The Broadband Guide

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, together with the corresponding potential security threats. We update the list regularly; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 208 tcp,udp at-8 not scanned AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused
 211 tcp trojan Premium scan One Windows Trojan

Texas Instruments 914C/G Terminal (TCP/UDP) (IANA official)
 212 tcp trojan Premium scan One Windows Trojan

ATEXSSTR (TCP/UDP) (IANA official)
 214 tcp,udp vmpwscs not scanned VM PWSCS (IANA official)
 215 tcp,udp softpc not scanned Insignia Solutions (IANA official)
 216 tcp,udp CAIlic not scanned Computer Associates Int'l License Server (IANA official)
 217 tcp,udp dbase not scanned dBASE Unix (IANA official)
 219 tcp,udp uarps not scanned Unisys ARPs (IANA official)
 221 tcp,udp fln-spx not scanned Port is IANA registered for Berkeley rlogind with SPX auth

Trojans that use this port: Snape
 222 tcp,udp rsh-spx not scanned IANA registered for Berkeley rshd with SPX auth

Trojans that use this port: NeuroticKat, Snape

MicroWorld Technologies eScan could allow a remote attacker to execute arbitrary commands on the system, caused by improper access control by the eScan Agent Application (MWAGENT.EXE). By sending a specially-crafted request to TCP port 222, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
References: [CVE-2018-18388], [XFDB-154568]

Backdoor.Win32.Spion4 / Insecure Transit - SPION 4 Server terminal listens on TCP port 222 and passes its messages in unencrypted plaintext across the network.
References: [MVID-2021-0225]
 223 tcp,udp cdc not scanned Certificate Distribution Center (IANA official)
 224 tcp,udp masqdialer not scanned ADSL Road Runner modem in the Annex A family has a service running on port 224, which allows remote attackers to login to the modem with a blank password and gain unauthorized access.
References: [CVE-2005-2862]

masqdialer (IANA official)
 230 tcp trojan Premium scan Skun trojan
 230 udp games not scanned Dungeon Siege II
 231 tcp trojan Premium scan Skun trojan
 232 tcp trojan Premium scan Skun trojan
 242 tcp,udp direct not scanned Direct (IANA official)
 243 tcp,udp sur-meas not scanned Survey Measurement (IANA official)
 244 tcp,udp inbusiness not scanned inbusiness (IANA official)
 245 tcp,udp link not scanned LINK (IANA official)
 246 tcp,udp dsp3270 not scanned Display Systems Protocol (IANA official)
 247 tcp,udp subntbcst-tftp not scanned SUBNTBCST_TFTP (IANA official)
 248 tcp,udp bhfhs not scanned bhfhs
 254 tcp,udp applications not scanned The Hawking Technologies HAR11A modem/router allows remote attackers to obtain sensitive information by connecting to port 254, which displays a management interface and information on established connections.
References: [CVE-2004-1637] [BID-11543]

Origo ASR-8100 ADSL Router 3.21 has an administration service running on port 254 that does not require a password, which allows remote attackers to cause a denial of service by restoring the factory defaults.
References: [CVE-2003-1515] [BID-8855]
 256 udp trojans not scanned Trojan.SpBot [Symantec-2005-040512-2941-99] (2005.04.05) - trojan horse that opens a compromised computer to be used as an email relay. Opens a backdoor on port 256/udp.

RAP (TCP/UDP) (IANA official)
 257 tcp,udp set not scanned Secure Electronic Transaction (IANA official)
 258 tcp,udp yak-chat not scanned Yak Winsock Personal Chat
 259 tcp,udp applications not scanned FW1 VPN

Check Point VPN-1/FireWall-1 4.1 base.def contains a default macro, accept_fw1_rdp, which can allow remote attackers to bypass intended restrictions with forged RDP (internal protocol) headers to UDP port 259 of arbitrary hosts.
References: [CVE-2001-1158], [BID-2952]

Check Point ports:
259 udp - MEP configuration
264 tcp - Topology download
500 tcp/udp - IKE
2746 udp - UDP Encapsulation.
18231 tcp - Policy Server logon, when the client is inside the network
18232 tcp - Distribution server when the client is inside the network
18233 udp - Keep-alive protocol when the client is inside the network
18234 udp - Performing tunnel test, when the client is inside the network
18264 tcp - ICA certificate registration
 260 tcp,udp openport not scanned Openport (IANA official)
 261 tcp,udp nsiiops not scanned IIOP Name Service over TLS/SSL (IANA official)
 262 tcp,udp arcisdms not scanned Arcisdms (IANA official)
 263 tcp,udp hdap not scanned HDAP
 264 tcp,udp bgmp not scanned Check Point FireWall-1 allows remote attackers to cause a denial of service (high CPU) via a flood of packets to port 264.
References: [CVE-2000-1201]

