Common Ports and Protocols Reference
A comprehensive reference of network ports and protocols relevant to ethical hacking and penetration testing. Entries include service descriptions, common vulnerabilities, and default credentials where applicable.
How to Use This Reference
- Port: The default port number the service listens on.
- Protocol: TCP, UDP, or both.
- Service: The application or protocol name.
- Description: What the service does and why it matters for security testing.
- Common Vulnerabilities/Attack Vectors: Known weaknesses and testing approaches.
- Default Credentials: Factory defaults (where applicable and commonly encountered).
Well-Known Ports (1-1023)
Port 20-21 / TCP — FTP (File Transfer Protocol)
Description: FTP uses port 21 for control commands and port 20 for data transfer. Designed before security was a priority, FTP transmits all data (including credentials) in cleartext.
Vulnerabilities/Attack Vectors:
- Anonymous login (user: anonymous, password: any email)
- Cleartext credential sniffing
- FTP bounce attacks (port scanning via FTP server)
- Known vulnerabilities in vsftpd 2.3.4 (backdoor), ProFTPD, etc.
- Directory traversal if misconfigured
- Writable directories for payload upload
Default Credentials: anonymous / anonymous@ (when anonymous access is enabled)
Port 22 / TCP — SSH (Secure Shell)
Description: Encrypted remote access protocol replacing Telnet. Provides secure command-line access, file transfer (SCP/SFTP), and port forwarding.
Vulnerabilities/Attack Vectors: - Brute force / password spraying (Hydra, Medusa) - Weak or default passwords - Key-based authentication bypass if private keys are found - Version-specific exploits (libssh auth bypass CVE-2018-10933) - SSH agent forwarding abuse - Port forwarding for lateral movement
Default Credentials: Varies by distribution and appliance. Common: root/root, admin/admin
Port 23 / TCP — Telnet
Description: Unencrypted remote access protocol. All communication, including credentials, is transmitted in cleartext. Should never be used in production.
Vulnerabilities/Attack Vectors: - Cleartext credential capture - Brute force attacks - Banner grabbing for version identification - Commonly found on IoT devices, network equipment, and embedded systems
Default Credentials: Varies widely. Common on network devices: admin/admin, cisco/cisco, root/root
Port 25 / TCP — SMTP (Simple Mail Transfer Protocol)
Description: Protocol for sending email. SMTP servers relay email between mail systems.
Vulnerabilities/Attack Vectors: - Open relay testing (can send email to/from any address) - User enumeration via VRFY and EXPN commands - Email spoofing if SPF/DKIM/DMARC not configured - SMTP injection - Brute force authentication (if AUTH enabled) - Command injection in mail parameters
Default Credentials: Typically requires domain-level credentials
Port 53 / TCP/UDP — DNS (Domain Name System)
Description: Translates domain names to IP addresses. Uses UDP for queries and TCP for zone transfers and large responses.
Vulnerabilities/Attack Vectors:
- Zone transfer (AXFR): dig axfr @nameserver domain.com
- DNS cache poisoning
- DNS tunneling for data exfiltration and C2
- DNS rebinding attacks
- Subdomain enumeration
- Amplification attacks (DDoS)
Default Credentials: N/A (protocol-level, no authentication)
Port 67-68 / UDP — DHCP (Dynamic Host Configuration Protocol)
Description: Automatically assigns IP addresses and network configuration to devices on a network.
Vulnerabilities/Attack Vectors: - DHCP starvation (exhaust IP pool) - Rogue DHCP server (redirect traffic, set attacker as gateway) - DHCP snooping bypass
Default Credentials: N/A
Port 69 / UDP — TFTP (Trivial File Transfer Protocol)
Description: Simple file transfer protocol with no authentication mechanism. Often used for PXE boot and firmware updates on network devices.
Vulnerabilities/Attack Vectors: - No authentication — any accessible TFTP server allows file retrieval - Configuration file theft (router/switch configs) - Firmware extraction and analysis
Default Credentials: N/A (no authentication)
Port 80 / TCP — HTTP (Hypertext Transfer Protocol)
Description: The foundation of web communication. Unencrypted by default.
Vulnerabilities/Attack Vectors: - All OWASP Top 10 web vulnerabilities - SQL injection, XSS, CSRF, SSRF, file inclusion - Directory brute forcing - Default web application credentials - Information disclosure (server headers, error pages) - Virtual host enumeration
Default Credentials: Application-dependent. Common: admin/admin, admin/password
Port 88 / TCP — Kerberos
Description: Network authentication protocol used by Active Directory. Issues tickets for service authentication.
