Shortcuts
|
Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 710 |
tcp,udp |
entrust-ash |
not scanned |
Entrust Administration Service Handler (IANA official) |
| 712 |
tcp,udp |
tbrpf |
not scanned |
TBRPF (IANA official) [RFC 3684] |
| 714 |
tcp,udp |
iris-xpcs |
not scanned |
IRIS over XPCS (IANA official) [RFC 4992] |
| 715 |
tcp,udp |
iris-lwz |
not scanned |
IRIS-LWZ (IANA official) [RFC 4993] |
| 716 |
udp |
pana |
not scanned |
PANA Messages (IANA official) [RFC 5191] |
| 722 |
tcp,udp |
applications |
not scanned |
A FreeBSD patch for SSH on 2000-01-14 configures ssh to listen on port 722 as well as port 22, which might allow remote attackers to access SSH through port 722 even if port 22 is otherwise filtered.
References: [CVE-2000-0532], [BID-1323] |
| 729 |
tcp,udp |
netviewdm1 |
not scanned |
IBM NetView DM/6000 Server/Client (IANA official) |
| 730 |
tcp,udp |
netviewdm2 |
not scanned |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp. 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - Forticlient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
IBM NetView DM/6000 send/tcp (IANA official) |
| 731 |
tcp,udp |
netviewdm3 |
not scanned |
IBM NetView DM/6000 receive/tcp (IANA official) |
| 741 |
tcp,udp |
netgw |
not scanned |
netGW (IANA official) |
| 742 |
tcp,udp |
netrcs |
not scanned |
Network based Rev. Cont. Sys. (IANA official) |
| 744 |
tcp,udp |
flexlm |
not scanned |
Flexible License Manager (IANA official) |
| 747 |
tcp,udp |
fujitsu-dev |
not scanned |
Fujitsu Device Control (IANA official) |
| 748 |
tcp,udp |
ris-cm |
not scanned |
Russell Info Sci Calendar Manager (IANA official) |
| 749 |
tcp,udp |
kerberos |
not scanned |
Kerberos administration
Related ports: 88,464,543,544,751 |
| 751 |
tcp,udp |
pump |
not scanned |
Port used by kerberos_master, Kerberos 'kadmin' (v4) authentication.
IANA assigned to: pump |
| 758 |
tcp,udp |
nlogin |
not scanned |
nlogin (IANA official) |
| 759 |
tcp,udp |
con |
not scanned |
con (IANA official) |
| 760 |
tcp,udp |
ns |
not scanned |
ns |
| 761 |
tcp |
kpasswd |
not scanned |
Kerberos Password (kpasswd, kpwd), rxe |
| 762 |
tcp,udp |
quotad |
not scanned |
Quotad |
| 763 |
tcp,udp |
cycleserv |
not scanned |
Cycleserv |
| 764 |
tcp,udp |
omserv |
not scanned |
Omserv |
| 765 |
tcp,udp |
webster |
not scanned |
Webster Network Dictionary |
| 767 |
tcp,udp |
phonebook |
not scanned |
phone (IANA official) |
| 769 |
tcp,udp |
vid |
not scanned |
Vid |
| 770 |
tcp,udp |
cadlock |
not scanned |
Cadlock |
| 771 |
tcp,udp |
rtip |
not scanned |
Rtip |
| 772 |
tcp,udp |
cycleserv2 |
not scanned |
Cycleserv2 |
| 773 |
tcp |
submit |
not scanned |
Submit |
| 773 |
udp |
notify |
not scanned |
Notify |
| 774 |
udp |
acmaint-dbd |
not scanned |
Acmaint_dbd (IANA official) |
| 774 |
tcp |
rpasswd |
not scanned |
Rpasswd |
| 775 |
udp |
acmaint-transd |
not scanned |
Acmaint_transd (IANA official) |
| 775 |
tcp |
entomb |
not scanned |
Entomb |
| 776 |
tcp,udp |
wpages |
not scanned |
Wpages |
| 777 |
tcp |
multiling-http |
Members scan |
Trojans that use this port: AimSpy (AIM trojan), Un-Detected ( a.k.a. Backdoor.TDS, 4Fuk, Trojan.Win32.TrojanRunner.Levil, U4 ).
