One of the most frequently fielded questions among security analysts is, "Do I have a Trojan-horse program if I've found a port open on my computer?" Variations of this question litter security mailing lists, but the answer is always the same: Trace the port number to the program that's opening the port, and investigate the program. The process of tracing an open port to its causative agent is called port enumeration (or port mapping). Of course, the answer assumes that you have an adequate understanding of port numbers, a good port-enumeration tool, and the ability to research whether the found program is malicious. Let's take a look at port enumeration in general, then review 11 Windows port enumerators.
TCP/UDP Tutorial
To investigate ports, you need to know a little bit about TCP/IP and network connections. Today, most computers use the TCP/IP network protocol to communicate. TCP/IP's two main upper-layer (Open System Interconnection [OSI] Layer 4) transport protocols are TCP and UDP. One of these two protocols is typically responsible for sending information that travels between two computers (or between two processes on the same computer). Both TCP and UDP rely on the lower-level IP protocol to route packets from one computer to another. An IP packet header contains the source and destination IP addresses (or multicast or broadcast addresses, when appropriate) of the two computers and the protocol number (i.e., 6 for TCP or 17 for UDP), among other bits of information. The lower-layer protocol, IP, routes the packet from the source to the destination over the logical network. When the packet arrives at its eventual destination, the IP stack associated with the NIC removes the IP packet frame and inspects the upper-level protocol (i.e., TCP or UDP). For information about the differences between TCP and UDP, see the Web-exclusive sidebar, "UDP vs. TCP," http://www.secadministrator.com, InstantDoc ID 40315.
A Lesson in Ports
TCP and UDP packets contain source and destination port numbers. A port is a network I/O opening into an application (or service or daemon). Ports are numbered from 0 to 65,535. The reason for that numbering scheme is that TCP and UDP packet headers permit 16 bits (2^16) for both the source and destination port numbers (2^16 equals 65,536 possible port numbers). Numbering I/O openings is a handy way for computers and users to keep track of which port belongs to what program.
Early in the Internet's history, the Internet Assigned Numbers Authority (IANA) decided to reserve the first 1024 port numbers (i.e., 0 to 1023) for requesting entities. The IANA assigns these so-called well-known port numbers. (See Table 1 for some common well-known port numbers.) Although most lists of well-known port numbers are now old and not 100 percent accurate, popular port numbers for the most widespread protocol services have remained unchanged for over a decade.
Port numbers 1024 through 49,151 are called registered port numbers, and ports 49,152 through 65,535 are called dynamic or private port numbers. In practice, ports 1024 through 65,535 are dynamically generated, and any application can use them. When an application or service starts, it typically checks whether it can use a particular port number, and if that port number isn't already taken, it opens the port. The port numbers that an application opens might always be the same, or they might be randomly generated. The more popular the application, the more likely that Internet software developers will let the program use an exclusive port number. Table 2 lists some sample port numbers for popular applications, and Table 3 lists common Windows port numbers.
Communication Example
Understanding the difference between source and destination port numbers is essential. In most cases, when you look at port traffic, you're concerned with destination port numbers. Destination traffic typically goes to a well-known port, whereas origination (aka source) ports can be any randomly generated number above 1023. In practice, however, the randomly generated port number falls between 1024 and 3000. For example, when you use Microsoft Internet Explorer (IE) to connect to a Web site, the destination port number is 80, whereas the origination port is randomly generated. Figure 1 shows a sample session that started when I browsed to http://www.secadministrator.com. The destination IP address is 63.88.172.127, and the port number is TCP 80. The origination IP address is 192.168.168.160, and the port number is TCP 2335.
The 192.168.168.160 private IP address is present because my PC sits behind a firewall, which connects to the Internet with its public IP address. Each browser connection or refresh generates a new (typically higher) source port number. Also, because a Web page might have embedded links and advertisements hosted on other Web sites, one browser page might have a multitude of open port connections, all pointing to the same IP address or to different IP addresses.
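The following Python script is an added example (not part of the original article) that ties together the IP header fields, the 16-bit port fields and the IANA port ranges described above: it decodes a constructed IPv4 packet, reads the protocol number (6 or 17), pulls the source and destination ports out of the TCP/UDP header, and labels each port as well-known, registered or dynamic. The sample packet rebuilds the Figure 1 session (192.168.168.160:2335 to 63.88.172.127:80) from bytes; the checksum fields are zeroed because nothing here validates them.

```python
import struct
from ipaddress import IPv4Address

# IP protocol numbers named in the article; anything else is rejected here.
PROTOCOL_NAMES = {6: "TCP", 17: "UDP"}

def port_class(port):
    """Map a 16-bit port number to the IANA range the article describes."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is not a 16-bit value")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def parse_packet(packet):
    """Decode an IPv4 packet far enough to recover the transport-layer ports."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    protocol = packet[9]
    if protocol not in PROTOCOL_NAMES:
        raise ValueError(f"unsupported protocol number {protocol}")
    if len(packet) < ihl + 4:
        raise ValueError("truncated transport header")
    # Both TCP and UDP headers begin with 16-bit source and destination ports.
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {
        "protocol": PROTOCOL_NAMES[protocol],
        "src": str(IPv4Address(packet[12:16])),
        "dst": str(IPv4Address(packet[16:20])),
        "src_port": src_port,
        "dst_port": dst_port,
        "src_class": port_class(src_port),
        "dst_class": port_class(dst_port),
    }

def build_sample_packet(src, dst, src_port, dst_port, protocol=6):
    """Constructed IPv4 + transport header (checksums zeroed) for offline testing."""
    transport = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64, protocol, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + transport

if __name__ == "__main__":
    pkt = build_sample_packet("192.168.168.160", "63.88.172.127", 2335, 80)
    print(parse_packet(pkt))
```

The destination port 80 lands in the well-known range while the source port 2335 lands in the registered range, which is the asymmetry the text describes: the server side is the one you can look up, the client side is whatever the stack handed out.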