Module 2.1

Ports and Applications

Each computer has a series of communication points that are called ports. If a computer has a software process — a program — running on it and the program has control of a port and listens to the data sent to it, then the program can be communicated with. The communication follows a protocol, which lists the commands that the program understands.

The other party of the communication can reside on the same machine — another program on the same machine may be the source of a message — or the message can originate from a separate computer. For this to happen, the computer must be connected to a network, which allows computers to exchange data using a data link. The most prominent example of such a network is the internet, which has essentially become ubiquitous during the last decade.

Computers use IP addresses to identify other computers. In principle, each computer that is connected to the internet has an IP address associated with it. An IP address is a set of four numbers between 0 and 255 separated by periods (e.g. 127.0.0.1, which corresponds to your own computer). As there are only 2^32 possible options for the address, these are slowly running short due to the emergence of coffee pots with IP addresses and accompanying software -- the internet of things. A more recent version called IPv6 also exists; it has 2^128 different address possibilities and essentially solves this issue.

Stepping up to the Task

From the programmer's point of view, communication between two computers is done using a socket. A socket is essentially a handle — similar to a file handle — that the programmer can use for both reading and writing. However, instead of working with a file, the "writing" is done to a given port at the remote machine, and "reading" is done from a stream of data that the remote machine sends.

Programming languages typically come with libraries that reduce the amount of code that a programmer must write to achieve a specific task. For example, accessing a remote computer in Python can be done using the socket module. In principle, the programmer only needs to create an instance of socket, connect it to the target (the IP address and the port of the target machine are given as parameters), and then — for example — read the data from the target machine.

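import socket

address = "127.0.0.1"
port = 12321

s = socket.socket()
s.connect((address, port))   # connect takes a single (address, port) tuple
data = s.recv(1024)          # Attempt to read at most 1024 bytes
s.close()                    # Release the socket once done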

The above example will — depending on the target server — throw an exception if the port cannot be connected to. See the Python tutorial on exceptions for how to handle exceptions. Alternatively, you can use connect_ex instead of connect; it returns an error code rather than raising an exception when the connection fails.

Note that the connect parameters are wrapped in an additional pair of parentheses. The reason for this is that connect takes one parameter, and in our case it is a tuple of the form (address, port).

Port scanners are a common tool that security researchers use to identify services available on a given machine. Port scanners work by iterating through a range of ports, and attempting to connect to each of the ports. If a connection is successful, something has responded to the request, and it can be investigated further.
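The loop described above, combined with connect_ex from the earlier paragraph, as an added example that is not part of the original material. It only probes two loopback ports that the example itself sets up; the function names check_port, scan and demo are illustrative.

```python
import socket

def check_port(address, port, timeout=0.5):
    """Return True if a TCP connection to (address, port) is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)  # do not hang on ports that never answer
        try:
            # connect_ex returns 0 on success and an errno value otherwise
            return s.connect_ex((address, port)) == 0
        except OSError:
            # e.g. the host name could not be resolved
            return False

def scan(address, ports, timeout=0.5):
    """Try each port in turn and return the ones that accepted a connection."""
    return [port for port in ports if check_port(address, port, timeout)]

def demo():
    """Scan two loopback ports set up by this example: one open, one closed."""
    listening = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    reserved = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listening.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        listening.listen(5)                # this port now accepts connections
        reserved.bind(("127.0.0.1", 0))    # bound but not listening: refuses
        open_port = listening.getsockname()[1]
        closed_port = reserved.getsockname()[1]
        found = scan("127.0.0.1", [open_port, closed_port])
    finally:
        listening.close()
        reserved.close()
    return open_port, closed_port, found

if __name__ == "__main__":
    open_port, closed_port, found = demo()
    print("open:", open_port, "closed:", closed_port, "scan result:", found)
```

The timeout matters as much as the return code: a firewall that silently drops packets gives no refusal at all, so without it each such port would block the loop until the operating system gives up.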

Note that port scanning can be seen as preparation for a cyber attack. Your internet service provider (ISP) may also have prohibited port scans. Before participating in the following quiz, verify that you are allowed to do so.

Talking with the remote program

If a computer has a port open, the program listening to that port can likely be talked with. One of the simplest ways to try out such a discussion is Telnet, which is available in most operating systems; if not, you can always download e.g. PuTTY (with PuTTY, make sure that your connection type is raw). Modern macOS no longer has built-in Telnet, but you can use netcat (nc) instead.

Telnet connections are made to a specific address and to a specific port. For example, a connection to the F-Secure web server could be initiated through the address f-secure.com and the port 80.

When talking with an application, it is important to know the protocol — discussion format — that the application follows. One such example is the HTTP protocol, which is used by web servers.

The basic command for retrieving the root content from a web-server is as follows.

GET / HTTP/1.1
Host: f-secure.com

In the above example, we first tell the server that we want to get the resource at "/", and that we are following version 1.1 of HTTP. The next line describes the address we want to access — this is entered as servers may host multiple web sites. An HTTP request is ended by two empty lines.

When launching telnet and retrieving the content from the F-Secure site, we see something similar to the following.

username@machine:~$ telnet f-secure.com 80
Trying 104.126.172.25...
Connected to f-secure.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: f-secure.com

HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: http://f-secure.com/fi_FI/
...

In the above example, instead of returning the content of the page, the F-Secure web server asks us to look for the content from the address http://f-secure.com/fi_FI/.
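The same exchange done with a socket instead of Telnet, as an added example that is not part of the original material. So that it runs offline, the client talks to a constructed stand-in server on the loopback interface that replies with the 302 response shown above; the function names are illustrative.

```python
import socket
import threading

# The request from the text; on the wire each line ends with CR LF
REQUEST = b"GET / HTTP/1.1\r\nHost: f-secure.com\r\n\r\n"

def read_head(sock):
    """Read until the empty line that closes the header block (or EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf

def parse_response_head(raw):
    """Return (status_code, reason, headers) parsed from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)            # e.g. HTTP/1.1 302 Moved ...
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names ignore case
    return int(parts[1]), reason, headers

def stand_in_server(listener):
    # Constructed stand-in: answers one request with the reply shown above
    conn, _ = listener.accept()
    with conn:
        read_head(conn)
        conn.sendall(b"HTTP/1.1 302 Moved Temporarily\r\n"
                     b"Server: AkamaiGHost\r\nContent-Length: 0\r\n"
                     b"Location: http://f-secure.com/fi_FI/\r\n\r\n")

def fetch_via_local_server():
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))       # port 0: any free port
        listener.listen(1)
        server = threading.Thread(target=stand_in_server, args=(listener,))
        server.start()
        with socket.socket() as s:
            s.settimeout(2)
            s.connect(listener.getsockname())
            s.sendall(REQUEST)
            result = parse_response_head(read_head(s))
        server.join()
    return result
```

A client that sees a 3xx status code looks up the Location header and repeats the request against that address, which is what a browser does automatically.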
