Ultimate Guide to Common Network Ports, Attack Vectors, and Defense Strategies

This article explains what network ports are, classifies well‑known, registered and dynamic ports, demonstrates scanning tools and commands, details common attack techniques such as buffer overflow, DoS and MITM, and provides practical hardening recommendations for the most frequently targeted ports.

Java Tech Enthusiast

Understanding Network Ports

In computer networking a port is an endpoint identified by a number (0‑65535) on an IP address, used to differentiate services such as HTTP (80), HTTPS (443) or FTP (21). Ports are divided into well‑known (0‑1023), registered (1024‑49151) and dynamic/private (49152‑65535) ranges.

[Figure: Port diagram]

Common Port‑Scanning Tools

Tools like Nmap and Netcat can enumerate open ports.

Example commands:

nmap -sS 192.168.1.1
nc -zv 192.168.1.1 20-80

Typical Attack Techniques

1. Port Scanning

Attackers first scan to discover services, then choose exploits. Examples include TCP SYN scan (nmap -sS) and UDP scan (nmap -sU).

2. Buffer‑Overflow

Sending oversized payloads to vulnerable services (e.g., FTP on port 21) can overwrite memory and execute arbitrary code.

Sample exploit command:

python exploit.py 192.168.1.1 21

3. Denial‑of‑Service (DoS/DDoS)

Flooding a target with SYN or UDP packets exhausts resources.

Example commands:

hping3 -S -p 80 --flood 192.168.1.1
hping3 --udp -p 53 --flood 192.168.1.1

4. Man‑in‑the‑Middle (MITM)

Techniques such as ARP spoofing or SSL stripping intercept and alter traffic.

Example command:

arpspoof -i eth0 -t 192.168.1.1 192.168.1.254

5. Packet Injection

Malicious packets are injected into legitimate sessions, for example commands injected into an FTP session to hijack a file transfer.

6. Credential Brute‑Force

Tools like Hydra try many password combinations against services such as SSH (22) or FTP (21).

Example command:

hydra -l root -P password_list.txt ssh://192.168.1.1

Defensive Measures

Firewall configuration – restrict which ports are exposed to the Internet and limit internal access.

Intrusion Detection Systems (IDS) – monitor traffic for suspicious patterns (e.g., Snort).

Strong authentication – use multi‑factor authentication, public‑key SSH, and disable password logins where possible.
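The port-scanning technique described above leaves a recognisable trace: one source address touching many distinct destination ports within seconds. The following added example (not part of the original article) shows the kind of detection logic an IDS applies, run over constructed netfilter-style firewall log lines; the log format, the 10-second window and the five-port threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of Linux netfilter (iptables/nftables) LOG output.
# Host 10.0.0.5 probes six ports within three seconds; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: IN=eth0 SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 10 12:00:01 gw kernel: IN=eth0 SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 10 12:00:02 gw kernel: IN=eth0 SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 10 12:00:02 gw kernel: IN=eth0 SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 10 12:00:03 gw kernel: IN=eth0 SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=40005 DPT=80 SYN
Jan 10 12:00:03 gw kernel: IN=eth0 SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=40006 DPT=443 SYN
Jan 10 12:00:05 gw kernel: IN=eth0 SRC=10.0.0.9 DST=192.168.1.1 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 10 12:05:00 gw kernel: IN=eth0 SRC=10.0.0.9 DST=192.168.1.1 PROTO=TCP SPT=51001 DPT=443 SYN
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line, year=2024):
    """Return (timestamp, source IP, destination port) or None for a non-matching line.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])

def detect_scanners(log_text, window_seconds=10, port_threshold=5):
    """Flag sources that touch >= port_threshold distinct destination ports within
    any sliding window of window_seconds. Returns {src: sorted distinct ports}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological order, so each window starts at evs[i]
        for i, (start, _) in enumerate(evs):
            ports_in_window = {p for t, p in evs[i:] if t - start <= window}
            if len(ports_in_window) >= port_threshold:
                flagged[src] = sorted({p for _, p in evs})
                break
    return flagged

if __name__ == "__main__":
    for src, ports in detect_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```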

Frequently Attacked Ports (21‑39)

Each port below lists typical usage, common vulnerabilities and recommended hardening steps.

Port 21 – FTP

Clear‑text transmission; vulnerable to brute‑force.

Mitigation: use FTPS/SFTP, restrict access with a firewall, enforce strong passwords.

Port 22 – SSH

Brute‑force attacks; possible agent‑forwarding abuse.

Mitigation: disable password login, use key‑based authentication, whitelist IPs, keep software updated.
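The SSH hardening steps above (and the Hydra brute-force example in the attack section) come down to a few sshd_config directives. The following added example, not from the original article, audits an sshd_config text for those settings and shows the weak configuration beside its hardened form; the sample files are constructed, the MaxAuthTries threshold of 3 is a choice for this example, and the defaults quoted are OpenSSH's documented defaults.

```python
import re

# Constructed sshd_config fragments: the weak settings that make port 22 a brute-force
# target, beside a hardened version of the same file.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy
"""
# sshd_config keywords are case-insensitive and may be written "Key value" or "Key=value".
DIRECTIVE_RE = re.compile(r"^([^\s=]+)\s*=?\s*(.*?)\s*$")

def parse_sshd_config(text):
    """Return {keyword_lower: value}. sshd honours the first occurrence of a keyword, and
    settings after a Match line are conditional, so parsing stops there (assumption:
    only the unconditional settings are audited)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg

# (keyword, acceptable values, OpenSSH default when the keyword is absent, finding text)
RULES = [
    ("passwordauthentication", {"no"}, "yes", "password logins enabled; set PasswordAuthentication no"),
    ("permitrootlogin", {"no", "prohibit-password"}, "prohibit-password", "root may log in with a password; set PermitRootLogin no"),
    ("pubkeyauthentication", {"yes"}, "yes", "key-based authentication disabled; set PubkeyAuthentication yes"),
]
MAX_AUTH_TRIES = 3  # threshold chosen for this example, not an OpenSSH default (which is 6)

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every checked setting is hardened."""
    cfg = parse_sshd_config(text)
    findings = [f"{key}={cfg.get(key, default)}: {msg}"
                for key, ok, default, msg in RULES if cfg.get(key, default) not in ok]
    tries = int(cfg.get("maxauthtries", "6"))
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries={tries}: lower to {MAX_AUTH_TRIES} to slow brute-force attempts")
    return findings
```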

Port 23 – Telnet

Unencrypted traffic; easy to sniff and brute‑force.

Mitigation: replace with SSH, disable Telnet service, restrict access via firewall.

Port 25 – SMTP

Open relay risk; email content can be intercepted.

Mitigation: enforce SMTP authentication, use STARTTLS, restrict access with a firewall.

Port 53 – DNS

DNS amplification attacks; possible DNS hijacking.

Mitigation: limit recursive queries, enable DNSSEC, monitor traffic.

Port 80 – HTTP

Unencrypted traffic; vulnerable to eavesdropping and MITM.

Mitigation: redirect to HTTPS, restrict access with a firewall, keep the server patched.

Port 443 – HTTPS

Certificate mis‑management; outdated TLS versions.

Mitigation: use latest TLS (1.3), maintain valid certificates, enable HSTS.

Port 3074 – Xbox Live

Target for DDoS; possible network sniffing.

Mitigation: restrict access with a firewall, monitor traffic, keep firmware updated.

Port 5060 – SIP

SIP relay and spoofing attacks.

Mitigation: use SIP over TLS, strong authentication, restrict access with a firewall.

Port 8080 – HTTP Proxy

Unauthorized access and data leakage.

Mitigation: configure access control, use HTTPS proxy, audit regularly.

Port 135 – RPC

Legacy RPC vulnerabilities; information disclosure.

Mitigation: restrict access with a firewall, apply patches, disable unnecessary services.

Port 139 – NetBIOS

Information leakage; insecure file sharing.

Mitigation: disable NetBIOS if unused, restrict access with a firewall, secure sharing settings.

Port 1433 – Microsoft SQL Server

SQL injection and brute‑force.

Mitigation: strong passwords, firewall access restricted to trusted IPs, keep the server patched.

Port 1521 – Oracle DB

Database exposure and configuration flaws.

Mitigation: restrict access with a firewall, strong passwords, enable auditing.

Port 1723 – PPTP VPN

Weak encryption; brute‑force.

Mitigation: replace with L2TP/IPsec or OpenVPN, restrict access with a firewall, strong passwords and MFA.

Port 1900 – UPnP

Unauthorized device access; DDoS amplification.

Mitigation: disable UPnP if not needed, restrict access with a firewall, keep firmware updated.

Port 2302 – DayZ Game Server

DDoS and information leakage.

Mitigation: restrict access with a firewall, monitor traffic, keep server software updated.

Port 3389 – RDP

Brute‑force and unauthorized access.

Mitigation: strong passwords, MFA, firewall whitelist, enable Network Level Authentication.

Port 3306 – MySQL

SQL injection and brute‑force.

Mitigation: strong passwords, restrict access with a firewall, keep MySQL patched.

Port 4000 – Elasticsearch

Information leakage; DDoS target.

Mitigation: access control, TLS encryption, keep updated.

Port 4444 – Metasploit Listener

Potential malicious use; unauthorized access.

Mitigation: restrict access with a firewall, monitor usage, keep the framework patched.

Port 5000 – Python Flask Development Server

Default configuration insecure; possible information leakage.

Mitigation: use a production WSGI server, enable HTTPS, restrict access with a firewall.

Port 5555 – Android Debug Bridge (ADB)

Unauthorized remote debugging; data leakage.

Mitigation: disable remote ADB in production, restrict access with a firewall, strong passwords if needed.

Port 5900 – VNC

Brute‑force; unencrypted traffic.

Mitigation: enable encryption, strong passwords, restrict access with a firewall.

Port 6667 – IRC

Unencrypted communication; malware distribution.

Mitigation: use IRC over TLS, restrict access with a firewall, monitor traffic.

Port 6697 – IRC over SSL

Certificate management issues; outdated TLS.

Mitigation: use latest TLS, keep certificates valid, enable HSTS.

Port 8000 – Alternate HTTP (development)

Default development configuration insecure; accidental exposure.

Mitigation: avoid using it in production, restrict access with a firewall, use HTTPS.

Port 8081 – Alternate HTTP Proxy

Unauthorized access; data leakage.

Mitigation: proper access control, HTTPS proxy, regular audits.

Port 9100 – Printer (JetDirect)

Unauthorized printing; information leakage.

Mitigation: restrict access, use encryption if supported, keep firmware updated.

Port 9090 – Web Debugging Interface

Debug service exposed; information leakage.

Mitigation: firewall restrict, disable debug mode in production, use HTTPS.

Port 445 – SMB

Ransomware propagation; unauthorized file sharing.

Mitigation: restrict access with a firewall, apply the latest patches, disable unnecessary shares.

Port 5985/5986 – WinRM

Brute‑force; unencrypted (5985) communication.

Mitigation: use HTTPS on 5986, restrict access with a firewall, strong passwords and MFA.

Port 6379 – Redis

Unauthenticated access; data leakage.

Mitigation: enable password protection, restrict access with a firewall, enable TLS if possible.

Port 6666 – IRC (alternative)

Unencrypted traffic; malware distribution.

Mitigation: use IRC over TLS, restrict access with a firewall, monitor traffic.

Port 993 – IMAP over SSL

Certificate and outdated protocol issues.

Mitigation: use latest TLS, keep certificates updated, enforce encrypted connections.

Port 995 – POP3 over SSL

Certificate and protocol problems.

Mitigation: use the latest TLS, keep certificates valid, enforce encrypted connections.

Port 1434 – Microsoft SQL Browser

Information leakage; unauthorized access.

Mitigation: restrict access with a firewall, disable if not needed, keep the server patched.

Port 27017 – MongoDB

Unauthenticated access; data exposure.

Mitigation: enable authentication, restrict access with a firewall, enable data encryption, keep updated.

Port 28017 – MongoDB HTTP Interface

Unauthenticated access; information leakage.

Mitigation: restrict access with a firewall, use HTTPS, strong passwords, disable if unnecessary.
