Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are taking another learning approach with regards to knowledge for new members to the information technology or cybersecurity industries. We’re going to define ports and protocols! Ooooh, SO exciting, isn’t it? All joking aside, port and protocol knowledge is a very important part of being in these industries. These help understand how different aspects of the technologies communicate, thereby providing useful knowledge on the processes and ways to troubleshoot if something is amiss.
So, let’s answer a couple of questions right out of the gate. What, exactly, is a port? A port is a specific virtual location where network connections start and end. Think of them as roads throughout cyberspace that only specific traffic is permitted to travel on. There are 65536 available ports of travel, all numbered accordingly.
Wonderful, so then, what is a protocol? A protocol (in the world of IT and computing, not to be confused with medical protocols) is an established set of rules that determine how data is transmitted between different devices in the same network. So, the port is the road, the protocol is the rules of that road (hence the specific traffic permitted statement made earlier).
Ok, I think we now have a general grasp of the port and protocol concepts. So, let’s dive in to different ports and protocols that an information technology or cybersecurity analyst would work with on a routine (or sometimes routine) basis. Some of this information may seem like a slight repeat from last weeks’ TomCast on acronyms, but now you will hear what or where those acronyms apply with regards to network traffic or paths of travel:
Port 21, reserved for FTP (or, File Transfer Protocol) traffic.
Port 22, reserved for SSH (or, Secure Shell) traffic.
Port 23, reserved for Telnet traffic.
Port 25 and 587, reserved for SMTP (or, Simple Mail Transfer Protocol) traffic. This is used frequently with email.
Port 53, reserved for DNS (Domain Name System) traffic.
Ports 67 and 68, reserved for DHCP (Dynamic Host Configuration Protocol) and BOOTP (Bootstrap Protocol traffic)
Port 80, reserved for HTTP (Hyper Text Transfer Protocol) traffic, basically unencrypted internet/web traffic.
Ports 88 and 464, reserved for Kerberos traffic
Port 110, reserved for POP3 (Post Office Protocol) traffic, another common email protocol.
Port 123, reserved for NTP (Network Time Protocol)
Ports 135 and 1025, reserved for Microsoft RPC (Remote Procedure Call) traffic.
Port 389, reserved for LDAP (Lightweight Directory Access Protocol)
Port 443, reserved for HTTPS (Hyper Text Transfer Protocol Secure) traffic, basically secure internet/web traffic.
Port 465, reserved for Secure SMTP traffic
Port 514, reserved for Syslog traffic
Port 636, reserved for Secure LDAP traffic
Now, this is a VERY small sampling of some of the most common ports and protocols you may see as an analyst in the information technology or cybersecurity career fields. Also something to note that is useful to understand is that malicious software, or malware, has a tendency to use their own ports as well. Here are some past-known malware examples and the ports they used:
Port 1080 and 3127 – MyDoom malware
Port 2745 – Bagle.H malware
Port 4444 – Blaster malware
Port 5554 – Sasser malware
Port 8866 – Bagle.B malware
Port 9898 – Dabber malware
Port 9988 – Spybot malware
Port 12345 – NetBus malware
Port 27374 – Sub7 malware
Port 31337 – BackOrifice malware
So, as you can surmise, valid software and applications have specific ports and protocols, but malicious software can also have specific ports, all of which can be handy when working towards a root cause analysis or when performing a threat hunt, for example.
We here at GuardSight thank you for taking the time to listen to this TomCast. If you are listening to this on LinkedIn, please share with others in your contact list and leave a comment on ways we can improve. If you are hearing this on our website and are interested in more information about GuardSight, head on over to the Contact Us page and connect with us. We’d love to hear from you! Thanks!