Heap-based buffer overflow in HistorySvr.exe in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a long request to TCP port 777.
References: [CVE-2011-0406], [BID-45727]
Port also IANA registered for Multiling HTTP |
| 778 |
tcp |
trojan |
Premium scan |
BackDoor.Netcrack.B [Symantec-2004-041311-0342-99] |
| 780 |
tcp,udp |
wpgs |
not scanned |
Wpgs |
| 781 |
tcp,udp |
hp-collector |
not scanned |
HP Performance Data - Collector |
| 782 |
tcp,udp |
hp-managed-node |
not scanned |
HP Performance Data - Managed Node |
| 783 |
tcp,udp |
hp-alarm-mgr |
not scanned |
HP Performance Data - Alarm Manager
SpamAssassin spamd daemon |
| 785 |
tcp |
trojan |
Premium scan |
NetworkTerrorist |
| 786 |
tcp,udp |
concert |
not scanned |
Concert |
| 787 |
tcp,udp |
qsc |
not scanned |
QSC |
| 798 |
tcp |
trojan |
Premium scan |
Oracle |
| 799 |
tcp |
applications |
not scanned |
Remotely Possible (ControlIT) |
| 800 |
tcp |
trojan |
Premium scan |
NeuroticKitten |
| 801 |
tcp |
games |
not scanned |
Dark Ages of Camelot
Stack consumption vulnerability in WebContainer.exe 1.0.0.336 and earlier in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (daemon crash) via a long request header in an HTTP request to TCP port 801.
References: [CVE-2008-1689], [BID-28505]
WebContainer.exe 1.0.0.336 and earlier in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a long URI in HTTP requests to TCP port 801. NOTE: some of these details are obtained from third party information.
References: [CVE-2008-1690] [BID-28505] [SECUNIA-29614]
device (IANA official) |
| 804 |
tcp |
sparx |
not scanned |
Enterprise Architect (Sparx Systems) WebConfig uses port 804 for http and 805 for https traffic by default.
|
| 805 |
tcp |
sparx |
not scanned |
Enterprise Architect (Sparx Systems) WebConfig uses port 804 for http and 805 for https traffic by default.
|
| 808 |
tcp |
trojan |
Premium scan |
Port used by Microsoft Net.TCP Port Sharing Service
Citrix StoreFront Server uses port 808 TCP for subscription replication services between associated clusters.
WinHole trojan
Progea Movicon is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when handling the Content-Length header. By sending a specially-crafted request to TCP port 808, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2011-3491], [BID-49605]
Backdoor.Win32.BO2K.09.b / Unauthenticated Remote Command Execution - backdoor BO2K.09.b listens on TCP ports 707 and 808. Third party adversarys who can reach the system, can execute any command on the infected host using sockets or get a remote shell using telnet, curl etc.
References: [MVID-2021-0120] |
| 809 |
tcp,udp |
applications |
not scanned |
Wingate VPN |
| 810 |
tcp |
fcp-udp |
not scanned |
Backdoor.Win32.Augudor.b / Remote File Write Code Execution - the malware drops an empty file named "zy.exe" and listens on TCP port 810. Third-party adversaries who can reach the infected host can write executable code to the empty "zy.exe" file on the system via a socket program and it will execute as soon as the binary transfer has completed. Successfully tested with a 880 byte executable.
References: [MVID-2022-0644]
FCP (IANA official) |
| 810 |
udp |
fcp-udp |
not scanned |
FCP Datagram (IANA official) |
| 815 |
tcp,udp |
trojan |
not scanned |
Everyone's Darling trojan horse |
| 828 |
tcp,udp |
itm-mcell-s |
not scanned |
itm-mcell-s (IANA official) |
| 829 |
tcp |
trojans |
Premium scan |
Backdoor.Uzbet (2003.07.17) - a trojan that runs as a proxy server under Windows 2000/XP
Port used by CMP (Certificate Management Protocol) (unofficial) for managing Public Key Infrastrictures (PKI) based on X.509v3 certificates.
