Ports and associated Vectors

Port	Use case	Abuse Case
21	21 FTP (File Transfer Protocol)	Exploited for brute force attacks to gain unauthorized access to file shares and potentially upload malicious scripts or files.
22	SSH (Secure Shell)	Targeted for brute force or dictionary attacks to gain remote control of systems. Often scanned for vulnerable or default credentials.
23	Telnet	Because it's unencrypted, attackers could eavesdrop on communications, capturing credentials for unauthorized access.
25	SMTP (Simple Mail Transfer Protocol)	Used for sending spam or phishing emails if the SMTP server is compromised or misconfigured.
53	DNS (Domain Name System)	Exploited in DNS amplification attacks to overwhelm a network with DNS response traffic, leading to DDoS attacks.
80/443	HTTP/HTTPS (Web Services)	Web servers on these ports can be targeted with various web application attacks such as SQL injection, XSS, or CSRF.
110/995	POP3/POP3S (Email Retrieval)	Attackers could intercept unencrypted POP3 traffic to steal email credentials or use compromised accounts to spread malware.
135-139/445	Windows RPC/NetBIOS/SMB	Exploited by malware like WannaCry for spreading within networks or to execute remote code.
143/993	IMAP/IMAPS (Email Retrieval)	Similar to POP3, IMAP traffic can be intercepted to gain unauthorized access to email accounts.
161/162	SNMP (Simple Network Management Protocol)	Misused to gather detailed network information or, in some configurations, to modify device settings.
389/636	LDAP/LDAPS (Directory Services)	Attackers could exploit vulnerabilities to perform directory traversal attacks or gain unauthorized access to directory listings.
1433/1434	Microsoft SQL Server	SQL injection attacks or unauthorized access for data theft or manipulation. Exploited for executing remote commands.
1521	Oracle Database	Attackers may attempt to exploit vulnerabilities for unauthorized database access or to inject malicious SQL queries.
1812/1813	RADIUS (Remote Authentication Dial-In User Service)	Used for network authentication. Vulnerable to brute force attacks or exploited for unauthorized network access if poorly configured.
3306	MySQL	If accessible from externally, it can be brute-forced or exploited to gain access to databases, leading to data theft or loss.
3389	RDP (Remote Desktop Protocol)	Often targeted for brute force attacks or BlueKeeplike vulnerabilities to gain remote control of systems.
3899	Radmin (Remote Administrator)	A remote control software that can be abused for unauthorized remote access if left exposed or if weak credentials are used.
4444	Metasploit Framework’s default port for payloads	Often used by attackers after exploiting a vulnerability to establish a reverse shell or gain control over a system.
4848	GlassFish Server Administration Console	Can be targeted for unauthorized access or remote code execution if not secured with strong authentication.
5000	UPnP (Universal Plug and Play)	Can be exploited to open other ports or for denialof-service attacks due to its capability to configure network devices.
5060/5061	SIP (Session Initiation Protocol)	Utilized in VoIP environments, vulnerable to eavesdropping, toll fraud, or DDoS attacks targeting communication infrastructure.
5555	Android Debug Bridge	If left open, can be exploited to install malicious applications, exfiltrate data, or control the device remotely without user consent.
5601	Kibana	Exposed instances without proper authentication can lead to unauthorized access to data indexed by Elasticsearch.
5900/5901	VNC (Virtual Network Computing)	Vulnerable to brute force attacks or unauthorized access if not properly secured with strong passwords and encryption.
5985/5986	WinRM (Windows Remote Management)	If improperly configured, can be exploited for remote code execution or lateral movement within a network.
6379	Redis	Unsecured instances may lead to data theft, ransomware, or unauthorized use of the server for malicious purposes.
6667	IRC (Internet Relay Chat)	Historically used by botnets as command and control channels. Vulnerable to eavesdropping and man-in-the-middle attacks if not encrypted.
7547	CWMP (TR-069) - CPE WAN Management Protocol	Exploited in mass-scale attacks to remotely manage home routers and modems. Vulnerabilities can lead to device compromise.
8000/8001	Common alternative HTTP ports	Often used for web servers running in non-standard configurations, which may be less monitored and therefore vulnerable to web application attacks
8080/8443	Alternate HTTP/HTTPS	Often used for web applications and services, which could be targeted with various web-based exploits if not secured.
8081	Proxy or web server alternative port	Similar to port 8080, but less commonly monitored, making services hosted here potential targets for unnoticed exploitation.
8089	Splunkd	Exposed management ports can lead to unauthorized access to Splunk datasets or system compromise.
8291	MikroTik RouterOS Winbox	Vulnerabilities could allow attackers to bypass authentication and gain remote access to the device.
8444	Bitmessage	A decentralized messaging protocol that can be abused for exfiltrating data or command and control if not properly secured.
9001/9030	Tor network entry/exit nodes	Used by Tor for anonymous communication. Misconfigured Tor services can be exploited for malicious purposes or data exfiltration.
9100	PDL (Printer Description Language) Data Stream	Vulnerable to printing denial of service or unauthorized document printing if exposed to a public network.
9200/9300	Elasticsearch	Open ports can be misused for unauthorized data access, deletion, or index manipulation if not properly secured.
10000	Webmin	A web-based interface for system administration for Unix. Vulnerable to exploitation if not regularly updated or properly secured
10050/10051	Zabbix Agent/Server	Open Zabbix agents or servers could be compromised to gain information on monitored systems or to execute commands.
11211	Memcached	Exploited in reflection DDoS attacks due to its high bandwidth amplification factor when left exposed to the internet.
27015	Valve's Source Dedicated Server	Could be targeted for DDoS attacks, disrupting game servers and other services running on this port.

