Network Ports Reference
Purpose
Provide quick reference for TCP/UDP port numbers and their associated protocols during reconnaissance, enumeration, and security assessments. Enable rapid identification of services running on target systems and support port-based attack surface mapping.
Inputs/Prerequisites
- Target IP address or hostname for port scanning
- Network access to the target system
- Port scanning tools (nmap, masscan, netcat)
- Basic understanding of TCP/IP networking
Outputs/Deliverables
- Identified open ports and associated services
- Protocol-specific enumeration data
- Service version information
- Attack surface documentation
- Port-to-vulnerability mapping
Core Workflow
1. Identify Common Service Ports
Reference these critical ports during reconnaissance:
| Port | Protocol | Service |
|---|---|---|
| 20 | TCP | FTP Data Transfer |
| 21 | TCP | FTP Control |
| 22 | TCP | SSH |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP |
| 53 | TCP/UDP | DNS |
| 67-68 | UDP | DHCP |
| 69 | UDP | TFTP |
| 80 | TCP | HTTP |
| 88 | TCP | Kerberos |
| 110 | TCP | POP3 |
| 111 | TCP/UDP | RPC Portmapper |
| 119 | TCP | NNTP |
| 123 | UDP | NTP |
| 135 | TCP | MS RPC |
| 137-139 | TCP/UDP | NetBIOS |
| 143 | TCP | IMAP |
| 161-162 | UDP | SNMP |
| 389 | TCP | LDAP |
| 443 | TCP | HTTPS |
| 445 | TCP | SMB/CIFS |
| 465 | TCP | SMTPS |
| 500 | UDP | IKE/IPSec |
| 514 | UDP | Syslog |
| 587 | TCP | SMTP Submission |
| 636 | TCP | LDAPS |
| 993 | TCP | IMAPS |
| 995 | TCP | POP3S |
| 1433 | TCP | MS SQL |
| 1521 | TCP | Oracle DB |
| 2049 | TCP | NFS |
| 3306 | TCP | MySQL |
| 3389 | TCP | RDP |
| 5432 | TCP | PostgreSQL |
| 5900 | TCP | VNC |
| 6379 | TCP | Redis |
| 8080 | TCP | HTTP Proxy |
| 8443 | TCP | HTTPS Alt |
2. Perform Port Discovery
Scan for open ports on target systems:
```bash
# Quick TCP SYN scan of common ports
nmap -sS -T4 192.168.1.1
# Comprehensive port scan (all 65535 ports)
nmap -p- -sS -T4 192.168.1.1
# UDP port scan
nmap -sU -T4 --top-ports 100 192.168.1.1
# Service version detection
nmap -sV -sC 192.168.1.1
# Fast scan with masscan
masscan -p1-65535 192.168.1.0/24 --rate=1000
# Check specific port with netcat
nc -zv 192.168.1.1 22
```
3. Enumerate Services by Port
Perform targeted enumeration based on discovered ports:
```bash
# FTP (21) - Check anonymous access
ftp 192.168.1.1
nmap --script ftp-anon 192.168.1.1
# SSH (22) - Grab banner and check versions
ssh -v 192.168.1.1
nmap --script ssh-hostkey 192.168.1.1
# SMTP (25) - Enumerate users
nmap --script smtp-enum-users 192.168.1.1
# DNS (53) - Zone transfer
dig axfr @192.168.1.1 domain.com
# HTTP (80/443) - Web enumeration
nikto -h http://192.168.1.1
gobuster dir -u http://192.168.1.1 -w /usr/share/wordlists/dirb/common.txt
# SMB (445) - Share enumeration
smbclient -L //192.168.1.1 -N
enum4linux -a 192.168.1.1
# SNMP (161) - Community string discovery
snmpwalk -c public -v1 192.168.1.1
onesixtyone 192.168.1.1 public
# LDAP (389) - Query directory (-H takes a URI; the older -h host option is deprecated in current OpenLDAP clients)
ldapsearch -x -H ldap://192.168.1.1 -s base
# MySQL (3306) - Database enumeration
nmap --script mysql-enum 192.168.1.1
```
4. Map Attack Surface
Document findings for exploitation:
```bash
# Generate port scan report
nmap -sV -sC -oA scan_results 192.168.1.1
# Create service inventory
nmap -sV 192.168.1.1 -oG - | grep open
```
Quick Reference
High-Value Target Ports
| Port | Why It Matters |
|---|---|
| 21 | Anonymous FTP access, file upload |
| 22 | SSH brute force, key-based auth bypass |
| 23 | Telnet cleartext credentials |
| 25 | Mail relay, user enumeration |
| 53 | DNS zone transfer, cache poisoning |
| 80/443 | Web vulnerabilities (SQLi, XSS, RCE) |
| 135/445 | SMB exploits (EternalBlue) |
| 139 | NetBIOS enumeration |
| 161 | SNMP default communities |
| 389/636 | LDAP injection, AD enumeration |
| 1433/3306 | Database access, SQL injection |
| 3389 | RDP brute force, BlueKeep |
| 5985/5986 | WinRM remote execution |
| 6379 | Redis unauthenticated access |
Database Ports
| Port | Database |
|---|---|
| 1433 | Microsoft SQL Server |
| 1521 | Oracle |
| 3306 | MySQL/MariaDB |
| 5432 | PostgreSQL |
| 5984 | CouchDB |
| 6379 | Redis |
| 27017 | MongoDB |
Remote Access Ports
| Port | Service |
|---|---|
| 22 | SSH |
| 23 | Telnet |
| 3389 | RDP |
| 5900 | VNC |
| 5985/5986 | WinRM |
Constraints
- Always verify port assignments as services can run on non-standard ports
- Some ports are registered but rarely used in practice
- Firewalls may filter or redirect traffic
- NAT and port forwarding can obscure actual service locations
- Service banners can be spoofed for deception
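
The service inventory from step 4 and the non-standard-port constraint above can be combined in one check. The following is an added example, not part of the original guide: it parses `nmap -oG` output and lists exposed remote-access and database services plus any known service found off its usual port. The names `KNOWN`, `parse_grepable`, `review_list` and the sample scan line are assumptions made for illustration.

```python
import re

# nmap service name -> (category, usual ports), taken from this page's tables.
# The names are nmap's own; check them against your local nmap-services file.
KNOWN = {
    "ssh": ("remote-access", {22}),
    "telnet": ("remote-access", {23}),
    "ms-wbt-server": ("remote-access", {3389}),  # RDP
    "vnc": ("remote-access", {5900}),
    "http": ("web", {80, 443, 8080, 8443}),
    "mysql": ("database", {3306}),
    "postgresql": ("database", {5432}),
    "redis": ("database", {6379}),
}

def parse_grepable(text):
    """Return one dict per open port found in `nmap -oG` output."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"Host: (\S+)", line)
        if not m or "Ports: " not in line:
            continue  # comment and "Status:" lines carry no port data
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            f = entry.strip().split("/")
            if len(f) < 7 or f[1] != "open":
                continue
            service = f[4].split("|")[-1]  # "ssl|http" -> "http"
            category, usual = KNOWN.get(service, ("other", set()))
            rows.append({"host": m.group(1), "port": int(f[0]), "proto": f[2],
                         "service": service, "version": f[6], "category": category,
                         "nonstandard": bool(usual) and int(f[0]) not in usual})
    return rows

def review_list(rows):
    """Exposed remote-access and database services, plus relocated services."""
    return [r for r in rows
            if r["category"] in ("remote-access", "database") or r["nonstandard"]]

# Constructed sample in the format printed by: nmap -sV <host> -oG -
SAMPLE = ("Host: 192.168.1.1 ()\tStatus: Up\n"
          "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
          "80/open/tcp//http//nginx 1.18.0/, 2222/open/tcp//ssh//OpenSSH 7.4/, "
          "3306/filtered/tcp//mysql///, 6379/open/tcp//redis//Redis key-value store/"
          "\tIgnored State: closed (995)\n")

if __name__ == "__main__":
    for r in review_list(parse_grepable(SAMPLE)):
        print(r["host"], r["port"], r["service"], r["category"], r["nonstandard"])
```

Because the classification keys on the service name that version detection reports rather than on the port number, an SSH daemon moved to 2222 is still listed, which a port-only lookup would miss.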
Examples
Example 1: Quick Web Server Identification
```bash
# Scan common web ports
nmap -p 80,443,8080,8443 192.168.1.0/24
# Get HTTP headers
curl -I http://192.168.1.1
```
Example 2: Database Discovery
```bash
# Scan for common database ports
nmap -p 1433,1521,3306,5432,27017 192.168.1.0/24 -sV
# Test MySQL connection
mysql -h 192.168.1.1 -u root -p
```
Example 3: Full Port Audit
```bash
# Comprehensive scan with service detection
nmap -p- -sV -sC -A 192.168.1.1 -oA full_audit
```
Troubleshooting
| Issue | Solution |
|---|---|
| Ports appear filtered | Try different scan techniques (-sA, -sW) |
| Service detection fails | Use more aggressive version probing (-sV --version-all) |
| UDP scan too slow | Reduce port range or increase timing (-T5) |
| False positives | Verify with manual connection (nc, telnet) |
| Firewall blocking scans | Use fragmentation (-f) or decoys (-D) |
| Service on non-standard port | Always perform full port scans (-p-) |