Welcome to Day 3! Today, we'll dive into the fundamental concepts of ports and protocols - the building blocks of network communication. Understanding these concepts is crucial for effective network scanning and security analysis.
By completing Day 03, you will be able to:
- Understand what ports and protocols are
- Identify common port numbers and their services
- Explain how different protocols work
- Recognize port states and their meanings
- Apply port knowledge in practical scanning scenarios
Ports are virtual endpoints for network communications on a computer. Think of them like apartment numbers in a large building:
- IP Address = Building address (e.g., 192.168.1.1)
- Port Number = Apartment number (e.g., 80, 443, 22)
Ports are divided into three main ranges:
- Well-Known Ports (0-1023)
  - Reserved for fundamental internet services
  - Require special privileges to use
  - Standardized by IANA (Internet Assigned Numbers Authority)
- Registered Ports (1024-49151)
  - Assigned to specific applications
  - Used by user-level applications
  - Also registered with IANA
- Dynamic/Private Ports (49152-65535)
  - Used for temporary connections
  - Assigned dynamically by operating systems
  - Often used for client-side communications
Here are the most commonly encountered ports, explained for beginners:
Port 21 - FTP (File Transfer Protocol)
- Function: Transfers files between computers
- Common Use: Uploading/downloading website files
- Security Note: Often unencrypted - use SFTP (port 22) instead
- Example: `ftp://example.com`
Port 22 - SSH (Secure Shell)
- Function: Secure remote access to servers
- Common Use: System administration, secure file transfer (SFTP)
- Security: Encrypted communication
- Default Service: OpenSSH, PuTTY
Port 23 - Telnet
- Function: Remote terminal access (unencrypted)
- Common Use: Legacy system management
- Security Risk: All data sent in plain text - avoid in production
- Modern Replacement: SSH (port 22)
Port 25 - SMTP (Simple Mail Transfer Protocol)
- Function: Sends email between mail servers
- Common Use: Outgoing email delivery
- Note: Usually only for server-to-server communication
- Alternative: Port 587 for email submission
Port 53 - DNS (Domain Name System)
- Function: Translates domain names to IP addresses
- Common Use: google.com → 142.250.74.206
- Protocol: Both TCP and UDP
- Importance: Critical for internet functionality
Port 80 - HTTP (Hypertext Transfer Protocol)
- Function: Standard web page delivery
- Common Use: Regular website browsing (http://)
- Security: Unencrypted - all data visible
- Default Service: Apache, Nginx, IIS
Port 110 - POP3 (Post Office Protocol v3)
- Function: Retrieves email from servers
- Common Use: Email client connections
- Behavior: Downloads emails to local device
- Alternative: IMAP (port 143) for server-side storage
Port 143 - IMAP (Internet Message Access Protocol)
- Function: Manages email on mail servers
- Common Use: Email synchronization across devices
- Advantage: Keeps emails on server
- Secure Version: IMAPS on port 993
Port 443 - HTTPS (HTTP Secure)
- Function: Encrypted web page delivery
- Common Use: Secure websites (https://)
- Security: Encrypted with SSL/TLS
- Importance: Standard for all modern websites
Port 445 - SMB (Server Message Block)
- Function: Windows file and printer sharing
- Common Use: Network drives, shared folders
- Protocol: Used by Windows networks
- Security History: Multiple vulnerabilities (EternalBlue)
Port 3306 - MySQL
- Function: MySQL database communication
- Common Use: Website databases (WordPress, etc.)
- Default Service: MySQL Server
- Security: Often left exposed - should be restricted
Port 3389 - RDP (Remote Desktop Protocol)
- Function: Remote GUI access to Windows systems
- Common Use: Remote Windows administration
- Client Software: Windows Remote Desktop, mstsc.exe
- Security Risk: Frequent target for brute force attacks
Port 5432 - PostgreSQL
- Function: PostgreSQL database communication
- Common Use: Advanced database applications
- Popularity: Growing in enterprise applications
- Security: Similar concerns to MySQL
Port 5900 - VNC (Virtual Network Computing)
- Function: Remote desktop sharing
- Common Use: Cross-platform remote access
- Variant: Often uses 5901, 5902, etc. for multiple sessions
- Security: Often unencrypted - use SSH tunnel
Port 8080 - HTTP Alternate
- Function: Alternative web server port
- Common Use: Development servers, proxy servers
- Typical Service: Apache Tomcat, development web servers
- Reason: Port 80 may be blocked or in use
Port 8443 - HTTPS Alternate
- Function: Alternative HTTPS port
- Common Use: Development, internal services
- Typical Service: Apache Tomcat with SSL
- Use Case: When port 443 is unavailable
Port 27017 - MongoDB
- Function: MongoDB database communication
- Common Use: NoSQL database applications
- Default: MongoDB's default port
- Security: Often exposed with default credentials
Port 5000 - UPnP (Universal Plug and Play)
- Function: Device discovery and configuration
- Common Use: Home routers, IoT devices
- Protocol: Automates network device setup
- Security Concern: Can be exploited for attacks
TCP (Transmission Control Protocol) - The "Reliable" One
Characteristics of TCP:
- Connection-oriented (handshake required)
- Guaranteed delivery
- Error checking and correction
- Ordered data delivery
- Flow control (manages speed)
Example: Like sending a registered letter with tracking
Use Cases: Web browsing (HTTP/HTTPS), email, file transfer
UDP (User Datagram Protocol) - The "Fast" One
Characteristics of UDP:
- Connectionless (no handshake)
- No delivery guarantees
- Minimal error checking
- Unordered data delivery
- Faster than TCP
Example: Like shouting a message in a crowded room
Use Cases: Video streaming, DNS queries, online gaming
Example: Loading a Web Page
Step 1: DNS Query (Port 53 UDP)
Your computer: "What's the IP for google.com?"
DNS Server: "It's 142.250.74.206"
Step 2: TCP Handshake (Port 443 TCP)
Your computer: SYN (Can we talk?)
Google Server: SYN-ACK (Yes, let's talk)
Your computer: ACK (Great, let's start)
Step 3: HTTPS Request (Port 443 TCP)
Your computer: "Send me the homepage"
Google Server: "Here's the encrypted homepage"
Step 4: TCP Teardown
Your computer: FIN (I'm done)
Google Server: FIN-ACK (Okay, goodbye)
"The Web Trio" - Essential Web Ports
- 80: HTTP - Regular web traffic
- 443: HTTPS - Secure web traffic
- 8080/8443: Development/alternative ports
"The Remote Access Group" - Administration Ports
- 22: SSH - Secure command line
- 23: Telnet - Insecure command line
- 3389: RDP - Windows remote desktop
- 5900: VNC - Cross-platform remote desktop
"The Database Cluster" - Database Ports
- 1433: Microsoft SQL Server
- 3306: MySQL
- 5432: PostgreSQL
- 27017: MongoDB
"The File Transfer Family"
- 21: FTP - Basic file transfer
- 22: SFTP - Secure file transfer (via SSH)
- 69: TFTP - Trivial file transfer (no auth)
- 445: SMB - Windows file sharing
When Nmap scans ports, it reports one of these states:
Open: Service is actively accepting connections
- Example: `80/tcp open http`
- Meaning: Web server is running and accessible
Closed: Port is accessible but no service listening
- Example: `81/tcp closed`
- Meaning: Port is reachable but nothing's there
Filtered: Firewall/security device blocking access
- Example: `22/tcp filtered ssh`
- Meaning: Something is preventing connection attempts
Unfiltered: Port is accessible but state unknown
- Example: Rarely seen in basic scans
- Meaning: Requires further testing
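As an added example (not from the original lesson), the following Python script reproduces what a TCP connect scan (`nmap -sT`) does and how the three common states above map onto TCP responses: a completed handshake is open, a RST (connection refused) is closed, and silence until the timeout is filtered. It starts its own listener on 127.0.0.1 so it runs offline; the host, ports and timeout are assumptions for the demonstration.

```python
import socket
import threading

def _serve_once(server: socket.socket) -> None:
    """Accept a single connection and close it, standing in for a listening service."""
    conn, _ = server.accept()
    conn.close()

def start_listener() -> tuple[socket.socket, int]:
    """Bind a TCP listener on an OS-chosen port (a dynamic/private port on most systems)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    threading.Thread(target=_serve_once, args=(server,), daemon=True).start()
    return server, server.getsockname()[1]

def reserve_closed_port() -> int:
    """Ask the OS for a free port and release it, so nothing is listening there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def tcp_port_state(host: str, port: int, timeout: float = 1.0) -> str:
    """Infer the Nmap-style state from a full TCP connect (what nmap -sT does).

    SYN answered with SYN-ACK (handshake completes) -> "open"
    SYN answered with RST (connection refused)      -> "closed"
    No answer before the timeout                    -> "filtered"
    Simplification: other socket errors (e.g. host unreachable) are also reported
    as "filtered", since the scanner likewise got no usable answer.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"

if __name__ == "__main__":
    server, open_port = start_listener()
    closed_port = reserve_closed_port()
    print(f"{open_port}/tcp", tcp_port_state("127.0.0.1", open_port))      # open
    print(f"{closed_port}/tcp", tcp_port_state("127.0.0.1", closed_port))  # closed
    server.close()
```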
```bash
# Scan your localhost and identify services
nmap 127.0.0.1
```
Questions to answer:
1. How many ports are open?
2. What services are running?
3. Which ports are well-known vs registered?
4. Are there any unexpected open ports?
- Pick 5 open ports from your scan
- Research each service online:
  - What does it do?
  - Is it necessary for your system?
  - What are common security concerns?
- Document your findings
```bash
# Test TCP vs UDP behavior
# TCP scan (default)
nmap -sT 127.0.0.1
# UDP scan (slower, different results)
sudo nmap -sU 127.0.0.1 -p 53,67,123
# Compare the results and timing
```
```bash
# Scan specific port ranges
# Well-known ports only
nmap -p 1-1024 127.0.0.1
# Common web ports
nmap -p 80,443,8080,8443 127.0.0.1
# Database ports
nmap -p 1433,3306,5432,27017 127.0.0.1
# Compare the results
```

| Port | Service | Protocol | Common Use | Security Notes |
|---|---|---|---|---|
| 21 | FTP | TCP | File Transfer | Unencrypted - use SFTP |
| 22 | SSH | TCP | Secure Remote Access | Encrypted - secure |
| 23 | Telnet | TCP | Remote Access | Unencrypted - avoid |
| 25 | SMTP | TCP | Email Sending | Server-to-server |
| 53 | DNS | TCP/UDP | Domain Resolution | Critical service |
| 80 | HTTP | TCP | Web Pages | Unencrypted |
| 110 | POP3 | TCP | Email Retrieval | Downloads to client |
| 143 | IMAP | TCP | Email Management | Syncs across devices |
| 443 | HTTPS | TCP | Secure Web | Encrypted - standard |
| 445 | SMB | TCP | File Sharing | Windows networks |
| 3306 | MySQL | TCP | Database | Common web DB |
| 3389 | RDP | TCP | Remote Desktop | Windows remote access |
| 5432 | PostgreSQL | TCP | Database | Advanced applications |
| 8080 | HTTP Alt | TCP | Web Dev | Development servers |
Some services use multiple ports:
- Main Port: Primary communication (e.g., 80 for HTTP)
- Admin Port: Management interface (e.g., 8080 for Tomcat admin)
- Cluster Ports: Communication between instances
- Backup Ports: Failover or alternative access
Home Router Scenario:
External Request: Internet → Router:80
Port Forwarding: Router redirects to → PC:8080
Result: External users access internal development server
- Temporary ports assigned to clients
- Range: Usually 49152-65535
- Used for response routing
- Recycled after connection closes
Port 445 (SMB)
- Risk: EternalBlue exploit
- Attack: WannaCry ransomware
- Protection: Keep Windows updated, disable if unused
Port 3389 (RDP)
- Risk: Brute force attacks
- Attack: Credential stuffing
- Protection: Strong passwords, 2FA, change default port
Port 22 (SSH)
- Risk: Brute force, weak keys
- Attack: Password guessing
- Protection: Key-based auth, fail2ban, non-standard port
Port 80/443 (Web)
- Risk: Web application attacks
- Attack: SQL injection, XSS
- Protection: WAF, input validation, HTTPS
Principle of Least Privilege
- Only open necessary ports
- Close everything else
- Regular port audits
Network Segmentation
- Separate services by network zones
- DMZ for public-facing services
- Internal networks for sensitive services
Monitoring and Alerting
- Monitor for new open ports
- Alert on unexpected changes
- Regular vulnerability scans
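As an added example (not part of the lesson), this Python script turns the localhost exercise above and the "monitor for new open ports" advice into something repeatable: it parses the PORT/STATE/SERVICE table from Nmap's normal output, labels each port with its IANA range, counts ports per reported state, and diffs confirmed-open TCP ports against a baseline to flag unexpected (or missing) ports. The scan text and baseline are constructed for the example, not real output.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample in the shape of Nmap's normal-output port table (not a real scan).
SAMPLE_SCAN = """\
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
81/tcp    closed        unknown
445/tcp   filtered      microsoft-ds
3306/tcp  open          mysql
8080/tcp  open          http-proxy
53/udp    open|filtered domain
"""
BASELINE_OPEN = {22, 80}  # constructed baseline: TCP ports this host should expose

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

class PortResult(NamedTuple):
    port: int
    proto: str
    state: str
    service: str

def classify_range(port: int) -> str:
    """Name the IANA range a port number falls in (the three ranges described above)."""
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic/private"

def parse_nmap_output(text: str) -> list[PortResult]:
    """Extract (port, protocol, state, service) rows; header and chatter lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append(PortResult(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def state_counts(rows: list[PortResult]) -> dict[str, int]:
    """Ports per reported state; 'open|filtered' (UDP ambiguity) is not counted as open."""
    return dict(Counter(r.state for r in rows))

def audit_open_ports(rows: list[PortResult], baseline: set[int]) -> dict[str, list[int]]:
    """Diff confirmed-open TCP ports against the baseline: the changes to alert on."""
    open_tcp = {r.port for r in rows if r.proto == "tcp" and r.state == "open"}
    return {"unexpected": sorted(open_tcp - baseline), "missing": sorted(baseline - open_tcp)}

if __name__ == "__main__":
    rows = parse_nmap_output(SAMPLE_SCAN)
    print(state_counts(rows), audit_open_ports(rows, BASELINE_OPEN))
```

Feed it the saved output of a real scan (`nmap -oN scan.txt 127.0.0.1`) and keep the baseline in version control; a non-empty "unexpected" list is the alert condition.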
- Start with Common Ports: Focus on ports 1-1024 first
- Use Nmap's Service Detection: the `-sV` flag gives detailed service info
- Document Everything: Keep notes of what should be open
- Test Changes: Verify security measures actually work
- Learn Continuously: New services and ports emerge regularly
Tomorrow (Day 04) will cover:
- Basic host discovery techniques
- Different host discovery methods
- Practical scanning exercises
- Understanding network responses
- Which ports were most surprising on your system?
- How does understanding ports help with security?
- What's the difference between TCP and UDP in practical terms?
- Which services would you consider disabling on your system?
- Use `nmap -h` for command help
- Check Nmap documentation online
- Join cybersecurity learning communities
- Practice in isolated lab environments
🎉 Congratulations on completing Day 03! You now understand the fundamental building blocks of network communication. This knowledge will be invaluable as we progress to actual scanning techniques.
"To master the network, first master its doors and windows - the ports and protocols."