27017-27019	MongoDB	Exposed databases can be targeted for unauthorized access, data leakage, or ransomware attacks due to misconfiguration or lack of authentication.
27018	MongoDB default port for Sharded clusters	Similar risks as the default MongoDB port (27017), but specific to Sharded clusters. Misconfiguration can lead to unauthorized data access.
32400	Plex Media Server	If improperly secured, can be accessed without authorization, potentially exposing personal media collections or being used for bandwidth theft.

Port

Use case

Abuse Case

21 FTP (File Transfer Protocol)

Exploited for brute force attacks to gain unauthorized access to file shares and potentially upload malicious scripts or files.

SSH (Secure Shell)

Targeted for brute force or dictionary attacks to gain remote control of systems. Often scanned for vulnerable or default credentials.

Telnet

Because it's unencrypted, attackers could eavesdrop on communications, capturing credentials for unauthorized access.

SMTP (Simple Mail Transfer Protocol)

Used for sending spam or phishing emails if the SMTP server is compromised or misconfigured.

DNS (Domain Name System)

Exploited in DNS amplification attacks to overwhelm a network with DNS response traffic, leading to DDoS attacks.

80/443

HTTP/HTTPS (Web Services)

Web servers on these ports can be targeted with various web application attacks such as SQL injection, XSS, or CSRF.

110/995

POP3/POP3S (Email Retrieval)

Attackers could intercept unencrypted POP3 traffic to steal email credentials or use compromised accounts to spread malware.

135-139/445

Windows RPC/NetBIOS/SMB

Exploited by malware like WannaCry for spreading within networks or to execute remote code.

143/993

IMAP/IMAPS (Email Retrieval)

Similar to POP3, IMAP traffic can be intercepted to gain unauthorized access to email accounts.

161/162

SNMP (Simple Network Management Protocol)

Misused to gather detailed network information or, in some configurations, to modify device settings.

389/636

LDAP/LDAPS (Directory Services)

Attackers could exploit vulnerabilities to perform directory traversal attacks or gain unauthorized access to directory listings.

1433/1434

Microsoft SQL Server

SQL injection attacks or unauthorized access for data theft or manipulation. Exploited for executing remote commands.

1521

Oracle Database

Attackers may attempt to exploit vulnerabilities for unauthorized database access or to inject malicious SQL queries.

1812/1813

RADIUS (Remote Authentication Dial-In User Service)

Used for network authentication. Vulnerable to brute force attacks or exploited for unauthorized network access if poorly configured.

