What is the port?

Summary

I wanted to write a tutorial on port for a long time, and I finally put it into practice today. In fact, there are many tutorials on port introduction on the Internet, but I haven't seen any articles that really tell you what port is (maybe I didn't really see it). If you have read a lot of port tutorials, what is the port? You may not be able to answer this question for a moment. It doesn't matter. Come with me!

What is a port?

On the Internet, each host sends and receives data packets through the TCP/TP protocol. Each data packet selects a route in the Internet based on the IP address of the target host. It can be seen that it is no problem to smoothly transmit the datagram to the target host. Where is the problem? We know that most operating systems support simultaneous running of multiple programs (processes). Which of the following processes should the target host transmit the received datagram? Obviously, this problem needs to be solved, and the port mechanism is introduced.

The local operating system will allocate protocol ports (protocal port, which we usually call) to the processes that need them. Each protocol port is identified by a positive integer, such as 80,139,445. After receiving the datagram, the target host sends the data to the corresponding port based on the destination port number of the packet header, the process corresponding to this port will receive data and wait for the arrival of the next group of data. Speaking of this, the concept of port seems to be abstract, so continue to come with me, don't go away.

The port is actually a team, and the operating system allocates different teams for each process. The datagram is pushed into the corresponding team according to the destination port, waiting for access by the process. Under special circumstances, this team may also overflow, but the operating system allows various processes to specify and adjust their own team size.
Not only does the process that accepts the datagram need to open its own port, but also the process that sends the datagram need to open the port, so that the datagram will identify the source port, this allows the receiver to report data to this port smoothly.

Classification of three ports

On the Internet, according to the protocol type, ports are classified into TCP ports and UDP ports. Although they are all identified by positive integers, this does not cause ambiguity, for example, TCP's port 80 and UDP's port 80 indicate the port type while the datagram identifies the port.

From the port distribution perspective, ports are divided into two categories: fixed ports and dynamic ports (some tutorials also classify frequently used high ports into the third category: private ports ):
Fixed ports (0-1023 ):
A centralized management mechanism is used to authorize a management organization to assign ports. Because these ports are bound to some services, we often scan these ports to determine whether the other party has enabled these services, such as TCP 21 (ftp), 80 (http ), 139 (netbios), UDP 7 (echo), 69 (tftp) and other well-known ports;
Dynamic port (1024-49151 ):
These ports are not bound to a service. The operating system dynamically allocates these ports to various processes. The same process may allocate them to different ports twice. However, some applications do not want to use dynamic ports allocated by the operating system. They have their own 'trademark ports', such as port 4000 of the oicq client, mu Ma glacier's port 7626 is fixed and well-known.

Role of port 4 in Intrusion

Someone once compared a server to a house, and a port to a door to a different room (service). If you don't consider the details, this is a good metaphor. When intruders want to occupy the house, they are bound to break through the door (physical intrusion is also said). For intruders, they know how many doors the House has opened, what is behind the door is crucial.

Intruders usually use scanners to scan the ports of the target host to determine which ports are open. From the opened ports, intruders can know which services the target host provides, further, we can guess possible vulnerabilities. Therefore, port scanning can help us better understand the target host. for administrators, scanning open ports on the local host is also the first step in security defense.

5. Introduction to common ports
Due to my limited knowledge, I will only introduce some simple content here.

1) 21 ftp
This port is opened, indicating that the server provides the FTP service. Intruders usually scan this port and determine whether anonymous login is allowed. If a writable directory can be found, they can upload some hacker programs for intrusion. To disable this port, you must disable the FTP service.

2) 23 Telnet
This port is opened, indicating that the server provides the remote login service. If you have an administrator's username and password, you can use this service to fully control the host (but you must first handle NTLM authentication ), obtain a shell under the command line. Many intruders prefer to enable this service as a backdoor. To disable this port, you must disable the Telnet service.

3) 25 smtp

This port is opened, indicating that the server provides the SMTP service. Some servers that do not support authentication allow intruders to send emails to any location. The SMTP server (especially sendmail) it is also one of the most common methods to enter the system. To disable this port, you must disable the SMTP service.

