Beginner → Intermediate ⏱ 45 Minutes Layer 4: Transport

Ports & Protocols

If IP addresses are the buildings of the internet, Ports are the specific apartment numbers. Understanding ports is the single most important skill for service enumeration and vulnerability scanning.

1. What Is a Port?

A port is a logical communication endpoint used by the Transport Layer (TCP/UDP) to identify a specific service running on a device.

192.168.1.10 : 80
IP Address (Building) : Port (Apartment)

The IP address ensures the data reaches the correct computer. The Port number ensures the data reaches the correct application (like SSH, Web Browser, or Email Client) inside that computer.

2. Why Ports Exist

Without ports, computers would be limited to running a single network service at a time. You couldn't browse the web while listening to Spotify.

Multiplexing

Ports allow multiplexing: multiple applications transmitting data simultaneously over the same physical network connection. The OS uses the port number to sort incoming packets to the right process.

3. Port Number Ranges

Port numbers range from 0 to 65535. The IANA (Internet Assigned Numbers Authority) divides them into three categories.

3.1 Well-Known Ports (0–1023)

Reserved for core system services. On Unix-like systems, binding a listener to one of these ports traditionally requires root privileges.

Port    Service  Description
20/21   FTP      File Transfer (Unsecure)
22      SSH      Secure Shell (Remote Access)
25      SMTP     Email Sending
53      DNS      Domain Name Resolution
80      HTTP     Web Traffic (Unencrypted)
443     HTTPS    Web Traffic (Encrypted)
445     SMB      Windows File Sharing

3.2 Registered Ports (1024–49151)

Used by user applications and games (e.g., MySQL uses 3306, RDP uses 3389).

3.3 Ephemeral Ports (49152–65535)

Temporary ports the OS assigns automatically to the client side of outbound connections. The exact range is defined by the operating system and may differ from the IANA range (Linux, for example, defaults to 32768–60999).

# View local port range on Linux
cat /proc/sys/net/ipv4/ip_local_port_range

⚠️ Crucial Distinction: Port ≠ Service

A port number does not guarantee which service is running. An attacker can run a web server on port 9999 or SSH on port 80. Always verify using service detection:

nmap -sV 192.168.1.10

4. How Services Bind (Sockets)

A Socket is the unique combination of: IP Address + Port + Protocol.

LISTEN State

The service is awake and waiting for new connections.
Example: Web Server on Port 80.

ESTABLISHED State

An active data connection exists between two sockets.
Example: You downloading a file.

The Full Connection (4-Tuple)

A TCP connection is uniquely identified by four values:

  • Source IP
  • Source Port
  • Destination IP
  • Destination Port

This "4-Tuple" is why multiple users can connect to the same web server (Port 443) simultaneously without their data getting mixed up.
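The following is an added example (not part of the original module) that ties together the ephemeral-port range from 3.3, the "Port ≠ Service" warning, and the LISTEN / ESTABLISHED / 4-tuple concepts of this section. It starts a listener on 127.0.0.1 with port 0 (so the OS picks the port), opens two clients at once, records the 4-tuple as each side sees it, and names the service from the bytes the server sends rather than from the port number. The banner and the function names (local_port_range, start_listener, run_clients, demo) are constructed for this example; the fallback range 1024–65535 is an assumption for systems without /proc.

```python
import socket

# Constructed banner: the listener answers like a web server on whatever port
# the OS gave it, so the client must identify the service from what it says.
FAKE_HTTP_BANNER = b"HTTP/1.1 200 OK\r\nServer: demo\r\nContent-Length: 0\r\n\r\n"


def local_port_range():
    """Return the OS ephemeral (client-side) port range as (low, high).
    Linux exposes it in /proc; elsewhere fall back to a wide range
    (assumption made for this example)."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as fh:
            low, high = fh.read().split()
            return int(low), int(high)
    except (OSError, ValueError):
        return 1024, 65535


def start_listener(backlog=5):
    """Bind to 127.0.0.1 on port 0 (OS picks a free port) and enter LISTEN.
    Returns (listening_socket, chosen_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(2.0)            # never hang the demo if something goes wrong
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)            # socket is now in LISTEN state
    return srv, srv.getsockname()[1]


def identify_service(banner):
    """Name the service from its first bytes, independent of the port number."""
    return "http" if banner.startswith(b"HTTP/") else "unknown"


def run_clients(srv, port, n_clients=2, timeout=2.0):
    """Open n_clients ESTABLISHED connections to the listener and record, for
    each one, the 4-tuple (src_ip, src_port, dst_ip, dst_port) as the client
    and the server see it, plus the service identified from the banner."""
    # Connect all clients first: while they are alive at the same time the OS
    # has to give each one a different ephemeral source port.
    clients = [socket.create_connection(("127.0.0.1", port), timeout=timeout)
               for _ in range(n_clients)]
    by_src = {c.getsockname(): c for c in clients}
    results = []
    for _ in clients:
        conn, peer = srv.accept()              # one new socket per connection;
        cli = by_src[peer]                     # srv itself stays in LISTEN
        client_view = cli.getsockname() + cli.getpeername()
        server_view = conn.getpeername() + conn.getsockname()   # mirrored tuple
        conn.sendall(FAKE_HTTP_BANNER)
        conn.close()
        banner = cli.recv(256)
        cli.close()
        results.append({"client_view": client_view,
                        "server_view": server_view,
                        "service": identify_service(banner)})
    return results


def demo(n_clients=2):
    """Run the whole exchange and return (listen_port, per-connection results)."""
    srv, port = start_listener()
    try:
        return port, run_clients(srv, port, n_clients)
    finally:
        srv.close()


if __name__ == "__main__":
    listen_port, conns = demo()
    low, high = local_port_range()
    print(f"listener 127.0.0.1:{listen_port} (LISTEN); ephemeral range {low}-{high}")
    for c in conns:
        src_ip, src_port, dst_ip, dst_port = c["client_view"]
        print(f"{src_ip}:{src_port} -> {dst_ip}:{dst_port}  service={c['service']}")
```

Both clients share the same destination IP and port; only the source port differs, which is exactly the 4-tuple property that lets many users talk to one server at once. The listener sits on an arbitrary high port yet the client still recognises it as HTTP from the banner, which is the same idea behind `nmap -sV`.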

5. TCP vs UDP Ports

Ports behave differently depending on the protocol used.

TCP Ports

Connection-Oriented. Uses a three-way handshake (SYN, SYN-ACK, ACK). Reliable, but slower. Used for HTTP, SSH, FTP, SMTP.

UDP Ports

Connectionless. "Fire and forget." Unreliable but fast.

Examples: DNS (53), DHCP (67/68), NTP (123), SNMP (161).

6. Port States (The Scanner's View)

When you scan a target with Nmap, ports will return one of three primary states:

root@kali:~# nmap -p 22,80,999 192.168.1.10
PORT     STATE   SERVICE
22/tcp   open    ssh
80/tcp   open    http
999/tcp  closed  garcon

  • Open: An application is listening. Target acquired.
  • Closed: No application is listening. The host replied with a TCP RST ("Reset").
  • Filtered: A firewall blocked the probe. Often means the firewall is silently dropping packets (no reply at all), which is common in perimeter defense.

7. Security Perspective

🛡️ The Attack Surface

Every open port is a potential entry point for an attacker. Hardening applies the "Principle of Least Privilege" to exposed services: close everything that is not strictly needed.

High-Risk Ports

  • Port 23 (Telnet): Sends passwords in cleartext.
  • Port 21 (FTP): Often allows anonymous login and sends credentials in cleartext.
  • Port 445 (SMB): Famous for EternalBlue/WannaCry exploits.
  • Port 3389 (RDP): Target for brute-force attacks.

8. Firewalls & Ports

Firewalls control traffic based on port rules. A secure firewall uses a Default Deny policy: only traffic that an explicit rule allows gets through.

# Firewall Logic Example
ALLOW TCP Port 80 (Web)
ALLOW TCP Port 22 (SSH) from 10.0.0.5 (Admin)
DENY ALL (Block everything else)

9. Practical Commands

Use these commands to inspect ports on your own machine.

# Linux: Show listening ports
root@kali:~# ss -tulnp

# Windows: Show active connections
C:\> netstat -ano

# Scan local machine
root@kali:~# nmap localhost
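As an added example (not part of the original module), here is a small audit script that combines sections 3, 7, 8 and 9: it parses `ss -tulnp` output into listeners, classifies each port by IANA range, marks the high-risk ports named in section 7, and checks every listener against the default-deny rule set from section 8 to report what is reachable and what should simply be switched off. The `ss` output is a constructed sample (not captured from a real host) laid out in the real `ss` column order; the function names (parse_ss, port_class, audit, needs_attention) are assumptions of this example.

```python
import re

# Constructed sample of `ss -tulnp` output, not taken from a real machine.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*    users:(("nginx",pid=1020,fd=6))
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*    users:(("mysqld",pid=1301,fd=21))
tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*    users:(("smbd",pid=1440,fd=35))
tcp   LISTEN 0      5            0.0.0.0:23         0.0.0.0:*    users:(("inetd",pid=600,fd=4))
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*    users:(("chronyd",pid=700,fd=5))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=812,fd=4))
"""

# High-risk ports and the reasons the module gives for them (section 7).
HIGH_RISK = {
    21: "FTP: anonymous login / cleartext credentials",
    23: "Telnet: cleartext passwords",
    445: "SMB: EternalBlue/WannaCry",
    3389: "RDP: brute-force target",
}

# Firewall policy from section 8 as (proto, port, allowed_source);
# anything not matched falls through to DENY ALL.
ALLOW_RULES = [("tcp", 80, "any"), ("tcp", 22, "10.0.0.5")]

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def port_class(port):
    """Classify a port number into the three IANA ranges from section 3."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "ephemeral"
    raise ValueError(f"not a port number: {port}")


def parse_ss(text):
    """Turn `ss -tulnp` lines into dicts: proto, bound address, port, process, pid."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue                              # header or malformed line
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)         # handles "[::]:22" as well
        m = PROC_RE.search(line)
        listeners.append({
            "proto": proto,
            "addr": addr.strip("[]"),
            "port": int(port),
            "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return listeners


def audit(listeners, rules=ALLOW_RULES):
    """Annotate each listener with its port class, firewall exposure and risk note."""
    findings = []
    for l in listeners:
        if l["addr"] in ("127.0.0.1", "::1"):
            exposure = "loopback only"            # not reachable from the network
        else:
            match = [r for r in rules if r[0] == l["proto"] and r[1] == l["port"]]
            exposure = f"allowed from {match[0][2]}" if match else "blocked by DENY ALL"
        findings.append({**l, "class": port_class(l["port"]),
                         "exposure": exposure, "risk": HIGH_RISK.get(l["port"])})
    return findings


def needs_attention(findings):
    """Least privilege: anything high-risk, or listening on the network with no
    rule that needs it, should be closed rather than merely firewalled."""
    return [f for f in findings
            if f["risk"] or f["exposure"] == "blocked by DENY ALL"]


if __name__ == "__main__":
    for f in audit(parse_ss(SAMPLE_SS)):
        flag = "  <-- review" if f in needs_attention([f]) else ""
        print(f"{f['proto']:<4}{f['addr']}:{f['port']:<6}{f['class']:<11}"
              f"{f['process'] or '?':<9}{f['exposure']}{flag}")
```

Run it on a real box with `ss -tulnp | python3 audit.py` after swapping `SAMPLE_SS` for `sys.stdin.read()`; the listeners it flags are the ones to remove, not just to hide behind the firewall.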

🧠 Knowledge Check

Test your understanding of ports and protocols.

1. Why can two services run on the same IP?
Because of Multiplexing. The unique port number allows the OS to direct traffic to the specific application responsible for it.
2. What is an ephemeral port?
A temporary, high-numbered port (49152+) assigned by the OS for outbound connections (like your browser visiting a website).
3. Why is Port 23 (Telnet) dangerous?
It transmits all data, including login credentials, in plaintext, making it easy for attackers to sniff passwords.
4. What does "Filtered" mean in Nmap?
It means a Firewall is dropping the packets. The scanner cannot determine if the port is open or closed because it gets no response.

📌 Module Recap

  • Ports act as logical doors for specific services on an IP address.
  • Socket = IP Address + Port Number + Protocol.
  • Well-Known Ports (0-1023) are reserved for core services like SSH (22) and HTTP (80).
  • TCP is reliable and connection-oriented; UDP is fast and connectionless.
  • Open Ports increase attack surface; firewalls should block everything by default.