3306

MySQL

If accessible from externally, it can be brute-forced or exploited to gain access to databases, leading to data theft or loss.

3389

RDP (Remote Desktop Protocol)

Often targeted for brute force attacks or BlueKeeplike vulnerabilities to gain remote control of systems.

3899

Radmin (Remote Administrator)

A remote control software that can be abused for unauthorized remote access if left exposed or if weak credentials are used.

4444

Metasploit Framework’s default port for payloads

Often used by attackers after exploiting a vulnerability to establish a reverse shell or gain control over a system.

4848

GlassFish Server Administration Console

Can be targeted for unauthorized access or remote code execution if not secured with strong authentication.

5000

UPnP (Universal Plug and Play)

Can be exploited to open other ports or for denialof-service attacks due to its capability to configure network devices.

5060/5061

SIP (Session Initiation Protocol)

Utilized in VoIP environments, vulnerable to eavesdropping, toll fraud, or DDoS attacks targeting communication infrastructure.

5555

Android Debug Bridge

If left open, can be exploited to install malicious applications, exfiltrate data, or control the device remotely without user consent.

5601

Kibana

Exposed instances without proper authentication can lead to unauthorized access to data indexed by Elasticsearch.

5900/5901

VNC (Virtual Network Computing)

Vulnerable to brute force attacks or unauthorized access if not properly secured with strong passwords and encryption.

5985/5986

WinRM (Windows Remote Management)

If improperly configured, can be exploited for remote code execution or lateral movement within a network.

6379

Redis

Unsecured instances may lead to data theft, ransomware, or unauthorized use of the server for malicious purposes.

6667

IRC (Internet Relay Chat)

Historically used by botnets as command and control channels. Vulnerable to eavesdropping and man-in-the-middle attacks if not encrypted.

7547

CWMP (TR-069) - CPE WAN Management Protocol

Exploited in mass-scale attacks to remotely manage home routers and modems. Vulnerabilities can lead to device compromise.

8000/8001

Common alternative HTTP ports

Often used for web servers running in non-standard configurations, which may be less monitored and therefore vulnerable to web application attacks

8080/8443

Alternate HTTP/HTTPS

Often used for web applications and services, which could be targeted with various web-based exploits if not secured.

8081

Proxy or web server alternative port

Similar to port 8080, but less commonly monitored, making services hosted here potential targets for unnoticed exploitation.

8089

Splunkd

Exposed management ports can lead to unauthorized access to Splunk datasets or system compromise.

8291

MikroTik RouterOS Winbox

Vulnerabilities could allow attackers to bypass authentication and gain remote access to the device.

8444

Bitmessage

A decentralized messaging protocol that can be abused for exfiltrating data or command and control if not properly secured.

9001/9030

Tor network entry/exit nodes

Used by Tor for anonymous communication. Misconfigured Tor services can be exploited for malicious purposes or data exfiltration.

9100

PDL (Printer Description Language) Data Stream

Vulnerable to printing denial of service or unauthorized document printing if exposed to a public network.

9200/9300

Elasticsearch

Open ports can be misused for unauthorized data access, deletion, or index manipulation if not properly secured.

10000

Webmin

A web-based interface for system administration for Unix. Vulnerable to exploitation if not regularly updated or properly secured

10050/10051

Zabbix Agent/Server

Open Zabbix agents or servers could be compromised to gain information on monitored systems or to execute commands.

11211

Memcached

Exploited in reflection DDoS attacks due to its high bandwidth amplification factor when left exposed to the internet.

27015

Valve's Source Dedicated Server

Could be targeted for DDoS attacks, disrupting game servers and other services running on this port.

27017-27019

MongoDB

Exposed databases can be targeted for unauthorized access, data leakage, or ransomware attacks due to misconfiguration or lack of authentication.

27018

MongoDB default port for Sharded clusters

Similar risks as the default MongoDB port (27017), but specific to Sharded clusters. Misconfiguration can lead to unauthorized data access.

32400

Plex Media Server

If improperly secured, can be accessed without authorization, potentially exposing personal media collections or being used for bandwidth theft.

PreviousCommon Web Attack and Prevention List NextDNS

Last updated 28 days ago