Port Numbers Quiz -- Ports Every Security Engineer Should Know
2025-12-17
admin
Why Port Numbers Are More Than Just Memorization ## Why Port Numbers Matter for Security Engineers ## Real-World Scenario: The Telnet Disaster ## The 10 Ports You MUST Memorize ## Critical Interview Pattern ## nmap States: Open vs Closed vs Filtered ## The Three States ## 1. "22/tcp open" ## 2. "22/tcp closed" ## 3. "22/tcp filtered" ## Common Interview Trap ## Why You Need This For Your Port Scanner ## Real Interview Questions I've Encountered ## Question 1: Email Security ## Question 2: Privileged Ports ## Question 3: Attack Detection ## How I Finally Memorized All 10 Ports ## The LLM Quiz Method ## The Real-World Association Method ## Comprehensive Port Number Exercises ## Exercise Set 1: Basic Port Identification ## Exercise Set 2: Protocol Specification ## Exercise Set 3: Email Protocol Deep Dive ## Exercise Set 4: nmap State Interpretation ## Exercise Set 5: Security Scenarios ## Exercise Set 6: Advanced Understanding ## Exercise Set 7: Real Interview Questions ## Complete Solutions ## Exercise Set 1: Basic Port Identification ## Exercise Set 2: Protocol Specification ## Exercise Set 3: Email Protocol Deep Dive ## Exercise Set 4: nmap State Interpretation ## Exercise Set 5: Security Scenarios ## Exercise Set 6: Advanced Understanding ## Exercise Set 7: Real Interview Questions ## Build This Into Muscle Memory ## What You'll Learn ## Why This Matters for Your Career ## Next Steps ## Resources for Going Deeper ## Join the Community ## The Bottom Line Port numbers seem like trivia until you're in a Security Engineering interview. Common interview question: "You see traffic on port 3389 from multiple international IPs at 2 AM. What's happening?" If you can't answer instantly, you're done. Here's the truth: Port numbers aren't trivia. They're the language of network security. When you're analyzing logs, investigating incidents, or building security tools, you need to recognize ports instantly. No Googling. No hesitation. 
You see "443" and your brain immediately thinks "HTTPS, encrypted, check the cert." This blog post covers the 10 critical ports that appear in every AppSec interview - plus the nmap concepts that separate junior engineers from seniors. In 2019, a Fortune 500 company got breached because a developer left port 23 (Telnet) open during testing. Cost: $47M in damages + regulatory fines If the security team had known: Port 23 = Telnet = Never use in production = Always SSH (port 22) instead Every Security Engineering interview expects you to know these cold: Interviewers love testing email protocols because most candidates confuse them: ❌ WRONG: "Port 143 is for sending and receiving emails"
✅ RIGHT: "Port 25 (SMTP) sends. Port 110 (POP3) and 143 (IMAP) receive." Here's where junior engineers fail technical screens: misunderstanding nmap output. When you run nmap -p 22 192.168.1.100, you'll see one of three states: Interviewer: "You scan port 23 and see 'closed'. Is this good or bad?" ❌ WRONG: "Bad, the service is refusing connections"
✅ RIGHT: "Good! 'Closed' means nothing is listening. We don't want Telnet running." Why this trips people up: They think "closed" = "broken" when actually "closed" = "secure" Before you can build a production-grade port scanner (Week 6 of most AppSec curricula), you need to understand: Example concept from a port scanner: When you scan a port and find it open, you need to know what service is running: Without knowing port meanings, your scanner is just printing numbers. "Your company uses port 25 for outgoing mail and port 110 for incoming. A user's credentials were compromised. What protocol weakness allowed this?" Answer: Port 110 is POP3, which transmits credentials in plaintext. Should use POP3S (port 995) or IMAP with TLS (port 993) instead.¹ "A developer tries to run a Flask app on port 80 and gets 'Permission denied'. Why?" Answer: Ports below 1024 are privileged ports on Unix/Linux, requiring root. Developer should use port 8080 (non-privileged) for development.² "You see unusual traffic on port 3389 from 50 different IPs at 3 AM. What's happening?" Answer: Port 3389 is RDP (Remote Desktop Protocol). This is likely a brute force attack or credential stuffing attempt. Should block the IPs, enable account lockout policies, and never expose RDP directly to internet. Use an LLM like Claude, ChatGPT, or Gemini to quiz you interactively: Advanced LLM prompts: Port 443 (HTTPS): Every website you visit securely
Port 22 (SSH): Every time you ssh to a server
Port 3389 (RDP): Every Windows remote desktop session
Port 25 (SMTP): Every email you SEND
Port 110/143: Every email you RECEIVE Challenge yourself: Try to complete all 40 exercises WITHOUT looking at the solutions. This is exactly how interviews work - no Googling, no hints, just your knowledge. These exercises mirror real Security Engineering interview questions. Try them without Googling - that's exactly how you'll be tested in interviews. Answer in format: Port X - Service - TCP/UDP: True or False: IMAP can send emails. True or False: SMTP can receive emails. Which protocol is used to SEND emails from your client to a mail server?
a) POP3
b) IMAP
c) SMTP
d) SSH Which protocols are used to RECEIVE emails from a mail server? (Select all that apply)
a) SMTP (port 25)
b) POP3 (port 110)
c) IMAP (port 143)
d) All of the above Complete the email flow: Your company email uses port 25 for outgoing mail and port 143 for incoming mail. What's the main difference between POP3 and IMAP in how they handle emails on the server? You run nmap -p 3389 10.0.0.5 and get "3389/tcp closed"
What does this mean?
a) RDP service is running but refusing connections
b) Nothing is listening on port 3389
c) A firewall is blocking the scan
d) The RDP service crashed Which nmap state indicates "nothing is listening on this port"?
a) open
b) closed
c) filtered
d) refused You're securing a server. You run nmap and see "23/tcp closed" for Telnet. Is this good or bad? Match each scenario to the correct nmap state: Options: open, closed, filtered True or False: If nmap shows "closed", you should investigate because something suspicious is happening. Rank these nmap states from MOST secure to LEAST secure:
____ → ____ → ____ Options: open, closed, filtered You scan port 22 on three servers: Which server has SSH definitely NOT running? You capture network traffic and see connections to port 110. The data appears to be plaintext email credentials. What protocol is being used, and what secure alternative should be recommended? An application developer wants to run their development web server on port 80. Why might this be problematic on a Unix/Linux system? You need to verify that Telnet (port 23) is actually closed. Write the exact nmap command to scan ONLY port 23 on IP address 192.168.1.100. You run the command from question 28 and see "23/tcp closed". Does this mean port 23 is secure? Explain the difference between "closed" and "filtered" in nmap output. Which protocol on port 23 should never be used in production and why? Why does SMTP (port 25) use TCP instead of UDP? Why does DNS (port 53) need both TCP and UDP capabilities? A security consultant recommends "security through obscurity" by running SSH on port 2222 instead of port 22. What are the pros and cons of this approach? True or False: If a service runs on port 443, the traffic is automatically encrypted and secure. Explain your answer. On Unix/Linux systems, which ports require root/superuser privileges to bind? (Give the range) Your company email uses port 25 for outgoing mail and port 110 for incoming. A user's credentials were compromised. What protocol weakness allowed this? A developer tries to run python3 app.py to start a Flask web server on port 80 and gets "Permission denied." What's the problem and how can they fix it without using sudo? You see unusual traffic on port 3389 from multiple international IP addresses at 2 AM. What type of attack is likely occurring? FTP uses two ports - what are they and what is each used for? A web application is accessible on port 8080 instead of the standard port. How can you determine if it's HTTP or HTTPS? 
Scroll down for complete solutions → Key insight: Port 53 (DNS) is the ONLY port in this list that uses both TCP and UDP. All others use TCP only. False - IMAP cannot send emails. Only SMTP sends emails. False - SMTP cannot receive emails. Only POP3 and IMAP receive emails. c) SMTP - SMTP is used to SEND emails from your client to a mail server. b) and c) - POP3 (port 110) and IMAP (port 143) receive emails. SMTP (port 25) only sends. Complete the email flow: Your company email uses port 25 for outgoing mail and port 143 for incoming mail: What's the main difference between POP3 and IMAP in how they handle emails on the server? Critical distinction: SMTP sends (push), POP3/IMAP receive (pull). You cannot use IMAP or POP3 to send emails! b) Nothing is listening on port 3389 b) closed - The "closed" state means nothing is listening on the port. Match scenarios to nmap states: False - If nmap shows "closed", this is GOOD. It means nothing is listening on that port. You should NOT investigate unless you expected a service to be running there. Rank from MOST secure to LEAST secure:
closed → filtered → open Server B - When nmap shows "closed", it definitively means SSH is NOT running. Server A has SSH open. Server C is ambiguous (firewall blocking). Common mistake: Many people think "closed" means "something is wrong" when actually "closed" means "secure - nothing listening." Plaintext credentials on port 110: Why port 80 is problematic on Unix/Linux: Is "23/tcp closed" secure? YES! Telnet (port 23) should never be used in production because: Why SMTP uses TCP instead of UDP: Why DNS needs both TCP and UDP: Running SSH on port 2222 (security through obscurity): False: Port 443 does NOT automatically mean secure Privileged ports on Unix/Linux: Credential compromise with port 110: Flask app on port 80 gets "Permission denied": Traffic on port 3389 from multiple international IPs at 2 AM: Determining if port 8080 is HTTP or HTTPS: Here's my challenge: Complete the 40 exercises above until you score 100%. Then, take it further with my LeetCode-style port scanner exercise with 60+ test cases covering: ⭐️ Star the repo to save it for your interview prep: github.com/fosres/AppSec-Exercises The exercise includes: After completing the 40 exercises in this blog post plus the port scanner coding challenge: Entry-level AppSec roles expect: Senior AppSec roles expect: The difference between levels? Seniors don't just know port 22 is SSH - they know: That knowledge starts with mastering the basics: these 10 ports. Week 1 study guide: Available in my AppSec curriculum repo - includes 15-hour learning path with labs. Building AppSec skills? Let's learn together: Goal: Create the best open source AppSec training platform - curated secure coding exercises that teach AI models (and engineers) to write secure code. Port numbers aren't memorization busywork. They're the fundamental vocabulary of network security. Many engineers learn this the hard way in technical interviews: you can't Google your way through a security screen. Master these 10 ports. 
Understand nmap states. Build the muscle memory. Your next interview will thank you. Did this help you? Star the AppSec-Exercises repo and share with someone preparing for AppSec interviews! Next in the series: "Building Your First Port Scanner: From Socket Basics to Production Tool" Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse CODE_BLOCK:
Quiz me on the 10 common port numbers used in Security Engineering:
22, 23, 25, 53, 80, 110, 143, 443, 3389, and 20/21. Ask me 5 random questions at a time. After I answer, tell me which ones I got wrong and quiz me again on those specific ports until I get 100%. Enter fullscreen mode Exit fullscreen mode CODE_BLOCK:
Quiz me on the 10 common port numbers used in Security Engineering:
22, 23, 25, 53, 80, 110, 143, 443, 3389, and 20/21. Ask me 5 random questions at a time. After I answer, tell me which ones I got wrong and quiz me again on those specific ports until I get 100%. CODE_BLOCK:
Quiz me on the 10 common port numbers used in Security Engineering:
22, 23, 25, 53, 80, 110, 143, 443, 3389, and 20/21. Ask me 5 random questions at a time. After I answer, tell me which ones I got wrong and quiz me again on those specific ports until I get 100%. CODE_BLOCK:
Give me realistic Security Engineering interview scenarios involving ports 22, 3389, and 110. Include security implications. Enter fullscreen mode Exit fullscreen mode CODE_BLOCK:
Give me realistic Security Engineering interview scenarios involving ports 22, 3389, and 110. Include security implications. CODE_BLOCK:
Give me realistic Security Engineering interview scenarios involving ports 22, 3389, and 110. Include security implications. CODE_BLOCK:
I keep confusing SMTP, POP3, and IMAP. Quiz me specifically on email protocols until I can explain the difference perfectly. Enter fullscreen mode Exit fullscreen mode CODE_BLOCK:
I keep confusing SMTP, POP3, and IMAP. Quiz me specifically on email protocols until I can explain the difference perfectly. CODE_BLOCK:
I keep confusing SMTP, POP3, and IMAP. Quiz me specifically on email protocols until I can explain the difference perfectly. CODE_BLOCK:
SENDING: Your client → _____ (port ___) → Mail server
RECEIVING: Your client ← _____ or _____ (port ___ or ___) ← Mail server CODE_BLOCK:
SENDING: Your client → _____ (port ___) → Mail server
RECEIVING: Your client ← _____ or _____ (port ___ or ___) ← Mail server CODE_BLOCK:
SENDING: Your client → SMTP (port 25) → Mail server
RECEIVING: Your client ← POP3 or IMAP (port 110 or 143) ← Mail server CODE_BLOCK:
SENDING: Your client → SMTP (port 25) → Mail server
RECEIVING: Your client ← POP3 or IMAP (port 110 or 143) ← Mail server CODE_BLOCK:
nmap -p 23 192.168.1.100 CODE_BLOCK:
nmap -p 23 192.168.1.100 - Scanned for open port 23
- Connected and saw plaintext credentials in transit
- Gained admin access to production systems
- Exfiltrated 2TB of customer data - SMTP (port 25) = Postal truck (delivers mail TO mailbox)
- POP3 (port 110) = Take mail, empty mailbox
- IMAP (port 143) = View mail, keep in mailbox - Meaning: Service is listening and accepting connections
- Action: Investigate further (is SSH configured securely?)
- Interview answer: "Port is open, I'd verify SSH key-only auth and check for weak ciphers" - Meaning: Nothing is listening, host responded with RST (reset) packet
- Action: This is GOOD - port is secure
- Interview answer: "Port is closed, no service running, this is the desired state" - Meaning: Firewall blocked the scan, can't determine if open/closed
- Action: Ambiguous - could be secure or could be hiding something
- Interview answer: "Firewall is blocking, need different scan techniques or access" - What you're scanning for - these 10 common ports
- What the results mean - open/closed/filtered states
- What to do next - security implications of each finding - Port 22 open → Investigate SSH configuration (key-only auth? weak ciphers?)
- Port 3389 open → Investigate RDP exposure (should never be on internet)
- Port 23 open → CRITICAL - Telnet should NEVER be running - Adaptive learning - focuses on your weak areas
- Instant feedback - no waiting to flip cards
- Variety - LLM can ask questions in different ways
- Scalable - can quiz on 10 ports or 100 ports
- Interview simulation - mirrors actual interview questioning - 35-40 correct: Interview ready ✅
- 28-34 correct: Almost there - review weak areas
- 20-27 correct: Solid foundation - needs more practice
- < 20 correct: Focus on fundamentals first - Port ____: HTTP
- Port ____: HTTPS
- Port ____: SSH
- Port ____: RDP (Remote Desktop Protocol)
- Port ____: FTP (two port numbers)
- Port ____: Telnet
- Port ____: SMTP
- Port ____: DNS
- Port ____: POP3
- Port ____: IMAP - Port 20/21: ____ - ____
- Port 22: ____ - ____
- Port 23: ____ - ____
- Port 25: ____ - ____
- Port 53: ____ - ____
- Port 80: ____ - ____
- Port 110: ____ - ____
- Port 143: ____ - ____
- Port 443: ____ - ____
- Port 3389: ____ - ____ - True or False: IMAP can send emails.
- True or False: SMTP can receive emails.
- Which protocol is used to SEND emails from your client to a mail server?
a) POP3
b) IMAP
c) SMTP
d) SSH
- Which protocols are used to RECEIVE emails from a mail server? (Select all that apply)
a) SMTP (port 25)
b) POP3 (port 110)
c) IMAP (port 143)
d) All of the above
- Fill in the blanks: To SEND an email: Use ____ protocol on port ____
To RECEIVE an email: Use ____ or ____ protocols on ports ____ or ____
- To SEND an email: Use ____ protocol on port ____
- To RECEIVE an email: Use ____ or ____ protocols on ports ____ or ____
- Complete the email flow: SENDING: Your client → _____ (port ___) → Mail server
RECEIVING: Your client ← _____ or _____ (port ___ or ___) ← Mail server
- Your company email uses port 25 for outgoing mail and port 143 for incoming mail. Outgoing uses: ____ protocol
Incoming uses: ____ protocol
- Outgoing uses: ____ protocol
- Incoming uses: ____ protocol
- What's the main difference between POP3 and IMAP in how they handle emails on the server? POP3: ____
IMAP: ____ - To SEND an email: Use ____ protocol on port ____
- To RECEIVE an email: Use ____ or ____ protocols on ports ____ or ____ - Outgoing uses: ____ protocol
- Incoming uses: ____ protocol - You run nmap -p 3389 10.0.0.5 and get "3389/tcp closed"
What does this mean?
a) RDP service is running but refusing connections
b) Nothing is listening on port 3389
c) A firewall is blocking the scan
d) The RDP service crashed
- Which nmap state indicates "nothing is listening on this port"?
a) open
b) closed
c) filtered
d) refused
- You're securing a server. You run nmap and see "23/tcp closed" for Telnet. Is this good or bad? Good or Bad: ____
Why: ____
- Good or Bad: ____
- Match each scenario to the correct nmap state: SSH service is running and accepting connections: ____
Nothing is listening on the port, host responded with RST: ____
Firewall dropped the packet, nmap can't tell: ____ Options: open, closed, filtered
- SSH service is running and accepting connections: ____
- Nothing is listening on the port, host responded with RST: ____
- Firewall dropped the packet, nmap can't tell: ____
- True or False: If nmap shows "closed", you should investigate because something suspicious is happening.
- Rank these nmap states from MOST secure to LEAST secure:
____ → ____ → ____ Options: open, closed, filtered
- You scan port 22 on three servers: Server A: "22/tcp open"
Server B: "22/tcp closed" Server C: "22/tcp filtered" Which server has SSH definitely NOT running?
- Server A: "22/tcp open"
- Server B: "22/tcp closed"
- Server C: "22/tcp filtered" - Good or Bad: ____ - SSH service is running and accepting connections: ____
- Nothing is listening on the port, host responded with RST: ____
- Firewall dropped the packet, nmap can't tell: ____ - Server A: "22/tcp open"
- Server B: "22/tcp closed"
- Server C: "22/tcp filtered" - You capture network traffic and see connections to port 110. The data appears to be plaintext email credentials. What protocol is being used, and what secure alternative should be recommended? Protocol being used: ____
Secure alternative protocol: ____
Secure alternative port: ____
- Protocol being used: ____
- Secure alternative protocol: ____
- Secure alternative port: ____
- An application developer wants to run their development web server on port 80. Why might this be problematic on a Unix/Linux system?
- You need to verify that Telnet (port 23) is actually closed. Write the exact nmap command to scan ONLY port 23 on IP address 192.168.1.100.
- You run the command from question 28 and see "23/tcp closed". Does this mean port 23 is secure? Explain the difference between "closed" and "filtered" in nmap output.
- Which protocol on port 23 should never be used in production and why? - Protocol being used: ____
- Secure alternative protocol: ____
- Secure alternative port: ____ - Why does SMTP (port 25) use TCP instead of UDP?
- Why does DNS (port 53) need both TCP and UDP capabilities?
- A security consultant recommends "security through obscurity" by running SSH on port 2222 instead of port 22. What are the pros and cons of this approach?
- True or False: If a service runs on port 443, the traffic is automatically encrypted and secure. Explain your answer.
- On Unix/Linux systems, which ports require root/superuser privileges to bind? (Give the range) - Your company email uses port 25 for outgoing mail and port 110 for incoming. A user's credentials were compromised. What protocol weakness allowed this?
- A developer tries to run python3 app.py to start a Flask web server on port 80 and gets "Permission denied." What's the problem and how can they fix it without using sudo?
- You see unusual traffic on port 3389 from multiple international IP addresses at 2 AM. What type of attack is likely occurring?
- FTP uses two ports - what are they and what is each used for?
- A web application is accessible on port 8080 instead of the standard port. How can you determine if it's HTTP or HTTPS? - Port 80: HTTP
- Port 443: HTTPS
- Port 22: SSH
- Port 3389: RDP (Remote Desktop Protocol)
- Port 20, 21: FTP (two port numbers)
- Port 23: Telnet
- Port 25: SMTP
- Port 53: DNS
- Port 110: POP3
- Port 143: IMAP - Port 20/21: FTP - TCP
- Port 22: SSH - TCP
- Port 23: Telnet - TCP
- Port 25: SMTP - TCP
- Port 53: DNS - TCP/UDP
- Port 80: HTTP - TCP
- Port 110: POP3 - TCP
- Port 143: IMAP - TCP
- Port 443: HTTPS - TCP
- Port 3389: RDP - TCP - False - IMAP cannot send emails. Only SMTP sends emails.
- False - SMTP cannot receive emails. Only POP3 and IMAP receive emails.
- c) SMTP - SMTP is used to SEND emails from your client to a mail server.
- b) and c) - POP3 (port 110) and IMAP (port 143) receive emails. SMTP (port 25) only sends.
- Fill in the blanks: To SEND an email: Use SMTP protocol on port 25 To RECEIVE an email: Use POP3 or IMAP protocols on ports 110 or 143
- To SEND an email: Use SMTP protocol on port 25
- To RECEIVE an email: Use POP3 or IMAP protocols on ports 110 or 143
- Complete the email flow: SENDING: Your client → SMTP (port 25) → Mail server
RECEIVING: Your client ← POP3 or IMAP (port 110 or 143) ← Mail server
- Your company email uses port 25 for outgoing mail and port 143 for incoming mail: Outgoing uses: SMTP protocol
Incoming uses: IMAP protocol
- Outgoing uses: SMTP protocol
- Incoming uses: IMAP protocol
- What's the main difference between POP3 and IMAP in how they handle emails on the server? POP3: Downloads emails to your device and typically deletes them from the server IMAP: Syncs emails with your device and keeps them on the server permanently
- POP3: Downloads emails to your device and typically deletes them from the server
- IMAP: Syncs emails with your device and keeps them on the server permanently - To SEND an email: Use SMTP protocol on port 25
- To RECEIVE an email: Use POP3 or IMAP protocols on ports 110 or 143 - Outgoing uses: SMTP protocol
- Incoming uses: IMAP protocol - POP3: Downloads emails to your device and typically deletes them from the server
- IMAP: Syncs emails with your device and keeps them on the server permanently - b) Nothing is listening on port 3389 "closed" means the host responded with a RST (reset) packet
This indicates no service is running on that port
This is the SECURE state you want
- "closed" means the host responded with a RST (reset) packet
- This indicates no service is running on that port
- This is the SECURE state you want
- b) closed - The "closed" state means nothing is listening on the port.
- Good or Bad: Good Why: "Closed" means nothing is listening on port 23. Since Telnet (port 23) should never be used in production due to plaintext transmission, having it closed is exactly what you want.
- Why: "Closed" means nothing is listening on port 23. Since Telnet (port 23) should never be used in production due to plaintext transmission, having it closed is exactly what you want.
- Match scenarios to nmap states: SSH service is running and accepting connections: open Nothing is listening on the port, host responded with RST: closed Firewall dropped the packet, nmap can't tell: filtered
- SSH service is running and accepting connections: open
- Nothing is listening on the port, host responded with RST: closed
- Firewall dropped the packet, nmap can't tell: filtered
- False - If nmap shows "closed", this is GOOD. It means nothing is listening on that port. You should NOT investigate unless you expected a service to be running there.
- Rank from MOST secure to LEAST secure:
closed → filtered → open closed = Nothing listening (most secure) filtered = Can't tell due to firewall (ambiguous) open = Service listening (investigate further)
- closed = Nothing listening (most secure)
- filtered = Can't tell due to firewall (ambiguous)
- open = Service listening (investigate further)
- Server B - When nmap shows "closed", it definitively means SSH is NOT running. Server A has SSH open. Server C is ambiguous (firewall blocking). - "closed" means the host responded with a RST (reset) packet
- This indicates no service is running on that port
- This is the SECURE state you want - Why: "Closed" means nothing is listening on port 23. Since Telnet (port 23) should never be used in production due to plaintext transmission, having it closed is exactly what you want. - SSH service is running and accepting connections: open
- Nothing is listening on the port, host responded with RST: closed
- Firewall dropped the packet, nmap can't tell: filtered - closed = Nothing listening (most secure)
- filtered = Can't tell due to firewall (ambiguous)
- open = Service listening (investigate further) - Plaintext credentials on port 110: Protocol being used: POP3 Secure alternative protocol: POP3S Secure alternative port: 995 (or use IMAP with TLS on port 993)
- Protocol being used: POP3
- Secure alternative protocol: POP3S
- Secure alternative port: 995 (or use IMAP with TLS on port 993)
- Why port 80 is problematic on Unix/Linux: Ports below 1024 are privileged ports that require root/superuser privileges to bind
Running a development server with root privileges is a security risk (unnecessary privilege escalation) Solution: Use port 8080 (non-privileged) for development, or use containers
- Ports below 1024 are privileged ports that require root/superuser privileges to bind
- Running a development server with root privileges is a security risk (unnecessary privilege escalation)
- Solution: Use port 8080 (non-privileged) for development, or use containers
- Exact nmap command: nmap -p 23 192.168.1.100
- Is "23/tcp closed" secure? YES! "closed" means nothing is listening on the port - the host responded with RST (reset)
This is GOOD - it confirms Telnet is not running "filtered" means a firewall dropped the packet - we can't tell if service is running or not Key difference: "closed" is definitive (no service), "filtered" is ambiguous (can't tell)
- "closed" means nothing is listening on the port - the host responded with RST (reset)
- This is GOOD - it confirms Telnet is not running
- "filtered" means a firewall dropped the packet - we can't tell if service is running or not
- Key difference: "closed" is definitive (no service), "filtered" is ambiguous (can't tell)
- Telnet (port 23) should never be used in production because: Transmits all data (including credentials) in plaintext No encryption whatsoever
Trivial for attackers to intercept credentials via packet sniffing Always use SSH (port 22) instead - provides encrypted communication
- Transmits all data (including credentials) in plaintext
- No encryption whatsoever
- Trivial for attackers to intercept credentials via packet sniffing
- Always use SSH (port 22) instead - provides encrypted communication - Protocol being used: POP3
- Secure alternative protocol: POP3S
- Secure alternative port: 995 (or use IMAP with TLS on port 993) - Ports below 1024 are privileged ports that require root/superuser privileges to bind
- Running a development server with root privileges is a security risk (unnecessary privilege escalation)
- Solution: Use port 8080 (non-privileged) for development, or use containers - "closed" means nothing is listening on the port - the host responded with RST (reset)
- This is GOOD - it confirms Telnet is not running
- "filtered" means a firewall dropped the packet - we can't tell if service is running or not
- Key difference: "closed" is definitive (no service), "filtered" is ambiguous (can't tell) - Transmits all data (including credentials) in plaintext
- No encryption whatsoever
- Trivial for attackers to intercept credentials via packet sniffing
- Always use SSH (port 22) instead - provides encrypted communication - Why SMTP uses TCP instead of UDP: Email delivery requires reliability - messages cannot be lost
TCP provides: Guaranteed delivery (retransmission of lost packets)
Ordered delivery (messages arrive in correct sequence)
Error checking (corrupted packets detected and resent) UDP would risk losing emails entirely, which is unacceptable for messaging
- Email delivery requires reliability - messages cannot be lost
- TCP provides: Guaranteed delivery (retransmission of lost packets)
Ordered delivery (messages arrive in correct sequence)
Error checking (corrupted packets detected and resent)
- Guaranteed delivery (retransmission of lost packets)
- Ordered delivery (messages arrive in correct sequence)
- Error checking (corrupted packets detected and resent)
- UDP would risk losing emails entirely, which is unacceptable for messaging
- Why DNS needs both TCP and UDP: UDP (default): Fast, connectionless queries for normal DNS lookups under 512 bytes TCP: Used for: Zone transfers between DNS servers
Responses larger than 512 bytes UDP provides speed for common queries, TCP provides reliability for large transfers
- UDP (default): Fast, connectionless queries for normal DNS lookups under 512 bytes
- TCP: Used for: Zone transfers between DNS servers
Responses larger than 512 bytes
- Zone transfers between DNS servers
- Responses larger than 512 bytes
- UDP provides speed for common queries, TCP provides reliability for large transfers
- Running SSH on port 2222 (security through obscurity): Pros: Reduces automated bot scans targeting default port 22
May reduce noise in logs from random scans
Can be part of defense-in-depth strategy Cons: Not a substitute for real security (strong keys, key-only auth, fail2ban)
Determined attackers will still find it (port scans)
Adds operational complexity (need to document non-standard port)
Security through obscurity is NOT a security control Verdict: Can be useful as one layer, but never rely on it alone
- Pros: Reduces automated bot scans targeting default port 22
May reduce noise in logs from random scans
Can be part of defense-in-depth strategy
- Reduces automated bot scans targeting default port 22
- May reduce noise in logs from random scans
- Can be part of defense-in-depth strategy
- Cons: Not a substitute for real security (strong keys, key-only auth, fail2ban)
Determined attackers will still find it (port scans)
Adds operational complexity (need to document non-standard port)
Security through obscurity is NOT a security control
- Not a substitute for real security (strong keys, key-only auth, fail2ban)
- Determined attackers will still find it (port scans)
- Adds operational complexity (need to document non-standard port)
- Security through obscurity is NOT a security control
- Verdict: Can be useful as one layer, but never rely on it alone
- False: port 443 does NOT automatically mean secure
  - Just because a service runs on port 443 doesn't guarantee encryption
  - You must verify with: openssl s_client -connect example.com:443
  - Scenarios where port 443 ≠ secure:
    - Misconfigured TLS (weak ciphers, expired certificates)
    - Self-signed certificates (MITM vulnerability)
    - TLS stripping attacks
    - HTTP running on port 443 (non-standard but possible)
  - Always verify - don't assume based on port alone
- Privileged ports on Unix/Linux:
  - Ports < 1024 (ports 0-1023) require root/superuser privileges to bind
  - This is a security feature to prevent unprivileged users from running potentially malicious services on well-known ports
  - Ports ≥ 1024 can be bound by any user
- Credential compromise with port 110:
  - Port 110 is POP3, which transmits credentials in plaintext
  - This protocol weakness allowed credential interception
  - Fix: use POP3S (port 995) or IMAP with TLS (port 993)
- Flask app on port 80 gets "Permission denied":
  - Problem: port 80 is a privileged port (< 1024) requiring root privileges
  - Solutions without sudo:
    - Run on port 8080 (recommended for dev): python3 app.py --port 8080
    - Use setcap (advanced): sudo setcap cap_net_bind_service=+ep /usr/bin/python3
    - Use containers (Docker/Podman), which handle port mapping
  - Never run development servers with sudo - unnecessary privilege escalation
- Traffic on port 3389 from multiple international IPs at 2 AM:
  - Port 3389 is RDP (Remote Desktop Protocol)
  - This pattern indicates a brute force attack or credential stuffing
  - Response:
    - Block the attacking IPs immediately
    - Enable account lockout policies
    - Never expose RDP directly to the internet (use a VPN)
    - Check for any successful authentications
    - Review logs for compromise indicators
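The 2 AM RDP pattern above written as detection logic, an added example that is not part of the original article: it groups off-hours connections to port 3389 by external source IP and alerts when several distinct sources hit it within the same hour. The log line format, the thresholds and the 10.x "internal" prefix are constructed for the example.

```python
"""Detect the 'port 3389 from many IPs at 2 AM' pattern in connection logs.

Added example, not from the original article. The log format, thresholds and
the 10.x internal prefix are constructed; adapt LINE_RE to your own export.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: firewall accept lines (timestamp, source, destination port).
SAMPLE_LOG = """\
2025-12-17T02:01:11 src=203.0.113.10 dport=3389 action=ACCEPT
2025-12-17T02:01:14 src=203.0.113.10 dport=3389 action=ACCEPT
2025-12-17T02:01:20 src=198.51.100.7 dport=3389 action=ACCEPT
2025-12-17T02:02:03 src=192.0.2.44 dport=3389 action=ACCEPT
2025-12-17T02:02:09 src=192.0.2.44 dport=3389 action=ACCEPT
2025-12-17T02:03:31 src=198.51.100.9 dport=3389 action=ACCEPT
2025-12-17T02:04:00 src=203.0.113.10 dport=443 action=ACCEPT
2025-12-17T09:15:00 src=10.0.0.5 dport=3389 action=ACCEPT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+)")
RDP_PORT = 3389
OFF_HOURS = range(0, 6)        # 00:00-05:59 local time: no legitimate RDP expected
MIN_DISTINCT_SOURCES = 3       # several sources on one login service = spray/brute force
INTERNAL_PREFIX = "10."        # constructed: treat 10.x as internal, not an attacker

def parse(log_text):
    """Yield (datetime, src, dport) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])

def rdp_alerts(log_text):
    """Return {hour: sorted external source IPs} for hours that trip the rule.

    Only off-hours RDP connections from external sources count; an hour is
    flagged once MIN_DISTINCT_SOURCES different IPs have connected in it.
    """
    sources_by_hour = defaultdict(set)
    for ts, src, dport in parse(log_text):
        if dport == RDP_PORT and ts.hour in OFF_HOURS and not src.startswith(INTERNAL_PREFIX):
            sources_by_hour[ts.replace(minute=0, second=0)].add(src)
    return {hour: sorted(ips) for hour, ips in sources_by_hour.items()
            if len(ips) >= MIN_DISTINCT_SOURCES}

if __name__ == "__main__":
    for hour, ips in rdp_alerts(SAMPLE_LOG).items():
        print(f"ALERT {hour:%Y-%m-%d %H:00}: RDP from {len(ips)} external sources: {ips}")
```

The alert is the trigger for the response list above: block, check for successful logons in the same window, then review for compromise indicators.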
- FTP uses two ports:
  - Port 21: FTP control/command channel (authentication, directory navigation, file commands)
  - Port 20: FTP data channel (actual file transfer)
  - Think of it: port 21 is the "brain" (commands), port 20 is the "muscle" (data)
- Determining if port 8080 is HTTP or HTTPS:
  - You CANNOT definitively tell from the port number alone
  - Port 8080 is conventionally used for HTTP, but it's not guaranteed
  - How to actually determine:
    - Check the URL scheme: http:// vs https://
    - Use curl -I http://example.com:8080 to inspect headers
    - Use nmap with SSL detection: nmap -p 8080 --script ssl-enum-ciphers <target>
    - Use Wireshark - HTTP shows plaintext, HTTPS shows encrypted TLS records
  - Key principle: conventions ≠ guarantees. Always verify.
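The port 443 and port 8080 answers come down to the same check: look at what is on the wire, not at the port. The following is an added example (not code from the original article) that classifies a connection's first bytes as a TLS handshake record or plaintext HTTP, the way Wireshark would show it, and compares that with what the port conventionally implies; the byte samples and the convention table are constructed.

```python
"""Classify a connection's first bytes as TLS or plaintext HTTP, so the
question "is this 443/8080 service actually encrypted?" is answered by the
wire, not by convention. Added example, not from the original article;
all sample byte strings and the CONVENTION table are constructed."""

# Port conventions the article lists: expectations, not guarantees.
CONVENTION = {80: "http-plaintext", 8080: "http-plaintext",
              443: "tls", 993: "tls", 995: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def classify_first_bytes(data):
    """Return 'tls', 'http-plaintext' or 'unknown' for the first segment seen.

    A TLS session opens with a handshake record: content type 0x16, a 2-byte
    legacy version 0x03 0x00..0x04 (SSLv3 through the TLS 1.3 wire value), a
    2-byte length, then handshake type 0x01 (ClientHello) or 0x02 (ServerHello).
    Plaintext HTTP opens with an ASCII request line or an 'HTTP/1.x' status line.
    """
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] in (0x01, 0x02)):
        return "tls"
    if data.startswith(HTTP_METHODS) or data.startswith(b"HTTP/1."):
        return "http-plaintext"
    return "unknown"

def check_port_assumption(port, data):
    """Compare what the port conventionally implies with what the bytes show.

    Returns (assumption_holds, observed). False on port 443 means something
    other than TLS is running where encryption was assumed; ports with no
    entry in CONVENTION never 'hold', because there is nothing to assume.
    """
    observed = classify_first_bytes(data)
    return CONVENTION.get(port) == observed, observed

# Constructed samples: a ClientHello record header (TLS 1.2/1.3 style), a
# plaintext GET, a plaintext status line, and an SSH banner as "something else".
CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
PLAIN_STATUS = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
OTHER = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    for port, sample in ((443, CLIENT_HELLO), (443, PLAIN_GET),
                         (8080, PLAIN_GET), (8080, CLIENT_HELLO)):
        holds, seen = check_port_assumption(port, sample)
        print(f"port {port}: saw {seen:15} assumption {'holds' if holds else 'FAILS'}")
```

The bytes can come from a pcap or a server's reply to a probe; the point is that an encrypted-looking port number proves nothing until the record header or the plaintext request line is actually observed.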
- ✅ Port number identification
- ✅ Protocol distinction (TCP vs UDP)
- ✅ nmap output interpretation
- ✅ Security implications of each service
- ✅ Real-world attack scenarios

- 60 comprehensive test cases (not just 10 basic ones)
- Instant feedback with colored output (✅/❌)
- Progressive hints based on your score
- Real interview questions from top security companies

- ✅ Instant port recognition (no Googling)
- ✅ Understand TCP vs UDP trade-offs
- ✅ Interpret nmap output like a senior engineer
- ✅ Explain security implications in interviews
- ✅ Build production-grade security tools

- Memorization of 10+ common ports
- Understanding of TCP/UDP protocols
- Basic nmap proficiency
- Security implications of each service

- Instant port recognition (20+ ports)
- Advanced nmap techniques (NSE scripts, firewall evasion)
- Custom tool building (port scanners, traffic analyzers)
- Threat modeling from port scan results

- Common SSH misconfigurations (weak ciphers, password auth)
- How to detect SSH brute force attacks
- When to use port knocking or a VPN instead
- How attackers pivot from SSH to lateral movement

- Memorize the 10 ports (use the LLM quiz method above)
- Install nmap (sudo apt install nmap on Linux)
- Scan your local network (legally! only scan systems you own)
- Complete the port scanner exercise (github.com/fosres/AppSec-Exercises)
- Practice explaining out loud (use the "rubber duck" method)

- High Performance Browser Networking (Chapter 2: TCP, Chapter 3: UDP)³
- Omnisecu TCP/IP Tutorial (OSI Model, IP Addressing)³
- Beej's Guide to Network Programming (socket programming)³

- Hacking APIs by Corey Ball (API security fundamentals)
- Full Stack Python Security (web application security)

- 🌟 Star the repo: github.com/fosres/AppSec-Exercises
- 💬 Share your port scanner results in the comments
- 🔥 Follow me on Dev.to for weekly AppSec challenges
- 🐛 Contribute exercises via pull requests

- Week 1 Networking Study Guide - Common Port Numbers Reference
- Beej's Guide to Network Programming - Socket Programming Fundamentals
- High Performance Browser Networking (O'Reilly) - https://hpbn.co/