windows 95 and Windows NT. Two input boxes are displayed on its start interface. The upper input box is used to enter the starting host IP address to be scanned, and the lower input box is used to enter the ending host IP address to be scanned. Hosts between these two IP addresses will be scanned.

5. Nmap

The world's most popular scanner among hackers, capable of stealth scanning, dynamic delay and retransmission, parallel scanning, decoy scanning, detection of port filtering, direct RPC scanning, distributed scanning and more. It is very flexible and powerful.

7. What is the role of ports in intrusion and how can we protect them?

1. The role of ports in intrusion

Hackers once compared the target terminal to a house and the port to the door leading to different rooms (services). If an intruder wants to occupy the house, he must break in through the door. So for the intruder, it is crucial to know how many doors the house has, what kind of doors they are, and what is behind the doors.

Intruders usually use scanners to scan the ports of the target host to determine which ports are open. From the open ports, the intruder can know what services the target host provides and guess possible vulnerabilities. Therefore, scanning the ports can help us better understand the target host. For administrators, scanning the open ports of the local machine is also the first step in taking security precautions.

2. Ports commonly used by hackers

Some ports are frequently used by hackers and by Trojan viruses to attack computer systems. The following is an analysis of the ports that are commonly attacked.

(1) Port 21 penetration analysis

FTP is commonly used to manage remote servers; a typical application is managing web systems. Once the FTP password leaks, the security of the web system is directly threatened, and a hacker may even take control of the server by escalating privileges. Here we take the Serv-U FTP server as an example to analyse several methods of penetrating an FTP server.

  • For Serv-U 5.004 and below, the overflow program can be used directly for a remote overflow; on success, system privileges are obtained directly. The Metasploit penetration toolkit in Kali is used for the overflow; this tool needs to be installed.
  • The key to brute force cracking of FTP passwords is to create a dictionary. The commonly used cracking tool is X-way.
  • Read the Serv-U user configuration files and crack the users' encrypted passwords. A webshell is usually used for the reading.
  • Arbitrary system commands can be executed through local privilege escalation tools.
  • Use sniffing to intercept the FTP password and use the tool Cain for penetration.

(2) Port 23 penetration analysis

Telnet is an old remote management method. When using the telnet tool to log in to the system, the user name and password transmitted on the network are sent in plain text. Hackers can use sniffing technology to intercept such passwords.

  • Brute force cracking is a commonly used technique, which is cracked using the X-SCAN scanner.
  • On Linux systems SSH is generally used for remote access, and the sensitive data it transmits is encrypted. Telnet on Windows, however, is vulnerable because by default it transmits over the network without any encryption; with sniffing tools such as Cain, remote login passwords can easily be intercepted.

(3) Port 53 penetration analysis

Port 53 is the communication port of the DNS domain name server, which is usually used for domain name resolution. It is also one of the most critical servers in the network. This type of server is vulnerable to attacks. There are generally three ways to penetrate this port.

  • Use the DNS remote overflow vulnerability to directly launch an overflow attack on its host, and if successful, you can directly obtain system permissions.
  • Using DNS spoofing attacks, the DNS domain name server can be deceived. If hackers use web Trojans to launch Trojan attacks, it is undoubtedly a very lethal attack. Hackers can easily control most of the hosts in the intranet. This is also one of the common techniques for intranet penetration.
  • Denial of service attacks can quickly cause the target server to run slowly or even paralyze the network. If a DNS server is attacked using a denial of service attack, users who use the server for domain name resolution will not be able to access the Internet normally.

(4) Port 80 penetration analysis

Port 80 usually provides web services. Currently, hackers typically use SQL injection to attack port 80. Script penetration technology is also a highly comprehensive web penetration technology, and script penetration technology also poses a serious threat to port 80.

  • Against IIS 5.0 on Windows 2000, hackers use remote overflows to attack the remote host directly and obtain system privileges if successful.
  • Against IIS 5.0 on Windows 2000, hackers also try to exploit the 'Microsoft IIS CGI' file name decoding error vulnerability. X-SCAN can directly detect IIS vulnerabilities.
  • IIS write permission vulnerability is a security issue caused by improper IIS configuration. Attackers can upload malicious code to servers with such vulnerabilities, such as uploading script Trojans to expand control permissions.
  • Ordinary http packets are transmitted on the network without encryption, so sensitive data can be intercepted by sniffing tools, such as using Cain tools to complete this type of penetration.
  • Attacks on port 80 are more likely to use script penetration technology, and exploiting vulnerabilities in web applications is currently a very popular attack method.
  • It is very difficult to penetrate a server that only opens port 80. Using port multiplexing tools can solve this technical problem.
  • A CC attack is not as conspicuous as DDoS, but it is still useful against some small web sites. It can make the target site run slowly, leave pages unable to open, and sometimes exposes the absolute path of the web program.

(5) Penetration analysis of port 135

Port 135 is mainly used by the RPC protocol and provides the DCOM service. RPC ensures that a program running on one computer can execute code on a remote computer; with DCOM, components can communicate directly over the network and across multiple networks, including over the HTTP protocol. At the same time, this port has exposed many vulnerabilities, the most serious being a buffer overflow vulnerability; the once widespread "Blaster" worm used this vulnerability to spread. For port 135, the hacker's penetration methods are:

  • Find the host with RPC overflow, perform remote overflow attack, and directly obtain system permissions. For example, use 'DSScan' to scan the host with this vulnerability. For the host with the vulnerability, use 'ms05011.exe' to overflow, and obtain system permissions after the overflow is successful.
  • Scan 135 hosts with weak passwords, use RPC remote procedure call to enable telnet service and log in to telnet to execute system commands. System weak passwords are usually scanned using X-SCAN and SHCAN. To enable telnet service, use the tool Recton.

(6) 139/445 port penetration analysis

Port 139 is provided for 'NetBIOS Session Service', which is mainly used to provide Windows file and printer sharing and Samba service in UNIX. Port 445 is also used to provide Windows file and printer sharing, which is widely used in intranet environment. These two ports are also the focus of attack, and many serious vulnerabilities have appeared in ports 139/445.

The following is an analysis of the basic ideas of penetrating such ports.

  • For hosts with ports 139/445 open, attempts are generally made to exploit overflow vulnerabilities to launch overflow attacks on the remote host; if successful, system permissions are obtained directly.
  • To attack hosts that only have port 445 open, hackers usually use tools such as 'MS06040' or 'MS08067'. A dedicated port 445 scanner can be used for scanning. The MS08067 overflow tool is very effective against Windows 2003 systems; the tool's basic usage parameters are shown in cmd.
  • For hosts with ports 139/445 open, hackers usually use IPC$ to penetrate. With an empty (null) connection that has no specific account and password, the authority is minimal, so obtaining a system account and password, such as the administrator password, becomes the key to escalating permissions.
  • For hosts with ports 139/445 open, sensitive information can be obtained through shares, which is also the basic way of collecting information during intranet penetration.

(7) Analysis of port 1433 penetration

1433 is the default port of SQL Server. The SQL Server service uses two ports: TCP 1433 and UDP 1434. 1433 is used by SQL Server to provide its service, and 1434 is used to tell the requester which TCP/IP ports SQL Server uses. Port 1433 is often attacked by hackers, and the attack methods are endless; the most serious is the remote overflow vulnerability. In addition, with the rise of SQL injection attacks, databases of all kinds face constant security threats; using SQL injection to penetrate the database is currently a popular attack method and belongs to script penetration technology.

  • For SQL Server 2000 database servers with port 1433 open, hackers try to use remote overflow vulnerabilities to perform overflow tests on the host and directly obtain system permissions if successful.
  • Brute force cracking is a classic technique. Generally, the target of cracking is the SA user; an SA password can be cracked quickly with a dictionary.
  • Sniffing can also capture the SQL Server login password.
  • Because scripts are not written strictly, for example when the programmer does not filter parameters strictly, serious injection vulnerabilities arise. SQL injection can indirectly penetrate the database server by calling certain stored procedures to execute system commands; this is done with comprehensive SQL exploitation tools.
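The defender's counterpart to the SA brute-force point above is to watch the server's own log for bursts of failed logins. The following Python script is an added example and is not part of the original article: it parses SQL Server ERRORLOG-style "Login failed for user" lines (the sample lines, addresses and timestamps are constructed) and reports any user/client pair that exceeds a threshold of failures inside a sliding time window. Python and the log format are assumptions; the page itself shows no code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG-style lines for demonstration only
# (not captured from a real server; client addresses are documentation ranges).
SAMPLE_ERRORLOG = """\
2024-01-15 10:02:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-15 10:02:01.53 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-15 10:02:02.08 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-15 10:02:02.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-15 10:02:03.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-15 10:02:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-15 10:05:12.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]
2024-01-15 10:06:00.42 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.21]
"""

# Timestamp, source tag, the failed-login message, and the [CLIENT: ...] suffix.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+\S+\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Yield (timestamp string, user, client) for every failed-login line."""
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("client")


def find_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {(user, client): total failures} for every user/client pair that
    produced at least `threshold` failures within any `window`-long span."""
    by_source = defaultdict(list)
    for ts, user, client in parse_failed_logins(text):
        by_source[(user, client)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"))

    alerts = {}
    for key, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = len(times)
                break
    return alerts


if __name__ == "__main__":
    for (user, client), n in find_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"possible brute force: user={user} client={client} failures={n}")
```

On a real server the same logic would read the ERRORLOG file (or the Windows Application log) rather than the constructed string; the threshold and window are tuning knobs, and a hit is the moment to confirm that the `sa` login is disabled or renamed and that the source address is blocked at the firewall.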

(8) Analysis of port 1521 penetration

1521 is the default listening port of the large Oracle database. Novices are probably still unfamiliar with this port; the three databases people know best are usually Access, MSSQL and MySQL. Large sites generally deploy such expensive database systems. To penetrate such a complex database system, the hacker's ideas are as follows:

  • Oracle has many default user names and passwords. To gain access to the database system, cracking a database user and password is a security line that hackers must break through.
  • SQL injection is also very effective against Oracle; sensitive database information, including administrator passwords, can be obtained through injection.
  • Create Java code directly through the injection point and execute system commands.

(9) Port 3306 penetration analysis

3306 is the default listening port of the MySQL database, which is usually deployed in medium-sized web systems. In China the LAMP configuration is very popular, and attacks on the PHP+MySQL architecture are a hot topic. MySQL allows users to define custom functions (UDFs), which lets hackers write malicious custom functions to penetrate the server and finally obtain the highest authority on it. For the penetration of port 3306, the hacker's methods are as follows:

  • Because administrators have a weak sense of security, they usually set overly simple management passwords, or even empty passwords. Such passwords are easily cracked with cracking software, and the cracked password can be used to log in to the remote MySQL database, upload and register the constructed malicious UDF code, and execute system commands by calling the registered malicious function. Alternatively, malicious scripts can be exported into the web directory to control the entire web system.
  • The powerful 'Cain' also supports sniffing of port 3306; sniffing is also a penetration method.
  • SQL injection also poses a huge threat to MySQL. It can not only obtain sensitive database information, but also use the load_file() function to read sensitive system configuration files or obtain the root password from the web application's database connection file, export malicious code to a specified path, and so on.

(10) Port 3389 penetration analysis

3389 is the default listening port of Windows Remote Desktop Services. Administrators can maintain the server through Remote Desktop, which brings great convenience to management. This port is also one of the ports hackers are most interested in: it can be used to control the remote server without installing additional software, the method is relatively simple, and because it is a legitimate system service it is usually not detected by antivirus software. The penetration ideas are as follows:

  • For the old Windows 2000 system, use the 'input method vulnerability' to penetrate.
  • A password cracking program for Windows 2000 Terminal Services. This program is recommended by Microsoft for checking the strength of Terminal Services passwords. It uses the msrdp control to create a local virtual remote terminal connection window and cracks passwords with a password dictionary. Multiple parameters can be specified, so it is flexible to use. The cracking speed depends on the network bandwidth between the attacking host and the attacked host.
  • Cain is a super penetration tool that also supports sniffing port 3389.
  • Image hijacking combined with the Shift sticky keys. When security personnel configure server security they usually consider using powerful group policies, for example preventing unauthorized attackers from executing cmd commands and denying remote login to unauthorized users (we have already explained the detailed group policy settings in the Information System Security Engineer course). Even with administrator privileges you cannot log in. The hackers' secret to breaking through group policy lies in the 3389 login box, that is, image hijacking combined with the Shift sticky keys: call up the Task Manager, open the Group Policy Editor from the Task Manager, and modify it according to the actual situation.
  • Social engineering is usually the most terrifying attack technology. If all of an administrator's habits and routines are known to hackers, the network system he manages will be penetrated through his weaknesses.

(11) Analysis of 4899 port penetration

Port 4899 is the default listening port of the Remote Administrator (Radmin) remote control software, commonly called the 'Radmin shadow'. Radmin currently supports the TCP/IP protocol and is widely used; the shadow of this software can be seen on many servers. The penetration ideas for this software are as follows:

  • Many Radmin hosts also have weak passwords, and such vulnerable hosts can be detected with a dedicated scanner.
  • The connection password and port of Radmin remote control are written to the registry. Using the registry reading function of a webshell, the Radmin key values in the registry can be read, and the encrypted password hash then cracked.

(12) Analysis of 5631 port penetration

Port 5631 is the default listening port of the famous remote control software Symantec pcAnywhere, the world's leading remote control software. With it, users can manage computers effectively and quickly resolve technical support problems. Due to a design defect in the software, hackers can download the *.cif file that stores the connection password at will and crack it with special cracking software. These operations require certain permissions, at least a webshell obtained through script penetration. In the hacker community these operations are usually called pcAnywhere privilege escalation.

(13) Analysis of 5900 port penetration

Port 5900 is the default listening port of the excellent remote control software VNC, developed by the famous AT&T European research laboratory. VNC is free, open-source software based on Unix and Linux; it has powerful remote control capabilities, is efficient and practical, and its performance is comparable to any control software on Windows and Mac. The penetration ideas for this port are as follows:

  • VNC has a password authentication bypass vulnerability, which allows a malicious attacker to log in to a remote system without a password.
  • Cain also supports sniffing of VNC and also supports changing the port.
  • VNC configuration information, including the connection password and port, is also written to the registry. The registry reading function of a webshell is used to read the encrypted password, which is then cracked.

(14) Analysis of 8080 port penetration

Port 8080 is usually the default listening port of the Apache Tomcat server. Apache is the world's most widely used web server, and many large domestic systems use it. For the penetration of such servers, the main methods are as follows:

  • Apache Tomcat UTF-8 directory traversal vulnerability. Tomcat has a vulnerability when processing the encoding of requests: if allowLinking is set to true in context.xml or server.xml and the connector is configured with URIEncoding=UTF-8, a hacker who submits a malicious request can read any file on the server through directory traversal, including /etc/passwd.
  • Weak passwords on the Apache backend, which hackers can detect with a dedicated scanner.
  • JSP source code disclosure vulnerability. On some old versions of Tomcat, hackers try to obtain source code and directory listings by submitting variants such as .jsP or .Jsp; they then look for an upload function and upload a JSP script backdoor directly.
  • In the Windows environment Apache is started with system permissions; JSP scripts inherit this permission and can directly execute any system command.
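The first item above is a pure configuration problem, so it can be caught before deployment by reading the configuration files. The Python script below is an added example and is not part of the original article or of Tomcat: it parses server.xml and context.xml with the standard library and reports when `allowLinking="true"` coexists with a connector whose `URIEncoding` is UTF-8, the combination the text describes. The XML fragments are constructed; the ports and names in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed configuration fragments for demonstration (not from a real deployment).
SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

CONTEXT_XML_WEAK = '<Context allowLinking="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'
CONTEXT_XML_FIXED = '<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'


def utf8_connectors(server_xml):
    """Return the port attribute of every <Connector> configured with URIEncoding=UTF-8."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector")
            if (c.get("URIEncoding") or "").upper() == "UTF-8"]


def allow_linking_enabled(*xml_docs):
    """True if any <Context> element in the given documents sets allowLinking="true".
    A <Context> may live in context.xml or be nested inside server.xml, so both are scanned."""
    for doc in xml_docs:
        root = ET.fromstring(doc)
        for ctx in root.iter("Context"):  # iter() includes the root element itself
            if (ctx.get("allowLinking") or "false").lower() == "true":
                return True
    return False


def audit(server_xml, context_xml):
    """Return a list of findings; an empty list means the weak combination is absent."""
    findings = []
    ports = utf8_connectors(server_xml)
    linking = allow_linking_enabled(server_xml, context_xml)
    if linking and ports:
        findings.append("allowLinking=true combined with URIEncoding=UTF-8 connector(s) on port(s) "
                        + ", ".join(ports))
    elif linking:
        findings.append("allowLinking=true (no UTF-8 connector found, but review whether linking is needed)")
    return findings


if __name__ == "__main__":
    print("weak context.xml: ", audit(SERVER_XML, CONTEXT_XML_WEAK))
    print("fixed context.xml:", audit(SERVER_XML, CONTEXT_XML_FIXED))
```

The fix the audit points at is simply not enabling allowLinking (and keeping Tomcat patched); on a real install the two strings would be read from `conf/server.xml` and `conf/context.xml`, plus any per-application `META-INF/context.xml`.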

3. Finally, how do we protect our ports?

If the computer has too many ports open and you are worried about backdoor programs and infiltration through them, do the following:

  • View: use commands or software to check the locally open ports and see whether any are suspicious;
  • Judge: if an open port is one you are not familiar with, immediately look it up in a port list or a list of common Trojan ports to see what the suspicious port is used for, or use software to see which process opened the port and judge from that;
  • Restrict: if it really is a Trojan port, or the port is not documented anywhere, it should be closed. You can block it with a firewall, or use Local Area Connection - TCP/IP - Advanced - Options - TCP/IP filtering and enable the filtering mechanism to filter ports;
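The "view" and "judge" steps above can be scripted: list the listening sockets with their owning process IDs and compare them against the set of ports the machine is supposed to expose. The Python script below is an added example and is not part of the original article: it parses the text that Windows `netstat -ano` prints (the sample output is constructed, as is the allowlist of expected ports) and returns the listening sockets that are not on the allowlist, with the PID to look up in Task Manager. Python and the output layout are assumptions.

```python
import re

# Constructed sample of "netstat -ano" output (not captured from a real host).
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    [::]:135               [::]:0                 LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1244
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       3120
  TCP    192.0.2.10:49812       198.51.100.5:443       ESTABLISHED     2204
  UDP    0.0.0.0:1434           *:*                                    1980
"""

# One socket line: protocol, local address, foreign address, optional state (UDP has none), PID.
SOCKET_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def listening_sockets(text):
    """Return [(proto, port, pid)] for TCP sockets in LISTENING state and all UDP sockets."""
    result = []
    for line in text.splitlines():
        m = SOCKET_LINE.match(line)
        if not m:
            continue  # headers, blank lines
        proto, local, state, pid = m.group("proto", "local", "state", "pid")
        if proto == "TCP" and state != "LISTENING":
            continue  # established/outbound connections are not exposed services
        # rsplit keeps IPv6 literals such as [::]:135 intact.
        port = int(local.rsplit(":", 1)[1])
        result.append((proto, port, int(pid)))
    return result


# Constructed allowlist: the services this particular host is meant to expose.
EXPECTED_PORTS = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 1434)}


def unexpected_listeners(text, allowlist=EXPECTED_PORTS):
    """Listening sockets whose (proto, port) is not in the allowlist; each carries its PID."""
    return [s for s in listening_sockets(text) if (s[0], s[1]) not in allowlist]


if __name__ == "__main__":
    for proto, port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} port {port} owned by PID {pid}")
```

Running `netstat -ano` and feeding its output to `unexpected_listeners` gives the list to investigate; the PID is what you look up (for example with `tasklist /FI "PID eq <pid>"`) before deciding whether to close the port.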

The methods to restrict ports are as follows:

For Windows users there is no need to install any other software; you can use "Modify Group Policy" or the "TCP/IP filtering function" to limit the server's ports.

The specific settings are as follows:

(1) The first method - "Modify Group Policy":

  • Step 1: type gpedit.msc in "Run" to open "Group Policy". Under Windows Settings - Security Settings in Group Policy, select "IP Security Policies on Local Computer", right-click in the blank area of the right pane, and choose "Create IP Security Policy" from the shortcut menu; a wizard appears. Click "Next" in the wizard and name the new security policy; click "Next" again, and on the "Requests for Secure Communication" screen untick "Activate the default response rule", then click "Finish" to create the new IP security policy.
  • Step 2: right-click the new IP security policy and open "Properties"; in the dialog box untick "Use Add Wizard", then click "Add" to add a new rule. The "New Rule Properties" dialog box appears; click "Add" to open the IP filter list window. In the list, first untick "Use Add Wizard", then click the "Add" button on the right to add a new filter.
  • Step 4: in the "New Rule Properties" dialog box select "New IP Filter List", then click the circle to its left so that a dot appears, indicating it is activated, and finally click the "Filter Action" tab. On the "Filter Action" tab untick "Use Add Wizard", click "Add", and add a "Block" action: on the "Security Methods" tab of "New Filter Action Properties", select "Block" and click "OK".
  • Step 5: return to the "New Rule Properties" dialog box and click "New Filter Action"; a dot appears in the circle on its left, indicating it is activated. Click "Close" to close the dialog box; finally, back in the "New IP Security Policy Properties" dialog box, tick the box to the left of "New IP Filter List" and press "OK". In the "Local Security Policy" window, right-click the newly added IP security policy and select "Assign".

After restarting, the network ports listed above are closed on the computer, and viruses and hackers can no longer connect to them, thus protecting your computer.

(2) The second method - "TCP/IP filtering function":

  • Right-click "My Network Places", select "Properties", then double-click "Local Area Connection" (dial-up users select the "My Connection" icon); the "Local Area Connection Status" dialog box appears.
  • Click the [Properties] button to open "Local Area Connection Properties", select "Internet Protocol (TCP/IP)" under "This connection uses the following items", and click the [Properties] button.
  • Click the [Advanced] button in the "Internet Protocol (TCP/IP)" dialog box. In "Advanced TCP/IP Settings", select the "Options" tab, select "TCP/IP Filtering", and click the [Properties] button.
  • In the "TCP/IP Filtering" dialog box, tick the "Enable TCP/IP Filtering" check box, then select "Permit Only" under "TCP Ports" on the left.

In this way you can add or remove the TCP, UDP and IP protocol ports permitted on your machine.

After adding or removing ports and restarting the machine, your server is protected.