Port also IANA registered for PKIX-3 CA/RA |
| 830 |
tcp,udp |
netconf-ssh |
not scanned |
NETCONF over SSH (IANA official) [RFC 6242] |
| 831 |
tcp |
trojan |
Premium scan |
NeuroticKat
NETCONF over BEEP (IANA official) [RFC 4744] |
| 832 |
tcp,udp |
netconfsoaphttp |
not scanned |
NETCONF for SOAP over HTTPS (IANA official) [RFC 4743] |
| 833 |
tcp,udp |
netconfsoapbeep |
not scanned |
NETCONF for SOAP over BEEP (IANA official) [RFC 4743] |
| 843 |
tcp |
applications |
not scanned |
Adobe Flash socket policy server |
| 848 |
udp |
applications |
not scanned |
The default configuration of the Group Encrypted Transport VPN (GET VPN) feature on Cisco IOS uses an improper mechanism for enabling Group Domain of Interpretation (GDOI) traffic flow, which allows remote attackers to bypass the encryption policy via certain uses of UDP port 848, aka Bug ID CSCui07698.
References: [CVE-2013-3436]
GDOI (TCP/UDP) (IANA official) [RFC 3547] |
| 853 |
tcp,udp |
domain-s |
not scanned |
DNS over QUIC / TLS uses port 853/udp
DNS query-response protocol [IESG] [RFC7858]
DNS-over-QUIC via 853/udp (IANA official) |
| 854 |
tcp,udp |
dlep |
not scanned |
IANA registered for: Dynamic Link Exchange Protocol (DLEP) |
| 860 |
tcp,udp |
iscsi |
not scanned |
iSCSI (IANA official) [RFC 7143] |
| 861 |
tcp,udp |
owamp-control |
not scanned |
OWAMP-Control (IANA official) [RFC 4656] |
| 862 |
tcp,udp |
twamp-control |
not scanned |
Two-way Active Measurement Protocol (TWAMP) Control (IANA official) [RFC 5357] |
| 871 |
tcp |
supfilesrv |
not scanned |
SUP server |
| 873 |
tcp |
applications |
not scanned |
QNAP NAS uses the following ports:
Web server: 80,8081 TCP and 443,8080 TCP (web admin)
FTP/SFTP/SSH: 20,21,22 TCP and 13131 TCP (telnet)
Remote Replication: 873,8899 TCP
VPN server: 1723 TCP (PPTP), 1194 UDP (OpenVPN)
CloudLink: port 20001 UDP (optional, only required for access without manual port forwarding)
The ANTlabs InnGate firmware on IG 3100, IG 3101, InnGate 3.00 E, InnGate 3.01 E, InnGate 3.02 E, InnGate 3.10 E, InnGate 3.01 G, and InnGate 3.10 G devices does not require authentication for rsync sessions, which allows remote attackers to read or write to arbitrary files via TCP traffic on port 873.
References: [CVE-2015-0932]
F5 BIG-IP could allow a remote attacker to execute arbitrary code on the system, caused by an error within the ConfigSync Access Control Handler component. By connecting to the rsync service on TCP port 873, an attacker could exploit this vulnerability to gain read or write access to the system and execute arbitrary code on the system with root privileges.
References: [XFDB-95624], [EDB-34465], [CVE-2014-2927]
rsync (TCP/UDP) (IANA official) |
| 876 |
tcp,udp |
applications |
not scanned |
ICL coNETion locate server |
| 877 |
tcp,udp |
applications |
not scanned |
ICL coNETion server info |
| 880 |
tcp |
trojan |
not scanned |
Common Port for phishing scam sites |
| 881 |
tcp |
lync |
not scanned |
Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports
McAfee ePO uses these ports:
80, 443, 8443, 8444 TCP - HTTP(S) traffic
389, 646 - LDAP, LDAPS
881 TCP - receiving security threat feed
1433 TCP, 1434 UDP - communication with SQL server
8081 TCP - outbound wakeup requests from the McAfee ePO server
8082 UDP - outbound traffic from superagents forwarding server messages |
| 888 |
tcp,udp |
accessbuilder |
not scanned |
Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflow that allows remote attackers to execute arbitrary code via a long string to TCP port 888, a related issue to CVE-2017-17932.
