Appendix A. TCP, UDP Ports, and ICMP Message Types
I list useful TCP, UDP ports, and ICMP message types in this appendix. A comprehensive list of registered TCP and UDP services may be found at http://www.iana.org/assignments/port-numbers. The nmap-services list of ports provided with Nmap is also a good reference, particularly for backdoors and other unregistered services.
TCP Ports
TCP ports of interest from a remote security assessment perspective are listed in Table A-1. I have included references to chapters within this book, along with other details that I deem appropriate, including MITRE CVE references to known issues.
Port | Name | Notes |
1 | tcpmux | TCP port multiplexer, indicates the host is running IRIX |
11 | systat | System status service |
15 | netstat | Network status service |
21 | ftp | File Transfer Protocol (FTP) service; see Chapter 8 |
22 | ssh | Secure Shell (SSH); see Chapter 8 |
23 | telnet | Telnet service; see Chapter 8 |
25 | smtp | Simple Mail Transfer Protocol (SMTP); see Chapter 11 |
42 | wins | Microsoft WINS name service; see Chapter 5 |
43 | whois | WHOIS service; see Chapter 3 |
53 | domain | Domain Name Service (DNS); see Chapter 5 |
79 | finger | Finger service, used to report active users; see Chapter 5 |
80 | http | Hypertext Transfer Protocol (HTTP); see Chapter 6 |
88 | kerberos | Kerberos distributed authentication mechanism |
98 | linuxconf | Linuxconf service, remotely exploitable under older Linux distributions; see CVE-2000-0017 |
109 | pop2 | Post Office Protocol 2 (POP2), rarely used |
110 | pop3 | Post Office Protocol 3 (POP3); see Chapter 11 |
111 | sunrpc | RPC portmapper (also known as rpcbind); see Chapter 13 |
113 | auth | Authentication service (also known as identd); see Chapter 5 |
119 | nntp | Network News Transfer Protocol (NNTP) |
135 | loc-srv | Microsoft RPC server service; see Chapter 10 |
139 | netbios-ssn | Microsoft NetBIOS session service; see Chapter 10 |
143 | imap | Internet Message Access Protocol (IMAP); see Chapter 11 |
179 | bgp | Border Gateway Protocol (BGP), found on routing devices |
264 | fw1-sremote | Check Point SecuRemote VPN service (FW-1 4.1 and later); see Chapter 12 |
389 | ldap | Lightweight Directory Access Protocol (LDAP); see Chapter 5 |
443 | https | SSL-wrapped HTTP web service; see Chapter 6 |
445 | cifs | Common Internet File System (CIFS); see Chapter 10 |
464 | kerberos | Kerberos distributed authentication mechanism |
465 | ssmtp | SSL-wrapped SMTP mail service; see Chapter 11 |
512 | exec | Remote execution service (in.rexecd); see Chapter 8 |
513 | login | Remote login service (in.rlogind); see Chapter 8 |
514 | shell | Remote shell service (in.rshd); see Chapter 8 |
515 | printer | Line Printer Daemon (LPD) service; commonly exploitable under Linux and Solaris |
540 | uucp | Unix-to-Unix copy service |
554 | rtsp | Real Time Streaming Protocol (RTSP) service, vulnerable to a serious remote exploit; see CVE-2003-0725 |
593 | http-rpc | Microsoft RPC over HTTP port; see Chapter 10 |
636 | ldaps | SSL-wrapped LDAP service; see Chapter 5 |
706 | silc | Secure Internet Live Conferencing (SILC) chat service |
873 | rsync | Linux rsync service, remotely exploitable in some cases; see CVE-2002-0048 |
993 | imaps | SSL-wrapped IMAP mail service; see Chapter 11 |
994 | ircs | SSL-wrapped Internet Relay Chat (IRC) service |
995 | pop3s | SSL-wrapped POP3 mail service; see Chapter 11 |
1080 | socks | SOCKS proxy service |
1352 | lotusnote | Lotus Notes service |
1433 | ms-sql | Microsoft SQL Server; see Chapter 9 |
1494 | citrix-ica | Citrix ICA service; see Chapter 8 |
1521 | oracle-tns | Oracle TNS Listener; see Chapter 9 |
1526 | oracle-tns | Alternate Oracle TNS Listener port; see Chapter 9 |
1541 | oracle-tns | Alternate Oracle TNS Listener port; see Chapter 9 |
1720 | videoconf | H.323 video conferencing service |
1723 | pptp | Point-to-Point Tunneling Protocol (PPTP); see Chapter 12 |
1999 | cisco-disc | Discovery port found on Cisco IOS devices |
2301 | compaq-dq | Compaq diagnostics HTTP web service |
2401 | cvspserver | Unix CVS service, vulnerable to a number of attacks |
2433 | ms-sql | Alternate Microsoft SQL Server port; see Chapter 9 |
2638 | sybase | Sybase database service |
3128 | squid | SQUID web proxy service |
3268 | globalcat | Active Directory Global Catalog service; see Chapter 5 |
3269 | globalcats | SSL-wrapped Global Catalog service; see Chapter 5 |
3306 | mysql | MySQL database service; see Chapter 9 |
3372 | msdtc | Microsoft Distributed Transaction Coordinator (MSDTC) |
3389 | ms-rdp | Microsoft Remote Desktop Protocol (RDP); see Chapter 8 |
4110 | wg-vpn | WatchGuard branch office VPN service |
4321 | rwhois | NSI rwhoisd service, remotely exploitable in some cases; see CVE-2001-0913 |
4480 | proxy+ | Proxy+ web proxy service |
5000 | upnp | Windows XP Universal Plug and Play (UPNP) service |
5432 | postgres | PostgreSQL database service |
5631 | pcanywhere | pcAnywhere service |
5632 | pcanywhere | pcAnywhere service |
5800 | vnc-http | Virtual Network Computing (VNC) web service; see Chapter 8 |
5900 | vnc | VNC service; see Chapter 8 |
6000 | x11 | X Windows service; see Chapter 8 |
6103 | backupexec | VERTIAS Backup Exec service |
6112 | dtspcd | Unix CDE window manager Desktop Subprocess Control Service Daemon (DTSPCD), vulnerable on multiple commercial platforms; see CVE-2001-0803 |
6588 | analogx | AnalogX web proxy |
7100 | font-service | X Server font service |
8890 | sourcesafe | Microsoft Source Safe service |
9100 | jetdirect | HP JetDirect printer management port |
UDP Ports
UDP ports of interest from a remote security assessment perspective are listed in Table A-2. I have included references to chapters within this book, along with other details that I deem appropriate, including MITRE CVE references to known issues.
