Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
Port(s) |
Protocol |
Service |
Scan level |
Description |
101 |
tcp,udp |
hostname |
not scanned |
Hostnames NIC Host Name Server. [RFC953] [RFC811]
Skun trojan also uses this port (TCP). |
102 |
tcp,udp |
iso-tsap |
Members scan |
Port used by X.400, X.500, ITOT, ISO-TSAP (Transport Service Access Point) protocol.
Microsoft Exchange uses this port for X.400 mail messaging traffic. No known vulnerabilities, but similar to data-driven attacks common to smtp plus possible direct attacks, such as with sendmail. Always static route inbound mail to a protected/hardened email server.
X.500 Directory Service - Used to distribute user names, user info and public keys.
Security Concerns: Depending on vendor implementation probes can reveal valuable user info for follow-on attacks. On poorly configured servers attackers can replace public keys for data capture or DOS purposes.
[RFC1006] [RFC2126]
Delf, Skun trojans also use this port (TCP).
Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to TCP port 102 (aka the ISO-TSAP port).
References: [CVE-2013-0700]
Siemens SIMATIC S7-1200 is vulnerable to a denial of service. By sending specially-crafted ISO-TSAP packets to TCP port 102, a remote attacker could exploit this vulnerability to cause the device to go into defect mode until a cold restart is performed.
References: [XFDB-109688] [EDB-38964]
A vulnerability in Siemens SIMATIC STEP 7 (TIA Portal) could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability using man-in-the-middle techniques to intercept or modify Siemens industrial communications at TCP port 102.
References: [CVE-2015-1601] [XFDB-101004] [BID-72691]
Siemens SIMATIC HMI Comfort Panels before WinCC (TIA Portal) 13 SP1 Upd2 and SIMATIC WinCC Runtime Advanced before WinCC (TIA Portal) 13 SP1 Upd2 allow man-in-the-middle attackers to cause a denial of service via crafted packets on TCP port 102.
References: [CVE-2015-2822]
Siemens SIMATIC S7-300 CPU devices allow remote attackers to cause a denial of service (defect-mode transition) via crafted packets on (1) TCP port 102 or (2) Profibus.
References: [CVE-2015-2177]
Siemens SIMATIC CP 343-1 Advanced devices before 3.0.44, CP 343-1 Lean devices, CP 343-1 devices, TIM 3V-IE devices, TIM 3V-IE Advanced devices, TIM 3V-IE DNP3 devices, TIM 4R-IE devices, TIM 4R-IE DNP3 devices, CP 443-1 devices, and CP 443-1 Advanced devices might allow remote attackers to obtain administrative access via a session on TCP port 102.
References: [CVE-2015-8214]
Siemens SIMATIC S7-1500 CPU devices before 1.8.3 allow remote attackers to bypass a replay protection mechanism via packets on TCP port 102.
References: [CVE-2016-2201]
Siemens SIMATIC S7-1500 CPU devices before 1.8.3 allow remote attackers to cause a denial of service (STOP mode transition) via crafted packets on TCP port 102.
References: [CVE-2016-2200], [XFDB-110522]
Siemens SIMATIC S7-300 is vulnerable to a denial of service. By sending specially-crafted packets to TCP port 102, a remote attacker could exploit this vulnerability to cause the device to go into defect mode.
References: [CVE-2016-3949] [XFDB-113903]
An Improper Authentication issue was discovered in Siemens SIMATIC CP 44x-1 RNA, all versions prior to 1.4.1. An unauthenticated remote attacker may be able to perform administrative actions on the Communication Process (CP) of the RNA series module, if network access to Port 102/TCP is available and the configuration file for the CP is stored on the RNA's CPU.
References: [CVE-2017-6868], [BID-99234]
A vulnerability has been identified in Firmware variant IEC 61850 for EN100 Ethernet module (All versions < V4.33), Firmware variant PROFINET IO for EN100 Ethernet module (All versions), Firmware variant Modbus TCP for EN100 Ethernet module (All versions), Firmware variant DNP3 TCP for EN100 Ethernet module (All versions), Firmware variant IEC104 for EN100 Ethernet module (All versions). Specially crafted packets to port 102/tcp could cause a denial-of-service condition in the EN100 communication module if oscillographs are running. A manual restart is required to recover the EN100 module functionality. Successful exploitation requires an attacker with network access to send multiple packets to the EN100 module. As a precondition the IEC 61850-MMS communication needs to be activated on the affected EN100 modules. No user interaction or privileges are required to exploit the security vulnerability. The vulnerability could allow causing a Denial-of-Service condition of the network functionality of the device, compromising the availability of the system. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2018-11452]
A vulnerability has been identified in SIMATIC ET 200SP Open Controller CPU 1515SP PC (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (All versions), SIMATIC S7-1200 CPU family (All versions >= V4.0), SIMATIC S7-1500 CPU family (All versions), SIMATIC S7-1500 Software Controller (All versions), SIMATIC S7-PLCSIM Advanced (All versions). An attacker with network access to port 102/tcp could potentially modify the user program on the PLC in a way that the running code is different from the source code which is stored on the device. An attacker must have network access to affected devices and must be able to perform changes to the user program. The vulnerability could impact the perceived integrity of the user program stored on the CPU. An engineer that tries to obtain the code of the user program running on the device, can receive different source code that is not actually running on the device. No public exploitation of the vulnerability was known at the time of advisory publication.
