A Hacker's Guide to Common Ports
A no-fluff guide to the ports you'll actually run into during a pentest. Forget the textbook definitions - this is about what they are, why they're interesting, and how to poke at them with Nmap.
Port 21: FTP (File Transfer Protocol)
What is it? An old-school way to move files around.
Why we care:
Anonymous Login: Often you can log in with the username anonymous and any (or no) password. It's the first thing you should always try.
Sniffable Passwords: Plain FTP sends everything, including credentials, in clear text, so anyone who can see the traffic can grab them with a network sniffer.
Nmap Scripts:
# Check for anonymous login and common FTP vulnerabilities (quote the glob so the shell doesn't expand it)
nmap -p 21 --script "ftp-anon,ftp-vuln-*" <target>
Port 22: SSH (Secure Shell)
What is it? The modern, secure way to get a remote command line.
Why we care:
Weak Passwords: People are lazy. Brute-forcing common or default credentials is a classic way in.
Version Info: The banner gives away the exact SSH server version, which tells you whether it is affected by a known, version-specific exploit or still offers weak key-exchange and cipher algorithms.
Nmap Scripts:
# See what authentication methods are allowed and grab the host key
nmap -p 22 --script ssh-auth-methods,ssh-hostkey <target>
Port 23: Telnet
What is it? The insecure ancestor of SSH. If you see it, you're usually looking at a very old system or an embedded device (network gear, printers, industrial kit).
Why we care:
Everything's Unencrypted: Usernames, passwords, every single keystroke, all sent in clear text. If you can see the traffic (same network segment, a mirror port, or an ARP-spoofing position), you have the credentials.
Nmap Scripts:
Port 25: SMTP (Simple Mail Transfer Protocol)
What is it? The protocol that sends emails across the internet.
Why we care:
Username Enumeration: The VRFY and EXPN commands ask the server to confirm a mailbox or expand a mailing list. A 250 reply confirms the name, a 550 rejects it, and a 252 means the server won't say. Confirmed names are great for phishing or password spraying later, and RCPT TO can be used the same way when VRFY is disabled.
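The VRFY/EXPN exchange above, as an added shell example that is not part of the original page: it sends one probe per name, sorts the replies by status code, and keeps only the confirmed accounts. The host, the user list and the fake server's replies are constructed; against a real target you would point the live fetcher at it via the (hypothetical) SMTP_HOST variable.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enumerate mailbox names over
# SMTP with VRFY/EXPN and sort the replies by status code.
# The host, user list and the fake server's replies are constructed.

# Map an SMTP reply line to a verdict. Per RFC 5321: 250 confirms the
# address, 252 means "can't verify but will accept" (ambiguous, do not
# trust it), 550/551/553 mean unknown, 500/502 mean the command is disabled.
classify_smtp_reply() {
    case "$1" in
        250*)            echo valid ;;
        252*)            echo unverified ;;
        550*|551*|553*)  echo invalid ;;
        500*|502*)       echo disabled ;;
        *)               echo unknown ;;
    esac
}

# Live reply fetcher: send HELO, one VRFY/EXPN and QUIT, return the reply
# to the probe. The banner and HELO replies may span several lines
# ("220-..."), so count completed replies instead of raw lines.
# Needs SMTP_HOST (and optionally SMTP_PORT) in the environment.
smtp_fetch_live() {   # $1 = VRFY|EXPN, $2 = name to probe
    printf 'HELO scanner.example\r\n%s %s\r\nQUIT\r\n' "$1" "$2" \
      | nc -w 5 "${SMTP_HOST:?set SMTP_HOST}" "${SMTP_PORT:-25}" \
      | tr -d '\r' \
      | awk '/^[0-9][0-9][0-9]-/ { next } { n++; if (n == 3) { print; exit } }'
}

# Constructed stand-in for a server that knows alice and postmaster and
# has EXPN disabled. Used for the offline demo and the test.
smtp_fetch_fake() {
    case "$1 $2" in
        "VRFY alice")      echo "250 2.1.5 Alice Example <alice@example.test>" ;;
        "VRFY postmaster") echo "250 2.1.5 <postmaster@example.test>" ;;
        "VRFY "*)          echo "550 5.1.1 <$2>: Recipient address rejected: User unknown" ;;
        "EXPN "*)          echo "502 5.5.1 EXPN not implemented" ;;
        *)                 echo "500 5.5.2 Error: command not recognized" ;;
    esac
}

# Probe each name with the given command through the given fetcher.
# Output: name<TAB>verdict<TAB>raw reply.
smtp_enum_users() {   # $1 = VRFY|EXPN, $2 = fetcher function, $3.. = names
    cmd=$1; fetch=$2; shift 2
    for name in "$@"; do
        reply=$("$fetch" "$cmd" "$name")
        printf '%s\t%s\t%s\n' "$name" "$(classify_smtp_reply "$reply")" "$reply"
    done
}

# Only the names the server positively confirmed.
confirmed_users() {
    smtp_enum_users "$@" | awk -F'\t' '$2 == "valid" { print $1 }'
}

# Offline demo against the fake server. Against a real target:
#   SMTP_HOST=10.0.0.25 confirmed_users VRFY smtp_fetch_live alice bob
smtp_enum_users VRFY smtp_fetch_fake alice bob postmaster carol
smtp_enum_users EXPN smtp_fetch_fake staff
```

Swapping the fetcher function is what makes the logic testable offline; the live fetcher talks to the real server with nc, and the fake one returns canned replies. Treat a 252 as "unknown", not as a hit: many servers return it for every name precisely to defeat this technique.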
Nmap Scripts:
Port 53: DNS (Domain Name System)
What is it? The internet's phone book. It turns names like google.com into IP addresses.
Why we care:
Zone Transfers: A badly configured server will hand you its entire zone (all subdomains, server names, internal IPs) if you ask for an AXFR. You need the domain name and an authoritative nameserver, and the secondaries are often looser than the primary, so try each one. This is a goldmine for mapping out a target's infrastructure.
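The zone-transfer check described above, as an added shell example (not the page's own code): it tries an AXFR against every authoritative nameserver of the domain and reduces a leaked zone to a host list you can feed straight into a port scan. The domain, the nameservers and the SAMPLE_ZONE record set are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): attempt an AXFR against each
# authoritative nameserver and turn a leaked zone into a host/IP target
# list. The domain, nameservers and SAMPLE_ZONE below are constructed.

# Live: request the whole zone from one nameserver. dig prints the records
# on success and "; Transfer failed." when the server refuses.
axfr_zone() {   # $1 = domain, $2 = nameserver
    dig +nocmd +noall +answer axfr "$1" "@$2"
}

# Live: walk the domain's NS records and stop at the first server that
# leaks the zone. Secondaries are often looser than the primary, so check
# every one. Returns 1 if none of them transfers.
axfr_any_ns() {   # $1 = domain
    for ns in $(dig +short ns "$1"); do
        out=$(axfr_zone "$1" "$ns") || true     # dig exits nonzero on refusal
        if printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]]SOA[[:space:]]'; then
            printf '%s\n' "$out"
            return 0
        fi
    done
    return 1
}

# dig's answer lines look like: name. ttl IN TYPE rdata...
# Keep address records as "name ip", one per line, without the trailing dot.
zone_to_hosts() {
    awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") { sub(/\.$/, "", $1); print $1, $5 }' \
      | LC_ALL=C sort -u
}

# CNAMEs tell you which names are aliases of the hosts above.
zone_aliases() {
    awk '$3 == "IN" && $4 == "CNAME" { sub(/\.$/, "", $1); sub(/\.$/, "", $5); print $1, "->", $5 }'
}

# Unique IPs only, ready for an nmap -iL target file.
zone_ips() {
    zone_to_hosts | awk '{ print $2 }' | LC_ALL=C sort -u
}

# Constructed sample of what a successful transfer returns.
SAMPLE_ZONE='example.test.            3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.            3600  IN  NS     ns1.example.test.
example.test.            3600  IN  NS     ns2.example.test.
example.test.            3600  IN  MX     10 mail.example.test.
ns1.example.test.        3600  IN  A      10.10.0.2
ns2.example.test.        3600  IN  A      10.10.0.3
mail.example.test.       3600  IN  A      10.10.0.25
www.example.test.        3600  IN  A      10.10.0.80
intranet.example.test.   300   IN  A      10.10.5.10
vpn.example.test.        300   IN  CNAME  intranet.example.test.
backup-dev.example.test. 300   IN  A      10.10.5.10
example.test.            3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600'

# Offline demo. Live use: axfr_any_ns example.test | zone_to_hosts
printf '%s\n' "$SAMPLE_ZONE" | zone_to_hosts
printf '%s\n' "$SAMPLE_ZONE" | zone_aliases
```

Names like intranet or backup-dev with RFC 1918 addresses are the real prize here: they tell you what exists behind the perimeter before you have sent a single packet at it.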
Nmap Scripts:
Port 80: HTTP (Hypertext Transfer Protocol)
What is it? The protocol that powers the web.
Why we care: Web servers are a massive attack surface.
Web App Bugs: SQL injection, XSS, RCE... the list is endless. This is where you'll spend a lot of your time.
Hidden Files & Dirs: Look for sensitive files and directories like exposed .git folders (which can leak the full source), .env config files with secrets in them, and admin panels.
Nmap Scripts:
Port 111 & 2049: RPCbind & NFS (Network File System)
What is it? A way for Linux/Unix systems to share directories over the network. Port 111 is the RPC portmapper that tells you where NFS and its helper services live; 2049 is NFS itself.
Why we care:
Exposed Shares: Admins often export shares to everyone (a * entry in /etc/exports), letting anyone mount and read (or write to) sensitive directories: internal documents, user home directories, and more. With the default AUTH_SYS, NFS trusts whatever UID the client claims, so creating a local user with the matching UID usually gets you into files that look protected.
Nmap Scripts:
Port 139 & 445: SMB (Server Message Block)
What is it? The main protocol for file and printer sharing in Windows networks.
Why we care:
A Pentester's Dream: SMB is notoriously misconfigured. You can often connect with no credentials (a "null session") to list users, shares, and system info. Modern Windows blocks most of this by default, but older hosts and loosely configured Samba servers still allow it.
Legendary Exploits: It's the home of critical vulnerabilities like EternalBlue (MS17-010) that give instant, unauthenticated remote code execution on unpatched hosts.
Nmap Scripts:
Port 161: SNMP (Simple Network Management Protocol)
What is it? Used by network admins to monitor devices like routers and switches.
Why we care:
Default Passwords: It uses "community strings" as passwords, sent in clear text in SNMPv1 and v2c, and they are often left at the defaults: public (read-only) and private (read-write). With public you can learn tons about the device and the network (interfaces, routes, ARP tables, running processes, sometimes usernames). With private you may be able to change device configs. SNMP runs over UDP, so a plain TCP port scan won't find it; scan UDP as well.
Nmap Scripts:
Port 389: LDAP (Lightweight Directory Access Protocol)
What is it? The address book for corporate networks, most famously used by Microsoft Active Directory.
Why we care:
Anonymous Queries: If the server allows anonymous binds, you can dump tons of info: usernames, group memberships, computer names, and the entire structure of the directory. Active Directory limits anonymous access to the rootDSE by default, but even that reveals the domain and forest names and the naming contexts, and many third-party directories are wide open.
Nmap Scripts:
Port 443: HTTPS (HTTP Secure)
What is it? The encrypted version of HTTP.
Why we care:
Same Bugs, Just Encrypted: The web application running here is just as likely to have vulnerabilities as one on port 80.
Weak Crypto: Check for expired or self-signed certificates, old protocol versions (SSLv3, TLS 1.0/1.1), and weak cipher suites. Old protocols and weak suites are what make downgrade and padding-oracle attacks possible. The certificate itself is also useful recon: its Subject Alternative Names often list other hostnames you didn't know about.
Nmap Scripts:
Port 1433: MS-SQL Server
What is it? Microsoft's main database server.
Why we care:
Weak 'sa' Password: The built-in system administrator account (sa) is a prime target for brute-force attacks, and getting it usually means command execution on the host through xp_cmdshell.
Nmap Scripts:
Port 3306: MySQL / MariaDB
What is it? The most popular open-source database in the world.
Why we care:
Weak 'root' Password: Just like MS-SQL, the root user is the main target for password guessing. Also check whether it accepts remote connections at all; a well-configured install binds to localhost only, so seeing 3306 from outside is already a finding.
Nmap Scripts:
Port 3389: RDP (Remote Desktop Protocol)
What is it? The built-in Windows tool for getting a remote graphical desktop.
Why we care:
Brute-Force Heaven: Exposed RDP is a massive target for attackers trying to guess passwords.
BlueKeep: The infamous RDP vulnerability (CVE-2019-0708) that allows code execution without any credentials on unpatched Windows 7 / Server 2008 R2 and older. Always check whether a system is patched for this; Network Level Authentication (NLA) blocks the unauthenticated path.
Nmap Scripts:
Port 5900: VNC (Virtual Network Computing)
What is it? A cross-platform remote desktop system.
Why we care:
No Password: It's shockingly common to find VNC servers running with no password at all, giving you instant access to the desktop. Even when one is set, classic VNC authentication is a DES challenge keyed by a password truncated to 8 characters, so it doesn't resist brute force for long.
Nmap Scripts:
Port 8080 / 8000 / 8888: HTTP-Alt
What is it? Web servers, proxies, and APIs hiding on non-standard ports.
Why we care:
Forgotten Services: These often host admin panels (Apache Tomcat's manager, Jenkins) or development versions of apps that are less secure than the main site. Always check for default credentials, and check whether the panel asks for any at all.
Nmap Scripts:
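To tie the per-port notes together, here is an added shell example (not code from the original page) that reads Nmap greppable output (-oG) and prints one follow-up NSE scan per open port, using a script set chosen for each of the services covered in this guide. The gnmap sample is constructed; the script names are real scripts that ship with Nmap. The DNS_DOMAIN variable used for the zone-transfer script argument is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): read Nmap greppable output
# (-oG) and print one follow-up NSE scan per open port, using script sets
# chosen for the services covered in this guide. The gnmap sample is
# constructed; the script names are real NSE scripts that ship with Nmap.

# Open ports from a gnmap stream as "ip proto port". UDP services usually
# show as open|filtered, so accept any state that begins with "open".
gnmap_open_ports() {
    awk -F'\t' '
        /^Host: / {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, /, */)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")      # port/state/proto/owner/service/...
                    if (f[2] ~ /^open/) print ip, f[3], f[1]
                }
            }
        }'
}

# Script set per port, following the "why we care" notes in this guide.
scripts_for_port() {
    case "$1" in
        21)                echo 'ftp-anon,ftp-vuln-*' ;;
        22)                echo 'ssh-auth-methods,ssh-hostkey,ssh2-enum-algos' ;;
        23)                echo 'banner,telnet-encryption' ;;
        25)                echo 'smtp-commands,smtp-enum-users' ;;
        53)                echo 'dns-zone-transfer' ;;
        80|8000|8080|8888) echo 'http-title,http-enum,http-git' ;;
        111)               echo 'rpcinfo' ;;
        2049)              echo 'nfs-showmount,nfs-ls' ;;
        139|445)           echo 'smb-os-discovery,smb-enum-shares,smb-enum-users,smb-vuln-ms17-010' ;;
        161)               echo 'snmp-info,snmp-brute' ;;
        389)               echo 'ldap-rootdse,ldap-search' ;;
        443)               echo 'ssl-cert,ssl-enum-ciphers,http-title,http-enum' ;;
        1433)              echo 'ms-sql-info,ms-sql-empty-password' ;;
        3306)              echo 'mysql-info,mysql-empty-password' ;;
        3389)              echo 'rdp-ntlm-info,rdp-enum-encryption' ;;
        5900)              echo 'vnc-info,realvnc-auth-bypass' ;;
        *)                 echo 'banner' ;;
    esac
}

# One nmap command per open port: -sU for UDP, and the zone-transfer script
# needs the domain as a script argument (DNS_DOMAIN is a hypothetical var).
followup_commands() {
    gnmap_open_ports | while read -r ip proto port; do
        case "$proto" in udp) pf='-sU ' ;; *) pf='' ;; esac
        case "$port" in
            53) args=" --script-args dns-zone-transfer.domain=${DNS_DOMAIN:-example.test}" ;;
            *)  args='' ;;
        esac
        printf "nmap %s-p %s --script '%s'%s %s\n" "$pf" "$port" "$(scripts_for_port "$port")" "$args" "$ip"
    done
}

# Constructed gnmap sample (fields are tab-separated, as nmap -oG writes them).
TAB=$(printf '\t')
SAMPLE_GNMAP="# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.5.10 (intranet.example.test)${TAB}Status: Up
Host: 10.10.5.10 (intranet.example.test)${TAB}Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///${TAB}Ignored State: closed (994)
Host: 10.10.0.2 (ns1.example.test)${TAB}Ports: 53/open/tcp//domain///, 161/open|filtered/udp//snmp///${TAB}Ignored State: closed (998)"

# Offline demo. Live use: nmap -sS -sU -p T:21-8888,U:161 -oG scan.gnmap <targets>
#                         followup_commands < scan.gnmap
printf '%s\n' "$SAMPLE_GNMAP" | followup_commands
```

The output is a list of commands, not a single giant scan, on purpose: you can review, reorder, or drop individual probes before running them, and the noisy ones (brute-force scripts, EternalBlue checks) stay visible rather than buried in a wildcard.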