"Ports to Watch" by Laura Chappell [Released 7/12/00]
So you've set up your analyzer to gather
a gazillion packets and give you some clue about which applications
are running on your network... uh... ok. What next?
The following is a list of port numbers you should watch carefully. They are often associated with lax security and with security breaches.
Identify the systems that are using these ports. If the application behind the port is a trusted, well-behaved application that should be loaded on that system, breathe a sigh of relief. If, however, the application is unnecessary or poorly behaved, dump it!
For more information, take the "Introduction to Cyber Crime" course.
- 7 echo
- 19 chargen
- 20 FTP data
- 21 FTP control (command channel)
- 22 ssh
- 23 telnet
- 25 SMTP
- 37 time
- 53 domain (DNS)
- 110 POP3
- 111 SUNRPC (portmapper)
- 666 hack favorite (several backdoors default to it)
- 999 WinSatan
- 27444 Trinoo (UDP, master to daemon)
- 27665 Trinoo (TCP, attacker to master)
- 31335 Trinoo (UDP, daemon to master)
- 31337 Back Orifice (UDP)
Don't forget to check for any packets that are illogical in their structure. For example, packets sent to the NetBIOS-SSN port (139) with the Urgent (URG) flag set in the TCP header just don't make sense in normal traffic. Such a packet may cause an unpatched, older version of Windows to belly-up and die; this type of attack is called WinNuke or OOBNuke (out-of-band nuke).
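Below is an added example, not code from the article or from the Protocol Analysis Institute, that runs the two checks described above (the port watch list, and the URG-to-139 WinNuke pattern) over a constructed, simplified one-packet-per-line capture summary. The summary line format, the host addresses and the `expected` allowlist of services you have already vetted are assumptions made for the illustration.

```python
"""Port-watch triage over a packet summary.

Added example for this article, not code from the original page. The summary
format below is a constructed, simplified one-packet-per-line capture summary:
'<proto> <src>:<sport> > <dst>:<dport> [tcp-flags]'."""
from dataclasses import dataclass

# The article's watch list: destination port -> what usually lives there.
WATCH_PORTS = {
    7: "echo", 19: "chargen", 20: "FTP data", 21: "FTP control", 22: "ssh",
    23: "telnet", 25: "SMTP", 37: "time", 53: "domain (DNS)", 110: "POP3",
    111: "SUNRPC", 666: "hack favorite", 999: "WinSatan",
    27444: "Trinoo", 27665: "Trinoo", 31335: "Trinoo", 31337: "Back Orifice",
}
NETBIOS_SSN = 139

# Constructed sample traffic (not a real capture); addresses are made up.
SAMPLE_LINES = [
    "TCP 10.1.1.5:1034 > 10.1.1.20:23 [S]",
    "UDP 10.1.1.7:1053 > 10.1.1.1:53",
    "TCP 10.1.1.5:1035 > 10.1.1.20:139 [PU]",
    "UDP 10.1.1.9:1999 > 10.1.1.20:31337",
    "UDP 192.168.0.2:1025 > 10.1.1.30:27444",
    "TCP 10.1.1.5:1036 > 10.1.1.20:139 [PA]",
    "TCP 10.1.1.5:1037 > 10.1.1.20:80 [S]",
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters (S, A, P, U, ...); empty for UDP


def parse_summary(line):
    """Parse one summary line into a Packet."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != ">":
        raise ValueError(f"unrecognised summary line: {line!r}")
    src, sport = parts[1].rsplit(":", 1)
    dst, dport = parts[3].rsplit(":", 1)
    flags = parts[4].strip("[]") if len(parts) > 4 else ""
    return Packet(parts[0].upper(), src, int(sport), dst, int(dport), flags)


def is_winnuke(pkt):
    """WinNuke/OOBNuke signature: TCP to NetBIOS-SSN (139) with URG set."""
    return pkt.proto == "TCP" and pkt.dport == NETBIOS_SSN and "U" in pkt.flags


def triage(lines, expected=frozenset()):
    """Run the article's two checks over summary lines.

    expected: {(host, port)} pairs already vetted as trusted, well-behaved
    services; they are left out of the watch-list hits.
    Returns {'watch_hits': sorted [(host, port, description)],
             'winnuke': [(src, dst)]}.
    """
    hits, nukes = set(), []
    for pkt in map(parse_summary, lines):
        if pkt.dport in WATCH_PORTS and (pkt.dst, pkt.dport) not in expected:
            hits.add((pkt.dst, pkt.dport, WATCH_PORTS[pkt.dport]))
        if is_winnuke(pkt):
            nukes.append((pkt.src, pkt.dst))
    return {"watch_hits": sorted(hits), "winnuke": nukes}


if __name__ == "__main__":
    # Assume 10.1.1.1 is the site's DNS server, so port 53 there is expected.
    report = triage(SAMPLE_LINES, expected={("10.1.1.1", 53)})
    for host, port, what in report["watch_hits"]:
        print(f"check {host}: port {port} ({what})")
    for src, dst in report["winnuke"]:
        print(f"WinNuke-style packet from {src} to {dst}")
```

In practice you would feed this your analyzer's exported summary rather than the constructed lines, and a hit only tells you that something was sent to the port: confirm the host actually answered on it (a lone SYN with no reply is a scan, not a running service) before deciding whether the application belongs there.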
There's more on this stuff in the Cyber Crime course: take the course, take the test, get your course certificate.
Laura Chappell
Sr. Protocol Analyst
Copyright 2000 Protocol Analysis Institute, L.L.C.