Vulnerabilities/Attack Vectors: - AS-REP Roasting (accounts without pre-authentication) - Kerberoasting (crack service ticket hashes) - Golden Ticket attacks (forged TGTs) - Silver Ticket attacks (forged TGS) - Pass-the-Ticket - Unconstrained/constrained delegation abuse
Default Credentials: N/A (ticket-based authentication)
Port 110 / TCP — POP3 (Post Office Protocol v3)
Description: Email retrieval protocol. Transmits credentials and email content in cleartext.
Vulnerabilities/Attack Vectors: - Cleartext credential sniffing - Brute force authentication - Email content retrieval
Default Credentials: Requires user mail credentials
Port 111 / TCP/UDP — RPCBind / Portmapper
Description: Maps RPC program numbers to port numbers. Acts as a directory for RPC services.
Vulnerabilities/Attack Vectors:
- Service enumeration: rpcinfo -p target
- NFS share discovery
- Exploit RPC services (NFS, NIS, mountd)
Default Credentials: N/A
Port 135 / TCP — MSRPC (Microsoft Remote Procedure Call)
Description: Windows endpoint mapper for DCOM services. Provides access to various Windows management interfaces.
Vulnerabilities/Attack Vectors: - Endpoint enumeration - Remote code execution via DCOM - Impacket tools (rpcdump.py) - Information disclosure
Default Credentials: Uses Windows authentication
Port 137-139 / TCP/UDP — NetBIOS
Description: Legacy Windows networking services. Port 137 (name service), 138 (datagram), 139 (session service for SMB over NetBIOS).
Vulnerabilities/Attack Vectors: - NetBIOS name enumeration (nbtscan) - Null session enumeration - SMB over NetBIOS for legacy systems - Banner grabbing and OS fingerprinting
Default Credentials: Uses Windows authentication
Port 143 / TCP — IMAP (Internet Message Access Protocol)
Description: Email retrieval protocol that keeps messages on the server. More feature-rich than POP3.
Vulnerabilities/Attack Vectors: - Cleartext credential sniffing - Brute force authentication - IMAP injection
Default Credentials: Requires user mail credentials
Port 161-162 / UDP — SNMP (Simple Network Management Protocol)
Description: Network management protocol for monitoring and configuring network devices. Port 161 for queries, 162 for traps.
Vulnerabilities/Attack Vectors:
- Default community strings: public (read), private (read/write)
- SNMP v1/v2c community string brute force
- System information disclosure (OIDs)
- SNMP write access for configuration changes
- Network device enumeration
Default Credentials: Community strings public (read-only), private (read-write)
Port 389 / TCP — LDAP (Lightweight Directory Access Protocol)
Description: Protocol for accessing directory services, most commonly Active Directory.
Vulnerabilities/Attack Vectors: - Anonymous bind enumeration - LDAP injection - User and group enumeration - Domain information disclosure - Cleartext credential transmission
Default Credentials: May allow anonymous bind
Port 443 / TCP — HTTPS (HTTP over TLS/SSL)
Description: Encrypted web traffic using TLS/SSL certificates.
Vulnerabilities/Attack Vectors: - All OWASP Top 10 (encryption protects transport, not application logic) - SSL/TLS vulnerabilities (Heartbleed, POODLE, BEAST, CRIME) - Weak cipher suites - Expired/self-signed certificates - Certificate transparency log enumeration for subdomain discovery
Default Credentials: Application-dependent
Port 445 / TCP — SMB (Server Message Block)
Description: Windows file and printer sharing protocol. Modern SMB operates directly over TCP without NetBIOS.
Vulnerabilities/Attack Vectors: - EternalBlue (MS17-010) / CVE-2017-0144 - SMBGhost (CVE-2020-0796) - Null session enumeration - Share enumeration and access - Pass-the-hash / NTLM relay - SMB signing disabled (relay attacks) - Brute force authentication - Sensitive file discovery in shares
Default Credentials: Uses Windows authentication; null sessions may work
Port 464 / TCP — Kpasswd (Kerberos Password Change)
Description: Kerberos password change service in Active Directory environments.
Vulnerabilities/Attack Vectors: Targeted in password-change based attacks.
Port 500 / UDP — ISAKMP/IKE (VPN)
Description: Internet Security Association and Key Management Protocol, used for VPN establishment (IPsec).
