Casing the Joint

    May 29, 2002

First of all, let’s look at ports and what they are. When two machines on a TCP/IP network communicate with each other via a service (such as NetBIOS, HTTP or FTP), each machine needs to know not only the IP address but also the port number that corresponds to the service being used. For instance, when someone is “surfing the web”, the service they are using is HTTP, which uses port number 80 by default.

Most port numbers can be changed so that vulnerable services can be disguised by using a non-standard port number. For instance, if you knew that certain software exposed a vulnerability in a service, you could try to change the port number in order to circumvent that weakness. However, you would need to be sure all machines on the network are configured as such in order to continue using the service.

Unfortunately, a hacker will likely have a port scanner and will be able to see which services are being run on which ports even if you change the port number. In other words, simply changing a port number will not hide the susceptible service. Additionally, you may create connectivity problems by using these non-standard ports. In general, it is considered to be poor practice to change default ports unless you have a good reason to do so. A better solution would be to determine which services are necessary to keep your network up and running and then uninstall all services that you are not using and close all ports associated with these unused services.

Let’s suppose you are setting up a web server on a Windows NT/2000 Server based machine. By default, Windows will install NetBEUI (NetBIOS Extended User Interface), which is a non-routable protocol and unnecessary for your web server to perform its duties. NetBIOS is also at risk for Denial of Service attacks, which may or may not hurt your data but will prevent your server from performing its job (i.e. web serving).

Another point to consider: some ports that show up in a port scan can identify the operating system of the machine that is being scanned. NetBIOS, which operates on ports 137-139, is a good example of this. Most Unix/Linux boxes don’t use NetBIOS (unless they are Samba servers, and you wouldn’t want that on an external web server), and are not going to be using ports 137-139. When a hacker sees these ports open, he has a good idea that the operating system being used is Windows, and thus knows which tools to use for his attack. In summary, if you do not use a particular service or protocol, uninstall it or, at minimum, block the port.

Once you have disabled all unused ports, you will need to take a closer look at the ports that you have left. IP filtering is required in these types of scenarios and is an option on all popular operating systems. Linux offers extensive filtering capabilities, as does its Unix counterpart, without the need for costly third party software solutions. You may be able to further lock down these open ports and services by restricting traffic to certain subnets. For example, if you must use FTP, do not allow anonymous FTP traffic unless you are fully aware of the security risks. I cannot imagine a situation when an anonymous user should ever have FTP write access on a machine. If someone is sharing files with you, helping you with your web site, or needs the ability to upload to your machine for any reason, give them an account on the server. It is too easy for someone to upload malicious software to your machine otherwise.
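The subnet restriction described above, modelled as an added example (not from the original article and not the syntax of any real firewall): a first-match rule list with a default deny, plus a check for rules that can never fire because an earlier rule already covers them. The `Rule` type, the policy and the addresses (documentation ranges) are assumptions.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto port source")

# Hypothetical policy for the web server discussed above: HTTP for everyone,
# FTP only from one trusted subnet (192.0.2.0/24 is a documentation range).
RULES = [
    Rule("allow", "tcp", 80, "0.0.0.0/0"),
    Rule("allow", "tcp", 21, "192.0.2.0/24"),
]
# Constructed mistake: the broad allow comes first, so the deny never matches.
BAD_ORDER = [
    Rule("allow", "tcp", 21, "0.0.0.0/0"),
    Rule("deny", "tcp", 21, "198.51.100.0/24"),
]
DEFAULT = "deny"  # anything not explicitly allowed is dropped

def decide(rules, proto, port, src):
    """Return (action, index of the matching rule or None), first match wins."""
    ip = ipaddress.ip_address(src)
    for i, r in enumerate(rules):
        if (r.proto, r.port) == (proto, port) and ip in ipaddress.ip_network(r.source):
            return r.action, i
    return DEFAULT, None

def shadowed(rules):
    """Indexes of rules fully covered by an earlier rule for the same service."""
    dead = []
    for i, r in enumerate(rules):
        net = ipaddress.ip_network(r.source)
        for earlier in rules[:i]:
            same_service = (earlier.proto, earlier.port) == (r.proto, r.port)
            if same_service and net.subnet_of(ipaddress.ip_network(earlier.source)):
                dead.append(i)
                break
    return dead

if __name__ == "__main__":
    for src in ("192.0.2.10", "203.0.113.5"):
        print("FTP from", src, "->", decide(RULES, "tcp", 21, src)[0])
    print("NetBIOS ->", decide(RULES, "udp", 137, "192.0.2.10")[0])
    print("rules that never match in BAD_ORDER:", shadowed(BAD_ORDER))
```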

Another thing to consider with ports is the complexity of the service that utilizes each port. In most cases the more complex the service, the more likely it is to be exploited. As an example, consider SMTP. This is a complex service that allows for many methods of exploitation from attached executables to scripts embedded in HTML email. Spammers will also use weakly protected SMTP ports to redirect their junk mail so that it cannot be traced back to them. We have all seen the effects of Trojans, viruses, and other types of attacks propagated by email. These attacks can spread around the internet very quickly and in some cases can even use so many resources that the entire internet can be affected.

In contrast, take a look at port 7, which by default is echo. The echo service is a very simple service that echoes whatever has been sent to it. Although it is not nearly as susceptible to attack, it can be used in a Denial of Service attack against another server. This is accomplished by forging the header information on a TCP packet so that it appears to have come from somewhere that it did not. When packets like this are sent to many servers, these servers will echo these packets back to where it appears as though they had originated, flooding the victim’s server with so many packets that connectivity to that server is disrupted. This is a popular attack for IRC based chat room servers. These types of attacks are much less of a problem than something like the I Love You virus, which utilizes the complex capabilities of email.

Following is a table of some of the most common port numbers and their related services:

Port#         UDP/TCP    Description

7             UDP        Echo
9             UDP/TCP    Discard
13            UDP        Daytime
17            UDP        QOTD (Quote of the Day)
19            UDP/TCP    Chargen (Character Generator)
20/21         TCP        FTP
23            TCP        Telnet
67/68         UDP        BootP/DHCP
70            TCP        Gopher
79            TCP        Finger
110           TCP        POP3
111           UDP        RPC(sun)
137/138/139   TCP        NetBIOS
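One way to apply the table when auditing your own server, as an added example that is not part of the original article: it parses the output of `ss -tuln` (the sample below is constructed, not captured from a real host) and lists every listener that is not on your list of required services, naming it from the table. The required set (HTTP only) is an assumption matching the web server scenario above.

```python
import ipaddress

# Listening services from the table above, keyed by port number.
LEGACY = {7: "Echo", 9: "Discard", 13: "Daytime", 17: "QOTD", 19: "Chargen",
          21: "FTP", 23: "Telnet", 70: "Gopher", 79: "Finger", 110: "POP3",
          111: "RPC(sun)", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS"}

# Constructed sample of `ss -tuln` output.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:137        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:7          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:139        0.0.0.0:*
tcp   LISTEN 0      32     [::]:21            [::]:*
"""

def parse_listeners(text):
    """Return (proto, address, port) for each socket line in the output."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            found.append((fields[0], addr.strip("[]"), int(port)))
    return found

def audit(text, required):
    """Split non-required listeners into network-exposed and loopback-only."""
    exposed, local_only = [], []
    for proto, addr, port in parse_listeners(text):
        if (proto, port) in required:
            continue
        name = LEGACY.get(port, "not in table")
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False  # "*" or a scoped address: treat as exposed
        (local_only if loopback else exposed).append((proto, port, name))
    return sorted(exposed, key=lambda e: e[1]), local_only

if __name__ == "__main__":
    exposed, local_only = audit(SAMPLE, required={("tcp", 80)})
    for proto, port, name in exposed:
        print(f"uninstall or block: {port}/{proto} ({name})")
```

On a live Linux host, pass the real command output to `audit()` in place of `SAMPLE`; listeners bound only to 127.0.0.1 are reported separately because they are not reachable from the network.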

If you are really serious about learning about ports and would like to read some more, be sure to check out Richard Akerman’s page on TCP/IP ports.

To read about the most common ports associated with trojans, check here.

In order to determine the vulnerabilities in your network, you will need at least one port scanner. I recommend nmap. It is available for most popular operating systems (although some operating systems will have less functionality than others). It runs incredibly well on Linux and is thoroughly configurable. It is also free. This is a must-have tool for testing for vulnerabilities and proper intrusion detection on your network. The guys over at (the authors of nmap) have compiled one of the best network security software lists that I have seen. Check them out here. For you Windows administrators, some of the best free network tools that I have seen can be found at Foundstone. Check them out here.

I do not condone the use of these types of tools for anything illegal. Please, if you are not in charge of your network, get permission to use these types of tools before you use them. You can get in trouble for using these tools; just get permission.

Jay Fougere is the IT manager for the iEntry network. He also writes occasional articles. If you have any IT questions, please direct them to