Listen to this Post

Introduction:
In the intricate world of networking, communication relies on a structured language of protocols and numerical gateways known as ports. For cybersecurity professionals, understanding these combinations is not merely academic; it is the foundation of threat modeling, firewall rule configuration, and incident response. While a protocol defines the rules of data transmission, the port acts as the specific endpoint for a service, making this knowledge critical for identifying attack surfaces, troubleshooting connectivity issues during a breach, and ensuring that encrypted services (HTTPS, SSH) are prioritized over their insecure predecessors.
Learning Objectives:
- Understand the functional relationship between core network protocols, their default ports, and transport layer protocols (TCP/UDP).
- Learn to identify and mitigate risks associated with insecure legacy protocols.
- Acquire practical command-line skills for port scanning, service enumeration, and firewall configuration across Linux and Windows environments.
You Should Know:
1. The Web Gateways: HTTP (80/TCP, 443/TCP)
HTTP (Hypertext Transfer Protocol) and HTTPS (HTTP Secure) are the foundation of data communication on the World Wide Web. While HTTP transmits data in plaintext, making it vulnerable to interception, HTTPS wraps this communication in TLS/SSL encryption.
- Why it matters: Any network without forced HTTPS is susceptible to Man-in-the-Middle (MITM) attacks where session cookies or credentials can be stolen (sidejacking).
- Step‑by‑step guide: Testing for HTTPS Enforcement
To verify if a web server is redirecting HTTP traffic to HTTPS, you can use `curl` from a Linux terminal. This simulates a user accessing the site over an insecure connection.Check the response headers of the HTTP endpoint curl -I http://example.com
Look for a `301 Moved Permanently` or `302 Found` response containing `Location: https://example.com…`. If the server responds with a `200 OK` on port 80, the site is serving content over unencrypted HTTP, which is a critical security flaw.
- The Email Backbone & Its Risks: SMTP, POP3, IMAP
Email relies on a trio of protocols: SMTP (Simple Mail Transfer Protocol) for sending (port 25), and POP3 (Post Office Protocol, port 110) or IMAP (Internet Message Access Protocol, port 143) for receiving. The “S” variants (SMTP over SSL on 465, POP3S on 995, IMAPS on 993) add encryption.
- Why it matters: Legacy configurations using standard ports transmit credentials and email bodies in cleartext. Furthermore, open SMTP relays (port 25) are frequently abused by attackers to send spam and phishing emails.
- Step‑by‑step guide: Manual SMTP Enumeration (Telnet)
You can manually connect to an SMTP server to enumerate users (a common recon technique) if the server is misconfigured.On Linux/Windows (if Telnet client is enabled) telnet mail.target-domain.com 25
Once connected, issue the following commands:
HELO test.com MAIL FROM: <a href="mailto:attacker@test.com">attacker@test.com</a> RCPT TO: <a href="mailto:realuser@target-domain.com">realuser@target-domain.com</a>
If the server returns `250 OK` for `RCPT TO` and `550 No such user` for a fake user, you have successfully enumerated a valid email address. Defenders should ensure SMTP servers do not reveal user existence.
- The Administrator’s Dilemma: SSH vs. Telnet (22/TCP & 23/TCP)
SSH (Secure Shell) provides encrypted remote access and command execution, while Telnet offers the same functionality but over an insecure channel. Despite being deprecated for decades, Telnet is sometimes found on legacy networking gear or IoT devices.
- Why it matters: Traffic on port 23 can be fully captured and read by anyone on the same network segment using a packet sniffer, revealing login credentials and configuration changes.
- Step‑by‑step guide: Analyzing Traffic with tcpdump
To demonstrate the danger, a security auditor can capture traffic on a network to see if Telnet credentials are exposed.On a Linux machine, capture traffic on interface eth0 for port 23 sudo tcpdump -i eth0 -A port 23
The `-A` flag prints the packet contents in ASCII. When a user logs in via Telnet, you will see the username and password in plaintext in your terminal. Conversely, capturing traffic on port 22 will show only encrypted, unreadable data.
