Port Description From MasterDC Security Alerts


Introduction

MasterDC’s automated monitoring system delivers security alerts to customers, informing them about detected threats and vulnerabilities within the network. Additionally, all provided services are scanned for vulnerabilities.

Each message sent contains the service ID for which the vulnerability is relevant, the IP address, and the number and name of the compromised service port. However, a more detailed description of the individual ports is provided below.

Port Description

Port 17 – Quote of the Day (QOTD) Protocol

This protocol responds to a connection by sending a text string and then closes the connection. The protocol has never been widespread, but its services are still implemented in older operating systems today. Therefore, this is a potentially exploitable vulnerability.

Port 19 – Character Generator (CHARGEN) Protocol

This protocol was designed for testing and debugging. However, it is rarely used due to its vulnerability. A chargen-enabled server responds to an established connection with a stream of random characters that is sent until the connection is terminated. In the case of a UDP connection, a one-time response occurs, and its size can reach up to 512 bytes.

Port 53 – DNS

An open domain name resolver. If DNS resolution is not running on the server on purpose, it is a security risk exploitable in reflection attacks.

Port 69 – Trivial File Transfer Protocol (TFTP)

TFTP is a simpler version of the FTP data transfer protocol. Servers use it to boot diskless stations, terminals, or routers. However, the problem is that TFTP does not use any authentication. Instead, files are publicly available within the network to anyone who requests them.

Port 123 – Network Time Protocol (NTP)

This protocol is designed to synchronise the time between computers and network systems. It also discloses information about the server, which makes it a gateway for attackers. Information collected from this port includes, for example, system uptime, server time, and memory statistics.

Port 137, 138, and 139 – NetBIOS

Network Basic Input/Output System (NetBIOS) is a program that allows applications on different computers to communicate within a LAN (Local Area Network). NetBIOS is also embedded in the Samba package, which can be used over the internet. However, it is suitable for name resolution services, error reporting, or broadcast-type communication to all interfaces on the network.

Port 161 – Simple Network Management Protocol (SNMP)

This protocol was designed for monitoring and remote server management. However, the port itself should only be accessible from specifically allowed sources.

Port 1900 – Universal Plug and Play (UPnP)

The building block of the UPnP protocol is the Simple Service Discovery Protocol (SSDP), created for use in small networks. As a result, whenever a device connects to the network, it can automatically obtain information about the local network, audio systems, and TV or internet gateways. Unfortunately, the insecure protocol version, which comes pre-installed on all devices, is easily exploitable for reflection attacks.

Port 3702 – Web Services Discovery (WSD)

A network protocol designed to discover and locate services. By default, it sends so-called probes to multicast group services that respond directly to the interrogator with a specific return value. Therefore, to avoid network congestion, the target must self-report entering and leaving the network if it wants to be mapped. However, in multicast groups, extreme amplification attacks can be generated this way.

Port 11211 – Memcached

A general-purpose distributed memory caching system that is often used to speed up dynamic, database-driven websites. The system caches data and objects in RAM to reduce the number of reads to an external resource. Unfortunately, the popular mechanism can cause inconsistencies and errors and is often abused to amplify attacks when used incorrectly.

Port 111 – Portmap

The purpose of Remote Procedure Call services (RPC services) is to call and return the port number reserved for the service. However, not all ports are reserved in advance. When an RPC service starts, the individual ports are registered using a port mapper. A port mapper is a program that keeps track of the port numbers used. Upon request, a list of ports is sent to the client, including a list of all consumed services. However, the response contains a lot of easily exploitable information.

Port 389 – Lightweight Directory Access Protocol (LDAP)

LDAP servers have multiple directories and are accessed by many users. Therefore, it is necessary to separate and authenticate each access, which is what an LDAP is used for. However, it is not just about maintaining permissions for specific users but also for groups of users. Furthermore, these rights, permissions, and users are stored in an easy-to-read and editable form. Therefore, external access to LDAP services should always be secured.
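
A local check for the ports described above, as an added example that is not part of the original MasterDC page: it parses the output of `ss -H -tuln` on a Linux server and reports which of the listed ports are bound to a non-loopback address. The sample output is constructed, and the function names are hypothetical.

```python
import ipaddress

# Ports and names taken from the port descriptions on this page.
ALERT_PORTS = {
    17: "QOTD", 19: "CHARGEN", 53: "DNS", 69: "TFTP", 111: "Portmap",
    123: "NTP", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS",
    161: "SNMP", 389: "LDAP", 1900: "UPnP/SSDP", 3702: "WSD",
    11211: "Memcached",
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      1024       127.0.0.1:11211      0.0.0.0:*
udp   UNCONN 0      0               [::]:111           [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
udp   UNCONN 0      0                  *:1900             *:*
udp   UNCONN 0      0         192.0.2.10:161        0.0.0.0:*
"""

def split_local(field):
    """Split the ss 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface scope, IPv6 brackets
    return addr, int(port)

def is_loopback(addr):
    """True only for loopback binds; '*' means every interface."""
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback

def exposed_alert_ports(ss_output):
    """Return (proto, address, port, name) for alert ports bound off-loopback."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("udp", "tcp"):
            continue
        addr, port = split_local(fields[4])
        if port in ALERT_PORTS and not is_loopback(addr):
            findings.add((fields[0], addr, port, ALERT_PORTS[port]))
    return sorted(findings, key=lambda f: (f[2], f[0], f[1]))

if __name__ == "__main__":
    for proto, addr, port, name in exposed_alert_ports(SAMPLE_SS_OUTPUT):
        print(f"{proto}/{port} ({name}) listening on {addr}")
```

A port reported here is bound to a routable or wildcard address; whether it is reachable from outside still depends on the firewall in front of the server.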

