Who can tell me about the computer port?
Readers who have some knowledge of hacker attacks will know that so-called hackers do not fall from the sky as people imagine; they come and go freely through the "door" of your computer. The "door" of the computer is what we usually call a "port". This includes the physical ports of the computer, such as the serial port, parallel port, input/output devices and adapter interfaces (these ports are all visible), but more often it is an invisible software port. This article is about the "software port", but for convenience of explanation it is still referred to simply as "port". This article only introduces the basic knowledge of ports.
1. Introduction to ports
With the development of computer network technology, the original physical interfaces (input/output interfaces such as the keyboard, mouse, network card and display card) can no longer meet the requirements of network communication. The TCP/IP protocol, as the standard protocol for network communication, solves this communication problem. The TCP/IP protocol is integrated into the kernel of the operating system, which is equivalent to introducing a new input/output interface technology into the operating system, because TCP/IP introduces an application programming interface called the "Socket" interface. With such an interface technology, a computer can communicate through software with any computer that has a Socket interface. The port is also the "Socket interface" in computer programming.
After having these ports, how do these ports work? For example, why can a server be a Web server, an FTP server, a mail server, etc. at the same time? One of the important reasons is that various services use different ports to provide different services. For example: Usually the TCP/IP protocol stipulates that the Web uses port 80, FTP uses port 21, etc., while the mail server uses port 25. In this way, through different ports, the computer can communicate with the outside world without interfering with each other.
According to expert analysis, the maximum number of server ports can be 65535, but in fact there are only dozens of commonly used ports, which shows that there are quite a lot of undefined ports. This is why so many hacker programs can define a special port in some way to achieve the purpose of intrusion. To define this port, a certain program must be automatically loaded into memory before the computer starts and force the computer to open that special port. This program is a "backdoor" program, and these backdoor programs are often referred to as Trojan horse programs. Put simply, before invading, these Trojan programs first use some means to implant a program in a personal computer and open one or more specific ports, commonly known as a "backdoor" (BackDoor), turning the computer into an FTP server with extremely high openness (users have extremely high permissions). The purpose of intrusion can then be achieved through the backdoor.
2. Classification of ports
Ports are classified in different ways according to their reference objects. If classified from the nature of the port, it can usually be divided into the following three categories:
(1) Well Known Ports: This type of port is also often called "common port". The port numbers of such ports range from 0 to 1024, and they are tightly bound to some specific services. Usually the communication of these ports clearly indicates the protocol of a certain service. This kind of port cannot redefine its role. For example: Port 80 is actually always used for HTTP communication, while port 23 is dedicated to the Telnet service. These ports are generally not exploited by hacker programs such as Trojans. In order to give everyone a better understanding of these commonly used ports, the services corresponding to these ports will be listed in detail later in this chapter for your understanding and reference.
(2) Registered Ports: Port numbers range from 1025 to 49151. They are loosely tied to some services. That is to say, there are many services bound to these ports, and these ports are also used for many other purposes. Most of these ports do not have clearly defined service objects. Different programs can define them according to actual needs. For example, the remote control software and Trojan horse programs to be introduced later will have the definition of these ports. It is very necessary to remember these common program ports in the protection and killing of Trojan programs.
The ports used by common Trojans will be listed in detail later.
(3) Dynamic and/or Private Ports: Port numbers range from 49152 to 65535. In theory, commonly used services should not be assigned to these ports. In fact, some more special programs, especially some Trojan programs, like to use these ports because these ports are often not noticed and are easy to hide.
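The three categories above can be used to review which ports a machine is actually listening on. The following is an added example, not part of the original article: it parses `netstat -an`-style text, keeps only listening sockets, and reports those that are not in an expected-service list, tagged with the article's category. The sample output, the addresses and the expected-service list are constructed assumptions.

```python
import re

# Constructed sample in the style of `netstat -an` output (not real data).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
TCP    192.0.2.10:1043        198.51.100.7:80        ESTABLISHED
TCP    [::]:50001             [::]:0                 LISTENING
UDP    0.0.0.0:53             *:*
"""

# Assumption: the services this host is supposed to offer.
EXPECTED = {("TCP", 21), ("TCP", 80), ("UDP", 53)}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def classify_port(port):
    """Map a port number to the category ranges given in the article."""
    if 0 <= port <= 1024:
        return "well-known"
    if 1025 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a valid port: {port}")


def parse_listeners(text):
    """Return sorted (proto, port) pairs for sockets waiting for traffic."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, local, _foreign, state = m.groups()
        proto = proto.upper()
        # A TCP row is a listener only in LISTENING state; UDP rows carry no state.
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        # rsplit keeps IPv6 forms such as [::]:50001 intact.
        found.add((proto, int(local.rsplit(":", 1)[1])))
    return sorted(found)


def unexpected_listeners(text, expected):
    """Listeners that are not in the expected set, with their category."""
    return [(proto, port, classify_port(port))
            for proto, port in parse_listeners(text)
            if (proto, port) not in expected]


if __name__ == "__main__":
    for proto, port, category in unexpected_listeners(SAMPLE_NETSTAT, EXPECTED):
        print(f"review {proto}/{port} ({category} range): not an expected service")
```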
According to the service method provided, ports can be divided into two types: "TCP protocol ports" and "UDP protocol ports", because computers generally use these two communication protocols to communicate with each other. The "connection method" introduced earlier connects directly with the receiver; after sending the information, you can confirm whether it has arrived. This method mostly uses the TCP protocol. The other method simply sends the information onto the network regardless of whether it arrives; this is the "connectionless method" introduced earlier. It mostly uses the UDP protocol, and the IP protocol is also connectionless. The ports provided by services using these two communication protocols are accordingly divided into "TCP protocol ports" and "UDP protocol ports".
The common ports using the TCP protocol mainly include the following:
(1) FTP: Defines the file transfer protocol and uses port 21. It is often said that when a certain computer turns on the FTP service, it means that the file transfer service is started. Downloading files and uploading homepages all require FTP services.
(2) Telnet: A port used for remote login. Users can connect to the computer remotely under their own identity. Through this port, a communication service based on DOS mode can be provided. For example, earlier BBS systems had a pure character interface, and servers that supported BBS would open port 23 to provide services to the outside world.
(3) SMTP: Defines the Simple Mail Transfer Protocol, which many mail servers now use for sending mail. For example, common free mail services use this mail service port, so you often see an SMTP port setting in the email settings. The server opens port 25.
(4) POP3: The counterpart of SMTP; POP3 is used to receive email. Normally, the POP3 protocol uses port 110. In other words, as long as you have a program that uses the POP3 protocol (such as Foxmail or Outlook), you can receive mail directly with the mail program without logging in to the mailbox interface through the Web (for example, with a 163 mailbox there is no need to log in to the NetEase website first and then enter your own mailbox to receive the mail).
Common UDP protocol ports are:
(1) HTTP: This is the most commonly used protocol, and it is often referred to as the "Hypertext Transfer Protocol". When browsing the Internet, port 80 must be opened on the computer that provides web resources to provide services. It is often said that "WWW service" and "Web server" use this port.
(2) DNS: used for domain name resolution service, this service is most commonly used in Windows NT systems. Every computer on the Internet has a corresponding network address. This address is often referred to as an IP address, which is expressed in the form of pure numbers + "." However, this is inconvenient to remember, so domain names appeared. When accessing a computer, you only need to know the domain name. The conversion between the domain name and the IP address is completed by the DNS server. DNS uses port 53.
(3) SNMP: Simple Network Management Protocol, using port 161, is used to manage network devices. Since there are many network devices, connectionless services have their advantages.
(4) OICQ: The OICQ program both accepts services and provides services, so the two chatting parties are equal. OICQ uses a connectionless protocol, which means it uses the UDP protocol. The OICQ server uses port 8000 to listen for incoming information, and the client uses port 4000 to send information out. If these two ports are in use (many people chat with several friends at the same time), the next ports in order are used.
Of the more than 60,000 ports on a computer, those with port numbers within 1024 are usually called common ports. The services corresponding to these common ports are usually fixed. Listed in Table 1 are the default ports of the server, which are not allowed to be changed. These ports are mainly used in general communication processes.
Table 1
Service type    Default port    Service type    Default port
Echo            7               Daytime         13
FTP             21              Telnet          23
SMTP            25              Time            37
Whois           43              DNS             53
Gopher          70              Finger          79
WWW             80              POP3            110
NNTP            119             IRC             194
In addition, the following ports are commonly used by proxy servers:
(1) Common port numbers for HTTP protocol proxy servers: 80/8080/3128/8081/9080
(2) Common port number for SOCKS proxy protocol servers: 1080
(3) Common port number for FTP protocol proxy servers: 21
(4) Common port number for Telnet protocol proxy servers: 23
3. Application of ports in hackers
Hacker programs such as Trojans achieve their goals by invading ports. When it comes to port utilization, hacker programs usually have two methods, namely "port listening" and "port scanning".
"Port listening" and "port scanning" are two port technologies that are often used in both hacker attacks and protection. In attacks, they can be used to accurately find the target and obtain useful information. In personal and network protection, they can be used to discover hacker attacks and some security loopholes in time. Let's first briefly introduce the similarities and differences between these two port technologies.
"Port listening" uses a program to monitor the ports of the target computer to see which ports on it are free and available. Listening can also capture useful information about others. It is mainly used in hacker software, but it is also very useful for individuals: you can use a listening program to protect your own computer by monitoring selected ports on it, which can detect and intercept some hacker attacks. You can also listen to the designated port of other people's computers to see if it is free for intrusion.
"Port scanning" is to determine what services are running by connecting to the TCP protocol or UDP protocol port of the target system, and then obtain the corresponding user information. Nowadays, many people confuse "port listening" and "port scanning", and they can't tell when listening technology should be used and under what circumstances scanning technology should be used. However, the current software seems to be a bit vague about these two technologies, and some simply integrate the two functions into one.
"Port listening" and "port scanning" have similarities and differences. The similarity is that both can monitor the target computer. The difference is that "port listening" is a passive process: it waits for other people's connections to appear, and only through those connections can the required information be heard. In personal use, if the program is set to report to the user immediately when an abnormal connection is detected, a hacker's connection attempt can be effectively detected and a Trojan horse program residing on the local machine can be removed in a timely manner. This listening program is usually installed on the target computer. The "port listening" used by hackers usually means that the hacker program resides on the server side, waits for the server to capture the information the hacker needs during normal activity, and then sends it out in a connectionless manner through the UDP protocol. "Port scanning" is an active process. It actively scans the selected ports of the target computer and discovers all activity on them in real time (especially some online activities). The scanner is generally installed on the client, but its connection with the server is mainly through the connectionless UDP protocol.
In the network, when information is propagated, you can use tools to set the network interface in listening mode to intercept or capture the information being propagated in the network, so as to carry out attacks. Port listening can be implemented in any location mode on the network, and hackers generally use port listening to intercept user passwords.
4. Principle of port listening
The Ethernet protocol works by sending each data packet to all the computers connected together. The address of the computer that should receive the packet is included in the packet header, and only the computer whose address matches the destination address in the packet accepts it. But when a computer is working in listening mode, it receives the packet regardless of the destination physical address in it. When two computers in the same network communicate, the source computer sends the data packet carrying the destination computer's address directly to the destination computer; when a computer in the network communicates with an outside computer, the source computer sends the data packet carrying the destination computer's IP address to the gateway. However, such a packet cannot be sent directly from the upper levels of the protocol stack. It must be handed from the IP protocol layer of TCP/IP to the network interface, that is, the data link layer. The network interface does not recognize IP addresses. At the network interface, an Ethernet frame header is added to the packet carrying the IP address that came from the IP protocol layer. The frame header contains two fields, the physical addresses of the source computer and the destination computer, which only the network interface can recognize. Each is a 48-bit address, and this 48-bit address corresponds to the IP address; in other words, an IP address also corresponds to a physical address. A computer that serves as a gateway is connected to multiple networks, so it has several IP addresses at the same time, one in each network. Frames sent out of the network carry the physical address of the gateway.
Ethernet frames filled in with physical addresses are sent out from the network port (or from the gateway port) onto the physical line. If the local area network is connected by thick or thin coaxial cable, the digital signal transmitted on the cable can reach every computer on the line. When a hub is used, the signal reaches the hub and is then sent by the hub to each line connected to it, so the digital signals transmitted on the physical line can reach each computer connected to the hub. When a digital signal reaches the network interface of a computer, under normal conditions the network interface checks the data frame it has read. If the physical address carried in the frame is its own or is a broadcast address, the frame is handed over to the IP protocol layer software. This process is performed for each data frame arriving at the network interface. But when the computer is working in listening mode, all data frames are handed over to the upper layer protocol software for processing.
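The filtering decision described above can be written out directly. The following is an added example, not part of the original article: it parses the 14-byte Ethernet header and applies the rule "own address or broadcast, unless in listening mode" to three frames on a shared hub. The MAC addresses and frames are constructed, and multicast handling is left out because the article does not cover it.

```python
import struct

BROADCAST = b"\xff" * 6

# Constructed, locally administered MAC addresses for three hosts on one hub.
HOST_A = "02:00:00:00:00:0a"
HOST_B = "02:00:00:00:00:0b"
HOST_C = "02:00:00:00:00:0c"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload=b""):
    """Ethernet header: 48-bit destination, 48-bit source, 16-bit type."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_header(frame):
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_text(dst), "src": mac_text(src), "ethertype": ethertype}


def nic_delivers(frame, own_mac, listening_mode=False):
    """True if the interface hands this frame to the upper protocol layer."""
    if listening_mode:
        return True  # every frame on the wire is passed up
    return frame[:6] in (mac_bytes(own_mac), BROADCAST)


def frames_seen(frames, own_mac, listening_mode=False):
    return [parse_header(f) for f in frames
            if nic_delivers(f, own_mac, listening_mode)]


# Constructed traffic as it appears on every port of the hub.
HUB_TRAFFIC = [
    build_frame(HOST_B, HOST_A, 0x0800, b"A to B"),                  # IPv4
    build_frame("ff:ff:ff:ff:ff:ff", HOST_A, 0x0806, b"who-has"),    # ARP broadcast
    build_frame(HOST_A, HOST_B, 0x0800, b"B to A"),                  # IPv4
]

if __name__ == "__main__":
    print("host C, normal mode:   ", len(frames_seen(HUB_TRAFFIC, HOST_C)))
    print("host C, listening mode:", len(frames_seen(HUB_TRAFFIC, HOST_C, True)))
```

In normal mode host C is handed only the broadcast frame; in listening mode it is handed the A-to-B conversation as well, which is why shared media expose every station's traffic to any station on the segment.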
When computers connected to the same cable or hub are logically divided into several subnets, then if a computer is in listening mode, it can receive messages sent to a computer that is not on the same subnet as itself. All information transmitted on the same physical channel can be received from computers using different masks, IP addresses, and gateways.
On a UNIX system, when a user with super privileges wants to put the computer he controls into listening mode, he only needs to send an I/O control command to the network interface to set the computer to listening mode. In Windows 9x systems, this can be achieved by running the listening tool directly, regardless of whether the user has permission or not.
When listening on a port, it is often necessary to save a large amount of information (including a lot of junk information) and to organize much of what is collected, so the listening computer's response to other users' requests becomes very slow. At the same time, the listening program consumes a lot of processor time when running. If the contents of the packets are analyzed in detail at this time, many packets will not be received in time and will be missed. Therefore, the listening program often stores the intercepted packets in files for later analysis. Analyzing the intercepted data packets is a headache because the data packets in the network are very complex. When two computers continuously send and receive data packets, some interactive data packets from other computers will inevitably be mixed into the listening results.
It is not easy for the listening program to put together the packets of the same TCP protocol session. If you also want to sort out the user's detailed information, you need to conduct a lot of analysis on the packets according to the protocol.
The protocols used in the network today were all designed early on. Many protocol implementations assume a friendly environment with full trust between the two communicating parties. In a normal network environment, user information, including passwords, is transmitted in clear text on the Internet. Therefore, it is not difficult to obtain user information through port listening: with preliminary knowledge of the TCP/IP protocol, you can easily listen to the information you want.
5. Principle of port scanning
"Port scanning" usually refers to sending the same information to all the ports that need to be scanned on the target computer, and then determining from the returned port status whether each port on the target computer is open and available. An important characteristic of "port scanning" behavior is that there are many packets from the same source address to different destination ports in a short period of time.
For those who use port scanning to attack, the attacker can always obtain the scanning results while making it difficult to be discovered or reversely traced. To hide the attack, the attacker can scan slowly. Unless the target system is usually idle (so that a packet with no listening port will attract the attention of the administrator), port scans performed at large intervals are difficult to identify. The method to hide the source address is to send a large number of deceptive port scan packets (1000), only one of which comes from the real source address. In this way, even if all the packets (1000) are detected and recorded, no one knows which is the real source address. All that can be found is "ever scanned". It is precisely because of this that hackers continue to use this port scanning technology in large quantities to obtain target computer information and conduct malicious attacks.
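The characteristic named above, many packets from one source to different destination ports in a short time, is what a detector counts, and the slow scan shows why the window length matters. The following is an added example, not part of the original article: it counts distinct destination ports per source and target in a sliding window over connection-log lines. The log format, addresses, thresholds and window lengths are constructed assumptions.

```python
from collections import defaultdict, deque


def parse_line(line):
    """Constructed log format: '<seconds> <src> <dst> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def detect_scans(lines, window_s, min_ports):
    """Sources that hit >= min_ports distinct ports on one target within window_s."""
    recent = defaultdict(deque)  # (src, dst) -> (timestamp, port) inside window
    flagged = set()
    for ts, src, dst, dport in sorted(map(parse_line, lines)):
        q = recent[(src, dst)]
        q.append((ts, dport))
        while ts - q[0][0] > window_s:
            q.popleft()  # drop events that fell out of the window
        if len({port for _, port in q}) >= min_ports:
            flagged.add(src)
    return flagged


def build_sample_log():
    """Constructed events: a fast scan, a slow scan and an ordinary web client."""
    lines = []
    for i in range(15):   # 15 ports in under 3 seconds
        lines.append(f"{i * 0.2:.1f} 203.0.113.5 192.0.2.10 {20 + i}")
    for i in range(15):   # 15 ports, one probe every 2 minutes
        lines.append(f"{i * 120:.1f} 203.0.113.9 192.0.2.10 {100 + i}")
    for i in range(30):   # repeated requests to a single port
        lines.append(f"{i * 5:.1f} 198.51.100.20 192.0.2.10 80")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("10 s window:  ", sorted(detect_scans(log, 10, 10)))
    print("1 hour window:", sorted(detect_scans(log, 3600, 10)))
```

The 10-second window flags only the fast scan; the one-hour window also flags the slow one, at the cost of keeping more state per source. The busy web client is never flagged because it touches a single port.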
The most commonly used tool for port scanning is port scanning software, also commonly known as a "port scanner". Port scanning serves three purposes:
(1) Identify the TCP protocol and UDP protocol services running on the target system.
(2) Identify the operating system type of the target system (Windows 9x, Windows NT, or UNIX, etc.).
(3) Identify the version number of an application or a specific service.
A port scanner is a program that automatically detects security vulnerabilities of remote or local computers. By using the scanner, you can discover the allocation of various TCP protocol ports and the services provided by the remote server without leaving any traces. You can also find out the software versions they use! This allows you to indirectly understand the security issues that exist on the remote computer.
The port scanner can collect a lot of useful information about the target computer (such as: Is a port listening? Is there a writable FTP directory? Can TELNET be used?).
The port scanner is not a program that directly attacks network vulnerabilities; it can only help discover some inherent weaknesses in the target machine. A good scanner can also analyze the data it obtains to help find vulnerabilities in the target computer, but it will not provide a detailed procedure for port scanning. The scanner mainly has the following three capabilities during the scanning process:
(1) The ability to discover a computer or network;
(2) Once a computer is discovered, the ability to discover what services are running on the target computer;
(3) The ability to discover existing vulnerabilities by testing these services on the target computer.
Writing a scanner program requires a lot of knowledge of TCP/IP protocol programming and of the C, Perl and/or SHELL languages. It also requires some background in Socket programming, a method for developing client/server applications.
Reference: Article source: Tianji Business Application Channel. Author: Wang Da.