Windows Server entry-level series port 16, connection and port scanning

Port and connection are two basic concepts in the network. This article will introduce some basic knowledge.

1. Port

When studying network technology, we often mention port 80 and port 21. What do these ports actually mean? Note that they are not physical interfaces like vrouters or vswitches, but pure logical interfaces. That is to say, they are all concepts in the operating system.

The port is actually the connection channel between the Application Layer Program and the transport layer TCP or UDP protocol.

According to the TCP/IP model, all data generated by the application layer program must be handed down to the transport layer for further processing. There are only two transport layer protocols: reliable TCP and unreliable UDP. The application layer protocols are diverse, such as http for Web browsing, ftp for file transmission, smtp for mail sending and receiving, and pop3.

Our operating system allows multiple programs to run at the same time, which creates a problem: how does the transport layer protocol distinguish which protocol on the application layer generates the data it receives? Therefore, a mechanism must be provided to enable the transport layer protocol to distinguish different application applications. This mechanism is the port.

Each port corresponds to an Application Layer Program. When an application needs to communicate with an application on a remote host, the transport layer protocol assigns a port for the application, different applications have different ports so that the incoming and outgoing data does not interfere with each other.
650) this. width = 650; "title =" 1.jpg" alt = "152340432.jpg" src =" http://www.bkjia.com/uploads/allimg/131227/23534I193-0.jpg "/>

Each port has a unique number. In TCP/IP protocol, a 16-bit binary number is used as the port number. Therefore, the value range of the port number is 0 ~ 65535. In this case, port 0 is not used. In order to reasonably allocate the port used, they are classified as follows:

• 1 ~ Ports between 1023 are allocated to some common applications, which are called fixed ports. For example, http uses port 80, FTP uses port 21, and Telnet uses port 23.

• 
  1024 ~ The ports between 65535 are randomly allocated to the applications that send network connection requests, which are called random ports. For example, port 1024 is allocated to the first program that requests the system to access the network, after the program is closed, the occupied port is released and can be assigned to other programs.

In addition, according to the transport layer protocol used, ports can be divided into TCP port and UDP port. Therefore, the accurate description of the port should be: Transport Layer Protocol + port number. For example, HTTP uses TCP port 80 by default, FTP uses TCP port 21 by default, SMTP uses TCP port 25 by default, and POP3 uses TCP port 110 by default, HTTPS uses TCP port 443 by default, DNS uses UDP port 53, Remote Desktop Protocol RDP) uses TCP port 3389 by default, telnet uses TCP port 23, windows uses TCP port 445 to access shared resources. Note these common fixed ports.

650) this. width = 650; "title =" 1.jpg" alt = "152556943.jpg" src =" http://www.bkjia.com/uploads/allimg/131227/23534H416-1.jpg "/>

2. Connection

When we open a browser on a computer to access a website such as Baidu, this requires the http protocol. As mentioned earlier, http uses port 80 of tcp, is it necessary to open the TCP80 port on both our computer client and Baidu server, and then use it to transmit data?

In fact, the so-called fixed port is mainly used on the server side, that is, Baidu server uses the TCP80 port, while our client uses the random port. The reason is very simple. After we open the browser, we are likely to access many different websites. If the client only uses one TCP80 port, how can we differentiate these websites?

Therefore, the actual situation is that all website servers open the TCP80 port, and each time our client accesses a website, a random port is opened to connect to their TCP80 port. In this way, the websites are separated by different port numbers on the client.

For communication between the client and the server, data must be sent and received through their respective ports. Therefore, we can regard the communication between them as data exchange on the Logical Channel established between the two ports. This logical channel is called a "connection ".
650) this. width = 650; "title =" 1.jpg" alt = "152647344.jpg" src =" http://www.bkjia.com/uploads/allimg/131227/23534J263-2.jpg "/>

For example, ClientA establishes a connection between the TCP1234 port and the TCP80 port of the Server. ClientB establishes a connection between the TCP1234 port and the TCP21 port of the Server.

For servers, as long as the data is sent to their own TCP80 port, it is handed over to the Web Service for processing; as long as the data is sent to their own TCP21 port, it is handed over to the FTP service for processing.

