- About the Author
- About the Technical Editor
- Credits
- Acknowledgments
- Foreword
- Introduction
- CHAPTER 1 Fundamental Networking and Security Tools
- CHAPTER 2 Troubleshooting Microsoft Windows
- CHAPTER 3 Nmap—The Network Mapper
- CHAPTER 4 Vulnerability Management
- CHAPTER 5 Monitoring with OSSEC
- CHAPTER 6 Protecting Wireless Communication
- CHAPTER 7 Wireshark
- CHAPTER 8 Access Management
- CHAPTER 9 Managing Logs
- CHAPTER 10 Metasploit
- CHAPTER 11 Web Application Security
- CHAPTER 12 Patch and Configuration Management
- CHAPTER 13 Securing OSI Layer 8
- CHAPTER 14 Kali Linux
- CHAPTER 15 CISv7 Controls and Best Practices
Services Running
Many moons ago, I taught the CompTIA classes for Iron Horse University at Fort Carson in Colorado Springs. My soldiers would sit in my classroom for two weeks of instruction and hands‐on learning. So, if someone wanted to talk to one of my soldiers, they would come down the hall and into classroom 4. They needed a specific person, so they would go to that person's seat so they could talk to him or her.
As an example, let's say the soldier's name was Carla, who was seated in seat 23. So, Carla's socket was classroom.4:23. A socket is a point of ingress or egress. The combination of an IP address and a port is called an endpoint. A socket is one of the endpoints in a two‐way conversation between two programs communicating over a network. A socket is bound to a port number so we know which application that data is destined for.
The person sitting in seat 23 is like the program that is registered with the operating system to listen at that port. What if Carla was absent? What if someone else was sitting in seat 23? Programs listening on a certain port may or may not be the usual listener. You need to know whether Carla and Robert swapped seats. Table 3.1 describes the most common ports and the services that should be running on them.
Table 3.1: Top Ports Defined

| PORT NUMBER | NAME | DEFINED | USED FOR |
| --- | --- | --- | --- |
| 20 | FTP-data | File Transfer Protocol | Moving files between client and server |
| 21 | FTP-control | File Transfer Protocol | Control information for moving files |
| 22 | SSH | Secure Shell | Security for logging in and file transfer |
| 23 | Telnet | Telnet Protocol | Obsolete unencrypted communication |
| 25 | SMTP | Simple Mail Transfer Protocol | Sending/routing email |
| 53 | DNS | Domain Name System | Phonebook of the Internet; translates names of websites to IP addresses |
| 80 | HTTP | Hypertext Transfer Protocol | Foundation of the World Wide Web |
| 110 | POP3 | Post Office Protocol | Receiving email by downloading to your host |
| 123 | NTP | Network Time Protocol | Synchronizes the clocks on computers on your network |
| 143 | IMAP | Internet Message Access Protocol | View email messages from any device; does not download to a host |
| 161 | SNMP | Simple Network Management Protocol | Collects information and configures different network devices |
| 443 | HTTPS | Hypertext Transfer Protocol Secure | The secure version of HTTP; information between a browser and website is encrypted |
| 445 | Microsoft-DS | Microsoft Directory Services | SMB over IP; preferred port for Windows file sharing |
| 465 | SMTPS | Secure SMTP | Authenticated SMTP over SSL |
| 1433 | MSSQL | Microsoft SQL | Microsoft SQL database management system |
| 3389 | RDP | Remote Desktop Protocol | Application sharing protocol |
If you want to run a services scan against the machines in your ecosystem, Nmap will tell you which of the hundreds of thousands of ports might be open on a host. If a port is open, communication can occur. Sometimes that communication is unwanted and is what you are trying to protect against. For example, in Figure 3.3 you see the Nmap scan report showing the ports that are open, the service, the state, and the version.
To launch a services scan on a network segment, use the following command:
>nmap -sV <target addresses>
When you do a service scan with Nmap, it will tell you which ports are open and will use a database that lists more than 2,000 well‐known services that are typically running on those ports. It has been my experience that network administrators are opinionated and will have their own ideas of how services in their enterprise environment should be configured, so sometimes that database and reality do not match up. If you are doing inventory or vulnerability management, you want to be as accurate as possible and know the version and patch level of systems whenever available.
Version detection investigates those ports to figure out what is actually running. The nmap-service-probes database contains probe packets for discovering services, together with match rules for the responses. Using it, Nmap will attempt to determine the service, application, version number, hostname, device type, and operating system.
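The "is Carla still in seat 23?" check can be automated against the grepable output of a service scan. The following is an added example, not code from the book: it assumes the scan was run as `nmap -sV -oG scan.gnmap <targets>`, parses one `Host:` line of that file, and reports open ports whose detected service differs from what Table 3.1 says should be there. The expected-service table and the sample scan line are constructed for this example.

```python
import re

# Acceptable service names per port, derived from Table 3.1 and written as the names
# in Nmap's own service database (Table 3.1 says RDP; Nmap calls it ms-wbt-server).
# Constructed for this example; extend it with the ports your environment really uses.
EXPECTED = {
    20: {"ftp-data"}, 21: {"ftp"}, 22: {"ssh"}, 23: {"telnet"}, 25: {"smtp"},
    53: {"domain"}, 80: {"http"}, 110: {"pop3"}, 123: {"ntp"}, 143: {"imap"},
    161: {"snmp"}, 443: {"https", "ssl/http"}, 445: {"microsoft-ds"},
    465: {"smtps", "ssl/smtp"}, 1433: {"ms-sql-s"}, 3389: {"ms-wbt-server"},
}

def parse_grepable_ports(host_line):
    """Parse the 'Ports:' field of one nmap -oG 'Host:' line.

    Each entry is port/state/proto/owner/service/rpc/version/; Nmap writes any '/'
    that occurs inside a field as '|', so splitting on '/' is safe.
    """
    match = re.search(r"Ports: ([^\t]*)", host_line)
    if not match:
        return []
    entries = []
    for raw in match.group(1).split(", "):
        fields = raw.strip().split("/")
        if len(fields) < 7 or not fields[0].isdigit():
            continue
        service = fields[4].replace("|", "/").rstrip("?")  # 'http?' = unconfirmed guess
        entries.append({"port": int(fields[0]), "state": fields[1], "proto": fields[2],
                        "service": service, "version": fields[6]})
    return entries

def find_seat_swaps(host_line):
    """Return (port, expected, observed, version) for every open port whose detected
    service is not one Table 3.1 expects there, i.e. someone else is in Carla's seat."""
    swaps = []
    for e in parse_grepable_ports(host_line):
        allowed = EXPECTED.get(e["port"])
        if e["state"] == "open" and allowed and e["service"] not in allowed:
            swaps.append((e["port"], sorted(allowed)[0], e["service"], e["version"]))
    return swaps

# Constructed sample of one -oG host line (not real scan output): a web server is
# answering on the Telnet port, which a port-only scan would never flag.
SAMPLE = ("Host: 10.0.0.5 (lab-host)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
          "23/open/tcp//http//Apache httpd 2.4.41/, 443/open/tcp//ssl|http//nginx 1.18.0/, "
          "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
          "8080/open/tcp//http-proxy?///\tIgnored State: closed (995)")

if __name__ == "__main__":
    for port, expected, seen, version in find_seat_swaps(SAMPLE):
        print(f"port {port}: expected {expected}, saw {seen} ({version or 'no version'})")
```

Ports that Table 3.1 does not list (8080 in the sample) are ignored rather than reported, so the table should be extended with whatever your administrators have deliberately moved.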