4) 69 TFTP (UDP)
This port is opened, indicating that the server provides the TFTP service. It allows downloading files from the server or writing files. If the Administrator misconfigures the file, intruders can even download the password file. Many intruders can transmit files to the target machine by running this service on their own machines. To disable this port, you must disable the TFTP service.

5) 79 finger

It is used to obtain user information, query the operating system, detect known buffer overflow errors, and respond to finger scans from its own machine to other machines.
　　
6) 80 http
This port is opened, indicating that the server provides HTTP services, allowing visitors to browse their web pages. Most of the overflow attacks against the IIS server are through this port, it can be said that the port is the most frequently attacked by intruders. To disable this port, you must disable the HTTP service.

7) 110 POP3

The client is used to access the mail service on the server. POP3 services have many common vulnerabilities. There are at least 20 vulnerabilities in the user name and password exchange buffer overflow, which means that intruders can log on to the system and there are other buffer overflow errors after successful logon.

(This series of tutorials occasionally updated, to get the latest version, please log on to the official website: caocainiao community http://ccbirds.yeah.net)

8) TCP 139 and 445
Many people are very concerned about these two ports. Let me introduce them in detail:

First, let's take a look at some basic knowledge:
1 SMB: (Server Message Block) Windows protocol family, used for file printing and sharing services;
2 NBT: (NETBios Over TCP/IP) use the 137 (UDP) 138 (UDP) 139 (TCP) port to implement NETBIOS network interconnection based on the TCP/IP protocol.
3. In WindowsNT, SMB is implemented based on NBT, that is, port 139 (TCP) is used. In Windows2000, SMB is implemented based on NBT and port 445.

With these basic knowledge, we can further discuss the port selection for access network sharing:

For the win2000 client (initiator:
1. If NBT is allowed to connect to the server, the client tries to access ports 139 and 445 at the same time. If port 445 has a response, the client sends an RST packet to port 139 to disconnect, when port 455 is used for a session, port 445 is used only when port 139 does not respond. If neither port responds, the session fails;
2. If NBT is prohibited from connecting to the server, the client only attempts to access port 445. If port 445 does not respond, the session fails.

For the win2000 Server:
1 If NBT is allowed, UDP port 137,138 and TCP port 139,445 will be open (LISTENING );
2. If NBT is disabled, only port 445 is enabled.

Our ipc $ session port selection also complies with the above principles. Obviously, if the remote server does not listen to port 139 or port 445, the ipc $ session cannot be established. So how do I disable the two ports on port 2000?

Port 139 can be blocked by disabling NBT.
Local Connection-TCP/IT properties-advanced-WINS-select 'Disable NETBIOS on TCP/IT'

Port 445 can be blocked by modifying the Registry
Add a key value
Hive: HKEY_LOCAL_MACHINE
Key: System \ Controlset \ Services \ NetBT \ Parameters
Name: SMBDeviceEnabled
Type: REG_DWORD
Value: 0
Restart the machine after modification.

9) 3389 Terminal Services
This port is opened, indicating that the server provides terminal services. If you have obtained the Administrator's username and password, you can use this service to completely control the host in the graphic interface, this is indeed a desirable thing, but you will feel helpless if you cannot get a password and cannot find the Input Method Vulnerability. To disable this port, you must disable the terminal service.

Tools related to port 6

1 netstat-
Indeed, this is not a tool, but it is the most convenient way to view the opened port. Enter this command in cmd. As follows:
C: \> netstat-

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0: 135 0.0.0.0: 0 LISTENING
TCP 0.0.0.0: 445 0.0.0.0: 0 LISTENING
TCP 0.0.0.0: 1025 0.0.0.0: 0 LISTENING
TCP 0.0.0.0: 1026 0.0.0.0: 0 LISTENING
TCP 0.0.0.0: 1028 0.0.0.0: 0 LISTENING
TCP 0.0.0.0: 3372 0.0.0.0: 0 LISTENING
UDP 0.0.0.0: 135 *:*
UDP 0.0.0.0: 445