Network port and detailed explanation

xiaoxiao2021-03-06  93

Ports can be divided into three categories according to port number:

(1) Well-known ports: 0 to 1023. They are tightly bound to particular services, so traffic on these ports usually indicates the protocol of a specific service. For example, port 80 is in practice HTTP traffic.

(2) Registered ports: 1024 to 49151. They are loosely bound to services: many services are bound to these ports, but the ports are also used for many other purposes. For example, many systems start handing out dynamic ports at around 1024.

(3) Dynamic and/or private ports: 49152 to 65535. In theory, these ports should not be assigned to services. In practice, machines usually allocate dynamic ports starting from 1024. There are exceptions: Sun's RPC ports begin at 32768.

0: Usually used to analyze (fingerprint) the operating system. The method works because port 0 is an invalid port on some systems, and trying to connect to it produces different results than connecting to an ordinary closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

1 TCPMUX TCP Port Service Multiplexer Transfer Control Protocol Port Services Multi-Switch Selector

2 CompressNet Management Utility CompressNet Management Utility

3 CompressNet Compression Process Compression Process

5 RJE Remote Job Entry Remote Job Login

7 echo echo return

9 Discard Discard Discard

11 SYSTAT ACTIVE USERS online user

13 DayTime Daytime Time

17 qotd quote of the day daily reference

18 MSP Message Send Protocol Message Send Agreement

19 Chargen Character Generator Character Generator

20 FTP-DATA File Transfer [Default Data] File Transfer Protocol (Default Data Port)

21 FTP File Transfer [Control] File Transfer Protocol (Control)

22 SSH SSH Remote Login Protocol SSH Remote Login Protocol

23 Telnet Telnet Terminal Simulation Agreement

24 Any Private Mail System reserved for personal mail system

25 SMTP SIMPLE MAIL TRANSFER Simple Mail Send Agreement

27 NSW-Fe NSW User System FE NSW User System Field Engineer

29 MSG-ICP MSG ICP MSG ICP

31 MSG-Auth MSG Authentication MSG Verification

33 DSP Display Support Protocol Display Support Protocol

35 Any Private Printer Server Reserved to Personal Printer Services

37 Time Time Time

38 Rap Route Access Protocol Route Access Protocol

39 RLP Resource Location Protocol Resource Location Protocol

41 Graphics Graphics Graphics

42 Nameserver Wins Host Name Server WINS Host Name Service

43 NICName WHO IS "Nickname" WHO IS Service

44 MPM-Flags MPM Flags Protocol MPM (Message Processing Module) Sign Protocol

45 MPM Message Processing Module [RECV] Message Processing Module

46 MPM-SND MPM [Default Send] Message Process Module (Default Send Port)

47 NI-FTP NI FTP NI FTP

48 Auditd Digital Audit Daemon Digital Audit Background Service

49 TACACS Login Host Protocol (TACACS) TACACS Login Host Protocol

50 RE-MAIL-CK Remote Mail Checking Protocol Remote Mail Check Protocol [Unbeate]

51 la-maint IMP logical address maintenance IMP logical address maintenance

52 XNS-TIME XNS TIME PROTOCOL SETW Network Service System Time Agreement

53 Domain Domain Name Server Domain Name Server

54 XNS-CH XNS Clearinghouse Xerox Network Service System Bill Exchange

55 ISI-GL ISI Graphics Language ISI Graphic Language

56 XNS-Auth XNS Authentication Xerox Network Service System Verification

57 Any Private Terminal Access Reserved Personal Terminal Access

58 XNS-Mail XNS Mail Xerox Network Service System Mail

59 Any Private File Service Reserved personal file service

60 unassigned undefined

61 NI-mail NI Mail NI Mail

62 ACAS ACA Services Asynchronous Communication Adapter Service

63 WHOIS WHOIS WHOIS

64 COVIA Communications Integrator (CI) Communication Interface

65 TACACS-DS TACACS-Database Service TACACS Database Services

66 SQL * NET ORACLE SQL * NET ORACLE SQL * NET

67 Bootps Bootstrap Protocol Server Boot Protocol Service

68 Bootpc Bootstrap Protocol Client Boot Protocol Client

69 TFTP Trivial File Transfer Small File Transfer Protocol

70 GOPHER GOPHER Information Retrieval Agreement

71 NETRJS-1 Remote Job Service Remote Job Service

72 NETRJS-2 Remote Job Service Remote Job Services

73 NETRJS-3 Remote Job Service Remote Job Service

74 NETRJS-4 Remote Job Service Remote Job Service

75 ANY Private Dial Out Service Reserved to Personal Dial

76 DEOS Distributed External Object Store Distributed External Object Storage

77 Any Private RJE Service Reserved to Personal Remote Job Enter Service

78 VETTCP VETTCP Fix TCP?

79 Finger Finger query remote host online user, etc.

80 HTTP World Wide Web HTTP Global Information Network Hypertext Transfer Protocol

81 Hosts2-NS Hosts2 Name Server Host2 Name Service

82 XFER XFER Utility Transfer Utility

83 mit-ml-dev mit ml Device Modular Intelligent Terminal ML Equipment

84 CTF Common Trace Facility Public Tracking Equipment

85 ML DEVICE Modular Intelligent Terminal ML Device

86 MFCOBOL Micro Focus Cobol Micro Focus Cobol Programming Language

87 Any Private Terminal LINK reserved to a personal terminal connection

88 Kerberos Kerberos Kerberos Security Authentication System

89 SU-MIT-TG SU / MIT TELNET GATEWAY SU / MIT Terminal Simulation Gateway

90 DNSIX DNSIX Security Attribute Token Map DNSIX Security Properties Tags

91 Mit-Dov Mit Dover Spooler Mit Dover Spiked

92 NPP Network Printing Protocol Network Print Protocol

93 DCP Device Control Protocol Device Control Protocol

94 Objcall Tivoli Object Dispatcher Tivoli Object Scheduling

95 Supdup SuPDUP

96 DIXIE DIXIE PROTOCOL SPECification DIXIE Agreement Specification

97 SWIFT-RVF (SWIFT Remote Virtual File Protocol) Quick Remote Virtual File Agreement

98 Tacnews Tac News TAC News Protocol

99 Metagram Metagram RELAY

100 NewAcct [Unauthorized USE]

101 = Nic Host Name Server

102 = ISO-TSAP

103 = Genesis Point-to-Point Trans Net

104 = Acr-Nema Digital Imag. & Comm. 300

105 = Mailbox Name Nameserver

106 = 3COM-TSMUX

107 = Remote Telnet Service

108 = SNA Gateway Access Server

109 = Post Office Protocol - Version 2

110 = Post Office Protocol - Version 3

111 = Sun RPC

112 = MCIDAS Data Transmission Protocol

113 = Authentication Service

114 = Audio News Multicast

115 = Simple File Transfer Protocol

116 = Ansa Rex Notify

117 = UUCP PATH Service

118 = SQL Services (sqlserv)

119 = Network News Transfer Protocol

120 = cfdptkt

121 = Encore Expedited Remote Pro.Call

122 = SMAKYNET

123 = NetWork Time Protocol

124 = Ansa Rex Trader

125 = LOCUS PC-Interface Net Map Ser

126 = Unisys Unitary Login

127 = LOCUS PC-Interface Conn Server

128 = GSS X License Verification

129 = Password Generator Protocol

130 = Cisco Fnative

131 = Cisco Tnative

132 = Cisco Sysmaint

133 = Statistics Service

134 = INGRES-NET Service

135 = Location Service

136 = Profile Naming System

137 = NetBIOS Name Service

138 = NetBIOS DataGram Service

139 = Netbios Session Service

140 = EMFIS DATA Service

141 = EMFIS Control Service

142 = BRITTON-Lee IDM

143 = Interim Mail Access Protocol V2

144 = News (news)

145 = UAAC Protocol (uaac)

146 = ISO-IP0 (ISO-TP0)

147 = ISO-IP

148 = cronus-support

149 = AED 512 Emulation Service

150 = SQL-NET

151 = HEMS (hems)

152 = Background File Transfer Program

153 = SGMP

154 = NETSC (netsc-prod)

155 = NETSC (netsc-dev)

156 = SQL Service

157 = KNET / VM Command / Message Protocol

158 = PCMail Server (pcmail-srv)

159 = NSS-Routing

160 = SGMP-TRAPS

161 = SNMP

162 = SNMP TRAP

163 = CMIP / TCP Manager

164 = CMIP / TCP Agent

165 = Xerox (xns-courier)

166 = Sirius Systems

167 = NAMP (namp)

168 = RSVD

169 = Send

170 = NetWork PostScript

171 = NetWork Innovations Multiplex

172 = NetWork Innovations CL / 1

173 = Xyplex (xyplex-mux)

174 = Mailq

175 = VMNET

176 = GENRAD-MUX

177 = X Display Manager Control Protocol

178 = NextStep Window Server

179 = Border Gateway Protocol

180 = Intergraph (ris)

181 = Unify

182 = Unisys Audit SITP

183 = OCBinder

184 = OCServer

185 = Remote-KIS

186 = KIS Protocol (kis)

187 = Application Communication Interface

188 = Plus FIVE

401 = Uninterruptible Power Supply

402 = Genie Protocol

403 = decap

404 = nced

405 = ncld

406 = Interactive Mail Support Protocol

407 = Timbuktu

408 = Prospero Resource Manager Sys. Man.

409 = Prospero Resource Manager Node Man.

410 = DECLADEBUG Remote Debug Protocol

411 = Remote MT Protocol

412 = TRAP Convention Port

413 = SMSP

414 = InfoSeek

415 = BNet

416 = SilverPlatter

417 = Onmux

418 = Hyper-G

419 = Ariel (ariel1)

420 = SMPTE

421 = Ariel (ariel2)

422 = Ariel (ariel3)

423 = IBM Operations Planning and Control Start

424 = IBM Operations Planning and Control TRACK

425 = ICAD (icad-el)

426 = smartsdp

427 = Server Location

429 = OCS_AMU

430 = utmpsd

431 = utmpcd

432 = IASD

433 = NNSP

434 = MobileIP-Agent

435 = mobilip-mn

436 = DNA-CML

437 = comscm

439 = DASP, Thomas Obermair

440 = SGCP

441 = decvms-sysmgt

442 = cvc_hostd

443 = https

444 = SIMPLE NetWork Paging Protocol

445 = Microsoft-DS

446 = DDM-RDB

447 = DDM-RFM (ddm-dfm)

448 = DDM-BYTE

449 = AS Server Mapper

450 = TServer

512 = EXEC, Remote Process Execution

513 = login, Remote Login

514 = cmd, Exec with auto auth.

514 = syslog

515 = Printer Spooler

516 = unassigned

517 = Talk

519 = Unixtime

520 = Extended File Name Server

521 = unassigned

522 = unassigned

523 = Unassigned

524 = unassigned

526 = newdate

530 = RPC Courier

531 = chat (conference)

532 = readnews (netnews)

533 = for EMERGENCY BROADCASTS

539 = Apertus Technologies Load Determination

540 = uucp

541 = uucp-rlogin

542 = unassigned

543 = klogin

544 = kshell

545 = unassigned

546 = unassigned

547 = unassigned

548 = unassigned

549 = unassigned

550 = New-WHO

551 = unassigned

552 = unassigned

553 = unassigned

554 = unassigned

555 = DSF

556 = Remotefs

557-559 = RMonitor

560 = rmonitord

561 = DMONITOR

562 = CHCMD

563 = Unassigned

564 = Plan 9 File Service

565 = WhoAmi

566-569 unassigned

570 = DEMONMETER

571 = udemonmeter

572-599 Unassigned IPC Server

600 = Sun IPC Server

607 = NQS

606 = CRAY UNIFIED RESOURCE MANAGER

608 = sender-initiated / unsolicited file transfer

609 = npmp-trap

610 = npmp-local

611 = npmp-gui

634 = ginad

666 = Doom, Id Software

704 = Errlog COPY / Server Daemon

709 = entrustManager

729 = IBM NetView DM / 6000 Server / Client

730 = IBM NetView DM / 6000 SEND / TCP

731 = IBM NetView DM / 6000 Receive / TCP

741 = netGW

742 = NetWork based Rev. Cont. Sys.

744 = flexible license Manager

747 = Fujitsu Device Control

748 = Russell Info Sci Calendar Manager

749 = Kerberos Administration

751 = PUMP

752 = qrh

754 = Send

758 = NLOGIN

759 = con

760 = ns

762 = quotad

763 = CycleServ

765 = Webster

767 = phone (phonebook)

769 = VID

771 = RTIP

772 = CycleServ2

774 = ACMAINT_DBD

775 = ACMAINT_TRANSD

780 = WPGS

786 = Concert

800 = mdbs_daemon

996 = Central Point Software

997 = Maitrd

999 = PuProuter

1023 = Reserved

1024 = Reserved

1025 = NetWork BlackJack

1030 = BBN IAD

1031 = BBN IAD

1032 = BBN IAD

1067 = Installation Bootstrap Proto. Serv.

1068 = Installation Bootstrap Proto. CLI.

1080 = SOCKS

1083 = Anasoft license Manager

1084 = Anasoft license Manager

1155 = NetWork File Access

1222 = SNI R & D Network

1248 = HERMES

1346 = Alta Analytics License Manager

1347 = Multi Media Conferencing

1348 = Multi Media Conferencing

1349 = Registration Network Protocol

1350 = Registration Network Protocol

1351 = Digital Tool Works (MIT)

1352 = Lotus Note (lotusnote)

1353 = Relief Consulting

1354 = Rightbrain Software

1355 = Intuitive Edge

1356 = Cuillamartin Company

1357 = Electronic Pegboard

1358 = connlcli

1359 = ftsrv

1360 = mimer

1361 = LINX

1362 = Timeflies

1363 = Network DataMover Requester

1364 = NetWork DataMover Server

1365 = NetWork Software Associates

1366 = Novell NetWare Comm Service Platform

1367 = DCS

1368 = Screencast

1369 = GlobalView to Unix Shell

1370 = UNIX Shell to GlobalView

1371 = Fujitsu config protocol

1372 = Fujitsu Config Protocol

1373 = chromagrafx

1374 = EPI Software Systems

1375 = Bytex

1376 = IBM Person to Person Software

1377 = Cichlid License Manager

1378 = Elan license Manager

1379 = INTEGRITY SOLUTIONS

1380 = Telesis Network license Manager

1381 = Apple Network License Manager

1382 = UDT_OS

1383 = GW Hannaway Network license Manager

1384 = Objective Solutions license Manager

1385 = Atex Publishing License Manager

1386 = Checksum License Manager

1387 = Computer Aided Design Software Inc LM

1388 = Objective Solutions Database Cache

1389 = Document Manager

1390 = Storage Controller

1391 = Storage Access Server

1392 = Print Manager (iclpv-pm)

1393 = NetWork log Server

1394 = NetWork log client

1395 = PC Workstation Manager Software

1396 = DVL Active Mail

1397 = Audio Active Mail

1398 = Video Active Mail

1399 = Cadkey License Manager

1400 = CADKEY TABLET DAEMON

1401 = Goldleaf License Manager

1402 = Prospero Resource Manager

1403 = Prospero Resource Manager

1404 = Infinite Graphics License Manager

1405 = IBM Remote EXECUTION STARTER

1406 = NetLabs license Manager

1407 = DBSA License Manager

1408 = Sophia License Manager

1409 = Here License Manager

1410 = HIQ LICENSE Manager

1411 = AudioFile (af)

1412 = InnoSys

1413 = InnoSys-ACL

1414 = IBM MQSeries (ibm-mqseries)

1415 = dbstar

1416 = Novell LU6.2 (novell-lu6.2)

1417 = TIMBUKTU Service 1 Port

1418 = Timbuktu Service 2 Port

1419 = Timbuktu Service 3 Port

1420 = Timbuktu Service 4 Port

1421 = Gandalf License Manager

1422 = Autodesk License Manager

1423 = EssBase Arbor Software

1424 = Hybrid Encryption Protocol

1425 = Zion Software License Manager

1426 = Satellite-Data Acquisition System 1

1427 = MLOADD MONITORING TOOL

1428 = Informatik License Manager

1429 = Hypercom NMS (nms)

1430 = Hypercom TPDU (tpdu)

1431 = REVERSE GOSIP TRANSPORT

1432 = Blueberry Software License Manager

1433 = Microsoft-SQL-Server

1434 = Microsoft-SQL-MONITOR

1435 = IBM CICS (ibm-cics)

1436 = Satellite-Data Acquisition System 2

1437 = Tabula

1438 = Eicon Security Agent / Server

1439 = EICON X25 / SNA GATEWAY

1440 = Eicon Service Location Protocol

1441 = CADIS license Management

1442 = CADIS license management

1443 = INTEGRATED ENGINEERING SOFTWARE

1444 = Marcam License Management

1445 = Proxima license Manager

1446 = Optical Research Associate License Manager

1447 = Applied Parallel Research LM

1448 = OpenConnect License Manager

1449 = Peport

1450 = Tandem Distributed Workbench Facility

1451 = IBM Information Management

1452 = GTE GOVERNMENT SYSTEMS license Man

1453 = Genie License Manager

1454 = InterhDL License Manager

1455 = ESL LICENSE MANAGER

1456 = DCA

1457 = ValiSys license Manager

1458 = Nichols Research Corp.

1459 = Proshare Notebook Application

1460 = ProShare Notebook Application

1461 = IBM Wireless LAN

1462 = World License Manager

1463 = Nucleus

1464 = MSL License Manager

1465 = Pipes Platform

1466 = Ocean Software License Manager

1467 = CSDMBase

1468 = CSDM

1469 = ACTIVE ANALYSIS LIMITED LICENSE MANAGER

1470 = Universal Analytics

1471 = CSDMBase

1472 = CSDM

1473 = OpenMath

1474 = Telefinder

1475 = Taligent License Manager

1476 = CLVM-CFG

1477 = MS-SNA-Server

1478 = MS-SNA-BASE

1479 = Dberegister

1480 = PacerForum

1481 = AIRS

1482 = MITEKSYS LICENSE Manager

1483 = AFS license Manager

1484 = Confluent License Manager

1485 = LANSource

1486 = NMS_TOPO_SERV

1487 = Localinfosrvr

1488 = DocStor

1489 = dmdocbroker

1490 = insitu-conf

1491 = AnynetGateway

1492 = stone-design-1

1493 = netmap_lm

1494 = ICA

1495 = CVC

1496 = liberty-lm

1497 = rfx-lm

1498 = Watcom-SQL

1499 = Federico Heinz Consultora

1500 = VLSI License Manager

1501 = Satellite-Data Acquisition System 3

1502 = Shiva (shivadiscovery)

1503 = Databeam (imtc-mcs)

1504 = EVB Software Engineering License Manager

1505 = funk Software, Inc.

1524 = ingres

1525 = Oracle

1525 = Prospero Directory Service Non-Priv

1526 = Prospero Data Access Prot Non-Priv

1527 = Oracle (tlisrv)

1529 = Oracle (coauthor)

1600 = ISSD

1651 = Proshare conf Audio

1652 = ProShare conf video

1653 = Proshare conf Data

1654 = Proshare conf renest

1655 = ProShare conf Notify

1661 = NetView-AIX-1

1662 = NetView-AIX-2

1663 = NetView-AIX-3

1664 = NetView-AIX-4

1665 = NetView-AIX-5

1666 = NetView-AIX-6

1986 = Cisco License Management

1987 = Cisco Rsrb Priority 1 Port

1988 = Cisco Rsrb Priority 2 Port

1989 = Cisco Rsrb Priority 3 port

1989 = MHSnet System (mshnet)

1990 = Cisco Stun Priority 1 Port

1991 = Cisco Stun Priority 2 Port

1992 = Cisco Stun Priority 3 Port

1992 = ipsendmsg

1993 = Cisco SNMP TCP Port

1994 = Cisco Serial Tunnel Port

1995 = Cisco Perf Port

1996 = Cisco Remote SRB Port

1997 = Cisco Gateway Discovery Protocol

1998 = Cisco X.25 Service (XOT)

1999 = Cisco IDENTIFICATION Port

2009 = WhoscodaMi

2010 = PIPE_SERVER

2011 = RAID

2012 = RAID-AC

2013 = RAD-AM

2015 = RAID-CS

2016 = bootserver

2017 = TerminalDB

2018 = RelPack

2019 = About

2019 = xinupageserver

2020 = xinupageserver

2021 = xinuexpansion1

2021 = DOWN

2022 = xinuexpansion2

2023 = xinuexpansion3

2023 = xinuexpansion4

2024 = xinuexpansion4

2025 = XRIBS

2026 = Scrabble

2027 = ShadowServer

2028 = SubmitServer

2039 = Device2

2032 = Blackboard

2033 = Glogger

2034 = scoremgr

2035 = IMSLDOC

2038 = ObjectManager

2040 = LAM

2041 = Interbase

2042 = ISIS

2043 = ISIS-BCAST

2044 = Primsl

2045 = CDFUNC

2047 = DLS

2048 = DLS-MONITOR

2065 = Data Link Switch Read Port Number

2067 = Data Link Switch Write Port Number

2201 = Advanced Training System Program

2500 = Resource TRACKING SYSTEM Server

2501 = Resource TRACKING SYSTEM Client

2564 = HP 3000 NS / VT Block Mode Telnet

2784 = World Wide Web - Developments

3049 = Ccmail

3264 = Ccmail, CC: Mail / Lotus

3333 = DEC-Notes

3984 = Mapper Network Node Manager

3985 = Mapper TCP / IP Server

3986 = Mapper Workstation Server

3421 = BULL APPRISE Portmapper

3900 = Unidata UDT OS

4132 = NUTS Daemon (nuts_dem)

4133 = NUTS BOOTP SERVER

4343 = unicarl

4444 = KRB524

4672 = Remote File Access Server

5002 = Radio Free Ethernet

5010 = TelepathStart

5011 = TELEPATHACK

5050 = MultiMedia Conference Control Tool

5145 = rmonitor_secure

5190 = aol, America-online

5300 = ha cluster heartbeat

5301 = HACL-GS # ha cluster general services

5302 = ha cluster configuration

5303 = HACL-PROBE HA Cluster Probing

5305 = HACL-TEST

6000-6063 = x11 x window system

6111 = Sub-Process HP SoftBench Sub-Process Control

6141 = Meta-Corp Meta Corporation License Manager

6142 = Aspentec-LM Aspen Technology License Manager

6143 = WaterShed-LM Watershed License Manager

6144 = Statsci1-LM Statsci License Manager - 1

6145 = Statsci2-LM Statsci License Manager - 2

6146 = LONEWOLF-LM LONE WOLF SYSTEMS LICENSE Manager

6147 = Montage-LM Montage License Manager

7000 = AFS3-FILESERVER File Server Itself

7001 = AFS3-CALLBACK Callbacks to Cache Managers

7002 = AFS3-PRSERVER Users & Groups Database

7003 = AFS3-VLSERVER Volume Location Database

7004 = AFS3-KASERVER AFS / Kerberos Authentication Service

7005 = AFS3-VOLSER Volume Management Server

7006 = AFS3-ERRORS ERROR Interpretation Service

7007 = AFS3-BOS BASIC OVERSEER Process

7008 = AFS3-UPDATE Server-to-Server Updater

7009 = AFS3-RMTSYS Remote Cache Manager Service

7010 = UPS-ONLINE ONLINET Uninterruptable Power Supplies

7100 = x font service

7200 = FODMS FLIP

7626 = Ice

8010 = Wingate

8181 = iMail

9535 = Man

45576 = E Gene Meat Professional Agent Port

More specific, supplementary explanations of individual ports follow.

1 TCPMUX: Traffic to this port shows that someone is looking for SGI IRIX machines. IRIX is the main provider of TCPMUX, which is enabled by default on that system. IRIX machines ship with several default passwordless accounts, such as LP, Guest, UUCP, NUUCP, DEMOS, TUTOR, DIAG, EZSETUP, OUTOFBOX, and 4DGIFTS. Many administrators forget to delete these accounts, so hackers search the Internet for TCPMUX and then use these accounts.

7 Echo: You will see many messages from people searching for Fraggle amplifiers, sent to x.x.x.0 and x.x.x.255. A common DoS attack is the echo loop: the attacker forges a UDP packet from one machine to another, and the two machines then answer each other's packets as fast as they can. Another source of traffic is TCP connections that DoubleClick opens to this port. A product called "Resonate Global Dispatch" connects to this port on DNS servers to determine the nearest route. Harvest / Squid caches send UDP echo from port 3130: "If you turn on the cache's source_ping on option, it will respond with a hit reply to the UDP echo port of the original host." This generates many such packets.

11 Systat: This is a UNIX service that lists all running processes on the machine and what started them. It gives intruders a great deal of information that threatens the machine, such as exposing programs or accounts with known weaknesses. It is similar to the output of the "ps" command on UNIX systems. Again: ICMP has no ports; "ICMP port 11" is usually ICMP type = 11.

19 Chargen: This is a service that only sends characters. The UDP version answers each UDP packet it receives with a packet containing junk characters. On a TCP connection, it sends a stream of junk characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks: they forge UDP packets between two chargen servers, and because each server tries to answer the endless round-trip traffic between them, a chargen and an echo service will overload the servers. Similarly, a Fraggle DoS attack broadcasts a packet carrying the forged victim IP to this port at the target address, and the victim is overloaded by the responses.

21 FTP: The most common attackers are looking for ways to open "anonymous" FTP servers. These servers have directories that are both readable and writable. Hackers or crackers use them as nodes for passing around warez (pirated programs) and pr0n (a deliberately misspelled word).

22 SSH / pcAnywhere: A TCP connection to this port may be someone looking for SSH. This service has many weaknesses: when configured in certain modes, many versions that use the RSAREF library have numerous vulnerabilities. (Running SSH on another port is recommended.) Note also that the SSH toolkit includes a program called make-ssh-known-hosts, which scans an entire domain for SSH hosts; you may sometimes be scanned unintentionally by someone using it. UDP (rather than TCP) traffic involving port 5632 at the other end means that someone is scanning for pcAnywhere: 5632 (hexadecimal 0x1600) with its bytes swapped is 0x0016 (22 decimal).

23 Telnet: Intruders are searching for remote logins to UNIX. In most cases, intruders scan this port to find out which operating system the machine is running. In addition, using other techniques, intruders will find passwords.

25 SMTP: Spammers look for SMTP servers in order to deliver their spam. Their accounts are always being shut down, so they need to dial up and connect to a high-bandwidth e-mail server to pass simple messages to many different addresses. SMTP servers (especially Sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and mail routing is complex (exposure + complexity = weakness).

53 DNS: Hackers or crackers may be attempting zone transfers (TCP), DNS spoofing (UDP), or hiding other traffic. For this reason, firewalls often filter or log port 53. Note that you will often see port 53 as the UDP source port. Unstable firewalls typically allow this traffic, assuming that it is a reply to a DNS query. Hackers often use this method to get through firewalls.

67 & 68 BOOTP and DHCP (UDP): Firewalls on DSL and cable-modem connections often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. Hackers often get onto these networks, assign an address, and act as a local router in order to launch large numbers of man-in-the-middle attacks. The client broadcasts its request to port 68 (Bootps), and the server broadcasts its response to port 67 (Bootpc). The response uses broadcast because the client does not yet know an IP address to which it can be sent.

69 TFTP (UDP): Many servers provide this service together with BOOTP so that boot code can be downloaded from the system. However, they are often misconfigured to serve any file from the system, such as password files. They can also be used to write files to the system.

79 Finger: Hackers use it to obtain user information, query the operating system, probe for known buffer overflow bugs, and bounce finger scans from the responding machine to other machines.

80: The default service port for web sites, using the TCP or UDP protocol.

98 LinuxConf: This program provides simple administration of Linux boxen. It offers a web-based service on port 98 through an integrated HTTP server. Many security issues have been found in it. Some versions are setuid root, trust the local area network, create Internet-accessible files, and have a buffer overflow in the LANG environment variable. Also, because it contains an integrated server, many typical HTTP vulnerabilities may exist (buffer overflows, directory traversal, etc.).

109 POP2: Not as well known as POP3, but many servers provide both services (for backward compatibility). Vulnerabilities in POP3 on the same server also exist in POP2.

110 POP3: Used by clients to access mail on the server side. POP3 services have many recognized weaknesses. There are at least 20 weaknesses involving buffer overflows in the username and password exchange (which means a hacker can get into the system before actually logging in). There are other buffer overflow bugs after a successful login.

111 SunRPC / portmap / rpcbind: Sun RPC portmapper / rpcbind. Accessing the portmapper is the first step in scanning a system to see which RPC services are enabled. Common RPC services include rpc.mountd, nfs, rpc.statd, rpc.csmd, rpc.ttybd, AMD, etc. Once the intruder finds an enabled RPC service, they turn to the specific port that service uses and test it for vulnerabilities. Remember to log the daemon, IDS, or sniffer on the line, so that you can find out which program the intruder used to gain access and what happened.

113 Ident / auth: This is a protocol that runs on many machines to identify the user of a TCP connection. Used in its standard form, this service can reveal information about many machines (which hackers will exploit). However, it is used by many services, especially FTP, POP, IMAP, SMTP, and IRC. If many clients access these services through your firewall, you will usually see connection requests to this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back an RST when blocking TCP connections, which stops these slow connections.

119 NNTP / news: The newsgroup transfer protocol, which carries USENET traffic. This port is usually used when you follow a link such as news://comp.security.firewalls/. Connection attempts on this port are usually people looking for a USENET server. Most ISPs allow only their own customers to access their newsgroup servers. An open newsgroup server allows anyone to post and read, access restricted newsgroups, post anonymously, or send spam.

135 loc-srv / MS RPC end-point mapper: Microsoft runs the DCE RPC end-point mapper on this port for its DCOM services. This is similar in function to port 111 on UNIX. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine. When remote clients connect to the machine, they query the end-point mapper to find the location of the service. Likewise, hackers scan this port on a machine to find out things such as: is Exchange Server running on this machine? Which version is it? Besides being used to query services (for example with epdump), this port can also be attacked directly. There are some DoS attacks aimed directly at this port.

137 NetBIOS name service / nbtstat (UDP): This is the most common message that firewall administrators see.

139 NetBIOS File and Print Sharing: Connections coming in on this port are attempts to reach NetBIOS / SMB. This protocol is used for Windows file and printer sharing and for Samba. Sharing your own hard drive on the Internet is the most common problem. Large numbers of probes on this port started in 1999 and later became less frequent. In 2000 there was a rebound. Some VBS (IE5 VisualBasic Scripting) programs began copying themselves to this port in an attempt to propagate.

143 IMAP: As with the security problems of POP3 above, many IMAP servers have buffer overflow vulnerabilities that can be reached during the login process. Remember: a Linux worm (ADMW0RM) propagates through this port, so many scans of this port come from unwitting users who are already infected. These vulnerabilities became popular when Red Hat enabled IMAP by default in its Linux releases. This was also a widely spread worm after the Morris worm. This port is also used for IMAP2, but that is not popular. Some reports have found that some attacks on ports 0 to 143 stem from scripts.

161 SNMP (UDP): A port that intruders often probe. SNMP allows devices to be managed remotely. All configuration and operating information is stored in a database and is available to SNMP clients. Many administrators misconfigure it and leave it exposed to the Internet. Crackers will try to access the system with the default passwords "public" and "private", and may try all possible combinations. SNMP packets may also be mistakenly directed at your network. Windows machines often use SNMP for the HP JetDirect remote management software because of misconfiguration. The HP object identifier will receive SNMP packets. Newer versions of Win98 use SNMP to resolve domain names; you will see such packets broadcast on the subnet (cable modem, DSL), querying sysName and other information.

162 SNMP trap: Probably caused by misconfiguration.

177 XDMCP: Many hackers use it to access the X Window console; it also requires port 6000 to be open.

513 rwho: Possibly broadcasts from UNIX machines on the subnet that connect over cable modem or DSL. These people provide very interesting information to hackers trying to get into their systems.

553 CORBA IIOP (UDP): If you use a cable modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Hackers will use this information to get into the system.

600 PCServer Backdoor Please see the 1524 port.

Some children who play Script think they have completely broken the system through the modification of the Ingreslock and the PCServer file - Alan J. Rosenthal.

635 mountd Linux MountD bug. This is a popular bug that people scan. Most of this port scan is UDP based, but TCP-based mountD has increased (MountD runs on two ports). Remember, MountD can run in any port (which port is in the end, you need to do a portmap query at the port 111), just Linux defaults to 635 port, just like NFS usually runs on the 2049 port.

1024: Many people ask what this port is for. It is the start of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the operating system to assign them the "next free port". This allocation starts at port 1024, which means that the first program to request a dynamic port from the system is assigned port 1024. To verify this, restart the machine, open Telnet, then open another window and run "netstat -a"; you will see that Telnet was assigned port 1024. The more programs make requests, the more dynamic ports are in use, and the ports assigned by the operating system gradually get higher. Likewise, when you browse web pages, check with "netstat": each web page requires a new port.

1025, 1026: See 1024.

1080 SOCKS: This protocol tunnels through the firewall, allowing many people behind the firewall to access the Internet through one IP address. In theory it should only allow internal traffic to reach the Internet. However, because of misconfiguration, it lets hackers / crackers outside the firewall pass attacks through the firewall, or simply relay through it to computers located on the Internet, masking their direct attacks on you. WinGate is a common Windows personal firewall where this misconfiguration often occurs. You will often see this when joining IRC chat rooms.

1114 SQL: This port is rarely scanned by itself, but it is often part of the SSCAN script.

1243 SUB-7 Trojans (TCP)

1524 ingreslock backdoor: Many attack scripts install a backdoor shell on this port (especially those targeting Sendmail and RPC service vulnerabilities on Sun systems, such as statd, ttdbserver, and cmsd). If you have just installed your firewall and see connection attempts on this port, this is probably the reason. You can try Telnet to this port on your own machine to see whether it gives you a shell. The same issue applies to 600 / pcserver.

2049 NFS: The NFS program usually runs on this port. Normally you need to query the portmapper to find out which port the service is running on, but in most cases NFS ends up on this port after installation, so hackers / crackers can bypass the portmapper and probe this port directly.
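The 635 and 2049 entries both point to the portmapper on port 111 as the place to learn where mountd and NFS actually listen. The following sketch is an added example, not part of the original list: it parses `rpcinfo -p` output (the sample listing is constructed and the firewall policy set is hypothetical) and reports registered services that a port-based block list does not cover.

```python
"""Locate RPC services (mountd, nfs, ...) from `rpcinfo -p` output."""
from collections import defaultdict

# Constructed sample in the layout printed by `rpcinfo -p <host>`.
SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100003    2   udp   2049  nfs
    100024    1   udp  32771  status
"""

def parse_rpcinfo(text):
    """Return {service: set of (proto, port)} from rpcinfo -p output."""
    services = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and malformed lines; the service name may be absent.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        program, _vers, proto, port = fields[:4]
        if not port.isdigit():
            continue
        name = fields[4] if len(fields) > 4 else f"prog-{program}"
        services[name].add((proto, int(port)))
    return dict(services)

def unfiltered(services, blocked):
    """List registered (service, proto, port) entries not covered by
    `blocked`, a set of (proto, port) pairs the firewall drops."""
    return sorted(
        (name, proto, port)
        for name, endpoints in services.items()
        for proto, port in endpoints
        if (proto, port) not in blocked
    )

if __name__ == "__main__":
    svc = parse_rpcinfo(SAMPLE)
    # Hypothetical policy: only portmapper and NFS/UDP are dropped.
    policy = {("tcp", 111), ("udp", 111), ("udp", 2049)}
    for name, proto, port in unfiltered(svc, policy):
        print(f"{name} still reachable on {proto}/{port}")
```

Run against your own hosts, the result shows which RPC ports remain exposed even when port 111 itself is filtered.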

3128 Squid: This is the default port of the Squid HTTP proxy server. Attackers scan this port to search for a proxy server that gives them anonymous access to the Internet. You will also see searches for the ports of other proxy servers: 8000/8001/8080/8888. Another reason for scans of this port is that the user is entering a chat room. Other users (or the server itself) also check this port to determine whether the user's machine supports a proxy.

5632 pcAnywhere: You will see a lot of scans of this port, depending on your location. When a user opens pcAnywhere, it automatically scans the local class C network to find possible agents (translator: this refers to an agent rather than a proxy). Hackers / crackers also look for machines that have this service open, so you should check the source address of such scans. Some scans for pcAnywhere also contain UDP packets to port 22.

6776 Sub-7 artifact: This port is split off from the Sub-7 main port and is used to transmit data. For example, when a controller is controlling another machine over a telephone line and the controlled machine hangs up, you will see this. Therefore, when another person dials in with this IP address, they will see continuous connection attempts on this port. (Translator: seeing such connection attempts in the firewall report does not mean that you have been controlled by Sub-7.)

6970 RealAudio: RealAudio clients receive audio data streams from the server's UDP ports 6970-7170. This is set up by the outgoing control connection on TCP port 7070.

13223 PowWow: PowWow is a chat program from Tribal Voice. It allows users to open private chats on this port. The program is very "aggressive" about establishing a connection. It will "camp" on this TCP port waiting for a response. This causes connection attempts at heartbeat-like intervals. If you are a dial-up user and "inherit" an IP address from another chatter, this is what happens: it looks as if many different people are probing this port. The protocol uses "OPNG" as the first four bytes of its connection attempt.

17027 Conducent: This is an outgoing connection. It occurs because someone inside the company has installed shareware that carries the Conducent "adbot". The Conducent "adbot" provides an advertising service for shareware. A popular piece of software that uses this service is PKware. Some people have tested this: blocking this outgoing connection does not cause any problems, but blocking the IP addresses themselves causes the adbots to keep trying to connect several times per second:

The machine will continuously try to resolve the DNS name ads.conducent.com, i.e. the IP addresses 216.33.210.40; 216.33.199.77; 216.33.199.80; 216.33.199.81; 216.33.210.41. (Translator: I don't know whether Netants used in Radiate also has this phenomenon.)

27374 SUB-7 Trojans (TCP)

30100 NetSphere Trojan (TCP): Scans of this port are usually looking for the NetSphere Trojan.

31337 Back Orifice "elite": In hacker spelling, 31337 reads as "elite" /ei'li:t/ (translator: a French word, translated as backbone or essence; that is, 3 = E, 1 = L, 7 = T). So many backdoor programs run on this port. The most famous is Back Orifice. For a while this was the most common scan on the Internet. It is now seen less and less as other Trojans become increasingly popular.

31789 Hack-A-Tack: UDP traffic on this port is usually due to the "Hack-A-Tack" remote access Trojan (RAT, Remote Access Trojan). This Trojan includes a built-in port 31790 scanner, so any connection from port 31789 to port 31790 means that an intrusion has already taken place. (Port 31789 is the control connection; port 31790 is the file transfer connection.)

32770 ~ 32900 RPC services: The RPC services of Sun Solaris are within this range. In detail: early versions of Solaris (2.5.1) placed the portmapper in this range, which still allowed hackers / crackers to access it even when the low port was closed by the firewall. Scanning this range is not to find the portmapper, just to find known RPC services that can be attacked.

33434 ~ 33600 traceroute: If you see UDP packets within this port range (and only within this range), they are probably due to traceroute.
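Several entries above only apply to one protocol or to a port range (for example, 33434 ~ 33600 means traceroute only for UDP). The following triage script is an added example, not part of the original list: it annotates firewall log lines with notes paraphrased from the entries above; the log lines are constructed, in a shortened iptables LOG style, and use documentation addresses.

```python
"""Annotate inbound firewall hits with the port notes from this list."""
import re
from collections import defaultdict

# (protocol or None for any, low port, high port, note paraphrasing the list)
NOTES = [
    ("udp", 161, 161, "SNMP probe"),
    (None, 600, 600, "pcserver backdoor check"),
    (None, 1524, 1524, "ingreslock backdoor check"),
    ("tcp", 1243, 1243, "Sub-7 scan"),
    (None, 6776, 6776, "Sub-7 artifact (not proof of infection)"),
    ("tcp", 27374, 27374, "Sub-7 scan"),
    (None, 31337, 31337, "Back Orifice scan"),
    ("udp", 31789, 31789, "Hack-A-Tack control traffic"),
    (None, 32770, 32900, "Sun RPC service range"),
    ("udp", 33434, 33600, "traceroute"),
]

# Constructed sample log lines.
LOG = """\
IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4021 DPT=1524 SYN
IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4022 DPT=600 SYN
IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=40112 DPT=33435
IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=33435 SYN
IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1033 DPT=6776 SYN
"""

HIT = re.compile(r"SRC=(\S+).*?PROTO=(\w+).*?DPT=(\d+)")

def classify(proto, port):
    """Return the first note whose protocol and port range both match."""
    for want_proto, low, high, note in NOTES:
        if low <= port <= high and want_proto in (None, proto):
            return note
    return f"unlisted {proto}/{port}"

def triage(log_text):
    """Group the notes for each source address seen in the log."""
    by_source = defaultdict(set)
    for line in log_text.splitlines():
        m = HIT.search(line)
        if not m:
            continue  # not a packet log line
        src, proto, port = m.group(1), m.group(2).lower(), int(m.group(3))
        by_source[src].add(classify(proto, port))
    return {src: sorted(notes) for src, notes in by_source.items()}

if __name__ == "__main__":
    for src, notes in triage(LOG).items():
        print(src, "->", "; ".join(notes))
```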

When reposting, please cite the original address: https://www.9cbs.com/read-96511.html
