What are they? Why are they important to me?
We (IT folk) install applications on our machines regularly, yet many of us still don't fully understand what really happens to make the communications between a client and a server work. I hope to illustrate, in words and pictures, the communications process of a few Internet applications. I will keep the explanation as simple as possible so that even non-IT folk can follow it. I will use a few examples: HTTP, FTP, and a Telnet client session to a Telnet server.
First let's begin with a brief introduction to TCP/IP. TCP/IP is not a single protocol but a suite, that is, a collection of protocols that work together. It helps to picture TCP/IP graphically, as a stack of blocks (layers) sitting one on top of the other.
Each layer communicates only with the layers directly in contact with it: layer 1 cannot talk to layer 3 without passing its contents through layer 2. This architecture lets each layer specialize, and it also allows other software to be inserted between the layers. You may already be using an application that inserts itself into your TCP/IP stack, such as ZoneAlarm or Intel NetStructure VPN. These applications sit in the stack and intercept your packets: a personal firewall decides whether each packet is allowed through, and a VPN client decides whether it is bound for the public Internet or for a private network over the VPN tunnel.
So what does all this mean to you? It means that the TCP/IP suite is important, and if you really want to harness it you must understand it further.
Introduction to commonly known ports
Before we jump in, what is a port? A port can be thought of as a numbered doorway into a computer (the number is 16 bits, so it ranges from 0 to 65535). Network applications that use the TCP/IP suite communicate with one another through sockets. A socket is the combination of an IP address and a port number.
You can envision a socket like the following illustration:
So, on the one hand you have an IP address, say 10.1.1.1, and a service port like 25 for SMTP. When a client connects to 10.1.1.1 on port 25 a "socket" is created. This socket is the agreed-upon pathway for the communication, made up of an IP address and a port number, in this case 10.1.1.1:25. The client has a socket of its own too, its IP address plus a port that its operating system picks for it, and the pair of sockets uniquely identifies the connection.
If you have worked in IT for any length of time you will be familiar with most if not all of the following ports. If you are not, make yourself comfortable with them now. If you memorize only a handful of ports, these are the key ones to remember.
Some of the more common port numbers are 21, 23, 25, 53, 80, 110, 119 and 443:
21 = FTP: File Transfer Protocol
23 = Telnet: remote terminal login
25 = SMTP: Simple Mail Transfer Protocol
53 = DNS: Domain Name System
80 = HTTP: Hypertext Transfer Protocol
110 = POP3: Post Office Protocol version 3
119 = NNTP: Network News Transfer Protocol
443 = HTTPS: HTTP over SSL (Secure Sockets Layer), today TLS
Sometimes protocols are merged into an existing application, the web browser for example. The web browser sometimes acts as an FTP client. Whenever a web browser acts as an FTP client the URL typically looks something like ftp://ftp.ortizonline.com. Notice how it's not http? The scheme at the front of the URL tells the browser which protocol to speak, and therefore which default port to connect to (21 instead of 80).
Whenever we send email using Outlook Express or some other email client, SMTP is almost certainly the transfer protocol. There are exceptions, such as old MS Mail clients and old Lotus systems. Some companies use Outlook with only the Exchange service installed, which makes it unnecessary for the clients to speak SMTP (Outlook talks to Exchange with MAPI over RPC instead). Any server that wishes to send email to ANYONE on the Internet, however, will need to speak SMTP.
Let's go on to analyze a sample web browsing session.
Why is this useful to know?
One technique commonly used with firewalls is blocking ports in order to conform to corporate security policy. For example, a company may block all connections to port 23 if Telnet to machines outside the corporate network is not allowed. Firewalls are a whole separate subject altogether; I'll cover them in a future article. To learn more about firewalls check out Building Internet Firewalls by Brent Chapman, ISBN 1565928717. Excellent book.
Let's use the example of a persistent client application such as telnet. telnet is a client program that opens a connection to a Telnet server; because it connects to whatever port you give it, it is also handy for checking that a TCP port can be reached at all.
Assuming the Telnet server is listening on its default port of 23, we would do the following to connect with telnet.
1. Launch telnet and log in to the system.
2. Run netstat to see what connection was made. You should see something like the line below: mirage is the client, using port 1163 that its operating system chose for this connection, and EMACHINE is the Telnet server on port 23.
TCP mirage:1163 EMACHINE:23 ESTABLISHED
A. Will telnet on Laptop 1 be able to connect to Telnet Server 1 in this configuration?
B. Will telnet on Laptop 2 be able to connect to Telnet Server 2 in this configuration?
C. Will the web browser on Laptop 2 be able to look at web pages on Web Server 2 (assuming that Web Server 2 has been configured to use the default HTTP port)?
D. Will the web browser on Laptop 1 be able to look at web pages on Web Server 1 (assuming that Web Server 1 has been configured to use the default HTTP port)?
E. What needs to be configured on the firewall in order for telnet and web surfing to work in both directions?
Answers are at the bottom of the page.
Let's take a look at a simple telnet connection.
1. The telnet client connects to port 23 on the Telnet server.
2. The client's operating system assigns a source port for this connection, here 2324. When you type commands and send them to the Telnet server, any responses come back to you on port 2324, which is how the server keeps your connection apart from every other client's.
3. The connection from the Telnet client is made to a socket consisting of the Telnet server's IP address and port number (23), i.e. 10.1.1.1:23.
4. What would happen if the Telnet server were reconfigured to listen on port 65? What would it look like?
5. The Telnet client on the PC would have to be told to create its "socket" using the IP address of the Telnet server and the new port number (65), i.e. 10.1.1.1:65. A client still aiming at 10.1.1.1:23 would find nothing listening there and its connection would be refused.
How do hackers (crackers) leverage this knowledge of ports?
There are many port scanning tools; SuperScan is one of them.
Here we have a screenshot of SuperScan.
The machine scanned in this example is 192.168.1.254. From the results of the scan of 192.168.1.254 we can see that the following ports are open:
Judging by the number of open ports, this machine is running many, many services. Running SuperScan against 192.168.1.254 shows exactly which services are answering requests. So what information does this reveal? Let's try using telnet to connect to port 23.
This telnet session reveals that 192.168.1.254 is a Sun server running SunOS 5.8 (Solaris 8): the Telnet daemon announces the operating system version in its login banner before it even asks for a username.
The hacker (cracker) can then very easily go to http://www.cert.org/ and look up "SunOS 5.8" or "uucpd" to see what vulnerabilities have already been discovered and reported. If the admin of 192.168.1.254 doesn't keep up with the patches, this machine is fair game for the cracker. Hiding or rewriting the banner only removes the hint, not the vulnerability; patching is what actually closes the door.
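To put the telnet walkthrough and the SuperScan section into working code, here is an added example of my own; it is not code from the original article, from SuperScan, or from any Sun system. It stands up two loopback listeners in place of the Telnet server and of 192.168.1.254, letting the operating system pick their ports because binding the real port 23 needs administrator rights. connect_and_report shows the client's ephemeral port beside the server's listening port, as the netstat line did, and what the client sees when the server has "moved" to a port it doesn't know about. connect_scan and grab_banner do by program what SuperScan and the manual telnet to port 23 did. The "SunOS 5.8" login banner is constructed for the demo. Scan only hosts you own or are authorised to test.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Added example, not code from the original article or from SuperScan. Loopback
# listeners stand in for the Telnet server and for the scanned host; the OS
# picks their ports (binding port 23 needs administrator rights). The
# "SunOS 5.8" login banner is constructed for the demo.

HOST = "127.0.0.1"


def start_fake_service(banner=b""):
    """Listen on an OS-chosen loopback port; send `banner` to each client, then
    hang up. Returns (listening_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                # listening socket was closed
                return
            with conn:
                try:
                    if banner:
                        conn.sendall(banner)
                except OSError:            # client hung up first (a scanner does)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Bind and release an unused port so the demo has a known-closed port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def connect_and_report(port, timeout=1.0):
    """Connect the way a telnet client does and report both ends: our end is
    IP + an ephemeral port the OS assigns (the 1163 or 2324 in the article),
    the server end is IP + its listening port. If nothing listens on `port`
    (the server moved to 65, say) the connect is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.settimeout(timeout)
        try:
            c.connect((HOST, port))
        except OSError as e:               # ConnectionRefusedError on loopback
            return {"error": type(e).__name__, "server": f"{HOST}:{port}"}
        lip, lport = c.getsockname()       # client side, chosen by the OS
        rip, rport = c.getpeername()       # server side, the service port
        return {"client": f"{lip}:{lport}", "server": f"{rip}:{rport}"}


def connect_scan(ports, timeout=0.5):
    """TCP connect() scan, as SuperScan does it: completed handshake -> open,
    RST -> closed, no answer before the timeout -> filtered (firewall drop)."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((HOST, port))
                return port, "open"
            except ConnectionRefusedError:
                return port, "closed"
            except OSError:                # socket.timeout and friends
                return port, "filtered"
    with ThreadPoolExecutor(max_workers=32) as pool:
        return dict(pool.map(probe, ports))


def grab_banner(port, timeout=1.0, nbytes=256):
    """Read what the service volunteers on connect (what the article did by
    hand with telnet to port 23). Returns '' if it stays quiet or closes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((HOST, port))
        try:
            return s.recv(nbytes).decode("ascii", errors="replace").strip()
        except socket.timeout:
            return ""


if __name__ == "__main__":
    telnet, tport = start_fake_service(b"SunOS 5.8\r\n\r\nlogin: ")  # constructed
    quiet, qport = start_fake_service()
    closed = free_port()
    print(connect_and_report(tport))       # ephemeral client port, server = tport
    print(connect_and_report(closed))      # server "moved": nobody listens here
    for port, state in sorted(connect_scan([tport, qport, closed]).items()):
        extra = f"  banner={grab_banner(port)!r}" if state == "open" else ""
        print(f"{port:5d}/tcp {state:8s}{extra}")
    telnet.close(); quiet.close()
```

Run it directly to see the three states side by side. Two points worth noticing: the banner is readable before any authentication, which is exactly why it is the first thing an attacker reads; and a connect() scan completes the handshake on every open port, so it shows up in the target's service logs as a burst of connections that open and close immediately, which is something a defender can alert on.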
So you see, TCP/IP ports are an integral part of communications and security on the Internet.
Feel free to download a complete list of TCP/IP ports.
Comments? Questions? Rants? Raves? Please send to the number6 at ortizonline dot com
Answers: A. No. B. Yes. C. No. D. Yes. E. Open ports 23 and 80 on the firewall in both directions.