A Hacker's Guide to Common Ports

A no-fluff guide to the ports you'll actually run into during a pentest. Forget the textbook definitions - this is about what they are, why they're interesting, and how to poke at them with Nmap.

Port 21: FTP (File Transfer Protocol)

  • What is it? An old-school way to move files around.

  • Why we care:

    • Anonymous Login: Often, you can just log in with the username anonymous and no password. It's the first thing you should always try.

    • Sniffable Passwords: It sends everything, including credentials, in plain text. Easy to grab with a network sniffer.

  • Nmap Scripts:

    # Check for anonymous login and common FTP vulnerabilities
    nmap -p 21 --script ftp-anon,ftp-vuln-* <target>
    

Port 22: SSH (Secure Shell)

  • What is it? The modern, secure way to get a remote command line.

  • Why we care:

    • Weak Passwords: People are lazy. Brute-forcing common or default credentials is a classic way in.

    • Version Info: Knowing the SSH version can sometimes reveal if it's vulnerable to a specific exploit.

  • Nmap Scripts:

    # See what authentication methods are allowed and grab the host key
    nmap -p 22 --script ssh-auth-methods,ssh-hostkey <target>
    

Port 23: Telnet

  • What is it? The insecure granddaddy of SSH. If you see this, you're looking at a very old system.

  • Why we care:

    • Everything's Unencrypted: Usernames, passwords, every single keystroke: it's all sent in clear text. Game over if you're on the same network.

  • Nmap Scripts:

    # Pull NTLM info (machine name, NetBIOS domain, OS build) from a Windows Telnet service
    nmap -p 23 --script telnet-ntlm-info <target>

Port 25: SMTP (Simple Mail Transfer Protocol)

  • What is it? The protocol that sends emails across the internet.

  • Why we care:

    • Username Enumeration: You can use commands like VRFY and EXPN to guess and confirm valid usernames on the server, which is great for phishing or password spraying later.

  • Nmap Scripts:

    # Try to enumerate users and see supported commands
    nmap -p 25 --script smtp-enum-users,smtp-commands <target>
    

Port 53: DNS (Domain Name System)

  • What is it? The internet's phone book. It turns names like google.com into IP addresses.

  • Why we care:

    • Zone Transfers: A badly configured server will just hand you its entire list of records (all subdomains, server names, etc.) if you ask nicely. This is a goldmine for mapping out a target's infrastructure.

  • Nmap Scripts:

    # Ask the name server at <target> for a full zone transfer (AXFR) of the given domain
    nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=example.com <target>

Port 80: HTTP (Hypertext Transfer Protocol)

  • What is it? The protocol that powers the web.

  • Why we care: Web servers are a massive attack surface.

    • Web App Bugs: SQL injection, XSS, RCE... the list is endless. This is where you'll spend a lot of your time.

    • Hidden Files & Dirs: Look for sensitive files like .git folders, .env config files, and admin panels.

  • Nmap Scripts:

    # Find common directories, get the page title, and check for vulnerabilities
    nmap -sV -p 80 --script http-enum,http-title,http-vuln-* <target>
    

Port 111 & 2049: RPCbind & NFS (Network File System)

  • What is it? A way for Linux/Unix systems to share folders over the network.

  • Why we care:

    • Exposed Shares: Admins often misconfigure NFS, letting anyone mount and read (or write to) sensitive folders. You can find internal documents, user home directories, and more.

  • Nmap Scripts:

    # Ask rpcbind/mountd for the NFS export list and which clients are allowed to mount each share
    nmap -p 111 --script nfs-showmount <target>

Port 139 & 445: SMB (Server Message Block)

  • What is it? The main protocol for file and printer sharing in Windows networks.

  • Why we care:

    • A Pentester's Dream: SMB is notoriously insecure. You can often connect with no password (a "null session") to list users, shares, and system info.

    • Legendary Exploits: It's the home of critical vulnerabilities like EternalBlue (MS17-010) that give instant remote code execution.

  • Nmap Scripts:

    # The ultimate SMB enumeration scan
    nmap -p 445 --script smb-os-discovery,smb-enum-shares,smb-enum-users,smb-vuln-* <target>
    

Port 161: SNMP (Simple Network Management Protocol)

  • What is it? Used by network admins to monitor devices like routers and switches.

  • Why we care:

    • Default Passwords: It uses "community strings" as passwords. They are often left as the defaults: public (read-only) and private (read-write). If you guess public, you can learn tons about the network. If you guess private, you might be able to change device configs.

  • Nmap Scripts:

    # Use UDP scan (-sU) and try to get system description and network interfaces
    nmap -sU -p 161 --script snmp-sysdescr,snmp-interfaces <target>
    

Port 389: LDAP (Lightweight Directory Access Protocol)

  • What is it? The address book for corporate networks, most famously used by Microsoft Active Directory.

  • Why we care:

    • Anonymous Queries: If you can connect without credentials, you can dump tons of info: usernames, group memberships, computer names, and the entire structure of the company's internal network.

  • Nmap Scripts:

    # Try to pull information from the directory anonymously
    nmap -p 389 --script ldap-search --script-args ldap.maxobjects=-1 <target>
    

Port 443: HTTPS (HTTP Secure)

  • What is it? The encrypted version of HTTP.

  • Why we care:

    • Same Bugs, Just Encrypted: The web application running here is just as likely to have vulnerabilities as one on port 80.

    • Weak Crypto: Check for expired certificates and weak SSL/TLS ciphers. This can sometimes lead to downgrade attacks.

  • Nmap Scripts:

    # Check SSL certificate, enumerate ciphers, and run web scripts
    nmap -sV -p 443 --script ssl-cert,ssl-enum-ciphers,http-enum <target>
    

Port 1433: MS-SQL Server

  • What is it? Microsoft's main database server.

  • Why we care:

    • Weak 'sa' Password: The default system administrator account (sa) is a prime target for brute-force attacks.

  • Nmap Scripts:

    # Get server info and check for an empty 'sa' password
    nmap -p 1433 --script ms-sql-info,ms-sql-empty-password <target>
    

Port 3306: MySQL / MariaDB

  • What is it? The most popular open-source database in the world.

  • Why we care:

    • Weak 'root' Password: Just like MS-SQL, the root user is the main target for password guessing.

  • Nmap Scripts:

    # Get server info and check for an empty 'root' password
    nmap -p 3306 --script mysql-info,mysql-empty-password <target>
    

Port 3389: RDP (Remote Desktop Protocol)

  • What is it? The built-in Windows tool for getting a remote graphical desktop.

  • Why we care:

    • Brute-Force Heaven: Exposed RDP is a massive target for attackers trying to guess passwords.

    • BlueKeep: The infamous RDP vulnerability that allows for code execution without any credentials. Always check if a system is patched for this.

  • Nmap Scripts:

    # Get NTLM info and check for the MS12-020 vulnerability
    # Note: rdp-vuln-ms12-020 tests MS12-020 (an older RDP bug), not BlueKeep; BlueKeep needs a separate check
    nmap -p 3389 --script rdp-ntlm-info,rdp-vuln-ms12-020 <target>

Port 5900: VNC (Virtual Network Computing)

  • What is it? A cross-platform remote desktop system.

  • Why we care:

    • No Password: It's shockingly common to find VNC servers running with no password at all, giving you instant access to the desktop.

  • Nmap Scripts:

    # Get VNC server info and check for a known auth bypass
    nmap -p 5900 --script vnc-info,realvnc-auth-bypass <target>
    

Port 8080 / 8000 / 8888: HTTP-Alt

  • What is it? Web servers, proxies, and APIs hiding on non-standard ports.

  • Why we care:

    • Forgotten Services: These often host admin panels (like Apache Tomcat, Jenkins) or development versions of apps that are less secure than the main site. Always check for default credentials.

  • Nmap Scripts:

    # Use the same scripts as for port 80, just specify the different ports
    nmap -sV -p 8080,8000,8888 --script http-enum,http-title <target>
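Once you've run the scans above, you still have to sort the output. As an added example (not part of the original guide), here is a small Python script that reads the XML report from one of those scans (run Nmap with -oX) and turns it into a defender-side exposure list: it flags the ports this guide calls out and any NSE script output that confirms a finding. The XML sample, the port/reason table and the output markers are constructed for illustration.

```python
# Added example, not from the original guide: triage an Nmap XML report (-oX)
# into an exposure list a defender can act on. All sample data is constructed.
import xml.etree.ElementTree as ET

# Ports this guide singles out, with the reason they matter (constructed table).
RISKY_PORTS = {
    21: "FTP: cleartext credentials, check anonymous login",
    23: "Telnet: everything cleartext, legacy system",
    161: "SNMP: default community strings (public/private)",
    445: "SMB: null sessions, MS17-010 class bugs",
    3389: "RDP: password guessing, unauthenticated RCE history",
    5900: "VNC: frequently no password at all",
}

# Phrases in NSE script output that confirm a finding (constructed markers,
# modelled on what the named scripts print).
FINDING_MARKERS = {
    "ftp-anon": "Anonymous FTP login allowed",
    "mysql-empty-password": "account has empty password",
    "smb-vuln-ms17-010": "VULNERABLE",
}

def triage(xml_text):
    """Return (host, port, severity, note) tuples from an Nmap XML report."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports are an exposure
            num = int(port.get("portid"))
            if num in RISKY_PORTS:
                findings.append((addr, num, "exposed", RISKY_PORTS[num]))
            for script in port.findall("script"):
                sid, out = script.get("id"), script.get("output", "")
                marker = FINDING_MARKERS.get(sid)
                if marker and marker in out:
                    findings.append((addr, num, "confirmed", f"{sid}: {out.strip()}"))
    return findings

SAMPLE_XML = """<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
   <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/>
   <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)"/></port>
  <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
 </ports></host></nmaprun>"""

if __name__ == "__main__":
    for addr, num, severity, note in triage(SAMPLE_XML):
        print(f"{addr}:{num} [{severity}] {note}")
```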