Vulnerabilities/Attack Vectors:
- VPN enumeration: ike-scan target
- Aggressive mode hash capture
- Weak pre-shared keys
Default Credentials: Varies by VPN appliance
Port 512-514 / TCP — R-Services (rlogin, rsh, rexec)
Description: Legacy Unix remote access services with trust-based authentication (.rhosts).
Vulnerabilities/Attack Vectors: - Trust relationship exploitation - No encryption - Remote command execution without passwords - .rhosts file manipulation
Default Credentials: Trust-based (no password if trusted)
Port 548 / TCP — AFP (Apple Filing Protocol)
Description: Apple's file sharing protocol for macOS.
Vulnerabilities/Attack Vectors: - Authentication brute force - Guest access enumeration - Information disclosure
Port 554 / TCP — RTSP (Real-Time Streaming Protocol)
Description: Controls streaming media servers, commonly used by IP cameras and media services.
Vulnerabilities/Attack Vectors: - Default credentials on IP cameras - Unauthorized stream access - Stream enumeration
Default Credentials: admin/admin, admin/12345 (varies by manufacturer)
Port 587 / TCP — SMTP Submission
Description: Mail submission port for authenticated email sending. Preferred over port 25 for client-to-server email.
Vulnerabilities/Attack Vectors: - Brute force authentication - Credential stuffing - Email spoofing if improperly configured
Port 593 / TCP — HTTP RPC Endpoint Mapper
Description: MS-RPC over HTTP, used when RPC is tunneled through HTTP.
Vulnerabilities/Attack Vectors: RPC enumeration through HTTP.
Port 623 / UDP — IPMI (Intelligent Platform Management Interface)
Description: Remote server management interface for bare-metal hardware (out-of-band management).
Vulnerabilities/Attack Vectors: - IPMI 2.0 password hash disclosure (no authentication required to retrieve) - Default credentials - Cipher zero bypass (no authentication) - KVM console access
Default Credentials: ADMIN/ADMIN (SuperMicro), admin/admin (many vendors), root/calvin (Dell iDRAC)
Port 636 / TCP — LDAPS (LDAP over SSL)
Description: Encrypted LDAP communications.
Vulnerabilities/Attack Vectors: - Certificate validation issues - LDAP injection (encryption does not prevent application-level attacks) - Downgrade attacks
Port 873 / TCP — Rsync
Description: File synchronization utility and protocol.
Vulnerabilities/Attack Vectors:
- Anonymous module access: rsync --list-only target::
- Sensitive file retrieval
- Writable modules for payload upload
Default Credentials: May allow anonymous access to modules
Port 993 / TCP — IMAPS (IMAP over SSL)
Description: Encrypted IMAP email retrieval.
Vulnerabilities/Attack Vectors: Brute force authentication, credential stuffing.
Port 995 / TCP — POP3S (POP3 over SSL)
Description: Encrypted POP3 email retrieval.
Vulnerabilities/Attack Vectors: Brute force authentication.
High Ports (1024+)
Port 1080 / TCP — SOCKS Proxy
Description: SOCKS proxy protocol for routing network traffic.
Vulnerabilities/Attack Vectors: - Open proxy for pivoting/anonymization - Unauthenticated proxy access
Port 1099 / TCP — Java RMI Registry
Description: Java Remote Method Invocation registry for distributed computing.
Vulnerabilities/Attack Vectors: - Deserialization attacks - Remote code execution via RMI - RMI enumeration tools
Port 1433 / TCP — Microsoft SQL Server (MSSQL)
Description: Microsoft's relational database management system.
Vulnerabilities/Attack Vectors:
- Default SA account with weak/empty password
- xp_cmdshell for OS command execution
- SQL injection from web applications
- Linked server abuse for lateral movement
- UNC path injection for hash capture
Default Credentials: sa / (blank or sa), application-specific accounts
Port 1521 / TCP — Oracle Database (TNS Listener)
Description: Oracle database TNS Listener service.
Vulnerabilities/Attack Vectors: - Default SID enumeration (odat, oscanner) - Default credentials for system accounts - TNS listener poisoning - SQL injection through web applications
Default Credentials: SYSTEM/manager, SYS/change_on_install, SCOTT/tiger, DBSNMP/dbsnmp
Port 1723 / TCP — PPTP VPN
Description: Point-to-Point Tunneling Protocol for VPN connections.
Vulnerabilities/Attack Vectors: - MS-CHAPv2 weak encryption (crackable) - GRE protocol manipulation - Credential brute force
Port 2049 / TCP/UDP — NFS (Network File System)
Description: Unix/Linux network file sharing protocol.
