A Hacker's Guide to Common Ports

A no-fluff guide to the ports you'll actually run into during a pentest. Forget the textbook definitions - this is about what they are, why they're interesting, and how to poke at them with Nmap.

Port 21: FTP (File Transfer Protocol)

• What is it? An old-school way to move files around.

• Why we care:

  • Anonymous Login: Often, you can just log in with the username anonymous and no password. It's the first thing you should always try.

  • Sniffable Passwords: It sends everything, including credentials, in plain text. Easy to grab with a network sniffer.

• Nmap Scripts:

  # Check for anonymous login and common FTP vulnerabilities
  nmap -p 21 --script ftp-anon,ftp-vuln-* <target>
  

Port 22: SSH (Secure Shell)

• What is it? The modern, secure way to get a remote command line.

• Why we care:

  • Weak Passwords: People are lazy. Brute-forcing common or default credentials is a classic way in.

  • Version Info: Knowing the SSH version can sometimes reveal if it's vulnerable to a specific exploit.

• Nmap Scripts:

  # See what authentication methods are allowed and grab the host key
  nmap -p 22 --script ssh-auth-methods,ssh-hostkey <target>
  

Port 23: Telnet

• What is it? The insecure granddaddy of SSH. If you see this, you're looking at a very old system.

• Why we care:

  • Everything's Unencrypted: Usernames, passwords, every single keystroke—it's all sent in clear text. Game over if you're on the same network.

• Nmap Scripts:

  # Try to grab banner and NTLM info (for Windows)
  nmap -p 23 --script telnet-ntlm-info <target>
  

Port 25: SMTP (Simple Mail Transfer Protocol)

• What is it? The protocol that sends emails across the internet.

• Why we care:

  • Username Enumeration: You can use commands like VRFY and EXPN to guess and confirm valid usernames on the server, which is great for phishing or password spraying later.

• Nmap Scripts:

  # Try to enumerate users and see supported commands
  nmap -p 25 --script smtp-enum-users,smtp-commands <target>
  

Port 53: DNS (Domain Name System)

• What is it? The internet's phone book. It turns names like google.com into IP addresses.

• Why we care:

  • Zone Transfers: A badly configured server will just hand you its entire list of records (all subdomains, server names, etc.) if you ask nicely. This is a goldmine for mapping out a target's infrastructure.

• Nmap Scripts:

  # Try to perform a zone transfer
  nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=example.com <target>
  

Port 80: HTTP (Hypertext Transfer Protocol)

• What is it? The protocol that powers the web.

• Why we care: Web servers are a massive attack surface.

  • Web App Bugs: SQL injection, XSS, RCE... the list is endless. This is where you'll spend a lot of your time.

  • Hidden Files & Dirs: Look for sensitive files like .git folders, .env config files, and admin panels.

• Nmap Scripts:

  # Find common directories, get the page title, and check for vulnerabilities
  nmap -sV -p 80 --script http-enum,http-title,http-vuln-* <target>
  

Port 111 & 2049: RPCbind & NFS (Network File System)

• What is it? A way for Linux/Unix systems to share folders over the network.

• Why we care:

  • Exposed Shares: Admins often misconfigure NFS, letting anyone mount and read (or write to) sensitive folders. You can find internal documents, user home directories, and more.

• Nmap Scripts:

  # List the available NFS shares
  nmap -p 111 --script nfs-showmount <target>
  

Port 139 & 445: SMB (Server Message Block)

• What is it? The main protocol for file and printer sharing in Windows networks.

• Why we care:

  • A Pentester's Dream: SMB is notoriously insecure. You can often connect with no password (a "null session") to list users, shares, and system info.

  • Legendary Exploits: It's the home of critical vulnerabilities like EternalBlue (MS17-010) that give instant remote code execution.

• Nmap Scripts:

  # The ultimate SMB enumeration scan
  nmap -p 445 --script smb-os-discovery,smb-enum-shares,smb-enum-users,smb-vuln-* <target>
  

Port 161: SNMP (Simple Network Management Protocol)

• What is it? Used by network admins to monitor devices like routers and switches.

• Why we care:

  • Default Passwords: It uses "community strings" as passwords. They are often left as the defaults: public (read-only) and private (read-write). If you guess public, you can learn tons about the network. If you guess private, you might be able to change device configs.

• Nmap Scripts:

  # Use UDP scan (-sU) and try to get system description and network interfaces
  nmap -sU -p 161 --script snmp-sysdescr,snmp-interfaces <target>
  

Port 389: LDAP (Lightweight Directory Access Protocol)

• What is it? The address book for corporate networks, most famously used by Microsoft Active Directory.

• Why we care:

  • Anonymous Queries: If you can connect without credentials, you can dump tons of info: usernames, group memberships, computer names, and the entire structure of the company's internal network.

• Nmap Scripts:

  # Try to pull information from the directory anonymously
  nmap -p 389 --script ldap-search --script-args ldap.maxobjects=-1 <target>
  

Port 443: HTTPS (HTTP Secure)

• What is it? The encrypted version of HTTP.

• Why we care:

  • Same Bugs, Just Encrypted: The web application running here is just as likely to have vulnerabilities as one on port 80.

  • Weak Crypto: Check for expired certificates and weak SSL/TLS ciphers. This can sometimes lead to downgrade attacks.

• Nmap Scripts:

  # Check SSL certificate, enumerate ciphers, and run web scripts
  nmap -sV -p 443 --script ssl-cert,ssl-enum-ciphers,http-enum <target>
  

Port 1433: MS-SQL Server

• What is it? Microsoft's main database server.

• Why we care:

  • Weak 'sa' Password: The default system administrator account (sa) is a prime target for brute-force attacks.

• Nmap Scripts:

  # Get server info and check for an empty 'sa' password
  nmap -p 1433 --script ms-sql-info,ms-sql-empty-password <target>
  

Port 3306: MySQL / MariaDB

• What is it? The most popular open-source database in the world.

• Why we care:

  • Weak 'root' Password: Just like MS-SQL, the root user is the main target for password guessing.

• Nmap Scripts:

  # Get server info and check for an empty 'root' password
  nmap -p 3306 --script mysql-info,mysql-empty-password <target>
  

Port 3389: RDP (Remote Desktop Protocol)

• What is it? The built-in Windows tool for getting a remote graphical desktop.

• Why we care:

  • Brute-Force Heaven: Exposed RDP is a massive target for attackers trying to guess passwords.

  • BlueKeep: The infamous RDP vulnerability that allows for code execution without any credentials. Always check if a system is patched for this.

• Nmap Scripts:

  # Get NTLM info and check for the MS12-020 vulnerability
  nmap -p 3389 --script rdp-ntlm-info,rdp-vuln-ms12-020 <target>
  

Port 5900: VNC (Virtual Network Computing)

• What is it? A cross-platform remote desktop system.

• Why we care:

  • No Password: It's shockingly common to find VNC servers running with no password at all, giving you instant access to the desktop.

• Nmap Scripts:

  # Get VNC server info and check for a known auth bypass
  nmap -p 5900 --script vnc-info,realvnc-auth-bypass <target>
  

Port 8080 / 8000 / 8888: HTTP-Alt

• What is it? Web servers, proxies, and APIs hiding on non-standard ports.

• Why we care:

  • Forgotten Services: These often host admin panels (like Apache Tomcat, Jenkins) or development versions of apps that are less secure than the main site. Always check for default credentials.

• Nmap Scripts:

  # Use the same scripts as for port 80, just specify the different ports
  nmap -sV -p 8080,8000,8888 --script http-enum,http-title <target>