Bitcoin - Port 8333, 18333, 38333, 18444

Basic info

What is a Bitcoin Node?

A Bitcoin node is a computer running Bitcoin software that:

  • Validates transactions and blocks against consensus rules

  • Maintains a copy of the blockchain (full nodes)

  • Relays transactions and blocks to other nodes

  • Serves data to lightweight clients (SPV wallets)

  • Participates in network consensus without mining (non-mining nodes)

Node Types

Full Node:

  • Stores complete blockchain history

  • Validates all transactions and blocks

  • Serves data to other nodes

  • ~500GB+ storage required (as of 2024)

Pruned Node:

  • Validates all transactions

  • Only keeps recent blockchain data

  • Reduces storage to ~10GB

  • Cannot serve full blockchain to others

Light/SPV Node:

  • Does not download full blockchain

  • Relies on full nodes for data

  • Minimal storage requirements

  • Used in mobile wallets

Mining Node:

  • Full node + mining capability

  • Creates new blocks

  • Requires significant computational power

Bitcoin Network Types

Default Ports

Port 8333 - Bitcoin Mainnet

  • Production network

  • Real Bitcoin transactions

  • Peer-to-peer communication

Port 18333 - Bitcoin Testnet

  • Public test network

  • Test coins with no value

  • Mirrors mainnet functionality

Port 38333 - Bitcoin Signet

  • Newer test network

  • Signed blocks (centralized validation)

  • More reliable than testnet

Port 18444 - Bitcoin Regtest

  • Local regression test network

  • Private development environment

  • Instant block generation

Port 8332 - Bitcoin RPC (JSON-RPC API)

  • Not covered in this guide but important

  • Requires authentication

  • Administrative interface

Bitcoin Protocol Overview

Protocol Basics

Bitcoin P2P Protocol:

  • Binary protocol over TCP

  • No encryption by default (plaintext)

  • Message-based communication

  • Peer discovery via DNS seeds and addr messages

Message Structure:

Magic Bytes by Network:

Common Protocol Messages

version:

  • Sent during handshake

  • Contains node information

  • Protocol version, services, timestamp, user agent

verack:

  • Acknowledges version message

  • Completes handshake

addr:

  • Shares peer addresses

  • Helps with peer discovery

  • Contains IP:Port pairs

inv (inventory):

  • Announces new transactions/blocks

  • Type + hash

getdata:

  • Requests full transaction/block data

  • Response to inv

getblocks:

  • Requests block inventory

  • Used for synchronization

ping/pong:

  • Keep-alive mechanism

  • Latency measurement

getaddr:

  • Requests peer addresses

  • For network topology mapping

Reconnaissance & Enumeration

Port Scanning

Basic Nmap Scan

Sample Output:

Bitcoin-Specific Nmap Scripts

bitcoin-info Script

Sample Output:

bitcoin-getaddr Script

Sample Output:

Combined Scan:

Manual Protocol Interaction

Using Netcat (Binary Protocol Challenge)

Using Python for Protocol Interaction

Shodan Queries

Find exposed Bitcoin nodes:

Advanced Shodan Queries:

Information Gathering

Node Fingerprinting

Extract User Agent:

Identify Node Type:

Network Topology Mapping

Peer Discovery:

Visualize Network:

Blockchain Analysis

Query Node Blockchain Info:

Without RPC Access:

Information limited to what P2P protocol reveals:

  • Last block height (from version message)

  • Protocol version

  • Services advertised

  • Peer addresses
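The message framing from the Protocol Overview and the fields listed above, shown as an added example that is not part of the original guide. It parses one constructed `version` message offline and decodes what a node hands to any peer in plaintext; the sample bytes, user agent and height are made up, and the function names are illustrative.

```python
import hashlib
import struct

# Network magic as it appears on the wire (public protocol constants).
MAGIC = {"f9beb4d9": "mainnet", "0b110907": "testnet3",
         "0a03cf40": "signet", "fabfb5da": "regtest"}
# Service bits that distinguish full nodes from pruned (limited) ones.
SERVICES = {1: "NODE_NETWORK", 8: "NODE_WITNESS", 1024: "NODE_NETWORK_LIMITED"}

def checksum(payload: bytes) -> bytes:
    """First four bytes of double SHA-256, as carried in the message header."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def parse_message(raw: bytes):
    """Return (network, command, payload) for one message, rejecting bad framing."""
    if len(raw) < 24:
        raise ValueError("truncated header")
    magic, command, length, csum = struct.unpack("<4s12sI4s", raw[:24])
    payload = raw[24:24 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if checksum(payload) != csum:
        raise ValueError("checksum mismatch")
    return MAGIC.get(magic.hex(), "unknown"), command.rstrip(b"\0").decode("ascii"), payload

def parse_version(payload: bytes) -> dict:
    """Decode the fields of a version payload that any connecting peer can read."""
    version, services, timestamp = struct.unpack_from("<iQq", payload, 0)
    off = 20 + 26 + 26 + 8              # skip addr_recv, addr_from and nonce
    ua_len = payload[off]               # CompactSize length of the user agent
    if ua_len >= 0xFD:
        raise ValueError("user agent longer than this example handles")
    user_agent = payload[off + 1:off + 1 + ua_len].decode("ascii", "replace")
    (start_height,) = struct.unpack_from("<i", payload, off + 1 + ua_len)
    flags = [name for bit, name in SERVICES.items() if services & bit]
    return {"version": version, "services": flags, "timestamp": timestamp,
            "user_agent": user_agent, "start_height": start_height}

def build_sample() -> bytes:
    """Constructed mainnet version message; every value is made up for the example."""
    ua = b"/Satoshi:25.0.0/"
    payload = (struct.pack("<iQq", 70016, 0x409, 1700000000) + bytes(52)
               + struct.pack("<Q", 1) + bytes([len(ua)]) + ua
               + struct.pack("<i", 800000) + b"\x01")
    header = bytes.fromhex("f9beb4d9") + b"version".ljust(12, b"\0")
    return header + struct.pack("<I", len(payload)) + checksum(payload) + payload

if __name__ == "__main__":
    network, command, payload = parse_message(build_sample())
    print(network, command, parse_version(payload))
```

A node operator can run the same decoder over a packet capture of their own node to see exactly which version, service flags and block height it advertises.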

Attack Vectors

1. Information Disclosure

Version Disclosure:

Peer Address Disclosure:

Block Height Disclosure:

2. Denial of Service (DoS)

Connection Exhaustion:

Resource Exhaustion - Memory:

Resource Exhaustion - Disk:

Protocol-Level DoS:

3. Eclipse Attack

Concept: Isolate a node from the honest network

Attack Steps:

Implementation Difficulty:

  • Requires many IP addresses

  • Bitcoin Core has eclipse attack mitigations

  • Needs sustained effort over time

Mitigation in Bitcoin Core:

  • Diverse peer selection

  • Anchor connections

  • Address manager diversity

  • Feeler connections
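A defender-side check that complements these mitigations, added here as an example and not taken from the original guide or from Bitcoin Core: it groups a node's current peers by network prefix and reports any prefix holding an outsized share of connections. It assumes input shaped like `bitcoin-cli getpeerinfo` JSON (only the `addr` and `inbound` fields are used); the sample peers, the /16 and /32 grouping and the 30% threshold are assumptions chosen for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample using documentation address ranges; not real peers.
SAMPLE_PEERS = json.loads("""[
  {"addr": "198.51.100.10:8333",  "inbound": true},
  {"addr": "198.51.100.77:51234", "inbound": true},
  {"addr": "198.51.100.200:40000","inbound": true},
  {"addr": "203.0.113.5:8333",    "inbound": false},
  {"addr": "192.0.2.9:8333",      "inbound": false},
  {"addr": "[2001:db8::1]:8333",  "inbound": false}
]""")

def netgroup(addr: str) -> str:
    """Map a peer 'host:port' string to a coarse network group."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    if host.endswith(".onion"):
        return "onion"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "other"                      # I2P, CJDNS names and similar
    prefix = 16 if ip.version == 4 else 32  # assumed grouping for this example
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def concentration_report(peers, max_share=0.3):
    """Return {group: count} for groups holding more than max_share of all peers."""
    if not peers:
        return {}
    groups = Counter(netgroup(p["addr"]) for p in peers)
    return {g: n for g, n in groups.items() if n / len(peers) > max_share}

def inbound_only_groups(peers):
    """Groups seen only on inbound connections, which the node did not choose itself."""
    inbound = {netgroup(p["addr"]) for p in peers if p["inbound"]}
    outbound = {netgroup(p["addr"]) for p in peers if not p["inbound"]}
    return sorted(inbound - outbound)

if __name__ == "__main__":
    print("over-represented:", concentration_report(SAMPLE_PEERS))
    print("inbound-only groups:", inbound_only_groups(SAMPLE_PEERS))
```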

4. Transaction/Block Relay Manipulation

Selfish Mining:

  • Withhold mined blocks

  • Release strategically

  • Gain unfair mining advantage

Transaction Censorship:

  • If controlling peer connections

  • Can filter specific transactions

  • Prevents victim from seeing them

Double-Spend Relay:

  • Send conflicting transactions

  • One to victim, one to network

  • Exploits zero-confirmation acceptance

5. Privacy Attacks

Address Clustering:

Transaction Origin Tracking:

Network Topology Mapping:

Known Vulnerabilities & CVEs

Historical Vulnerabilities

CVE-2012-2459 - Block Validation DoS

  • Affected: Bitcoin Core < 0.6.1

  • Impact: Remote DoS via crafted blocks

  • Fixed: Block validation improvements

CVE-2013-2292 - Remote Crash

  • Affected: Bitcoin Core < 0.8.1

  • Impact: Malformed messages crash node

  • Fixed: Input validation

CVE-2013-2293 - Resource Exhaustion

  • Affected: Bitcoin Core < 0.8.1

  • Impact: Memory exhaustion via orphan transactions

  • Fixed: Orphan transaction limits

CVE-2015-3641 - DoS via Memory Exhaustion

  • Affected: Bitcoin Core < 0.10.1

  • Impact: Remote DoS

  • Fixed: Memory management improvements

CVE-2017-18350 - Buffer Overflow

  • Affected: Bitcoin Core < 0.15.1

  • Impact: Remote code execution potential

  • Fixed: Buffer handling fixes

CVE-2018-17144 - Inflation Vulnerability

  • Affected: Bitcoin Core 0.14.x - 0.16.2

  • Impact: Could create Bitcoin out of thin air

  • Severity: Critical (never exploited on mainnet)

  • Fixed: Version 0.16.3

CVE-2021-31876 - DoS via Malformed Messages

  • Affected: Various implementations

  • Impact: Node crashes

  • Fixed: Message validation

Modern Attack Surface

Current Concerns (2024):

  1. Eclipse Attacks - Still a theoretical threat

  2. Privacy Issues - IP address linkage

  3. Resource Exhaustion - Always a concern

  4. Zero-day vulnerabilities - Unknown bugs

  5. Implementation bugs - Non-Core clients

Best Practices:

  • Keep Bitcoin Core updated

  • Use latest stable release

  • Monitor security announcements

  • Consider using Tor for privacy

Bitcoin RPC Security (Port 8332)

RPC Interface Overview

Note: RPC does not run on the P2P ports covered above, but it is critical

Default Configuration:

RPC Enumeration

Check if RPC is Accessible:

Default Credentials (Very Rare):

Brute Force RPC:

Defense & Hardening

Node Configuration Security

bitcoin.conf Security Settings:

Generate Secure RPC Credentials:

Network-Level Protection

Firewall Rules:

Rate Limiting:

Privacy & Anonymity

Using Tor:

Using VPN:

Dandelion++ Protocol:

Monitoring & Detection

Monitor Connections:

Log Analysis:

Intrusion Detection:

Regular Security Practices

Tools & Scripts

Essential Tools

  1. Bitcoin Core - Official full node implementation

  2. nmap - Port scanning with Bitcoin scripts

  3. bitcoin-cli - Command-line interface

  4. Wireshark - Protocol analysis

  5. btcd - Alternative Go implementation

Custom Enumeration Script

Network Mapper Script

Cheat Sheet

Quick Reference

Important Ports

Common User Agents

Protocol Magic Bytes

Additional Resources