Two connection modes are available: active connection and passive connection. Active connection refers to the connection established by the process through the port when the port is enabled. The Passive connection refers to the connection established after the port is enabled, the process waits for a connection request from another computer on this port to establish the connection.

In the network architecture of the Client/Server mode, the connection is generally established by the Client requesting a dynamic port to initiate an active connection, and the server must always open the corresponding fixed port, wait for a passive connection with the client.

3. view the port and Connection

How can I check the opened ports or established connections on my computer? The easiest way is to use the netstat command in the system. The netstat command is widely used. Here we mainly use two parameters:-a and-n, which are usually used together: "netstat-".
-The role of parameter a is to display all active TCP connections and TCP and UDP ports listened by the computer. The role of parameter-n is to display the address and port, that is, the IP address, otherwise, the computer name is displayed ).

For example, we first open Baidu's webpage in a browser, then execute the "pingwww.baidu.com" command to parse Baidu's IP address 61.135.169.105, and then execute the "netstat-an" command, find the connection between us and Baidu.

650) this. width = 650; "title =" 2.jpg" alt = "161058365.jpg" src =" http://www.bkjia.com/uploads/allimg/131227/23534G241-3.jpg "/>

In the marked part, 10.12.13.160 is the IP address of my local machine, and the port number 50977 behind it is the random port opened on my client; 61.135.169.105: 80, representing the Baidu server and its TCP80 port, the last ESTABLISHED indicates that this is a ESTABLISHED connection.

Using the "netstat-an" command, you can not only view the connection, but also the ports opened on our computer.

650) this. width = 650; "title =" 2.jpg" alt = "161645332.jpg" src =" http://www.bkjia.com/uploads/allimg/131227/23534K262-4.jpg "/>

The port number contained in the record in the "LISTENING" listener) is the port currently open.

These ports are waiting for other computers to establish connections with them, that is, they are waiting to provide services to other computers at any time. For example, the TCP445 port is used to provide file sharing services.

In the execution result of the "netstat-an" command, "Local Address" may have three different manifestations: local IP address, 0.0.0.0, and 127.0.0.1.

• The port following the IP address of the local machine is generally opened by the application running by the user. For example, if the browser is opened, a random port after 1024 is opened.
  

• 0.0.0.0 indicates the ports opened by default on the local machine. These ports are generally enabled by some system services by default, but can also be disabled. For example, port 135 is the "Microsoft Windows Management Specification" of WMI ") this service enables remote management of computers. These default open ports have the corresponding external addresses 0.0.0.0, indicating that they are open to all external machines. They are in the Listening status and are in the Listening status.
  

• The ports after 127.0.0.1 are usually enabled by some programs that need to call the local service, and the external addresses are also 127.0.0.1.

In the "status" section, the two most common statuses are: "Listening" listener) and "Established" created ). In addition, there are many other States, which are usually closely related to the three-way handshake process for establishing a TCP connection.

4. Port Scanning

Port scanning is an important step in the process of network intrusion or network security detection. Through port scanning, you can understand which ports are open to the target computer, and each port corresponds to a service, so you can launch targeted intrusion based on the corresponding services. On the other hand, you can also find security risks by checking which ports are opened on your computer.
There are many port scanning tools. Some tools are relatively simple, such as L-ScanPort. After you set the IP address range to be scanned and the port list, you can scan computers in the specified network segment.

650) this. width = 650; "title =" 1.jpg" alt = "1628442.16.jpg" src =" http://www.bkjia.com/uploads/allimg/131227/23534M921-5.jpg "/>

Another kind of scanning software has powerful functions. In addition to being able to Scan open ports, it also has weak password guessing functions, such as X-Scan.
You can set the IP address range and Scan module in the X-Scan parameters.
650) this. width = 650; "title =" 1.jpg" alt = "162928549.jpg" src =" http://www.bkjia.com/uploads/allimg/131227/23534HO3-6.jpg "/>

If the target computer has a vulnerability, the scan result is displayed.

650) this. width = 650; "title =" 1.jpg" alt = "163001455.jpg" src =" http://www.bkjia.com/uploads/allimg/131227/23534J2A-7.jpg "/>

This article is from the "one pot of turbidity wine" blog. For more information, please contact the author!