What is a port?

In network technology, "port" has two meanings. The first is a port in the physical sense: the interface on an ADSL modem, hub, switch or router that is used to connect to other network devices, such as an RJ-45 port or SC port. The second is a port in the logical sense, which generally refers to a port in the TCP/IP protocol. Port numbers range from 0 to 65535; for example, port 80 is used for browsing web services and port 21 for FTP services. What we introduce here is the port in the logical sense.

View the port

To view the port in Windows 2000/XP/Server 2003, you can use the Netstat command:

Click "Start → Run" and type "cmd" and press Enter to open the command prompt window. Type "netstat -a -n" in the command prompt and press the Enter key to see the port number and status of the TCP and UDP connections displayed in numerical form.

Close/Open Ports

Before introducing the functions of the various ports, here is how to close and open ports in Windows, because by default many unsafe or useless ports are open, such as port 23 of the Telnet service, port 21 of the FTP service, port 25 of the SMTP service, port 135 of the RPC service, etc. To keep the system secure, we can close or open a port through the following methods.

Close the port

For example, to close port 25 of the SMTP service in Windows 2000/XP, you can do this: first open the "Control Panel", double-click "Administrative Tools", and then double-click "Services". Then find and double-click the "Simple Mail Transfer Protocol (SMTP)" service in the services window that opens, click the "Stop" button to stop the service, then select "Disabled" in the "Startup Type", and finally click the "OK" button. Stopping the SMTP service in this way is equivalent to closing the corresponding port.

Open the port

If you want to open the port, select "Automatic" in the "Startup type" and click the "OK" button, then open the service again, click the "Start" button under "Service Status" to enable the port, and finally click the "OK" button.

Tip: There is no "Service" option in Windows 98. You can use the firewall's rule setting function to close/open the port.

Port classification

There are many classification standards for ports in a logical sense. Two common classifications will be introduced below:

1. Classification according to port number distribution

(1) Well-Known Ports

Well-Known Ports are well-known port numbers, ranging from 0 to 1023. These port numbers are generally assigned to some services. For example, port 21 is assigned to the FTP service, port 25 is assigned to the SMTP (Simple Mail Transfer Protocol) service, port 80 is assigned to the HTTP service, port 135 is assigned to the RPC (Remote Procedure Call) service, and so on.

(2) Dynamic Ports

Dynamic ports range from 1024 to 65535. These port numbers are generally not assigned to a fixed service, which means that many services can use them. Whenever a running program asks the system for network access, the system can allocate one of these port numbers for the program to use. For example, port 1024 is assigned to the first program that applies to the system. After the program's process is closed, the occupied port number is released.

However, dynamic ports are often used by viruses and Trojans. For example, the default connection port of Glacier is 7626, WAY 2.4 is 8011, Netspy 3.0 is 7306, YAI virus is 1024, etc.

2. Divided by protocol type

Divided by protocol type, it can be divided into ports such as TCP, UDP, IP and ICMP (Internet Control Message Protocol). The following mainly introduces TCP and UDP ports:

(1) TCP port

A TCP port, that is, a Transmission Control Protocol port, requires a connection to be established between the client and the server, which provides reliable data transfer. Common ones include port 21 of the FTP service, port 23 of the Telnet service, port 25 of the SMTP service, and port 80 of the HTTP service, etc.

(2) UDP port

A UDP port, that is, a User Datagram Protocol port, does not require a connection to be established between the client and the server, and security cannot be guaranteed. Common ones include port 53 for the DNS service, port 161 for the SNMP (Simple Network Management Protocol) service, ports 8000 and 4000 used by QQ, etc.
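The "View the port" and "Port classification" sections above can be combined into one check. The following is an added example, not part of the original article: it parses "netstat -a -n" output, classifies each open local port using the article's ranges, and flags the ports the article names. The sample output is constructed, and the function names are assumptions of this example.

```python
import re

# Ports the article names as open by default but unsafe or useless.
RISKY_SERVICES = {21: "FTP", 23: "Telnet", 25: "SMTP", 135: "RPC"}
# Default Trojan connection ports as listed in the article.
TROJAN_DEFAULTS = {7626: "Glacier", 8011: "WAY 2.4", 7306: "Netspy 3.0", 1024: "YAI"}

# Constructed sample of "netstat -a -n" output, not captured from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def port_class(port):
    """Classify by the article's ranges: 0-1023 well-known, 1024-65535 dynamic."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port number: {port}")
    return "well-known" if port <= 1023 else "dynamic"

def review(netstat_text):
    """Return (proto, port, class, note) for every open local port."""
    findings = []
    for line in netstat_text.splitlines():
        row = ROW.match(line)
        if not row:
            continue  # title, column header, blank line
        proto, port, state = row.group(1), int(row.group(2)), row.group(3)
        # UDP rows carry no state; for TCP only LISTENING means an open port.
        if proto == "TCP" and state != "LISTENING":
            continue
        note = ""
        if port in RISKY_SERVICES:
            note = f"{RISKY_SERVICES[port]}: stop the service if it is not needed"
        elif port in TROJAN_DEFAULTS:
            note = f"default port of {TROJAN_DEFAULTS[port]}: check the owning process"
        findings.append((proto, port, port_class(port), note))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep="\t")
```

A match on a Trojan default port is only a hint: as the article notes, 1024 is also the first dynamic port handed to an ordinary program, so the owning process has to be checked before drawing a conclusion.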

Common network ports

Network basics! Port comparison

Port: 0

Service: Reserved

Description: Usually used to analyze operating systems. This method works because "0" is an invalid port on some systems and will produce different results when you try to connect to it using a normally closed port. A typical scan uses IP address 0.0.0.0, sets the ACK bit and broadcasts at the Ethernet layer.

Port: 1

Service: tcpmux

Description: This shows that someone is looking for an SGI Irix machine. Irix is the main provider of tcpmux implementation, which is turned on by default in such systems. Irix machines are released with several default passwordless accounts, such as: IP, GUEST UUCP, NUUCP, DEMOS, TUTOR, DIAG, OUTOFBOX, etc. Many administrators forget to delete these accounts after installation. So HACKER searches for tcpmux on the INTERNET and exploits these accounts.

Port: 7

Service: Echo

Description: When many people are searching for Fraggle amplifiers, you can see information sent to X.X.X.0 and X.X.X.255.

Port: 19

Service: Character Generator

Description: This is a service that only sends characters. The UDP version responds to any UDP packet it receives with a packet containing garbage characters. When a TCP connection is made, a data stream containing garbage characters is sent until the connection is closed. HACKER can use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Likewise, a Fraggle DoS attack broadcasts a packet with a fake victim IP to this port of the target address, and the victim is overloaded by the responses to this data.

Port: 21

Service: FTP

Description: The port opened by the FTP server is used for uploading and downloading. Attackers most commonly use it to look for open anonymous FTP servers. These servers come with directories that are readable and writable. The Trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash and Blade Runner open this port.

Port: 22

Service: Ssh

Description: A TCP connection that PcAnywhere establishes to this port may be an attempt to find ssh.

This service has many weaknesses. If configured in a specific mode, many versions using the RSAREF library will have many vulnerabilities.

Port: 23

Service: Telnet

Description: Remote login, the intruder is searching for remote login UNIX services. In most cases this port is scanned to find the operating system the machine is running. There are also other techniques in which intruders can find passwords. The Trojan Tiny Telnet Server opens this port.

Port: 25

Service: SMTP

Description: The port opened by the SMTP server is used to send emails. Intruders look for SMTP servers to deliver their SPAM. Intruders' accounts get closed, so they need to connect to a high-bandwidth E-MAIL server to deliver simple messages to different addresses. Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy all open this port.

Port: 31

Service: MSG Authentication

Description: Trojans Master Paradise and Hackers Paradise open this port.

Port: 42

Service: WINS Replication

Description: WINS Replication

Port: 53

Service: Domain Name Server (DNS)

Description: This is the port opened by the DNS server. An intruder may try to perform a zone transfer (TCP), spoof DNS (UDP) or hide other communications in it. Therefore firewalls often filter or log this port.

Port: 67

Service: Bootstrap Protocol Server

Note: Firewalls on DSL and cable modem connections often see a large amount of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from the DHCP server. HACKER often enters them, assigns an address, acts as a local router and launches a large number of man-in-the-middle attacks. The client broadcasts a configuration request to port 68, and the server broadcasts a response request to port 67. This response uses a broadcast because the client does not yet know the IP address to which it can send.

Port: 69

Service: Trivial File Transfer

Description: Many servers provide this service together with bootp to facilitate downloading startup code from the system. But they are often misconfigured, allowing intruders to steal any file from the system. They can also be used by the system to write files.

Port: 79

Service: Finger Server

Description: Intruders use it to obtain user information, query the operating system, detect known buffer overflow errors, and respond to Finger scans from your own machine to other machines.

Port: 80

Service: HTTP

Description: Used for web browsing. Trojan Executor opens this port.

Port: 99

Service: Metagram Relay

Description: The backdoor program ncx99 opens this port.

Port: 102

Service: Message transfer agent (MTA)-X.400 over TCP/IP

Description: Message transfer agent.

Port: 109

Service: Post Office Protocol -Version3

Description: The POP3 server opens this port for receiving mail, and the client accesses the server-side mail service through it. POP3 services have many recognized weaknesses. There are at least 20 vulnerabilities related to username and password exchange buffer overflows, which means an intruder can enter the system before actually logging in. There are other buffer overflow errors after successful login.

Port: 110

Service: All ports of SUN's RPC service

Note: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc.

Port: 113

Service: Authentication Service

Description: This is a protocol running on many computers, used to identify users of TCP connections. Information about many computers can be obtained using this standard service. But it can be used as a logger for many services, especially services such as FTP, POP, IMAP, SMTP and IRC. Typically if you have many clients accessing these services through a firewall, you will see many connection requests for this port. Remember, if you block this port, the client will experience a slow connection to the E-MAIL server on the other side of the firewall. Many firewalls support sending RST back during blocking of TCP connections. This will stop slow connections.

Port: 119

Service: Network News Transfer Protocol

Description: NEWS news group transfer protocol, carrying USENET communication. This port is usually where people are looking for USENET servers to connect to. Most ISPs restrict access to their newsgroup servers to only their customers. Opening a newsgroup server will allow anyone to post/read messages, access restricted newsgroup servers, post anonymously, or send SPAM messages.

Port: 135

Service: Location Service

Description: Microsoft runs the DCE RPC end-point mapper on this port for its DCOM service. This is very similar to the function of UNIX port 111. Services using DCOM and RPC register their locations with the end-point mapper on the computer. When remote clients connect to a computer, they look for the end-point mapper to find the location of the service. Is HACKER scanning this port of the computer to find the Exchange Server running on this computer? What version? There are also some DOS attacks that directly target this port.

Ports: 137, 138, 139

Service: NETBIOS Name Service

Description: 137 and 138 are UDP ports, used when transferring files through Network Neighborhood. As for port 139: connections entering through this port attempt to obtain NetBIOS/SMB services. This protocol is used for Windows file and printer sharing and SAMBA. WINS Registration also uses it.

Port: 143

Service: Interim Mail Access Protocol v2

Note: Like the security issues of POP3, many IMAP servers have buffer overflow vulnerabilities. Remember: a LINUX worm (admv0rm) breeds through this port, so many scans of this port come from unsuspecting already infected users. These vulnerabilities became popular when REDHAT allowed IMAP by default in their Linux distributions.

This port is also used for IMAP2, but is not very popular.

Port: 161

Service: SNMP

Description: SNMP allows remote management of devices. All configuration and operation information are stored in the database, which can be obtained through SNMP

With the development of computer network technology, the original physical interfaces (input/output interfaces such as the keyboard, mouse, network card, display card, etc.) can no longer meet the requirements of network communication. The TCP/IP protocol, as the standard protocol for network communication, solves this communication problem. The TCP/IP protocol is integrated into the kernel of the operating system, which is equivalent to introducing a new input/output interface technology into the operating system, because the TCP/IP protocol introduces a new application programming interface called the "Socket interface". With such an interface technology, a computer can communicate through software with any computer that has a Socket interface. The port is also the "Socket interface" in computer programming.

Given these ports, how do they work? For example, why can one server be a Web server, an FTP server, a mail server, etc. at the same time? One of the important reasons is that the various services use different ports to provide different services. For example, the TCP/IP protocol usually stipulates that the Web uses port 80, FTP uses port 21, etc., while the mail server uses port 25. In this way, through different ports, the computer can communicate with the outside world without the services interfering with each other.
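The point of the last paragraph can be seen with two sockets on one host. This is an added example, not part of the original article: it runs two tiny services on the loopback address and shows that the port alone selects which one answers. The banners are constructed, and the services bind to OS-chosen ports rather than 80 and 21 because binding below 1024 normally needs administrator rights.

```python
import socket
import threading

def serve_once(listener, banner):
    """Accept one connection on this listener, send the banner, then close."""
    conn, _peer = listener.accept()
    with conn:
        conn.sendall(banner)

def demo():
    """Run two services on the same address and query each one by its port."""
    services = {}
    for name, banner in (("web", b"HTTP/1.0 200 OK\r\n"), ("ftp", b"220 FTP ready\r\n")):
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        listener.listen(1)
        worker = threading.Thread(target=serve_once, args=(listener, banner), daemon=True)
        worker.start()
        services[name] = (listener, worker)

    replies = {}
    for name, (listener, worker) in services.items():
        port = listener.getsockname()[1]
        # Same IP address for both services; only the port number differs.
        with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
            replies[name] = (port, client.makefile("rb").read())
        worker.join(timeout=5)
        listener.close()
    return replies

if __name__ == "__main__":
    for name, (port, reply) in demo().items():
        print(f"{name:4} 127.0.0.1:{port} -> {reply!r}")
```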