Vulnerabilities/Attack Vectors:
- Show exported mounts: showmount -e target
- no_root_squash misconfiguration (SUID binary upload)
- Accessing sensitive files via mounted shares
- UID/GID spoofing for access control bypass
Default Credentials: N/A (UID/GID based access)
Port 2375-2376 / TCP — Docker API
Description: Docker daemon REST API. Port 2375 is unencrypted, 2376 is TLS encrypted.
Vulnerabilities/Attack Vectors: - Unauthenticated Docker API access - Container escape to host - Privileged container creation for root access - Image manipulation
Default Credentials: Often no authentication when exposed
Port 3000 / TCP — Various (Grafana, Node.js, Gitea)
Description: Common port for web applications and development servers.
Vulnerabilities/Attack Vectors: Application-specific. Grafana default creds, Node.js debug ports.
Default Credentials: Grafana: admin/admin
Port 3306 / TCP — MySQL
Description: MySQL and MariaDB database service.
Vulnerabilities/Attack Vectors:
- Default root with no password
- Remote root login enabled
- SQL injection from web applications
- User-defined functions (UDF) for OS command execution
- File read/write via LOAD_FILE() and INTO OUTFILE
Default Credentials: root / (blank), root/root
Port 3389 / TCP — RDP (Remote Desktop Protocol)
Description: Windows remote desktop access protocol.
Vulnerabilities/Attack Vectors:
- BlueKeep (CVE-2019-0708) — unauthenticated RCE
- Brute force (Hydra, Crowbar)
- Password spraying
- Session hijacking (tscon without password)
- NLA bypass on older systems
- Credential theft via keylogging once connected
Default Credentials: Requires Windows credentials
Port 4369 / TCP — EPMD (Erlang Port Mapper Daemon)
Description: Service discovery for Erlang distributed systems (used by RabbitMQ, CouchDB).
Vulnerabilities/Attack Vectors: - Erlang cookie brute force for remote code execution - Node enumeration
Default Credentials: Default Erlang cookie may be predictable
Port 4443 / TCP — HTTPS Alternative
Description: Alternative HTTPS port, commonly used by web appliances and management interfaces.
Port 5432 / TCP — PostgreSQL
Description: Open-source relational database.
Vulnerabilities/Attack Vectors:
- Default postgres user with weak password
- COPY TO/FROM PROGRAM for OS command execution
- Large object functions for file read/write
- SQL injection from web applications
Default Credentials: postgres/postgres, postgres / (blank)
Port 5555 / TCP — Android Debug Bridge (ADB)
Description: Android device debugging interface.
Vulnerabilities/Attack Vectors: - Unauthenticated shell access to Android devices - Install/remove applications - Full device control
Default Credentials: No authentication when exposed
Port 5900-5901 / TCP — VNC (Virtual Network Computing)
Description: Remote desktop access protocol.
Vulnerabilities/Attack Vectors: - No authentication or weak passwords - Brute force (Hydra) - VNC authentication bypass on some versions - Cleartext password in configuration files - Screenshot capture without authentication
Default Credentials: VNC password only (no username), often password or blank
Port 5985-5986 / TCP — WinRM (Windows Remote Management)
Description: HTTP-based remote management protocol for Windows. Port 5985 (HTTP), 5986 (HTTPS).
Vulnerabilities/Attack Vectors: - Remote PowerShell execution - Pass-the-hash authentication - Credential brute force (CrackMapExec) - Evil-WinRM for interactive shell
Default Credentials: Requires Windows credentials (local or domain)
Port 6379 / TCP — Redis
Description: In-memory data structure store used as database, cache, and message broker.
Vulnerabilities/Attack Vectors:
- No authentication by default
- Remote code execution via CONFIG SET and module loading
- SSH key writing via CONFIG SET dir/dbfilename
- Web shell writing
- Data exfiltration
- Lua scripting abuse
Default Credentials: No authentication by default
Port 6667 / TCP — IRC (Internet Relay Chat)
Description: Text-based chat protocol, sometimes used for botnet C2 communication.
Vulnerabilities/Attack Vectors: - IRC botnet C2 channels - Service enumeration - UnrealIRCd backdoor (CVE-2010-2075)
Port 8000 / TCP — HTTP Alternative
Description: Common alternative HTTP port for development servers, Django, and various applications.
Port 8080 / TCP — HTTP Proxy / Alternative
Description: Common alternative HTTP port. Used by web proxies, Tomcat, Jenkins, and many web applications.