- The Invisible Enablers: DNS (53/TCP-UDP) and NTP (123/UDP)
DNS (Domain Name System) translates domain names to IP addresses, primarily using UDP for speed, falling back to TCP for large responses. NTP (Network Time Protocol) synchronizes clocks across devices, which is vital for accurate log timestamps during forensic investigations.
- Why it matters: DNS can be hijacked, and NTP can be abused for massive DDoS amplification attacks if servers are misconfigured.
- Step‑by‑step guide: Querying DNS Securely
Using `dig` to query DNS helps verify resolution and spot anomalies (like unexpected IPs) that might indicate DNS cache poisoning.Query a specific DNS server (e.g., Cloudflare's 1.1.1.1) for a record dig @1.1.1.1 google.com A
- Windows Command:
Flush the local DNS cache to prevent poisoning persistence ipconfig /flushdns
5. Network Management & Monitoring: SNMP (161/UDP)
Simple Network Management Protocol (SNMP) is used to collect data from network devices like routers, switches, and printers.
- Why it matters: Older versions (SNMPv1 and v2c) use “community strings” as passwords, which are transmitted in plaintext. A common security misconfiguration is leaving the default read/write community strings (e.g., “public”, “private”) unchanged.
- Step‑by‑step guide: Enumerating SNMP (Linux)
Attackers use tools like `snmpwalk` to query the Management Information Base (MIB) and extract sensitive data about the device.Attempt to query a device using the default public community string snmpwalk -v 2c -c public 192.168.1.1
If successful, this command can reveal running processes, network interfaces, and user accounts. Defenders should disable SNMP if unused, or upgrade to SNMPv3 with authentication and privacy.
6. Hardening the Perimeter: Firewall Rule Design
Understanding ports allows security teams to implement the Principle of Least Privilege at the network layer.
- Step‑by‑step guide: Creating a Basic Stateful Firewall Rule (Linux iptables)
Instead of allowing all traffic, a hardened server should only accept incoming traffic on necessary ports.Allow established/related traffic iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT Allow SSH from a specific management subnet only iptables -A INPUT -p tcp --dport 22 -s 192.168.10.0/24 -j ACCEPT Allow web traffic from anywhere iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT Set default policy to DROP iptables -P INPUT DROP
- Windows PowerShell (Windows Firewall):
Block incoming Telnet traffic New-NetFirewallRule -DisplayName "Block_Telnet_In" -Direction Inbound -LocalPort 23 -Protocol TCP -Action Block
What Undercode Say:
- Key Takeaway 1: Memorizing port numbers is the first step; the critical skill is understanding the security posture of the service running on that port. Knowing that port 143 (IMAP) exists is basic, but knowing that it transmits credentials in plaintext unless upgraded to IMAPS is cybersecurity.
- Key Takeaway 2: Network protocols are living attack surfaces. Legacy protocols like Telnet and SNMPv2c remain in enterprise environments longer than expected, often lurking on printers, IPMI interfaces, or decommissioned servers, providing a stealthy entry point for attackers.
Analysis: The table presented by Er. Afnan Ali serves as a crucial mnemonic device for the IT industry. However, in the current threat landscape, simply opening these ports is negligent without corresponding security controls. For instance, while port 3389 (RDP) is not in the original list, it follows the same logic—it is a management protocol that has been the primary vector for ransomware attacks (e.g., Ryuk) when exposed to the internet without Multi-Factor Authentication or VPNs. The modern professional must view this list not as a configuration checklist, but as a risk register.
Prediction:
As network architectures evolve towards Zero Trust, the traditional model of “trust but verify” based on port numbers will diminish. We will see a significant decline in the use of wide-open ephemeral ports and a rise in port randomization and service anonymity techniques (e.g., Moving Target Defense). Furthermore, with the adoption of DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), standard network monitoring on port 53/UDP will become blind spots, forcing security teams to adapt their detection capabilities to encrypted channels. The future lies not in blocking ports, but in deeply inspecting the traffic that flows through them, regardless of the port number.
▶️ Related Video (90% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Er Afnan – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


