In-depth understanding of computer ports

zhaozj2021-02-16  167

Readers who know something about hacker attacks will know that so-called hackers are not as remote as people think; they really do come and go through your computer's "gate". The "gate" of the computer is what we usually call a "port". It includes the physical ports of the computer, such as the serial port, parallel port, input/output devices and adapter interfaces (these ports are visible), but more often it is an invisible software port. This article is about "software ports", but for convenience they are still collectively referred to as "ports". This article only introduces the basic knowledge of ports,

First, an introduction to ports

With the development of computer network technology, the original physical interfaces (such as keyboard, mouse, network card, display card and other input/output interfaces) could no longer meet the requirements of network communication. The TCP/IP protocol, as the standard protocol of network communication, solved this communication problem. TCP/IP is integrated into the kernel of the operating system, which is equivalent to introducing a new input/output interface technology into the operating system, because TCP/IP introduced an application interface called the "socket". With this interface technology, a computer can communicate through software with any other computer that has a socket interface. A port is the "socket interface" on the computer.

With these ports in place, how do they work? For example, why can one server be a web server, an FTP server, a mail server and so on? One important reason is that different services use different ports: the TCP/IP protocol specifies that the web uses port 80, FTP uses port 21, and the mail server uses port 25. In this way, through different ports, the computer can communicate with the outside world without the services interfering with each other.

According to experts, a server can have at most 65535 ports, but in practice only a few dozen ports are commonly used, so there are a great many undefined ports. This is why so many hacker programs can define a special port in some way to achieve the purpose of intrusion. To define such a port, some program must be loaded into memory automatically before the computer starts and force the computer to open that special port. This program is the "backdoor" program, which is what is usually called a Trojan. Simply put, before the intrusion these Trojans are first implanted in a personal computer and open a particular port, commonly known as a "backdoor", which turns the computer into an extremely open FTP server (the user has very high permissions); the intrusion is then carried out through the backdoor.

Second, the classification of ports

Ports can be classified in different ways depending on the reference object. Classified by their nature, ports can usually be divided into the following three categories:

(1) Well Known Ports: This type of port is also known as a "common port". The port numbers of such ports run from 0 to 1024, and they are tightly bound to some specific services. Usually the traffic on these ports clearly indicates the protocol of a particular service, and such a port cannot be redefined for another purpose. For example, port 80 is always used for HTTP communication, and port 23 is dedicated to the Telnet service. Hacker programs such as Trojans usually do not use these ports. To help everyone understand these common ports, the services that correspond to them are listed in detail later in this chapter for reference.

(2) Registered Ports: The port numbers range from 1025 to 49151. They are loosely bound to some services. That is, many services are bound to these ports, and these ports are also used for many other purposes. Most of these ports have no clearly defined service; different programs can define them according to actual needs, as the remote control software and Trojans described later do. Remembering the ports of these common programs is very necessary for protecting against and removing Trojans. The ports used by common Trojans are listed in detail later.

(3) Dynamic and/or Private Ports: The port numbers run from 49152 to 65535. In theory, commonly used services should not be assigned to these ports. In practice, some more unusual programs, especially some Trojans, very much like to use these ports, because these ports often go unnoticed and are easy to hide in.

Classified by the way the service is provided, ports can be divided into "TCP protocol ports" and "UDP protocol ports", because communication between computers generally uses these two protocols. The "connection-oriented" method mentioned earlier makes a connection with the receiver and, after sending information, can confirm whether the information arrived; this method mostly uses the TCP protocol. The other method does not connect to the receiver directly; it only places the information on the network, regardless of whether the information arrives. This is the "connectionless" method mentioned earlier, which mostly uses the UDP protocol; the IP protocol is also connectionless. The ports through which services using these two protocols are provided are accordingly divided into "TCP protocol ports" and "UDP protocol ports".

The common ports that use the TCP protocol are the following:

(1) FTP: The File Transfer Protocol, which uses port 21. When people say that a computer has opened the FTP service, they mean that it has started the file transfer service. Downloading files and uploading a home page both use the FTP service.

(2) Telnet: A port for remote login. The user can connect to a remote computer under his or her own identity, and a DOS-style communication service can be provided through this port. For example, the earlier BBS had a pure character interface, and a server that supports BBS opens port 23 to provide the service.

(3) SMTP: The Simple Mail Transfer Protocol, which many mail servers now use for sending mail. For example, the common free mail services use this mail service port, so you often see an SMTP port setting in the e-mail configuration; the server opens port 25.

(4) POP3: The counterpart of SMTP; POP3 is used to receive mail. Typically the POP3 protocol uses port 110. As long as you have a program that uses the POP3 protocol (such as Foxmail or Outlook), you can receive mail directly without logging in to the mailbox through the web interface (for example, with a Netease mailbox you do not have to go to the Netease website first and then enter your mailbox to receive mail).

The common ports that use the UDP protocol are the following:

(1) HTTP: This is the most widely used protocol, the one usually called the "Hypertext Transfer Protocol". To browse web pages online, the computer that provides the web resources has to open port 80 to provide the service. The "WWW service" and "web server" that people often talk about use this port.

(2) DNS: Used for the domain name resolution service, which is used most in Windows NT systems. Each computer on the Internet has a network address that corresponds to it, called the IP address, which is written in pure numbers separated by ".". However, this is inconvenient to remember, so domain names appeared. When accessing a computer you only need to know its domain name; the conversion between the domain name and the IP address is done by the DNS server. DNS uses port 53.

(3) SNMP: The Simple Network Management Protocol, which uses port 161 and is used to manage network devices. Because there are so many network devices, a connectionless service shows its advantages.

(4) OICQ: The OICQ program both accepts services and provides them, so the two people chatting are equals. OICQ uses a connectionless protocol, that is, it uses the UDP protocol. The OICQ server uses port 8000 and listens for incoming information; the client uses port 4000 to send information out. If these two ports are already in use (many people chat with several friends at the same time), the next port numbers in order are used.

A computer has more than 60,000 ports. Those with port numbers within 1024 are typically referred to as common ports, and the services corresponding to these common ports are typically fixed. Table 1 lists the default ports of servers, which may not be changed; the general communication process mainly uses these ports.

Table 1

Service Type    Default Port    Service Type    Default Port

Echo            7               Daytime         13
FTP             21              Telnet          23
SMTP            25              TIME            37
WHOIS           43              DNS             53
Gopher          70              finger          79
WWW             80              POP3            110
NNTP            119             IRC             194

Different proxy servers often use the following ports:

(1). HTTP protocol proxy server common port number: 80/8080/3128/8081/9080

(2). SOCKS protocol proxy server common port number: 1080

(3). FTP protocol proxy server common port number: 21

(4). Telnet protocol proxy server common port: 23

Hacker programs such as Trojans achieve their purpose by intruding through ports. In their use of ports, hacker programs usually have two methods: "port listening" and "port scanning".

"Port listening" and "port scanning" are two port techniques that are often used both in hacker attacks and in protection. In hacker attacks they are used to find targets and obtain useful information; in personal and network protection, these port techniques make it possible to discover hacker attacks and some security vulnerabilities in time. Let's first briefly introduce the difference between the two techniques.

"Port listening" uses some program to monitor the ports of the target computer and see which ports on it are available. Listening can also capture information that is useful to others. This is mainly used in hacker software, but it is also very useful for individuals: you can use a listener to protect your own computer by monitoring selected ports on it, so that some hacker attacks can be discovered and intercepted. You can also listen on a specified port of a computer to see whether it is idle, for the purpose of intrusion.

"Port scanning" determines which services are running by connecting to the TCP or UDP ports of the target system, and then obtains the corresponding user information. Many people now confuse "port listening" with "port scanning" and are unclear about when listening should be used and when scanning should be used. Then again, software of this kind now seems to blur the two techniques, and some tools simply integrate both functions into one. "Port listening" and "port scanning" have similarities and differences. The similarity is that both can monitor the target computer. The difference is that "port listening" is a passive process: it waits for someone else's connection to appear and detects the information it needs through that connection. In personal use, if the listener is set to report to the user immediately when it hears a connection, it can effectively detect a hacker's connection attempt, and the Trojans resident on the machine can be cleared. Such a listener is generally installed on the target computer. In hacker use, "port listening" usually means that a server-side program sent by the hacker waits while the server carries on its normal activity, captures the information the hacker needs, and then transmits it over the connectionless UDP protocol. "Port scanning" is an active process: it actively scans the selected ports of the target computer and discovers all activity on the selected ports in real time (especially some online activity). Scanners are typically installed on the client, but their connection to the server side is also mainly made over the connectionless UDP protocol.

In a network, while information is being transmitted, a tool can be used to set a network interface to listening mode so that the information being transmitted can be intercepted or captured and then used for an attack. Port listening can be carried out at any position in the network, and hackers generally use port listening to intercept user passwords.
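The personal-protection use of a listener described in this section (watch selected ports and report a connection as soon as it is heard), as an added example that is not part of the original article. The `PortWatcher` class and the loopback address are assumptions of this sketch; port 0 asks the operating system for any free port.

```python
import selectors
import socket
import time
from dataclasses import dataclass


@dataclass
class Attempt:
    when: float      # time the connection was heard
    src_ip: str
    src_port: int
    dst_port: int    # which watched port was touched


class PortWatcher:
    """Passive listener: binds to ports that no real service uses and
    records every connection attempt (hypothetical helper for this example)."""

    def __init__(self, ports, host="127.0.0.1", on_attempt=None):
        self.sel = selectors.DefaultSelector()
        self.on_attempt = on_attempt      # callback used to report to the user
        self.attempts = []
        self.ports = []
        for port in ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((host, port))        # port 0 = let the OS pick a free port
            srv.listen(16)
            srv.setblocking(False)
            self.sel.register(srv, selectors.EVENT_READ)
            self.ports.append(srv.getsockname()[1])

    def poll(self, timeout=1.0):
        """Wait up to `timeout` seconds and return the attempts heard."""
        heard = []
        for key, _ in self.sel.select(timeout):
            srv = key.fileobj
            while True:                   # drain everything queued on this port
                try:
                    conn, (ip, sport) = srv.accept()
                except BlockingIOError:
                    break
                conn.close()              # only record, never talk back
                attempt = Attempt(time.time(), ip, sport, srv.getsockname()[1])
                heard.append(attempt)
                if self.on_attempt:
                    self.on_attempt(attempt)
        self.attempts.extend(heard)
        return heard

    def close(self):
        for key in list(self.sel.get_map().values()):
            self.sel.unregister(key.fileobj)
            key.fileobj.close()
        self.sel.close()


def demo():
    """Constructed demo: watch two OS-chosen ports, touch one, report it."""
    reports = []
    watcher = PortWatcher([0, 0], on_attempt=reports.append)
    try:
        touched = watcher.ports[1]
        socket.create_connection(("127.0.0.1", touched), timeout=2).close()
        heard = watcher.poll(timeout=2.0)
        return touched, heard, reports
    finally:
        watcher.close()


if __name__ == "__main__":
    port, heard, _ = demo()
    for a in heard:
        print(f"connection attempt on port {a.dst_port} "
              f"from {a.src_ip}:{a.src_port}")
```

Because the listener is passive, it learns of a connection only after the other side has completed it; it says nothing about ports it does not watch.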

Fourth, the principle of port listening

The Ethernet protocol works by sending the packet to be transmitted to all the computers that are connected together. The packet header contains the correct address of the computer that should receive the packet, because only the computer whose address matches the destination address in the packet can receive it. However, when a computer works in listening mode, it can receive a packet regardless of the destination physical address in it. When two computers on the same network communicate, the source computer sends the packet that carries the destination computer's address directly to the destination computer; when a computer on the network communicates with an outside computer, the source computer sends the packet that carries the destination computer's IP address to the gateway. However, such a packet cannot be sent out directly from the upper layers of the protocol stack; the packet to be sent must be handed from the IP layer of TCP/IP to the network interface. The network interface does not recognize IP addresses. At the network interface, the packet with IP addresses that comes from the IP layer has Ethernet frame header information added to it. The frame header has two fields, the physical addresses of the source computer and the destination computer, which the network interface can recognize. Each is a 48-bit address, and it corresponds to an IP address. In other words, an IP address also corresponds to a physical address. A computer that acts as a gateway is connected to multiple networks, so it also has several IP addresses, one in each network. Frames relayed out of the network carry the physical address of the gateway.

The frame with the physical addresses filled in is sent out from the network port (or from the gateway port) onto the physical line. If the local area network is connected by thick coaxial cable or thin coaxial cable, the digital signal travels along the cable and reaches each computer on the line. When a hub is used, the transmitted signal reaches the hub, and the hub then forwards it to each line connected to the hub. In this way the digital signal transmitted on the physical line reaches each computer connected to the hub. When the digital signal arrives at the network interface of a computer, in the normal state the network interface checks the data frame: if the physical address carried in the data frame is its own, or is the broadcast address, the data frame is handed to the IP layer software. This process is performed for every data frame that reaches the network interface. But when the computer works in listening mode, all data frames are handed to the upper-layer protocol software for processing. When computers connected to the same cable or hub are logically divided into several subnets, a computer in listening mode can also receive packets sent to computers that are not in the same subnet as itself (that use a different mask, IP address and gateway); all information transmitted on the same physical channel can be received.
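The check that the network interface applies to each frame, as an added example that is not part of the original article: it builds a constructed Ethernet frame, parses the two 48-bit address fields, and shows which hosts on a hub hand the frame to the IP layer in normal mode and in listening mode (usually called promiscuous mode). The host names, addresses and helper functions are assumptions of this sketch, and multicast filtering is left out.

```python
import socket
import struct

BROADCAST = b"\xff" * 6          # Ethernet broadcast physical address


def mac(text):
    """'02:00:00:00:00:0a' -> 6 raw bytes (48 bits)."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("a physical address is 48 bits")
    return raw


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Constructed Ethernet II frame carrying a minimal IPv4 header."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, socket.IPPROTO_TCP, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )  # checksum left at 0: this frame never leaves the simulation
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip_header + payload


def parse_frame(frame):
    """Split the 14-byte frame header; add the IP addresses if present."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst, "src_mac": src, "ethertype": ethertype}
    if ethertype == 0x0800 and len(frame) >= 34:
        info["src_ip"] = socket.inet_ntoa(frame[26:30])
        info["dst_ip"] = socket.inet_ntoa(frame[30:34])
    return info


def nic_accepts(frame, own_mac, listening_mode=False):
    """Normal state: accept only our own address or broadcast.
    Listening mode: every frame goes up to the protocol software."""
    if listening_mode:
        return True
    dst = parse_frame(frame)["dst_mac"]
    return dst == own_mac or dst == BROADCAST


def hub_delivery(frame, hosts):
    """A hub repeats the frame to every line; return the hosts whose
    interface accepts it. `hosts` maps name -> (mac, listening_mode)."""
    sender = parse_frame(frame)["src_mac"]
    return sorted(
        name for name, (addr, listening) in hosts.items()
        if addr != sender and nic_accepts(frame, addr, listening)
    )


# Constructed hosts on one hub. The check never looks at IP addresses,
# so it makes no difference which subnet host C is configured for.
A = mac("02:00:00:00:00:0a")
B = mac("02:00:00:00:00:0b")
C = mac("02:00:00:00:00:0c")
FRAME_A_TO_B = build_frame(B, A, "192.168.1.10", "192.168.1.20", b"hello")


def who_receives(c_listening):
    hosts = {"A": (A, False), "B": (B, False), "C": (C, c_listening)}
    return hub_delivery(FRAME_A_TO_B, hosts)


if __name__ == "__main__":
    seen = parse_frame(FRAME_A_TO_B)
    print("normal mode:   ", who_receives(False))
    print("C is listening:", who_receives(True))
    print("what C reads:  ", seen["src_ip"], "->", seen["dst_ip"])
```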

On a UNIX system, when a user with superuser privileges wants to put the computer he or she controls into listening mode, it is only necessary to send an I/O control command to the interface (network interface). On a Windows 9x system, this can be done by running the listening tool directly, if the user has permission.

While a listener is running on a port, it often has to save a large amount of information (which also contains a lot of junk) and do a great deal of sorting of the collected information, which makes the listening computer very slow to respond to other users' requests. The listener also consumes a lot of processor time while it is running. If packets are analysed in detail at that moment, many packets will be missed because there is no time to receive them. So the listener stores the captured packets in a file to be analysed later. Analysing the captured packets is a real headache, because the packets on the network are very complicated. Two computers continuously send and receive packets to each other, and the listening results are bound to include packets from the interactions of other computers as well. It is one thing for the listener to put the packets of the same TCP session together; if you also expect to sort out users' detailed information, a great deal of protocol-based analysis is needed.

The protocols used on the network were designed long ago, and many protocol implementations are based on a foundation of great friendliness and full trust between the communicating parties. In the usual network environment, users' information, including passwords, is transmitted over the network in clear text, so obtaining user information by port listening is not difficult; with only elementary knowledge of the TCP/IP protocol, the desired information can easily be captured.

Fifth, the principle of port scanning

"Port scanning" typically means sending packets to all the ports of the target computer that are to be scanned, and then analysing whether each port of the target computer is open according to the port state that comes back. An important characteristic of a "port scan" is that within a short period of time many packets go from the same source address to different destination ports.

For those who attack with port scans, an attacker can always manage to obtain the scan results while remaining hard to discover or hard to trace back. To hide the attack, the attacker can scan slowly. Unless the target system is usually idle (so that a packet to a port with no listener draws the administrator's attention), such a scan is difficult to identify. The way to hide the source address is to send a large number of spoofed port scan packets (1000), only one of which comes from the real source address. In this way, even if all the packets (1000) are detected and recorded, no one knows which is the real source address. All that can be found is that "a scan once took place". It is also because of this that hackers keep using this port scanning technique to obtain information about the target computer and carry out malicious attacks. Port scans are currently usually performed with port scanning software, also known as a "port scanner". Port scanning can serve three purposes:

(1) Identify the TCP protocol and UDP protocol services running on the target system.

(2) Identify the operating system type of the target system (Windows 9X, Windows NT, or UNIX, etc.).

(3) Identify the version number of an application or a particular service.
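The characteristic noted at the start of this section (many packets from the same source address to different destination ports within a short time) turned into detection logic, as an added example that is not part of the original article. The log format, addresses, window and threshold are constructed for the illustration; the second run shows why a slow scan passes under a short window and needs a longer one.

```python
from collections import defaultdict, deque


def parse_line(line):
    """Constructed log format: '<seconds> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def detect_scans(lines, window, min_ports):
    """Return {(src, dst): (first_alert_time, ports_seen)} for every source
    that touched at least `min_ports` distinct ports of one destination
    within `window` seconds."""
    recent = defaultdict(deque)          # (src, dst) -> deque of (ts, port)
    alerts = {}
    events = sorted(parse_line(l) for l in lines if l.strip())
    for ts, src, dst, dport in events:
        q = recent[(src, dst)]
        q.append((ts, dport))
        while q[0][0] < ts - window:     # forget packets older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and (src, dst) not in alerts:
            alerts[(src, dst)] = (ts, sorted(ports))
    return alerts


def sample_log():
    """Constructed traffic towards 198.51.100.5 (documentation addresses)."""
    target = "198.51.100.5"
    lines = []
    # Fast scan: 20 ports, one every 0.1 s.
    lines += [f"{100 + i * 0.1:.1f} 192.0.2.10 {target} {20 + i}"
              for i in range(20)]
    # Slow scan: the same 20 ports, one per minute.
    lines += [f"{i * 60:.1f} 192.0.2.77 {target} {20 + i}"
              for i in range(20)]
    # Ordinary client: 50 requests, always to port 80.
    lines += [f"{200 + i:.1f} 203.0.113.4 {target} 80"
              for i in range(50)]
    return lines


if __name__ == "__main__":
    for window in (10, 3600):
        print(f"window = {window} s")
        for (src, dst), (ts, ports) in detect_scans(sample_log(), window, 15).items():
            print(f"  {src} -> {dst}: {len(ports)} ports by t={ts}")
```

The client that sends 50 requests to port 80 is never reported, because the rule counts distinct destination ports rather than packets.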

A port scanner is a program that automatically detects the security weaknesses of a remote or local computer. By using a scanner you can discover the allocation of the various TCP protocol ports of a remote server and the services they provide, and you can also learn which software versions they use. This gives an indirect understanding of the security problems in the remote computer.

The port scanner selects different services of the remote TCP/IP protocol and records the answers given by the target computer's ports. In this way it can collect a lot of useful information about the target computer (for example: whether a port is listening, whether anonymous login is allowed, whether there is a writable FTP directory, whether Telnet can be used, and so on).

A port scanner is not a program that directly attacks network vulnerabilities; it only helps find some inherent weaknesses of the target machine. A good scanner can also analyse the data it obtains to help find the vulnerabilities of the target computer. But it does not provide systematic, detailed steps.

A port scanner should have the following three capabilities during the scanning process:

(1) The ability to discover a computer or network;

(2) Once a computer is found, the ability to find out what services are running on it;

(3) The ability to discover existing vulnerabilities by testing these services on the target computer.

Writing a scanner requires a lot of knowledge of TCP/IP protocol programming and of the C, Perl and/or shell languages. It also requires some background in socket programming, a method of developing client/server applications.

Sixth, common ports

A computer has more than 60,000 ports. Those with port numbers within 1024 are typically referred to as common ports, and the services corresponding to these common ports are typically fixed, so understanding these common ports is very necessary to a certain extent. Table 2 below lists the services corresponding to the common ports of the computer (note: in this list the number before "=" is the port number, and what follows "=" is the corresponding port service).

1 = TCPMUX (TCP Protocol Port Service Multiplexer)

401 = UPS (Uninterruptible Power Supply)

2 = compressNet = management utility

402 = genie (Genie Protocol)

3 = compressNet = Compression Process

403 = DECAP

5 = RJE (Remote Job Entry)

404 = nced

7 = echo = echo

405 = NCLD

9 = Discard

406 = IMSP (Interactive Mail Support Protocol)

11 = SYSTAT, ACTIVE USERS

407 = TIMBUKTU

13 = daytime

408 = PRM-SM (ProSpero Resource Manager Sys. Man.)

17 = qotd (quote of the day)

409 = PRM-NM (Prospero Resource Manager Node Man.)

18 = MSP (Message Send Protocol)

410 = DecladeBug (Decladebug Remote Debug Protocol)

19 = Character Generator

411 = RMT (Remote MT Protocol)

20 = ftp-data (File Transfer [Default Data])

412 = Synoptics-Trap (TRAP Convention Port)

21 = ftp (file transfer [control])

413 = SMSP

22 = SSH

414 = INFOSEEK

23 = Telnet

415 = BNET

24 = Private Mail System

416 = SilverPlatter

25 = SMTP (Simple Mail Transfer)

417 = ONMUX

27 = NSW-Fe (NSW User System Fe)

418 = Hyper-g

29 = MSG-ICP

419 = Ariel1

31 = msg-auth

420 = SMPTE

33 = DISPLAY Support Protocol

421 = Ariel2

35 = Private Printer Server

422 = Ariel3

37 = TIME

423 = OPC-Job-Start (IBM Operations Planning and Control Start)

38 = RAP (Route Access Protocol)

424 = OPC-JOB-TRACK (IBM Operations Planning and Control TRACK)

39 = RLP (Resource Location Protocol)

425 = ICAD-EL (ICAD)

41 = graphics

426 = smartsdp

42 = Nameserver (Wins Host Name Server)

427 = SVRLOC (Server location)

43 = nicname (WHO IS)

428 = OCS_CMU

44 = MPM-FLAGS (MPM Flags Protocol)

429 = OCS_AMU

45 = MPM (Message Processing Module [RECV])

430 = UTMPSD

46 = MPM-SND (MPM [Default Send])

431 = UTMPCD

47 = Ni-ftp

432 = IASD

48 = Digital Audit Daemon

433 = NNSP

49 = TACACS (Login Host Protocol (TACACS))

434 = MobileIP-Agent

50 = RE-MAIL-CK (Remote Mail Checking Protocol)

435 = mobilip-mn

51 = la-maint (IMP Logical Address Maintenance)

436 = DNA-CML

52 = xns-time (XNS Time Protocol)

437 = COMSCM

53 = Domain Name Server

438 = DSFGW

54 = XNS-CH (Xns clearinghouse)

439 = DASP (DASP THOMAS OBERMAIR)

55 = ISI-GL (ISI Graphics Language)

440 = SGCP

56 = xns-auth (xns authent)

441 = DECVMS-SYSMGT

57 = Private Terminal Access

442 = CVC_Hostd

58 = xns-mail (xns mail)

443 = HTTPS (HTTPS MCOM)

59 = private file service

444 = SNPP (Simple Network Paging Protocol)

61 = ni-mail (ni mail)

445 = Microsoft-DS

62 = ACAS (ACA Services)

446 = DDM-RDB

63 = WHOIS WHOIS

447 = DDM-DFM

64 = COVIA (Communications Integrator (CI))

448 = DDM-BYTE

65 = TACACS-DS (TACACS-Database Service)

449 = as-servermap

66 = SQL * NET (Oracle SQL * NET)

450 = TSERVER

67 = bootps (Bootstrap Protocol Server)

451 = SFS-SMP-Net (CRAY NETWORK SEMAPHORE Server)

68 = BootPC (Bootstrap Protocol Client)

452 = SFS-Config (Cray SFS Config Server)

69 = TFTP (TRIVIAL FILE Transfer)

453 = Creative Server

70 = gopher

454 = ContentServer

71 = Netrjs-1, Remote Job Service

455 = CreativePartnr

72 = Netrjs-2, Remote Job Service

456 = Macon-TCP

73 = Netrjs-3, Remote Job Service

457 = scohelp

74 = Netrjs-4, Remote Job Service

458 = AppleQTC (Apple Quick Time)

75 = Private Dial Out Service

459 = AMPR-RCMD

76 = Deos (Distributed External Object Store)

460 = SKRONK

77 = Private RJE Service

461 = DataSurfsrv

78 = vettcp

462 = DataSurfsrvsec

79 = Finger

463 = Alpes

80 = HTTP (World Wide Web HTTP)

464 = kpasswd

81 = HOSTS2-NS (Hosts2 Name Server)

465 = SSMTP

82 = XFER (XFer Utility)

466 = DIGITAL-VRC

83 = MIT-ML-DEV (MIT ML DEVICE)

467 = Mylex-mapd

84 = CTF (Common TRACE FACILITY)

468 = Photuris

85 = mit-ml-dev (MIT ML DEVICE)

469 = RCP (Radio Control Protocol)

86 = MFCOBOL (Micro Focus COBOL)

470 = SCX-Proxy

87 = Private Terminal Link

471 = Mondex

88 = Kerberos

472 = LJK-Login

89 = SU-MIT-TG (SU / MIT TELNET GATEWAY)

473 = Hybrid-Pop

90 = DNSIX (Dnsix Securit Attribute Token Map)

474 = TN-TL-W1

91 = Mit-DOV (Mit Dover Spooler)

475 = TCPNETHASPSRV

92 = NPP (NetWork Printing Protocol)

476 = TN-TL-FD1

93 = DCP (Device Control Protocol)

477 = SS7NS

94 = ObjCall (Tivoli Object Dispatcher)

478 = SPSC

95 = SUPDUP

479 = Iafserver

96 = DIXIE (DIXIE Protocol Specification)

480 = iafdbase

97 = SWIFT-RVF (SWIFT Remote Virtural File Protocol)

481 = pH (pH service)

98 = tacnews

482 = BGS-NSI

99 = Metagram, Metagram RELAY

483 = ULPNET

100 = newAcct, [unauthorized use]

484 = INTEGRA-SME (Integra Software Management Environment Environment)

101 = Hostname, Nic Host Name Server

485 = Powerburst (Air Soft Power Burst)

102 = ISO-TSAP (ISO-TSAP Class 0)

486 = avian

103 = GPPITNP (Genesis Point-to-Point Trans Net)

487 = SAFT

104 = ACR-NEMA (Acr-Nema Digital Imag. & Comm. 300)

488 = GSS-HTTP

105 = Mailbox Name Nameserver

489 = Nest-Protocol

106 = 3COM-TSMUX (3COM-TSMUX)

490 = MICOM-PFS

107 = RTELNET (REMOTE TELNET Service)

491 = Go-login

108 = SNAGAS (SNA Gateway Access Server)

492 = TiCF-1 (Transport Independent Convergence for FNA)

109 = POP2 (Post Office Protocol - Version 2)

493 = TiCF-2 (Transport Independent Convergence for FR)

110 = POP3 (Post Office Protocol - Version 3)

494 = POV-ray

111 = SunRPC (Sun Remote Procedure Call)

495 = INTECOOURIER

112 = MCIDAS (Mcidas Data Transmission Protocol)

496 = PIM-RP-DISC

113 = Authentication Service

497 = DANTZ

114 = AudionEws (Audio News Multicast)

498 = SIAM

115 = SFTP (Simple File Transfer Protocol)

499 = ISO-ILL (ISO ILL Protocol)

116 = ansanotify (Ansa Rex Notify)

500 = isakmp

117 = uucp-path (uucp path service)

501 = STMF

118 = SQLSERV

502 = Asa-Appl-Proto

119 = NNTP (NetWork News Transfer Protocol)

503 = Intrinsa

120 = cfdptkt

504 = CITADEL

121 = ERPC (Encore Expedified Remote Pro.Call)

505 = Mailbox-LM

122 = SMAKYNET

506 = OHIMSRV

123 = NTP (NetWork Time Protocol)

507 = CRS

124 = Ansatrader (Ansa Rex Trader)

508 = XVTTP

125 = LOCUS-MAP (Locus PC-Interface Net Map Ser)

509 = SNARE

126 = Unisys Unity Login

510 = FCP (FirstClass Protocol)

127 = Locus-conn (Locus PC-Interface CONN Server)

511 = MyNet (MyNet-AS)

128 = GSS-XLICEN (GSS X License Verification)

512 = EXEC (Remote Process Execution)

129 = PWDGEN (Password Generator Protocol)

513 = login (Remote Login a La Telnet)

130 = Cisco-FNA (Cisco Fnative)

514 = shell, cmd

131 = Cisco-TNA (Cisco TNATIVE)

515 = Printer, Spooler

132 = Cisco-Sys (Cisco Sysmaint)

516 = Video Videotex

133 = STATSRV (STATISTICS Service)

517 = Talk (Like Tenex Link)

134 = INGRES-NET (Ingres-Net Service)

518 = NTALK

135 = EPMAP (DCE EndPoint Resolution)

519 = Utime (UnixTime)

136 = Profile (Profile Naming System)

520 = EFS (Extended File Name Server)

137 = NetBIOS-NS (Netbios Name Service)

521 = RIPNG

138 = NetBIOS-DGM (NetBIOS DataGram Service)

522 = ULP

139 = NetBIOS-SSN (Netbios Session Service)

523 = IBM-DB2

140 = EMFIS-DATA (EMFIS DATA Service)

524 = NCP

141 = EMFIS-CNTL (EMFIS Control Service)

525 = TIMED (TIMESERVER)

142 = BL-IDM (Britton-Lee IDM)

526 = Tempo (NewDate)

143 = IMAP (Internet Message Access Protocol)

527 = STX (stock ixchange)

144 = News

528 = Custix (Customer IXChange)

145 = UAAC (UAAC Protocol)

529 = IRC-Serv

146 = ISO-TP0

530 = Courier, RPC

147 = ISO-IP

531 = Conference, Chat

148 = jargon

532 = NetNews

149 = AED-512 (AED 512 Emulation Service)

533 = NetWall (for Emergency Broadcasts)

150 = SQL-NET

534 = mm-admin (megamedia admin)

151 = HEMS

535 = IIOP

152 = BFTP (Background File Transfer Program)

536 = OPALIS-RDV

153 = SGMP

537 = NMSP (NetWorked Media Streaming Protocol)

154 = Netsc-Prod, Netsc

538 = GDOMAP

155 = Netsc-dev, Netsc

539 = Apertus-LDP (Apertus Technologies Load Determination)

156 = SQLSRV (SQL Service)

540 = uucp

157 = KNET-CMP (KNET / VM Command / Message Protocol)

541 = uucp-rlogin

158 = PCMAIL-SRV

542 = Commerce

159 = NSS-Routing

543 = klogin

160 = SGMP-TRAPS

544 = kshell, krcmd

161 = SNMP

545 = AppleQTCSRVR

162 = SNMPTRAP

546 = DHCPV6-Client

163 = CMIP-Man

547 = DHCPV6-Server

164 = CMIP-Agent

548 = afpovertcp (AFP over TCP protocol)

165 = XNS-Courier (Xerox)

549 = IDFP

166 = S-Net (Sirius Systems)

550 = new-rwho

167 = namp

551 = cybercash

168 = RSVD

552 = Deviceshare

169 = Send

553 = PIRP

170 = Print-SRV (Network PostScript)

554 = RTSP (Real Time Stream Control Protocol)

171 = Multiplex (NetWork Innovations Multiplex)

555 = DSF

172 = CL / 1 (Network Innovations CL / 1)

556 = Remotefs (RFS Server)

173 = XYPLEX-MUX (XYPLEX)

557 = OpenVMS-SYSIPC

174 = Mailq

558 = SDNSKMP

175 = VMNET

559 = TEEDTAP

176 = Genrad-MUX

560 = rmonitor

177 = XDMCP (X Display Manager Control Protocol)

561 = Monitor,?

178 = NextStep (NextStep Window Server)

562 = Chshell, CHCMD

179 = BGP (Border Gateway Protocol)

563 = SNEWS

180 = RIS (Intergraph)

564 = 9PFS (Plan 9 file service)

181 = Unify

565 = WhoAmi

182 = AUDIT (Unisys Audit Sitp)

566 = streettalk

183 = OCBINDER

567 = Banyan-RPC

184 = OCserve

568 = MS-Shuttle (Microsoft Shuttle)

185 = Remote-Kis

569 = MS-ROME (Microsoft Rome)

186 = KIS (Kis Protocol)

570 = meter, Demon

187 = ACI (Application Communication Interface)

571 = meter, udemon

188 = MUMPS (Plus Five's Mumps)

572 = Sonar

189 = QFT (Queued File Transport)

573 = Banyan-VIP

190 = GATEWAY Access Control Protocol

574 = ftp-agent (ftp Software agent system)

191 = Prospero (ProSpero Directory Service)

575 = vemmi

192 = OSU-NMS (OSU NetWork Monitoring System)

576 = IPCD

193 = SRMP (Spider Remote Monitoring Protocol)

577 = VNAS

194 = IRC (Internet Relay Chat Protocol)

578 = ipdd

195 = DN6-NLM-AUD (DNSIX Network Level Module Audit)

579 = DECBSRV

196 = DN6-SMM-Red (DNSIX Session Mgt Module Audit Redir)

580 = SNTP-HeartBeat = SNTP HeartBeat

197 = DLS (Directory Location Service)

581 = BDP (Bundle Discovery Protocol)

198 = DLS-MON (Directory Location Service Monitor)

600 = IPCSERVER (Sun IP Protocol C Server)

199 = SMUX

606 = URM (CRAY UNIFIED RESOURCE MANAGER)

200 = SRC (IBM System Resource Controller)

607 = NQS

201 = AT-RTMP (AppleTalk Routing Maintenance)

608 = NSIFT-UFT (Sender-Initiated / UnsolicIn

202 = AT-NBP (AppleTalk Name Binding)

609 = NPMP-TRAP

203 = AT-3 (AppleTalk Unused)

610 = NPMP-LOCAL

204 = At-echo (AppleTalk Echo)

611 = NPMP-GUI

205 = AT-5 (AppleTalk Unused)

612 = HMMP-IND (HMMP IND)

206 = At-Zis (AppleTalk Zone Information)

613 = HMMP-OP (HMMP Operation)

207 = AT-7 (AppleTalk Unused)

614 = SSHELL (SSLSHELL)

208 = AT-8 (AppleTalk Unused)

615 = SCO-INETMGR (Internet Configuration Manager)

209 = QMTP (THE Quick Mail Transfer Protocol)

616 = SCO-SYSMGR (SCO System Administration Server)

210 = Z39.50 (ANSI Z39.50)

617 = SCO-DTMGR (SCO Desktop Administration Server)

211 = 914C / G (Texas Instruments 914C / G Terminal)

618 = DEI-ICDA

212 = ANET (ATEXSSTR)

619 = DIGITAL-EVM

213 = IPX

620 = SCO-Websrvrmgr (SCO Webserver Manager)

214 = VMPWSCS

633 = ServStat (Service Status Update (Sterling Software))

215 = SOFTPC (Insignia Solutions)

634 = GINAD

216 = Cailic (Computer Associates Int'l License Server)

635 = rlzdbase

217 = DBASE (DBASE UNIX)

636 = SSL-LDAP

218 = MPP (Netix Message Posting Protocol)

637 = lanserver

219 = UARPS (Unisys ARPS)

666 = MDQS

220 = IMAP3 (Interactive Mail Access Protocol v3)

667 = Disclose (Campaign Contribution Disclosures - SDR Technologies)

221 = FLN-SPX (Berkeley Rlogind with SPX Auth)

668 = mecomm

222 = RSH-SPX (Berkeley RSHD with SPX Auth)

669 = meregister

223 = CDC (CERTIFICATE DISTRIBUTION center)

670 = VACDSM-SWS

242 = Direct

671 = VACDSM-APP

243 = surremement

672 = VPPS-qua

244 = dayna

673 = CIMPLEX

245 = LINK

674 = ACAP

246 = DSP3270 (Display Systems Protocol)

704 = Elcsd (Errlog Copy / Server Daemon)

256 = RAP

705 = Agentx

257 = SET (Secure Electronic Transaction)

709 = Entrust-KMSH (Entrust Key Management Service Handler)

258 = Yak-chat (Yak Winsock Personal Chat)

710 = Entrust-ASH (Entrust Administration Service Handler)

259 = ESRO-GEN (Efficient Short Remote Operations)

729 = NetViewDM1 (IBM NetView DM / 6000 Server / Client)

260 = OpenPort

730 = NetViewDM2 (IBM NETVIEW DM / 6000 Send)

261 = Naming-IIOP-SSL (IIOP Naming Service (SSL))

731 = NetViewDM3 (IBM NetView DM / 6000 Receive)

262 = arcisdms

741 = NETGW

263 = HDAP

742 = NETRCS (NetWork Based Rev. Cont. Sys.)

280 = http-mgmt

744 = flexlm (flexible license manager)

281 = Personal-Link

747 = Fujitsu-dev (Fujitsu Device Control)

282 = CABLEPORT-AX

748 = RIS-CM (Russell Info Sci Calendar Manager)

309 = entrusttime

749 = Kerberos-ADM (Kerberos Administration)

1435 = IBM-CICS

750 = RFILE

344 = PDAP (Prospero Data Access Protocol)

751 = PUMP

345 = Pawserv (Perf Analysis Workbench)

752 = qrh

346 = ZSERV (Zebra Server)

753 = RRH

347 = FatServ (Fatmen Server)

754 = Tell, Send

348 = CSI-SGWP (Cabletron Management Protocol)

758 = NLOGIN

349 = MFTP

759 = con

350 = Matip-Type-a

760 = ns

351 = Matip-Type-B

761 = RXE

371 = CLEARCASE

762 = quotad

372 = ulistproc (listprocessor)

763 = CycleServ

373 = Legent-1 (Legent Corporation)

764 = OMserve

374 = legent-2 (Legent Corporation)

765 = Webster

375 = hasle

767 = Phonebook, Phone

376 = NIP (Amiga Envoy Network Inquiry Proto)

769 = VID

377 = TNETOS (NEC Corporation)

770 = CADLOCK

378 = Dsetos (NEC Corporation)

771 = RTIP

379 = IS99C (TIA / EIA / IS-99 MODEM Client)

772 = CycleServ2

380 = IS99S (TIA / EIA / IS-99 MODEM Server)

773 = SUBMIT

381 = HP-Collector (HP Performance Data Collector)

774 = rpasswd

382 = hp-managed-node (HP Performance Data Managed Node)

775 = ENTOMB

383 = HP-ALARM-MGR (HP Performance Data Alarm Manager)

776 = WPAGES

384 = arns (a Remote Network Server System)

780 = WPGS

385 = IBM-APP (IBM Application)

786 = Concert

386 = ASA (ASA Message Router Object DEF.)

800 = mdbs_daemon

387 = AURP (AppleTalk Update-Based Routing Pro.)

801 = Device

388 = Unidata-LDM (Unidata LDM Version 4)

886 = ICLCNET-LOCATE (ICL CONETION LOCATE SERVER)

389 = LDAP (LightWeight Directory Access Protocol)

887 = ICLCNET_SVINFO (ICL CONETION Server Info)

390 = uis

888 = AccessBuilder

391 = SYNOTICS-RELAY (SYNOPTICS SNMP RELAY Port)

911 = XACT-BACKUP

392 = SYNOTICS-BROKER (Synoptics Port Broker Port)

991 = NAS (NETNews Administration System)

393 = DIS (Data Interpretation System)

995 = SPOP3 (SSL Based POP3)

394 = EMBL-NDT (EMBL Nucleic Data Transfer)

996 = vsinet

395 = Netcp (NetScout Control Protocol)

997 = Maitrd

396 = NetWare-IP (Novell NetWare Over IP protocol)

998 = busboy

397 = MPTN (Multi Protocol Trans. Net.)

999 = GARCON

398 = Kryptolan

1000 = CADLOCK

399 = ISO-TSAP-C2 (ISO Transport Class 2 Non-Control Over TCP protocol)

1023 = Reserved (reserved)

400 = Work-Sol (Workstation Solutions)

1024 = reserved (reserved)

Seven, ports used by common Trojans

A Trojan usually communicates through a specific port, so knowing which ports common Trojans use is very useful for guarding against attacks by hacking programs. Table 3 below lists the ports used by some common Trojan programs.

Domestic common Trojan use port

31338 = Back Orifice

8102 = Network Cabin

31338 = Deepbo

2000 = Black Cave 2000

31339 = Netspy DK

2001 = Black Hole 2001

31666 = Bowhack

6267 = Guangxiang girl

34324 = Biggluck

7306 = Network Elf 3.0, Netspy3.0

40412 = the spy

7626 = Ice

40421 = MASTERS PARADISE

8011 = Wry, Lai Xiaozi, Fire Phoenix

40422 = MASTERS Paradise 1.x

23444 = Network Bull, NetBull

40423 = MASTERS Paradise 2.x

23445 = Network Bull, NetBull

40426 = MASTERS Paradise 3.x

19191 = Blue flame

50505 = Sockets de Troie

27374 = Sub Seven 2.0 , 77, Oriental Magic

50766 = Fore

Frequent Trojans

53001 = Remote Windows Shutdown

121 = bo jammerkillahv

61466 = Telecommando

666 = Satanz Backdoor

65000 = Devil

1001 = Silencer

6400 = The Thing

1600 = Shivka-Burka

12346 = Netbus 1.x

1807 = spysender

20034 = NetBus Pro

1981 = shockrave

1243 = SUBSEVEN

1001 = Webex

30100 = NetSphere

1011 = Doly Trojan

1001 = Silencer

1170 = Psyber Stream Server

20000 = Millenium

1234 = Ultors Trojan

65000 = Devil 1.03

1245 = VOODOO DOLL

7306 = NetMonitor

1492 = ftp99cmp

1170 = streaming audio trojan

1999 = Backdoor

30303 = Socket23

2001 = Trojan COW

6969 = GATCRASHER

2023 = RIPPER

61466 = Telecommando

2115 = BUGS

12076 = gjamer

2140 = Deep Throat

4950 = ICQTROJEN

2140 = The Invasor

16969 = PriTrity

2801 = phineas phucker

1245 = VODOO

30129 = MASTERS PARADISE

5742 = WinCrash

3700 = Portal of Doom

2583 = WinCrash2

4092 = WinCrash

1033 = Netspy

4590 = ICQTROJAN

1981 = shockrave

5000 = Sockets de Troie

555 = stealth spy

5001 = Sockets de Troie 1.x

2023 = Pass Ripper

5321 = Firehotcker

666 = attack ftp

5400 = Blade Runner

21554 = Girlfriend

5401 = Blade Runner 1.x

50766 = fore = SCHWINDLER

5402 = Blade Runner 2.x

34324 = Tiny Telnet Server

5569 = ROBO-HACK

30999 = Kuang

6670 = Deepthroat

11000 = SENNA SPY TROJANS

6771 = Deepthroat

23456 = WHACKJOB

6969 = GATCRASHER

555 = PHASE0

6969 = priority

5400 = Blade Runner

7000 = Remote Grab

4950 = ICQTROJAN

7300 = NetMonitor

9989 = INIKILLER

7301 = NetMonitor 1.x

9872 = Portal of Doom

7306 = NetMonitor 2.x

11223 = Progenic Trojan

7307 = NetMonitor 3.X

22222 = Prosiak 0.47

7308 = NetMonitor 4.x

53001 = Remote Windows Shutdown

7789 = ICKILLER

5569 = Robohack

9872 = Portal of Doom

1001 = Silencer

9873 = Portal of Doom 1.x

2565 = Striker

9874 = Portal of Doom 2.x

40412 = theespy

9875 = Portal of doom 3.x

2001 = TROJANCOW

10067 = Portal of Doom 4.x

23456 = UGLYFTP

10167 = Portal of Doom 5.x

1001 = Webex

9989 = ini-killer

1999 = Backdoor

11000 = SENNA SPY

2801 = phineas

11223 = Progenic Trojan

1509 = psyber streaming server

12223 = Hack'99 Keylogger

6939 = IndocTrination

1245 = Gabanbus

456 = HACKERS PARADISE

1245 = Netbus

1011 = Doly Trojan

12361 = WHACK-A-MOLE

1492 = ftp99cmp

12362 = WHACK-A-MOLE 1.X

1600 = Shiva Burka

16969 = priority

53001 = Remote Windows Shutdown

20001 = MILLENNIUM

34324 = Biggluck

20034 = Netbus 2 Pro

31339 = Netspy DK

21544 = Girlfriend

12223 = Hack'99 Keylogger

22222 = Prosiak

9989 = ini-killer

33333 = Prosiak

7789 = ICQKiller

23456 = Evil FTP

9875 = Portal of Doom

23456 = UGLY FTP

5321 = Firehotcker

26274 = DELTA

40423 = Master Paradise

When reprinting, please cite the original address: https://www.9cbs.com/read-8177.html
