Registered Port

User Datagram Protocol

Walter Goralski, in The Illustrated Network (Second Edition), 2017

Well-Known Ports

Port numbers can run from 0 to 65353. Port numbers from 0 to 1023 are reserved for common TCP/IP applications and are called well-known ports. The use of well-known ports allows client applications to easily locate the corresponding server application processes on other hosts. For example, a client process wanting to contact a DNS process running on a server must send the datagram to some destination port. The well-known port number for DNS is 53, and that's where the server process should be listening for client requests. These ports are sometimes called "privileged" ports, although a number of applications that formerly ran in "privileged" mode, such as HTTP servers, do not run this way anymore except when binding to the port. It should be noted that it is getting harder and harder to register new applications in the space below 1023 (these often use registered ports in the range 1024 to 49151).

Ports used on servers are persistent in the sense that they last for a long time, or at least as long as the application is running. Ports used on clients are ephemeral ("lasting a short time," although the term technically means "lasting a day") in the sense that they "come and go" as the user runs client applications.

Technically, UDP port numbers are independent from TCP port numbers. In practice, most of the applications indexed by port numbers are the same in UDP or TCP (although a few applications can use either protocol), excepting a handful that are maintained for historical reasons. This does not imply that applications can use TCP or UDP as they choose. It just means that it's easier to maintain one list rather than two. But no matter what port numbers are used, UDP port 1000 is a different application than TCP port 1000, even though both applications might perform the same function.

Some of the more common well-known port numbers are shown in Table 11.1. In the table, the UDP and TCP port numbers are identical.

Table 11.1. Some Well-Known Ports Used by UDP and TCP Services and Functions

| Port Number | Service | Meaning |
|---|---|---|
| 7 | Echo | Used to echo data back to the sender |
| 9 | Discard | Used to discard data at receiver |
| 13 | Daytime | Reports time information in user-friendly format |
| 17 | Quote | Returns a "quote of the day" (rarely used today) |
| 19 | Chargen | Character generator |
| 53 | DNS | Domain Name Service |
| 67 | DHCP server | Server port used to send configuration information |
| 68 | DHCP client | Client port used to receive configuration information |
| 69 | TFTP | Trivial file transfer |
| 161 | SNMP | Used to receive network management queries |
| 162 | SNMP traps | Used to receive network trouble reports |
| 1011–1023 | Reserved | Reserved for future use |

Port numbers above 1023 can be either registered or dynamic (also called private or non-reserved). Registered ports are in the range 1024 to 49151. Dynamic ports are in the range 49152 to 65535. As mentioned, most new port assignments are in the range from 1024 to 49151.

Registered port numbers are non–well-known ports that are used by vendors for their own server applications. After all, not every possible application capability will be reflected in a well-known port, and software vendors should be free to innovate. Of course, if another vendor chooses the same port number for a server process, and they are run on the same system, there would be no way to distinguish between these two seemingly identical applications.

Well-known ports—Ports in the range 0 to 1023 are assigned and controlled.

Registered ports—Ports in the range 1024 to 49151 are not assigned or controlled, but can be registered to prevent duplication.

Dynamic ports—Ports in the range 49152 to 65535 are not assigned, controlled, or registered. They are used for temporary or private ports. They are also known as private or non-reserved ports. Clients should choose ephemeral port numbers from this range, but many systems do not.

Vendors can register their application's ports with ICANN. Other software vendors are supposed to respect these registered values and register their own server application port numbers from the pool of unused values. Some registered UDP and TCP port numbers are shown in Table 11.2.

Table 11.2. Selected Registered UDP and TCP Ports with Service and Brief Description of Meaning

| Port Number | Service | Brief Description of Use |
|---|---|---|
| 1024 | Reserved | Reserved for future use |
| 1025 | Blackjack | Network version of blackjack |
| 1026 | CAP | Calendar access protocol |
| 1027 | Exosee | ExoSee |
| 1029 | Solidmux | Solid Mux Server |
| 1102 | Adobe 1 | Adobe Server 1 |
| 1103 | Adobe 2 | Adobe Server 2 |
| 44553 | Rbr-debug | REALBasic Remote Debug |
| 46999 | Mediabox | MediaBox Server |
| 47557 | Dbbrowse | Databeam Corporation |
| 48620–49150 | Unassigned | These ports have not been registered |
| 49151 | Reserved | Reserved for future use |

The private, or dynamic, port numbers are used by clients and not servers. Datagrams sent from a client to a server are typically only sent to well-known or registered ports (although there are exceptions). Server applications are usually long lived, while client processes come and go as users run them. Client applications therefore are free to choose almost any port number not used for some other purpose (hence the term "dynamic"), and many use different source port numbers every time they are run. The server has no trouble replying to the proper client because the server can just reverse the source and destination port numbers to send a reply to the right client (assuming the IP address of the client is right).

All TCP/IP implementations must know the range of well-known, registered, and private ports when choosing a port number to use. Unix systems hold this information in the /etc/services file. Windows users can find this in the C:\%SystemRoot%\system32\drivers\etc\SERVICES file, where %SystemRoot% will be automatically referred to a folder such as WinNT or WINDOWS. Most ports are the same for UDP or TCP, but some are unique to one or the other. For example, FTP control uses TCP port 21.

Here is the beginning of the file from winsrv2:

```text
# Copyright (c) 1993-2004 Microsoft Corp.
#
# This file contains port numbers for well-known services defined by IANA
#
# Format:
#
# <service name> <port number>/<protocol> [aliases...] [#<comment>]
#
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users #Active users
systat 11/udp users #Active users
daytime 13/tcp
daytime 13/udp
qotd 17/tcp quote #Quote of the day
qotd 17/udp quote #Quote of the day
chargen 19/tcp ttytst source #Character generator
chargen 19/udp ttytst source #Character generator
ftp-data 20/tcp #FTP, data
ftp 21/tcp #FTP. control
telnet 23/tcp

[many more lines not shown...]
```

For the latest global list of well-known, registered, and private port numbers, see www.iana.org/assignments/port-numbers. The port numbers are the same for IPv4 and IPv6.
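As an added example (not the book's code), the following parses lines in the services-file format quoted above and classifies a port into the three ranges the chapter defines (well-known 0–1023, registered 1024–49151, dynamic 49152–65535). The sample lines are constructed in that format, and lookups are keyed on (port, protocol) because, as the text notes, UDP port N and TCP port N are different applications.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the services file format:
#   <service name> <port number>/<protocol> [aliases...] [#<comment>]
SAMPLE_SERVICES = """\
# This file contains port numbers for well-known services defined by IANA
echo            7/tcp
echo            7/udp
discard         9/tcp    sink null
systat          11/tcp   users          #Active users
qotd            17/udp   quote          #Quote of the day
chargen         19/tcp   ttytst source  #Character generator
ftp             21/tcp                  #FTP. control
domain          53/udp                  #Domain Name Server
blackjack       1025/tcp                #network blackjack
"""


class ServiceEntry(NamedTuple):
    name: str
    port: int
    protocol: str
    aliases: List[str]
    comment: Optional[str]


# name, port/proto, optional aliases (anything up to '#'), optional '#comment'
_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)\b"
    r"(?P<rest>[^#]*)(?:#\s*(?P<comment>.*))?$",
    re.IGNORECASE,
)


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse a services file; blank lines, comment lines and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at it
        port = int(m.group("port"))
        if not 0 <= port <= 65535:
            continue  # not a 16-bit port number
        comment = (m.group("comment") or "").strip() or None
        entries.append(ServiceEntry(m.group("name"), port,
                                    m.group("proto").lower(),
                                    m.group("rest").split(), comment))
    return entries


def port_class(port: int) -> str:
    """Classify a port into the three ranges described in the text."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of 16-bit range: %d" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def lookup(entries: List[ServiceEntry], port: int, protocol: str) -> Optional[ServiceEntry]:
    """Find the entry for (port, protocol); UDP and TCP are separate spaces."""
    table = {(e.port, e.protocol): e for e in entries}
    return table.get((port, protocol.lower()))


if __name__ == "__main__":
    for e in parse_services(SAMPLE_SERVICES):
        print(e.port, e.protocol, e.name, port_class(e.port), e.aliases, e.comment)
```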


https://www.sciencedirect.com/science/article/pii/B9780128110270000114

User Datagram Protocol

Walter Goralski, in The Illustrated Network, 2009

PORT NUMBERS

Each application running above UDP (and TCP) and IP is indexed by its port number, allowing for the multiplexing of the IP layer. Just as frames with different types of packets within (on Ethernet, IPv4 is 0x0800 and IPv6 is 0x86DD) are multiplexed onto a single LAN interface, the individual IPv4 or IPv6 packets are multiplexed and distributed by the protocol number (UDP is IP protocol number 17, and TCP is 6).

The port numbers in turn multiplex and distribute datagrams from applications, allowing them to share a single UDP or TCP process, which is usually integrated closely with the operating system. This function of frame Ethertype, packet protocol, and datagram port is shown in Figure 10.5. The figure shows how IPv4 data for DNS makes its way from frame through IPv4 through UDP to the DNS application listening on UDP port 53.

Figure 10.5. UDP port multiplexing and distribution, showing how a single IP layer (IPv6 in this case) can be used by multiple transport protocols and applications.

Well-Known Ports

Port numbers can run from 0 to 65353. Port numbers from 0 to 1023 are reserved for common TCP/IP applications and are called well-known ports. The use of well-known ports allows client applications to easily locate the corresponding server application processes on other hosts. For example, a client process wanting to contact a DNS process running on a server must send the datagram to some destination port. The well-known port number for DNS is 53, and that's where the server process should be listening for client requests. These ports are sometimes called "privileged" ports, although a number of applications that formerly ran in "privileged" mode, such as HTTP servers, do not run this way anymore except when binding to the port. It should be noted that it is getting harder and harder to register new applications in the space below 1023 (these often use registered ports in the range 1024 to 49151).

Ports used on servers are persistent in the sense that they last for a long time, or at least as long as the application is running. Ports used on clients are ephemeral ("lasting a short time," although the term technically means "lasting a day") in the sense that they "come and go" as the user runs client applications.

Technically, UDP port numbers are independent from TCP port numbers. In practice, most of the applications indexed by port numbers are the same in UDP or TCP (although a few applications can use either protocol), excepting a handful that are maintained for historical reasons. This does not imply that applications can use TCP or UDP as they choose. It just means that it's easier to maintain one list rather than two. But no matter what port numbers are used, UDP port 1000 is a different application than TCP port 1000, even though both applications might perform the same function.

Some of the more common well-known port numbers are shown in Table 10.1. In the table, the UDP and TCP port numbers are identical.

Table 10.1. Some Well-Known Ports Used by UDP and TCP Services and Functions

| Port Number | Service | Meaning |
|---|---|---|
| 7 | Echo | Used to echo data back to the sender |
| 9 | Discard | Used to discard data at receiver |
| 13 | Daytime | Reports time information in user-friendly format |
| 17 | Quote | Returns a "quote of the day" (rarely used today) |
| 19 | Chargen | Character generator |
| 53 | DNS | Domain Name Service |
| 67 | DHCP server | Server port used to send configuration information |
| 68 | DHCP client | Client port used to receive configuration information |
| 69 | TFTP | Trivial file transfer |
| 161 | SNMP | Used to receive network management queries |
| 162 | SNMP traps | Used to receive network problem reports |
| 1011–1023 | Reserved | Reserved for future use |

Port numbers above 1023 can be either registered or dynamic (also called private or non-reserved). Registered ports are in the range 1024 to 49151. Dynamic ports are in the range 49152 to 65535. As mentioned, most new port assignments are in the range from 1024 to 49151.

Registered port numbers are non–well-known ports that are used by vendors for their own server applications. After all, not every possible application capability will be reflected in a well-known port, and software vendors should be free to innovate. Of course, if another vendor chooses the same port number for a server process, and they are run on the same system, there would be no way to distinguish between these two seemingly identical applications.

Well-known ports—Ports in the range 0 to 1023 are assigned and controlled.

Registered ports—Ports in the range 1024 to 49151 are not assigned or controlled, but can be registered to prevent duplication.

Dynamic ports—Ports in the range 49152 to 65535 are not assigned, controlled, or registered. They are used for temporary or private ports. They are also known as private or non-reserved ports. Clients should choose ephemeral port numbers from this range, but many systems do not.

Vendors can register their application's ports with ICANN. Other software vendors are supposed to respect these registered values and register their own server application port numbers from the pool of unused values. Some registered UDP and TCP port numbers are shown in Table 10.2.

Table 10.2. Selected Registered UDP and TCP Ports with Service and Brief Description of Meaning

| Port Number | Service | Brief Description of Use |
|---|---|---|
| 1024 | Reserved | Reserved for future use |
| 1025 | Blackjack | Network version of blackjack |
| 1026 | CAP | Calendar access protocol |
| 1027 | Exosee | ExoSee |
| 1029 | Solidmux | Solid Mux Server |
| 1102 | Adobe 1 | Adobe Server 1 |
| 1103 | Adobe 2 | Adobe Server 2 |
| 44553 | Rbr-debug | REALBasic Remote Debug |
| 46999 | Mediabox | MediaBox Server |
| 47557 | Dbbrowse | Databeam Corporation |
| 48620–49150 | Unassigned | These ports have not been registered |
| 49151 | Reserved | Reserved for future use |

The private, or dynamic, port numbers are used by clients and not servers. Datagrams sent from a client to a server are typically only sent to well-known or registered ports (although there are exceptions). Server applications are usually long lived, while client processes come and go as users run them. Client applications therefore are free to choose almost any port number not used for some other purpose (hence the term "dynamic"), and many use different source port numbers every time they are run. The server has no problem replying to the proper client because the server can just reverse the source and destination port numbers to send a reply to the correct client (assuming the IP address of the client is correct).

All TCP/IP implementations must know the range of well-known, registered, and private ports when choosing a port number to use. Unix systems hold this information in the /etc/services file. Windows users can find this in the C:\%SystemRoot%\system32\drivers\etc\SERVICES file, where %SystemRoot% will be automatically referred to a folder such as WinNT or WINDOWS. Most ports are the same for UDP or TCP, but some are unique to one or the other. For example, FTP control uses TCP port 21.

For the latest global list of well-known, registered, and private port numbers, see www.iana.org/assignments/port-numbers. The port numbers are the same for IPv4 and IPv6.

The Socket

The combination of IPv4 or IPv6 address and port numbers forms an abstract concept called a socket. We've mentioned the socket concept briefly earlier, and will do so again and again in later chapters. The socket concept is important for many reasons, and a later chapter will explore some of them more completely. For now, all that is important to mention is that, for each client–server interaction, there is a socket on each host at the endpoints of the network. The sockets at each end uniquely identify that particular client–server interaction, although the same sockets can be used for subsequent interactions.

Sockets are usually written in IPv4 and IPv6 by adding a colon (:) to the IP address, although sometimes a dot (.) is used instead. In IPv6, it is also necessary to add brackets to avoid confusion with the :: notation, such as in [FC00:490:f100:1000::1]:80. A UDP socket on lnxclient, for instance, would be 10.10.12.166:17, while one on bsdserver would be 10.10.12.77:17.
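The notations just described, as an added example that is not the book's code: a parser for "[IPv6]:port", "IPv4:port" and the dotted "IPv4.port" form, using Python's standard ipaddress module. It also shows why the brackets are needed: an unbracketed IPv6 string with ":80" appended is itself a valid IPv6 address, so the port cannot be told apart from the last address group.

```python
import ipaddress


def _port(text):
    """Validate a port string as a decimal number in the 16-bit range 0..65535."""
    if not text.isdigit():
        raise ValueError("port must be decimal digits: %r" % text)
    port = int(text)
    if port > 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_socket(text):
    """Return (address, port) for the socket notations described in the text."""
    s = text.strip()
    if s.startswith("["):                        # [IPv6]:port
        close = s.find("]")
        if close < 0 or s[close + 1:close + 2] != ":":
            raise ValueError("bracketed form must be [address]:port")
        return ipaddress.IPv6Address(s[1:close]), _port(s[close + 2:])
    if s.count(":") > 1:                         # bare IPv6 without brackets
        ipaddress.IPv6Address(s)                 # raises if it is not an address at all
        raise ValueError("unbracketed IPv6 socket is ambiguous: %r" % s)
    if ":" in s:                                 # IPv4:port
        host, _, port_s = s.rpartition(":")
    else:                                        # IPv4.port (dot as separator)
        parts = s.split(".")
        if len(parts) != 5:
            raise ValueError("dotted form needs four octets and a port")
        host, port_s = ".".join(parts[:4]), parts[4]
    return ipaddress.IPv4Address(host), _port(port_s)


def try_parse(text):
    """parse_socket, but returning None instead of raising on bad input."""
    try:
        return parse_socket(text)
    except ValueError:
        return None


def format_socket(addr, port):
    """Write a socket in bracketed (IPv6) or colon (IPv4) notation."""
    port = _port(str(port))
    if isinstance(addr, ipaddress.IPv6Address):
        return "[%s]:%d" % (addr, port)
    return "%s:%d" % (addr, port)


def is_ambiguous(text):
    """True when an unbracketed string is a complete IPv6 address, so a
    trailing ':80' has been swallowed as the final 16-bit group."""
    try:
        ipaddress.IPv6Address(text)
    except ValueError:
        return False
    return text.count(":") > 1


if __name__ == "__main__":
    for s in ["[FC00:490:f100:1000::1]:80", "10.10.12.166:17", "10.10.12.77.17",
              "FC00:490:f100:1000::1:80"]:
        print(s, "->", try_parse(s), "ambiguous:", is_ambiguous(s))
```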


https://www.sciencedirect.com/science/article/pii/B978012374541550016X

Configuring the Base of operations Organization

Graham Speake, in Eleventh Hour Linux+, 2010

TCP/IP Ports

There are a number of common networking ports that are used frequently. Ports 0 through 1023 are defined as well-known ports. Registered ports are from 1024 to 49151. The remainder of the ports from 49152 to 65535 can be used dynamically by applications. A brief description of these is as follows:

Port 20 and 21: FTP data and FTP control, respectively

Port 22: Remote login protocol secure shell (SSH)

Port 23: Telnet, used for accessing systems remotely but is not very secure

Port 25: Simple Mail Transfer Protocol (SMTP) used by e-mail servers

Port 53: DNS protocol

Port 80: Used for accessing Web servers

Port 110: The POP service or Post Office Protocol used by local e-mail clients to retrieve mail from servers

Port 123: NTP to synchronize time with remote time servers

Port 143: E-mail clients can use the Internet Message Access Protocol (IMAP) to retrieve mail from servers

Port 443: This is the Hypertext Transfer Protocol (HTTP) Secure that combines HTTP with a cryptographic protocol, which can be used for payment transactions and other secure transmission of information from Web pages.

Port 631: The Internet Printing Protocol (IPP) used to print to printers located remotely on the network

Port 3306: The standard port for MySQL

These ports are defined in the /etc/services file on Linux systems.


https://www.sciencedirect.com/science/article/pii/B9781597494977000074

Securing the Infrastructure

Lauren Collins, in Cyber Security and IT Infrastructure Protection, 2014

Ports and Protocols

Between the protocols User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), there are 65,535 ports available for communication between devices. Among this impressive number are three classes of ports:

1. Well-known ports: Range from 0–1,023

2. Registered ports: Range from 1,024–49,151

3. Dynamic/Private ports: Range from 49,152–65,535

Understandably, not all of the ports listed in those three categories are secure. As a result, reference Table 10.1, which enumerates the most commonly used ports and the service/protocol that utilizes the port.

Table 10.1. Well-Known Port Numbers and Their Respective Service Description and Protocol.

| Port | Service/Protocol |
|---|---|
| 7 | Echo/TCP & UDP |
| 9 | Systat/TCP & UDP |
| 15 | Netstat/TCP & UDP |
| 20 | FTP data transfer/TCP |
| 21 | FTP control/TCP |
| 22 | SSH/TCP |
| 23 | Telnet/TCP |
| 24 | Private mail/TCP & UDP |
| 25 | SMTP/TCP |
| 39 | RLP/TCP & UDP |
| 42 | ARPA/TCP & UDP |
| 42 | Windows Internet Name Service/TCP & UDP |
| 43 | WHOIS/TCP |
| 49 | TACACS/TCP & UDP |
| 53 | DNS/TCP & UDP |
| 69 | TFTP/UDP |
| 80 | HTTP/TCP |
| 88 | Kerberos/TCP & UDP |
| 101 | NIC hostname/TCP |
| 110 | POP3/TCP |
| 115 | SFTP/TCP |
| 119 | Network News Transfer Protocol/TCP |
| 123 | NTP/UDP |
| 143 | IMAP/TCP |
| 152 | Background File Transfer Protocol/TCP & UDP |
| 156 | SQL Service/TCP & UDP |
| 161 | SNMP/UDP |
| 162 | SNMPTRAP/TCP & UDP |
| 175 | VMNET/TCP |
| 179 | BGP/TCP |
| 220 | IMAP/TCP & UDP |
| 264 | Border Gateway Multicast Protocol/TCP & UDP |
| 280 | http-mgmt/TCP & UDP |
| 389 | LDAP/TCP & UDP |
| 443 | HTTPS/TCP |
| 500 | Internet Security Assoc and Key Mgmt (ISAKMP)/UDP |

Ideally, when architecting a system, one should plan out the intent for the environment and should only configure the services necessary for the network to pass traffic and for servers to perform their intended functions.

Table 10.1 reflects protocols that may be open by default, as well as some that are necessary for the intended purpose of the environment. When installing equipment in Section I, it is imperative that the engineer be aware of the ports that need to be open for each device or piece of software; if needed, these can be referenced in the device white paper. It is also essential to recognize the variation between the numerous types of attacks and the respective ports on which such attacks would be executed. It is necessary to monitor the ports that are open in an attempt to detect protocols that may leave the network vulnerable. Running netstat on a workstation will permit one to view the ports that are running and that are open. In addition, running a local port scan will also portray which ports are exposed.

Many protocols may still be used during an installation where system administrators and users are not aware, and those may leave the network vulnerable. Simple Network Management Protocol (SNMP) and Domain Naming Service (DNS) were deployed years ago, yet still present security risks. SNMP can be utilized for monitoring the health of network equipment, servers, and other peripheral equipment. However, susceptibilities associated with SNMP derive from use of SNMP v1. Although such vulnerabilities were raised years ago (nearly 10 years), exposures are still reported while utilizing the current version of SNMP. Liabilities allow for authentication evasion and execution of proprietary code when utilizing SNMP. The SNMP infrastructure has three components:

1. SNMP managed connections

2. SNMP instruments

3. SNMP network management servers

Where the devices are concerned, they load the agent, which in turn assembles data and forwards it to the management servers. Network management servers collect a substantial amount of significant network information and are perhaps targets of attacks due to their use of SNMP v1, which is not secure. A community name is a point of security; however, it may be similar to a password. Usually, the community name is public and is not secure, nor is it changed, thus permitting information to leak out to invasions. Conversely, SNMP v2 uses Message Digest Version 5 (MD5) for authentication. The transmission can also be encrypted. SNMP v3 is used across firms as the criteria; however, a number of devices are not compatible and are left to use SNMP v1 or SNMP v2.

SNMP assists malicious users to learn too much about a system, making password guesses easier. SNMP is often disregarded when checking for vulnerabilities due to the User Datagram Protocol (UDP) ports 161 and 162. Ensure network management servers are physically secured and secured on the network layer. Consider utilizing a segregated management subnet, protecting it by using a router with an access list. Unless the service is required, it should be shut off by default. In order to defend a network infrastructure from incidents aimed at obsolete or unfamiliar ports and/or protocols, remove any unnecessary protocols while creating access-control lists to allow traffic on defined ports. This eliminates the possibility of any obscure protocols being utilized, while minimizing the danger of an incident.
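The check the two paragraphs above call for (view the open ports with netstat, compare them with what the environment was planned to need), as an added example that is not from the chapter: it parses `netstat -tuln` style output, flags listeners outside a planned allow-list, names them from the Table 10.1 subset embedded below, and separates loopback-only binds from sockets reachable on all interfaces. The netstat lines and the PLANNED allow-list are constructed for the example.

```python
import ipaddress

# Service names for a subset of the ports in Table 10.1 above, keyed by (proto, port)
TABLE_10_1 = {
    ("tcp", 22): "SSH", ("tcp", 23): "Telnet", ("tcp", 25): "SMTP",
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("tcp", 389): "LDAP",
    ("tcp", 53): "DNS", ("udp", 53): "DNS", ("udp", 69): "TFTP",
    ("udp", 123): "NTP", ("udp", 161): "SNMP", ("udp", 162): "SNMPTRAP",
}

# Constructed sample of `netstat -tuln` output (not captured from a real host)
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# What this (hypothetical) host was planned to expose
PLANNED = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 123)}


def parse_listeners(text):
    """Return [(proto, bind_address, port)] for listening sockets in netstat -tuln output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue                                   # header / blank / other lines
        proto = fields[0][:3]                          # tcp6 -> tcp, udp6 -> udp
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue                                   # only listening TCP sockets count
        host, _, port = fields[3].rpartition(":")      # ':::80' -> ('::', '80')
        listeners.append((proto, host, int(port)))
    return listeners


def audit_listeners(listeners, allowed):
    """Findings for every listener not in the planned (proto, port) allow-list,
    exposed-to-all-interfaces first, then by port."""
    findings = []
    for proto, host, port in listeners:
        if (proto, port) in allowed:
            continue
        addr = ipaddress.ip_address(host)
        if addr.is_loopback:
            exposure = "loopback only"
        elif addr.is_unspecified:                      # 0.0.0.0 or :: bind
            exposure = "all interfaces"
        else:
            exposure = "interface " + host
        findings.append({
            "proto": proto,
            "port": port,
            "service": TABLE_10_1.get((proto, port), "unknown"),
            "exposure": exposure,
        })
    return sorted(findings, key=lambda f: (f["exposure"] == "loopback only", f["port"]))


if __name__ == "__main__":
    for f in audit_listeners(parse_listeners(SAMPLE_NETSTAT), PLANNED):
        print("%s/%d %-8s %s" % (f["proto"], f["port"], f["service"], f["exposure"]))
```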


https://www.sciencedirect.com/science/article/pii/B9780124166813000100

Layer 4: The Transport Layer

In Hack the Stack, 2006

Source and Destination Ports

Ports are ports. Irrespective of whether you are talking about TCP or UDP, a port number is a 16-bit binary integer that identifies a program currently executing on a given host. The range of possible values is 0 to 65,535; however, the value 0 is reserved and implies an unspecified source or destination (see Figure 5.1). As a practical matter you will usually see random or dynamic port numbers used on the client side of an exchange. Well-known and registered port numbers generally reflect the server side of the conversation (e.g., your Web browser connecting to a Web server). Web servers generally listen on port number 80. Your browser will probably use a random port number on the client side.

Random port numbers (sometimes called ephemeral port numbers) have values greater than 1024, which are assigned arbitrarily using TCP or UDP when the port used is not important. This is commonly the client side of a client-server exchange. When a client sends something to the server, the server replies to whatever port number initiated the communication.

Another way to handle this scenario is to assign a dynamic port number in the range of 49,152 through 65,535 (sometimes referred to as private port numbers). Values in this range are handed out by newer protocol stack implementations instead of the older random port numbers. The latter values can be easily confused with the registered values. Likewise, you might see values in this range used in Port Address Translation (PAT) schemes on the outbound side of the translation process.

Registered port numbers in the 1,025 through 49,151 range reflect network services provided by a particular hardware or software developer's products (e.g., the value 1,512 was registered by Microsoft for use by its NetBIOS Name Services implementation, commonly known as Windows Internet Name Services [WINS]). The Internet Assigned Numbers Authority (IANA) maintains this list of registered values as a service to the internetworking community. To see the details, go to their Web site at www.iana.org, follow the link to "Protocol Number Assignment Services," and find the port numbers in RFC 2780.

The well-known port numbers reflect system or network services that are normally active on a network host (e.g., port 25 for Simple Mail Transfer Protocol (SMTP) servers, port 53 for Domain Name Services (DNS) servers, and port 22 for Secure Shell (SSH)).

Understanding these port numbers is very important from a hacking perspective. When trying to form a TCP connection with a well-known port number, we can ascertain whether the associated network service is active on the host being probed.


https://www.sciencedirect.com/science/article/pii/B9781597491099500095

Network Forensics

Chet Hosmer, in Python Forensics, 2014

Network investigation basics

Investigating modern network environments can be fraught with difficulties. This is true whether you are responding to a breach, investigating insider activities, performing vulnerability assessments, monitoring network traffic, or validating regulatory compliance.

Many professional tools and technologies exist from major vendors like McAfee, Symantec, IBM, Saint, Tenable, and many others. However, a deep understanding of what they do, how they do it, and whether the investigative value is complete can be somewhat of a mystery. There are also free tools like Wireshark that perform network packet capture and analysis.

In order to uncloak some of the underpinnings of these technologies, I will examine the basics of network investigation methods. I will be leveraging the Python Standard Library, along with a couple of third-party libraries, to accomplish the cookbook examples. I will be walking through the examples in considerable detail, so if this is your first interaction with network programming you will have sufficient detail to expand upon the examples.

What are these sockets?

When interacting with a network, sockets are the fundamental building block allowing us to leverage the underlying operating system capabilities to interface with the network. Sockets provide an information channel for communicating between network endpoints, for example, between a client and server. You can think about sockets as the endpoint of the connection between a client and a server. Applications developed in languages like Python, Java, C++, and C# interface with network sockets utilizing an application programming interface (API). The sockets API on most systems today is based upon Berkeley sockets. Berkeley sockets were originally provided with UNIX BSD Version 4.2 back in 1983. Later, around 1990, Berkeley released a license-free version that is the basis of today's socket API across most operating systems (Linux, Mac OS, and Windows). This standardization provides consistency in implementation across platforms.

Figure 8.1 depicts a sample network where multiple hosts (endpoints) are connected to a network hub. Each host has a unique Internet Protocol (IP) address, and for this simple network we see that each host has a unique IP address.

Figure 8.1. Simplest local area network.

These IP addresses are the most common that you will see in a local area network setting. These specific addresses are based on the Internet Protocol Version 4 (IPv4) standard and represent a Class C network address. The Class C address is usually written in a dotted notation such as 192.168.0.1. Breaking the address down into its component parts, the first three octets or the first 24 bits are considered the network address (aka the Network Identifier, or NETID). The fourth and final octet or 8 bits are considered the Local Host Address (aka the Host Identifier, or HOSTID).

In this example each host, network device, router, firewall, etc., on the local network would have the same network address portion of the IP address (192.168.0), but each will have a unique host address ranging from 0 to 255. This allows for 256 unique IP addresses within the local environment. Thus the range would be: 192.168.0.0-192.168.0.255. However, only 254 addresses are usable; this is because 192.168.0.0 is the network address and cannot be assigned to a local host, and 192.168.0.255 is dedicated as the broadcast address.

Based on this, I could use a few simple built-in Python language capabilities to create a list of IP addresses that represent the complete range. These language capabilities include a String, a List, the range function, and a "for loop."

```python
# Specify the Base Network Address (the first 3 octets)
ipBase = '192.168.0.'

# Next create an empty List that will hold the completed
# list of IP addresses
ipList = []

# Finally, loop through the possible list of local host
# addresses 0-255 using the range function,
# then append each complete address to the ipList.
# Notice that I use the str(ip) function in order to
# concatenate the string ipBase with the numbers 0-255
for ip in range(0, 256):
    ipList.append(ipBase + str(ip))
    print(ipList.pop())
```

Program Output Abbreviated

```text
192.168.0.0
192.168.0.1
192.168.0.2
192.168.0.3
..... skipped items
192.168.0.252
192.168.0.253
192.168.0.254
192.168.0.255
```

As you can see, manipulating IP addresses with standard Python language elements is straightforward. I will employ this technique in the Ping Sweep section later in this chapter.

The simplest network client server connect using sockets

As a way of an introduction to the sockets API provided by Python, I will create a simple network server and client. To do this I will use the same host (in other words, the client and server will use the same IP address, executing on the same machine); I will specifically use the special purpose and reserved localhost loopback IP address 127.0.0.1. This standard loopback IP is the same on virtually all systems, and any messages sent to 127.0.0.1 never reach the outside world, and instead are automatically returned to the localhost. As you begin to experiment with network programming, use 127.0.0.1 as your IP address of choice until you perfect your code and are ready to operate on a real network (Figure 8.2).

Figure 8.2. Isolated localhost loopback.

In order to achieve this, I will actually create two Python programs: (1) server.py and (2) client.py. In order to make this work, the two applications must agree on a port that will be used to support the communication channel. (We already have decided to use the localhost loopback IP address 127.0.0.1.) Port numbers range between 0 and 65,535 (basically, any unsigned 16-bit integer value). You should stay away from lower numbered ports < 1024 as they are assigned to standard network services (actually the registered ports now range as high as 49,500 but none of those are on my current system). For this application I will use port 5555 as it is easy to remember. Now that I have defined the IP address and port number, I have all the information that I need to make a connection.

IP Address and Port: One way to think about this in more physical terms: think of the IP address as the street address of a post office and the port as the specific post-office box inside the post office that I wish to address.

server.py code

#
# Server Objective
# 1) Setup a simple listening socket
# 2) Wait for a connection request
# 3) Accept a connection on port 5555
# 4) Upon a successful connection send a message to the client
#

import socket   # Standard Library Socket Module

# Create Socket (defaults to an IPv4 TCP stream socket)
myServerSocket = socket.socket()

# Get my local host address
# ('127.0.0.1' can be used here instead to stay on the loopback interface)
localHost = socket.gethostname()

# Specify a local Port to accept connections on
localPort = 5555

# Bind myServerSocket to localHost and the specified Port
# Note the bind call requires one parameter, but that
# parameter is a tuple (observe the parenthesis usage)
myServerSocket.bind((localHost, localPort))

# Begin listening for connections
myServerSocket.listen(1)

# Wait for a connection request
# Note this is a synchronous call,
# meaning the program will halt until
# a connection is received.
# Once a connection is received
# we will accept the connection and obtain the
# ipAddress of the connector
print('Python-Forensics .... Waiting for Connection Request')

conn, clientInfo = myServerSocket.accept()

# Print a message to indicate we have received a connection
print('Connection Received From: ', clientInfo)

# Send a message to the connector using the connection object 'conn'
# that was returned from the myServerSocket.accept() call
# Include the client IP Address and Port used in the response
# (sockets send bytes, so the string is encoded first)
conn.send(('Connection Confirmed: ' + 'IP: ' + clientInfo[0] + ' Port: ' + str(clientInfo[1])).encode())

# Close the connection and the listening socket
conn.close()
myServerSocket.close()

client.py code

Next, the client code that will make a connection to the server.

#
# Client Objective
# 1) Setup a client socket
# 2) Attempt a connection to the server on port 5555
# 3) Wait for a reply
# 4) Print out the message received from the server
#

import socket   # Standard Library Socket Module

MAX_BUFFER = 1024   # Set the maximum size to receive

# Create a Socket
myClientSocket = socket.socket()

# Get my local host address (must match the address the server bound to)
localHost = socket.gethostname()

# Specify the Port to attempt a connection to
localPort = 5555

# Attempt a connection to my localHost and localPort
myClientSocket.connect((localHost, localPort))

# Wait for a reply
# This is a synchronous call, meaning
# that the program will halt until a response is received
# or the program is terminated
msg = myClientSocket.recv(MAX_BUFFER)

# recv returns bytes; decode before printing
print(msg.decode())

# Close the Socket, this will terminate the connection
myClientSocket.close()

server.py and client.py program execution

Figure 8.3 depicts the program execution. I created two terminal windows; the top is the execution of server.py (which I started first) and the bottom is the execution of client.py. Notice that the client communicated from the source port 59,714; this was chosen by the socket service and not specified in the client code. The server port 5555 in this example is the destination port.

Figure 8.3. server.py/client.py program execution.

I realize this does not provide any investigative value; however, it does provide a good foundational understanding of how network sockets function, and this is a prerequisite to understanding some of the probative or investigative programs.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780124186767000086

What You DON'T Know About Your Network

Chet Hosmer , in Python Passive Network Mapping, 2015

What Open Ports or Services Don't You Know About?

As was recently seen with the OpenSSL 'Heartbleed' (CVE-2014-0160) and Shellshock (CVE-2014-6271) vulnerabilities, the ability to know what services are operating and on what systems is quite useful. Once again we could use tools like NMAP to discover open ports (at least during the snapshot) with the previously discussed risks. Standard network ports are assigned by the Internet Assigned Numbers Authority (IANA) via the Service Name and Transport Protocol Port Number Registry. Generally (as there is debate) an agreed upon port classification is as follows:

Service Ports: 1-1023 are considered well-known ports that represent services that most of us agree to abide by.

Service Ports: 1024 to 49151 are recognized as registered ports. They are assigned by IANA upon application and approval.

Service Ports: 49152–65535 are considered Dynamic, Private or Ephemeral (i.e., lasting for a short time or transient). For example, ports in this range are commonly used by clients making a connection to a server.

One way to leverage this knowledge, of course, is to detect traffic originating from, or going to, one of these defined ports. By doing so we can deduce services that are running on these hosts and the clients that are utilizing them.

In addition to the "agreed upon" port definitions above, organizations such as the SANS Internet Storm Center have created lists of known malicious ports. For instance, one compiled list contains default ports utilized by Trojans. Therefore, if you find that one of these ports is being probed, it may possibly indicate that someone is attempting to communicate with a Trojan that is running on your network. Thus mapping both the request, and potentially the response, to one or more of these ports would be useful in mapping as well.

How is This Useful?

Based on the simple capture443.py script I presented earlier in this chapter, along with the results shown, we could deduce the following:

Local client 192.168.0.13 has made a secure web page connection to the following servers:

199.16.156.201, 23.73.162.234, 66.153.250.229, 66.153.250.234, 66.153.250.238, 66.153.250.241, 74.125.137.132, 74.125.137.154, 74.125.196.99, 74.125.230.127

This deduction was made based on the following facts:

1. IP address 192.168.0.13 is in a Class C private address block. According to RFC 1918, any Class C address in the range 192.168.0.0-192.168.255.255 (which can also be denoted 192.168.0.0/16) should be considered private and non-routable. This means that I cannot directly address any Class C address within that range unless I'm connected to that very same Class C physical network.

2. Each of the other IP addresses can be geographically located. For example, address 199.16.156.201 is located in the Mountain View, California area. The IP addresses beginning 66.153.25 are located in South Carolina. Each of these IP addresses communicated with the client over service port 443, which by default is the HTTP protocol running over a secure TLS or SSL connection.

In addition, I could infer that client 192.168.0.13 performed a web search that provided a link to the other servers identified. I can make this inference because the IP addresses 74.125.137.x belong to Google, and it is likely that client 192.168.0.13 performed the suggested search using Google.

Deductive vs Inductive Reasoning

Deductive reasoning is based on the premise that if the predicates are true, and the logic is sound, the conclusion must be valid.

The classic example is:

"All men are mortal"

"Socrates was a man"

Therefore: Socrates was mortal

Inductive reasoning, on the other hand, seeks a probable or likely explanation. A classic example of an inductive argument is:

"All politicians I have met are deceitful"

"I have simply met David and he is a politician"

Therefore: David must be deceitful

Much like the inductive argument that was made:

"IP 192.168.0.13 connected to Google"

"Google is the search engine that provides links to other web sites"

Therefore: the subsequent server IP addresses must have come from Google

In both of these cases the conclusion is probable; still, unlike with deductive arguments, other possible conclusions exist.

In order to perform Passive Network Mapping we will be using both deductive and inductive methods throughout the process. The quality of our arguments, premises, observations and logic will determine how accurate our results will be. Based on that, it will be important to craft these arguments and observations such that they can be improved with time.

Note: Active Network Mapping also uses both methods, particularly during the process of OS Fingerprinting.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128027219000028

Security Standards and Services

Naomi J. Alpern , Robert J. Shimonski , in Eleventh Hour Network+, 2010

Firewalls

A firewall blocks access to an internal network from outside and blocks users of the internal network from accessing potentially unsafe external networks or ports. There are three distinct firewall technologies:

Packet filtering A network layer firewall or packet-filtering firewall works at the network layer of the Open Systems Interconnection (OSI) model and can be configured to deny or allow access to specific ports or Internet Protocol (IP) addresses. It is designed to operate rapidly by either allowing or denying packets simply based on source and destination IP address and port information. This is the simplest and fastest form of traffic-filtering firewall technology.

It works in two directions: to keep intruders at bay and to restrict access to the external network from internal users.

Two distinct firewall base policies are as follows:

Allow by default – it allows all traffic to pass through the firewall except traffic that is specifically denied.

Deny by default – it blocks all traffic from passing through the firewall except for traffic that is explicitly immune.

Ports 0 through 1023 are considered well-known ports. These ports are used for specific network services and should be considered the only ports allowed to transmit traffic through a firewall.

Ports outside the range of 0 through 1023 are either registered ports or dynamic/private ports.

User ports range from 1024 to 49,151.

Dynamic/private ports range from 49,152 to 65,535.

Since only the header of a packet is examined, a packet-filtering firewall is fast.

There are two major drawbacks to packet filtering:

A port is either open or closed.

It does not understand the contents of any packet beyond the header.
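As an added example (not from the Network+ text) of the two base policies and of a packet filter deciding on header fields alone, the following Python evaluates constructed rules against constructed packets; the rule format, the network addresses and the ports are assumptions of the example.

```python
import ipaddress

WELL_KNOWN_MAX = 1023   # the text's well-known range is 0 through 1023

def rule(action, proto=None, src=None, dst=None, dport=None):
    """A rule matches on protocol, source/destination network and destination port.
    None means wildcard; dport may be a single port or an (lo, hi) range."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def matches(r, pkt):
    """Header-only comparison: nothing beyond IPs, protocol and port is consulted."""
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        if r[key] and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(r[key]):
            return False
    if r["dport"] is not None:
        lo, hi = r["dport"] if isinstance(r["dport"], tuple) else (r["dport"], r["dport"])
        if not lo <= pkt["dport"] <= hi:
            return False
    return True

def filter_packet(rules, pkt, base_policy):
    """First matching rule decides; otherwise the base policy ('allow' or 'deny') applies."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return base_policy

# Deny by default: only well-known ports on the (constructed) DMZ network are explicitly allowed.
DENY_BY_DEFAULT = ("deny", [rule("allow", "tcp", dst="203.0.113.0/24", dport=(0, WELL_KNOWN_MAX))])
# Allow by default: everything passes except the explicitly denied telnet port.
ALLOW_BY_DEFAULT = ("allow", [rule("deny", "tcp", dport=23)])

def decide(policy, pkt):
    base, rules = policy
    return filter_packet(rules, pkt, base)

# Constructed sample packets (documentation address ranges, not real hosts)
HTTPS = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443}
RDP = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 3389}
TELNET = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 23}
```

Note that under the deny-by-default ruleset telnet (port 23) passes simply because it falls in the well-known range: the filter sees only a port number, not what the service does.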

Stateful inspection Stateful inspection operates at the network and the transport layers of the OSI model, but it has the ability to monitor state information regarding a connection. In effect, when a connection is established between two hosts, the firewall will initially determine if the connection is allowable based on a set of rules about source and destination ports and IP addresses. Once the connection is deemed to be acceptable, the firewall remembers this. Therefore, subsequent traffic can be examined as either permissible or not within the context of the entire session. It then functions by checking each packet to verify that it is an expected response to a current communications session.

Application-layer gateways These are also called application-layer gateway devices or application filtering. Application-layer gateways are more advanced than packet filtering, operate at the application layer of the OSI model, and examine the entire packet to determine what should be done with the packet based on specific defined rules. They use complex rules to determine the validity of any given packet, and part of analyzing each packet includes verifying that it contains the right type of information for the specific application it is attempting to communicate with.

The drawbacks to application-layer gateway technology are as follows:

Application-layer gateways are much slower than packet filters.

A limited set of application rules are predefined, and any application not included in the predefined list must have custom rules defined and loaded into the firewall.

Application-layer gateways must then rebuild packets from the top down and send them back out. This breaks the concept behind the client/server architecture and slows the firewall down even further.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597494281000084

Network Forensics

Chet Hosmer , in Python Forensics, 2014

Python Silent Network Mapping Tool (PSNMT)

Now that we have the basics for sniffing a network packet, I need to parse the data and extract the information I need. For this case, I am not interested in collecting packets and merely printing the results; rather I want to achieve the following objectives:

(1) Collect IP addresses that are active on the network I am monitoring. (I plan to leave the monitor in place for a long period of time to capture network devices that only turn on periodically or sporadically.)

(2) Collect IP addresses of remote computers that are interacting with my local network. These could be web, mail, or a plethora of Cloud services.

(3) Collect service ports being used by local and/or remote computers. Specifically, I am interested in "Well Defined Ports": 0-1023 or "Registered Ports": 1024-49151.

(4) Next I wish to report only unique entries. In other words, if the local host 192.168.0.5 is discovered and is found to be using host port 80, I just want to see that unique entry once, not each time it is discovered.

(5) Finally, to limit the scope of the program, I want to collect only TCP or UDP packets within an IPv4 environment. The program can be easily expanded to handle other protocols and IPv6 in the future.

In order to meet the requirements stated above I only need to extract the following fields from the headers:

(1) Protocol

(2) Source IP address

(3) Destination IP address

(4) Source port

(5) Destination port

Examining Figures 9.4 and 9.5, the Protocol field, along with the Source and Destination IP addresses, exists in the IPv4 header, while the Source and Destination ports are in the TCP header. This means I will have to parse out both headers to obtain the needed information. I have also included Figure 9.6, which depicts the UDP header, which I also use to handle UDP packet extraction.

Figure 9.6. Typical UDP packet header.

There are several technical issues that need to be addressed along with the high level requirements:

(1) What type of data element should I use to store the information collected?

a. I am going to use a simple list to hold the data collected from the packets and append data to the list for each packet received.

  ipObservations = []

(2) Since the socket.recvfrom() method is synchronous, how will I signal when to terminate collection, and how will I limit the time of the collection activities?

a. I am going to use the Python Standard Library signal module and integrate this into the collection loop. I set this up by first creating a class myTimeout that will be raised by a handler when a specified time has expired. I then integrate the myTimeout exception into the try/except handler of the receive packet loop.

import signal

class myTimeout(Exception):
    pass

def handler(signum, frame):
    print('timeout received', signum)
    raise myTimeout()

# Set the signal handler (SIGALRM is available on Unix-like systems)
signal.signal(signal.SIGALRM, handler)

# set the signal to expire in n seconds
signal.alarm(n)

# mySocket (the raw socket) and decoder (the packet extractor)
# are created earlier in the chapter
try:
    while True:
        recvBuffer, addr = mySocket.recvfrom(65535)
        src, dst = decoder.PacketExtractor(recvBuffer, False)
        sourceIPObservations.append(src)
        destinationIPObservations.append(dst)
except myTimeout:
    pass

(3) How will I create only unique entries?

a. The code above will record every pair of source IP/Port and destination IP/Port, with the result being an unsorted list that will contain duplicate entries. To solve this problem, once the collection is complete, I will use a little knowledge of Python data types. Once collection is completed (for the entire time frame), I first convert the list into a set; this will immediately collapse any duplicates (as this is a fundamental property of sets). Then I will convert the set back to a list and sort the list.

uniqueSrc = set(map(tuple, ipObservations))
finalList = list(uniqueSrc)
finalList.sort()

(4) How should I output the results?

a. In order to provide a workable list, the program will generate a comma-separated value (CSV) file that can then be further processed or examined in a worksheet.
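As an added example (not the book's PSNMT code), the following Python ties together the IANA port ranges listed in the "What Open Ports or Services Don't You Know About?" excerpt above and the PSNMT requirements here: it parses raw IPv4 plus TCP/UDP headers with struct, keeps the five fields listed, collapses duplicates with a set, and renders CSV. The packet builder, every address and every port are constructed for the example.

```python
import csv
import io
import socket
import struct

def port_class(port):
    """IANA range name for a port (ranges as given in the earlier excerpt)."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def extract_fields(packet):
    """Return (proto, srcIP, dstIP, srcPort, dstPort), or None if not IPv4 TCP/UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4        # IPv4 header length in bytes
    proto = packet[9]
    if proto not in (6, 17) or len(packet) < ihl + 4:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    # Source and destination ports are the first two 16-bit fields of both TCP and UDP
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return ("TCP" if proto == 6 else "UDP", src, dst, sport, dport)

def build_packet(proto, src, dst, sport, dport):
    """Constructed minimal IPv4 header (20 bytes) plus an 8-byte layer-4 header stub."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + struct.pack("!HHHH", sport, dport, 0, 0)

def unique_sorted(packets):
    """Collect the five fields per packet, then collapse duplicates with a set and sort."""
    observations = [f for f in map(extract_fields, packets) if f]
    return sorted(set(observations))

def to_csv(rows):
    """Render the unique observations as CSV text, labelling each port's IANA range."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["proto", "src", "dst", "sport", "dport", "sport_class", "dport_class"])
    for proto, src, dst, sp, dp in rows:
        writer.writerow([proto, src, dst, sp, dp, port_class(sp), port_class(dp)])
    return buf.getvalue()

# Constructed sample traffic: a repeated HTTPS connection (duplicate), a DNS query, an ICMP packet
SAMPLE = [
    build_packet(6, "192.168.0.13", "74.125.137.132", 59714, 443),
    build_packet(6, "192.168.0.13", "74.125.137.132", 59714, 443),
    build_packet(17, "192.168.0.13", "192.168.0.1", 5555, 53),
    build_packet(1, "192.168.0.13", "192.168.0.1", 0, 0),   # ICMP: skipped by the filter
]
```

Calling to_csv(unique_sorted(SAMPLE)) yields two rows, the duplicate HTTPS observation collapsed and the ICMP packet dropped, with the ephemeral source port and the well-known destination port labelled accordingly.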

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780124186767000098