Vulnerabilities/Attack Vectors: - Application-specific vulnerabilities - Management interface exposure - Tomcat Manager: WAR file deployment for RCE - Jenkins: Groovy script console for RCE
Default Credentials: Tomcat: tomcat/tomcat, admin/admin. Jenkins: varies (may have no auth initially)
Port 8443 / TCP — HTTPS Alternative
Description: Common alternative HTTPS port for management interfaces and web applications.
Vulnerabilities/Attack Vectors: Application-specific. Management console access.
Default Credentials: Application-dependent
Port 8888 / TCP — HTTP Alternative / Jupyter
Description: Alternative HTTP port, commonly used by Jupyter Notebook.
Vulnerabilities/Attack Vectors: - Unauthenticated Jupyter access allows arbitrary code execution - Token-based authentication bypass
Default Credentials: Jupyter may not require authentication
Port 9090 / TCP — Various Management Consoles
Description: Used by Cockpit (Linux management), WebSphere, Prometheus, and others.
Vulnerabilities/Attack Vectors: Management console access, default credentials.
Default Credentials: Application-dependent
Port 9200-9300 / TCP — Elasticsearch
Description: Distributed search and analytics engine. Port 9200 (HTTP API), 9300 (transport/cluster).
Vulnerabilities/Attack Vectors:
- No authentication by default (pre-8.x)
- Full database access and data exfiltration
- Remote code execution via Groovy scripting (older versions)
- Index enumeration: curl http://target:9200/_cat/indices
- Snapshot repository access
Default Credentials: No authentication (pre-8.x). Elastic 8.x+: elastic / (auto-generated)
Port 9389 / TCP — Active Directory Web Services
Description: AD Web Services used by PowerShell AD module.
Vulnerabilities/Attack Vectors: AD enumeration and querying.
Port 10000 / TCP — Webmin
Description: Web-based system administration tool for Unix-like systems.
Vulnerabilities/Attack Vectors: - Default credentials - Command injection (CVE-2019-15107) - Authenticated RCE
Default Credentials: admin/admin or system root credentials
Port 11211 / TCP/UDP — Memcached
Description: Distributed memory caching system.
Vulnerabilities/Attack Vectors:
- No authentication by default
- Data exfiltration: stats, stats slabs, stats items
- UDP amplification DDoS attacks (amplification factor: 51,000x)
- Key enumeration and value dump
Default Credentials: No authentication
Port 11211 / TCP — Memcached
See above.
Port 27017-27018 / TCP — MongoDB
Description: NoSQL document database. Port 27017 (default), 27018 (shardsvr).
Vulnerabilities/Attack Vectors: - No authentication by default (pre-configured installations) - Full database enumeration and dump - NoSQL injection from web applications - Server-side JavaScript execution - Data ransom attacks
Default Credentials: No authentication by default on many installations
Port 28017 / TCP — MongoDB Web Interface (deprecated)
Description: Legacy MongoDB HTTP status interface.
Vulnerabilities/Attack Vectors: Information disclosure, unauthenticated access.
Port 50000 / TCP — SAP / Jenkins Agent
Description: SAP management console or Jenkins agent communication port.
Vulnerabilities/Attack Vectors: Application-specific RCE, management access.
Quick Port Reference by Service Category
Web Services
80, 443, 8000, 8080, 8443, 8888, 3000, 4443, 9090
Databases
1433 (MSSQL), 1521 (Oracle), 3306 (MySQL), 5432 (PostgreSQL), 6379 (Redis), 9200 (Elasticsearch), 27017 (MongoDB), 11211 (Memcached)
Remote Access
22 (SSH), 23 (Telnet), 3389 (RDP), 5900 (VNC), 5985/5986 (WinRM)
File Transfer
20/21 (FTP), 69 (TFTP), 445 (SMB), 873 (Rsync), 2049 (NFS)
25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS), 995 (POP3S)
Active Directory / Windows
88 (Kerberos), 135 (MSRPC), 139 (NetBIOS), 389 (LDAP), 445 (SMB), 464 (Kpasswd), 636 (LDAPS), 3389 (RDP), 5985 (WinRM), 9389 (ADWS)
Network Services
53 (DNS), 67/68 (DHCP), 111 (RPCBind), 161/162 (SNMP), 500 (IKE/VPN), 1723 (PPTP)
Management Interfaces
623 (IPMI), 10000 (Webmin), 2375/2376 (Docker), 9090 (Cockpit)
Port assignments follow IANA standards, but services may run on non-standard ports. Always perform comprehensive port scanning (nmap -p-) during engagements to detect services on unexpected ports.