Check Point ports:
259 udp - MEP configuration
264 tcp - Topology download
500 tcp/udp - IKE
2746 udp - UDP Encapsulation.
18231 tcp - Policy Server logon, when the client is inside the network
18232 tcp - Distribution server when the client is inside the network
18233 udp - Keep-alive protocol when the client is inside the network
18234 udp - Performing tunnel test, when the client is inside the network
18264 tcp - ICA certificate registration

BGMP, Border Gateway Multicast Protocol (IANA official)
 265 tcp,udp x-bone-ctl not scanned X-Bone CTL (IANA official)
 266 tcp,udp sst not scanned SCSI on ST (IANA official)
 267 tcp,udp td-service not scanned Tobit David Service Layer (TCP/UDP)
 268 tcp,udp td-replica not scanned Tobit David Replica (IANA official)
 269 tcp,udp manet not scanned IANA registered for MANET Protocols [RFC 5498]
 270 udp gist not scanned Port 270 UDP is IANA registered for GIST (General Internet Signalling Transport). It is assigned by the IETF to pass signaling traffic for GIST, see [RFC 5971]
 271 tcp,udp pl-tls not scanned Port is IANA reserved for: IETF Network Endpoint Assessment (NEA) Posture Transport Protocol over TLS (PT-TLS) [IESG][draft-ietf-nea-pt-tls-06] [RFC 6876]
 281 tcp,udp personal-link not scanned Personal Link (IANA official)
 282 tcp,udp cableport-ax not scanned Cable Port A/X (IANA official)
 283 tcp,udp rescap not scanned rescap (IANA official)
 284 tcp,udp corerjd not scanned corerjd (IANA official)
 285 tcp trojans Premium scan Delf, WCTrojan
 286 tcp trojan Premium scan WCTrojan

FXP Communication (TCP/UDP) (IANA official)
 287 tcp,udp k-block not scanned K-BLOCK (IANA official)
 299 tcp trojan Premium scan One Windows Trojan

Battlefield 2 also uses this port.
 300 tcp applications not scanned Spartan protocol
ThinLinc Web Access
 309 tcp,udp entrusttime not scanned EntrustTime (IANA official)
 310 udp games not scanned Delta Force

bhmds (TCP/UDP) (IANA official)
 311 tcp asip-webadmin Members scan Mac OS X Server Admin (officially AppleShare IP Web administration)

Xsan (Apple's storage area network, or clustered filesystem for macOS) uses these ports:
311 TCP - Xsan secure server administration (server app, xsan server admin, workgroup manager, server monitor)
312 TCP - Xsan administration
626 UDP - server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6)
49152-65535 TCP - Xsan Filesystem Access
 312 tcp xsan Members scan Xsan (Apple's storage area network, or clustered filesystem for macOS) uses these ports:
311 TCP - Xsan secure server administration (server app, xsan server admin, workgroup manager, server monitor)
312 TCP - Xsan administration
626 UDP - server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6)
49152-65535 TCP - Xsan Filesystem Access

VSLMP (TCP/UDP) (IANA official)
 313 tcp,udp magenta-logic not scanned Magenta Logic (IANA official)
 314 tcp,udp opalis-robot not scanned Opalis Robot (IANA official)
 315 tcp trojan Premium scan The Invasor trojan horse

DPSI (TCP/UDP) (IANA official)
 316 tcp,udp decauth not scanned decAuth (IANA official)
 317 tcp,udp zannet not scanned Zannet (IANA official)
 321 tcp trojans Members scan W32.Looksky.A@mm [Symantec-2005-102511-3240-99] (2005.10.24) - a mass-mailing worm that lowers security settings and logs keystrokes on the compromised computer. It also gathers and sends out personal information. Opens a backdoor and listens for remote commands on port 321/tcp. It also periodically connects to proxy4u.ws on port 8080/tcp to check for updates.
Port also used by other variants:
W32.Looksky.E@mm [Symantec-2005-120910-5842-99] (2005.10.24)
W32.Looksky.H@mm [Symantec-2006-011812-1823-99] (2006.01.17)

