Open Ports Changing

  1. #21
    SBTlauien African Astronaut
    Originally posted by TreyGowdy When you connect to a website at say niggasin.space:80 (wtf lanny no ssl?), your computer will pick a random source port to use. I don't know how it works, but these don't show up as open. I'm not really sure how it works and how these don't show open but still receive packets.

    Actually, they do show up as open in /proc/net/{tcp, tcp6}, not with 'netstat' though.

    It appears as if the browser checks to make sure the port isn't already open and then uses it. It also seems that browsers like to start in the 5xxx range. "Keep-alive" will actually use the same port for multiple requests, up to a specific time (this is based on the server and I read somewhere that there is a general time limit but can't remember. It's like 10 seconds or something).

    I've since made my program so that I can press a little play button and it'll refresh the contents of the four files (/proc/net/{tcp, tcp6, udp, udp6}) and keep track of what is opening and what is closing. I just don't understand why there is so much activity even though I'm not doing anything.
  2. #22
    TreyGowdy Houston
    Originally posted by SBTlauien Actually, they do show up as open in /proc/net/{tcp, tcp6}, not with 'netstat' though.

    It appears as if the browser checks to make sure the port isn't already open and then uses it. It also seems that browsers like to start in the 5xxx range. "Keep-alive" will actually use the same port for multiple requests, up to a specific time (this is based on the server and I read somewhere that there is a general time limit but can't remember. It's like 10 seconds or something).

    I've since made my program so that I can press a little play button and it'll refresh the contents of the four files (/proc/net/{tcp, tcp6, udp, udp6}) and keep track of what is opening and what is closing. I just don't understand why there is so much activity even though I'm not doing anything.

    I see it in both... Either way it is being used, but I wouldn't consider it open. I have tons of established connections to remote servers, none of these ever show up in nmap or other scans. And the ports in question are only apparent when scanning locally. I still would guess a partial connection from scan1 is being completed by scan2. I could be wrong, I really don't know what types of guards are in place to prevent this. The host, source, and destination, would be good, the only check is the packet isn't corrupted.
  3. #23
    -SpectraL coward [the spuriously bluish-lilac bushman]
    The local ports are sequentially opened, starting from whatever, right up to 65535, but usually not that high.
  4. #24
    SBTlauien African Astronaut
    Originally posted by -SpectraL The local ports are sequentially opened, starting from whatever, right up to 65535, but usually not that high.

    On my phone they skip a few ports each time.
  5. #25
    sudo rm -rf /
  6. #26
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Originally posted by SBTlauien On my phone they skip a few ports each time.

    That way, a possible attacker cannot predict which port will be opened next.
  7. #27
    SBTlauien African Astronaut
    Originally posted by Hash Slinging Slasher sudo rm -rf /

    Damn you!
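
Added example, not part of any post in this thread: a small parser for the /proc/net/tcp and /proc/net/tcp6 layout that diffs two snapshots and separates LISTEN sockets (what a remote scan can find) from the ephemeral source ports of established outbound connections. The function names and the two snapshots are constructed for illustration, and a little-endian host is assumed for the address decoding.

```python
import ipaddress

# Hex codes from the "st" column; only 0A (LISTEN) accepts new inbound connections.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed snapshots in /proc/net/tcp layout (trailing columns trimmed).
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue\n"
SNAP_1 = HEADER + (
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000\n"
    "   1: 0A01A8C0:C350 0A6433C6:0050 01 00000000:00000000\n")
SNAP_2 = HEADER + (
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000\n"
    "   1: 0A01A8C0:C352 0A6433C6:01BB 01 00000000:00000000\n")

def decode_endpoint(field):
    """'0100007F:0277' -> ('127.0.0.1', 631); works for 8- and 32-digit addresses."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    # The kernel prints each 32-bit word in host byte order (assumed little-endian),
    # so reverse every 4-byte group to get network order.
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return str(ipaddress.ip_address(fixed)), int(port_hex, 16)

def parse_table(text):
    """Map (local, remote) endpoint pairs to a state name."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 4:
            continue
        key = (decode_endpoint(cols[1]), decode_endpoint(cols[2]))
        table[key] = TCP_STATES.get(cols[3], cols[3])
    return table

def diff_snapshots(before, after):
    """Return (opened, closed) socket pairs between two parsed snapshots."""
    return sorted(after.keys() - before.keys()), sorted(before.keys() - after.keys())

def listening_ports(table):
    """Local ports in LISTEN state, i.e. the ones an external scan can reach."""
    return sorted({loc[1] for (loc, _), st in table.items() if st == "LISTEN"})

if __name__ == "__main__":
    t1, t2 = parse_table(SNAP_1), parse_table(SNAP_2)
    print("listening:", listening_ports(t2))
    print("opened/closed:", diff_snapshots(t1, t2))
```

On a live Linux host, pass the contents of /proc/net/tcp or /proc/net/tcp6 to `parse_table` instead of the constructed snapshots.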