References: [CVE-2022-28381]
AccessBuilder (IANA official) |
| 890 |
tcp |
trojans |
not scanned |
Backdoor.Dsklite [Symantec-2003-070113-4113-99] (2003.07.01) - a backdoor trojan horse that gives the author of the trojan full access to an infected computer. By default, this trojan listens on port 890.
Trojan-Dropper.Win32.Hamer.10 / Remote Floating-point Exception DoS - Trojan Hamer.10 listens on TCP port 890, after receiving a SYN packet it also opens up TCP port 891. Sending an arbitrary junk payload to port 891 results in Floating-point exception and malware crash. Therefore, to exploit this issue we can send two consecutive packets one to port 890 which will in turn open port 891.
References: [MVID-2021-0125] |
| 891 |
tcp,udp |
malware |
not scanned |
Trojan-Dropper.Win32.Hamer.10 / Remote Floating-point Exception DoS - Trojan Hamer.10 listens on TCP port 890, after receiving a SYN packet it also opens up TCP port 891. Sending an arbitrary junk payload to port 891 results in Floating-point exception and malware crash. Therefore, to exploit this issue we can send two consecutive packets one to port 890 which will in turn open port 891.
References: [MVID-2021-0125] |
| 895 |
tcp,udp |
applications |
not scanned |
Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895. The web server uses JSONP and hosts sensitive information including configuration. User controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address.
References: [CVE-2018-6460], [EDB-44042] |
| 900 |
udp |
games |
not scanned |
Command and Conquer Generals Zero Hour, Black and White
OMG Initial Refs (TCP/UDP) (IANA official) |
| 901 |
tcp |
trojans |
Members scan |
NetDevil [Symantec-2002-021310-3452-99] (2002.02.13) - remote access trojan. Affects Windows 9x/Me/NT/2k/XP
Port IANA registered for SMPNAMERES
Also used by VMware Virtual Infrastructure Client, Samba SWAT tool, ISS RealSecure Sensor |
| 902 |
tcp |
trojans |
Premium scan |
VMware Server Console port. VMware also uses TCP ports 443, 902.
Ideafarm Chat
ISS RealSecure Sensor
NetDevil [Symantec-2002-021310-3452-99] (2002.02.13) - remote access trojan. Affects Windows 9x/Me/NT/2k/XP
Port IANA registered for self documenting Telnet Door |
| 903 |
tcp |
trojans |
Premium scan |
VMware Remote Console port. VMware Authentication Daemon Version 1.10. Also used by vSphere clients and vSphere Web Access. Also uses TCP ports 443, 902.
Port also used by Ideafarm-catch, ISS Console Manager.
NetDevil [Symantec-2002-021310-3452-99] (2002.02.13) - remote access trojan. Affects Windows 9x/Me/NT/2k/XP
Port IANA registered for self documenting Telnet Door |
| 905 |
tcp |
trojans |
not scanned |
Backdoor.NetDevil.B [Symantec-2002-122712-0302-99] (2002.12.27) - a variant of Backdoor.NetDevil. The trojan allows a hacker to remotely control the infected computer. The trojan opens port 905 for listening. |
| 910 |
tcp,udp |
applications |
not scanned |
DATAC RealWin SCADA Server Multiple Remote Buffer Overflow Vulnerabilities
References: [CVE-2011-1563], [BID-46937]
Kerberized Internet Negotiation of Keys (KINK) (IANA official) [RFC 4430] |
| 911 |
tcp |
trojans |
Premium scan |
Backdoor.NetCrack [Symantec-2002-082815-5727-99] (2002.08.28) - a backdoor trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 911 on the compromised computer. Backdoor.NetCrack is a Delphi application, packed using UPX v1.05-1.22.