PIP (TCP/UDP) (IANA official)
 322 tcp,udp rtsps not scanned RTSPS (IANA official)
 323 tcp rpki-rtr not scanned Resource PKI to Router Protocol (IANA official) [RFC 6810]
 333 tcp,udp texar not scanned Backdoor.Win32.Optix.03.b / Unauthenticated Remote Command Execution - the malware listens on TCP port 333. Third-party attackers who can reach the system can execute commands made available by the malware.
References: [MVID-2021-0387]

BuilderRevengeRAT (Revenge-RAT v0.3) / XML External Entity Injection - the malware listens on TCP port 333. A Config.xml file is used by the RAT builder to specify port, notification, webcam etc. The XML parser used by the RAT is vulnerable to XML injection, which can allow local file exfiltration to a remote attacker's server and/or geolocation disclosure of the RAT builder.
References: [MVID-2022-0521]

Texar Security Port (IANA official)
 334 tcp trojan Premium scan Backage Trojan
 335 tcp trojan Premium scan Nautical
 344 tcp,udp pdap not scanned Prospero Data Access Protocol (IANA official)
 345 tcp,udp pawserv not scanned Perf Analysis Workbench (IANA official)
 346 tcp,udp zserv not scanned Zebra server (IANA official)
 347 tcp games not scanned Operation Flashpoint

Fatmen Server (TCP/UDP) (IANA official)
 348 tcp,udp csi-sgw not scanned Cabletron Management Protocol (IANA official)
 349 tcp,udp mftp not scanned mftp (IANA official)
 350 tcp,udp matip-type-a not scanned MATIP Type A (IANA official) [RFC 2351]
 351 tcp,udp matip-type-b not scanned MATIP Type B (IANA official) [RFC 2351]

bhoetty (IANA official) - unassigned but widespread use
 353 tcp applications not scanned Remote attackers can cause a denial of service in Novell BorderManager 3.6 and earlier by sending a TCP SYN flood to port 353.
References: [CVE-2001-0486], [BID-2623]

Port is also IANA registered for NDSAUTH
 365 tcp games not scanned Railroad Tycoon 3
 370 tcp trojan Premium scan NeuroticKat
 371 tcp applications not scanned Rational ClearCase 4.1, 2002.05, and possibly other versions allows remote attackers to cause a denial of service (crash) via certain packets to port 371, e.g. via nmap.
References: [CVE-2002-1322], [BID-6228]

Port is also IANA registered for Clearcase
 376 tcp,udp nip not scanned IANA registered for: Amiga Envoy Network Inquiry Protocol
 382 tcp trojan Premium scan W32.Rotor
 388 tcp,udp unidata-ldm not scanned IANA registered for: Unidata LDM
 389 tcp LDAP Basic scan LDAP (Lightweight Directory Access Protocol) - an Internet protocol used by MS Active Directory, as well as by some email programs, to look up contact information from a server.

Both Microsoft Exchange and NetMeeting install an LDAP server on this port.

Siemens Openstage and Gigaset phones use the following ports:
389/tcp LDAP
636/tcp LDAPS
5010/tcp - RTP
5060/tcp - SIP gateway, backup proxy
8085/tcp - DLS
18443/TCP and 18444/TCP - provisioning over TLS (HTTPS)

IBM Lotus Domino Server 7.0 allows remote attackers to cause a denial of service (segmentation fault) via a crafted packet to the LDAP port (389/TCP).
References: [CVE-2006-0580], [BID-16523]

Rockliffe MailSite 7.0 and earlier allows remote attackers to cause a denial of service by sending crafted LDAP packets to port 389/TCP, as demonstrated by the ProtoVer LDAP testsuite.
References: [CVE-2006-0790] [BID-16675] [SECUNIA-18888]

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 is vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a "stopped" state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow.
References: [CVE-2019-3936], [XFDB-160475]

An issue was discovered on Alcatel-Lucent OmniVista 8770 devices before 4.1.2. An authenticated remote attacker, with elevated privileges in the Web Directory component on port 389, may upload a PHP file to achieve Remote Code Execution as SYSTEM.
References: [CVE-2019-20048], [EDB-47761]
 390 tcp zoom not scanned Zoom Video Conferencing uses these ports:
TCP: 80, 443, 8801, 8802 - outbound connections from Zoom clients to Zoom meetings
UDP: 3478, 3479, 8801-8810 - Zoom meetings
Zoom Phone also uses outbound ports 390/tcp and 5091/tcp
 399 tcp,udp iso-tsap-c2 not scanned Digital Equipment Corporation DECnet (Phase V+)

