SoFunction
Updated on 2025-04-11

Basics of Ports

The term "port" comes up constantly when using the Internet. So what is a port, and what role does it play in a network?

Let's start with some common services provided on the Internet.

To talk about services we first need the concepts of "connection-oriented" and "connectionless". The simplest analogy is a phone call versus a letter. Two people who want to talk on the phone must first establish a connection (dial and wait for an answer) before they can exchange information, and at the end they must release the connection (hang up). A letter is simpler: fill in the address and name, drop it in the mailbox, and the recipient receives it; no connection is set up beforehand.

The dominant protocol suite on the Internet is TCP/IP. Note that at the network layer IP is connectionless (packets are simply sent onto the Internet, and how they are routed, whether they arrive, and in what order is left to the network equipment). As soon as we talk about "ports" we are already at the transport layer. Ports below 1024 are explicitly assigned in the protocol standards and correspond to common Internet services. These services fall into two types: those using TCP ports (connection-oriented, like a phone call) and those using UDP ports (connectionless, like a letter).

Common services using TCP ports are:
ftp: the File Transfer Protocol, which uses port 21. When a host is said to "open the ftp service", it means it offers file transfer; downloading files and uploading a home page are done through ftp.

telnet: Have you used a BBS? Early BBSs had a pure character interface, and a server hosting a BBS would open port 23 to serve users. Telnet really means remote login: a user connects to a remote host and works on it under their own identity.

smtp: the Simple Mail Transfer Protocol. Many mail servers use it to send email; the server listens on port 25.

http: the most heavily used protocol, the HyperText Transfer Protocol. It is what you need to browse web pages, so a host that serves web pages must open port 80. "Providing www services" and "web server" both refer to this.

pop3: the counterpart of smtp, used to receive email, normally on port 110. Almost all free email providers such as 263 support POP3 retrieval, meaning that with a client that speaks POP3 (such as Foxmail or Outlook) you can collect messages without logging in to the web interface.

Common services using UDP ports are:

DNS: the domain name resolution service. Every computer on the Internet has a network address, the IP address, which is purely numeric. Numbers are hard to remember, so domain names were introduced: to reach a host you only need to know its domain name, and the translation between domain name and IP address is done by DNS servers. DNS uses port 53.

snmp: the Simple Network Management Protocol, on port 161, is used to manage network devices. Because there are so many network devices, a connectionless service shows its advantages here.

The chat program OICQ: the OICQ client both requests and provides service, so the two chatting parties are peers. OICQ uses a connectionless protocol; its server listens on port 8000 for incoming messages, while the client sends from port 4000. If those ports are already in use (for example when chatting with several friends at once), the next port numbers are used in sequence.

A port is, in short, the way a computer communicates with the outside world; without ports a computer would be deaf and mute.

Ports fall into three categories:
1) Well Known Ports: 0 to 1023. They are tightly bound to specific services, and traffic on one of these ports normally indicates the protocol of that service. For example, port 80 is practically always HTTP.
2) Registered Ports: 1024 to 49151. They are loosely bound to services: many services are registered on these ports, but the same ports are also used for many other purposes. For example, many systems allocate dynamic ports starting from around 1024.
3) Dynamic and/or Private Ports: 49152 to 65535. In theory no service should be assigned to these ports. In practice, machines usually allocate dynamic ports starting from 1024, with exceptions: Sun's RPC ports start at 32768.

Where to get more comprehensive port information:
1. ftp:///in-notes/iana/assignments/port-numbers ;
"Assigned Numbers" RFC, the official source of port assignments.
2. /advice/Exploits/Ports/ ;
A port database, including ports associated with many system weaknesses.
3. /etc/services
The file /etc/services on UNIX systems lists the commonly used UNIX port assignments. On Windows NT the file is located at %systemroot%/system32/drivers/etc/services.
4. /~triemer/network/ ;
Specific protocols and ports.
5. /~rakerman/ ;
Descriptions of many ports.
6. / ;
Trojan port list from TLSecurity. Unlike other people's collections, the author has examined every port listed.
7. / ;
Trojan Horse Detection.

1) What do the TCP/UDP port scans seen by firewalls mean?

This section describes the TCP/UDP ports that commonly show up as scanned in firewall logs. Remember: there is no such thing as an ICMP port. If you want to interpret ICMP data, refer to the other sections of this article.

0 Usually used to fingerprint the operating system. This works because on some systems "0" is an invalid port, and connecting to it produces a different result than connecting to an ordinary closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

1 tcpmux This indicates someone looking for SGI Irix machines. Irix is the main implementer of tcpmux, and it is turned on by default on those systems. Irix machines shipped with several accounts that had no password, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts, and many administrators forget to remove them after installation. Attackers therefore scan the Internet for tcpmux and try these accounts.

7 Echo You will see many people sending packets to addresses ending in .0 and .255 while searching for Fraggle amplifiers.

A common DoS attack is the echo loop: the attacker forges UDP packets so that they appear to be sent from one machine to another, and the two machines then answer each other as fast as they can. (See Chargen.)

Another thing you may see is TCP connections to this port from DoubleClick. They have a product called "Resonate Global Dispatch" that connects to the echo port of DNS servers to determine the closest route.

The Harvest/squid cache sends UDP echo from port 3130: "If the cache's source_ping on option is turned on, it will respond to a HIT reply to the original host's UDP echo port." This generates many such packets.

11 sysstat This is a UNIX service that lists all processes running on the machine and who started them. It gives intruders a great deal of information that threatens the machine's security, such as which programs with known weaknesses are running and which accounts exist. It is similar to the output of the UNIX "ps" command.

Again: ICMP has no ports; "ICMP port 11" usually means ICMP type 11.

19 chargen This service simply generates characters. The UDP version responds to any received UDP packet with a packet of junk characters; over TCP it sends a stream of junk characters until the connection is closed. Attackers use IP spoofing to launch DoS attacks with it: forged UDP packets between two chargen servers, or between a chargen server and an echo server, overload both because each tries to answer the endless back-and-forth traffic. Similarly, the fraggle DoS attack broadcasts a packet with a forged victim IP to this port on the target network, and the victim is overloaded by the replies.

21 ftp The most common scan, looking for ftp servers that allow anonymous access. These servers often have directories that are both readable and writable, and hackers or crackers use them as drop points for warez (pirated programs) and pr0n (a deliberate misspelling to avoid classification by search engines).

22 ssh pcAnywhere establishes TCP connections to this port, but it may also be someone looking for ssh. This service has many weaknesses; many versions that use the RSAREF library have vulnerabilities when configured in a particular mode. (It is recommended to run ssh on another port.)

Note also that the ssh toolkit ships a program called make-ssh-known-hosts, which scans an entire domain for ssh hosts, so you may occasionally be scanned by someone running it.

UDP (rather than TCP) traffic to port 5632 on the other end indicates a scan for pcAnywhere. 5632 is 0x1600 in hexadecimal; with the bytes swapped it becomes 0x0016, which is 22 in decimal.

23 Telnet Intruders are looking for a way to log in to UNIX remotely. In most cases they scan this port to find out which operating system the machine runs; using other techniques, the intruder will then try to find a password.

25 smtp Attackers (spammers) look for SMTP servers to relay their spam. Spammers' own accounts are always being shut down, so they dial up and look for a high-bandwidth mail server through which to send a simple message to many different addresses. SMTP servers (sendmail in particular) are one of the most common ways into a system, because they must be fully exposed to the Internet and mail routing is complex (exposed + complex = weakness).

53 DNS Hackers or crackers may be attempting a zone transfer (TCP), spoofing DNS (UDP), or hiding other traffic. Firewalls therefore often filter or log port 53.

Note that you will often see port 53 as the UDP source port. Stateless or poorly configured firewalls usually let this traffic through, assuming it is a response to a DNS query; attackers often use this to get through a firewall.

67 and 68 Bootp/DHCP (UDP) You will often see large amounts of traffic sent to the broadcast address 255.255.255.255 through DSL and cable-modem firewalls: these machines are asking a DHCP server to assign them an address. An attacker can answer such requests and assign the address themselves, making their machine the local router and launching "man-in-the-middle" attacks. The client broadcasts its request to port 67 (bootps) and the server broadcasts its reply to port 68 (bootpc); the reply is broadcast because the client does not yet have an IP address it can be sent to.

69 TFTP (UDP) Many servers provide this service alongside bootp so that systems can download their boot code. But TFTP servers are often misconfigured to serve any file on the system, such as password files, and they can also be used to write files to the system.

79 finger Used by attackers to obtain user information, identify the operating system, probe for known buffer overflow bugs, and bounce scans off your machine to other machines.

98 linuxconf This program provides simple administration of Linux boxes. It offers a web interface on port 98 through an integrated HTTP server, and many security problems have been found in it: some versions run setuid root, trust the LAN, create Internet-accessible files under /tmp, and have a buffer overflow in the LANG environment variable. Furthermore, because it contains an integrated server, many typical HTTP vulnerabilities (buffer overflows, directory traversal, etc.) may exist.

109 POP2 Not as well known as POP3, but many servers provide both (for backward compatibility). POP3 vulnerabilities on the same server also exist in POP2.

110 POP3 Used by clients to access mail on the server. POP3 services have many recognised weaknesses; there are at least 20 buffer overflows in the username and password exchange (which means an attacker can break in before actually logging in), and more buffer overflows after a successful login.

111 sunrpc portmap rpcbind Sun RPC PortMapper/RPCBIND. Accessing the portmapper is the first step in scanning a system to see which RPC services it allows. Common RPC services include NFS, amd, and others. Once an intruder finds an allowed RPC service with a known vulnerability, they turn to the specific port on which that service runs.

Remember to keep a logging daemon, IDS, or sniffer in line so you can discover which program the intruder is using to access the machine and find out exactly what is going on.

113 Ident auth This protocol runs on many machines and identifies the user behind a TCP connection. The standard service can be used to obtain information from many machines (which attackers exploit), but it also serves as a way for many services, especially FTP, POP, IMAP, SMTP and IRC, to log who connected. If many clients reach these services through a firewall, you will see many connection requests to this port. Remember that if you simply block this port, clients will experience slow connections to mail servers on the other side of the firewall; many firewalls can send back an RST while blocking the TCP connection, which stops this slowness.

119 NNTP news The Network News Transfer Protocol, carrying USENET traffic. This port is used when you follow a link such as news:/// . Attempts to connect to this port are usually people looking for USENET servers. Most ISPs restrict access to their newsgroup servers to their own customers. An open news server allows anyone to post and read, to reach restricted newsgroups, to post anonymously, or to send spam.

135 oc-serv MS RPC end-point mapper Microsoft runs the DCE RPC end-point mapper on this port for its DCOM services. It is very similar in function to UNIX port 111: services using DCOM and/or RPC register their location with the end-point mapper, and remote clients query it to find where a service lives. Attackers also scan this port to answer questions such as: is Exchange Server running on this machine, and which version?

Besides querying services (for example with epdump), this port can also be attacked directly; there are some DoS attacks aimed specifically at it.

137 NetBIOS name service nbtstat (UDP) This is the most common thing firewall administrators see. Please read the NetBIOS section at the end of this article carefully.

139 NetBIOS
File and Print Sharing Connections to this port are attempts to reach the NetBIOS/SMB service. The protocol is used by Windows "File and Printer Sharing" and by SAMBA. Sharing your own hard drive on the Internet is probably the most common problem.

Large numbers of probes for this port started in 1999 and gradually declined, then rebounded in 2000. Some VBS worms (IE5 Visual Basic Scripting) copy themselves via this port, trying to spread through it.

143 IMAP Like POP3 above, many IMAP servers have buffer overflow vulnerabilities exploitable during login. Remember that a Linux worm (admw0rm) spreads through this port, so many scans of this port come from unwitting infected users. These vulnerabilities became widespread when RedHat enabled IMAP by default in its Linux releases. This was the first widely spread worm since the Morris worm.

This port is also used by IMAP2, but that is not common.

There have been reports that some attacks on ports 0 to 143 come from scripts.

161 SNMP (UDP) A port often probed by intruders. SNMP allows remote management of devices; all configuration and operational information is stored in a database and retrieved by SNMP clients. Many administrators misconfigure it and expose it to the Internet. Crackers attempt to access the system using the default community strings "public" and "private", and may try every possible combination.

SNMP packets may be directed at your network by mistake. Windows machines often send SNMP because of misconfigured HP JetDirect remote management software; the HP OBJECT IDENTIFIER will receive the SNMP packet. Newer versions of Win98 use SNMP to resolve names, and you will see these packets broadcast on the subnet (cable modem, DSL) querying sysName and other information.

162 SNMP trap Probably due to misconfiguration.

177 xdmcp Many attackers access X Windows consoles through it; it also requires port 6000 to be open.

513 rwho Probably a broadcast from a UNIX machine on a subnet connected by cable modem or DSL. Such machines give attackers interesting information about how to get into the system.

553 CORBA
IIOP (UDP) If you are on a cable modem or DSL VLAN you will see broadcasts on this port. CORBA is an object-oriented RPC (remote procedure call) system, and attackers use this information to get into the system.

600 Pcserver backdoor Please see port 1524.

Some script kiddies think they have completely compromised a system by modifying the inculcl and pcserver files - Alan J. Rosenthal.

635 mountd The Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP, but TCP-based mountd scans are increasing (mountd runs on both at the same time). Remember that mountd can run on any port (finding which one requires a portmap query on port 111), but Linux defaults to port 635, just as NFS usually runs on port 2049.

1024 Many people ask what this port is for. It is the beginning of the dynamic port range. Many programs do not care which port they use to connect to the network and ask the operating system for "the next free port"; allocation starts from port 1024, so the first program that asks the system for a dynamic port gets 1024. To verify this, reboot the machine, start Telnet, then open a window and run "netstat -a": you will see Telnet assigned port 1024. The more programs request ports, the more dynamic ports are in use, and the numbers the operating system allocates grow larger. Again, when you browse the web and look with "netstat", each web page needs a new port.

1080 SOCKS
This protocol tunnels through the firewall, allowing many people behind it to reach the Internet through one IP address. In theory it should only allow internal traffic outward to the Internet, but when misconfigured it lets attacks from outside the firewall pass through it, or simply lets computers on the Internet bounce through it to mask their direct attacks on you. WinGate is a common Windows personal firewall on which this misconfiguration often occurs. This is often seen when joining an IRC chat room.

1114 SQL
This port is rarely scanned for by itself, but it is often part of the sscan script.

1243 Sub-7 Trojan (TCP)
See the Subseven section.

1524 ingreslock backdoor
Many attack scripts install a backdoor shell on this port (especially those targeting Sendmail and RPC vulnerabilities on Sun systems, such as statd, ttdbserver and cmsd). If you have just installed a firewall and see connection attempts on this port, this is the likely reason. You can Telnet to this port on your own machine and see whether it gives you a shell. The same problem exists with 600/pcserver.

2049 NFS
NFS usually runs on this port. Normally you would query the portmapper to find which port the service runs on, but most of the time NFS is on this port after installation, so an attacker can skip the portmapper and probe this port directly.

3128 squid
The default port of the Squid HTTP proxy server. Attackers scan this port looking for a proxy server through which to reach the Internet anonymously; you will also see scans for other proxy ports: 8000/8001/8080/8888. Another reason for scans of this port is that a user is entering a chat room: other users (or the server itself) check this port to determine whether the user's machine is an open proxy. Please see section 5.3.

5632 pcAnywhere
You will see many scans of this port, depending on where you are. When a user starts pcAnywhere, it automatically scans the local class C network for possible agents (translator: "agent" here rather than "proxy"). Hackers/crackers also look for machines running this service, so you should check the source address of the scan. Some scans for pcAnywhere also include UDP packets to port 22. See Dial-up Scan.

6776 Sub-7 artifact
This port is split off from the Sub-7 main port to transfer data. For example, you will see it when the controller is controlling another machine over a dial-up line and the controlled machine hangs up: whoever next dials in and gets that IP will see continuous connection attempts on this port. (Translator: a firewall report of a connection attempt on this port does not mean you have been controlled by Sub-7.)

6970 RealAudio
RealAudio clients receive audio streams from the server on UDP ports 6970-7170. This is set up by an outbound TCP control connection on port 7070.

13223 PowWow
PowWow is a chat program from Tribal Voice that lets users open connections on this port for private chat. The program is very "aggressive" about establishing connections: it will "hang" on this TCP port waiting for a response, producing connection attempts at something like a heartbeat interval. If you are a dial-up user who "inherits" an IP address from another chatter, you will see what looks like many different people probing this port. The protocol uses "OPNG" as the first four bytes of its connection attempt.

17027 Conducent
This is an outbound connection, caused by someone inside the company having installed shareware bundled with the Conducent "adbot", which displays ads in shareware. One popular program using it is Pkware. Someone tried it: blocking this outbound connection causes no problem, but blocking the IP addresses themselves causes the adbot to keep retrying several times a second, overloading the connection:
the machine constantly tries to resolve the DNS names, i.e. the IP addresses 216.33.210.40, 216.33.199.77, 216.33.199.80, 216.33.199.81, and 216.33.210.41. (Translator: I wonder whether the Radiate used by NetAnts shows the same behaviour.)

27374 Sub-7 Trojan (TCP)
See the Subseven section.

30100 NetSphere Trojan (TCP)
Scans of this port are usually looking for the NetSphere Trojan.

31337 Back Orifice "elite"
In hacker jargon 31337 reads as "elite" /ei'li:t/ (Translator: from the French, meaning backbone or essence; that is, 3=E, 1=L, 7=T). Many backdoor programs therefore run on this port, the most famous being Back Orifice. For a while it was the most common scan on the Internet; it is now becoming less common as other Trojans grow in popularity.

31789 Hack-a-tack
UDP traffic on this port is usually caused by the "Hack-a-tack" remote access Trojan (RAT, Remote Access Trojan). This Trojan contains a built-in port scanner on port 31790, so any connection to port 31789 together with port 31790 indicates such an intrusion. (Port 31789 is the control connection and port 31790 the file transfer connection.)

32770~32900 RPC services
Sun Solaris RPC services live in this range. In more detail: early versions of Solaris (before 2.5.1) placed the portmapper in this range, allowing attackers to reach it even when the low ports are blocked by a firewall. Scans of this range are looking either for portmappers or for known exploitable RPC services.

33434~33600 traceroute
UDP packets within this port range (and only within this range) are probably traceroute. See the traceroute section.

41508 Inoculan
Early versions of Inoculan generate a lot of UDP traffic on the subnet so that instances can identify each other. See
/~jelson/software/ ;
/nss/tips/inoculan/ ;

(II) What do the following source ports mean?

Ports 1~1024 are reserved ports, so they are rarely source ports, but there are exceptions, such as connections from NAT machines.

You often see ports just above 1024; these are "dynamic ports" assigned by the system to applications that do not care which port they use.

Server           Client   Service  Description
1-5/tcp          Dynamic  FTP      Source ports 1-5 indicate the sscan script
20/tcp           Dynamic  FTP      The port from which the FTP server transfers files
53               Dynamic  DNS      DNS sends UDP responses from this port; you may also see TCP connections with this source/destination port
123              Dynamic  S/NTP    The port on which Simple Network Time Protocol (S/NTP) servers run; they also broadcast to this port
27910~27961/udp  Dynamic  Quake    Quake or Quake-engine games run their servers on these ports, so UDP packets from or to this range are usually games
61000 or above   Dynamic  FTP      Ports at or above 61000 may come from a Linux NAT server (IP masquerade)
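The source-port reading described in this section, together with the three port categories and the 5632/22 byte-swap noted earlier, can be turned into a small log classifier. This is an added example, not code from the original article: the log line format and the sample lines are constructed, and the rule table is a hand-picked subset of the ports discussed above.

```python
"""Apply this article's source/destination port heuristics to firewall log
lines.  Added example, not code from the original article: the log format and
the sample lines are constructed, and the rules are a subset of the article's."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed log format: "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_line(line: str) -> Optional[Packet]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def port_class(port: int) -> str:
    """The three-way split used in the article: well-known / registered / dynamic."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

def byte_swap16(port: int) -> int:
    """pcAnywhere probes 5632 (0x1600); the same 16-bit value with its bytes
    swapped is 0x0016 = 22, which is why those scans also hit 22/udp."""
    return ((port & 0xFF) << 8) | ((port >> 8) & 0xFF)

# (low, high, proto, label).  Source-port rules follow section (II); the
# destination-port rules come from the port list in section 1.
SOURCE_RULES = [
    (1, 5, "tcp", "sscan script (FTP source ports 1-5)"),
    (20, 20, "tcp", "FTP server data connection"),
    (53, 53, "udp", "DNS response (source port 53)"),
    (123, 123, "udp", "S/NTP server traffic"),
    (27910, 27961, "udp", "Quake-engine game server"),
    (61000, 65535, "any", "possible Linux NAT (IP masquerade) source"),
]
DEST_RULES = [
    (5632, 5632, "udp", "pcAnywhere scan"),
    (31789, 31790, "udp", "Hack-a-tack RAT (control 31789 / transfer 31790)"),
    (32770, 32900, "any", "Solaris RPC range (portmapper hunting)"),
    (33434, 33600, "udp", "traceroute"),
]

def _match(rules, port: int, proto: str) -> Optional[str]:
    for low, high, rule_proto, label in rules:
        if low <= port <= high and rule_proto in ("any", proto):
            return label
    return None

def explain(pkt: Packet) -> str:
    """The article's reading of one packet: source port first, as section (II)
    advises, then destination port, then a fallback naming the port classes."""
    label = _match(SOURCE_RULES, pkt.sport, pkt.proto)
    if label:
        return f"source {pkt.sport}/{pkt.proto}: {label}"
    label = _match(DEST_RULES, pkt.dport, pkt.proto)
    if label:
        return f"destination {pkt.dport}/{pkt.proto}: {label}"
    if pkt.proto == "udp" and pkt.dport == byte_swap16(5632):
        return "destination 22/udp: pcAnywhere probe (byte-swapped 5632)"
    return (f"unclassified: destination {pkt.dport} is a {port_class(pkt.dport)} "
            f"port, source {pkt.sport} is {port_class(pkt.sport)}")

def classify_log(text: str) -> List[str]:
    """Explain every parseable line of a log; unparseable lines are skipped."""
    return [explain(p) for p in map(parse_line, text.splitlines()) if p]

# Constructed sample lines (documentation IP ranges, not a real capture).
SAMPLE_LOG = """\
udp 192.0.2.10:53 -> 203.0.113.5:1035
udp 198.51.100.7:1234 -> 203.0.113.5:5632
udp 198.51.100.7:1234 -> 203.0.113.5:22
udp 192.0.2.20:27910 -> 203.0.113.5:2121
udp 192.0.2.30:40000 -> 203.0.113.5:33500
tcp 192.0.2.40:61500 -> 203.0.113.5:80
tcp 192.0.2.50:4444 -> 203.0.113.5:1243
not a log line
"""

if __name__ == "__main__":
    for verdict in classify_log(SAMPLE_LOG):
        print(verdict)
```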

1. What is SUBSEVEN (Sub-7)?

Sub-7 is one of the most famous remote control Trojans and has become an easy-to-use, powerful one. The reasons are:
1] It is easy to obtain and is upgraded quickly. Most Trojans are released once and then see no further development beyond bug fixes.
2] The program not only contains a scanner but can also use the controlled machine to scan.
3] Its author once ran a contest for taking control of websites with Sub-7.
4] It supports "port redirection", so any attacker can use it to control the victim's machine.
5] It has many functions related to ICQ, AOL IM, MSN Messenger and Yahoo Messenger, including password sniffing and sending messages.
6] It has many UI-related functions, such as flipping the screen, playing sounds through the victim's speakers, and peeking at the victim's screen.
In short, it is not only a hacking tool but a toy, a toy for intimidating victims.

Sub-7 was written by a man who called himself "Mobman".
Sub-7 may use the following ports:

1243 Default connection port of older versions
2772 Screen capture port
2773 Keystroke logging port
6711 ???
6776 I don't know what this port is for, but some versions use it as a backdoor (i.e., it can be connected to without a password).
7215 "matrix" chat program
27374 v2.0 default port
54283 Spy port

DNS packets from low ports
Q: I see many DNS requests coming from ports below 1024. Aren't these ports "reserved"? Shouldn't they use ports 1024-65535?
A: They come from machines behind a NAT firewall. NAT does not need to respect the reserved ports. (Ryan Russell/

Q: My firewall discards many packets with source ports below 1024, so DNS queries fail.
A: Do not filter this way. Many firewalls have similar rules, but they are misguided, because an attacker can forge any port.

Q: Are these NAT firewalls behaving abnormally?
A: Not in theory, but in practice it leads to failures. The correct approach is to guarantee DNS communication under all circumstances (especially in setups that "proxy" DNS and force DNS through port 53).

Q: I thought DNS queries should use random ports above 1024?
A: Ordinary DNS clients do use non-reserved ports, but many programs use port 53. In any case NAT changes everything, because it rewrites every SOCKET (IP + port combination).

VI) As soon as I dialed up and connected to my ISP, my personal firewall started warning "someone is probing your port xxxx".
This is very common. You are using an IP address assigned by the ISP, and someone else was using it just before you. What you see is "leftover" traffic meant for the previous user.
A common example is chat programs. If someone has just hung up, the person they were chatting with keeps trying to reconnect, and some programs have very long "timeout" settings, such as POWWOW or ICQ.
Another example is multiplayer online games. You will see announcements from game providers (such as MPlayer) or from other unknown game servers. These games are usually UDP-based, so no connection is established, but to give a smoother user experience they are very "persistent" in trying to establish one. Here are some game ports:

7777 Unreal, Klingon Honor Guard
7778 Unreal Tournament
22450 Sin
26000 Quake
26900 Hexen 2
26950 HexenWorld
27015 Half-life, Team Fortress Classic (TFC)
27500 QuakeWorld
27910 Quake 2
28000-28008 Starsiege TRIBES
28910 Heretic 2

Another example is multimedia streaming. For example, the RealAudio client uses ports 6970-7170 to receive audio data.

You need to look at the source. For example, the ICQ server runs on port 4000 while its clients use high random ports, so you will see UDP packets from port 4000 to high random ports. In other words, do not look up a random high port in the port list to find its purpose; what matters is the source port.

Sub-7 has a similar issue. It uses different TCP connections for different services, and if the victim's machine goes offline the controller keeps trying to connect to the victim's ports, especially port 6776.

I still don't understand: what should I do when someone tries to connect to one of my ports?
You can use Netcat to create a listening process. For example, to listen on port 1234:
NETCAT -L -p 1234
Many protocols send data at the start of a connection. By listening on the port with Netcat you can often work out which protocol the other side is speaking. If you are lucky it is HTTP, which gives you plenty of information to track down what is happening.
The "-L" option makes Netcat keep listening. Normally Netcat accepts one connection, copies its contents, and exits; with this option it keeps running and listens for multiple connections.
