Ports + Protocols

Question 1

What ports does FTP use and what is it for?

Answer 1

20 (active mode) and 21 (control) - File Transfer Protocol is a generic way to transfer files between systems.

FTP authenticates with a username and password. It’s fully featured functionality allows you to list,add,delete files as you choose.

FTP isn’t secure - SFTP is because it uses SSH tcp/22 to encrypt files in transit.

Question 2

What protocol uses port tcp/22 and what does it do?

Answer 2

SSH - Secure Shell - is an encrypted way of communicating to a remote device from a console. E.g. SSH into a firewall device.

tcp/22 is also used for SFTP - Secure File Transfer Protocol via SSH encryption.

Question 3

What port does SFTP use and what is it for?

Answer 3

SECURE File Transfer Protocol is used to securely transfer files with encryption via SSH tcp/22.

Question 4

What port is Telnet and what’s the problem with it?

Answer 4

Telnet udp/23 is a way of accessing remote devices but the connection is “in the clear”/unencrypted/unsecure.

Question 5

What protocol uses port tcp/587?

Answer 5

SMTP with TLS encryption uses port tcp/587 to SEND MAIL.

Simple Mail Transfer Protocol - server to server and client to server email transfers.

Question 6

What are the FOUR ports you can use to receive/retrieve emails from the server onto a client device?

Answer 6

tcp/143 - IMAP
tcp/993 - IMAPS (Secure)

tcp/110 - POP3
tcp/995 - POP3S (Secure)

Question 7

What ports does DNS use?

Answer 7

udp/53 or tcp/53 (for large transfers of one DNS server to another) - converts names to IP addresses

Question 8

What ports does DHCP use?

Answer 8

udp/67 udp/68 are used for DHCP - Dynamic Host Control Protocol - automatic assignment of IP addresses/subnet masks from a pool with a lease time that renews at T1 (50%) and T2 (88%) of the lease time. If DHCP server can’t be contacted at either of those times then the device sends out for a new IP address across the network.

You can assign DHCP reservation to certain devices using their MAC address so that they always have the same IP address assigned to them.

Question 9

TFTP port?

Answer 9

udp/69 ;) Trivial File Transfer Protocol - used for simple unsecure small file transfer like config. files at high speed.

Question 10

What are the two main web server communicating ports and protocols?

Answer 10

HTTP tcp/80 - web server communication.
HTTPS tcp/443 - encrypted web server communication.

Question 11

What port/protocol manages time syncing across devices?

Answer 11

NTP udp/123 Network Time Protocol - precisely (within 1ms) syncs up the time across devices on a network. This is crucial for authentication information, usually happens a few times a day (the syncing)

Question 12

What ports does SNMP use?

Answer 12

udp161 for network device statistics and udp162 for traps/alerts - trigger when a statistic hits a pre-defined threshold.

Question 13

Which version of SNMP udp/161 uses Authentication and Encryption to send network statistics securely?

Answer 13

Version 3 of SNMP udp/161 uses encryption, authentication and message integrity checks to keep network statistics safe.

V3 uses Encrypted Community Strings (login required to access SNMP caches on net devices)

Question 14

What protocol uses port tcp/389 and what does it do?

Answer 14

LDAP tcp/389 - Lightweight Directory Access Protocol - stores/accesses/retrieves data from a network directory (e.g. Active Directory on Windows).

Question 15

What port does LDAPS use?

Answer 15

tcp/636 is used by LDAPS - Lightweight Directory Access Protocol Secure - LDAP encrypted over SSL encryption.

Question 16

What port does SMB/CIFS use and what for?

Answer 16

Server Message Block/Common Internet File System - uses tcp/445 (NetBIOS-less) to share files/printers across Windows operating systems.

Question 17

What is a SIEM?

Answer 17

Security Information and Event Manager (SIEM) is a server that consolidates syslog files received across the network via port udp/514 syslog.

They need a lot of disk space!

Question 18

What port is commonly used to transfer syslog files across a network?

Answer 18

udp/514 SYSLOG - generally syslog files are sent to a SIEM for centralised consolidation and management.

Question 19

What port does Microsoft SQL use?

Answer 19

tcp/1433 - Structured Query Language (SQL) is sent via tcp/1433 for Microsoft Servers (MS-SQL).

Question 20

What is port tcp/3389 associated with?

Answer 20

RDP - tcp/3389.

Question 21

What’s ICMP?

Answer 21

Internet Control Message Protocol (ICMP) - send and receive requests to devices on the network to check they are connected and functional.

When TTL=0 an ICMP message “time exceeded” is sent to the source to let them know.

E.g. ping cmd uses ICMP.

Question 22

What is GRE? Does it have encryption by default?

Answer 22

Generic Routing Encapsulation (GRE) is the tunnel created between two endpoints that makes them appear as directly connected to each other.

No inherent/built-in encryption so should use a VPN concentrator (software or hardware) to encrypt and decrypt traffic at either end of the GRE tunnel via an encryption protocol such as IPSec.

Question 23

What is IPSec?

Answer 23

A standardised group/suite of Network (layer 3) protocols: Core protocols are Authentication Header (AH) and Encapsulation Security Payload (ESP)

Question 24

What is a Security Association?