ISO Transport Class 2 Non-Control over TCP/UDP [Yanick_Pouffary] (IANA official)
 400 tcp trojan Premium scan Argentino

Oracle Secure Backup (TCP/UDP) (IANA official)
 401 tcp trojan Premium scan One Windows Trojan
 402 tcp trojan Premium scan One Windows Trojan
 407 tcp,udp applications not scanned Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to cause a denial of service (server process crash) via a certain data string that is sent to multiple simultaneous client connections to TCP port 407.
References: [CVE-2004-0810] [BID-11714]

The authentication protocol in Timbuktu Pro 2.0b650 allows remote attackers to cause a denial of service via connections to port 407 and 1417.
References: [CVE-2000-0142]

Port is also IANA registered for Timbuktu Pro Mac
 411 tcp trojan Premium scan Backage trojan
 420 tcp trojans Members scan W32.Kibuv.Worm [Symantec-2004-051411-1858-99] (2004.05.14) - a worm that exploits the LSASS vulnerability (described in Microsoft Security Bulletin [MS04-011]) and the DCOM RPC vulnerability described in (Microsoft Security Bulletin [MS03-026]). Starts an FTP server on TCP port 9604, also listens on TCP port 420, and attempts to exploit the DCOM RPC vulnerability on TCP port 135.

Other trojans that also use this port: Breach, Incognito
Port is IANA registered for: SMPTE
 421 tcp trojan Premium scan TCP Wrappers

City of Heroes also uses this port.
 427 tcp,udp applications not scanned SLP (Service Location Protocol, used by MacOS and NetWare)

ExtremeZ-IP.exe in ExtremeZ-IP File and Print Server does not verify that a certain "number of URLs" field is consistent with the packet length, which allows remote attackers to cause a denial of service (daemon crash) via a large integer in this field in a packet to the Service Location Protocol (SLP) service on UDP port 427, triggering an out-of-bounds read.
References: [CVE-2008-0767] [BID-27718]

srvloc.sys in Novell Client for Windows before 4.91 SP3 allows remote attackers to cause an unspecified denial of service via a crafted packet to port 427 that triggers an access of pageable or invalid addresses using a higher interrupt request level (IRQL) than necessary.
References: [CVE-2006-6307] [BID-21430] [SECUNIA-23244]

OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
References: [CVE-2020-3992]

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
References: [CVE-2021-21974]

OpenSLP as used in ESXi has a denial-of-service vulnerability due to a heap out-of-bounds read issue. A malicious actor with network access to port 427 on ESXi may be able to trigger a heap out-of-bounds read in the OpenSLP service, resulting in a denial-of-service condition.
References: [CVE-2021-21995]
 432 udp games not scanned Command and Conquer Generals
 443 tcp HTTPS Basic scan HTTPS / SSL - encrypted web traffic, also used for VPN tunnels over HTTPS.

Apple applications that use this port: Secured websites, iTunes Store, FaceTime, MobileMe (authentication) and MobileMe Sync.

ASUS AiCloud routers' file sharing service uses ports 443 and 8082. There is a vulnerability in AiCloud with firmware prior to 3.0.4.372, see [CVE-2013-4937]

Ubiquiti UniFi Cloud Access uses ports 443 TCP/UDP, 3478 UDP, 8883 TCP.

SoftEther VPN (Ethernet over HTTPS) uses TCP Ports 443, 992 and 5555

Ooma VoIP - uses UDP port 1194 (VPN tunnel to the Ooma servers for call/setup control), ports 49000-50000 for actual VoIP data, and ports TCP 443, UDP 514, UDP 3480

Open Mobile Alliance (OMA) Device Management uses port 443/TCP.

Cisco Webex Teams services use these ports:
443,444,5004 TCP
53, 123, 5004, 33434-33598 UDP (SIP calls)

Syncthing listens on TCP ports 443, 22067, 22070

AnyDesk remote desktop software uses TCP ports 80, 443, 6568, 7070 (direct line connection)

Call of Duty World at War uses this port.

