Wednesday 10 February 2010

What are ports? Ports are ports whether it is Windows or Unix.

Let's start with the basics. In the TCP/IP protocol stack, messages associated with the common application protocols that most of us are familiar with — such as HTTP for the Web; SMTP, POP, and IMAP for e-mail; Telnet and SSH for remote logon; and FTP for file transfers — operate over the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP); TCP and UDP messages, in turn, are carried inside Internet Protocol (IP) packets. The primary difference between TCP and UDP is that TCP is connection-oriented and UDP is connectionless. When using TCP, then, two hosts must first establish a logical connection before they can exchange data (analogous to establishing a telephone connection) while hosts using UDP do not require a logical connection before the exchange of information (analogous to sending a letter through the postal service).


Both TCP and UDP employ port numbers to identify the higher layer applications at the hosts that are communicating with each other. End-to-end data communications on the Internet, in fact, are uniquely identified by the transport protocol (TCP or UDP), the source and destination host IP addresses, and the source and destination port numbers.


TCP/IP applications generally employ a client/server model, exemplified by the relationship between your Web client software (i.e., the browser) and a Web server; the user "points" their browser at the Web server, which is usually listening on port 80. Port numbers range from 0 to 65535 (port 0 is reserved and not used as a destination). IANA divides the range into well-known ports (0 to 1023), which are generally assigned to server applications, registered ports (1024 to 49151), and dynamic or private ports (49152 to 65535), which clients typically use as the source port of a connection.

There are a large number of so-called well-known ports, including:
TCP 20 and 21 (File Transfer Protocol, FTP)
TCP 22 (Secure Shell, SSH)
TCP 23 (Telnet)
TCP 25 (Simple Mail Transfer Protocol, SMTP)
TCP and UDP 53 (Domain Name System, DNS)
UDP 69 (Trivial File Transfer Protocol, tftp)
TCP 79 (finger)
TCP 80 (Hypertext Transfer Protocol, HTTP)
TCP 110 (Post Office Protocol v3, POP3)
TCP 119 (Network News Transfer Protocol, NNTP)
UDP 161 and 162 (Simple Network Management Protocol, SNMP; 161 for queries to the agent, 162 for traps)
TCP 443 (HTTP over SSL/TLS, HTTPS)
A complete list of port numbers can be found at the Internet Assigned Numbers Authority (IANA) list of port numbers at http://www.iana.org/assignments/port-numbers.

The next question that arises is how to find out which port is being used, or whether a given port is listening or free.

For Windows, the handiest command is netstat -a (this works for UNIX as well); netstat -ano additionally shows the process ID that owns each socket.
For Linux, apart from netstat -a, there are more:
1. netstat -an | grep 'portnumber' (the pipe goes between netstat and grep; -n prints numeric addresses and ports instead of resolving names, which is faster and avoids DNS lookups)
2. netstat -a | grep 'portnumber'
3. lsof -i :portnumber (for example, lsof -i :80 lists the processes holding TCP or UDP port 80; run it as root to see other users' processes)

A port scanner, most simply, probes a computer system running TCP/IP to determine which TCP and UDP ports are open and listening, which reveals the services that system is offering to other TCP/IP hosts. As an example, you would expect an e-mail server to be listening on the SMTP and POP3 ports, and a Web server to be listening on the HTTP, and perhaps the HTTPS, port. For good or for bad, however, most systems have many more open ports than intended. You can use the netstat -a command (look for sockets in the LISTEN state) to find out which ports are open on a local Linux/Unix or Windows system, but netstat only reports on the machine it runs on; it cannot be used remotely across a network, which is where a port scanner comes in.
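As an added example (not code from the original post), the Python script below puts the two preceding ideas together: it answers "is this port listening or free" locally by trying to bind the port, and it implements the simplest kind of port scanner, a TCP connect scan, by attempting a full connection to each port. To run offline it starts a throwaway listener on 127.0.0.1 (port chosen by the OS) as its own scan target. The port numbers in SAMPLE_PORTS are taken from the well-known and "bad" port lists on this page; their labels are for display only and are an assumption of the example, not a fingerprint of what is actually running.

```python
"""TCP connect scan and local port-availability check (added example).

Standard library only. Starts its own listener on 127.0.0.1 so the demo
runs offline; nothing here is the original post's code.
"""
import socket
import threading

# Constructed sample of ports to probe. Labels come from the well-known and
# "bad" port lists in the post and are for display only (an assumption of
# this example, not service detection).
SAMPLE_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https",
    12345: "NetBus 1.x", 27374: "SubSeven", 31337: "Back Orifice",
}


def is_port_listening(host, port, timeout=0.5):
    """Connect scan of one TCP port: True if the three-way handshake completes.

    connect_ex() returns 0 on success. A closed port answers with a RST
    (ECONNREFUSED) and a filtered port usually just times out; both count as
    "not listening" here, so this does not distinguish closed from filtered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def connect_scan(host, ports, timeout=0.5):
    """Return {port: True/False} for each port in `ports` (a connect scan)."""
    return {port: is_port_listening(host, port, timeout) for port in ports}


def is_local_port_free(port, host="127.0.0.1"):
    """True if we can bind host:port ourselves, i.e. no other socket holds it.

    Local-only equivalent of "is that port listening or free": bind() fails
    with EADDRINUSE when another process is already listening on it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


class Listener:
    """Throwaway TCP server used as the scan target; port 0 lets the OS pick."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))
        self.sock.listen(5)
        self.sock.settimeout(0.1)          # lets the accept loop notice close()
        self.host, self.port = self.sock.getsockname()[:2]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            conn.close()                   # accept the connection, then hang up

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


if __name__ == "__main__":
    target = Listener()
    print(f"test listener on {target.host}:{target.port}")
    print(f"port {target.port} free locally? {is_local_port_free(target.port)}")
    targets = {**SAMPLE_PORTS, target.port: "test listener"}
    for port, is_open in connect_scan("127.0.0.1", targets).items():
        print(f"{port:>5}/tcp {targets[port]:<14} {'open' if is_open else 'closed/filtered'}")
    target.close()
```

A connect scan completes the handshake, so every probe shows up in the target service's logs and connection tables; tools such as nmap default to a half-open SYN scan that sends a RST instead of finishing the handshake, but that needs raw sockets (root). UDP ports cannot be scanned this way at all, since UDP has no handshake: a closed UDP port is usually inferred from an ICMP port-unreachable reply, and an open one from silence or an application-layer response.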

Port scanners can also be used to examine hosts for known Trojan horses, distributed denial-of-service (DDoS) tools, or other malicious services running on a host.
A short list of some of the default "bad" ports (the default listening ports of these tools, which is why scanners check them) is:
1243/tcp: SubSeven server (default for V1.0-2.0)
6346/tcp: Gnutella
6667/tcp: Trinity intruder-to-master and master-to-daemon
6667/tcp: SubSeven server (default for V2.1 Icqfix and beyond)
12345/tcp: NetBus 1.x
12346/tcp: NetBus 1.x
16660/tcp: Stacheldraht intruder-to-master
18753/udp: Shaft master-to-daemon
20034/tcp: NetBus Pro
20432/tcp: Shaft intruder-to-master
20433/udp: Shaft daemon-to-master
27374/tcp: SubSeven server (default for V2.1-Defcon)
27444/udp: Trinoo master-to-daemon
27665/tcp: Trinoo intruder-to-master
31335/udp: Trinoo daemon-to-master
31337/tcp: Back Orifice
33270/tcp: Trinity master-to-daemon
33567/tcp: Backdoor rootshell via inetd (from Lion worm)
33568/tcp: Trojaned version of SSH (from Lion worm)
40421/tcp: Masters Paradise Trojan horse
60008/tcp: Backdoor rootshell via inetd (from Lion worm)
65000/tcp: Stacheldraht master-to-daemon
Source: http://www.garykessler.net/library/bad_ports.html
Courtesy: http://www.garykessler.net/