Answer 24

SA - Security Association/Agreement - An agreement on what encryption/decryption keys are to be used between two endpoints when forming a tunnel. (The key isn’t sent across the network). This is called an Internet Key Exchange (IKE).

Question 25

What ports does the DORA process use and what is it for?

Answer 25

udp67/68 are used for the DORA process which is the four step setup process for DHCP for a new device connecting to a network.

Question 26

What are the four DORA steps in DHCP initialisation when a new device joins a network?

Answer 26

D=Discover - the new device sends out a broadcast to all devices on the subnet. O=Offer - all DHCP servers that receive the broadcast will offer an IP address back to the device. R=Request/accept - the device selects one of the offered IP addresses and responds to the DHCP server that offered it saying it wants to use it. A=Acknowledgement - the DHCP sends confirmation back to the device saying its received the Request to use it's IP address and sends any other relevant IP information along with the Acknowledgement of request.

Question 27

What router functionality/feature allows DHCP broadcasts to extend past the local subnet the new device is on? (e.g. can broadcast to other DHCP servers distributed around the network or centralised instead of just being able to reach the router in the current subnet)

Answer 27

DHCP relay = is the feature that allows DHCP broadcasts past the local subnet to reach other DHCP servers (e.g. for redundancy). DHCP relay works by the router changing the destination broadcast address on the packet to the address of a DHCP server on its network and changes the source address to that of the router running the DHCP relay - in this way it becomes a middle man in the communication.

Question 28

What are DHCP options?

Answer 28

DHCP Options are special fields/vendor extensions within DHCP messages (254 set usable options provided they are supported by the DHCP server) that contain more information for devices such as: -subnet mask -HTTP proxy -DNS Server - streamlines DNS lookups -Static Route Option -Domain Name for the network This reduces the need for manual input and therefore manual input errors, DHCP options are configured on the DHCP server.

Question 29

What port do NTP servers listen on for updated time requests from devices on their network?

Answer 29

udp/123 is the port NTP servers listen on.

Question 30

What is PTP/Precision Time Protocol?

Answer 30

PTP - Precision Time Protocol = is a very precise (to the nanosecond/1 billionth of a second precision) specialised hardware-based time protocol used in financial trading and other areas that need very precise timings.

Question 31

What is the purpose of a VPN?

Answer 31

VPN = Virtual Private Network is a way of encrypting data sent across a public network for security.

Question 32

What is a Clientless VPN?

Answer 32

An in-browser VPN using HTML5 to support a web cryptography API, thus eliminating the need to install any client software. However, it's generally limited to web based applications only.

Question 33

What's the difference between full and split tunnel vpn?

Answer 33

Full tunnel VPN configuration is where ALL traffic is sent through the tunnel/is encrypted across public network. Split tunnel config. has VPN traffic going through the tunnel securely but non-VPN traffic being sent normally. E.g. important info sent securely through the tunnel to your site but your funny gifs send separately directly to facebook servers (not routed via your site first).

Question 34

What is the port for SMB protocol and what is it for?

Answer 34

SMB - Server Message Block protocol runs on port tcp/445 (netbios-LESS) and is used for file sharing/printing services on Windows systems.

Question 35

What port does Syslog use and what is its function?

Answer 35

Syslog uses port tcp or udp 514 for network message logging, e.g. -error messages -startup/shutdown messages -system messages Syslog 514 is crucial for troubleshooting and security auditing/examining.

Question 36

What protocol uses port tcp1433?

Answer 36

tcp1433 is used by SQL - Structured Query Language which communicates to and from SQL servers/databases (RDBMS).

Question 37

What does Session Initiation Protocol (SIP) manage?

Answer 37

SIP manages the initiation and maintaining/modifying/terminating of real-time sessions such as VOIP. SIP runs on 5060 (unsecure) and 5061 (secured with TLS)

Question 38

What is ICMP?

Answer 38

ICMP - Internet Control Message Protocol is a way of sending diagnostic/control messages between network devices to establish that they are reachable (e.g. ping command uses ICMP). It helps in troubleshooting network issues by running directly on top of IP with connection statistics/data such as TTL, packet information etc.

Question 39

What tunnelling protocol do VPN's commonly use?

Answer 39

VPN's use GRE (Generic Routing Encapsulation) protocol commonly that encapsulates a large variety of network layer protocol packet types such as IPv4 packets, multicast traffic packets (EIGRP, OSPF).

Question 40

What is GRE?

Answer 40

GRE (Generic Routing Encapsulation) is a TUNNELLING protocol commonly that encapsulates a large variety of network layer protocol packet types such as IPv4 packets, multicast traffic packets (EIGRP, OSPF) GRE creates a virtual point-to-point (VPN basically) over an IP network. GRE encapsulates and transports data across an IP network.

Question 41

What is IPSec?

Answer 41

IPSec (IP network communication Security) is a suite of protocols/rules to allow for secure communication over IP networks. IPSec ensures: -data confidentiality -data integrity (hasn't been tampered with en route etc) -data authentication (from a legitimate/trusted source)

Question 42

What are the two modes of IPSec?

