Determining What’s Running on Open Ports
As a security professional, you need to gather the things that count when scanning your systems. You can often identify the following information:
- Protocols in use, such as IP, domain name system (DNS), and NetBIOS (Network Basic Input/Output System)
- Services running on the hosts, such as e-mail, web servers, and database applications
- Available remote access services, such as Remote Desktop Protocol (RDP), telnet, and Secure Shell (SSH)
- Virtual Private Network (VPN) services, such as PPTP, SSL/TLS, and IPsec
- Permissions and authentication requirements for network shares
You can look for the following sampling of open ports (your network-scanning program reports these as accessible or open):
- Ping (ICMP echo) replies, showing that ICMP traffic is allowed to and from the host
- TCP port 21, showing that FTP is running
- TCP port 23, showing that telnet is running
- TCP ports 25 or 465 (SMTP and SMTPS), 110 or 995 (POP3 and POP3S), or 143 or 993 (IMAP and IMAPS), showing that an e-mail server is running
- TCP/UDP port 53, showing that a DNS server is running
- TCP ports 80, 443, and 8080, showing that a web server or web proxy is running
- TCP/UDP ports 135, 137, 138, 139 and, especially, 445, showing that a Windows host is running
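The list above is most useful when turned into an inventory you can run over your own scan results. The following Python script is an added example, not code from the book: it parses nmap's grepable output format (`-oG`), applies the port-to-service mapping from the list, and flags which hosts look like Windows machines (weighting port 445 above the NetBIOS ports) and which expose services that carry credentials unencrypted by default (an assumption, since STARTTLS or FTPS could be in use). The scan text embedded in the script is constructed sample data, not a real scan.

```python
import re

# Constructed sample of nmap grepable (-oG) output; the hosts and ports are made up.
# Field layout per port entry: port/state/proto/owner/service/rpcinfo/version/
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample, not real output)
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 192.0.2.20 ()\tPorts: 25/open/tcp//smtp///, 993/open/tcp//imaps///, 53/open/udp//domain///, 443/open/tcp//https///\tIgnored State: closed (996)
Host: 192.0.2.30 ()\tStatus: Up
"""

# (protocol, port) -> role, taken from the list of ports above.
PORT_ROLES = {
    ("tcp", 21): "FTP",
    ("tcp", 23): "telnet",
    ("tcp", 25): "e-mail server", ("tcp", 465): "e-mail server",
    ("tcp", 110): "e-mail server", ("tcp", 995): "e-mail server",
    ("tcp", 143): "e-mail server", ("tcp", 993): "e-mail server",
    ("tcp", 53): "DNS server", ("udp", 53): "DNS server",
    ("tcp", 80): "web server or proxy", ("tcp", 443): "web server or proxy",
    ("tcp", 8080): "web server or proxy",
}
# Ports that together indicate a Windows host; 445 (SMB) is the strongest signal.
WINDOWS_PORTS = {135, 137, 138, 139, 445}
# Assumption: these services are cleartext unless STARTTLS/FTPS has been configured.
CLEARTEXT_PORTS = {("tcp", 21), ("tcp", 23), ("tcp", 25), ("tcp", 110),
                   ("tcp", 143), ("tcp", 80), ("tcp", 8080)}

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text):
    """Return {ip: [(port, proto, service), ...]} for open ports in nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skip comment and blank lines
        ip = m.group(1)
        hosts.setdefault(ip, [])
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                if state == "open":
                    hosts[ip].append((port, proto, service))
    return hosts


def classify_host(open_ports):
    """Map a host's open ports to the roles in PORT_ROLES; returns a sorted list."""
    roles = set()
    windows_hits = set()
    for port, proto, _service in open_ports:
        role = PORT_ROLES.get((proto, port))
        if role:
            roles.add(role)
        if port in WINDOWS_PORTS:
            windows_hits.add(port)
    if windows_hits:
        roles.add("Windows host (SMB on 445)" if 445 in windows_hits
                  else "Windows host (NetBIOS/RPC)")
    return sorted(roles)


def cleartext_exposures(open_ports):
    """List open ports whose default protocol sends credentials unencrypted."""
    return sorted(f"{proto}/{port}" for port, proto, _service in open_ports
                  if (proto, port) in CLEARTEXT_PORTS)


def inventory(text):
    """Build {ip: {"roles": [...], "cleartext": [...]}} from -oG scan text."""
    return {ip: {"roles": classify_host(ports), "cleartext": cleartext_exposures(ports)}
            for ip, ports in parse_grepable(text).items()}


if __name__ == "__main__":
    for ip, info in inventory(SAMPLE_SCAN).items():
        print(ip, "roles:", info["roles"], "cleartext:", info["cleartext"])
```

Run it against a real `nmap -sU -sT -oG scan.txt <your-hosts>` file by replacing `SAMPLE_SCAN` with the file contents; hosts that show up with empty role lists but a `Status: Up` line (like 192.0.2.30 in the sample) are the ones whose services fall outside the list and deserve a closer look.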