Ports + Protocols Flashcards
What ports does FTP use and what is it for?
20 (active mode) and 21 (control) - File Transfer Protocol is a generic way to transfer files between systems.
FTP authenticates with a username and password. Its fully featured functionality allows you to list, add and delete files as you choose.
FTP isn’t secure - SFTP is because it uses SSH tcp/22 to encrypt files in transit.
What protocol uses port tcp/22 and what does it do?
SSH - Secure Shell - is an encrypted way of communicating to a remote device from a console. E.g. SSH into a firewall device.
tcp/22 is also used for SFTP - Secure File Transfer Protocol via SSH encryption.
What port does SFTP use and what is it for?
SECURE File Transfer Protocol is used to securely transfer files with encryption via SSH tcp/22.
What port is Telnet and what’s the problem with it?
Telnet udp/23 is a way of accessing remote devices but the connection is “in the clear”/unencrypted/unsecure.
What protocol uses port tcp/587?
SMTP with TLS encryption uses port tcp/587 to SEND MAIL.
Simple Mail Transfer Protocol - server to server and client to server email transfers.
What are the FOUR ports you can use to receive/retrieve emails from the server onto a client device?
tcp/143 - IMAP
tcp/993 - IMAPS (Secure)
tcp/110 - POP3
tcp/995 - POP3S (Secure)
What ports does DNS use?
udp/53 or tcp/53 (for large transfers of one DNS server to another) - converts names to IP addresses
What ports does DHCP use?
udp/67 and udp/68 are used for DHCP - Dynamic Host Control Protocol - automatic assignment of IP addresses/subnet masks from a pool with a lease time that renews at T1 (50%) and T2 (88%) of the lease time. If the DHCP server can’t be contacted at either of those times then the device sends out for a new IP address across the network.
You can assign DHCP reservation to certain devices using their MAC address so that they always have the same IP address assigned to them.
TFTP port?
udp/69 ;) Trivial File Transfer Protocol - used for simple unsecure small file transfer like config. files at high speed.
What are the two main web server communicating ports and protocols?
HTTP tcp/80 - web server communication.
HTTPS tcp/443 - encrypted web server communication.
What port/protocol manages time syncing across devices?
NTP udp/123 Network Time Protocol - precisely (within 1ms) syncs up the time across devices on a network. This is crucial for authentication information. The syncing usually happens a few times a day.
What ports does SNMP use?
udp/161 for network device statistics and udp/162 for traps/alerts, which trigger when a statistic hits a pre-defined threshold.
Which version of SNMP udp/161 uses Authentication and Encryption to send network statistics securely?
Version 3 of SNMP udp/161 uses encryption, authentication and message integrity checks to keep network statistics safe.
V3 uses Encrypted Community Strings (login required to access SNMP caches on net devices)
What protocol uses port tcp/389 and what does it do?
LDAP tcp/389 - Lightweight Directory Access Protocol - stores/accesses/retrieves data from a network directory (e.g. Active Directory on Windows).
What port does LDAPS use?
tcp/636 is used by LDAPS - Lightweight Directory Access Protocol Secure - LDAP encrypted over SSL.
What port does SMB/CIFS use and what for?
Server Message Block/Common Internet File System - uses tcp/445 (NetBIOS-less) to share files/printers across Windows operating systems.
What is a SIEM?
Security Information and Event Manager (SIEM) is a server that consolidates syslog files received across the network via port udp/514 syslog.
They need a lot of disk space!
What port is commonly used to transfer syslog files across a network?
udp/514 SYSLOG - generally syslog files are sent to a SIEM for centralised consolidation and management.
What port does Microsoft SQL use?
tcp/1433 - Structured Query Language (SQL) is sent via tcp/1433 for Microsoft Servers (MS-SQL).
What is port tcp/3389 associated with?
RDP - tcp/3389.
What’s ICMP?
Internet Control Message Protocol (ICMP) - send and receive requests to devices on the network to check they are connected and functional.
When TTL=0 an ICMP message “time exceeded” is sent to the source to let them know.
E.g. ping cmd uses ICMP.
What is GRE? Does it have encryption by default?
Generic Routing Encapsulation (GRE) is the tunnel created between two endpoints that makes them appear as directly connected to each other.
No inherent/built-in encryption so should use a VPN concentrator (software or hardware) to encrypt and decrypt traffic at either end of the GRE tunnel via an encryption protocol such as IPSec.
What is IPSec?
A standardised group/suite of Network (layer 3) protocols: Core protocols are Authentication Header (AH) and Encapsulation Security Payload (ESP)
What is a Security Association?
