If you plan to take the Security+ exam, you should have a good understanding of TCP/IP, including the common application protocols and the ports they use. This blog covers many of the application protocols you should understand for the Security+ exam.
Note: This blog is an excerpt from the
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide.
Application Protocols
Many different application protocols are used on the Internet and within an intranet. A common protocol that you probably use frequently is HTTP to access web pages on the Internet. Some of the more commonly used application protocols are:
- HTTP. Hypertext Transfer Protocol is used for web traffic on the Internet and in intranets. Web servers use HTTP to transmit web pages to clients' web browsers. Hypertext Markup Language (HTML) is the common language used to build the web pages. HTTP uses TCP port 80 and sends everything, including any credentials typed into forms and any session cookies, in clear text.
- HTTPS. HTTP Secure protects web traffic by transmitting it in an encrypted format. Web browsers commonly indicate a secure session by displaying a lock icon and showing HTTPS in the URL. HTTPS encrypts HTTP with either SSL or TLS (TLS is the current protocol; the older SSL versions are obsolete and should be disabled on servers) and it uses TCP port 443.
- FTP. File Transfer Protocol uploads and downloads files to and from an FTP server. By default, FTP transmits everything, including the user name and password, in clear text, making it easy for an attacker to capture and read FTP data with a sniffer or protocol analyzer. FTP uses TCP, and in both modes the control connection (commands and replies) is on port 21. In active mode the client sends a PORT command naming a port it is listening on, and the server opens the data connection to that port from its own port 20. In passive mode the client sends PASV, the server replies with a random (ephemeral) port it is listening on, and the client opens the data connection to that port. Passive mode works better through client-side firewalls and NAT because the client initiates both connections.
- SFTP. Secure FTP is the common name for the SSH File Transfer Protocol. Despite the name it is not FTP with encryption added: it is a separate file-transfer protocol that runs as a subsystem of Secure Shell (SSH), so authentication, commands and file contents all travel inside the encrypted SSH session. SFTP uses the SSH port, TCP port 22.
- FTPS. FTP Secure is an extension of FTP that uses SSL or TLS to encrypt the FTP control and data connections. Implicit FTPS starts the SSL/TLS handshake as soon as the connection opens and uses ports 990 (control) and 989 (data). Explicit FTPS connects to the normal port 21 and upgrades the connection with the AUTH TLS command before the client sends its credentials.
- TFTP. Trivial File Transfer Protocol uses UDP and is used to transfer smaller amounts of data, such as configuration files or firmware images, when communicating with network devices. It has no authentication and no encryption. Attackers and malware frequently use TFTP to push tools onto, or pull files off, compromised hosts because it is small and needs no credentials, but it is not an essential protocol and can often be disabled. TFTP uses UDP port 69. In contrast, FTP uses TCP ports 20 and 21.
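To make the active/passive distinction concrete, here is an added Python example (mine, not code from the study guide) that parses the two messages in which an FTP data port is negotiated: the client's PORT command in active mode and the server's 227 reply in passive mode. It walks a control-channel transcript, reports which side opens each data connection, and describes the flow a firewall would have to allow. The session transcript, the host names and the addresses in it are constructed for illustration; the check that a 227 reply names the same host as the control connection is a hardening step a careful client applies, not something the book describes.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

FTP_CONTROL_PORT = 21      # fixed in both modes
FTP_ACTIVE_DATA_PORT = 20  # server-side source port of the data connection in active mode


class DataChannel(NamedTuple):
    mode: str       # "active" (client sent PORT) or "passive" (server sent a 227 reply)
    host: str       # address the data connection is made to
    port: int       # TCP port the data connection is made to
    opened_by: str  # side that initiates the data TCP connection


# Both PORT and the 227 reply carry six comma-separated decimal octets:
# h1,h2,h3,h4,p1,p2  ->  host h1.h2.h3.h4, port p1*256 + p2
_SIX_OCTETS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX_OCTETS + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\(" + _SIX_OCTETS + r"\)")


def _host_port(octets) -> Tuple[str, int]:
    vals = [int(o) for o in octets]
    if any(v > 255 for v in vals):
        raise ValueError(f"octet out of range: {vals}")
    host = ".".join(str(v) for v in vals[:4])
    port = (vals[4] << 8) | vals[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_port_command(line: str) -> DataChannel:
    """Active mode: the client names the port it is listening on; the server
    will connect *to* the client, from server port 20."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = _host_port(m.groups())
    return DataChannel("active", host, port, opened_by="server")


def parse_pasv_reply(line: str, server_host: Optional[str] = None) -> DataChannel:
    """Passive mode: the server names the ephemeral port the client must connect to.
    If server_host is given, a reply naming a different address is refused; a client
    that blindly follows it can be redirected to connect to an arbitrary host."""
    m = PASV_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    host, port = _host_port(m.groups())
    if server_host is not None and host != server_host:
        raise ValueError(f"227 reply points at {host}, but the control connection is to {server_host}")
    return DataChannel("passive", host, port, opened_by="client")


def data_channels(transcript, server_host: Optional[str] = None) -> List[DataChannel]:
    """Walk a control-channel transcript of (direction, line) tuples, where direction
    is "C" for client->server and "S" for server->client, and return every data
    channel negotiated, in order."""
    found = []
    for direction, line in transcript:
        if direction == "C" and line.upper().startswith("PORT "):
            found.append(parse_port_command(line))
        elif direction == "S" and line.startswith("227"):
            found.append(parse_pasv_reply(line, server_host))
    return found


def firewall_flow(ch: DataChannel, client: str, server: str) -> str:
    """Describe the TCP flow a firewall has to permit for this data channel."""
    if ch.mode == "active":
        return f"{server}:{FTP_ACTIVE_DATA_PORT} -> {client}:{ch.port} (inbound to the client)"
    return f"{client}:* -> {server}:{ch.port} (outbound from the client)"


# Constructed sample session (documentation address ranges, not a real capture).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SAMPLE_SESSION = [
    ("S", "220 ftp.example.test FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@example.test"),                          # credentials visible on the wire
    ("S", "230 Login successful."),
    ("C", "PORT 192,0,2,10,4,1"),                              # active: client listens on 192.0.2.10:1025
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
    ("S", "150 Here comes the directory listing."),
    ("S", "226 Directory send OK."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,5,195,80)."),  # passive: 195*256+80 = 50000
    ("C", "RETR notes.txt"),
    ("S", "150 Opening BINARY mode data connection for notes.txt"),
    ("S", "226 Transfer complete."),
]

if __name__ == "__main__":
    for ch in data_channels(SAMPLE_SESSION, server_host=SERVER):
        print(ch.mode, ch.host, ch.port, "opened by", ch.opened_by, "->",
              firewall_flow(ch, CLIENT, SERVER))
```

Run as-is it prints one line per negotiated data channel. The point to take away is that the data port is never fixed on the side that listens for it: a stateless firewall that only permits port 21 will break every transfer, which is why FTP-aware firewalls inspect the PORT and 227 messages exactly as this parser does.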
Remember this
HTTP and HTTPS use ports 80 and 443 and transmit data over the Internet in unencrypted and encrypted formats, respectively. FTP supports uploading and downloading files to and from an FTP server using ports 20 and 21. FTP uses TCP (ports 20 and 21) and TFTP uses UDP (port 69). SFTP is file transfer inside an SSH session and uses port 22. FTPS uses SSL or TLS to encrypt FTP traffic.
- Telnet. Telnet is frequently used to connect to remote systems or network devices over a network. Telnet provides a command line interface, and many administrators use Telnet to connect to routers and make configuration changes. Telnet transmits everything, including the login password, in clear text, making it vulnerable to sniffing attacks. The remedy is not to encrypt Telnet but to replace it with Secure Shell (SSH), a different protocol that provides the same remote command line over an encrypted and authenticated channel. Telnet uses TCP port 23; SSH uses TCP port 22.
- SNMP. Simple Network Management Protocol is used to monitor and manage network devices such as routers or switches. This includes using SNMP to modify the configuration of the devices or have network devices report status back to a central network management system. SNMP agents installed on devices send information to an SNMP manager via notifications known as traps (sometimes called device traps). SNMPv1 authenticates requests with a community string (frequently left at the defaults "public" and "private") that is sent across the network in clear text, and SNMPv2c keeps the same clear-text community strings. Only SNMPv3 adds real security, with per-user authentication and optional encryption, so use SNMPv3 where devices support it and at least change the default community strings where they do not. SNMP agents listen on UDP port 161; managers receive traps on UDP port 162.
- DNS. Domain Name System is a service that resolves host names to IP addresses on the Internet and internal networks. DNS servers host the DNS service and respond to DNS queries. DNS uses port 53: UDP for most queries, and TCP for zone transfers and for responses too large to fit in a single UDP datagram.
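The clear-text community string is easy to see for yourself. The following Python example is added here and is not from the study guide: it hand-encodes an SNMPv1 (or SNMPv2c) GetRequest for sysDescr.0 using the same BER rules every SNMP tool uses, then reads the version and community string straight back out of the raw bytes, which is all a sniffer on the same segment has to do. The packet is built in memory and nothing is sent; the send_get helper is an assumed convenience for trying it against a real agent and is not needed to run the example.

```python
import socket
from typing import Tuple

SNMP_AGENT_PORT = 161   # manager -> agent requests (UDP)
SNMP_TRAP_PORT = 162    # agent -> manager traps (UDP)

# ---- minimal BER (Basic Encoding Rules) encoder, enough for SNMPv1/v2c ----

def ber_len(n: int) -> bytes:
    """Length octets: short form below 128, long form (0x80|count, then the bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (a 0x00 pad keeps positives positive)."""
    n = (value.bit_length() + 8) // 8
    return tlv(0x02, value.to_bytes(n, "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_get(community: str, oid: str, request_id: int, version: int = 0) -> bytes:
    """Build a GetRequest message. version 0 = SNMPv1, 1 = SNMPv2c; both carry the
    community string as a plain OCTET STRING, so it is readable in any capture."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))            # { oid, NULL }
    pdu = tlv(0xA0,                                                 # [0] GetRequest-PDU
              ber_int(request_id) + ber_int(0) + ber_int(0) +       # request-id, error-status, error-index
              tlv(0x30, varbind))                                   # VarBindList
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

# ---- what a sniffer sees: pull version and community back out of the raw bytes ----

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def community_from_packet(packet: bytes) -> Tuple[int, str]:
    """Return (version, community) from a captured SNMPv1/v2c datagram; no key needed."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vval, pos = read_tlv(body, 0)
    ctag, cval, _ = read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected field types")
    return int.from_bytes(vval, "big", signed=True), cval.decode("latin-1")

def send_get(agent_host: str, packet: bytes, timeout: float = 2.0) -> bytes:
    """Assumed helper (not part of the book): send the request to an agent on UDP 161
    and return the raw response. Only for use against a device you are allowed to query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (agent_host, SNMP_AGENT_PORT))
        return s.recvfrom(65535)[0]

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # system description, the classic first query

if __name__ == "__main__":
    pkt = snmp_get("public", SYS_DESCR_0, request_id=1)
    print(pkt.hex())                   # "7075626c6963" = "public" sits in the middle of the hex
    print(community_from_packet(pkt))  # (0, 'public'), recovered with no secret at all
```

The version byte is the only thing that changes between an SNMPv1 and an SNMPv2c request; the community string is in the same place and in the same clear-text form in both, which is why v2c offers no protection against a sniffer and why the "Remember this" advice below is to move to SNMPv3.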
Remember this
Telnet is often used to connect to network devices (such as routers) to make configuration changes. It uses port 23 and sends data in clear text. SSH is the encrypted replacement for Telnet and uses port 22. SNMP monitors and manages network devices such as routers or switches, and SNMP agents report information via notifications known as SNMP traps (also called SNMP device traps). SNMP uses UDP port 161 (agent queries) and 162 (traps), and only SNMPv3 protects the credentials on the wire.
- NetBIOS. Network Basic Input/Output System is a name resolution service for NetBIOS names on internal networks. In contrast, DNS resolves host names on the Internet and internal networks. NetBIOS also includes datagram and session services. NetBIOS uses ports 137 (name service, UDP), 138 (datagram service, UDP) and 139 (session service, TCP); none of them should be reachable from the Internet.
- LDAP. Lightweight Directory Access Protocol is the protocol used to query and modify directories such as Microsoft's Active Directory or Novell's NetWare Directory Services (NDS). LDAP provides a single location for object management and it uses TCP port 389, where a simple bind sends the user's password in clear text. LDAP can be encrypted with either TLS or SSL; encrypted LDAP (LDAPS) uses port 636.
- Kerberos. Kerberos (presented in chapter 1) is the authentication protocol used in Windows domains and some UNIX environments. It uses a Key Distribution Center (KDC) to issue time-stamped tickets, which is why Kerberos clients and servers need closely synchronized clocks. Kerberos uses port 88 (UDP and TCP).
- Microsoft's SQL Server. SQL Server is a server application that hosts databases accessible from web servers and a wide array of applications. SQL Server listens on TCP port 1433 by default; named instances are located through the SQL Server Browser service on UDP port 1434.
- Remote Administration, Terminal Services, or Remote Desktop Services. Remote administration allows a client to remotely access another system. Microsoft previously called this Terminal Services and renamed it Remote Desktop Services in Server 2008 R2. Microsoft's Remote Assistance allows one user to assist another user remotely. Microsoft's Remote Desktop Protocol (RDP) allows an administrator to remotely administer servers from desktop computers. Terminal Services (and Remote Desktop Services) uses TCP port 3389, and Remote Assistance uses the same protocol and port. Port 3389 should not be exposed directly to the Internet, where it draws constant password-guessing attacks; reach it through a VPN or a gateway instead.
Remember this
NetBIOS is used on internal networks and uses ports 137 through 139. Microsoft's SQL Server hosts databases and uses port 1433. Remote Desktop Services uses port 3389. SMTP is used to send e-mail and it uses port 25.