Common Ports and Services

skip navigation

honeypots for windows
Chapter 3 - Windows Honeypot Modeling
Honeypots for Windows
by Roger A. Grimes
Apress 2005
progress indicator progress indicatorprogress indicator progress indicator

The first important objective for Windows honeypot emulation is to avoid running ports and services that aren’t typical for a Windows host. Most Windows hosts aren’t running Secure Shell (SSH), finger, Extensible Name Service (XNS), Unix-to-Unix Copy Protocol (UUCP), Syslog, or AppleTalk. Most popular Unix programs have related Windows cousins, but if the program isn’t very common on a Windows platform, why open the port and confuse the hacker? Odds are a Windows host will be running IIS rather than Apache. Most Windows shops use Exchange Server, not Sendmail, as their mail server. Most companies running Microsoft software use IIS’s FTP service, rather than an additional third-party FTP server product.

Even when you choose to emulate a Microsoft product or service, you need to make sure it fits the scenario. For example, Windows NT Server 4.0 computers running IIS must run IIS version 4.0. They cannot run version 5.0, 5.1, or 6.0. Windows Server 2003 can run only version 6.0, not an older version. Early desktop OSs, like Windows 98 and Me, cannot run IIS, but they may be running Microsoft’s Personal Web Server application.

Depending on the platform and services installed, Microsoft Windows can have dozens of open and active ports. Table 3-1 lists the common Windows port numbers in ascending order and briefly describes each service. Microsoft has hundreds of programs and services, including add-ons for Unix, Macintosh, and web commerce. These services add dozens or more ports, but most of those are not included in Table 3-1, because they aren’t as widely used. See http://www.iana.org/assignments/port-numbers for a more comprehensive listing of TCP/IP ports.

Table 3-1: Common Microsoft Windows Ports and Services

Port

UDP or TCP

Description

7

UDP and TCP

Echo—echos back any message sent to it. Like a ping, except you can choose the text. Optionally installed as part of Simple TCP/IP Services (see the “Simple TCP/IP Services” section later in this chapter).

9

UDP and TCP

Discard—discards anything sent to it without a response or acknowledgment. Optionally installed as part of Simple TCP/IP Services (see the “Simple TCP/IP Services” section later in this chapter).

13

UDP and TCP

Daytime— returns the day of the week, month, day, year, and current time in the hh:mm:ss format. Optionally installed as part of Simple TCP/IP Services (see the “Simple TCP/IP Services” section later in this chapter).

17

UDP and TCP

Quote of the Day—returns a random quote taken from a text file located at \%systemroot%\system32\Drivers\ Etc\Quotes. Optionally installed as part of Simple TCP/IP Services (see the the “Simple TCP/IP Services” section later in this chapter). This can also be Line Printer Daemon (LPD) installed as part of Unix or TCP/IP Printing Services.

19

UDP and TCP

Character Generator—sends data made up of 95 printable ASCII characters in response to any problem. Optionally installed as part of Simple TCP/IP Services (see the “Simple TCP/IP Services” section later in this chapter).

20, 21

TCP

FTP—part of IIS. Port 21 is the advertised open port. Once an active client connection is established, port 20 is used to transfer data (such as a file transfer or directory listing). Port 20 will close soon after the data connection is ended. Microsoft Personal Web Server can also use these ports.

23

TCP

Telnet Server—expects NTLM authentication by default (see the “Telnet Server” section later in this chapter).

25

TCP

SMTP—part of Exchange Server and IIS 5 and above (see the “IIS” and “Exchange Server” sections later in this chapter).

42

TCP and UDP

WINS replication port.

53

UDP and TCP

DNS—converts domain names into IP addresses. It uses UDP for DNS resolution queries and TCP for zone transfers. DNS is complex to emulate. A few emulated honeypots allow you to hand off DNS services to a real DNS server.

68

UDP

DHCP—used for DHCP IP address leasing. Clients use port 67.

69

UDP

TFTP—used in Microsoft RIS and a few other Windows components.

70

TCP

Gopher—an early Internet predecessor of FTP, HTTP, and search engines, used in early versions of IIS, but removed in IIS 5.0 and IIS 6.0.

80

TCP

HTTP—used by IIS. Outlook for Web Access (OWA) may also use this port because it runs using IIS, too. Microsoft Personal Web Server, Windows Media Services, and SharePoint Services can use this port, too.

88

TCP/UDP

Kerberos network authentication.

102

TCP

X.400 MTA over TCP/IP—used on Exchange Server computers only with X.400 Message Transfer Agent (MTA) enabled.

110

TCP

POP3—used on Exchange Server computers with POP3 enabled. Exchange Server 5.0 and above supports POP3. Used by e-mail client to retrieve messages. Exchange Server offers three different authentication methods: Basic, NTLM, and SSL (see the port 995 listing in this table).

119

TCP

NNTP—used to retrieve Usenet messages. This service can be installed with Exchange Server.

123

UDP

Windows Time Service (W32TIME)—Microsoft version of the NTP necessary for Kerberos operations.

135

UDP and TCP

RPC endpoint mapper.

137

UDP

NetBIOS Name Service.

138

UDP

NetBIOS Datagram Service.

139

TCP

NetBIOS Session Service.

143

TCP

IMAP—a superset of POP3 used on Exchange Server computers with IMAP enabled only. Unlike POP3, messages can be left on the server.

161, 162

TCP

SNMP—Available in Windows 2000 and above, but not enabled by default.

379, 389

UDP or TCP

LDAP—used as the primary access method to Microsoft’s Active Directory service. Port 389 is the default port for LDAP.

443

TCP

HTTP over SSL/TLS.

445

UDP and TCP

SMB over TCP/IP, also known as CIFS.

464

TCP and UDP

Kerberos Password version 5.0.

500

UDP

ISAKMP for IPSec.

515

TCP

Unix or TCP/IP Printing Services.

560

TCP

Content Replication Service.

563

TCP

NNTP over SSL/TLS (SNEWS).

593

TCP

RPC over HTTP—used for COM+ Internet services. Requires IIS to operate.

636

TCP

LDAP over SSL/TLS.

993

TCP

IMAP4 over SSL/TLS.

995

TCP

POP3 over SSL/TLS.

1067, 1068

TCP

IBS—used by various Microsoft programs, including SMS and RIS.

1433

TCP

Microsoft SQL Server.

1434

UDP

Microsoft SQL Server.

1645, 1646, 1812, 1813

UDP

IAS—Microsoft’s implementation of RADIUS.

1701

UDP

L2TP—a protocol for encrypting PPP.

1723

TCP

PPTP.

1900

UDP

Universal Plug and Play.

3268 and 3269

TCP

Microsoft Global Catalog—part of Active Directory.

3389

TCP

Terminal Services—An RDP connecting a remote client to Microsoft Terminal Services (or Citrix Metaframe products).

4500

UDP

IPSec.

5000

TCP

Universal Plug and Play.

8080

UDP or TCP

Proxy server port—used for ISA Server.

progress indicator progress indicatorprogress indicator progress indicator


Honeypots for Windows
Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359
EAN: 2147483647
Year: 2006
Pages: 119

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net