Essential Guide to Common Network Ports and Their Security Implications

When learning computers, the 65535 TCP/UDP ports can be overwhelming; this article compiles a comprehensive list of commonly used and less common ports, their associated services, and typical security considerations.

Commonly Used Ports

80 – IIS (HTTP)

1433 – SQL Server

1521 – Oracle

3306 – MySQL

21 – FTP

22 – SSH

8080 – Tomcat

Port Catalog

Port 0 – Reserved – Usually used for OS analysis; scanning this port can produce unusual results.

Port 1 – tcpmux – Used by SGI Irix machines; default accounts can be exploited by attackers.

Port 7 – Echo – Often seen in Fraggle amplification attacks.

Port 19 – Character Generator – Sends garbage characters; can be abused for DoS attacks.

Port 21 – FTP – Open for file upload/download; attackers look for anonymous FTP servers.

Port 22 – SSH – Vulnerable configurations can expose RSA‑based weaknesses.

Port 23 – Telnet – Remote login; often scanned to discover OS and passwords.

Port 25 – SMTP – Used for sending email; attackers use it to relay spam.

Port 31 – MSG Authentication – Exploited by certain trojans.

Port 42 – WINS Replication – Used for WINS replication.

Port 53 – DNS – Attackers may attempt zone transfers or DNS spoofing.

Port 67 – DHCP Server – Broadcasts address requests; can be used for MITM attacks.

Port 68 – DHCP Client – Receives configuration from DHCP server.

Port 69 – TFTP – Often misconfigured, allowing file theft.

Port 79 – Finger – Used to gather user information and probe for vulnerabilities.

Port 80 – HTTP – Web browsing; sometimes opened by malicious backdoors.

Port 99 – Metagram Relay – Opened by certain backdoors.

Port 102 – Message Transfer Agent (MTA) – X.400 over TCP/IP.

Port 109 – POP3 – Email retrieval; many known buffer‑overflow flaws.

Port 110 – RPC Services – Various RPC services run on this port.

Port 113 – Authentication Service – Provides user authentication for many protocols; can be a target for scanning.

Port 119 – NNTP – News transfer; often restricted by ISPs.

Port 135 – DCE RPC Endpoint Mapper – Used by Microsoft DCOM services; frequently scanned.

Port 137‑139 – NetBIOS – Name service, datagram service, and session service; used for Windows file/printer sharing.

Port 143 – IMAP v2 – Similar security issues to POP3.

Port 161 – SNMP – Simple Network Management Protocol; default community strings are common attack vectors.

Port 177 – X Display Manager Control – Used by attackers to access X‑Windows.

Port 389 – LDAP – Lightweight Directory Access Protocol.

Port 443 – HTTPS – Encrypted web traffic.

Port 456 – [NULL] – Opened by certain trojans.

Port 513 – Login/Remote Login – Broadcasts from cable/DSL modems can reveal system information.

Port 544 – [NULL] – Kerberos kshell.

Port 548 – AFP – Macintosh file services.

Port 553 – CORBA IIOP (UDP) – Object‑oriented RPC system.

Port 555 – DSF – Opened by various trojans.

Port 568 – Membership DPA – Membership protocol.

Port 569 – Membership MSN – Membership protocol.

Port 635 – mountd – Linux mount daemon; can run on any port but defaults to 635.

Port 636 – LDAP over SSL.

Port 666 – Doom Id Software – Opened by certain backdoors.

Port 993 – IMAP over SSL.

Port 1001, 1011 – [NULL] – Opened by various trojans.

Port 1024‑1025 – Reserved/Dynamic – Starting range for dynamically assigned ports.

Port 1080 – SOCKS – Proxy protocol; misconfigurations can allow external attacks.

Port 1170 – [NULL] – Opened by audio/streaming trojans.

Port 1234, 1243, 6711, 6776 – [NULL] – Opened by various trojans.

Port 1245 – [NULL] – Opened by trojan Vodoo.

Port 1433 – Microsoft SQL Server.

Port 1492 – stone‑design‑1 – Opened by FTP‑related trojan.

Port 1500‑1503 – RPC/NetMeeting – Various RPC and NetMeeting services.

Port 1524 – ingress – Backdoor shell for SUN Sendmail/RPC vulnerabilities.

Port 1600 – issd – Opened by trojan Shivka‑Burka.

Port 1720 – NetMeeting – H.233 call setup.

Port 1731 – NetMeeting Audio Call Control.

Port 1807 – [NULL] – Opened by trojan SpySender.

Port 1981 – [NULL] – Opened by trojan ShockRave.

Port 1999 – Cisco identification – Opened by backdoor trojan.

Port 2000‑2001 – [NULL] – Opened by various trojans.

Port 2023 – xinuexpansion 4 – Opened by trojan Pass Ripper.

Port 2049 – NFS – Network File System.

Port 2115 – [NULL] – Opened by trojan Bugs.

Port 2140, 3150 – [NULL] – Opened by trojan Deep Throat.

Port 2500 – RPC client fixed‑port session replication.

Port 2583 – [NULL] – Opened by trojan Wincrash.

Port 2801 – [NULL] – Opened by trojan Phineas Phucker.

Port 3024, 4092 – [NULL] – Opened by trojan WinCrash.

Port 3128 – Squid – Default HTTP proxy port.

Port 3129 – [NULL] – Opened by trojan Master Paradise.

