Internet Port

Each computer has 65535 possible ports.[^1] The exposed internet ports of a server act as an external fingerprint of an attacker.[^1] For instance, you might see Cobalt Strike and Metasploit running on the same server.[^1] The exposed ports can also show how attackers set up their infrastructure.[^1] You should disable unused ports on your networks.[^2] Port scanning tools include:

  • [[Nmap]]
  • [[Zmap]]
  • [[MASSCAN]]

[[HTTP]] – always on port 80 or 443 (HTTPS)
[[NETBIOS]] – always on port 139
[[SMB]] – always on port 445
[[SSDP]] – always on port 1900
[[Remote Desktop Protocol (RDP)]] – port 3389
[[FTP]] – port 21
[[SSH]] – port 22
[[Telnet]] – port 23
[[SFTP]] – port 115
[[SQL]] – port 1433
[[Firebird]] – port 3050
[[MySQL]] – port 3306
[[fscan.exe]] – can discover internet ports
[[Bvp47]] – used port 8081 of a mail server
[[Port Scanning]] – scans available ports on a system
[[Stopping Ransomware]] – disable ports that are not being used for business purposes
[[LocalOlive]] – default port of 250
[[L2TP Tunneling Protocol]] – uses port 1701
[[Wireshark]] – you can filter by a specific internet port with the filter `tcp.port eq <port number>`
[[Apache Server]] – uses ports 443 and 80
[[Nginx]] – uses ports 443 and 80
[[Real Time Streaming Protocol]] – uses TCP port 554
[[May 2025 DDoS Attack]] – targeted 22,000 ports per second on a single IP
[[Redis]] – uses port 6379
[[rsync]] – port 873
[[Blue Teaming]] – make sure that you know what ports should be open
[[PPTP Tunneling Protocol]] – uses port 1723
[[Data Exfiltration]] – non-standard ports are used for hiding data exfiltration
[[MsSQL]] – uses port 1433
[[iSCSI]] – uses port 3260
[[SilentRaid]] – sets up port forwarding

Backlinks

[[Cobalt Strike]]
IP Addresses
[[Metasploit Framework]]
[[Nmap]]

Sources

[1] tryhackme
[2] ic3_250312