View port
To view the port in Windows 2000/XP/Server 2003, run the Netstat command:
Click Start> Run, type cmd, and press enter to open the Command Prompt window. Type "netstat-a-n" in the command prompt. Press the Enter key to view the TCP and UDP connection port numbers and statuses displayed in numbers.
TIPS: Netstat command usage
Command Format: Netstat-a-e-n-o-s-
-A indicates that all active TCP connections and TCP and UDP ports listened by the computer are displayed.
-E indicates the number of bytes sent and received over the Ethernet, and the number of packets.
-N indicates that only the active TCP connection addresses and port numbers are displayed in numbers.
-O indicates that active TCP connections are displayed and the process ID (PID) of each connection is included ).
-S indicates that statistics of various connections are displayed by protocol, including the port number.
-An: view all open ports
Close/enable port
Before introducing the functions of various ports, we will first introduce how to disable/enable ports in Windows, because the default situation is, many insecure or useless ports are enabled, for example, port 23 of the Telnet service, port 21 of the FTP service, port 25 of the SMTP service, and port 135 of the RPC service. To ensure system security, we can disable/enable the port through the following methods.
Close the port
For example, to disable port 25 of the SMTP service in Windows 2000/XP, you can do this: first open "Control Panel", double-click "Administrative Tools", and then double-click "service ". In the displayed service window, find and double-click the "Simple Mail Transfer Protocol (SMTP)" service and click "stop" to stop the service, select "disabled" in "Start type" and click "OK. In this way, closing the SMTP service is equivalent to closing the corresponding port.
Enable Port
If you want to enable this port, you only need to select "Auto" in "Start type", click "OK", and then open the service, in "service status", click "start" to enable the port. Finally, click "OK.
Tip: the "service" option is not available in Windows 98. You can use the firewall rule setting function to disable/enable the port.
Port category
Logically speaking, ports have multiple classification standards. The following describes two common classifications:
1. Distribution by port number
(1) Well-Known Ports)
A well-known port is a well-known port number ranging from 0 to 1023. These ports are usually allocated to some services.
For example, port 21 is allocated to the FTP service, port 25 is allocated to the SMTP (Simple Mail Transfer Protocol) service, port 80 is allocated to the HTTP service, and port 135 is allocated to the RPC (Remote process call) service) services.
(2) Dynamic Ports)
The range of dynamic ports is from 1024 to 65535. These ports are generally not allocated to a service,
That is to say, many services can use these ports. As long as the program runs to the system to request access to the network, the system can assign a port number for the program to use.
For example, port 1024 is allocated to the first application to the system. After the program process is closed, the occupied port number is released.
However, dynamic ports are often used by viruses and Trojans. For example, the default connection ports of glaciers are 7626, WAY 2.4 is 8011, Netspy 3.0 is 7306, and YAI is 1024.
2. Divided by protocol type
Divided by protocol type, can be divided into TCP, UDP, IP, ICMP (Internet Control Message Protocol) and other ports. The following describes TCP and UDP ports:
(1) TCP port
TCP port, that is, the transmission control protocol port, must be connected between the client and the server to provide reliable data transmission.
Common include port 21 of the FTP service, port 23 of the Telnet service, port 25 of the SMTP service, and port 80 of the HTTP service.
(2) UDP port
UDP port, that is, the user data packet protocol port, does not need to establish a connection between the client and the server, security is not guaranteed.
Common services include DNS Service port 53, SNMP (Simple Network Management Protocol) Service port 161, and QQ port 8000 and port 4000.
Common Network Ports
Basic network knowledge! Port Control
Port: 0
Service: Reserved
Description: it is usually used to analyze the operating system. This method works because "0" is an invalid port in some systems and will produce different results when you try to connect to it using a normally closed port. A typical scan uses the IP address 0.0.0.0 to set the ACK bit and broadcast it on the Ethernet layer.
Port: 1
Service: tcpmux
Note: This shows someone is looking for an SGI Irix machine. Irix is the main provider for implementing tcpmux. By default, tcpmux is enabled in this system. Irix machines are released with several default password-free accounts, such as IP, guest uucp, NUUCP, DEMOS, TUTOR, DIAG, and OUTOFBOX. Many administrators forget to delete these accounts after installation. Therefore, HACKER searches for tcpmux on the INTERNET and uses these accounts.
Port: 7
Service: Echo
Note: When many people search for the Fraggle amplifier, the information sent to X. X. X.0 and X. X. X.255 is displayed.
Port: 19
Service: Character Generator
Note: This is a service that only sends characters. The UDP version will respond to packets containing spam characters after receiving the UDP packet. When a TCP connection is established, data streams containing spam characters are sent until the connection is closed. HACKER uses IP spoofing to launch DoS attacks. Forge a UDP packet between two chargen servers. Similarly, the Fraggle DoS attack broadcasts a packet with a spoofed IP address to the port of the target address. The victim is overloaded to respond to the data.
Port: 21
Service: FTP
Description: The port opened by the FTP server for uploading and downloading. The most common attacker is used to find the method to open the FTP server of anonymous. These servers have read/write directories. Ports opened by Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, and Blade Runner.
Port: 22
Service: Ssh
Note: The TCP Connection established by PcAnywhere to this port may be used to search for ssh. This service has many vulnerabilities. If configured in a specific mode, many versions using the RSAREF library may have many vulnerabilities.
Port: 23
Service: Telnet
Description: Remote logon. Intruders are searching for remote logon to UNIX services. In most cases, this port is scanned to find the operating system on which the machine runs. There are other technologies that allow intruders to find their passwords. The Tiny Telnet Server of the Trojan opens this port.
Port: 25
Service: SMTP
Description: The port opened by the SMTP server for sending emails. Intruders look for SMTP servers to pass their SPAM. The intruder's account is closed and they need to connect to a high-bandwidth E-MAIL server, passing simple information to different addresses. This port is available for trojans such as Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy.
Port: 31
Service: MSG Authentication
Note: This port is enabled for Trojan Master Paradise and Hackers Paradise.
Port: 42
Service: WINS Replication
Note: WINS replication
Port: 53
Service: Domain Name Server (DNS)
Description: The port opened by the DNS server. Intruders may attempt to pass through the region (TCP), spoof DNS (UDP), or hide other communications. Therefore, firewalls often filter or record this port.
Port: 67
Service: Bootstrap Protocol Server
Note: Through the DSL and Cable modem firewalls, you will often see a large amount of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from the DHCP server. HACKER often enters them and assigns an address to act as a local router to initiate a large number of man-in-middle attacks. The client broadcasts the request configuration to port 68, and the server broadcasts the response to the request to port 67. This response uses broadcast because the client does not know the IP address that can be sent.
Port: 69
Service: Trival File Transfer
Note: many servers and bootp provide this service to download startup code from the system. However, they often enable intruders to steal any files from the system due to misconfiguration. They can also be used to write files to the system.
Port: 79
Service: Finger Server
Note: Intruders are used to obtain user information, query the operating system, detect known buffer overflow errors, and respond to Finger scans from their own machines to other machines.
Port: 80
Service: HTTP
Description: used for Web browsing. The trojan Executor opens this port.
Port: 99
Service: metemedirelay
Note: The backdoor program ncx99 opens this port.
Port 102
Service: Message transfer agent (MTA)-X.400 over TCP/IP
Description: message transmission proxy.