Readers who know something about hacker attacks will be aware that the so-called hackers are not as mysterious as people imagine: they really do come in through your computer's "gate". The computer's "gate" is what we usually call a "port". This includes the computer's physical ports, such as the serial port, the parallel port, input/output devices and adapter interfaces (these ports are visible), but more important are the invisible software ports. The ports described in this article are "software ports", but for convenience they are still referred to collectively as "ports". This article only introduces the basic knowledge of ports,
First, an introduction to ports
With the development of computer network technology, the original physical interfaces (keyboard, mouse, network card, display card and other input/output interfaces) could no longer meet the requirements of network communication, and the TCP/IP protocol, as the standard protocol for network communication, solved this communication problem. The TCP/IP protocol is integrated into the kernel of the operating system, which is equivalent to introducing a new input/output interface technology into the operating system, because TCP/IP introduced an application interface called the "Socket". With this interface technology, a computer can communicate by software with any other computer that has a socket interface. A port is the "socket interface" on the computer.
Now that there are ports, how do they work? For example, why can one server be a web server, an FTP server and a mail server at the same time? One important reason is that different services use different ports: the TCP/IP protocol specifies that the web uses port 80, FTP uses another port, and mail servers use port 25. In this way, through different ports, the computer can communicate with the outside world without the services interfering with each other.
According to experts, a server can have at most 65535 ports, but in practice only a few dozen are used regularly, so a great many ports sit unused. This is why so many hacker programs use some method to define a special port of their own in order to break in. To define such a port, they must rely on a program that is loaded into memory automatically when the computer starts and that forces the computer to open that special port. Such a program is a "backdoor" program, which is usually a Trojan. Simply put, before the intrusion these Trojans are first implanted in the personal computer, where they open a particular port, commonly called the "backdoor", and turn the computer into an extremely open FTP server (on which the user has high permissions); the intrusion then proceeds through this backdoor.
Second, the classification of ports
Ports can be classified in different ways depending on the reference object. If they are divided by the nature of the port, there are usually three categories:
(1) Well Known Ports: this type is also called "commonly used ports". Their port numbers run from 0 to 1024 and are tightly bound to specific services. Communication on these ports normally indicates the protocol of one particular service, which cannot be redefined for another purpose. For example, port 80 is in fact used for HTTP communication, and port 23 is dedicated to the Telnet service. Hacker programs such as Trojans usually do not use these ports. So that everyone is aware of these common ports, the services on them are listed in detail later in this article for reference.
(2) Registered Ports: the port numbers run from 1025 to 49151. They are loosely bound to certain services; that is, many services are bound to these ports, and these ports are also used for many other purposes. Most of these ports have no clearly defined service object, and different programs can define them according to their own needs, as with the remote-control software and Trojans described later. Remembering the ports of these common programs is very necessary for guarding against and removing Trojans. The ports used by common Trojans are listed in detail later.
(3) Dynamic and/or Private Ports: the port numbers run from 49152 to 65535. In theory, commonly used services should not be assigned to these ports. In practice, some rather special programs, especially some Trojans, are very fond of using these ports, because they usually attract no attention and are easy to hide in.
If ports are divided by the transport protocol of the service they provide, they can be divided into "TCP protocol ports" and "UDP protocol ports".
This is because communication between computers generally uses one of these two protocols. One is the "connection-oriented" mode described above: a connection is made to the receiver first, and after the information is sent it can confirm whether the information arrived; this mode uses the TCP protocol. The other does not connect to the receiver first; it simply places the information on the network, regardless of whether it arrives, and this is the "connectionless" mode described earlier. This approach mostly uses the UDP protocol; the IP protocol is also connectionless. The ports of the services provided over these two communication protocols are accordingly divided into "TCP protocol ports" and "UDP protocol ports".
The common ports that use the TCP protocol are the following:
(1) FTP: defines the File Transfer Protocol and uses port 21. When it is said that a computer has opened the FTP service, it means it has started the file-transfer service. Downloading files and uploading a home page both require the FTP service.
(2) Telnet: this is the port for remote login. A user can connect to a computer under his or her own identity and obtain a DOS-style command-line service through this port. The earlier BBS systems, for example, were pure character interfaces, and the servers supporting BBS opened port 23 to provide the service.
(3) SMTP: defines the Simple Mail Transfer Protocol; many mail servers now use this protocol, which is used to send mail. The common free mail services use this mail service port, which is why you often see this entry in your email settings; the server opens port 25.
(4) POP3: the counterpart of SMTP, POP3 is used to receive mail. Typically the POP3 protocol uses port 110. As long as you have a program that uses the POP3 protocol (such as Foxmail or Outlook), you can receive mail directly without logging into the mailbox interface through the web (for example, you no longer need to open the NetEase website first and then enter your own mailbox to receive it).
The common ports that use the UDP protocol are the following:
(1) HTTP: this is the most widely used protocol, the "Hypertext Transfer Protocol". When you browse a web page online, the computer that provides the page must open port 80 to provide the service. What people often call the "WWW service" or "web server" uses this port.
(2) DNS: the domain name resolution service; in Windows NT systems this service is used. Every computer on the Internet has a network address in the form of an IP address, which is written as pure digits separated by ".". This is inconvenient to remember, so domain names exist. When accessing a computer you only need to know its domain name, and the translation between the domain name and the IP address is done by the DNS server. DNS uses port 53.
(3) SNMP: the Simple Network Management Protocol, using port 161, is used to manage network devices. Because there are many network devices, the connectionless service shows its advantage here.
(4) OICQ: the OICQ program both accepts service and provides service, so the two chatting parties are equal. OICQ uses a connectionless protocol, that is, the UDP protocol. The OICQ server uses port 8000 to listen for incoming information, and the client uses port 4000 to send information outward. If these two ports are already in use (as when several people are chatting with several friends), the next port numbers in sequence are used.
Of the more than 60,000 ports on a computer, the port numbers below 1024 are typically called common ports, and the services corresponding to these common ports are generally fixed. Table 1 lists the default ports of various servers; these may not be changed arbitrarily, and ordinary communication mainly uses these ports.
Table 1

Service Type    Default Port
Echo            7
daytime         13
FTP             21
TELNET          23
SMTP            25
TIME            37
WHOIS           43
DNS             53
GOPHER          70
Finger          79
www             80
pop3            110
NNTP            119
IRC             194
In addition, proxy servers often use the following ports:
(1) HTTP protocol proxy servers commonly use port numbers 80/8080/3128/8081/9080.
(2) SOCKS proxy protocol servers commonly use port number 1080.
(3) FTP protocol proxy servers commonly use port number 21.
(4) Telnet protocol proxy servers commonly use port 23.
Third, ports in hacker attacks
Hacking programs such as Trojans achieve their purpose by intruding through ports. In their use of ports, hacker programs usually take two approaches, namely "port listening" and "port scanning".
"Port listening" and "port scanning" are two port techniques that are often used both in hacker attacks and in protection. In hacker attacks they are used to find targets and obtain useful information; in personal and network protection, this type of port technique can also be used to discover hacker attacks and certain security vulnerabilities in time. Let us first briefly introduce the difference between the two port techniques.
"Port listening" means using a program to monitor the ports of the target computer, and it can be used on the target computer. Listening can also capture other people's useful information. It is mainly used in hacker software, but it is also very useful for individuals: you can use a listener to protect your own computer by monitoring selected ports on it, so that some hacker attacks can be discovered and intercepted. You can also listen on a specified port of a computer to see whether it is idle, so as to intrude.
"Port scanning" means connecting to the TCP or UDP ports of the target system to determine what services are running and then obtaining the corresponding user information. Many people now lump "port listening" and "port scanning" together, and if the distinction is unclear they will not know when to use listening technology and when to use scanning technology. However, this type of software now seems to blur the two techniques somewhat, and some simply integrate both functions into one.
"Port listening" and "port scanning" are similar but also different. They are similar in that both can monitor the target computer. The difference is that "port listening" is a passive process: it waits for others to connect and detects the information it needs from the other party's connection. In personal use, if it is set to report to the user immediately when a listened port is connected to, it can effectively catch a hacker's connection attempt, and a Trojan residing on this machine can then be removed. Such a listener is generally installed on the target computer. In hacking, "port listening" usually means the hacker sends a server-side program that captures information while the server is waiting during normal activity, and then transmits it through the UDP protocol. "Port scanning" is an active process: it actively scans the selected ports of the target computer and discovers all activity on the selected ports in real time (especially certain online activities). The scanner is typically installed on the client side, but when connecting to the server side it also mainly uses connectionless UDP protocol connections.
When information is propagated in the network, a tool can be used to set the network interface to listening mode, and then the information transmitted in the network can be received or captured, and an attack can follow. Port listening can be performed at any location in the network, and hackers generally use port listening to intercept user passwords.
Fourth, the principle of port listening
Ethernet is a protocol that sends the data to be transmitted to all computers connected to the same medium. The packet header carries the correct address of the computer that should receive the packet, since only the computer whose address matches the destination address in the packet can receive it. However, when a computer works in listening mode, it can receive the packet regardless of the destination physical address in it. When two computers in the same network communicate, the source computer sends the packet carrying the destination computer's address directly to the destination; when a computer in the network communicates with an external computer, the source computer sends the packet carrying the destination computer's IP address to the gateway. However, this packet is not handed directly to the upper layers of the protocol stack: the packet to be sent must be passed from the IP layer of the TCP/IP protocol to the network interface. The network interface does not recognize IP addresses; at the network interface, the packet carrying the IP address from the IP layer has part of an Ethernet frame header prepended. In the frame header there are two fields, the physical addresses of the source computer and of the destination computer, which the network interface can identify. This is a 48-bit address that corresponds to the IP address; in other words, an IP address also corresponds to a physical address. For a computer acting as a gateway, because it is connected to multiple networks, it also has several IP addresses, one in each network. Relaying to other networks is carried by the gateway's physical address. The frame carrying the physical address is sent out from the network port (or from the gateway port) onto the physical line.
If the local area network is connected by thick or thin coaxial cable, the digital signal transmitted on the cable reaches every computer on the line. When a hub is used, the transmitted signal reaches the hub, and the hub forwards it to every line connected to it. In this way the digital signal transmitted on the physical line reaches every computer connected to the hub. When the digital signal arrives at a computer's network interface, in the normal state the network interface checks the data frame: if the physical address carried in the frame is its own or is the broadcast address, the frame is handed to the IP layer software. This process is performed for every data frame that reaches the network interface. But when the computer works in listening mode, all data frames are handed to the upper-layer protocol software for processing.
When the computers connected to the same cable or hub are logically divided into several subnets, if one computer is in listening mode it can also receive packets from computers that are not in its own subnet (using a different mask, IP address and gateway); all information transmitted on the same physical channel can be received.
On a UNIX system, when a user with superuser privileges wants to put the computer under his control into listening mode, he only needs to send an I/O control command to the interface (network interface) to set the computer to listening mode. On Windows 9x systems, a user can achieve this directly by running a listening tool, regardless of whether the user has permission.
When a port is being listened on, a large amount of information is usually saved (including a lot of junk information), and processing the collected information takes a lot of work, which makes the listening computer respond very slowly to other users' requests. At the same time, the listener consumes a lot of processor time while running; if it analyzed every packet in detail, many packets would arrive and be missed. So the listening program saves the captured packets in a file for later analysis. Analyzing the captured packets is a real headache, because packets in the network are very complex: two computers continuously send and receive packets, and the interactions of other computers are mixed into the listening results as well. Consolidating the packets of the same TCP session is no easy task for the listener, and if you also hope to organize the user's detailed information, a lot of analysis based on the protocol is needed.
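As an added illustration of the frame-filtering and session-grouping steps described above (example code written for this article, not the original author's; the MAC addresses, IP addresses and telnet payloads are constructed sample data, not captured traffic), the following Python builds a few Ethernet/IPv4/TCP frames, applies the destination-address check a network interface performs in normal mode versus listening mode, and then groups the frames that get through by TCP session:

```python
import struct
from collections import defaultdict

BROADCAST_MAC = b"\xff\xff\xff\xff\xff\xff"
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6


def mac_bytes(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def ip_bytes(text):
    """'10.0.0.1' -> 4 raw bytes."""
    return bytes(int(part) for part in text.split("."))


def build_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet II / IPv4 / TCP frame (sample data only).
    Checksums are left at zero because this is for parsing, not for sending."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def nic_accepts(frame, own_mac, listening_mode=False):
    """The check a network interface makes in normal mode: the destination MAC must be
    its own address or the broadcast address. In listening (promiscuous) mode every
    frame is handed up regardless of its destination."""
    if listening_mode:
        return True
    dst = frame[:6]
    return dst == mac_bytes(own_mac) or dst == BROADCAST_MAC


def parse_tcp_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an Ethernet/IPv4/TCP frame,
    or None for anything else (ARP, non-TCP, truncated)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    header_len = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[header_len:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, sport, dport, tcp[data_offset:]


def session_key(src_ip, sport, dst_ip, dport):
    """Order the two endpoints so both directions of one TCP conversation share a key."""
    a, b = (src_ip, sport), (dst_ip, dport)
    return (a, b) if a <= b else (b, a)


def collect_sessions(frames, own_mac, listening_mode):
    """Run frames through the interface filter, parse the survivors, group payloads per session."""
    sessions = defaultdict(list)
    for frame in frames:
        if not nic_accepts(frame, own_mac, listening_mode):
            continue
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, sport, dport, payload = parsed
        sessions[session_key(src_ip, sport, dst_ip, dport)].append((src_ip, sport, payload))
    return dict(sessions)


def sample_frames():
    """Constructed traffic on one shared segment: host A (10.0.0.1) logs in to the telnet
    port of host B (10.0.0.2), plus one broadcast ARP-type frame. A third host C only listens."""
    a_mac, b_mac = "02:00:00:00:00:01", "02:00:00:00:00:02"
    return [
        build_tcp_frame(a_mac, b_mac, "10.0.0.2", "10.0.0.1", 23, 40001, b"login: "),
        build_tcp_frame(b_mac, a_mac, "10.0.0.1", "10.0.0.2", 40001, 23, b"alice\r\n"),
        BROADCAST_MAC + mac_bytes(a_mac) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28),
    ]


if __name__ == "__main__":
    c_mac = "02:00:00:00:00:03"
    print("C, normal mode:   ", collect_sessions(sample_frames(), c_mac, False))
    print("C, listening mode:", collect_sessions(sample_frames(), c_mac, True))
```

In normal mode host C sees nothing of the telnet login (the broadcast frame passes the filter but is not TCP); in listening mode both directions of the conversation land under one session key, which is the consolidation step the text calls laborious once real traffic from many hosts is mixed in.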
The protocols used in the network were designed early on, and many of their implementations are based on a very friendly and trusting relationship between the communicating parties. In a typical network environment, the user's information, including passwords, is transmitted over the network in clear text, so obtaining user information by port listening is not difficult; anyone with a preliminary knowledge of TCP/IP can easily capture the information they want.
Fifth, the principle of port scanning
"Port scanning" usually refers to sending packets to all the ports of the target computer one wishes to scan, and then analyzing from the returned port states whether each port of the target computer is open. An important feature of a "port scan" is that, within a short period of time, there are many packets from the same source address to different destination ports.
For those who attack with port scans, the attacker can always obtain the scan results while making it difficult to be discovered or traced back. To hide the attack, the attacker can scan slowly; unless the target system is usually idle (so that a packet arriving at a port with no listener is noticed by the administrator), it is difficult to recognize. The way to hide the source address is to send a large number of spoofed port-scan packets (1000), only one of which comes from the real source address. In this way, even if all the packets (1000) are noticed and recorded, no one knows which one is the true source address; it can only be said that "there was a scan once". It is for this reason, too, that such hackers will not stop using this port-scanning technique to obtain the target computer's information and launch malicious attacks.
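The detection side of the feature just described (many packets from one source to many destination ports in a short time) can be written as a sliding-window count over connection records. The following Python is an added example for this article, not the author's code; the log lines are constructed sample records, not a real firewall log, and the 60-second window and five-port threshold are illustrative choices:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-attempt records: timestamp, source IP, destination IP, destination port.
# Three sources: a fast scanner (10.0.0.5), a normal web client (10.0.0.7) and a slow scanner
# (10.0.0.9) that touches one port every two minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 192.168.1.10 21
2024-05-01T10:00:00 10.0.0.5 192.168.1.10 22
2024-05-01T10:00:01 10.0.0.5 192.168.1.10 23
2024-05-01T10:00:01 10.0.0.5 192.168.1.10 25
2024-05-01T10:00:02 10.0.0.5 192.168.1.10 80
2024-05-01T10:00:03 10.0.0.5 192.168.1.10 110
2024-05-01T10:01:00 10.0.0.7 192.168.1.10 80
2024-05-01T10:01:01 10.0.0.7 192.168.1.10 80
2024-05-01T10:01:02 10.0.0.7 192.168.1.10 443
2024-05-01T10:01:03 10.0.0.7 192.168.1.10 80
2024-05-01T10:01:05 10.0.0.7 192.168.1.10 80
2024-05-01T10:05:00 10.0.0.9 192.168.1.10 21
2024-05-01T10:07:00 10.0.0.9 192.168.1.10 22
2024-05-01T10:09:00 10.0.0.9 192.168.1.10 23
2024-05-01T10:11:00 10.0.0.9 192.168.1.10 25
2024-05-01T10:13:00 10.0.0.9 192.168.1.10 80
2024-05-01T10:15:00 10.0.0.9 192.168.1.10 110
"""


def parse_log(text):
    """Turn log lines into (timestamp, source, dest, port) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return events


def detect_scans(events, window=timedelta(seconds=60), min_ports=5):
    """Flag a (source, dest) pair when, within any sliding time window, the source touched
    at least min_ports distinct destination ports on that host.
    Returns {(source, dest): most distinct ports seen inside one window}."""
    per_pair = defaultdict(list)
    for ts, src, dst, port in events:
        per_pair[(src, dst)].append((ts, port))
    flagged = {}
    for pair, hits in per_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # advance the window start until the oldest hit fits inside the window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({port for _, port in hits[start:end + 1]})
            if distinct >= min_ports:
                flagged[pair] = max(flagged.get(pair, 0), distinct)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("60 s window:  ", detect_scans(events))
    print("15 min window:", detect_scans(events, window=timedelta(minutes=15)))
```

With the 60-second window only the fast scanner is flagged; the slow scanner, which is the evasion the text describes, only shows up once the window is widened to 15 minutes, at the cost of more state to keep. Against the decoy trick (1000 spoofed sources), this detector flags every spoofed source separately, which is exactly why the text says one can only conclude that "there was a scan once".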
Currently, port scanning is usually performed with port scanning software, also called a "port scanner". Port scanning can serve three purposes: (1) identify the TCP and UDP services running on the target system; (2) identify the operating system type of the target system (Windows 9x, Windows NT, UNIX, etc.); (3) identify the version number of an application or a particular service.
A port scanner is a program that automatically detects security weaknesses of a remote or local computer. By using a scanner you can discover the allocation of the various TCP ports on a remote server and the services they provide, and you can also learn which software versions they are using! This gives an indirect understanding of the security problems of the remote computer.
The port scanner records the responses of the target computer's ports by selecting and probing the different services of the remote TCP/IP protocol, from which it can collect a lot of useful information about the target computer (for example: is a port listening? is anonymous login allowed? is there a writable FTP directory? can Telnet be used? and so on).
A port scanner is not a program that directly attacks network vulnerabilities; it only helps find certain intrinsic weaknesses of the target machine. A good scanner can also analyze the data it obtains to help find vulnerabilities of the target computer, but it does not provide detailed steps for entering a system.
A port scanner has capabilities in three areas during a scan: (1) the ability to discover a computer or a network; (2) once a computer is found, the ability to discover what services are running on the target computer; (3) by testing those services on the target computer, the ability to discover the vulnerabilities that exist.
Writing a scanner requires a good deal of knowledge of TCP/IP protocol programming and of the C, Perl and/or shell languages. It also requires some socket programming, the method for developing client/server applications.
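To make concrete both the point from the introduction that one host offers several services by answering on different ports, and the service-identification step a scanner performs with socket programming, the following Python (an added example written for this article, not the original author's code) starts two throwaway banner services on the loopback address, connects to each port to read its banner, and then audits the host's listeners against an expected port-to-service list in the style of Table 1. The banners and port assignments are constructed, and the code deliberately talks only to 127.0.0.1, the administrator's own machine:

```python
import socket
import threading


def start_banner_service(banner):
    """Start a throwaway TCP service on 127.0.0.1 and an ephemeral port; it sends `banner`
    to every client and closes. Returns the port it was given. A constructed stand-in for a
    real web or FTP daemon, for demonstration only."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    port = server.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Pick a port that is currently closed on 127.0.0.1 (bind to 0, read it back, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(port, timeout=2.0):
    """Connect to 127.0.0.1:port. Returns the banner bytes when something answers
    (b'' if it accepts but stays silent), or None when the port is closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(("127.0.0.1", port))
        except OSError:
            return None
        try:
            return s.recv(256)
        except OSError:
            return b""


def audit_local_ports(expected, candidates):
    """Compare the host's actual listeners with an expected port->service map.
    Returns (unexpected_open, expected_closed): ports that answer but are not on the
    list (the kind of thing a backdoor would show up as), and listed ports that do not answer."""
    unexpected_open, expected_closed = [], []
    for port in sorted(set(expected) | set(candidates)):
        is_open = probe(port) is not None
        if is_open and port not in expected:
            unexpected_open.append(port)
        elif not is_open and port in expected:
            expected_closed.append(port)
    return unexpected_open, expected_closed


if __name__ == "__main__":
    web = start_banner_service(b"HTTP/1.0 200 OK\r\n")
    ftp = start_banner_service(b"220 toy FTP ready\r\n")
    extra = start_banner_service(b"hello from an unexpected listener\r\n")
    print("web banner:", probe(web))
    print("ftp banner:", probe(ftp))
    print("audit:", audit_local_ports({web: "www", ftp: "ftp", free_port(): "smtp"}, [extra]))
```

The same host answers differently on each port, which is the multiplexing the introduction describes; the audit then reports the unlisted listener and the expected-but-silent "smtp" port, the two findings a defender actually cares about when comparing a machine against its service list.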
Sixth, common ports
Of the more than 60,000 ports on a computer, the port numbers below 1024 are typically called common ports, and the services corresponding to these common ports are generally fixed, so knowing these common ports is very necessary for certain programs. Table 2 below lists the services corresponding to the computer's common ports (note: in this list, the number before "=" is the port number, and what follows "=" is the service corresponding to that port).
Table 2

1 = tcpmux (TCP Port Service Multiplexer)
2 = compressnet (Management Utility)
3 = compressnet (Compression Process)
5 = rje (Remote Job Entry)
7 = echo (Echo)
9 = discard
11 = systat (Active Users)
13 = daytime
17 = qotd (Quote of the Day)
18 = msp (Message Send Protocol)
19 = Character Generator
20 = ftp-data (File Transfer [Default Data])
21 = ftp (File Transfer [Control])
22 = ssh
23 = telnet
24 = private mail system
25 = smtp (Simple Mail Transfer)
27 = nsw-fe (NSW User System FE)
29 = msg-icp
31 = msg-auth
33 = Display Support Protocol
35 = private printer server
37 = time
38 = rap (Route Access Protocol)
39 = rlp (Resource Location Protocol)
41 = graphics
42 = nameserver (WINS Host Name Server)
43 = nicname (Who Is)
44 = mpm-flags (MPM FLAGS Protocol)
45 = mpm (Message Processing Module [recv])
46 = mpm-snd (MPM [default send])
47 = ni-ftp
48 = Digital Audit Daemon
49 = tacacs (Login Host Protocol (TACACS))
50 = re-mail-ck (Remote Mail Checking Protocol)
51 = la-maint (IMP Logical Address Maintenance)
52 = xns-time (XNS Time Protocol)
53 = Domain Name Server
54 = xns-ch (XNS Clearinghouse)
55 = isi-gl (ISI Graphics Language)
56 = xns-auth (XNS Authentication)
57 = private terminal access
58 = xns-mail (XNS Mail)
59 = private file service
61 = ni-mail (NI MAIL)
62 = acas (ACA Services)
63 = whois
64 = covia (Communications Integrator (CI))
65 = tacacs-ds (TACACS-Database Service)
66 = sql*net (Oracle SQL*NET)
67 = bootps (Bootstrap Protocol Server)
68 = bootpc (Bootstrap Protocol Client)
69 = tftp (Trivial File Transfer)
70 = gopher
71 = netrjs-1 (Remote Job Service)
72 = netrjs-2 (Remote Job Service)
73 = netrjs-3 (Remote Job Service)
74 = netrjs-4 (Remote Job Service)
75 = private dial out service
76 = deos (Distributed External Object Store)
77 = private RJE service
78 = vettcp
79 = finger
80 = http (World Wide Web HTTP)
81 = hosts2-ns (Hosts2 Name Server)
82 = xfer (XFER Utility)
83 = mit-ml-dev (MIT ML Device)
84 = ctf (Common Trace Facility)
85 = mit-ml-dev (MIT ML Device)
86 = mfcobol (Micro Focus Cobol)
87 = private terminal link
88 = kerberos
89 = su-mit-tg (SU/MIT Telnet Gateway)
90 = dnsix (DNSIX Security Attribute Token Map)
91 = mit-dov (MIT Dover Spooler)
92 = npp (Network Printing Protocol)
93 = dcp (Device Control Protocol)
94 = objcall (Tivoli Object Dispatcher)
95 = supdup
96 = dixie (DIXIE Protocol Specification)
97 = swift-rvf (Swift Remote Virtual File Protocol)
98 = tacnews
99 = metagram (Metagram Relay)
100 = newacct [unauthorized use]
101 = hostname (NIC Host Name Server)
102 = iso-tsap (ISO-TSAP Class 0)
103 = gppitnp (Genesis Point-to-Point Trans Net)
104 = acr-nema (ACR-NEMA Digital Imag. & Comm. 300)
105 = Mailbox Name Nameserver
106 = 3com-tsmux (3COM-TSMUX)
107 = rtelnet (Remote Telnet Service)
108 = snagas (SNA Gateway Access Server)
109 = pop2 (Post Office Protocol - Version 2)
110 = pop3 (Post Office Protocol - Version 3)
111 = sunrpc (SUN Remote Procedure Call)
112 = mcidas (McIDAS Data Transmission Protocol)
113 = auth (Authentication Service)
114 = audionews (Audio News Multicast)
115 = sftp (Simple File Transfer Protocol)
116 = ansanotify (ANSA REX Notify)
117 = uucp-path (UUCP Path Service)
118 = sqlserv
119 = nntp (Network News Transfer Protocol)
120 = cfdptkt
121 = erpc (Encore Expedited Remote Pro.Call)
122 = smakynet
123 = ntp (Network Time Protocol)
124 = ansatrader (ANSA REX Trader)
125 = locus-map (Locus PC-Interface Net Map Ser)
126 = unitary (Unisys Unitary Login)
127 = locus-con (Locus PC-Interface Conn Server)
128 = gss-xlicen (GSS X License Verification)
129 = pwdgen (Password Generator Protocol)
130 = cisco-fna (cisco FNATIVE)
131 = cisco-tna (cisco TNATIVE)
132 = cisco-sys (cisco SYSMAINT)
133 = statsrv (Statistics Service)
134 = ingres-net (INGRES-NET Service)
135 = epmap (DCE endpoint resolution)
136 = profile (PROFILE Naming System)
137 = netbios-ns (NETBIOS Name Service)
138 = netbios-dgm (NETBIOS Datagram Service)
139 = netbios-ssn (NETBIOS Session Service)
140 = emfis-data (EMFIS Data Service)
141 = emfis-cntl (EMFIS Control Service)
142 = bl-idm (Britton-Lee IDM)
143 = imap (Internet Message Access Protocol)
144 = news
145 = uaac (UAAC Protocol)
146 = iso-tp0
147 = iso-ip
148 = jargon
149 = aed-512 (AED 512 Emulation Service)
150 = sql-net
151 = hems
152 = bftp (Background File Transfer Program)
153 = sgmp
154 = netsc-prod (NETSC)
155 = netsc-dev (NETSC)
156 = sqlsrv (SQL Service)
157 = knet-cmp (KNET/VM Command/Message Protocol)
158 = pcmail-srv
159 = nss-routing
160 = sgmp-traps
161 = snmp
162 = snmptrap
163 = cmip-man
164 = cmip-agent
165 = xns-courier (Xerox)
166 = s-net (Sirius Systems)
167 = namp
168 = rsvd
169 = send
170 = print-srv (Network PostScript)
171 = multiplex (Network Innovations Multiplex)
172 = cl/1 (Network Innovations CL/1)
173 = xyplex-mux (Xyplex)
174 = mailq
175 = vmnet
176 = genrad-mux
177 = xdmcp (X Display Manager Control Protocol)
178 = nextstep (NextStep Window Server)
179 = bgp (Border Gateway Protocol)
180 = ris (Intergraph)
181 = unify
182 = audit (Unisys Audit SITP)
183 = ocbinder
184 = ocserver
185 = remote-kis
186 = kis (KIS Protocol)
187 = aci (Application Communication Interface)
188 = mumps (Plus Five's MUMPS)
189 = qft (Queued File Transport)
190 = gacp (Gateway Access Control Protocol)
191 = prospero (Prospero Directory Service)
192 = osu-nms (OSU Network Monitoring System)
193 = srmp (Spider Remote Monitoring Protocol)
194 = irc (Internet Relay Chat Protocol)
195 = dn6-nlm-aud (DNSIX Network Level Module Audit)
196 = dn6-smm-red (DNSIX Session Mgt Module Audit Redir)
197 = dls (Directory Location Service)
198 = dls-mon (Directory Location Service Monitor)
199 = smux
200 = src (IBM System Resource Controller)
201 = at-rtmp (AppleTalk Routing Maintenance)
202 = at-nbp (AppleTalk Name Binding)
203 = at-3 (AppleTalk Unused)
204 = at-echo (AppleTalk Echo)
205 = at-5 (AppleTalk Unused)
206 = at-zis (AppleTalk Zone Information)
207 = at-7 (AppleTalk Unused)
208 = at-8 (AppleTalk Unused)
209 = qmtp (The Quick Mail Transfer Protocol)
210 = z39.50 (ANSI Z39.50)
211 = 914c/g (Texas Instruments 914C/G Terminal)
212 = anet (ATEXSSTR)
213 = ipx
214 = vmpwscs
215 = softpc (Insignia Solutions)
216 = CAIlic (Computer Associates Int'l License Server)
217 = dbase (dBASE Unix)
218 = mpp (Netix Message Posting Protocol)
219 = uarps (Unisys ARPs)
220 = imap3 (Interactive Mail Access Protocol v3)
221 = fln-spx (Berkeley rlogind with SPX auth)
222 = rsh-spx (Berkeley rshd with SPX auth)
223 = cdc (Certificate Distribution Center)
242 = direct
243 = sur-meas (Survey Measurement)
244 = dayna
245 = link
246 = dsp3270 (Display Systems Protocol)
256 = rap
257 = set (Secure Electronic Transaction)
258 = yak-chat (Yak Winsock Personal Chat)
259 = esro-gen (Efficient Short Remote Operations)
260 = openport
261 = naming-iiop-ssl (IIOP Naming Service (SSL))
262 = arcisdms
263 = hdap
280 = http-mgmt
281 = personal-link
282 = cableport-ax
309 = entrusttime
344 = pdap (Prospero Data Access Protocol)
345 = pawserv (Perf Analysis Workbench)
346 = zserv (Zebra server)
347 = fatserv (Fatmen Server)
348 = csi-sgwp (Cabletron Management Protocol)
349 = mftp
350 = matip-type-a
351 = matip-type-b
371 = clearcase
372 = ulistproc (ListProcessor)
373 = legent-1 (Legent Corporation)
374 = legent-2 (Legent Corporation)
375 = hassle
376 = nip (Amiga Envoy Network Inquiry Proto)
377 = tnETOS (NEC Corporation)
378 = dsETOS (NEC Corporation)
379 = is99c (TIA/EIA/IS-99 modem client)
380 = is99s (TIA/EIA/IS-99 modem server)
381 = hp-collector (HP performance data collector)
382 = hp-managed-node (HP performance data managed node)
383 = hp-alarm-mgr (HP performance data alarm manager)
384 = arns (A Remote Network Server System)
385 = ibm-app (IBM Application)
386 = asa (ASA Message Router Object Def.)
387 = aurp (AppleTalk Update-Based Routing Pro.)
388 = unidata-ldm (Unidata LDM Version 4)
389 = ldap (Lightweight Directory Access Protocol)
390 = uis
391 = synotics-relay (SynOptics SNMP Relay Port)
392 = synotics-broker (SynOptics Port Broker Port)
393 = dis (Data Interpretation System)
394 = embl-ndt (EMBL Nucleic Data Transfer)
395 = netcp (NETscout Control Protocol)
396 = netware-ip (Novell NetWare over IP protocol)
397 = mptn (Multi Protocol Trans. Net.)
398 = kryptolan
399 = iso-tsap-c2 (ISO Transport Class 2 Non-Control over TCP)
400 = work-sol (Workstation Solutions)
401 = ups (Uninterruptible Power Supply)
402 = genie (Genie Protocol)
403 = decap
404 = nced
405 = ncld
406 = imsp (Interactive Mail Support Protocol)
407 = timbuktu
408 = prm-sm (Prospero Resource Manager Sys. Man.)
409 = prm-nm (Prospero Resource Manager Node Man.)
410 = decladebug (DECLadebug Remote Debug Protocol)
411 = rmt (Remote MT Protocol)
412 = synoptics-trap (Trap Convention Port)
413 = smsp
414 = infoseek
415 = bnet
416 = silverplatter
417 = onmux
418 = hyper-g
419 = ariel1
420 = smpte
421 = ariel2
422 = ariel3
423 = opc-job-start (IBM Operations Planning and Control Start)
424 = opc-job-track (IBM Operations Planning and Control Track)
425 = icad-el (ICAD)
426 = smartsdp
427 = svrloc (Server Location)
428 = ocs_cmu
429 = ocs_amu
430 = utmpsd
431 = utmpcd
432 = iasd
433 = nnsp
434 = mobileip-agent
435 = mobilip-mn
436 = dna-cml
437 = comscm
438 = dsfgw
439 = dasp (dasp Thomas Obermair)
440 = sgcp
441 = decvms-sysmgt
442 = cvc_hostd
443 = https (https MCom)
444 = snpp (Simple Network Paging Protocol)
445 = microsoft-ds
446 = ddm-rdb
447 = ddm-dfm
448 = ddm-byte
449 = as-servermap
450 = tserver
451 = sfs-smp-net (Cray Network Semaphore Server)
452 = sfs-config server
453 = creativeserver
454 = contentserver
455 = creativepartnr
456 = macon-tcp
457 = scohelp
458 = appleqtc (Apple QuickTime)
459 = ampr-rcmd
460 = skronk
461 = datasurfsrv
462 = datasurfsrvsec
463 = alpes
464 = kpasswd
465 = ssmtp
466 = digital-vrc
467 = mylex-mapd
468 = photuris
469 = rcp (Radio Control Protocol)
470 = scx-proxy
471 = mondex
472 = ljk-login
473 = hybrid-pop
474 = tn-tl-w1
475 = tcpnethaspsrv
476 = tn-tl-fd1
477 = ss7ns
478 = spsc
479 = iafserver
480 = iafdbase
481 = ph (Ph service)
482 = bgs-nsi
483 = ulpnet
484 = integra-sme (Integra Software Management Environment)
485 = powerburst (Air Soft Power Burst)
486 = avian
487 = saft
488 = gss-http
489 = nest-protocol
490 = micom-pfs
491 = go-login
492 = ticf-1 (Transport Independent Convergence for FNA)
493 = ticf-2 (Transport Independent Convergence for FNA)
494 = pov-ray
495 = intecourier
496 = pim-rp-disc
497 = dantz
498 = siam
499 = iso-ill (ISO ILL Protocol)
500 = isakmp
501 = stmf
502 = asa-appl-proto
503 = intrinsa
504 = citadel
505 = mailbox-lm
506 = ohimsrv
507 = crs
508 = xvttp
509 = snare
510 = fcp (FirstClass Protocol)
511 = mynet (mynet-as)
512 = exec (remote process execution)
513 = login (remote login a la telnet)
514 = shell, cmd
515 = printer, spooler
516 = videotex
517 = talk (like tenex link)
518 = ntalk
519 = utime (unixtime)
520 = efs (extended file name server)
521 = ripng
522 = ulp
523 = ibm-db2
524 = ncp
525 = timed (timeserver)
526 = tempo (newdate)
527 = stx (Stock IXChange)
528 = custix (Customer IXChange)
529 = irc-serv
530 = courier, rpc
531 = conference, chat
532 = netnews
533 = netwall (for emergency broadcasts)
534 = mm-admin (MegaMedia Admin)
535 = iiop
536 = opalis-rdv
537 = nmsp (Networked Media Streaming Protocol)
538 = gdomap
539 = apertus-ldp (Apertus Technologies Load Determination)
540 = uucp
541 = uucp-rlogin
542 = commerce
543 = klogin
544 = kshell, krcmd
545 = appleqtcsrvr
546 = dhcpv6-client
547 = dhcpv6-server
548 = afpovertcp (AFP over TCP protocol)
549 = idfp
550 = new-rwho
551 = cybercash
552 = deviceshare
553 = pirp
554 = rtsp (Real Time Stream Control Protocol)
555 = dsf
556 = remotefs (rfs server)
557 = openvms-sysipc
558 = sdnskmp
559 = teedtap
560 = rmonitor
561 = monitor
562 = chshell, chcmd
563 = snews
564 = 9pfs (Plan 9 file service)
565 = whoami
566 = streettalk
567 = banyan-rpc
568 = ms-shuttle (Microsoft shuttle)
569 = ms-rome (Microsoft rome)
570 = meter, demon
571 = meter, udemon
572 = sonar
573 = banyan-vip
574 = ftp-agent (FTP Software Agent System)
575 = vemmi
576 = ipcd
577 = vnas
578 = ipdd
579 = decbsrv
580 = sntp-heartbeat (SNTP HEARTBEAT)
581 = bdp (Bundle Discovery Protocol)
600 = ipcserver (Sun IPC Server)
606 = urm (Cray Unified Resource Manager)
607 = nqs
608 = sift-uft (Sender-Initiated/Unsolicited File Transfer)
609 = npmp-trap
610 = npmp-local
611 = npmp-gui
612 = hmmp-ind (HMMP Indication)
613 = hmmp-op (HMMP Operation)
614 = sshell (SSLshell)
615 = sco-inetmgr (Internet Configuration Manager)
616 = sco-sysmgr (SCO System Administration Server)
617 = sco-dtmgr (SCO Desktop Administration Server)
618 = dei-icda
619 = digital-evm
620 = sco-websrvrmgr (SCO WebServer Manager)
633 = servstat (Service Status update (Sterling Software))
634 = ginad
635 = rlzdbase
636 = ssl-ldap
637 = lanserver
666 = mdqs
667 = disclose (campaign contribution disclosures - SDR Technologies)
668 = mecomm
669 = meregister
670 = vacdsm-sws
671 = vacdsm-app
672 = vpps-qua
673 = cimplex
674 = acap
704 = elcsd (errlog copy/server daemon)
705 = agentx
709 = entrust-kmsh (Entrust Key Management Service Handler)
710 = entrust-ash (Entrust Administration Service Handler)
729 = netviewdm1 (IBM NetView DM/6000 Server/Client)
730 = netviewdm2 (IBM NetView DM/6000 send)
731 = netviewdm3 (IBM NetView DM/6000 receive)
741 = netgw
742 = netrcs (Network based Rev. Cont. Sys.)
744 = flexlm (Flexible License Manager)
747 = fujitsu-dev (Fujitsu Device Control)
748 = ris-cm (Russell Info Sci Calendar Manager)
749 = kerberos-adm (Kerberos administration)
750 = rfile
751 = pump
752 = qrh
753 = rrh
754 = tell, send
758 = nlogin
759 = con
760 = ns
761 = rxe
762 = quotad
763 = cycleserv
764 = omserv
765 = webster
767 = phonebook, phone
769 = vid
770 = cadlock
771 = rtip
772 = cycleserv2
773 = submit
774 = rpasswd
775 = entomb
776 = wpages
780 = wpgs
786 = concert
800 = mdbs_daemon
801 = device
886 = iclcnet-locate (ICL coNETion locate server)
887 = iclcnet_svinfo (ICL coNETion server info)
888 = accessbuilder
911 = xact-backup
991 = nas (Netnews Administration System)
995 = spop3 (SSL based POP3)
996 = vsinet
997 = maitrd
998 = busboy
999 = garcon
1000 = cadlock
1023 = Reserved
1024 = Reserved
1435 = ibm-cics

Seventh, ports commonly used by Trojans
Trojans usually attack through a specific port, so knowing which ports common Trojans use is very helpful when checking a computer for Trojan programs. Table 3 below lists the ports used by some common Trojan programs.
Ports used by common domestic Trojans
8102 = Network Thief
2000 = 2000
2001 = Black Hole 2001
6267 = Guangwai Girl
7306 = Network Wizard 3.0, netspy3.0
7626 = Ice
8011 = Wulai Xiaozi (rogue kid), Phoenix
23444 = Network Bull, netbull
23445 = Network Bull, netbull
19191 = Blue Flame
27374 = Sub Seven 2.0, 77
Eastern Eye

Ports used by common foreign Trojans
53001 = Remote Windows Shutdown
121 = BO jammerkillahV
61466 = Telecommando
666 = Satanz Backdoor
65000 = Devil
1001 = Silencer
6400 = The tHing
1600 = Shivka-Burka
12346 = NetBus 1.x
1807 = SpySender
20034 = NetBus Pro
1981 = Shockrave
1243 = SubSeven
1001 = WebEx
30100 = NetSphere
1011 = Doly Trojan
1001 = Silencer
1170 = Psyber Stream Server
20000 = Millenium
1234 = Ultors Trojan
65000 = Devil 1.03
1245 = VooDoo Doll
7306 = NetMonitor
1492 = FTP99CMP
1170 = Streaming Audio Trojan
1999 = BackDoor
30303 = Socket23
2001 = Trojan Cow
6969 = Gatecrasher
2023 = Ripper
61466 = Telecommando
2115 = Bugs
12076 = Gjamer
2140 = Deep Throat
4950 = ICQTrojen
2140 = The Invasor
16969 = Priotrity
2801 = Phineas Phucker
1245 = VooDoo
30129 = Masters Paradise
5742 = WinCrash
3700 = Portal of Doom
2583 = WinCrash2
4092 = WinCrash
1033 = Netspy
4590 = ICQTrojan
1981 = ShockRave
5000 = Sockets de Troie
555 = Stealth Spy
5001 = Sockets de Troie 1.x
2023 = Pass Ripper
5321 = Firehotcker
666 = Attack FTP
5400 = Blade Runner
21554 = GirlFriend
5401 = Blade Runner 1.x
31338 = Back Orifice
31338 = DeepBO
31339 = NetSpy DK
31666 = BOWhack
34324 = BigGluck
40412 = The Spy
40421 = Masters Paradise
40422 = Masters Paradise 1.x
40423 = Masters Paradise 2.x
40426 = Masters Paradise 3.x
50505 = Sockets de Troie
50766 = Fore
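One way to put Table 3 to work on the defending side, as an added example that is not part of the original article: parse netstat-style output for sockets that are actually open and report any whose local port appears in the Trojan table. The port-to-name mapping is a small subset copied from the table above, and the netstat lines are constructed for the demonstration.

```python
import re

# Subset of Table 3 above (port -> Trojan name), copied from the page; not exhaustive.
TROJAN_PORTS = {
    31338: "Back Orifice",
    12346: "NetBus 1.x",
    1243: "SubSeven",
    27374: "Sub Seven 2.0",
    6969: "Gatecrasher",
    7626: "Ice",
}

# One 'netstat -an' row: protocol, local address, foreign address, optional state.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)

def local_port(addr):
    """Port of 'host:port' or '[v6addr]:port'; None when the field is not an address."""
    _, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def listening_ports(netstat_output):
    """Local ports of LISTENING TCP sockets plus every bound UDP socket."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # header, blank line or anything that is not a socket row
        proto, local, _remote, state = m.groups()
        port = local_port(local)
        if port is not None and (proto.upper() == "UDP" or (state or "").upper() == "LISTENING"):
            ports.add(port)
    return ports

def suspicious_ports(netstat_output, table=TROJAN_PORTS):
    """{port: name} for open ports that appear in the table; a hit is a lead to check
    against the owning process (netstat -ano, tasklist), not proof of infection."""
    return {p: table[p] for p in sorted(listening_ports(netstat_output)) if p in table}

# Constructed sample of Windows 'netstat -an' output, not a real capture.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:27374        127.0.0.1:1055         ESTABLISHED
  UDP    0.0.0.0:31338          *:*
  UDP    [::]:53                *:*
"""
if __name__ == "__main__":
    for port, name in suspicious_ports(SAMPLE).items():
        print(f"port {port} is open and is listed for {name}")
```

Note that the ESTABLISHED row on 27374 is deliberately not reported: only sockets waiting for inbound connections are compared against the table, and any legitimate program can also happen to use one of these ports, so each hit still needs the owning process identified.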