The first important objective for Windows honeypot emulation is to avoid running ports and services that aren’t typical for a Windows host. Most Windows hosts aren’t running Secure Shell (SSH), finger, Extensible Name Service (XNS), Unix-to-Unix Copy Protocol (UUCP), Syslog, or AppleTalk. Most popular Unix programs have related Windows cousins, but if the program isn’t very common on a Windows platform, why open the port and confuse the hacker? Odds are a Windows host will be running IIS rather than Apache. Most Windows shops use Exchange Server, not Sendmail, as their mail server. Most companies running Microsoft software use IIS’s FTP service, rather than an additional third-party FTP server product.
Even when you choose to emulate a Microsoft product or service, you need to make sure it fits the scenario. For example, Windows NT Server 4.0 computers running IIS must run IIS version 4.0. They cannot run version 5.0, 5.1, or 6.0. Windows Server 2003 can run only version 6.0, not an older version. Early desktop OSs, like Windows 98 and Me, cannot run IIS, but they may be running Microsoft’s Personal Web Server application.
Depending on the platform and services installed, Microsoft Windows can have dozens of open and active ports. Table 3-1 lists the common Windows port numbers in ascending order and briefly describes each service. Microsoft has hundreds of programs and services, including add-ons for Unix, Macintosh, and web commerce. These services add dozens or more ports, but most of those are not included in Table 3-1, because they aren’t as widely used. See http://www.iana.org/assignments/port-numbers for a more comprehensive listing of TCP/IP ports.
Port | UDP or TCP | Description |
---|---|---|
7 | UDP and TCP | Echo—echos back any message sent to it. Like a ping, except you can choose the text. Optionally installed as part of Simple TCP/IP Services (see the “Simple TCP/IP Services” section later in this chapter). |
9 | UDP and TCP | Discard—discards anything sent to it without a response or acknowledgment. Optionally installed as part of Simple TCP/IP Services (see the “Simple TCP/IP Services” section later in this chapter). |
13 | UDP and TCP | Daytime—returns the day of the week, month, day, year, and current time in the hh:mm:ss format. Optionally installed as part of Simple TCP/IP Services (see the “Simple TCP/IP Services” section later in this chapter). |
17 | UDP and TCP | Quote of the Day—returns a random quote taken from a text file located at \%systemroot%\system32\Drivers\Etc\Quotes. Optionally installed as part of Simple TCP/IP Services (see the “Simple TCP/IP Services” section later in this chapter). This can also be Line Printer Daemon (LPD) installed as part of Unix or TCP/IP Printing Services. |
19 | UDP and TCP | Character Generator—sends data made up of 95 printable ASCII characters in response to any problem. Optionally installed as part of Simple TCP/IP Services (see the “Simple TCP/IP Services” section later in this chapter). |
20, 21 | TCP | FTP—part of IIS. Port 21 is the advertised open port. Once an active client connection is established, port 20 is used to transfer data (such as a file transfer or directory listing). Port 20 will close soon after the data connection is ended. Microsoft Personal Web Server can also use these ports. |
23 | TCP | Telnet Server—expects NTLM authentication by default (see the “Telnet Server” section later in this chapter). |
25 | TCP | SMTP—part of Exchange Server and IIS 5 and above (see the “IIS” and “Exchange Server” sections later in this chapter). |
42 | TCP and UDP | WINS replication port. |
53 | UDP and TCP | DNS—converts domain names into IP addresses. It uses UDP for DNS resolution queries and TCP for zone transfers. DNS is complex to emulate. A few emulated honeypots allow you to hand off DNS services to a real DNS server. |
68 | UDP | DHCP—used for DHCP IP address leasing. Clients use port 67. |
69 | UDP | TFTP—used in Microsoft RIS and a few other Windows components. |
70 | TCP | Gopher—an early Internet predecessor of FTP, HTTP, and search engines, used in early versions of IIS, but removed in IIS 5.0 and IIS 6.0. |
80 | TCP | HTTP—used by IIS. Outlook for Web Access (OWA) may also use this port because it runs using IIS, too. Microsoft Personal Web Server, Windows Media Services, and SharePoint Services can use this port, too. |
88 | TCP/UDP | Kerberos network authentication. |
102 | TCP | X.400 MTA over TCP/IP—used on Exchange Server computers only with X.400 Message Transfer Agent (MTA) enabled. |
110 | TCP | POP3—used on Exchange Server computers with POP3 enabled. Exchange Server 5.0 and above supports POP3. Used by e-mail client to retrieve messages. Exchange Server offers three different authentication methods: Basic, NTLM, and SSL (see the port 995 listing in this table). |
119 | TCP | NNTP—used to retrieve Usenet messages. This service can be installed with Exchange Server. |
123 | UDP | Windows Time Service (W32TIME)—Microsoft version of the NTP necessary for Kerberos operations. |
135 | UDP and TCP | RPC endpoint mapper. |
137 | UDP | NetBIOS Name Service. |
138 | UDP | NetBIOS Datagram Service. |
139 | TCP | NetBIOS Session Service. |
143 | TCP | IMAP—a superset of POP3 used on Exchange Server computers with IMAP enabled only. Unlike POP3, messages can be left on the server. |
161, 162 | TCP | SNMP—Available in Windows 2000 and above, but not enabled by default. |
379, 389 | UDP or TCP | LDAP—used as the primary access method to Microsoft’s Active Directory service. Port 389 is the default port for LDAP. |
443 | TCP | HTTP over SSL/TLS. |
445 | UDP and TCP | SMB over TCP/IP, also known as CIFS. |
464 | TCP and UDP | Kerberos Password version 5.0. |
500 | UDP | ISAKMP for IPSec. |
515 | TCP | Unix or TCP/IP Printing Services. |
560 | TCP | Content Replication Service. |
563 | TCP | NNTP over SSL/TLS (SNEWS). |
593 | TCP | RPC over HTTP—used for COM+ Internet services. Requires IIS to operate. |
636 | TCP | LDAP over SSL/TLS. |
993 | TCP | IMAP4 over SSL/TLS. |
995 | TCP | POP3 over SSL/TLS. |
1067, 1068 | TCP | IBS—used by various Microsoft programs, including SMS and RIS. |
1433 | TCP | Microsoft SQL Server. |
1434 | UDP | Microsoft SQL Server. |
1645, 1646, 1812, 1813 | UDP | IAS—Microsoft’s implementation of RADIUS. |
1701 | UDP | L2TP—a protocol for encrypting PPP. |
1723 | TCP | PPTP. |
1900 | UDP | Universal Plug and Play. |
3268 and 3269 | TCP | Microsoft Global Catalog—part of Active Directory. |
3389 | TCP | Terminal Services—an RDP connection from a remote client to Microsoft Terminal Services (or Citrix Metaframe products). |
4500 | UDP | IPSec. |
5000 | TCP | Universal Plug and Play. |
8080 | UDP or TCP | Proxy server port—used for ISA Server. |