Network Utilities | codeworld

Common ports reference

Port number, protocol, service, and security notes for 60+ commonly encountered ports

Port	Proto	Service	Description / Notes
22	TCP	SSH	Secure Shell — encrypted remote access, SFTP, tunneling ⚠ Default port — change in hardened configs. Brute-force magnet.
23	TCP	Telnet	Unencrypted remote terminal ⚠ Cleartext credentials. Never use. Presence = legacy or misconfigured system.
3389	TCP	RDP	Remote Desktop Protocol — Windows remote desktop ⚠ High-value lateral movement target. BlueKeep (CVE-2019-0708). NLA bypass attacks.
5985	TCP	WinRM HTTP	Windows Remote Management (HTTP) ⚠ PowerShell remoting. Evil-WinRM for lateral movement. Often overlooked in firewall rules.
5986	TCP	WinRM HTTPS	Windows Remote Management (HTTPS)
5900	TCP	VNC	Virtual Network Computing — remote desktop ⚠ Often weak/no authentication on IoT and legacy systems. Shodan-exposed frequently.
80	TCP	HTTP	Hypertext Transfer Protocol — unencrypted web ⚠ Cleartext. Modern sites redirect to 443. Intercept with Burp/mitmproxy.
443	TCP	HTTPS	HTTP over TLS — encrypted web
8080	TCP	HTTP-alt	Alternative HTTP — dev servers, proxies, Tomcat ⚠ Commonly unauthenticated admin interfaces. Tomcat manager default.
8443	TCP	HTTPS-alt	Alternative HTTPS — dev/admin panels
8888	TCP	HTTP-alt	Jupyter notebooks, various dev servers ⚠ Jupyter often runs without auth on default config.
3000	TCP	HTTP-dev	Node.js/React dev servers, Grafana
25	TCP	SMTP	Simple Mail Transfer Protocol — MTA to MTA relay ⚠ Open relay = spam source. Should only accept from authorized MTAs.
587	TCP	SMTP-sub	SMTP Submission — client to MTA (STARTTLS)
465	TCP	SMTPS	SMTP over SSL (deprecated but still used)
110	TCP	POP3	Post Office Protocol v3 — email retrieval (cleartext) ⚠ Cleartext credentials. Use POP3S (995) instead.
995	TCP	POP3S	POP3 over SSL
143	TCP	IMAP	Internet Message Access Protocol — email (cleartext) ⚠ Cleartext. Use IMAPS (993).
993	TCP	IMAPS	IMAP over SSL
21	TCP	FTP	File Transfer Protocol control channel — cleartext ⚠ Cleartext credentials and data. Anonymous FTP common on old systems. Use SFTP/FTPS.
20	TCP	FTP-data	FTP active mode data channel
990	TCP	FTPS	FTP over SSL (implicit)
69	UDP	TFTP	Trivial FTP — no auth, used for PXE boot, network device config ⚠ No authentication. Used by network devices for config/firmware. Often forgotten.
445	TCP	SMB	Server Message Block — Windows file sharing, AD ⚠ EternalBlue/WannaCry (CVE-2017-0144). Relay attacks (NTLM). Block at perimeter always.
139	TCP	NetBIOS-SSN	NetBIOS Session — legacy SMB over NetBIOS
2049	TCP/UDP	NFS	Network File System ⚠ Often misconfigured with world-readable exports. Check /etc/exports.
389	TCP/UDP	LDAP	Lightweight Directory Access Protocol — cleartext ⚠ Cleartext. LDAP null bind often allowed. Enumerate AD with ldapsearch.
636	TCP	LDAPS	LDAP over SSL
3268	TCP	GC LDAP	Active Directory Global Catalog
88	TCP/UDP	Kerberos	Kerberos authentication — Active Directory ⚠ Kerberoasting: request TGS for SPNs → crack offline. AS-REP roasting targets no-preauth accounts.
464	TCP/UDP	Kerberos PW	Kerberos password change
53	TCP/UDP	DNS	Domain Name System — UDP for queries, TCP for zone transfers and large responses ⚠ DNS tunneling C2 (iodine, dnscat2). Zone transfer (AXFR) exposes all records. DNS exfil via subdomains.
67	UDP	DHCP-server	DHCP server — assigns IP addresses ⚠ Rogue DHCP server can redirect traffic. DHCP starvation attack.
68	UDP	DHCP-client	DHCP client
123	UDP	NTP	Network Time Protocol ⚠ NTP amplification DDoS. Monlist command exposes client list.
161	UDP	SNMP	Simple Network Management Protocol — monitoring ⚠ Community string "public" default. v1/v2c cleartext. SNMP walk reveals full device config.
162	UDP	SNMP-trap	SNMP trap receiver
514	UDP	Syslog	System log forwarding — cleartext ⚠ Cleartext UDP. Log injection possible. TCP syslog (514/TCP) more reliable.
1433	TCP	MSSQL	Microsoft SQL Server ⚠ xp_cmdshell for RCE if sysadmin. SA account brute-force common.
1434	UDP	MSSQL-mon	MSSQL Browser/Monitor
3306	TCP	MySQL	MySQL / MariaDB ⚠ Root with no password default on some installs. UDF injection for code execution.
5432	TCP	PostgreSQL	PostgreSQL database
6379	TCP	Redis	Redis in-memory database ⚠ No auth by default. Write SSH keys, cron jobs, or webshells via Redis CONFIG SET.
27017	TCP	MongoDB	MongoDB database ⚠ No auth by default. Massive data breaches from exposed instances.
9200	TCP	Elasticsearch	Elasticsearch REST API ⚠ No auth by default. Read/write all data via HTTP.
5601	TCP	Kibana	Elasticsearch Kibana UI
500	UDP	IKE	IPsec IKE — VPN key exchange
4500	UDP	IPsec NAT-T	IPsec NAT traversal
1194	TCP/UDP	OpenVPN	OpenVPN
51820	UDP	WireGuard	WireGuard VPN
1723	TCP	PPTP	Point-to-Point Tunneling Protocol — deprecated ⚠ Cryptographically broken. Do not use.
179	TCP	BGP	Border Gateway Protocol — internet routing
520	UDP	RIP	Routing Information Protocol
2181	TCP	ZooKeeper	Apache ZooKeeper — distributed coordination ⚠ No auth by default. Access = read/write all ZK data including Kafka configs.
9092	TCP	Kafka	Apache Kafka message broker
2375	TCP	Docker	Docker daemon API (unencrypted) ⚠ Exposed Docker socket = root on host. Trivial container escape → host access.
2376	TCP	Docker TLS	Docker daemon API (TLS)
6443	TCP	K8s API	Kubernetes API server ⚠ Unauthenticated access = cluster takeover. Often exposed in cloud misconfigs.
10250	TCP	Kubelet	Kubernetes Kubelet API ⚠ Unauthenticated kubelet allows exec into any pod on the node.
111	TCP/UDP	RPCbind	RPC portmapper ⚠ Enumerate NFS/NIS services. Often a pivot point for NFS exploitation.
135	TCP	MS-RPC	Microsoft RPC endpoint mapper ⚠ WMI, DCOM, PsExec all use this. Required for many Windows remote operations.
137	UDP	NetBIOS-NS	NetBIOS name service ⚠ NBNS poisoning with Responder. Should not be exposed outside LAN.
138	UDP	NetBIOS-DGM	NetBIOS datagram service
623	UDP	IPMI	Intelligent Platform Management Interface ⚠ IPMI 2.0 RAKP auth flaw allows offline hash crack. Cipher 0 bypass. High-value target.

64 / 64 ports · amber rows have security notes