From d21404df8e6e3e5457214bf9a61a285eac17fd4c Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 12 Jan 2014 07:13:02 -0500 Subject: [PATCH 1/5] Added content from the issues page. --- references/ports.md | 111 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100755 references/ports.md diff --git a/references/ports.md b/references/ports.md new file mode 100755 index 0000000..2016afe --- /dev/null +++ b/references/ports.md 
@@ -0,0 +1,111 @@ +# Networking Port Reference # +*TODO* - Switch the NAME: and the PORT # so the port numbers go first. + +## TCP Discovery Ports: ## + * easy copy - `7,21,22,23,25,80,88,110,111,139,143,389,443,445,514,515,631,1352,2049,3000,3389,4949,5060,5631,5632,5666,5900-5905,6000-6009,8000,8006,8080,8089,8443,8834,9080,9100,9443,17500` + * FTP: 21 + * SSH: 22 + * Telnet: 23 + * SMTP: 25 + * Finger: 7 + * HTTP: 80 + * Kerberos: 88 + * POP3: 110 + * SUNRPC (Unix RPC): 111 (think: rpcinfo) + * NetBIOS: 139 + * IMAP 143 + * LDAP: 389 + * HTTPS: 443 + * LotusNotes: 1352 + * Microsoft DS: 445 + * RSH: 514 + * CUPS: 631 + * NFS: 2049 + * Webrick(Ruby Webserver): 3000 + * RDP: 3389 + * Munin: 4949 + * SIP: 5060 + * PCAnywhere: 5631 (5632) + * NRPE (*nix) /NSCLIENT++ (win): 5666 (evidence of Nagios server on network) + * Alt-HTTP: 8080 + * Alt-HTTP tomcat: 9080 + * Another HTTP: 8000 (mezzanine in development mode for example) + * Nessus HTTPS: 8834 + * Proxmox: 8006 + * Splunk: 8089 (also on 8000) + * Alt HTTPS: 8443 + * vSphere: 9443 + * X11: 6000-6009 (+1 to portnum for additional displays) (see xspy, xwd, xkey for exploitation) + * VNC: 5900, 5901+ (Same as X11; +1 to portnum for each user/dipslay over VNC. 
SPICE is usually in this range as well) +Printers: 9100, 515 + * Dropbox lansync: 17500 + +## UDP Discovery: ## + * easy copy - `53,123,161,1434` + * DNS: 53 + * XDMCP: 177 (via NSE script --script broadcast-xdmcp-discover, discover nix boxes hosting X) + * OpenVPN: 1194 + * MSSQL Ping: 1434 + * SUNRPC (Unix RPC): 111 (yeah, it's UDP, too) + * SNMP 161 + * Network Time Protocol (NTP): 123 + * syslog : 514 + * UPNP: 1900 + * Isakmp - 500 (ike PSK Attack) + * vxworks debug: 17185 (udp) + +## Authentication Ports (other than ones already listed): ## + * easy copy - `1494` + * Citrix: 1494 + * WinRM: 80,5985 (HTTP), 5986 (HTTPS) + * VMware Server: 8200, 902, 9084 + * DameWare: 6129 + +## Easy-win Ports: ## + * Java RMI - 1099, 1098 + * coldfusion default stand alone - 8500 + * IPMI UDP(623) (easy crack or auth bypass) + * 6002, 7002 (sentinel license monitor (reverse dir traversal, sometimes as SYSTEM)) + * GlassFish: 4848 + * easy copy - `9060` + * IBM Web Sphere: 9060 + * Webmin or BackupExec: 10000 + * memcached: 11211 + * DistCC: 3632 + * SAP Router: 3299 + +## Database Ports: ## + * easy copy - `3306,1521-1527,5432,5433,1433,3050,3351,1583,8471,9471` + * MySQL: 3306 + * PostgreSQL: 5432 + * PostgreSQL 9.2: 5433 + * Oracle TNS Listener: 1521-1527 + * Oracle XDB: 2100 + * MSSQL: 1433 + * Firebird / Interbase: 3050 + * PervasiveSQL: 3351, 1583 + * DB2/AS400 8471, 9471 + * Sybase 5000 + +## SCADA / ICS:## +(source: http://www.digitalbond.com/tools/the-rack/control-system-port-list/ ) + * BACnet/IP: UDP/47808 + * DNP3: TCP/20000, UDP/20000 + * EtherCAT: UDP/34980 + * Ethernet/IP: TCP/44818, UDP/2222, UDP/44818 + * FL-net: UDP/55000 to 55003 + * Foundation Fieldbus HSETCP/1089 to 1091, UDP/1089 to 1091 + * ICCP: TCP/102 + * Modbus TCP: TCP/502 + * OPC UA Binary: Vendor Application Specific + * OPC UA Discovery Server: TCP/4840 + * OPC UA XML: TCP/80, TCP/443 + * PROFINET: TCP/34962 to 34964, UDP/34962 to 34964 + * ROC PLus: TCP/UDP 4000 + +## Interesting Port Ranges: ## 
+ * HTTP(S) Ports: 8000-9000 + +## Web easy-win URLs: ## +(moved to: https://etherpad.mozilla.org/weburl-easywins ) +`awk '$2~/tcp$/' nmap-services | sort -r -k3 | head -n 1000` # same for udp \ No newline at end of file From c72a02d96b6ac1c92f130ef980a2cd172eccd170 Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 12 Jan 2014 08:19:48 -0500 Subject: [PATCH 2/5] Swapping the port number and the descriptions. Adding to the easy ports lists. --- references/ports.md | 103 ++++++++++++++++++++++---------------------- 1 file changed, 52 insertions(+), 51 deletions(-) diff --git a/references/ports.md b/references/ports.md index 2016afe..296104c 100755 --- a/references/ports.md +++ b/references/ports.md 
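Review bot: `* Finger: 7` in the TCP Discovery list is wrong. finger listens on TCP/79; 7 is the echo service, so the easy-copy string that starts `7,21,22,23,...` scans echo and never touches finger. Change both the entry and the easy-copy string to 79. Smaller points in the same hunk: the file is created with mode 100755, which a Markdown reference does not need (navigation.md is 100644); `Printers: 9100, 515` is missing the ` * ` bullet every other entry uses; `dipslay` should be `display`; the UDP easy-copy string `53,123,161,1434` omits 111, 177, 500, 514, 1194, 1900 and 17185 even though they are listed directly under it; the Easy-win `easy copy - \`9060\`` sits in the middle of its list and carries only one of that section's ports; the Database easy-copy string omits 2100 and 5000; `Foundation Fieldbus HSETCP/1089 to 1091` needs a separator (`Foundation Fieldbus HSE: TCP/1089 to 1091, UDP/1089 to 1091`); `ROC PLus` should be `ROC Plus`; `## SCADA / ICS:##` needs a space before the closing `##`; the awk pipeline at the bottom has nothing to do with the "Web easy-win URLs" heading it sits under and its `sort -r -k3` sorts the nmap-services frequency column lexically rather than numerically (`sort -rn -k3` is the intent); and the file ends without a trailing newline.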
@@ -3,61 +3,62 @@ ## TCP Discovery Ports: ## * easy copy - `7,21,22,23,25,80,88,110,111,139,143,389,443,445,514,515,631,1352,2049,3000,3389,4949,5060,5631,5632,5666,5900-5905,6000-6009,8000,8006,8080,8089,8443,8834,9080,9100,9443,17500` - * FTP: 21 - * SSH: 22 - * Telnet: 23 - * SMTP: 25 - * Finger: 7 - * HTTP: 80 - * Kerberos: 88 - * POP3: 110 - * SUNRPC (Unix RPC): 111 (think: rpcinfo) - * NetBIOS: 139 - * IMAP 143 - * LDAP: 389 - * HTTPS: 443 - * LotusNotes: 1352 - * Microsoft DS: 445 - * RSH: 514 - * CUPS: 631 - * NFS: 2049 - * Webrick(Ruby Webserver): 3000 - * RDP: 3389 - * Munin: 4949 - * SIP: 5060 - * PCAnywhere: 5631 (5632) - * NRPE (*nix) /NSCLIENT++ (win): 5666 (evidence of Nagios server on network) - * Alt-HTTP: 8080 - * Alt-HTTP tomcat: 9080 - * Another HTTP: 8000 (mezzanine in development mode for example) - * Nessus HTTPS: 8834 - * Proxmox: 8006 - * Splunk: 8089 (also on 8000) - * Alt HTTPS: 8443 - * vSphere: 9443 - * X11: 6000-6009 (+1 to portnum for additional displays) (see xspy, xwd, xkey for exploitation) - * VNC: 5900, 5901+ (Same as X11; +1 to portnum for each user/dipslay over VNC. SPICE is usually in this range as well) -Printers: 9100, 515 - * Dropbox lansync: 17500 + * 7 Finger + * 21 FTP + * 22 SSH + * 23 Telnet + * 25 SMTP + * 80 HTTP + * 88 Kerberos + * 110 POP3 + * 111 SUNRPC(UnixRPC) + * 139 NetBIOS + * 143 IMAP + * 389 LDAP + * 443 HTTPS + * 445 MicrosoftDS + * 514 RSH + * 515 Printers + * 631 CUPS + * 1352 LotusNotes + * 2049 NFS + * 3000 Webrick (Ruby Webserver) + * 3389 RDP + * 4949 Munin + * 5060 SIP + * 5631-5632 PCAnywhere + * 5666(evidence of Nagios server on network) NRPE(*nix)/NSCLIENT++(win) + * 5900-5906 (Same as X11; display over VNC. 
SPICE is usually in this range as well) VNC + * 6000-6009 (seexspy, xwd, xkeyforexploitation) X11 + * 8006 Proxmox + * 8080 Alt-HTTP + * 8089(also on 8000) Splunk + * 8000(mezzanine in development mode for example) AnotherHTTP + * 8834 Nessus HTTPS + * 8443 AltHTTPS + * 9080 Alt-HTTPtomcat + * 9443 vSphere + * 9100 Printers + * 17500 Dropbox lansync ## UDP Discovery: ## - * easy copy - `53,123,161,1434` - * DNS: 53 - * XDMCP: 177 (via NSE script --script broadcast-xdmcp-discover, discover nix boxes hosting X) - * OpenVPN: 1194 - * MSSQL Ping: 1434 - * SUNRPC (Unix RPC): 111 (yeah, it's UDP, too) - * SNMP 161 - * Network Time Protocol (NTP): 123 - * syslog : 514 - * UPNP: 1900 - * Isakmp - 500 (ike PSK Attack) - * vxworks debug: 17185 (udp) + * easy copy - `53,111,123,161,177,500,514,1194,1434,1900,17185` + * 53 DNS + * 111 SUNRPC (Unix RPC) + * 123 Network Time Protocol (NTP) + * 161 SNMP + * 177 XDMCP (via NSE script --script broadcast-xdmcp-discover, discover *nix boxes hosting X) + * 500 Isakmp (ike PSK Attack) + * 514 syslog + * 1194 OpenVPN + * 1434 MSSQL Ping + * 1900 UPNP + * 17185 vxworks debug -## Authentication Ports (other than ones already listed): ## - * easy copy - `1494` +## Authentication Ports: ## + * easy copy - `80,902,1494,5985,5986,6129,8200,9084` * Citrix: 1494 - * WinRM: 80,5985 (HTTP), 5986 (HTTPS) + * WinRM: 80, 5985 (HTTP), 5986 (HTTPS) * VMware Server: 8200, 902, 9084 * DameWare: 6129 From e3bd9f3473c56af58553e0f0730108ca7bdd575e Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 12 Jan 2014 08:46:10 -0500 Subject: [PATCH 3/5] Fixing up content. Making it look purdy --- references/ports.md | 70 ++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/references/ports.md b/references/ports.md index 296104c..480ee60 100755 --- a/references/ports.md +++ b/references/ports.md 
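Review bot: the VNC entry becomes `5900-5906` but the unchanged easy-copy string at the top of the section still reads `5900-5905`; pick one range and keep the two in sync, since the easy-copy line is what gets pasted into a scanner. Also in this hunk: `* 7 Finger` carries the swap forward with the echo port, finger is TCP/79; `(seexspy, xwd, xkeyforexploitation)` lost its spaces and should read `(see xspy, xwd, xkey for exploitation)`; the VNC and X11 entries put the parenthetical before the service name, unlike every other entry in the list; and the Authentication easy-copy string now includes 80 while the heading drops its "other than ones already listed" qualifier, so 80 appears in both the TCP Discovery and Authentication lists.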
@@ -11,29 +11,29 @@ * 80 HTTP * 88 Kerberos * 110 POP3 - * 111 SUNRPC(UnixRPC) + * 111 SUNRPC (UnixRPC) * 139 NetBIOS * 143 IMAP * 389 LDAP * 443 HTTPS - * 445 MicrosoftDS + * 445 Microsoft DS * 514 RSH * 515 Printers * 631 CUPS - * 1352 LotusNotes + * 1352 Lotus Notes * 2049 NFS * 3000 Webrick (Ruby Webserver) * 3389 RDP * 4949 Munin * 5060 SIP * 5631-5632 PCAnywhere - * 5666(evidence of Nagios server on network) NRPE(*nix)/NSCLIENT++(win) - * 5900-5906 (Same as X11; display over VNC. SPICE is usually in this range as well) VNC - * 6000-6009 (seexspy, xwd, xkeyforexploitation) X11 + * 5666 Nagios server/NRPE(*nix)/NSCLIENT++(win) + * 5900-5906 VNC (Same as X11; display over VNC. SPICE is usually in this range as well) + * 6000-6009 Xll (seexspy, xwd, xkeyforexploitation) * 8006 Proxmox * 8080 Alt-HTTP - * 8089(also on 8000) Splunk - * 8000(mezzanine in development mode for example) AnotherHTTP + * 8089 Splunk (also on 8000) + * 8000 Another HTTP (mezzanine in development mode for example) * 8834 Nessus HTTPS * 8443 AltHTTPS * 9080 Alt-HTTPtomcat @@ -42,7 +42,7 @@ * 17500 Dropbox lansync ## UDP Discovery: ## - * easy copy - `53,111,123,161,177,500,514,1194,1434,1900,17185` + * easy copy - `53,111,123,161,177,500,514,623,1194,1434,1900,17185` * 53 DNS * 111 SUNRPC (Unix RPC) * 123 Network Time Protocol (NTP) @@ -50,6 +50,7 @@ * 177 XDMCP (via NSE script --script broadcast-xdmcp-discover, discover *nix boxes hosting X) * 500 Isakmp (ike PSK Attack) * 514 syslog + * 623 IPMI (easy crack or auth bypass) * 1194 OpenVPN * 1434 MSSQL Ping * 1900 UPNP 
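Review bot: in the `@@ -11,29 +11,29 @@` hunk, `6000-6009 Xll` spells X11 with two lowercase L's, and `(seexspy, xwd, xkeyforexploitation)` is still run together; suggest ` * 6000-6009 X11 (see xspy, xwd, xkey for exploitation)`. The context lines `8443 AltHTTPS` and `9080 Alt-HTTPtomcat` have the same missing-space problem and could be fixed in the same pass (`Alt HTTPS`, `Alt-HTTP (Tomcat)`), and the `5900-5906` VNC range this hunk rewrites still disagrees with the `5900-5905` in the section's easy-copy string, which the hunk does not touch.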
@@ -57,36 +58,35 @@ ## Authentication Ports: ## * easy copy - `80,902,1494,5985,5986,6129,8200,9084` - * Citrix: 1494 - * WinRM: 80, 5985 (HTTP), 5986 (HTTPS) - * VMware Server: 8200, 902, 9084 - * DameWare: 6129 + * 80,5985,5986 WinRM (5985 (HTTP), 5986 (HTTPS)) + * 902,8200,9084 VMware Server + * 1494 Citrix + * 6129 DameWare ## Easy-win Ports: ## - * Java RMI - 1099, 1098 - * coldfusion default stand alone - 8500 - * IPMI UDP(623) (easy crack or auth bypass) - * 6002, 7002 (sentinel license monitor (reverse dir traversal, sometimes as SYSTEM)) - * GlassFish: 4848 - * easy copy - `9060` - * IBM Web Sphere: 9060 - * Webmin or BackupExec: 10000 - * memcached: 11211 - * DistCC: 3632 - * SAP Router: 3299 + * easy copy - `1098-1099,3299,3632,4848,6002,7002,8500,9060,10000,11211` + * 1098-1099 Java RMI + * 3299 SAP Router + * 3632 DistCC + * 4848 GlassFish + * 6002,7002 (Sentinel license monitor (reverse dir traversal, sometimes as SYSTEM)) + * 8500 Coldfusion default stand alone + * 9060 IBM Web Sphere + * 10000 Webmin or BackupExec + * 11211 memcached ## Database Ports: ## - * easy copy - `3306,1521-1527,5432,5433,1433,3050,3351,1583,8471,9471` - * MySQL: 3306 - * PostgreSQL: 5432 - * PostgreSQL 9.2: 5433 - * Oracle TNS Listener: 1521-1527 - * Oracle XDB: 2100 - * MSSQL: 1433 - * Firebird / Interbase: 3050 - * PervasiveSQL: 3351, 1583 - * DB2/AS400 8471, 9471 - * Sybase 5000 + * easy copy - `1433,1521-1527,1583,3351,2100,3050,3306,5000,5432,5433,8471,9471` + * 1433 MSSQL + * 1521-1527 Oracle TNS Listener + * 1583,3351 PervasiveSQL + * 2100 Oracle XDB + * 3050 Firebird/Interbase + * 3306 MySQL + * 5000 Sybase + * 5432 PostgreSQL + * 5433 PostgreSQL 9.2 + * 8471,9471 DB2/AS400 ## SCADA / ICS:## (source: http://www.digitalbond.com/tools/the-rack/control-system-port-list/ ) From 1e8f4ea564a123a2b08940b07080fc3cb8093114 Mon Sep 17 00:00:00 2001 
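Review bot: in the `@@ -57,36 +58,35 @@` hunk, `6002,7002 (Sentinel license monitor (...))` is the only entry whose service name is inside parentheses, and `80,5985,5986 WinRM (5985 (HTTP), 5986 (HTTPS))` nests them; suggest ` * 6002,7002 Sentinel license monitor (reverse dir traversal, sometimes as SYSTEM)` and ` * 80,5985,5986 WinRM (5985 HTTP, 5986 HTTPS)`. The Database easy-copy string lists `1583,3351,2100,3050` out of numeric order while the other easy-copy lines in this series are sorted ascending; `1433,1521-1527,1583,2100,3050,3306,3351,5000,5432,5433,8471,9471` matches the list beneath it. The trailing context `## SCADA / ICS:##` still lacks the space before the closing `##`.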
From: webbreacher Date: Sun, 12 Jan 2014 08:47:39 -0500 Subject: [PATCH 4/5] Done --- references/ports.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/references/ports.md b/references/ports.md index 480ee60..563c34c 100755 --- a/references/ports.md +++ b/references/ports.md @@ -94,18 +94,18 @@ * DNP3: TCP/20000, UDP/20000 * EtherCAT: UDP/34980 * Ethernet/IP: TCP/44818, UDP/2222, UDP/44818 - * FL-net: UDP/55000 to 55003 - * Foundation Fieldbus HSETCP/1089 to 1091, UDP/1089 to 1091 + * FL-net: UDP/55000-55003 + * Foundation Fieldbus HSETCP/1089-1091, UDP/1089-1091 * ICCP: TCP/102 * Modbus TCP: TCP/502 * OPC UA Binary: Vendor Application Specific * OPC UA Discovery Server: TCP/4840 * OPC UA XML: TCP/80, TCP/443 - * PROFINET: TCP/34962 to 34964, UDP/34962 to 34964 + * PROFINET: TCP/34962-34964, UDP/34962-34964 * ROC PLus: TCP/UDP 4000 ## Interesting Port Ranges: ## - * HTTP(S) Ports: 8000-9000 + * 8000-9000 HTTP(S) Ports ## Web easy-win URLs: ## (moved to: https://etherpad.mozilla.org/weburl-easywins ) From 84ced892d313d0d8772233154d1353f19d8e543d Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 12 Jan 2014 16:50:35 -0500 Subject: [PATCH 5/5] adding the link to the ports page --- navigation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/navigation.md b/navigation.md index e832b4d..7b0a063 100644 --- a/navigation.md +++ b/navigation.md @@ -68,6 +68,7 @@ * [How to Contribute](references/contribute.md) * [Links](references/links.md) + * [Network Ports](references/ports.md) * [Unix Rosetta Stone](references/rosetta.htm) [gimmick:themechooser](Wiki Theme)
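Review bot: in the `@@ -94,18 +94,18 @@` hunk, `Foundation Fieldbus HSETCP/1089-1091` keeps the missing separator between the protocol name and the port spec (`Foundation Fieldbus HSE: TCP/1089-1091, UDP/1089-1091`), and the context line `ROC PLus` is still misspelled; both are one-word fixes that belong in a hunk already touching these lines. The subject line "Done" also says nothing about what changed; a subject in the style of the rest of the series, such as "Use hyphenated ranges in SCADA list, reorder Interesting Port Ranges", would help anyone reading the log.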