Anti-Hacker Tool Kit, Third Edition
Overview
The majority of TCP/IP services rely on a client/server method for establishing connections. For a packet to reach its destination, it must have a destination IP address (a single host on a network) and a destination port (a single “socket” on a host). TCP/IP allows 16-bit port numbers, so socket connections are assigned port numbers from a pool that runs from 0 through 65535. Most servers try to use well-known ports (port numbers 0 through 1023) to make it easier for a client to know how to connect to a service. A web server, for example, listens for HTTP communications on TCP port 80 by default or 443 if secured with SSL. An e-mail server listens for SMTP traffic on TCP port 25 by default.
Note: Many operating systems use only a small window of port numbers. Windows 2000, for example, uses ports 1024 through 5000 by default for dynamic port assignment. Linux uses the values defined in /proc/sys/net/ipv4/ip_local_port_range (1024–4999 by default).
Port numbers above 1023 (1024 through 49151) are referred to as registered or dynamic ports. These ports may have established service assignments (such as TCP port 26000 for Quake), but they are also used as an end point for client connections. The range from 49152 through 65535 contains the dynamic ports.
Note: The Internet Assigned Numbers Authority (IANA) assigns services to port numbers. In practice, only the well-known port range has avoided the problem of multiple services claiming a single port number.
When you enter a URL in your web browser, you are instructing the browser to connect to TCP port 80 at a particular IP address. When the web server receives a packet from your system, it knows the IP address and port number on which to return data. Whereas a web server always listens for HTTP requests on TCP port 80 by default, a web client originates its request from a random port above 1023. The web server never knows in advance to which port it is going to transmit data. The client port number remains the same for the entire session (such as a single GET /index.html request), but the number may change from one session to the next: for example, the first port combination might be 1066 from the client to 80 on the server, and the next request might be 1067 from the client to 80 on the server. (If you’re cramming for a CompSci exam, the technical term for the IP and port connection pair is Transmission Control Block.)
A Secure Shell server listens on TCP port 22 by default. Server Message Block Protocol (SMB), which handles most Windows networking, listens on TCP port 139 (as well as 445 on Windows 2000 and XP). Most Telnet servers listen on TCP port 23, SSH on 22, and FTP on TCP port 21. Network access controls, whether set by a router or a firewall, determine what ports are open or closed between two networks. Hosts on the Internet might be able to access port 80 on a company’s web server, but a network security device is most likely going to block access to port 139. A significant portion of network security relies on determining which hosts are allowed to access which ports.
Tip: Use the netstat -na command to view current IP connections and the port numbers each one uses.
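The tip above as an added example (not code from the book): a small Python parser that reads netstat -na output, lists the listening ports with the range each falls in, and pulls out client sessions such as the 1066 and 1067 to port 80 pair described earlier. The sample output and its addresses are constructed, and the function names are this example's own.

```python
# Added example: summarise `netstat -na` output; SAMPLE is constructed, not captured.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:26000           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:1066         198.51.100.7:80         ESTABLISHED
tcp        0      0 192.0.2.10:1067         198.51.100.7:80         ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

def port_class(port):
    """Name the range a port falls in, using the boundaries given in the text."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a 16-bit port number: {port}")
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic"

def parse_netstat(text):
    """Yield (proto, local_port, remote_port, state); a '*' port becomes None."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith(("tcp", "udp")):
            continue  # column headers, banners, UNIX-domain sockets
        addrs = [f for f in fields[1:] if ":" in f][:2]
        if len(addrs) < 2:
            continue
        ports = [int(p) if p.isdigit() else None
                 for p in (a.rpartition(":")[2] for a in addrs)]
        state = "" if ":" in fields[-1] else fields[-1].upper()
        if ports[0] is not None:
            yield fields[0].lower(), ports[0], ports[1], state

def listeners(text):
    """Ports accepting traffic: TCP in LISTEN/LISTENING, UDP with no fixed peer."""
    return sorted({(proto, lport, port_class(lport))
                   for proto, lport, rport, state in parse_netstat(text)
                   if state.startswith("LISTEN")
                   or (proto.startswith("udp") and rport is None)})

def client_sessions(text):
    """(local, remote) port pairs for established connections from a port above 1023."""
    return [(lport, rport) for _, lport, rport, state in parse_netstat(text)
            if state == "ESTABLISHED" and lport > 1023 and rport is not None]

if __name__ == "__main__":
    print(listeners(SAMPLE), client_sessions(SAMPLE), sep="\n")
```

Comparing the listener list against the ports the network access controls are supposed to expose shows quickly whether something like port 139 is reachable where it should not be.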