Question about ports??

Robbo777 Member Posts: 331
Hi, so I had a question about ports. Basically I ran Advanced Port Scanner on my PC and it said that my router had only ports 53 and 80 open and my actual PC had every known port up to 65000+ blocked, yet I can still access the internet for HTTP and HTTPS etc... I ran Wireshark and it showed that the packets are going to the respective web pages (Google etc.) on ports 443, 80 etc. as destination ports and the regular 1000+ numbered local port as the source port. I don't know if Advanced Port Scanner is just wrong here, but I went on other websites and asked if port 80 was open and it said NO! This is really confusing, perhaps someone can shed some light on this confusing situation???


Cheers

Comments

  • OctalDump Member Posts: 1,722
    So, when your PC makes a connection to a server, it will connect TO one of the well known or registered ports, eg when it connects to a webserver it will connect to port 80 (or 443 in the case of HTTPS). Now, that connection will come FROM a random high port on your computer (eg 62891). Your computer is clever enough to track what connections are open. So when the web server responds to your computer to send the web page, it will send it back to the FROM port (eg 62891). The source (from) and destination (to) ports are in the header of each UDP or TCP packet, which you will be able to see with Wireshark.

    Your router will also be clever enough to track sources and destinations, ie Established connections. This means that it will allow traffic back in to a port from the server, since it knows that there is established communication between your computer and that server on those particular ports. But if another computer was to try to connect to the same port on your computer, it would be rejected because the source IP would be wrong (unless they are spoofing).

    The easiest way to check if a server is listening on a particular TCP port is to try telnetting to that port, eg telnet Free MCTS MCITP CCNA CISSP and Network+ practice exams, study notes and forums 80
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777 Member Posts: 331
    OctalDump wrote: »
    So, when your PC makes a connection to a server, it will connect TO one of the well known or registered ports, eg when it connects to a webserver it will connect to port 80 (or 443 in the case of HTTPS). Now, that connection will come FROM a random high port on your computer (eg 62891). Your computer is clever enough to track what connections are open. So when the web server responds to your computer to send the web page, it will send it back to the FROM port (eg 62891). The source (from) and destination (to) ports are in the header of each UDP or TCP packet, which you will be able to see with Wireshark.

    Your router will also be clever enough to track sources and destinations, ie Established connections. This means that it will allow traffic back in to a port from the server, since it knows that there is established communication between your computer and that server on those particular ports. But if another computer was to try to connect to the same port on your computer, it would be rejected because the source IP would be wrong (unless they are spoofing).

    The easiest way to check if a server is listening on a particular TCP port is to try telnetting to that port, eg telnet Free MCTS MCITP CCNA CISSP and Network+ practice exams, study notes and forums 80

    Thanks for the reply, but I was wondering if you had a thought on the sort of things I mentioned in my first post as well? Is it just Advanced Port Scanner that is wrong, or is it something else I am missing too? I have no idea why the software and websites would suggest that ports are closed when they must be open because they're being used.

    Also, would you be able to confirm I have an understanding of how ports all work as well with my explanation now too?
    So basically a PC wants to connect to Google, it will send the packet via a source port on the PC which could be a high number around 3000 with a destination port of 443 (and that would be the port on the server's side, so it doesn't matter if 443 is closed on my PC as well?). The server on the other side sees the request and destination port and if the port is open on the server side then the packet will be accepted. The traffic is then sent back through the same source port it has in the packet from the original PC and is able to pass through the firewall because of "stateful remembering"??


    Thanks
  • OctalDump Member Posts: 1,722
    So, are you scanning a webserver with a port scanner and it is saying that port 80 is closed on the webserver? Or are you trying to scan your router/computer from a server on the internet?
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777 Member Posts: 331
    OctalDump wrote: »
    So, are you scanning a webserver with a port scanner and it is saying that port 80 is closed on the webserver? Or are you trying to scan your router/computer from a server on the internet?

    The latter, and it'll say that literally every port I type in is closed, and when I use Advanced Port Scanner on my local PC to scan all the devices on my local network it will say all the devices on there have all 65000 ports closed and the router has only ports 80 and 53 open. Slightly confusing haha.
  • OctalDump Member Posts: 1,722
    So, from your internal network you see that the router has port 80 and 53 responding. This is very likely because your router is providing DNS (port 53) and a web management console. These are likely only available on the inside (LAN) network. If you scanned your router from outside (the internet) you would expect that no ports would be open.

    This won't affect your ability to connect from your computer out to the internet, since the connection is going the other way. Established traffic will be passed by the router.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777 Member Posts: 331
    OctalDump wrote: »
    So, from your internal network you see that the router has port 80 and 53 responding. This is very likely because your router is providing DNS (port 53) and a web management console. These are likely only available on the inside (LAN) network. If you scanned your router from outside (the internet) you would expect that no ports would be open.

    This won't affect your ability to connect from your computer out to the internet, since the connection is going the other way. Established traffic will be passed by the router.

    Right, I think I understand a bit more now. Feel free to correct me, but for example would HTTPS traffic be achieved this way.... wanting to connect to Google, my computer crafts a packet and puts the source port as a high number that we mentioned and the destination port as 443, so that 443 must be open at Google's end for the packet to work?

    Also, why would my router be providing a web management console etc... and how does traffic still travel if all ports are closed except for 53 and 80 (how are the high source ports available when they're blocked as well, or am I mixing it up here and are those ports closed for people coming from the outside of the network?).

    Thanks, this is all really helpful if a bit repetitive for you, sorry.
  • OctalDump Member Posts: 1,722
    Robbo777 wrote: »
    Right, I think I understand a bit more now. Feel free to correct me, but for example would HTTPS traffic be achieved this way.... wanting to connect to Google, my computer crafts a packet and puts the source port as a high number that we mentioned and the destination port as 443, so that 443 must be open at Google's end for the packet to work?

    Yep, that's correct.
    Robbo777 wrote: »
    Also, why would my router be providing a web management console etc... and how does traffic still travel if all ports are closed except for 53 and 80 (how are the high source ports available when they're blocked as well, or am I mixing it up here and are those ports closed for people coming from the outside of the network?).

    Well, open a browser and put in the IP address of your router. It will likely give you a page to log into to configure the router.
    Traffic will still flow, because the destination address is somewhere else. The router simply 'routes' the packet to the destination. It doesn't need to worry about what ports are involved unless firewalls or NAT are involved, and then it only needs to apply the appropriate firewall rules and keep track of established traffic.

    The ports being closed on the router means that the router itself won't respond to queries on that port, in most cases because no service is running on that port. The router often provides a limited number of features, like responding to pings, DNS resolution, DHCP and a management interface via telnet, ssh and/or http/https, and usually these are just available on the "inside" of the router. So to provide those features, those ports need to be open on the router, on the interface (inside or outside) which needs them.
    Robbo777 wrote: »
    Thanks, this is all really helpful if a bit repetitive for you, sorry.

    It's helpful for me, too, to explain this. It helps me get it all straight in my head. Like they say, if you can't explain something you don't fully understand it.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777 Member Posts: 331
    OctalDump wrote: »

    Well, open a browser and put in the IP address of your router. It will likely give you a page to log into to configure the router.
    Traffic will still flow, because the destination address is somewhere else. The router simply 'routes' the packet to the destination. It doesn't need to worry about what ports are involved unless firewalls or NAT are involved, and then it only needs to apply the appropriate firewall rules and keep track of established traffic.

    The ports being closed on the router means that the router itself won't respond to queries on that port, in most cases because no service is running on that port. The router often provides a limited number of features, like responding to pings, DNS resolution, DHCP and a management interface via telnet, ssh and/or http/https, and usually these are just available on the "inside" of the router. So to provide those features, those ports need to be open on the router, on the interface (inside or outside) which needs them.

    The only thing I don't understand now, I suppose, is this: if you say the router won't respond on ports that aren't open, how does it respond to or "let in" responses from the respective connections, which reply with a high-numbered destination port that came from the PC originally? If these ports are closed on the router (and the local PC for that matter), then how does the router accept them?

    You've been really helpful here as well!
  • OctalDump Member Posts: 1,722
    Robbo777 wrote: »
    The only thing I don't understand now, I suppose, is this: if you say the router won't respond on ports that aren't open, how does it respond to or "let in" responses from the respective connections, which reply with a high-numbered destination port that came from the PC originally? If these ports are closed on the router (and the local PC for that matter), then how does the router accept them?

    You've been really helpful here as well!

    The router can accept these because it knows that they aren't addressed to the router. It won't open the envelope to read the letter and follow the instructions. It just passes the envelope on to the computer. The computer can then decide if it will read the letter, throw it away, or return to send "not known at this address".
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777 Member Posts: 331
    OctalDump wrote: »
    The router can accept these because it knows that they aren't addressed to the router. It won't open the envelope to read the letter and follow the instructions. It just passes the envelope on to the computer. The computer can then decide if it will read the letter, throw it away, or return to send "not known at this address".


    Ah right, so what would happen if the destination port was 22 for the local PC? Would the router accept that as well because it's not addressed to the router? Also, if there is not one port open on the local PC, then how does the PC accept an incoming packet with a destination port of whatever... 4000 for example?
  • OctalDump Member Posts: 1,722
    So, if the router is just a router, then yes the router accepts the packet and passes it onto the local PC. If the PC does not have ports open, then it will reject the packet. However, if it is an established conversation eg the PC had completed a TCP handshake and given the destination the source address, then the PC is listening on that port for packets from that destination. So, it would appear closed to other computers, but open to the computer it had initiated the conversation with. How the computer actually deals with a packet to a port that isn't open depends on some factors, like if it has a firewall running, and the configuration of the TCP/IP stack on the computer. It might just drop the packet, or it might send an ICMP message back to the source saying "this port is unreachable on this host". This is what your port scanner is listening for. Depending on the exact response, the port scanner might be able to tell you interesting things about the host, including what version of a service is running and what the OS probably is.

    However, there is a complication in practice in all of this, which is that home routers are nearly always also doing NAT/PAT and might also have a firewall running. NAT/PAT translates internal, private/non-routable addresses (like 192.168.x.x) into a public IP address. In practice this means that to the outside world, all your internal traffic appears to be coming directly from the router. All the traffic sent into your network is actually sent to the public IP address of the router. The router running NAT/PAT keeps track of the conversations: who has sent what from what port, and where replies need to go. This also means that if you don't have an established conversation and the router receives a packet, it won't know what to do with it unless you have told it.

    So, if you had a server (a computer running a service) inside your network with a private address listening on port 22, for it to be reachable through NAT/PAT, you would need to tell the router - if you get a packet for port 22 then forward it to this private address. You could have many different computers inside your network, each running different services, and configure different translations in the router for each port eg send all traffic for port 22 to 192.168.1.87, send all traffic for port 25 to 192.168.1.20, send all traffic for port 80 to 192.168.1.6. From the internet, it looks like all these services are actually on the same device (your router), but your router is just passing on the traffic according to the rules you have given it.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777 Member Posts: 331
    OctalDump wrote: »
    So, if the router is just a router, then yes the router accepts the packet and passes it onto the local PC. If the PC does not have ports open, then it will reject the packet. However, if it is an established conversation eg the PC had completed a TCP handshake and given the destination the source address, then the PC is listening on that port for packets from that destination. So, it would appear closed to other computers, but open to the computer it had initiated the conversation with. How the computer actually deals with a packet to a port that isn't open depends on some factors, like if it has a firewall running, and the configuration of the TCP/IP stack on the computer. It might just drop the packet, or it might send an ICMP message back to the source saying "this port is unreachable on this host". This is what your port scanner is listening for. Depending on the exact response, the port scanner might be able to tell you interesting things about the host, including what version of a service is running and what the OS probably is.

    However, there is a complication in practice in all of this, which is that home routers are nearly always also doing NAT/PAT and might also have a firewall running. NAT/PAT translates internal, private/non-routable addresses (like 192.168.x.x) into a public IP address. In practice this means that to the outside world, all your internal traffic appears to be coming directly from the router. All the traffic sent into your network is actually sent to the public IP address of the router. The router running NAT/PAT keeps track of the conversations: who has sent what from what port, and where replies need to go. This also means that if you don't have an established conversation and the router receives a packet, it won't know what to do with it unless you have told it.

    So, if you had a server (a computer running a service) inside your network with a private address listening on port 22, for it to be reachable through NAT/PAT, you would need to tell the router - if you get a packet for port 22 then forward it to this private address. You could have many different computers inside your network, each running different services, and configure different translations in the router for each port eg send all traffic for port 22 to 192.168.1.87, send all traffic for port 25 to 192.168.1.20, send all traffic for port 80 to 192.168.1.6. From the internet, it looks like all these services are actually on the same device (your router), but your router is just passing on the traffic according to the rules you have given it.

    Very clear and useful information dude, thanks!!

    One more thing then, I suppose. When you mentioned that all the traffic that needs to be routed BACK to the local PC, say from Google, because of NAT the source address doesn't apply, it's the address of the router, so how does that work in terms of how the packet is formed? Does the router add another address on top of it, such as the router address as well as the address of the local PC, or is the router address added on at the ISP end? Otherwise Google couldn't get back to the local PC?
  • OctalDump Member Posts: 1,722
    The router will keep track of the traffic by port number. There are 65,535 ports. If two different computers want to use the same source port, then the router will translate one of them to a different port.

    Say your router is 8.8.8.8, and computer 1 is 192.168.1.20 and computer 2 is 192.168.1.25. 192.168.1.20 connects to Google on port 443, and sets its source port as 50123. The computer sends it to the default gateway, NAT/PAT will change the IP address to 8.8.8.8 and if port 50123 is not currently in use, will keep that. The router then remembers that when it gets a response from Google on port 50123, that it needs to change the destination address to 192.168.1.20.

    Computer 2 then connects to a mail server on the internet on port 993, and by coincidence also chooses port 50123 as its source port. The packet arrives at the NAT/PAT in the router, which realises port 50123 is already in use, so it changes the source port to 50124 and changes the source IP address to 8.8.8.8. The mail server responds, sending back to 8.8.8.8 on port 50124, and the NAT/PAT then changes the destination address AND destination port.

    So using NAT/PAT, the packet coming back from the internet to the router running NAT/PAT will always have the NAT/PAT public address, and might keep or change the port. The server on the internet only needs to know how to reach your router running NAT/PAT, and then NAT/PAT will translate to the devices inside your network.

    This is different from regular routing, where neither the port nor the IP address will change.
    2017 Goals - Something Cisco, Something Linux, Agile PM
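    The translation table OctalDump walks through above, together with the "established traffic" check from earlier in the thread, as an added Python model (not code from the forum): the router keeps a public-port mapping, renumbers a colliding source port (50123 to 50124), lets a reply through only from the peer the inside host actually talked to, drops anything unsolicited, and applies a static port-forward rule for inbound port 22. The 192.0.2.x / 203.0.113.x / 198.51.100.x addresses are constructed placeholders for the outside hosts; 8.8.8.8 and the 192.168.1.x hosts are the ones used in the post.

```python
from dataclasses import dataclass

# Constructed example, not code from the thread. Router public IP and inside
# addresses follow OctalDump's post; the remote servers use RFC 5737
# documentation addresses as placeholders.
PUBLIC_IP = "8.8.8.8"
WEB_SERVER = "192.0.2.10"      # stands in for "Google"
MAIL_SERVER = "203.0.113.20"   # stands in for the IMAP server on 993
OUTSIDER = "198.51.100.7"      # some unrelated host on the internet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Source NAT with port translation plus a stateful inbound check."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        # public port -> (inside ip, inside port, remote ip, remote port)
        self.table = {}
        # static port forwards: public port -> (inside ip, inside port)
        self.forwards = {}

    def add_forward(self, public_port, inside_ip, inside_port):
        self.forwards[public_port] = (inside_ip, inside_port)

    def _pick_public_port(self, wanted):
        # Keep the host's own source port if it is free; otherwise walk up to
        # the next unused one (the 50123 -> 50124 case in the thread).
        port = wanted
        while port in self.table or port in self.forwards:
            port += 1
            if port > 65535:
                raise RuntimeError("no free public ports")
        return port

    def outbound(self, pkt):
        """Translate a LAN -> internet packet and record the mapping."""
        inside = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == inside:            # existing conversation: reuse mapping
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self._pick_public_port(pkt.src_port)
        self.table[pub_port] = inside
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an internet -> LAN packet, or return None to drop it."""
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            inside_ip, inside_port, remote_ip, remote_port = entry
            # Stateful check: only the peer the inside host talked to may use
            # this mapping; anyone else hitting the same port is rejected.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
            return None
        if pkt.dst_port in self.forwards:
            inside_ip, inside_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        return None     # no conversation, no rule: the router drops it


def run_thread_example():
    """Replays the thread's scenario; returns what each packet became."""
    router = NatRouter(PUBLIC_IP)
    router.add_forward(22, "192.168.1.87", 22)   # "send port 22 to 192.168.1.87"
    out1 = router.outbound(Packet("192.168.1.20", 50123, WEB_SERVER, 443))
    out2 = router.outbound(Packet("192.168.1.25", 50123, MAIL_SERVER, 993))
    reply1 = router.inbound(Packet(WEB_SERVER, 443, PUBLIC_IP, 50123))
    reply2 = router.inbound(Packet(MAIL_SERVER, 993, PUBLIC_IP, 50124))
    # An unrelated host aiming at the mapped port: wrong source, so dropped.
    stray = router.inbound(Packet(OUTSIDER, 443, PUBLIC_IP, 50123))
    # Unsolicited packet to a port with no state and no forward: dropped.
    unsolicited = router.inbound(Packet(OUTSIDER, 40000, PUBLIC_IP, 4000))
    # Unsolicited packet to port 22: delivered to the forward target.
    ssh = router.inbound(Packet(OUTSIDER, 40001, PUBLIC_IP, 22))
    dst = lambda p: None if p is None else (p.dst_ip, p.dst_port)
    return {
        "out1": (out1.src_ip, out1.src_port),
        "out2": (out2.src_ip, out2.src_port),
        "reply1": dst(reply1), "reply2": dst(reply2),
        "stray": dst(stray), "unsolicited": dst(unsolicited), "ssh": dst(ssh),
    }
```

    Call run_thread_example() to see each translation; the stray and unsolicited entries come back as None, which is the "closed to other computers, open to the one it talked to" behaviour described earlier.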
  • Robbo777 Member Posts: 331
    OctalDump wrote: »
    The router will keep track of the traffic by port number. There are 65,535 ports. If two different computers want to use the same source port, then the router will translate one of them to a different port.

    Say your router is 8.8.8.8, and computer 1 is 192.168.1.20 and computer 2 is 192.168.1.25. 192.168.1.20 connects to Google on port 443, and sets its source port as 50123. The computer sends it to the default gateway, NAT/PAT will change the IP address to 8.8.8.8 and if port 50123 is not currently in use, will keep that. The router then remembers that when it gets a response from Google on port 50123, that it needs to change the destination address to 192.168.1.20.

    Computer 2 then connects to a mail server on the internet on port 993, and by coincidence also chooses port 50123 as its source port. The packet arrives at the NAT/PAT in the router, which realises port 50123 is already in use, so it changes the source port to 50124 and changes the source IP address to 8.8.8.8. The mail server responds, sending back to 8.8.8.8 on port 50124, and the NAT/PAT then changes the destination address AND destination port.

    So using NAT/PAT, the packet coming back from the internet to the router running NAT/PAT will always have the NAT/PAT public address, and might keep or change the port. The server on the internet only needs to know how to reach your router running NAT/PAT, and then NAT/PAT will translate to the devices inside your network.

    This is different from regular routing, where neither the port nor the IP address will change.


    Thank you very much, you've been really really helpful here dude :)

    So, just out of curiosity now more than anything because this is interesting, say if someone obtained my public IP and port 80 is open on the router side, what could someone potentially do with that if anything?
  • OctalDump Member Posts: 1,722
    Robbo777 wrote: »
    So, just out of curiosity now more than anything because this is interesting, say if someone obtained my public IP and port 80 is open on the router side, what could someone potentially do with that if anything?

    It depends what is running on port 80, what is responding. If it was the admin console for the router, then probably it would have some kind of exploitable vulnerability, in which case they could change the DNS servers to redirect you to malicious websites, or possibly alter the routing table to pass all traffic through a device they control to sniff traffic.

    If it's a web server like IIS or Apache in a default configuration, then there might also exist some exploit which could lead to them having root access on the computer running the web server.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777 Member Posts: 331
    OctalDump wrote: »
    It depends what is running on port 80, what is responding. If it was the admin console for the router, then probably it would have some kind of exploitable vulnerability, in which case they could change the DNS servers to redirect you to malicious websites, or possibly alter the routing table to pass all traffic through a device they control to sniff traffic.

    If it's a web server like IIS or Apache in a default configuration, then there might also exist some exploit which could lead to them having root access on the computer running the web server.


    I'm not quite sure what you mean by "running" on port 80. How could the admin console run on port 80? Is it kind of like when you mention a web server running, you mean you have a server in your network that operates on port 80?

    In theory couldn't you just block every port on the router and have servers in the network with their local ports open to specific traffic?

    If port 22 was open on a router, would that mean that if I knew the public IP I could initiate a connection with that router via ssh if I knew the password, or if there wasn't a password on the for example also?
  • OctalDump Member Posts: 1,722
    Robbo777 wrote: »
    I'm not quite sure what you mean by "running" on port 80. How could the admin console run on port 80? Is it kind of like when you mention a web server running, you mean you have a server in your network that operates on port 80?

    Applications can be bound to sockets (a combination of IP and Port), and then take input from those sockets, a bit like a command line. So if you have a service running on port 80, it means that you have an application listening for input on port 80. If it's a web server, then the input it is listening for is HTTP. If it gets a message on that port, then it will process the message and do something (usually respond with a web page to the client).
    Robbo777 wrote: »
    In theory couldn't you just block every port on the router and have servers in the network with their local ports open to specific traffic?
    Yes. The router doesn't need to be doing anything besides routing. If you were using a Cisco router, you could close all the ports and manage it using a console cable via a serial port on a computer.

    Robbo777 wrote: »
    If port 22 was open on a router, would that mean that if I knew the public IP I could initiate a connection with that router via ssh if I knew the password, or if there wasn't a password on the for example also?

    Yes. Although SSH also allows a setup which uses keys rather than passwords, so you would need to have the key in that case.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777 Member Posts: 331
    Oh right, so ports can be open both ways? For example in the example before, if port 22 was open on the OUTSIDE interface of the router then someone could connect etc... but it can be closed on the outside and open on the INSIDE for internal users to potentially connect to?

    Thanks again
  • TechGuru80 Member Posts: 1,539
    Your computer doesn't just sit there with open ports...if there isn't a service running why would there be a port in use? For instance, on a web server when I scan I will see port 80 open because that service is running. Related to security, when you harden a system you are removing unnecessary services because those ports are open and not needed...thus decreasing the attack surface. This is a little different than network appliances allowing traffic through certain ports.

    Try using the netstat command on your computer and you can see open ports (more importantly listening or established connections).
  • Robbo777 Member Posts: 331
    TechGuru80 wrote: »
    Your computer doesn't just sit there with open ports...if there isn't a service running why would there be a port in use? For instance, on a web server when I scan I will see port 80 open because that service is running. Related to security, when you harden a system you are removing unnecessary services because those ports are open and not needed...thus decreasing the attack surface. This is a little different than network appliances allowing traffic through certain ports.

    Try using the netstat command on your computer and you can see open ports (more importantly listening or established connections).


    I understand what you're saying, but that wasn't exactly what I asked in my last question. I was wondering if the same port can be open and closed at the same time on different interfaces? For example, the INSIDE could have port 22 access while the OUTSIDE interface wouldn't be able to see port 22 open or have access to it?

    Also! Is that what the port scan is seeing when I scan, because I'm obviously on the INSIDE of my network? That all ports are closed on all devices and that only 80 and 53 are open, and when I scan from the internet port 80 etc... are all shut?
  • OctalDump Member Posts: 1,722
    Robbo777 wrote: »
    Oh right, so ports can be open both ways? For example in the example before, if port 22 was open on the OUTSIDE interface of the router then someone could connect etc... but it can be closed on the outside and open on the INSIDE for internal users to potentially connect to?

    Thanks again

    Yes. A port is associated with an IP address, so that it can be open on an 'inside' IP address, and closed on an 'outside' IP address.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777 Member Posts: 331
    OctalDump wrote: »
    Yes. A port is associated with an IP address, so that it can be open on an 'inside' IP address, and closed on an 'outside' IP address.


    Thanks very much for all your help