In network technology, "port" has two meanings. The first is a physical port: the interface on an ADSL modem, hub, switch, or router that is used to connect other network equipment, such as an RJ-45 port or an SC port. The second is a logical port, which generally refers to a port in the TCP/IP protocol suite. Port numbers range from 0 to 65535; for example, port 80 is used for browsing web services and port 21 for the FTP service. This article covers logical ports.

To view ports in Windows 2000/XP/Server 2003, use the netstat command: click Start > Run, type cmd, and press Enter to open the Command Prompt window. Type "netstat -a -n" at the command prompt and press Enter to view the TCP and UDP connections, with port numbers and states displayed in numeric form.

Before introducing the functions of the various ports, we first describe how to disable and enable ports in Windows. Many insecure or unneeded ports are enabled, for example, port 23 of the Telnet service, port 21 of the FTP service, port 25 of the SMTP service, and port 135 of the RPC service. To keep the system secure, we can disable or enable ports using the following methods.

To close a port: for example, to disable port 25 of the SMTP service in Windows 2000/XP, open "Control Panel", double-click "Administrative Tools", and then double-click "Services". In the Services window, find and double-click the "Simple Mail Transfer Protocol (SMTP)" service, click "Stop" to stop the service, select "Disabled" under "Startup type", and click "OK". Closing the SMTP service in this way is equivalent to closing the corresponding port.

To enable a port: select "Automatic" under "Startup type", click "OK", open the service again, click "Start" under "Service status" to enable the port, and finally click "OK".

Tip: the "Services" option is not available in Windows 98. You can use the rule settings of a firewall to disable or enable ports.

In the logical sense, ports can be classified according to several standards.
The following describes two common classifications:

1. By distribution of port numbers

(1) Well-known ports: port numbers ranging from 0 to 1023. These ports are usually allocated to specific services. For example, port 21 is allocated to the FTP service, port 25 to the SMTP (Simple Mail Transfer Protocol) service, port 80 to the HTTP service, and port 135 to the RPC (Remote Procedure Call) service.

(2) Dynamic ports: port numbers ranging from 1024 to 65535. These ports are generally not allocated to a particular service; that is, many services can use them. Whenever a running program asks the system for network access, the system can assign it one of these port numbers. For example, port 1024 is allocated to the first program that makes a request to the system. After the program's process is closed, the port number it occupied is released. However, dynamic ports are often used by viruses and Trojans. For example, the default connection port of Glacier is 7626, of WAY 2.4 is 8011, of NetSpy 3.0 is 7306, and of YAI is 1024.

2. By protocol type

Ports can be divided into TCP, UDP, IP, ICMP (Internet Control Message Protocol), and other ports. The following describes TCP and UDP ports:

(1) TCP port: the Transmission Control Protocol port. A connection must be established between the client and the server, which provides reliable data transmission. Common examples include port 21 of the FTP service, port 23 of the Telnet service, port 25 of the SMTP service, and port 80 of the HTTP service.

(2) UDP port: the User Datagram Protocol port. No connection needs to be established between the client and the server, and security is not guaranteed. Common examples include port 53 of the DNS service, port 161 of the SNMP (Simple Network Management Protocol) service, and ports 8000 and 4000 used by QQ.

Common network port basics

Port: 0
Service: Reserved
Description: Usually used to analyze the operating system.
This method works because "0" is an invalid port in some systems, so trying to connect to it produces different results than connecting to a normal closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

Port: 1
Service: tcpmux
Description: This shows that someone is looking for an SGI IRIX machine. IRIX is the main provider of tcpmux implementations, and tcpmux is enabled by default on this system. IRIX machines ship with several default passwordless accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, and outofbox. Many administrators forget to delete these accounts after installation. Hackers therefore search the Internet for tcpmux and use these accounts.

Port: 7
Service: Echo
Description: You can see messages sent to x.x.x.0 and x.x.x.255 by many people searching for Fraggle amplifiers.

Port: 19
Service: Character Generator
Description: This is a service that only sends characters. The UDP version responds to a received UDP packet with a packet containing garbage characters. On a TCP connection, it sends a stream of garbage characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Similarly, the Fraggle DoS attack broadcasts a packet with a spoofed victim IP address to this port on the target address, and the victim is overloaded responding to the data.

Port: 21
Service: FTP
Description: The port opened by the FTP server, used for uploading and downloading. Attackers most commonly use it to look for FTP servers that allow anonymous access. These servers have readable and writable directories. This port is opened by the Trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, and Blade Runner.

Port: 22
Service: SSH
Description: A TCP connection to this port established by pcAnywhere may be an attempt to find SSH. This service has many vulnerabilities.
If configured in a specific mode, many versions that use the RSAREF library may have many vulnerabilities.

Port: 23
Service: Telnet
Description: Remote login. Intruders search for remote login to UNIX services. In most cases, this port is scanned to find out which operating system the machine runs. With other techniques, intruders can also find passwords. The Trojan Tiny Telnet Server opens this port.

Port: 25
Service: SMTP
Description: The port opened by the SMTP server for sending email. Intruders look for SMTP servers to relay their spam. Intruders' accounts get closed, so they need to connect to a high-bandwidth email server and pass simple messages to different addresses. This port is opened by the Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy.

Port: 31
Service: MSG Authentication
Description: The Trojans Master Paradise and Hackers Paradise open this port.

Port: 42
Service: WINS Replication
Description: WINS replication.

Port: 53
Service: Domain Name Server (DNS)
Description: The port opened by the DNS server. Intruders may attempt zone transfers (TCP), DNS spoofing (UDP), or hiding other communications. Therefore, firewalls often filter or log this port.

Port: 67
Service: Bootstrap Protocol Server
Description: Firewalls on DSL and cable modem connections often see a large amount of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from a DHCP server. Hackers often break into them and assign an address, setting themselves up as the local router to launch a large number of man-in-the-middle attacks. The client broadcasts its configuration request to port 68, and the server broadcasts its response to port 67. The response is broadcast because the client does not yet know an IP address to which it can be sent.
Port: 69
Service: Trivial File Transfer
Description: Many servers provide this service together with BOOTP so that startup code can be downloaded from the system. However, misconfiguration often lets intruders steal any file from the system. It can also be used to write files to the system.

Port: 79
Service: Finger Server
Description: Intruders use it to obtain user information, query the operating system, probe for known buffer overflow errors, and respond to finger scans from their own machine to other machines.

Port: 80
Service: HTTP
Description: Used for web browsing. The Trojan Executor opens this port.

Port: 99
Service: Metagram Relay
Description: The backdoor program ncx99 opens this port.

Port: 102
Service: Message Transfer Agent (MTA) - X.400 over TCP/IP
Description: Message transfer agent.

Port: 109
Service: Post Office Protocol - Version 3
Description: The POP3 server opens this port for receiving mail; clients access the mail service on the server. POP3 services have many recognized vulnerabilities. There are at least 20 vulnerabilities involving buffer overflows in the username and password exchange, which means that intruders can gain access to the system. There are other buffer overflow errors after a successful login.

Port: 110
Service: all ports of Sun's RPC service
Description: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, and amd.

Port: 113
Service: Authentication Service
Description: This is a protocol that runs on many computers and is used to identify the user of a TCP connection. Using the standard service, information about many computers can be obtained. However, it also serves as a logger for many services, especially FTP, POP, IMAP, SMTP, and IRC. If many clients access these services through a firewall, you will see many connection requests on this port. Remember that if you block this port, clients will experience slow connections to the email server on the other side of the firewall.
Many firewalls support sending back an RST when blocking the TCP connection, which stops the slow connection.

Port: 119
Service: Network News Transfer Protocol
Description: The newsgroup transfer protocol, which carries Usenet traffic. Connections to this port are usually people looking for Usenet servers. Most ISPs allow only their own customers to access their newsgroup servers. An open newsgroup server allows anyone to post and read posts, access restricted newsgroups, post anonymously, or send spam.

Port: 135
Service: Location Service
Description: Microsoft runs the DCE RPC endpoint mapper for its DCOM service on this port. This is similar to the function of UNIX port 111. Services that use DCOM and RPC register their locations with the endpoint mapper on the computer. When remote clients connect to the computer, they query the endpoint mapper to find where a service is located. Hackers scan this port on a computer to find out things such as: is Exchange Server running on this computer? Which version? Some DoS attacks also target this port directly.

Port: 137, 138, 139
Service: NetBIOS Name Service
Description: 137 and 138 are UDP ports, used when transferring files through Network Neighborhood. Port 139: connections coming in on this port try to obtain NetBIOS/SMB services. This protocol is used for Windows file and printer sharing and for Samba. WINS registration also uses it.

Port: 143
Service: Interim Mail Access Protocol v2
Description: As with POP3's security issues, many IMAP servers have buffer overflow vulnerabilities. Remember: a Linux worm (admv0rm) propagates through this port, so many scans of this port come from unwitting infected users. These vulnerabilities became popular when Red Hat enabled IMAP by default in its Linux distributions. This port is also used for IMAP2, but that is not as common.

Port: 161
Service: SNMP
Description: SNMP allows remote device management.
All configuration and operation information is stored in a database and can be obtained through SNMP. Many administrators' misconfigurations leave it exposed on the Internet. Crackers try to access the system using the default passwords "public" and "private". They may try all possible combinations. SNMP packets may also be mistakenly directed at the user's network.

Port: 177
Service: X Display Manager Control Protocol
Description: Many intruders use it to access the X-Windows console. It also requires port 6000 to be open.

Port: 389
Service: LDAP, ILS
Description: The Lightweight Directory Access Protocol and the NetMeeting Internet Locator Server share this port.

Port: 443
Service: HTTPS
Description: Web browsing port, which provides encryption and transmission over a secure port.

Port: 456
Service: [NULL]
Description: The Trojan Hackers Paradise opens this port.

Port: 513
Service: Login, remote login
Description: Broadcasts from UNIX computers that log in to the subnet using a cable modem or DSL. These provide information that intruders can use to access their systems.

Port: 544
Service: [NULL]
Description: Kerberos kshell.

Port: 548
Service: Macintosh, File Services (AFP/IP)
Description: Macintosh, file services.

Port: 553
Service: CORBA IIOP (UDP)
Description: With a cable modem, DSL, or VLAN you can see broadcasts on this port. CORBA is an object-oriented RPC system. Intruders can use this information to access the system.

Port: 555
Service: DSF
Description: The Trojans PhAse1.0, Stealth Spy, and IniKiller open this port.

Port: 568
Service: Membership DPA
Description: Membership DPA.

Port: 569
Service: Membership MSN
Description: Membership MSN.

Port: 635
Service: mountd
Description: The Linux mountd bug. This is a popular bug to scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both ports at the same time).
Remember that mountd can run on any port (finding out which port requires a portmap query on port 111); Linux simply defaults to port 635, just as NFS usually runs on port 2049.

Port: 636
Service: LDAP
Description: SSL (Secure Sockets Layer).

Port: 666
Service: Doom Id Software
Description: The Trojans Attack FTP and Satanz Backdoor open this port.

Port: 993
Service: IMAP
Description: SSL (Secure Sockets Layer).

Port: 1001, 1011
Service: [NULL]
Description: The Trojans Silencer and WebEx open port 1001. The Trojan Doly Trojan opens port 1011.

Port: 1024
Service: Reserved
Description: This is the start of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the system to allocate an idle port. Allocation starts at port 1024, which means that the first program to make a request to the system is allocated port 1024. You can restart the machine, open Telnet, and then open another window and run netstat -a; you will see that Telnet has been allocated port 1024. SQL sessions also use this port and port 5000.

Port: 1025, 1033
Service: 1025: network blackjack; 1033: [NULL]
Description: The Trojan NetSpy opens these two ports.

Port: 1080
Service: SOCKS
Description: This protocol tunnels through firewalls, allowing people behind the firewall to access the Internet through a single IP address. In theory, it should only allow internal traffic to reach the Internet. However, because of misconfiguration, it can allow attacks from outside the firewall to pass through it. This error often occurs with WinGate and is frequently seen when joining IRC chat rooms.

Port: 1170
Service: [NULL]
Description: The Trojans Streaming Audio Trojan, Psyber Stream Server, and Voice open this port.

Port: 1234, 1243, 6711, 6776
Service: [NULL]
Description: The Trojans SubSeven 2.0 and Ultors Trojan open ports 1234 and 6776. The Trojan SubSeven 1.0/1.9 opens ports 1243, 6711, and 6776.

Port: 1245
Service: [NULL]
Description: The Trojan Vodoo opens this port.
Port: 1433
Service: SQL
Description: The port opened by the Microsoft SQL service.

Port: 1492
Service: stone-design-1
Description: The Trojan FTP99CMP opens this port.

Port: 1500
Service: RPC client fixed port session queries
Description: RPC client fixed port session queries.

Port: 1503
Service: NetMeeting T.120
Description: NetMeeting T.120.

Port: 1524
Service: ingress
Description: Many attack scripts install a backdoor shell on this port, especially those targeting Sendmail and RPC service vulnerabilities on Sun systems. If you see connection attempts on this port right after installing a firewall, this is probably the reason. Try using Telnet to connect to this port on your own computer and see whether it gives you a shell. This problem also exists when connecting to 600/pcserver.
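
As an added example (not part of the original article), the Python code below parses the output of the "netstat -a -n" command described at the start, classifies each open port using the article's well-known (0 to 1023) and dynamic (1024 to 65535) ranges, and flags the services and Trojan default ports the article names. The sample output, the function names, and the choice of which listed ports go into the two tables are assumptions made for this illustration.

```python
import re

# Services the article suggests disabling when they are not needed.
RISKY_SERVICES = {21: "FTP", 23: "Telnet", 25: "SMTP", 135: "RPC"}
# Trojan default ports named in the article (a subset of its list).
TROJAN_DEFAULTS = {1243: "SubSeven 1.0/1.9", 6711: "SubSeven 1.0/1.9",
                   7306: "NetSpy 3.0", 7626: "Glacier", 8011: "WAY 2.4"}

# Columns: proto, local address:port, foreign address, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample of Windows "netstat -a -n" output, not from a real host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1038      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

def open_ports(netstat_text):
    """Sorted (proto, port) pairs: LISTENING TCP sockets and bound UDP sockets."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # column header, blank or unrecognised row
        proto, _local, port, _foreign, state = m.groups()
        # UDP rows have no state column; a bound UDP socket counts as open.
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, int(port)))
    return sorted(found)

def audit(netstat_text):
    """Tag each open port with the article's range class and a matching note."""
    findings = []
    for proto, port in open_ports(netstat_text):
        kind = "well-known" if port <= 1023 else "dynamic"
        note = ""
        if port in TROJAN_DEFAULTS:
            note = "default port of " + TROJAN_DEFAULTS[port]
        elif proto == "TCP" and port in RISKY_SERVICES:
            note = RISKY_SERVICES[port] + " service: disable if unused"
        findings.append((proto, port, kind, note))
    return findings

if __name__ == "__main__":
    for proto, port, kind, note in audit(SAMPLE):
        print(f"{proto:<4}{port:>6}  {kind:<10}  {note}")
```

A match on a Trojan default port is only a lead for investigation: as the article notes, the system can hand any dynamic port to a legitimate program.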