Trojans that use this port:
W32.Kelvir.M [Symantec-2005-040417-3944-99] (2005.04.04) - worm that spreads through MSN Messenger and drops a variant of the W32.Spybot.Worm [Symantec-2003-053013-5943-99]. Connects to IRC servers on the s.defonic2.net and s.majesticwin.com domains, and listens for commands on port 443/tcp.

Directory traversal vulnerability in Cisco Network Admission Control (NAC) Manager 4.8.x allows remote attackers to read arbitrary files via crafted traffic to TCP port 443, aka Bug ID CSCtq10755.
References: [CVE-2011-3305] [BID-49954]

Multiple buffer overflows in the authentication functionality in the web-server module in Cisco CiscoWorks Common Services before 4.0 allow remote attackers to execute arbitrary code via a session on TCP port (1) 443 or (2) 1741, aka Bug ID CSCti41352.
References: [CVE-2010-3036] [BID-44468] [SECUNIA-42011] [OSVDB-68927]

Buffer overflow in the logging functionality of the HTTP server in IBM Tivoli Provisioning Manager for OS Deployment (TPMfOSD) before 5.1.0.3 Interim Fix 3 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via an HTTP request with a long method string to port 443/tcp.
References: [CVE-2008-0401] [BID-27387] [SECUNIA-28604]

The administrative web interface on Cisco TelePresence Immersive Endpoint Devices before 1.7.4 allows remote authenticated users to execute arbitrary commands via a malformed request on TCP port 443, aka Bug ID CSCtn99724.
References: [CVE-2012-3075]

Cisco Identity Services Engine (ISE) 1.x before 1.1.1 allows remote attackers to bypass authentication, and read support-bundle configuration and credentials data, via a crafted session on TCP port 443, aka Bug ID CSCty20405.
References: [CVE-2013-5531]

The web framework in Cisco Identity Services Engine (ISE) 1.0 and 1.1.0 before 1.1.0.665-5, 1.1.1 before 1.1.1.268-7, 1.1.2 before 1.1.2.145-10, 1.1.3 before 1.1.3.124-7, 1.1.4 before 1.1.4.218-7, and 1.2 before 1.2.0.899-2 allows remote authenticated users to execute arbitrary commands via a crafted session on TCP port 443, aka Bug ID CSCuh81511.
References: [CVE-2013-5530]

Siemens SCALANCE S613 allows remote attackers to cause a denial of service (web-server outage) via traffic to TCP port 443.
References: [CVE-2016-3963]

Siemens SIMATIC S7-1200 is vulnerable to a denial of service, caused by an error when handling specially-crafted HTTPS traffic passed to TCP port 443. By sending specially-crafted packets to TCP port 443, a remote attacker could exploit this vulnerability to cause the device to go into defect mode.
References: [CVE-2014-2258] [XFDB-92059]

A vulnerability was discovered in Siemens OZW672 (all versions) and OZW772 (all versions) that could allow an attacker to read and manipulate data in TLS sessions while performing a man-in-the-middle (MITM) attack on the integrated web server on port 443/tcp.
References: [CVE-2017-6873], [BID-99473]

A vulnerability was discovered in Siemens ViewPort for Web Office Portal before revision number 1453 that could allow an unauthenticated remote user to upload arbitrary code and execute it with the permissions of the operating-system user running the web server by sending specially crafted network packets to port 443/TCP or port 80/TCP.
References: [CVE-2017-6869], [BID-99343]

A vulnerability has been identified in SCALANCE X300 (All versions < V4.0.0), SCALANCE X408 (All versions < V4.0.0), SCALANCE X414 (All versions). The web interface on port 443/tcp could allow an attacker to cause a Denial-of-Service condition by sending specially crafted packets to the web server. The device will automatically reboot, impacting network availability for other devices. An attacker must have network access to port 443/tcp to exploit the vulnerability. Neither valid credentials nor interaction by a legitimate user is required to exploit the vulnerability. There is no confidentiality or integrity impact, only availability is temporarily impacted. This vulnerability could be triggered by publicly available tools.
References: [CVE-2018-13807], [BID-105331]

An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.
References: [CVE-2023-22897]

An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.
References: [CVE-2023-22620]
 443 udp games not scanned Port used by Google Talk.
Games that use this port: Final Fantasy XI
 444 tcp webex not scanned Cisco Webex Teams services use these ports:
443,444,5004 TCP
53, 123, 5004, 33434-33598 UDP (SIP calls)

Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

Cortex Data Lake (Paloaltonetworks) and Panorama Connect use ports 444 and 3978 for logging
Cortex XDR (Paloaltonetworks) uses port 33221 as the default P2P content update distribution port for their security agents
 445 tcp microsoft-ds Basic scan TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. The SMB (Server Message Block) protocol is used for file sharing in Windows NT/2K/XP and later. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP and later, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra NetBT layer; for this they use TCP port 445.

Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName (value only) in the Windows Registry.

Leaving port 445 open leaves Windows machines vulnerable to a number of trojans and worms:
W32.HLLW.Deloder [Symantec-2003-030812-5056-99]
IraqiWorm (aka Iraq_oil.exe)
W32.HLLW.Moega [Symantec-2003-080813-3234-99]
W32.Korgo.AB [Symantec-2004-092415-4853-99] (2004.09.24)
Backdoor.Rtkit.B [Symantec-2004-100115-0426-99] (2004.10.01)
W32.Sasser.Worm [Symantec-2004-050116-1831-99] - exploits port 445 vulnerabilities, opens TCP ports 5554,9996.
Trojan.Netdepix.B [Symantec-2005-011715-5404-99] (2005.01.16) - trojan uses port 445, opens port 15118/tcp.
Backdoor.IRC.Cirebot [Symantec-2003-080214-3019-99] (2003.08.02) - trojan that exploits the MS DCOM vulnerability, uses ports 445 & 69, opens backdoor on port 57005.
Windows Null Session Exploit.

MS Security Bulletin [MS03-026] outlines a critical RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above-mentioned ports at the firewall level and not allow RPC over an insecure network, such as the Internet.

See also: Microsoft Security Bulletin [MS03-049] and Microsoft Security Bulletin [MS03-043]

W32.Zotob.C@mm [Symantec-2005-081516-4417-99] (2005.08.16) - mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp. Same ports are used by the W32.Zotob.A [Symantec-2005-081415-0646-99] and W32.Zotob.B [Symantec-2005-081415-0741-99] variants of the worm as well.

W32.Zotob.D [Symantec-2005-081609-4733-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.

W32.Zotob.E [Symantec-2005-081615-4443-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp.

W32.Zotob.H [Symantec-2005-081717-2017-99]

W32.Conficker.worm - a worm with multiple variants. It exploits a buffer overflow vulnerability in the Server Service on Windows computers. McAfee has named the most recently discovered variant of this worm as W32/Conficker.worm.gen.d. The original W32.Conficker.worm attacks port 445, the port that Microsoft Directory Service uses, and exploits Microsoft Windows vulnerability [MS08-067].

Buffer overflow in a certain driver in Cisco Security Agent 4.5.1 before 4.5.1.672, 5.0 before 5.0.0.225, 5.1 before 5.1.0.106, and 5.2 before 5.2.0.238 on Windows allows remote attackers to execute arbitrary code via a crafted SMB packet in a TCP session on port (1) 139 or (2) 445.
References: [CVE-2007-5580] [BID-26723] [SECUNIA-27947] [OSVDB-39521]

LANMAN service on Microsoft Windows 2000 allows remote attackers to cause a denial of service (CPU/memory exhaustion) via a stream of malformed data to microsoft-ds port 445.
References: [CVE-2002-0597] [BID-4532] [OSVDB-5179]
 448 tcp lync not scanned Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

IANA Registered for: DDM-Remote DB Access Using Secure Sockets
 449 tcp trojans Premium scan Backdoor.Krei [Symantec-2003-013114-0104-99] (2003.01.31) - a backdoor trojan that uses Trojan.Slanret to hide its malicious activities. Backdoor.Krei opens a listening port (port 449 by default) on the infected computer and it gives a hacker full access to the infected system.

Port is also IANA registered for AS Server Mapper
 452 tcp,udp trojans not scanned Backdoor.Ompnmagic [Symantec-2002-082914-4826-99] (2002.08.29) - a backdoor trojan that gives an attacker unauthorized access to a compromised computer. By default it opens port 452 on the compromised computer.

Port is also IANA registered for Cray SFS config server
 455 tcp trojan Premium scan Fatal Connections
 456 tcp trojans Premium scan Used by the Hackers Paradise trojan (also uses port 31)

Vulnerabilities listed: 100 (some use multiple ports)