Port 3150 – [NULL] – Opened by trojan The Invasor.

Port 3210, 4321 – [NULL] – Opened by trojan SchoolBus.

Port 3333 – dec‑notes – Opened by trojan Prosiak.

Port 3389 – Remote Desktop – Windows 2000 terminal service.

Port 3700 – [NULL] – Opened by trojan Portal of Doom.

Port 3996, 4060 – [NULL] – Opened by trojan RemoteAnything.

Port 4000 – QQ client – Opened by Tencent QQ.

Port 4092 – [NULL] – Opened by trojan WinCrash.

Port 4590 – [NULL] – Opened by trojan ICQTrojan.

Port 5000‑50505 – [NULL] – Opened by various trojans.

Port 5400‑5402 – [NULL] – Opened by trojan Blade Runner.

Port 5550 – [NULL] – Opened by trojan xtcp.

Port 5569 – [NULL] – Opened by trojan Robo‑Hack.

Port 5632 – pcAnywere – Scanned for proxy agents; sometimes carries UDP 22 traffic.

Port 5742 – [NULL] – Opened by trojan WinCrash1.03.

Port 6267 – [NULL] – Opened by trojan 广外女生.

Port 6400 – [NULL] – Opened by trojan The tHing.

Port 6670‑6671 – [NULL] – Opened by trojan Deep Throat.

Port 6883 – [NULL] – Opened by trojan DeltaSource.

Port 6969 – [NULL] – Opened by trojan Gatecrasher, Priority.

Port 6970 – RealAudio – Audio streaming.

Port 7000 – [NULL] – Opened by trojan Remote Grab.

Port 7300‑7308 – [NULL] – Opened by trojan NetMonitor.

Port 7323 – [NULL] – Sygate server.

Port 7626 – [NULL] – Opened by trojan Giscier.

Port 7789 – [NULL] – Opened by trojan ICKiller.

Port 8000 – OICQ – Tencent QQ server.

Port 8010 – Wingate – Proxy.

Port 8080 – Proxy – General HTTP proxy.

Port 9400‑9402 – [NULL] – Opened by trojan Incommand 1.0.

Port 9872‑9875, 10067, 10167 – [NULL] – Opened by trojan Portal of Doom.

Port 9989 – [NULL] – Opened by trojan iNi‑Killer.

Port 11000 – [NULL] – Opened by trojan SennaSpy.

Port 11223 – [NULL] – Opened by trojan Progenic.

Port 12076, 61466 – [NULL] – Opened by trojan Telecommando.

Port 12223 – [NULL] – Opened by trojan Hack’99 KeyLogger.

Port 12345‑12346 – [NULL] – Opened by trojan NetBus.

Port 12361 – [NULL] – Opened by trojan Whack‑a‑mole.

Port 13223 – PowWow – Tribal Voice chat program.

Port 16969 – [NULL] – Opened by trojan Priority.

Port 17027 – Conducent – Advertising service for shared software.

Port 19191 – [NULL] – Opened by trojan Blue Flame.

Port 20000‑20001 – [NULL] – Opened by trojan Millennium.

Port 20034 – [NULL] – Opened by trojan NetBus Pro.

Port 21554 – [NULL] – Opened by trojan GirlFriend.

Port 22222 – [NULL] – Opened by trojan Prosiak.

Port 23456 – [NULL] – Opened by trojan Evil FTP.

Port 26274, 47262 – [NULL] – Opened by trojan Delta.

Port 27374 – [NULL] – Opened by trojan Subseven 2.1.

Port 30100 – [NULL] – Opened by trojan NetSphere.

Port 30303 – [NULL] – Opened by trojan Socket23.

Port 30999 – [NULL] – Opened by trojan Kuang.

Port 31337‑31338 – [NULL] – Opened by trojan Back Orifice and DeepBO.

Port 31339 – [NULL] – Opened by trojan NetSpy DK.

Port 31666 – [NULL] – Opened by trojan BOWhack.

Port 33333 – [NULL] – Opened by trojan Prosiak.

Port 34324 – [NULL] – Opened by trojan Tiny Telnet Server.

Port 40412 – [NULL] – Opened by trojan The Spy.

Port 40421‑40426 – [NULL] – Opened by trojan Masters Paradise.

Port 43210, 54321 – [NULL] – Opened by trojan SchoolBus.

Port 44445 – [NULL] – Opened by trojan Happypig.

Port 50766 – [NULL] – Opened by trojan Fore.

Port 53001 – [NULL] – Opened by trojan Remote Windows Shutdown.

Port 65000 – [NULL] – Opened by trojan Devil 1.03.

Port 88 – Kerberos (krb5).

Port 137 – SQL Named Pipes encryption, Wins NetBT name service, etc.

Port 161 – Simple Network Management Protocol (SNMP).

Port 162 – SNMP Trap.

Port 445 – Common Internet File System (CIFS).

Port 464 – Kerberos kpasswd (v5).

Port 500 – Internet Key Exchange (IKE).

Port 1645, 1812 – RADIUS authentication.

Port 1646, 1813 – RADIUS accounting.

Port 1701 – Layer Two Tunneling Protocol (L2TP).

Port 1801, 3527 – Microsoft Message Queue Server.

Port 2504 – Network Load Balancing.

Proxy Server Common Ports

HTTP proxy – 80, 8080, 3128, 8081, 9080

SOCKS proxy – 1080

FTP proxy – 21

Telnet proxy – 23