Port | Name | Notes |
53 | domain | Domain Name Service (DNS); see Chapter 5 |
67 | bootps | BOOTP (commonly known as DHCP) server port |
68 | bootpc | BOOTP (commonly known as DHCP) client port |
69 | tftp | Trivial File Transfer Protocol (TFTP), a historically weak protocol used to upload configuration files to hardware devices |
111 | sunrpc | RPC portmapper (also known as rpcbind); see Chapter 13 |
123 | ntp | Network Time Protocol (NTP); see Chapter 5 |
135 | loc-srv | Microsoft RPC server service; see Chapter 10 |
137 | netbios-ns | Microsoft NetBIOS name service; see Chapter 10 |
138 | netbios-dgm | Microsoft NetBIOS datagram service; see Chapter 10 |
161 | snmp | Simple Network Management Protocol (SNMP); see Chapter 5 |
445 | cifs | Common Internet File System (CIFS); see Chapter 10 |
500 | isakmp | IPsec key management service, used to maintain IPsec VPN tunnels; see Chapter 12 |
513 | rwho | Unix rwhod service; see Chapter 5 |
514 | syslog | Unix syslogd service for remote logging over a network |
520 | route | Routing Information Protocol (RIP) service. BSD-derived systems, including IRIX, are susceptible to a routed trace file attack; see CVE-1999-0215 |
1434 | ms-sql-ssrs | SQL Server Resolution Service (SSRS); see Chapter 9 |
1900 | upnp | Universal Plug and Play (UPNP) service used by SOHO routers and other devices |
2049 | nfs | Unix Network File System (NFS) server port; see Chapter 13 |
4045 | mountd | Unix NFS mountd server port; see Chapter 13 |
ICMP Message Types
ICMP message types of interest from a remote security assessment perspective are listed in Table A-3. Both the message types and individual codes are listed, along with details of RFCs and other standards in which these message types are discussed.
Type | Code | Notes |
0 | 0 | Echo reply (RFC 792) |
3 | 0 | Destination network unreachable |
3 | 1 | Destination host unreachable |
3 | 2 | Destination protocol unreachable |
3 | 3 | Destination port unreachable |
3 | 4 | Fragmentation required, but don't fragment bit was set |
3 | 5 | Source route failed |
3 | 6 | Destination network unknown |
3 | 7 | Destination host unknown |
3 | 8 | Source host isolated |
3 | 9 | Communication with destination network is administratively prohibited |
3 | 10 | Communication with destination host is administratively prohibited |
3 | 11 | Destination network unreachable for type of service |
3 | 12 | Destination host unreachable for type of service |
3 | 13 | Communication administratively prohibited (RFC 1812) |
3 | 14 | Host precedence violation (RFC 1812) |
3 | 15 | Precedence cutoff in effect (RFC 1812) |
4 | 0 | Source quench (RFC 792) |
5 | 0 | Redirect datagram for the network or subnet |
5 | 1 | Redirect datagram for the host |
5 | 2 | Redirect datagram for the type of service and network |
5 | 3 | Redirect datagram for the type of service and host |
8 | 0 | Echo request (RFC 792) |
9 | 0 | Normal router advertisement (RFC 1256) |
9 | 16 | Does not route common traffic (RFC 2002) |
11 | 0 | Time to live (TTL) exceeded in transit (RFC 792) |
11 | 1 | Fragment reassembly time exceeded (RFC 792) |
13 | 0 | Timestamp request (RFC 792) |
14 | 0 | Timestamp reply (RFC 792) |
15 | 0 | Information request (RFC 792) |
16 | 0 | Information reply (RFC 792) |
17 | 0 | Address mask request (RFC 950) |
18 | 0 | Address mask reply (RFC 950) |
30 | 0 | Traceroute (RFC 1393) |