Port is also used by Dark Shadow trojan.
xact-backup (IANA registered) |
| 912 |
tcp |
apex |
Members scan |
Port assigned to the APEX (Application Exchange Core) protocol. It is an XML-based protocol designed for sending instant messages based on the Blocks Extensible Exchange Protocol (BEEP).
APEX also uses TCP port 913 as its endpoint-relay service. The APEX protocol has been replaced by the SIP, SIMPLE and XMPP protocols. Port 912 is used primarily to receive and send messages that are originated via the end-points located in port 913. Information sent and received via port 912 includes the endpoint that created it, a URI reference point, the endpoints that will receive it and other options.
RealFlex RealWin is a SCADA server package for medium and small applications designed to control and monitor real-time applications. The RealWin application runs an HMI service on port 912/tcp. This service is vulnerable to two stack-based buffer overflows. One vulnerability is caused by the use of sprintf() in the SCPC_INITIALIZE() and SCPC_INITIALIZE_RF() functions. The second vulnerability is caused by the use of strcpy() in the SCPC_TXTEVENT() function.
References: [CVE-2010-4142], [BID-44150] |
| 913 |
tcp,udp |
apex-edge |
not scanned |
VMware Authentication Daemon Version 1.0 (version 1.10 uses TCP port 903). VMware also uses TCP ports 443, 902.
APEX endpoint-relay service (IANA official) [RFC 3340] |
| 916 |
udp |
applications |
not scanned |
The Linksys WAG200G with firmware 1.01.01, WRT54GC 2 with firmware 1.00.7, and WRT54GC 1 with firmware 1.03.0 and earlier allow remote attackers to obtain sensitive information (passwords and configuration data) via a packet to UDP port 916.
References: [CVE-2007-1585], [BID-23063] |
| 943 |
tcp |
silverlight |
Members scan |
Port not officially assigned, used by Silverlight Microsoft plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser. Port 943 was first used in Silverlight version 2 beta 2 release.
Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser. |
| 950 |
tcp |
rpc.statd |
Members scan |
Port used by rpc.statd background process. This daemon is a part of the Network File System (NFS) protocol. This protocol was developed by Sun Microsystems to allow a client to access files that are shared on a network. The rpc.statd daemon is a subsystem of NFS used mostly on UNIX and Linux platforms.
Port 950 can also be used in a malicious way. The port allows direct access to the syslog() function, which may be manipulated by unauthorized users.
The port has been used historically to start a buffer overflow and launch Distributed Denial of Service attacks. |
| 953 |
tcp,udp |
rdns |
not scanned |
Domain Name System (DNS) RDNC Service
BIND9 remote name daemon controller (TCP) (IANA registered) |
| 956 |
tcp |
trojan |
Premium scan |
Crat Pro |
| 959 |
tcp,udp |
applications |
not scanned |
Mac OS X RPC-based services. Used by NetInfo. |
| 983 |
tcp |
applications |
not scanned |
PlayStation Network and SCEA Game Servers use this port |
| 985 |
tcp |
applications |
not scanned |
NetInfo Static Port |
| 987 |
tcp,udp |
applications |
not scanned |
SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987.
References: [CVE-2019-13577], [XFDB-163945] |
| 988 |
tcp |
applications |
not scanned |
Lustre (file system) Protocol (data) |
| 989 |
tcp |
ftps |
Members scan |
FTPS Protocol, FTP over TLS/SSL (IANA official) uses ports 989 and 990.
Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc., it is active as of March 2022, and it is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443
|
| 990 |
tcp |
ftps |
Members scan |
FTPS Protocol, FTP over TLS/SSL (IANA official) uses ports 989 and 990.
Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc., it is active as of March 2022, and it is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443 |
Vulnerabilities listed: 100 (some use multiple ports)
|
