Port number: the identification number of an application that has network functionality. The port number is not fixed; it can be assigned manually by the user (although it is generally defined when the software is written). Many applications have recognized default ports, such as FTP: 20 and 21, HTTP: 80, Telnet: 23, and so on; they are not all listed here. One piece of software can have multiple port numbers, which shows that the software has more than one network function.
Ports 0-1023 are the well-known port numbers, whose use is publicly defined or reserved for recognized software, while ports 1024-65535 have no publicly defined use, and users can define the role of these ports themselves.
So what is the port number for? Read on.
When a computer starts a program that other computers are allowed to access remotely, it needs to open at least one port for external access. Think of a computer with no open ports as a sealed room: nothing from the outside can get in. When the system starts a program that accepts outside access, it has to open a window in the room to receive it, and that window is the port.
So why distinguish between port numbers? If a program has a port open, can't all external data simply come in through that one open port? The answer is no. The port number is what tells the transport layer protocol which software should handle the data. Data is not intelligent: if many programs shared one port to receive data, the transport layer would not know which software an incoming packet should be handed to, and the result would be confusion.
As mentioned earlier, the layer 4 header of a data segment encapsulated at the fourth layer of the OSI model contains two port numbers: the source port number and the destination port number. The role of the destination port number is described above; now let's look at the source port number.
The source port number is typically generated dynamically by the system itself from the range 1024-65535. When computer A accesses computer B over the network, A picks a random port greater than 1023, which tells B which port to send data to if it needs to return any. The software on A then starts listening on that port and waits for the returned data. B receives the data and reads the packet's source port number and destination port number. When B's software creates the data to be returned, it uses the source port number of the received packet as the destination port number and its own port number as the source port number; in other words, the source and destination of the received packet are swapped and the reply is sent back to A. A repeats the process, and this goes on until the data transfer is complete. The source port is released once the data has been fully transmitted, so the same software does not necessarily use the same source port number each time it transmits data.
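
The delivery by destination port and the port swap on the reply described above, as an added example that is not part of the original page: a toy transport layer that models only the two port fields that begin a TCP or UDP header. The `Host` class, the handlers and the source ports 49152 and 49153 are constructed for illustration.

```python
import struct

# A TCP or UDP header begins with source port, then destination port,
# each a 16-bit big-endian integer. Only these two fields are modelled here.
PORTS = struct.Struct("!HH")

def parse_ports(segment: bytes) -> tuple[int, int]:
    """Return (source_port, destination_port) from the start of a segment."""
    if len(segment) < PORTS.size:
        raise ValueError("segment too short to hold both port fields")
    return PORTS.unpack_from(segment)

def port_class(port: int) -> str:
    # Ranges as given in the text: 0-1023 well-known, 1024-65535 user-defined.
    return "well-known" if port <= 1023 else "dynamic"

class Host:
    """Toy transport layer: hands each segment to the listener on its destination port."""

    def __init__(self):
        self.listeners = {}  # port -> handler(payload) returning the reply payload

    def listen(self, port, handler):
        # Two programs cannot share one port: the transport layer could not
        # tell which of them an incoming segment belongs to.
        if port in self.listeners:
            raise OSError(f"port {port} already in use")
        self.listeners[port] = handler

    def deliver(self, segment: bytes):
        src, dst = parse_ports(segment)
        handler = self.listeners.get(dst)
        if handler is None:
            return None  # closed port: no program to hand the data to
        reply = handler(segment[PORTS.size:])
        # The reply swaps the fields: the received destination port becomes the
        # source, and the sender's source port becomes the destination.
        return PORTS.pack(dst, src) + reply

def demo():
    b = Host()
    b.listen(80, lambda data: b"web:" + data)
    b.listen(25, lambda data: b"mail:" + data)
    # Constructed segments from host A with dynamically chosen source ports.
    to_web = PORTS.pack(49152, 80) + b"GET"
    to_closed = PORTS.pack(49153, 8080) + b"GET"
    return b.deliver(to_web), b.deliver(to_closed)

if __name__ == "__main__":
    print(demo())
```
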
21/tcp FTP File Transfer Protocol
22/tcp SSH Secure login, file transfer (SCP), and port redirection
23/tcp Telnet Unsecured text transfer
25/tcp SMTP Simple Mail Transfer Protocol (e-mail)
69/udp TFTP Trivial File Transfer Protocol
79/tcp finger Finger
80/tcp HTTP Hypertext Transfer Protocol (WWW)
88/tcp Kerberos Authentication agent
110/tcp POP3 Post Office Protocol (e-mail)
113/tcp ident Old identification server system
119/tcp NNTP Used for Usenet newsgroups
220/tcp IMAP3
443/tcp HTTPS Used for securely transferring web pages
Port: 0
Service: Reserved
Description: Typically used to fingerprint the operating system. This approach works because "0" is an invalid port on some systems, and trying to connect to it produces a different result from connecting to a normal closed port. A typical scan uses an IP address of 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.
Port: 1
Service: Tcpmux
Description: This shows someone looking for an SGI IRIX machine. IRIX is the main system that implements tcpmux, and tcpmux is enabled by default on it. IRIX machines ship with several default password-free accounts, such as IP, GUEST UUCP, NUUCP, DEMOS, TUTOR, DIAG, Outofbox, and so on. Many administrators forget to delete these accounts after installation, so attackers search the Internet for tcpmux and use these accounts.
Port: 7
Service: Echo
Description: You will see many people searching for Fraggle amplifiers sending data to x.x.x.0 and x.x.x.255.
Port: 19
Service: Character Generator
Description: This is a service that only sends characters. The UDP version responds to each UDP packet it receives with a packet containing junk characters. On a TCP connection it sends a stream of junk characters until the connection is closed. Attackers use IP spoofing to launch DoS attacks, for example by forging UDP packets between two chargen servers. Similarly, a Fraggle DoS attack broadcasts packets carrying a spoofed victim IP to this port on the destination address, and the victim is overloaded by the responses.
Port: 21
Service: FTP
Description: The port an FTP server opens, used for upload and download. Attackers most commonly use it to look for FTP servers that allow anonymous access. These servers have readable and writable directories. This port is opened by the Trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, and Blade Runner.
Port: 22
Service: SSH
Description: TCP connections that PcAnywhere makes to this port may be looking for SSH. This service has many weaknesses; if it is configured in a particular mode, many versions that use the RSAREF library have a number of vulnerabilities.
Port: 23
Service: Telnet
Description: Remote login; intruders search for remote-login UNIX services. In most cases this port is scanned to find out which operating system the machine is running. With other techniques, intruders can also find passwords. The Trojan Tiny Telnet Server opens this port.
Port: 25
Service: SMTP
Description: The port an SMTP server opens for sending mail. Intruders look for SMTP servers to relay their spam. Their own accounts get closed, so they need to connect to a high-bandwidth e-mail server to deliver simple messages to different addresses. The Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy all open this port.
Port: 31
Service: MSG Authentication
Description: The Trojans Master Paradise and Hackers Paradise open this port.
Port: 42
Service: WINS Replication
Description: WINS replication
Port: 53
Service: Domain Name Server (DNS)
Description: The port a DNS server opens. Intruders may be attempting a zone transfer (TCP), DNS spoofing (UDP), or hiding other traffic. Firewalls therefore often filter or log this port.
Port: 67
Service: Bootstrap Protocol Server
Description: Firewalls on DSL and cable modems often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from a DHCP server. Attackers often get into them and assign an address, setting themselves up as the local router to launch a large number of man-in-the-middle attacks. The client broadcasts its configuration request to port 68, and the server broadcasts its response to port 67. The response is broadcast because the client does not yet know an IP address it can be sent to.
Port: 69
Service: Trivial File Transfer
Description: Many servers provide this service together with BOOTP so that boot code can easily be downloaded from the system. But misconfiguration often lets intruders steal any file from the system. It can also be used to write files to the system.
Port: 79
Service: Finger Server
Description: Intruders use it to obtain user information, query the operating system, probe for known buffer overflow errors, and respond to finger scans from their own machine to other machines.
Port: 80
Service: HTTP
Description: Used for Web browsing. The Trojan Executor opens this port.
Port: 99
Service: Gram Relay
Description: The backdoor program ncx99 opens this port.
Port: 102
Service: Message transfer agent (MTA) - X.400 over TCP/IP
Description: Message transfer agent.
Port: 109
Service: Post Office Protocol - Version 3
Description: The POP3 server opens this port for receiving mail; clients use it to access the server-side mail service. The POP3 service has many recognized weaknesses. There are at least 20 weaknesses involving buffer overflows in the user name and password exchange, which means an intruder can get into the system before actually logging in. There are other buffer overflow errors after a successful login.
Port: 110
Service: All ports of Sun's RPC service
Description: Common RPC services are RPC.MOUNTD, NFS, RPC.STATD, RPC.CSMD, RPC.TTYBD, AMD, etc.
Port: 113
Service: Authentication Service
Description: This is a protocol that runs on many computers to identify the user of a TCP connection. Using this standard service, information about many computers can be obtained. However, it can serve as a logger for many services, especially FTP, POP, IMAP, SMTP, and IRC. Usually, if many clients access these services through a firewall, you will see many connection requests to this port. Remember that if this port is blocked, clients will experience a slow connection to e-mail servers on the other side of the firewall. Many firewalls support sending back an RST when blocking the TCP connection, which stops the slow connection.
Port: 119
Service: Network News Transfer Protocol
Description: The news transfer protocol, which carries Usenet traffic. Connections to this port usually come from people looking for a Usenet server. Most ISPs restrict access so that only their own customers can reach their newsgroup servers. An open newsgroup server lets anyone post and read messages, access restricted newsgroup servers, post anonymously, or send spam.
Port: 135
Service: Location Service
Description: Microsoft runs the DCE RPC end-point mapper for its DCOM service on this port. This is similar to the function of port 111 on UNIX. Services that use DCOM and RPC register their location with the end-point mapper on the computer. When remote clients connect to the computer, they query the end-point mapper to find the location of the service. Attackers scan this port to find out whether Exchange Server is running on the computer and which version. Some DoS attacks are also directed at this port.
Ports: 137, 138, 139
Service: NetBIOS Name Service
Description: 137 and 138 are UDP ports, used when transferring files through Network Neighborhood. Port 139: connections coming in through this port attempt to reach the NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and for Samba. WINS registration also uses it.
Port: 143
Service: Interim Mail Access Protocol v2
Description: As with POP3, many IMAP servers have buffer overflow vulnerabilities. Remember: a Linux worm (ADMV0RM) spreads through this port, so many scans of this port come from unsuspecting, infected users. These vulnerabilities became popular when Red Hat enabled IMAP by default in its Linux releases. This port is also used for IMAP2, but that is not popular.
Port: 161
Service: SNMP
Description: SNMP allows remote management of devices. All configuration and operating information is stored in a database and can be obtained through SNMP. Many administrators misconfigure it so that it is exposed to the Internet. Crackers will try to access the system using the default passwords public and private. They may try all possible combinations. SNMP packets may also be mistakenly directed at the user's network.
Port: 177
Service: X Display Manager Control Protocol
Description: Many intruders use it to access the X Window console; it also requires port 6000 to be open.
Port: 389
Service: LDAP, ILS
Description: The Lightweight Directory Access Protocol and the NetMeeting Internet Locator Server share this port.
Port: 443
Service: HTTPS
Description: The Web browsing port; another form of HTTP that provides encryption and transmission over a secure port.
Port: 456
Service: [NULL]
Description: The Trojan Hackers Paradise opens this port.
Port: 513
Service: Login, remote login
Description: Broadcasts from UNIX computers that log into the subnet using a cable modem or DSL. They provide information that helps intruders get into their systems.
Port: 544
Service: [NULL]
Description: Kerberos kshell
Port: 548
Service: Macintosh, File Services (AFP/IP)
Description: Macintosh, file services.
Port: 553
Service: CORBA IIOP (UDP)
Description: You will see broadcasts to this port when using a cable modem, DSL, or VLAN. CORBA is an object-oriented RPC system. Intruders can use this information to get into the system.
Port: 555
Service: DSF
Description: The Trojans PhAse1.0, Stealth Spy, and IniKiller open this port.
Port: 568
Service: Membership DPA
Description: Membership DPA.
Port: 569
Service: Membership MSN
Description: Membership MSN.
Port: 635
Service: mountd
Description: The Linux mountd bug. This is a popular bug to scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both ports at the same time). Remember that mountd can run on any port (which port it is has to be found with a portmap query on port 111); the Linux default is port 635, just as NFS typically runs on port 2049.
Port: 636
Service: LDAP
Description: SSL (Secure Sockets Layer)
Port: 666
Service: Doom Id Software
Description: The Trojans Attack FTP and Satanz Backdoor open this port.
Port: 993
Service: IMAP
Description: SSL (Secure Sockets Layer)
Ports: 1001, 1011
Service: [NULL]
Description: The Trojans Silencer and WebEx open port 1001. The Trojan Doly Trojan opens port 1011.
Port: 1024
Service: Reserved
Description: This is where dynamic ports begin. Many programs do not care which port they use to connect to the network; they ask the system to assign them the next free port. Because of this, allocation starts at port 1024, which means the first program to ask the system is assigned port 1024. You can reboot the machine, start Telnet, then open a window and run netstat -a, and you will see that Telnet has been assigned port 1024. SQL sessions also use this port and port 5000.
Ports: 1025, 1033
Service: 1025: network blackjack; 1033: [NULL]
Description: The Trojan NetSpy opens these 2 ports.
Port: 1080
Service: SOCKS
Description: This protocol tunnels through a firewall, allowing people behind the firewall to access the Internet through a single IP address. In theory it should only allow internal traffic out to the Internet. However, because of misconfiguration, it can allow attacks from outside the firewall to pass through it. This often happens with WinGate, and is often seen when you join an IRC chat room.
Port: 1170
Service: [NULL]
Description: The Trojans Streaming Audio Trojan, Psyber Stream Server, and Voice open this port.
Ports: 1234, 1243, 6711, 6776
Service: [NULL]
Description: The Trojans SubSeven 2.0 and Ultors Trojan open ports 1234 and 6776. The Trojan SubSeven 1.0/1.9 opens ports 1243, 6711, and 6776.
Port: 1245
Service: [NULL]
Description: The Trojan Vodoo opens this port.
Port: 1433
Service: SQL
Description: The port opened by Microsoft's SQL services.
Port: 1492
Service: Stone-design-1
Description: The Trojan FTP99CMP opens this port.
Port: 1500
Service: RPC client fixed port session queries
Description: RPC client fixed port session query
Port: 1503
Service: NetMeeting T.120
Description: NetMeeting T.120
Port: 1524
Service: Ingress
Description: Many attack scripts install a backdoor shell on this port, especially those targeting Sendmail and RPC service vulnerabilities on Sun systems. If you have just installed a firewall and see connection attempts on this port, this is most likely the reason. Try to telnet to this port on the user's computer and see whether it gives you a shell. Connections to 600/pcserver have the same problem.
Port: 1600
Service: ISSD
Description: The Trojan Shivka-Burka opens this port.
Port: 1720
Service: NetMeeting
Description: NetMeeting h.233 call setup.
Port: 1731
Service: NetMeeting Audio Call Control
Description: NetMeeting audio call control.
Port: 1807
Service: [NULL]
Description: The Trojan SpySender opens this port.
Port: 1981
Service: [NULL]
Description: The Trojan ShockRave opens this port.
Port: 1999
Service: Cisco identification port
Description: The Trojan BackDoor opens this port.
Port: 2000
Service: [NULL]
Description: The Trojans GirlFriend 1.3 and Millenium 1.0 open this port.
Port: 2001
Service: [NULL]
Description: The Trojans Millenium 1.0 and Trojan Cow open this port.
Port: 2023
Service: Xinuexpansion 4
Description: The Trojan Pass Ripper opens this port.
Port: 2049
Service: NFS
Description: NFS usually runs on this port. You typically need to query the portmapper to find out which port this service is running on.
Port: 2115
Service: [NULL]
Description: The Trojan Bugs opens this port.
Ports: 2140, 3150
Service: [NULL]
Description: The Trojan Deep Throat 1.0/3.0 opens these ports.
Port: 2500
Service: RPC client using fixed port session replication
Description: RPC clients that use fixed-port session replication