SA - Security Association/Agreement - An agreement on what encryption/decryption keys are to be used between two endpoints when forming a tunnel. (The key isn’t sent across the network). This is called an Internet Key Exchange (IKE).
What ports does the DORA process use and what is it for?
udp/67 and udp/68 are used for the DORA process, which is the four-step setup process for DHCP for a new device connecting to a network.
What are the four DORA steps in DHCP initialisation when a new device joins a network?
D=Discover - the new device sends out a broadcast to all devices on the subnet.
O=Offer - all DHCP servers that receive the broadcast will offer an IP address back to the device.
R=Request/accept - the device selects one of the offered IP addresses and responds to the DHCP server that offered it saying it wants to use it.
A=Acknowledgement - the DHCP server sends confirmation back to the device saying it has received the Request to use its IP address and sends any other relevant IP information along with the Acknowledgement of request.
What router functionality/feature allows DHCP broadcasts to extend past the local subnet the new device is on? (e.g. can broadcast to other DHCP servers distributed around the network or centralised instead of just being able to reach the router in the current subnet)
DHCP relay is the feature that allows DHCP broadcasts past the local subnet to reach other DHCP servers (e.g. for redundancy).
DHCP relay works by the router changing the destination broadcast address on the packet to the address of a DHCP server on its network and changing the source address to that of the router running the DHCP relay - in this way it becomes a middle man in the communication.
What are DHCP options?
DHCP Options are special fields/vendor extensions within DHCP messages (254 set usable options provided they are supported by the DHCP server) that contain more information for devices such as:
-subnet mask
-HTTP proxy
-DNS Server - streamlines DNS lookups
-Static Route Option
-Domain Name for the network
This reduces the need for manual input and therefore manual input errors. DHCP options are configured on the DHCP server.
What port do NTP servers listen on for updated time requests from devices on their network?
udp/123 is the port NTP servers listen on.
What is PTP/Precision Time Protocol?
PTP - Precision Time Protocol - is a very precise (to the nanosecond/1 billionth of a second precision) specialised hardware-based time protocol used in financial trading and other areas that need very precise timings.
What is the purpose of a VPN?
VPN = Virtual Private Network is a way of encrypting data sent across a public network for security.
What is a Clientless VPN?
An in-browser VPN using HTML5 to support a web cryptography API, thus eliminating the need to install any client software. However, it’s generally limited to web based applications only.
What’s the difference between full and split tunnel vpn?
Full tunnel VPN configuration is where ALL traffic is sent through the tunnel/is encrypted across public network.
Split tunnel config. has VPN traffic going through the tunnel securely but non-VPN traffic being sent normally. E.g. important info is sent securely through the tunnel to your site but your funny gifs are sent separately, directly to facebook servers (not routed via your site first).
What is the port for SMB protocol and what is it for?
SMB - Server Message Block protocol runs on port tcp/445 (netbios-LESS) and is used for file sharing/printing services on Windows systems.
What port does Syslog use and what is its function?
Syslog uses port tcp or udp 514 for network message logging, e.g.
-error messages
-startup/shutdown messages
-system messages
Syslog 514 is crucial for troubleshooting and security auditing/examining.
What protocol uses port tcp/1433?
tcp/1433 is used by SQL - Structured Query Language, which communicates to and from SQL servers/databases (RDBMS).
What does Session Initiation Protocol (SIP) manage?
SIP manages the initiation and maintaining/modifying/terminating of real-time sessions such as VOIP. SIP runs on 5060 (unsecure) and 5061 (secured with TLS)
What is ICMP?
ICMP - Internet Control Message Protocol is a way of sending diagnostic/control messages between network devices to establish that they are reachable (e.g. ping command uses ICMP). It helps in troubleshooting network issues by running directly on top of IP with connection statistics/data such as TTL, packet information etc.
What tunnelling protocol do VPNs commonly use?
VPNs commonly use the GRE (Generic Routing Encapsulation) protocol, which encapsulates a large variety of network layer protocol packet types such as IPv4 packets and multicast traffic packets (EIGRP, OSPF).
What is GRE?
GRE (Generic Routing Encapsulation) is a TUNNELLING protocol that commonly encapsulates a large variety of network layer protocol packet types such as IPv4 packets and multicast traffic packets (EIGRP, OSPF).
GRE creates a virtual point-to-point link (VPN basically) over an IP network.
GRE encapsulates and transports data across an IP network.
What is IPSec?
IPSec (IP network communication Security) is a suite of protocols/rules to allow for secure communication over IP networks.
