Port Numbers

A port number is a number assigned to a service. Ports operate at the transport layer of the Open Systems Interconnection (OSI) model and identify which service a connection is intended for, such as:

  • Telnet (port 23)

  • Simple Mail Transfer Protocol (SMTP) (port 25)

  • Post Office Protocol 3 (POP3) (port 110)

  • Hypertext Transfer Protocol (HTTP) (port 80)

HTTP is the protocol used by the World Wide Web (WWW). Every time URL information is entered into a web browser (as seen in Figure B.1), the HTTP service is being used across the Internet to access web pages on web servers. This service corresponds to a specific port assigned by way of the following standards organizations:

  • http://www.iana.org/

  • http://www.icann.org/

Figure B.1: Viewing a Web Browser Using the HTTP Service

Think of the process this way:

  1. At your web browser enter http://www.syngress.com.

  2. HTTP (layer 7 of the OSI model) uses Transmission Control Protocol (TCP) port 80 (layer 4 of the OSI model). The port number is set by convention. Web servers are not required to listen for HTTP requests on TCP port 80.

  3. Because the Web server is listening on port 80, a connection is made.

  4. Before making the connection, the browser must resolve the name www.syngress.com to an Internet Protocol (IP) address. This is accomplished by sending a query to a Domain Name System (DNS) server requesting that www.syngress.com be resolved to an IP address. The DNS server sends back the IP address: 216.238.8.44

  5. The connection is made via the IP address and TCP port number to create a "socket." A socket is a combination of the transport layer protocol, the port, and the IP address.

  6. A socket is written as the IP address followed by the port number: 216.238.8.44:80
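The six steps above as an added Python walkthrough (example code written for this appendix, not from the book): it takes the URL, applies the conventional port for the scheme (80 for HTTP) unless the URL names one explicitly, resolves the host name, and returns the transport/IP/port triple that makes up the socket. The DNS step is a constructed lookup table holding the address quoted above so the example runs offline; passing dns=None switches to a real query through socket.gethostbyname.

```python
"""Walkthrough of the URL -> DNS -> socket steps from the appendix.

Added example; the DNS lookup is a constructed stub, not a live query.
"""
import socket
from urllib.parse import urlsplit

# Conventional ports per URL scheme. A server may listen elsewhere
# (e.g. 8080), in which case the URL must name the port explicitly.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed stand-in for a DNS server so the example runs offline.
# The address is the one quoted in the appendix for www.syngress.com.
FAKE_DNS = {"www.syngress.com": "216.238.8.44"}


def resolve(hostname, dns=FAKE_DNS):
    """Step 4: resolve a host name to an IPv4 address.

    Uses the stub table; pass dns=None to ask the real resolver via
    socket.gethostbyname (needs network access).
    """
    if dns is None:
        return socket.gethostbyname(hostname)
    try:
        return dns[hostname]
    except KeyError:
        raise LookupError(f"no DNS record for {hostname!r}") from None


def socket_endpoint(url, dns=FAKE_DNS):
    """Steps 1-5: derive (transport, ip, port) for the connection.

    HTTP runs over TCP; the port is the URL's explicit port if given,
    otherwise the conventional port for the scheme.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or incomplete URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return ("tcp", resolve(parts.hostname, dns), port)


def endpoint_string(endpoint):
    """Step 6: the 'ip:port' notation the appendix uses for a socket."""
    _transport, ip, port = endpoint
    return f"{ip}:{port}"


def connect(endpoint, timeout=5.0):
    """Open the TCP connection of step 3 (not exercised in this walkthrough)."""
    _transport, ip, port = endpoint
    return socket.create_connection((ip, port), timeout=timeout)


if __name__ == "__main__":
    print(endpoint_string(socket_endpoint("http://www.syngress.com")))
    print(endpoint_string(socket_endpoint("http://www.syngress.com:8080")))
```

The second call shows the case the note below describes: when a server listens on a port other than the convention, nothing in the protocol tells the browser so, and the port has to be carried in the URL.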

Note 

Most Web servers have their ports set to 8080. Where this is the case, the correct socket connection would be: 216.238.8.44:8080

Think of the IP address and port number as being the street address and apartment number, respectively. If not for apartment numbers, it would be difficult to know whom in an apartment building a particular letter was for. This is the same concept behind IP addresses and port numbers. The port number is used by a particular service. When a request is made, the port number tells the computer which service it wants to talk to. The port number defines the endpoints of a connection. The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for managing port numbers.

There are three port ranges, totaling 65535 ports:

  • Well-known port numbers range from 0 to 1023 (equaling 1024 ports in total)

  • Registered port numbers range from 1024 to 49151

  • Dynamic and private port numbers range from 49152 to 65535

Note 

There are 1024 well-known ports available for use. It is easy to forget that the range starts with "0": the values 0 through 1023 inclusive make 1024 ports.

There are three categories of ports:

  • Well-Known Port Numbers  Most systems use the well-known port numbers to run system processes or privileged programs such as HTTP, SMTP, FTP and POP3.

  • Registered Port Numbers  Registered port numbers are not controlled by ICANN. They are commonly used with non-system processes or nonprivileged programs, such as an ordinary user running a program.

  • Dynamic/Private Port Numbers  Used for either privately or dynamically assigned ports. Dynamic means that programs simply select an available port from the range. Also, these port numbers can be specified for use because they are not registered.

Table B.1 presents the following:

  • Port number

  • TCP/User Datagram Protocol (UDP) or both

  • A description of the service

  • Common attacks

Note 

This is just a small selection of commonly attacked ports. All network services are at risk from some type of attack.

Table B.1: Well-Known Port Numbers

Port Number | Protocol | Description | Attacks
19 | TCP, UDP | Character Generator | One of the most common attacks, the Chargen attack, can be run from a host allowing for connection via port 19. Simply run a Telnet connection to the device via port 19 to run the attack. (Telnet 10.0.0.1 19)
20 | TCP, UDP | FTP (Default Data) | FTP can be exploited because the credentials (username and password) are sent in cleartext. If eavesdropping is taking place (packet sniffing), credentials can be found and used, thus opening the door for the attacker.
21 | TCP, UDP | FTP (Control) | FTP can be exploited because the credentials (username and password) are sent in cleartext. If eavesdropping is taking place (packet sniffing), credentials can be found and used, thus opening the door for the attacker.
22 | TCP, UDP | Secure Shell (SSH) Remote Login Protocol | SSH is the alternative to Telnet. It is used to create an encrypted connection for terminal emulation.
23 | TCP, UDP | Telnet | Telnet can be exploited because the credentials (username and password) are sent in cleartext. If eavesdropping is taking place (packet sniffing), credentials can be found and used, thus opening the door for the attacker.
25 | TCP, UDP | SMTP | SMTP can be manipulated via Telnet. You can Telnet to the SMTP service and run commands on the server you connect to. Simply run a Telnet connection to the device via port 25 to run the attack. (Telnet 10.0.0.1 25)
53 | TCP, UDP | DNS | DNS is highly susceptible to zone transfers via TCP. This is unfortunate because an attacker can take DNS information and learn a massive amount about a system from the gathered data. You must be extra careful with this port when configuring DNS on your DMZ.
69 | TCP, UDP | Trivial File Transfer Protocol (TFTP) | TFTP is highly dangerous because it allows data to be uploaded and downloaded without any check of credentials.
79 | TCP, UDP | Finger | Finger is an old service that provides information on the users of a given computer. This port is usually left open by default and can be easily hacked either with the "finger" command or via Telnet to port 79.
80 | TCP, UDP | WWW HTTP | HTTP can be manipulated very easily. Because of the free-wheeling nature of the Internet, most traffic is passed on port 80. The problem with this is that, unless you specifically search for and stop data coming over the Internet, harmful applets and code can be downloaded to a user's web browser via HTTP.
109 | TCP, UDP | Post Office Protocol - Version 2 (POP2) | POP2 can be manipulated via Telnet. You can Telnet to the POP2 service and run commands on the server you connect to. Simply run a Telnet connection to the device via port 109 to run the attack. (Telnet 10.0.0.1 109)
110 | TCP, UDP | Post Office Protocol - Version 3 (POP3) | POP3 can be manipulated via Telnet. You can Telnet to the POP3 service and run commands on the server you connect to. Simply run a Telnet connection to the device via port 110 to run the attack. (Telnet 10.0.0.1 110)
137 | TCP, UDP | Network Basic Input/Output System (NetBIOS) Name Service | NetBIOS should not be allowed to function on any server facing the Internet. It allows Internet-based attackers to see file share information as well as computer names and other important information about the machine.
138 | TCP, UDP | NetBIOS Datagram Service | NetBIOS should not be allowed to function on any server facing the Internet. It allows Internet-based attackers to see file share information as well as computer names and other important information about the machine.
139 | TCP, UDP | NetBIOS Session Service | NetBIOS should not be allowed to function on any server facing the Internet. It allows Internet-based attackers to see file share information as well as computer names and other important information about the machine.
156 | TCP, UDP | Structured Query Language (SQL) Service | Knowing that an SQL service is running is an open invitation to attacks on database systems.
161 | TCP, UDP | Simple Network Management Protocol (SNMP) | SNMP is used to allow for the management of network and system Management Information Bases (MIBs) by a network management system. Since SNMP sends information (such as community string credentials) in cleartext, you should consider this protocol open to attack. Another common attack uses the default public and private community strings, which are assigned out of the box and very rarely changed, to gain management of the systems.
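The three port ranges and the exposure guidance in Table B.1 combined into a small listening-socket audit, written in Python as an added example for this appendix (not code from the book). It classifies each port into the well-known, registered, or dynamic/private range, then flags any Table B.1 service that is bound to every interface rather than to loopback. The socket listing it parses is constructed in the style of `ss -tuln` output and the risk notes are condensed from the table; the format assumptions and sample rows are the example's own.

```python
"""Audit a listing of listening sockets against the guidance in Table B.1.

Added example; the socket listing below is constructed in the style of
`ss -tuln` output, not captured from a real host.
"""
import re

# The three port ranges described in the appendix.
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151
LAST_PORT = 65535


def port_class(port):
    """Return which of the three ranges a port number falls into."""
    if not 0 <= port <= LAST_PORT:
        raise ValueError(f"port {port} is outside 0-{LAST_PORT}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


# Exposure concerns condensed from Table B.1 (port -> why it matters).
TABLE_B1_RISK = {
    19: "chargen can be abused to generate traffic",
    20: "FTP data: credentials travel in cleartext",
    21: "FTP control: credentials travel in cleartext",
    23: "Telnet: credentials travel in cleartext; prefer SSH (22)",
    53: "DNS: restrict zone transfers, especially on the DMZ",
    69: "TFTP: file transfer with no credential check",
    79: "finger: discloses user account information",
    109: "POP2: credentials travel in cleartext",
    110: "POP3: credentials travel in cleartext",
    137: "NetBIOS name service must not face the Internet",
    138: "NetBIOS datagram service must not face the Internet",
    139: "NetBIOS session service must not face the Internet",
    156: "SQL service advertises a database to attackers",
    161: "SNMP: community strings in cleartext; change the defaults",
}

# Local addresses that mean "listening on every interface".
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Matches ss-style rows such as "tcp LISTEN 0 128 0.0.0.0:23 0.0.0.0:*".
ROW_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)(?:\s|$)"
)

# Constructed sample listing (not real output).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:139         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:110       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:69          0.0.0.0:*
tcp   LISTEN 0      128    [::]:80             [::]:*
tcp   LISTEN 0      128    0.0.0.0:50000       0.0.0.0:*
"""


def parse_listeners(text):
    """Return a list of (proto, local_addr, port) for each socket row; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["proto"], m["addr"], int(m["port"])))
    return rows


def audit(text):
    """Flag Table B.1 services that listen on all interfaces.

    A service bound to loopback only (127.0.0.1) is not reachable from
    the network and is left out of the findings.
    """
    findings = []
    for proto, addr, port in parse_listeners(text):
        if port in TABLE_B1_RISK and addr in WILDCARD_ADDRS:
            findings.append({
                "proto": proto,
                "port": port,
                "class": port_class(port),
                "note": TABLE_B1_RISK[port],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f"{f['proto']}/{f['port']} ({f['class']}): {f['note']}")
```

On the sample, SSH on 22 and HTTP on 80 pass, POP3 on 110 is ignored because it is bound to loopback, and Telnet, NetBIOS session, SNMP, and TFTP are reported. The port-range classification is there so the report can also tell apart a well-known system service from an ordinary program that picked a dynamic port.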



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162