Network Addressing
Network and internet Transmission Control Protocol/Internet Protocol (TCP/IP) connections are made from one IP address to another. For convenience, we may use a website name like cloudsavvyit.com, but it’s the underlying IP address that is used to route your connection to the appropriate webserver. The same thing works in reverse, too. The network traffic that arrives at your computer has been directed towards its IP address.
Your computer will have lots of programs and services running inside it. You might have an email application and a browser open on your desktop. Perhaps you use a chat client like Slack or Microsoft Teams. If you’re administering remote machines you might be using a secure shell (SSH) connection. If you’re working from home and need to connect to your office you might use a Remote Desktop Protocol (RDP) connection or a Virtual Private Network (VPN) connection.
The IP address only identifies the computer. It cannot be any more granular than that. But the real end-point for a network connection is an application or service running on that computer. So how does your computer know which application to send each network packet to? The answer is by using ports.
When a courier delivers a parcel to a hotel, the street address identifies the building. The room number identifies the room, and the hotel guest. The street address is like the IP address, and the room number is like the port address. Applications and services use specific, numbered ports. So the actual destination for a network packet is to a port at an IP address. That is enough to identify the application or service on a particular computer that the packet is destined for.
Standard Port Numbering
Some ports are dedicated to specific types of traffic. These are called the well-known ports. Other ports are registered by applications and reserved for their use. These are the registered ports. There’s a third set of ports that are available for any application to use. They are requested, allocated, used, and freed up on an ad hoc basis. These are called ephemeral ports.
A mixture of ports will be used in a connection. The network connection needs a port at the local end of the connection—in the computer—to connect to the remote end of the connection—a webserver, for example. If the webserver is using Hypertext Transfer Protocol Secure (HTTPS) the remote port will be port 443. Your computer will use any of the free ephemeral ports to make a connection to port 443 at the IP address of the webserver.
There are 65535 TCP/IP ports (and the same number of User Datagram Protocol (UDP) ports).
0 – 1023: Well-known ports. These are allocated to services by the Internet Assigned Numbers Authority (IANA). For example, SSH uses port 22 by default, webservers listen for secure connections on port 443, and Simple Mail Transfer Protocol (SMTP) traffic uses port 25.
1024 – 49151: Registered ports. Organizations can make requests to the IANA for a port that will be registered to them and assigned for use with an application. Although these registered ports are called semi-reserved, they should be considered reserved. They’re called semi-reserved because it is possible that the registration of a port is no longer required and the port is freed up for reuse. However—even though it is currently unregistered—the port is still in the list of registered ports. It is held in readiness to be registered by another organization. An example of a registered port is port 3389. This is the port associated with RDP connections.
49152 – 65535: Ephemeral ports. These are used on an ad hoc basis by client programs. You are free to use these in any application you write. Typically they are used as the local port inside the computer when it is transmitting to a well-known or registered port on another device in order to request and establish a connection.
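To make the three ranges and the ephemeral-port mechanism concrete, here is an added example (it is not code from the article). It classifies a port number into the IANA ranges listed above, then opens a loopback listener on a port the operating system chooses (bind to port 0), connects to it, and shows that the client's local port is the one the server sees as the peer port. One caveat a practitioner should know: Linux hands out ephemeral ports from 32768–60999 by default (the `net.ipv4.ip_local_port_range` sysctl), so on Linux the client port may fall inside the IANA "registered" range even though it is being used ephemerally.

```python
import socket


def port_class(port: int) -> str:
    """Classify a TCP/UDP port number into the three IANA ranges."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral"


def demo_ephemeral_port() -> dict:
    """Open a listener on a loopback port chosen by the OS, connect to it,
    and report the ports in play at both ends of the connection."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))        # port 0 asks the OS for a free ephemeral port
    server.listen(1)
    listen_port = server.getsockname()[1]

    # The client does not pick a local port either; the OS allocates one
    # from its ephemeral range when connect() is called.
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", listen_port))
    conn, peer = server.accept()
    client_local_port = client.getsockname()[1]

    result = {
        "listen_port": listen_port,
        "client_local_port": client_local_port,
        "peer_port_seen_by_server": peer[1],   # same number as the client's local port
        "client_port_class": port_class(client_local_port),
    }
    conn.close()
    client.close()
    server.close()
    return result


if __name__ == "__main__":
    for p in (22, 443, 3389, 60000):
        print(p, port_class(p))
    print(demo_ephemeral_port())
```

Run it a few times and the listener and client ports change each time while the well-known and registered classifications stay fixed; that is the difference between a port a service is known by and a port a client borrows for one connection.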
No Port is Inherently Safe
Any given port is no more secure or at risk than any other port. A port is a port. It is the use the port is put to, and how securely that use is managed, that dictates whether a port is secure.
The protocol used to communicate through a port, and the service or application that consumes or generates the traffic passing through it, must be current implementations that are still within their manufacturer’s support period. They must receive security and bug fix updates, and these should be applied in a timely fashion.
Here are some common ports and how they can be abused.
Port 21, File Transfer Protocol
An FTP server exposed on an insecure port 21 is a huge security flaw. Many FTP servers have vulnerabilities that can allow anonymous authentication, lateral movement within the network, access to privilege escalation techniques, and—because many FTP servers can be controlled via scripts—a means to deploy cross-site scripting.
Malware programs such as Dark FTP, Ramen, and WinCrash have made use of insecure FTP ports and services.
Port 22, Secure Shell
Secure Shell (SSH) accounts configured with short, non-unique, re-used, or predictable passwords are insecure and liable to easy compromise by password dictionary attacks. Many vulnerabilities in past implementations of SSH services and daemons have been discovered, and are still being discovered. Patching is vital to maintain security with SSH.
Port 23, Telnet
Telnet is a legacy service and one which should be retired. There is no justification for using this ancient and insecure means of text-based communication. All the information it sends and receives through port 23 is sent in plain text. There is no encryption at all.
Threat actors can eavesdrop on any Telnet communication and can easily pick out authentication credentials. They can perform man-in-the-middle attacks by injecting specially-crafted malicious packets into the unencrypted text streams.
Even an unauthenticated, remote attacker can exploit a buffer-overflow vulnerability in the Telnet daemon or service and, by crafting malicious packets and injecting them into the text stream, execute processes on the remote server. This is a technique known as Remote Code Execution (RCE), also called arbitrary code execution.
Port 80, Hypertext Transfer Protocol
Port 80 is used for unsecured Hypertext Transfer Protocol (HTTP) traffic. HTTPS has all but replaced HTTP, but some HTTP still exists out on the web. Other ports commonly used with HTTP are ports 8080, 8088, and 8888. These tend to be used on older HTTP servers and web proxies.
Unsecured web traffic and the associated ports are susceptible to cross-site scripting and forgeries, buffer-overflow attacks, and SQL injection attacks.
Port 1080, SOCKS Proxies
SOCKS is a protocol used by SOCKS proxies to route and forward network packets on TCP connections to IP addresses. At one time, port 1080 was a port of choice for malware such as Mydoom, and for many worms and denial-of-service attacks.
Port 4444, Transmission Control Protocol
Some rootkit, backdoor, and Trojan horse software opens and uses port 4444. It uses this port to eavesdrop on traffic and communications, for its own communications, and to exfiltrate data from the compromised computer. It is also used to download new malicious payloads. Malware such as the Blaster worm and its variants used port 4444 to establish backdoors.
Ports 6660 – 6669, Internet Relay Chat
Internet Relay Chat (IRC) started in 1988 in Finland, and it is still going. You’d need to have a cast-iron business case to allow IRC traffic into your organization these days.
There have been countless IRC vulnerabilities discovered and exploited over the 20-something years it has been in use. The UnrealIRCD daemon had a flaw in its 2009 release that made remote code execution a trivial matter.
Port 161, Simple Network Management Protocol
Some ports and protocols can give attackers a lot of information about your infrastructure. UDP port 161 is attractive to threat actors because it can be used to poll information from servers—both about themselves and about the hardware and users that sit behind them.
Port 161 is used by the Simple Network Management Protocol (SNMP), which lets a threat actor request information such as infrastructure hardware, user names, network share names, and other sensitive information that is, to the threat actor, actionable intelligence.
Port 53, Domain Name Service
Threat actors need to consider the exfiltration route their malware will use to transmit data and files from within your organization to their own servers.
Port 53 has been used as the exfiltration port of choice because traffic through the Domain Name Service is rarely monitored. Threat actors loosely disguise the stolen data as DNS traffic and send it to their own fake DNS server. The phony DNS server accepts the traffic and restores the data to its original format.
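The monitoring gap described here is easy to close at the log level. The following is an added example (not the article's code) of the kind of check a defender can run over DNS query logs: it parses BIND-style query-log lines, scores each subdomain label for length and Shannon entropy (encoded payloads look like long, random strings rather than hostnames), and summarises per parent domain how many queries and how many flagged names each client produced. The log lines, the domain names, the thresholds, and the "last two labels" rule for the parent domain are all constructed assumptions for the example; a production tool would use the public suffix list and tune the thresholds to its own baseline.

```python
import math
import re
from collections import Counter

# Constructed BIND-style query-log lines (not real traffic). The example.com
# lookups are ordinary; the long hex labels under attacker-example.test mimic
# data smuggled out in query names.
SAMPLE_LOG = """\
client 10.0.0.12#51234: query: www.example.com IN A
client 10.0.0.12#51234: query: mail.example.com IN MX
client 10.0.0.12#51235: query: cdn.example.com IN AAAA
client 10.0.0.77#40001: query: 9f3c1a7e5b2d8c4f0e6a1b7d3c9e5f2a.attacker-example.test IN TXT
client 10.0.0.77#40002: query: 4d2e8b7c1f9a3e6d5c0b2a8f7e1d4c3b.attacker-example.test IN TXT
client 10.0.0.77#40003: query: 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.attacker-example.test IN TXT
client 10.0.0.12#51236: query: www.example.com IN A
"""

LINE_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")

MAX_LABEL_LEN = 20       # assumed threshold; DNS allows 63 but hostnames rarely get close
MIN_ENTROPY_LEN = 12     # only judge entropy on labels long enough to be meaningful
ENTROPY_THRESHOLD = 3.0  # bits per character; readable words sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_reasons(name: str) -> list:
    """Explain why a query name looks like an encoded payload rather than a hostname."""
    reasons = []
    for label in name.rstrip(".").split(".")[:-2]:   # leave the parent domain alone
        if len(label) > MAX_LABEL_LEN:
            reasons.append(f"long label ({len(label)} chars)")
        if len(label) >= MIN_ENTROPY_LEN and shannon_entropy(label) > ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy label ({shannon_entropy(label):.2f} bits/char)")
    return reasons


def parent_domain(name: str) -> str:
    # Simplification: last two labels. A real tool would consult the public suffix list.
    return ".".join(name.rstrip(".").split(".")[-2:])


def analyze(log_text: str) -> dict:
    """Return per-parent-domain counts plus the individual flagged names, so an
    analyst sees both the volume of traffic to a domain and why names were flagged."""
    domains = {}
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, name, _qtype = m.groups()
        dom = domains.setdefault(parent_domain(name),
                                 {"queries": 0, "flagged": 0, "clients": set()})
        dom["queries"] += 1
        dom["clients"].add(client)
        reasons = label_reasons(name)
        if reasons:
            dom["flagged"] += 1
            flagged[name] = reasons
    return {"domains": domains, "flagged": flagged}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for dom, stats in report["domains"].items():
        print(f"{dom}: {stats['queries']} queries, {stats['flagged']} flagged, "
              f"clients={sorted(stats['clients'])}")
    for name, why in report["flagged"].items():
        print("  ", name, "->", "; ".join(why))
```

Entropy alone is a weak signal (CDN hostnames and cache-busting labels can score high), which is why the report keeps the per-domain volume and the set of clients alongside it: a single client sending many flagged TXT queries to one external domain is the pattern worth a deeper look.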
Memorable Numbers
Some malware authors pick easy-to-remember sequences of numbers, or repeated numbers, to use as ports. Ports 234, 6789, 1111, 666, and 8888 have all been used for this. Detecting any of these odd-looking port numbers in use on your network should trigger a deeper investigation.
Port 31337, which spells elite in leet speak, is another common port number for malware to use. It has been used by at least 30 malware variants including Back Orifice and Bindshell.
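Putting the article's watch list into practice, here is an added example (not the article's code) of the "investigate any oddities" check recommended later on. It parses socket listings in the shape of `ss -tan` output, flags listeners that are not on an allow-list, and flags any local or peer port that appears in the watch list assembled from the ports discussed on this page (21, 23, 1080, 4444, 31337, the memorable numbers, and the IRC range). The sample socket table, its documentation-range IP addresses, and the allow-list of 22 and 443 are constructed for the example.

```python
# Ports this article singles out, keyed to the reason a defender should look twice.
WATCHLIST = {
    21: "FTP: cleartext protocol, frequently targeted",
    23: "Telnet: cleartext protocol, should be retired",
    1080: "SOCKS proxy port historically used by Mydoom and worms",
    4444: "backdoor/Trojan port (Blaster and variants)",
    31337: "'elite' port used by Back Orifice, Bindshell and others",
    234: "memorable number favoured by malware authors",
    666: "memorable number favoured by malware authors",
    1111: "memorable number favoured by malware authors",
    6789: "memorable number favoured by malware authors",
    8888: "memorable number favoured by malware authors",
}
IRC_PORTS = range(6660, 6670)   # 6660-6669

# Constructed socket table in the shape of `ss -tan` output (not a real host;
# peer addresses are from the RFC 5737 documentation ranges).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    [::]:443             [::]:*
LISTEN 0      128    0.0.0.0:4444         0.0.0.0:*
ESTAB  0      0      10.0.0.5:49812       192.0.2.10:443
ESTAB  0      0      10.0.0.5:49813       198.51.100.7:31337
ESTAB  0      0      10.0.0.5:49820       203.0.113.9:6667
ESTAB  0      0      10.0.0.5:49821       203.0.113.9:8888
"""


def split_endpoint(endpoint: str):
    """'[::]:443' -> ('[::]', 443); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def port_reason(port):
    if port is None:
        return None
    if port in WATCHLIST:
        return WATCHLIST[port]
    if port in IRC_PORTS:
        return "IRC port range; needs a documented business case"
    return None


def review_sockets(ss_output: str, allowed_listeners=frozenset({22, 443})) -> list:
    """Return (state, local, peer, reasons) for every socket worth an analyst's time:
    listeners outside the allow-list and any socket touching a watch-listed port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":   # skip blanks and the header row
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        _, lport = split_endpoint(local)
        _, pport = split_endpoint(peer)
        reasons = []
        if state == "LISTEN" and lport not in allowed_listeners:
            reasons.append(f"unexpected listener on port {lport}")
        for p in (lport, pport):
            reason = port_reason(p)
            if reason:
                reasons.append(reason)
        if reasons:
            findings.append((state, local, peer, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for state, local, peer, why in review_sockets(SAMPLE_SS):
        print(f"{state:6} {local:22} {peer:22} {why}")
```

The allow-list is the important half: a watch list only catches ports someone has already written down, whereas "this host should only be listening on 22 and 443" catches the listener you have never heard of. Feed it real `ss -tan` output on a schedule and diff the findings against the previous run.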
How To Secure These Ports
All ports should be closed unless there is a documented, reviewed, and approved business case. Do the same for exposed services. Default passwords must be changed and replaced with robust, unique passwords. If possible, two-factor authentication should be used.
All services, protocols, firmware, and applications must still be within the manufacturers’ support life-cycles, and security and bug fix patches must be available for them.
Monitor the ports that are in use on your network and investigate any oddities or inexplicably open ports. Understand what your normal port usage looks like so that unusual behavior can be identified. Perform port scans and penetration tests.
Close port 23 and stop using Telnet. Seriously. Just stop.
SSH ports can be secured by using public-key authentication and two-factor authentication. Configuring your network to use a different port number for SSH traffic will help too.
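As an added example of checking a host against the SSH advice above (it is not the article's code and not an OpenSSH tool), the block below parses an `sshd_config` file and reports settings that work against key-based authentication, a second factor, and a non-default port. It relies on two facts about OpenSSH: the first occurrence of a keyword wins, and `PasswordAuthentication` defaults to `yes` while `PermitRootLogin` and `PubkeyAuthentication` default to `prohibit-password` and `yes`. The config text is a constructed sample; requiring a second factor with `AuthenticationMethods publickey,keyboard-interactive` assumes the keyboard-interactive step has been wired to an OTP or similar mechanism on the host, which this check does not verify.

```python
# Constructed sshd_config fragment with the defaults many installs ship with.
SAMPLE_SSHD_CONFIG = """\
# constructed example, not a real host's configuration
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keywords to values. sshd applies the first occurrence of a
    keyword, so later duplicates are ignored (Match blocks are not handled here)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)        # "Keyword value"; the "Keyword=value" form is not handled
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(settings: dict) -> list:
    """Return (keyword, current value, recommendation) for each weak setting."""
    findings = []
    pw = settings.get("passwordauthentication", "yes")            # OpenSSH default: yes
    if pw.lower() != "no":
        findings.append(("PasswordAuthentication", pw,
                         "set to 'no' once public keys are deployed"))
    root = settings.get("permitrootlogin", "prohibit-password")  # OpenSSH default
    if root.lower() == "yes":
        findings.append(("PermitRootLogin", root, "set to 'no' (or 'prohibit-password')"))
    pubkey = settings.get("pubkeyauthentication", "yes")         # OpenSSH default: yes
    if pubkey.lower() != "yes":
        findings.append(("PubkeyAuthentication", pubkey, "set to 'yes'"))
    if "authenticationmethods" not in settings:
        findings.append(("AuthenticationMethods", "(unset)",
                         "set to 'publickey,keyboard-interactive' to require a second factor"))
    if settings.get("port", "22") == "22":                       # OpenSSH default: 22
        findings.append(("Port", "22",
                         "move off the default port (cuts scanner noise; not a substitute for the above)"))
    return findings


if __name__ == "__main__":
    for keyword, current, advice in audit_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"{keyword:24} {current:18} -> {advice}")
    print("hardened sample:", audit_sshd(parse_sshd_config(HARDENED_SSHD_CONFIG)))
```

Run `sshd -T` on the host rather than reading the file by hand when you can: it prints the effective configuration after defaults and `Match` blocks are applied, and its output parses with the same function.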
If you must use IRC make sure it is behind a firewall and require IRC users to VPN into your network to connect to use it. Allow no outside traffic to directly hit your IRC.
Monitor and filter DNS traffic. Nothing should leave port 53 other than genuine DNS requests.
Adopt a defense-in-depth strategy, and make your defenses multi-layered. Use host-based and network-based firewalls. Consider an intrusion detection system (IDS) such as the free and open source Snort.
Disable any proxies that you didn’t set up or that you no longer need.
Some SNMP response strings contain plain-text default credentials. Disable this.
Remove unwanted HTTP and HTTPS response headers, and turn off the banners that get included by default in the responses from some networking hardware. These needlessly give away information that only benefits the threat actors.
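To show what "needlessly give away information" looks like on the wire, and how to stop it, here is an added example (not the article's code). It starts Python's standard-library HTTP server on a loopback port, fetches a page, and lists the headers that reveal product and version information: the default `BaseHTTPRequestHandler` sends a `Server: BaseHTTP/x.y Python/3.x` line on its own, and the constructed `X-Powered-By` header stands in for the framework banners seen on real servers. A hardened handler subclass then overrides `version_string()` so the `Server` value carries no product or version, and drops the extra header. The header list and the "contains a digit" heuristic for spotting version strings are assumptions of the example.

```python
import http.client
import http.server
import threading

# Response headers that commonly carry product or version banners (assumed list).
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator"}


def leaky_headers(headers) -> dict:
    """From a list of (name, value) pairs, return the banner headers whose value
    looks like it includes a version (heuristic: contains a digit)."""
    return {name: value for name, value in headers
            if name.lower() in BANNER_HEADERS and any(ch.isdigit() for ch in value)}


class DefaultHandler(http.server.BaseHTTPRequestHandler):
    """Behaves like an untouched server: library Server banner plus a framework header."""

    def do_GET(self):
        self.send_response(200)                     # also emits the default Server: header
        self.send_header("Content-Type", "text/plain")
        self.send_header("X-Powered-By", "ExampleFramework/1.2.3")   # constructed banner
        self.end_headers()
        self.wfile.write(b"hello\n")

    def log_message(self, *args):                   # keep the demo quiet
        pass


class HardenedHandler(DefaultHandler):
    """Same page, generic Server value, no framework banner."""

    def version_string(self):
        return "webserver"                          # no product name, no version

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello\n")


def fetch_headers(handler_cls) -> list:
    """Serve one request from handler_cls on a loopback port and return the response headers."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        headers = resp.getheaders()
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return headers


if __name__ == "__main__":
    print("default :", leaky_headers(fetch_headers(DefaultHandler)))
    print("hardened:", leaky_headers(fetch_headers(HardenedHandler)))
```

The same `leaky_headers()` check works on headers captured from any server (`curl -sI` output, for instance), which makes it a quick way to audit a fleet for banners that the reverse proxy or application server was supposed to strip.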