IPSec ensures:
-data confidentiality
-data integrity (hasn’t been tampered with en route etc)
-data authentication (from a legitimate/trusted source)
What are the two modes of IPSec?
IPSec has two modes of operation:
Transport Mode - encrypts the data/payload only of each packet - used for point-to-point communication e.g. server to client.
Tunnel Mode - encapsulates and encrypts both the data/payload and header inside a new IP packet. This is used for VPN connections e.g. site to site. You have to control all the routers between them otherwise the packet gets lost/destroyed as IP header is encrypted (because IP addresses are encrypted as well so if packet arrives at a router that can’t decrypt it then it gets stuck/destroyed).
What do AH and ESP (IPSec protocols) do?
AH - Authentication Header = provides data integrity and authentication for IP packets.
ESP - Encapsulating Security Payload = encrypts data and provides data integrity and authentication.
So ESP is better and generally used more but both can be used together.
Both AH and ESP protocols are configured when setting up Network devices.
AH provides authentication but NO encryption.
What does a DHCP relay do?
DHCP relay forwards client DHCP requests (broadcasts) from their local subnet to another subnet to find a DHCP server and get assigned an IP and other configuration settings (like subnet mask, default gateway, etc) needed to get the device connected to the internet.
What protocol is more precise for network time synchronisation NTP or PTP?
PTP (Precision Time Protocol) udp/319 is a lot more precise (sub-microsecond) than NTP (Network Time Protocol udp/123)
What are the default ports for File Transfer Protocol (FTP)?
Ports 20/21
FTP uses port 21 for command/control and port 20 for data transfer.
What is the default port for Secure File Transfer Protocol (SFTP)?
Port 22
SFTP, which is SSH-based, uses port 22 for secure file transfer.
What is the default port for Secure Shell (SSH)?
SSH uses port 22 for secure, encrypted remote access to systems.
What is the default port for Telnet?
Port 23
Telnet uses port 23 for unencrypted communication, typically for remote access to systems.
What is the default port for Simple Mail Transfer Protocol (SMTP)?
Port 25
SMTP uses port 25 for sending email between mail servers.
What is the default port for Domain Name System (DNS)?
Port 53
DNS uses port 53 for resolving domain names to IP addresses.
What are the default ports for Dynamic Host Configuration Protocol (DHCP)?
Ports 67/68
DHCP uses port 67 for server-side communication and port 68 for client-side communication.
What is the default port for Trivial File Transfer Protocol (TFTP)?
Port 69
TFTP uses port 69 for simple file transfers, often in environments like routers or switches.
What is the default port for Hypertext Transfer Protocol (HTTP)?
Port 80
HTTP uses port 80 for unencrypted web traffic.
What is the default port for Network Time Protocol (NTP)?
Port 123
NTP uses port 123 for time synchronization across devices.
What are the default ports for Simple Network Management Protocol (SNMP)?
Ports 161/162
SNMP uses port 161 for data requests and port 162 for receiving traps (notifications/alerts).
What is the default port for Lightweight Directory Access Protocol (LDAP)?
Port 389
LDAP uses port 389 for accessing directory services over a network.
What is the default port for Hypertext Transfer Protocol Secure (HTTPS)?
Port 443
HTTPS uses port 443 for secure web traffic (encrypted HTTP).
What is the default port for Server Message Block (SMB)?
Port 445
SMB uses port 445 for file and printer sharing on Windows networks.
What is the default port for Syslog?
Port 514
Syslog uses port 514 for sending system log messages.
What is the default port for Simple Mail Transfer Protocol Secure (SMTPS)?
Port 587
SMTPS uses port 587 for sending email securely, usually with STARTTLS.
What is the default port for Lightweight Directory Access Protocol over SSL (LDAPS)?
Port 636
LDAPS uses port 636 for secure LDAP communications over SSL/TLS.
What is the default port for Structured Query Language (SQL) Server?
Port 1433
SQL Server uses port 1433 for database connections.
What is the default port for Remote Desktop Protocol (RDP)?
Port 3389
RDP uses port 3389 for remote desktop access to Windows systems.
What are the default ports for Session Initiation Protocol (SIP)?
Ports 5060/5061
SIP uses port 5060 for unencrypted communication and 5061 for secure communication (encrypted with TLS).
What is the difference between SNMP v2c and SNMP v3?
SNMP v2c only uses community strings (public (read only) and private (read/write) passwords) to allow access to SNMP data stored in network device MIBs. However, no encryption or STRONG authentication (AES) is used.
SNMPv3 uses strong authentication based on AES and usernames, passwords and keys. It also encrypts all data in transit between the MIB/SNMP database of the device and the device accessing it.