Services and Ports of Interest: As we wade into the enumeration phase, let’s make sure you understand more details about ports.
You should expect during your scanning phase to uncover a number of ports, some of which may be useful to you for enumeration and other less so. Here are several that you should pay close attention to:
TCP 21—FTP: Port 21 is the control channel for the File Transfer Protocol, which transfers files from client to server or vice versa. The protocol is supported by all major operating systems in use today. Credentials and data travel in the clear, and servers that accept anonymous logins are a common find during enumeration.
TCP 23—Telnet: Telnet is a long-standing protocol and software used to remotely connect to systems and run processes on the target systems. Telnet is available on many systems and devices, but has seen decreased usage over the years because of a lack of security features; for example, passwords are sent in the clear.
TCP 25—SMTP: This port is used by the Simple Mail Transfer Protocol, which carries messages (usually email) from client to server and from server to server. Servers that still honor the VRFY and EXPN commands can be used to enumerate valid user accounts.
TCP 53—DNS: This port is used for DNS zone transfers (AXFR), the mechanism through which the DNS system keeps secondary servers up to date with the latest zone data, and for any response too large to fit in a single UDP datagram. A server that permits zone transfers to arbitrary clients hands you the complete list of hosts in the zone.
UDP 53—DNS: Pay attention to the fact that we are talking about port 53 UDP and not TCP. The UDP port handles ordinary name queries, the name-to-IP and IP-to-name lookups that fit in a single datagram.
TCP 80—HTTP: Hypertext Transfer Protocol is the common protocol used by all web browsers and many web applications; TCP 443 carries the same protocol over TLS.
TCP 135—RPC: This port is used during client-server communications, such as allowing Microsoft Outlook to communicate with Microsoft Exchange. Specifically, this port is the Remote Procedure Call endpoint mapper in Windows, which clients query to learn the port on which a given RPC service is listening.
UDP 137—NetBIOS: This port is associated with the NetBIOS Name Service (NBNS), a mechanism designed to provide name resolution for the NetBIOS protocol. Note that NBNS runs over UDP, not TCP, so a TCP-only scan will not show it.
The service allows NetBIOS to associate names with the IP addresses of individual systems and services. It is important to note that this service is a natural and easy target for many attackers: a single unauthenticated node status query returns the machine name, workgroup or domain, and logged-on user names.
TCP 139—NetBIOS: NetBIOS Session Service, also known as SMB over NetBIOS, lets you manage connections between NetBIOS-enabled clients and applications and is associated with port TCP 139.
The service is used by NetBIOS to establish connections and tear them down when they are no longer needed.
TCP 445—SMB over TCP: SMB over TCP, or Direct Host, is a service designed to improve network access by carrying SMB directly over TCP and bypassing the NetBIOS layer.
This service is available only in versions of Windows starting at Windows 2000 and later, and it is the port most SMB enumeration tools target today.
UDP 161 and 162—SNMP: SNMP is a protocol used to manage and monitor network devices and hosts. The protocol is designed to facilitate messaging, monitoring, auditing, and other capabilities.
SNMP works on two ports: 161 and 162. The agent on a managed device listens for requests on 161, and the management station receives traps (unsolicited alerts) on 162. SNMP versions 1 and 2c authenticate with a community string sent in the clear, and the defaults "public" and "private" are still commonly left in place.
TCP/UDP 389—LDAP: Lightweight Directory Access Protocol (LDAP) is used by many applications; two of the most common are Active Directory and Exchange.
The protocol is used to query and modify entries in a directory, such as users, groups, and computers. If port 389 is open (TCP for normal LDAP, UDP for the connectionless variant that Windows clients use to locate domain controllers), it indicates that one of these or a similar product may be present; TCP 636 is the same service over SSL/TLS.
TCP/UDP 3268—Global Catalog Service: Global Catalog Service is associated with Microsoft's Active Directory and runs on port 3268 on Windows 2000 systems and later (3269 for the SSL/TLS variant).
The service is used to locate information within Active Directory.
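The list above is only useful if you act on it with the transport protocol kept straight. The following script is an added example, not code from the original text: it parses nmap's grepable output (-oG), keeps only open ports, maps each (protocol, port) pair to the service described above and a suggested follow-up command, and warns when the scan contained no UDP results at all, since the default nmap scan is TCP-only and would miss UDP 53, 137 and 161. The scan output, the host 10.0.0.5 and the follow-up commands are constructed for illustration.

```python
"""Triage nmap -oG output into enumeration next steps.

Added example for this section; not code from the original text.
The sample scan output, the host 10.0.0.5 and the suggested
follow-up commands are constructed assumptions, not real results.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host proto port state service")

# Ports of interest from this section, keyed by (transport, port).
# Follow-up commands are suggestions using common tools, not from the page.
PORTS_OF_INTEREST = {
    ("tcp", 21):   ("FTP", "nmap --script ftp-anon -p 21 {host}"),
    ("tcp", 23):   ("Telnet", "nc {host} 23   # banner; credentials in clear"),
    ("tcp", 25):   ("SMTP", "nmap --script smtp-enum-users -p 25 {host}"),
    ("tcp", 53):   ("DNS zone transfer", "dig axfr <zone> @{host}"),
    ("udp", 53):   ("DNS queries", "dig @{host} <zone> any"),
    ("tcp", 80):   ("HTTP", "curl -sI http://{host}/"),
    ("tcp", 135):  ("MS RPC endpoint mapper", "nmap --script msrpc-enum -p 135 {host}"),
    ("udp", 137):  ("NetBIOS Name Service", "nmblookup -A {host}"),
    ("tcp", 139):  ("NetBIOS Session Service (SMB)", "smbclient -L //{host} -N"),
    ("tcp", 445):  ("SMB over TCP", "enum4linux -a {host}"),
    ("udp", 161):  ("SNMP agent", "snmpwalk -v2c -c public {host}"),
    ("udp", 162):  ("SNMP trap receiver", "traps only; nothing to query here"),
    ("tcp", 389):  ("LDAP", "ldapsearch -x -H ldap://{host} -s base -b ''"),
    ("udp", 389):  ("LDAP over UDP (CLDAP)", "query the TCP side for directory data"),
    ("tcp", 3268): ("Global Catalog (LDAP)", "ldapsearch -x -H ldap://{host}:3268 -s base -b ''"),
}

# Constructed sample of nmap -oG output: one TCP line and one UDP line.
SAMPLE = """# Nmap grepable output (constructed sample, not a real scan)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp///, 23/closed/tcp//telnet///, 53/open/tcp//domain///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 389/open/tcp//ldap///, 3268/open/tcp//globalcatLDAP///\tIgnored State: closed (992)
Host: 10.0.0.5 ()\tPorts: 53/open/udp//domain///, 137/open/udp//netbios-ns///, 161/open|filtered/udp//snmp///\tIgnored State: open|filtered (997)
"""

# Each -oG port entry is port/state/proto/owner/service/sunrpc/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/[^/]*/([^/,]*)/")


def parse_grepable(text):
    """Return a list of Finding tuples from nmap -oG text."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and blank lines
        host = re.match(r"Host:\s+(\S+)", line).group(1)
        # Fields are tab-separated; only lines with a Ports: field matter.
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        for port, state, proto, service in PORT_RE.findall(ports_field):
            findings.append(Finding(host, proto, int(port), state, service))
    return findings


def triage(findings):
    """Map open ports of interest to (host, proto, port, name, next step)."""
    plan = []
    for f in findings:
        # "open|filtered" is the best UDP can usually say, so keep it too.
        if not f.state.startswith("open"):
            continue
        entry = PORTS_OF_INTEREST.get((f.proto, f.port))
        if entry:
            name, action = entry
            plan.append((f.host, f.proto, f.port, name, action.format(host=f.host)))
    return plan


def needs_udp_scan(findings):
    """True when no UDP results exist at all (default nmap scans are TCP-only)."""
    return not any(f.proto == "udp" for f in findings)


if __name__ == "__main__":
    found = parse_grepable(SAMPLE)
    for host, proto, port, name, action in triage(found):
        print(f"{host} {port}/{proto:<3} {name:<32} -> {action}")
    if needs_udp_scan(found):
        print("No UDP results: rerun with -sU to cover 53, 137, 161/udp")
```

Run it against a real scan with `nmap -sS -sU -p T:21,23,25,53,80,135,139,389,445,3268,U:53,137,161 -oG scan.gnmap <target>` and feed the file to `parse_grepable`; the point of the `needs_udp_scan` check is that three of the services in this section never appear unless you asked for UDP explicitly.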
NOTE: I can't stress this enough: You must know your ports for the exam as well as in the field. Fortunately, for the exam there are only a handful of ports that you must remember (including their TCP/UDP status).
In the field you will frequently be presented with port numbers that aren't covered on the CEH exam, and in those cases you must be prepared by having a list of ports printed out or in a document on your computer or smartphone.
Just because CEH doesn’t test on a topic doesn’t mean you won’t run into it.
Remember, getting certified is one thing, but you must also have practical knowledge.