Answer 42

IPSec has two modes of operation: Transport Mode - encrypts the data/payload only of each packet - used for point-to-point communication e.g. server to client. Tunnel Mode - encapsulates and encrypts both the data/payload and header inside a new IP packet. This is used for VPN connections e.g. site to site. You have to control all the routers between them otherwise the packet gets lost/destroyed as IP header is encrypted (because IP addresses are encrypted as well so if packet arrives at a router that can't decrypt it then it gets stuck/destroyed).

Question 43

What do AH and ESP (IPSec protocols) do?

Answer 43

AH - Authentication Header = provides data integrity and authentication for IP packets. ESP - Encapsulating Security Payload = encrypts data and provides data integrity and authentication. So ESP is better and generally used more but both can be used together. Both AH and ESP protocols are configured when setting up Network devices. AH provides authentication but NO encryption.

Question 44

What does a DHCP relay do?

Answer 44

DHCP relay forwards client DHCP requests (broadcasts) from their local subnet to another subnet to find a DHCP server and get assigned an IP and other configuration settings (like subnet mask, default gateway, etc) needed to get the device connected to the internet.

Question 45

What protocol is more precise for network time synchronisation NTP or PTP?

Answer 45

PTP (Precision Time Protocol) udp/319 is a lot more precise (sub-microsecond) than NTP (Network Time Protocol udp/123)

Question 46

What are the default ports for File Transfer Protocol (FTP)?

Answer 46

Ports 20/21 FTP uses port 21 for command/control and port 20 for data transfer.

Question 47

What is the default port for Secure File Transfer Protocol (SFTP)?

Answer 47

Port 22 SFTP, which is SSH-based, uses port 22 for secure file transfer.

Question 48

What is the default port for Secure Shell (SSH)?

Answer 48

SSH uses port 22 for secure, encrypted remote access to systems.

Question 49

What is the default port for Telnet?

Answer 49

Port 23 Telnet uses port 23 for unencrypted communication, typically for remote access to systems.

Question 50

What is the default port for Simple Mail Transfer Protocol (SMTP)?

Answer 50

Port 25 SMTP uses port 25 for sending email between mail servers.

Question 51

What is the default port for Domain Name System (DNS)?

Answer 51

Port 53 DNS uses port 53 for resolving domain names to IP addresses.

Question 52

What are the default ports for Dynamic Host Configuration Protocol (DHCP)?

Answer 52

Ports 67/68 DHCP uses port 67 for server-side communication and port 68 for client-side communication.

Question 53

What is the default port for Trivial File Transfer Protocol (TFTP)?

Answer 53

Port 69 TFTP uses port 69 for simple file transfers, often in environments like routers or switches.

Question 54

What is the default port for Hypertext Transfer Protocol (HTTP)?

Answer 54

Port 80 HTTP uses port 80 for unencrypted web traffic.

Question 55

What is the default port for Network Time Protocol (NTP)?

Answer 55

Port 123 NTP uses port 123 for time synchronization across devices.

Question 56

What are the default ports for Simple Network Management Protocol (SNMP)?

Answer 56

Ports 161/162 SNMP uses port 161 for data requests and port 162 for receiving traps (notifications/alerts).

Question 57

What is the default port for Lightweight Directory Access Protocol (LDAP)?

Answer 57

Port 389 LDAP uses port 389 for accessing directory services over a network.

Question 58

What is the default port for Hypertext Transfer Protocol Secure (HTTPS)?

Answer 58

Port 443 HTTPS uses port 443 for secure web traffic (encrypted HTTP).

Question 59

What is the default port for Server Message Block (SMB)?

Answer 59

Port 445 SMB uses port 445 for file and printer sharing on Windows networks.

Question 60

What is the default port for Syslog?

Answer 60

Port 514 Syslog uses port 514 for sending system log messages.

Question 61

What is the default port for Simple Mail Transfer Protocol Secure (SMTPS)?

Answer 61

Port 587 SMTPS uses port 587 for sending email securely, usually with STARTTLS.

Question 62

What is the default port for Lightweight Directory Access Protocol over SSL (LDAPS)?

Answer 62

Port 636 LDAPS uses port 636 for secure LDAP communications over SSL/TLS.

Question 63

What is the default port for Structured Query Language (SQL) Server?

Answer 63

Port 1433 SQL Server uses port 1433 for database connections.

Question 64

What is the default port for Remote Desktop Protocol (RDP)?

Answer 64

Port 3389 RDP uses port 3389 for remote desktop access to Windows systems.

Question 65

What are the default ports for Session Initiation Protocol (SIP)?

Answer 65

Ports 5060/5061 SIP uses port 5060 for unencrypted communication and 5061 for secure communication (encrypted with TLS).

Question 66

What is the difference between SNMP v2c and SNMP v3?

Answer 66

SNMP v2c only uses community strings (public (read only) and private (read/write) passwords) to allow access to SNMP data stored in network device MIB's. However no encryption or STRONG authentication (AES) is used. SNMPv3 uses strong authentication based on AES and usernames, passwords and keys. It also encrypts all data in transit between the MIB/SNMP database of the device and the device accessing it.