TCP/IP port numbers
The TCP/IP protocol suite (or stack) utilizes not only IP addresses but numbered ports to manage and maintain connections between network hosts. While IP addressing is used by the Internet Protocol (IP) at Layer 3 of the Open Systems Interconnection (OSI) model, ports are used by transport layer protocols like Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) at Layer 4. As the name implies, transport layer protocols are designed to transport or deliver data to network hosts during communication sessions.
As network interface cards, switches, and routers have physical ports into which you can plug network cables, think of transport layer ports as “virtual ports” that are used to classify and segregate data traffic between communicating hosts. For example, if your computer initiates an FTP connection with an FTP server, it sends data to port 21 on the server using TCP. If your computer sends an HTTP request to a web server, it does so on port 80 on the server using TCP. If your PC queries a DNS server for a host’s IP address, it does so on port 53 of the DNS server using UDP. Simultaneously, ports numbered higher than 1023 are opened on your PC to receive traffic from the servers (the TCP/IP protocol suite can support ports numbered from 0 to 65,535).
An example of why port numbers are so necessary would be when you browse multiple websites simultaneously. Your web browser would be sending out HTTP GET requests to port 80 on multiple web servers. When these web servers respond, they send back HTTP data to the corresponding listening ports on your PC, allowing your web browser to properly display content from multiple web servers. Below you will see the results of the netstat -n command issued while my browser was loading data from multiple websites; my laptop’s port number is to the right of the colon after my IP address of 192.168.10.100 (go here to brush up on your netstat knowledge).
Proto Local Address Foreign Address
TCP 192.168.10.100:1124 126.96.36.199:443
TCP 192.168.10.100:2856 188.8.131.52:443
TCP 192.168.10.100:2857 184.108.40.206:80
TCP 192.168.10.100:2858 220.127.116.11:80
TCP 192.168.10.100:2859 18.104.22.168:80
TCP 192.168.10.100:2860 22.214.171.124:80
TCP 192.168.10.100:2868 126.96.36.199:80
TCP 192.168.10.100:2871 188.8.131.52:80
As you can see, my laptop is listening on ports 1124, 2856, 2857, 2858, etc. during these HTTP sessions. Ports (along with IP addresses) let networked computers using TCP/IP keep track of the different types of data traffic they send and receive.
What’s important to remember is that in client/server networking, the server running various protocol-based services (such as DNS, DHCP, HTTP, SNMP, etc) listens for incoming connection requests on pre-determined well known ports, while the clients making the requests open registered or dynamic ports on themselves to facilitate the communication session.
The well known and registered ports are maintained by the Internet Assigned Numbers Authority, or IANA. IANA is a department of the Internet Corporation for Assigned Names and Numbers (ICANN) that is responsible for coordinating some of the key elements that keep the Internet running smoothly, including the root DNS namespace, public IP address allocation, communication protocol parameters, etc.
IANA’s registry of assigned port numbers is freely available to the public on Wikipedia and IANA’s own website, so I won’t reproduce them here (fair warning: this IANA link made my browser repeatedly freeze for 20-30 seconds). My preferred resource for quick and easily readable access to the well known and registered ports can be found on Gasmi.net; TCP port assignments are here and UDP port assignments are here. Stengel.net isn’t bad, either.
During your networking studies you will encounter the term socket. A TCP/IP socket is not the same as a port. Rather, it is a combination of a host’s IP address and the port on which it is listening to a particular stream of traffic. Sockets allow messages to be transferred between applications (unrelated processes) on different network hosts. Technically a socket consists of a protocol, a local address, a local port, a remote address, and a remote port.
It is very important for all IT professionals (ethical hackers in particular) to have a crystal clear understanding of ports and how they work. It is also critical to commit to memory the ports used by common and important protocols and services. Below you will see a table of such port numbers. Not only will these ports show up for you in the real world, but many IT certification exams will test your knowledge of them. If you are unfamiliar with any of the services listed below, it’s highly recommended that you read up on them as well.
Common ports, protocols, and services
Port and Protocol (UDP/TCP)
|53/TCP||DNS zone transfer|
|111/TCP||SUN Remote Procedure Call. Recommended reading.|
|111/UDP||SUN Remote Procedure Call. Recommended reading.|
|135/TCP||Remote Procedure Call (RPC)
|137/UDP||NetBIOS name query packets|
|138/UDP||NetBIOS datagram packets|
|139/TCP||NetBIOS session, Windows File and Printer Sharing
|443/TCP||HTTPS (HTTP over SSL)|
|445/TCP||Microsoft Directory Services:
Active Directory, Windows shares
|445/UDP||Microsoft Directory Services: SMB file sharing|
|1494/TCP||Citrix Independent Computing Architecture (ICA)|
|1521/TCP||Oracle default listener|
|3268/TCP||Global Catalog (Active Directory)|
|3389/TCP||Windows Terminal Server (Remote Desktop)|
|4500/UDP||NAT Traversal (NAT-T)|
|5800/TCP||Virtual Network Computing (VNC)|
|5900/TCP||Virtual Network Computing (VNC)|
|6660-6669/TCP||Internet Relay Chat (IRC)|
|12222-12223/UDP||Lightweight Access Point Protocol (LWAPP)|
The Sans Institute maintains a list of ports known to be used by Trojan horse malware.
If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!