References: [CVE-2019-10943]
A vulnerability has been identified in SIMATIC ET 200SP Open Controller CPU 1515SP PC (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (All versions), SIMATIC S7-1200 CPU family (All versions >= V4.0), SIMATIC S7-1500 CPU family (All versions), SIMATIC S7-1500 Software Controller (All versions), SIMATIC S7-PLCSIM Advanced (All versions). An attacker in a Man-in-the-Middle position could potentially modify network traffic exchanged on port 102/tcp, due to certain properties in the calculation used for integrity protection. In order to exploit the vulnerability, an attacker must be able to perform a Man-in-the-Middle attack. The vulnerability could impact the integrity of the communication. No public exploitation of the vulnerability was known at the time of advisory publication.
References: [CVE-2019-10929], [XFDB-174097]
A vulnerability has been identified in SINUMERIK 808D (All versions), SINUMERIK 828D (All versions < V4.95). Affected devices don't process correctly certain special crafted packets sent to port 102/tcp, which could allow an attacker to cause a denial-of-service in the device.
References: [CVE-2021-37199]
Affected devices improperly handle specially crafted packets sent to port 102/tcp. This could allow an attacker to create a denial of service condition. A restart is needed to restore normal operations.
References: [CVE-2023-46156] |
103 |
tcp,udp |
gppitnp |
not scanned |
MS Exchange X.400 mail messaging traffic.
Trojans that use this port: Skun
Genesis Point-to-Point Trans Net (IANA registered) |
105 |
tcp,udp |
ccso |
not scanned |
IANA assigned to CCSO name server protocol (mailbox name nameserver). [RFC2378]
Backdoor.Nerte [Symantec-2001-110909-3147-99] also uses this port (TCP).
Buffer overflow in Mercury Mail Transport System 4.01b allows remote attackers to execute arbitrary code via a long request to TCP port 105.
References: [CVE-2005-4411], [BID-16396] |
106 |
tcp |
poppassd |
not scanned |
(TCP) poppassd (aka. epass) allows passwords to be changed on POP servers. Traditionally, users would have to have shell (Telnet) accounts on the servers in order to change their passwords. This allows users with just POP access to change their passwords.
The exchange looks something like:
S: 200 Hello
C: user robert
S: 300 Please send current password
C: pass mypassword
S: 200 send New Pass Word
C: newpass newpassword
S: 200 successful
C: quit
The protocol was originally developed for Eudora. Eudora Internet Mail Server versions 1.2, 2.0 and 2.01 are subject to a DoS: if you connect to this server and enter the command "USER xxxxxx" with more than 1000 characters, the service will crash.
Apple Mac OS X Password Server and City of Heroes also use this port.
Mail Management Agent (MAILMA) (a.k.a. Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames via user requests to TCP port 106.
References: [CVE-2006-0129]
Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.
References: [CVE-1999-1113] [BID-75] |
107 |
tcp |
trojan |
Premium scan |
Backdoor.Skun [Symantec-2002-120514-4425-99] |
109 |
tcp,udp |
pop2 |
not scanned |
Post Office Protocol 2 (obsolete). While POP2 has largely been replaced by POP3, hackers still scan for this port because many older POP servers have vulnerabilities associated with them. [RFC937]
ADM trojan also uses this port (TCP). |
110 |
udp |
pop-or-not |
Basic scan |
POP3 server traffic (should be TCP only?)
Final Fantasy XI also uses this port. |
110 |
tcp |
POP3 |
Basic scan |
POP3 (Post Office Protocol - Version 3)
Security Concerns: Re-usable cleartext password, no auditing of connections & attempts thus subject to grinding. Some POP3 server versions have had buffer overflow problems. CERT Advisories: CA-97.09
ADM, ProMail trojans also use port 110 (TCP).
Integer overflow in inetcomm.dll in Microsoft Outlook Express 5.5 SP2, 6, and 6 SP1; Windows Live Mail on Windows XP SP2 and SP3, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7; and Windows Mail on Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote e-mail servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) POP3 or (2) IMAP response, as demonstrated by a certain +OK response on TCP port 110, aka "Outlook Express and Windows Mail Integer Overflow Vulnerability."
References: [CVE-2010-0816] [BID-40052]
Integer overflow in eXtremail 2.1.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long USER command containing "%s" sequences to the pop3 port (110/tcp), which are expanded to "%%s" before being used in the memmove function, possibly due to an incomplete fix for [CVE-2001-1078].
References: [CVE-2007-5467] [BID-26074] [SECUNIA-27220]
The POP3 service in YahooPOPs (aka YPOPs!) 1.6 allows a remote denial of service (reboot) via a long string to TCP port 110, a related issue to CVE-2004-1558.
References: [CVE-2024-24736] |
111 |
tcp,udp |
SunRPC |
Basic scan |
Provides information between Unix-based systems. The port is often probed; it can be used to fingerprint the *nix OS and to obtain information about available services. The port is used with NFS, NIS, or any RPC-based service.
Port 111 was designed by Sun Microsystems as a component of their Network File System. It is also known as Open Network Computing Remote Procedure Call (ONC RPC). Port 111 is a port mapper with similar functions to Microsoft's port 135 or DCOM DCE.
Security Concerns: Provides rpc port map without auth, has no filtering or logging, rpcinfo probes can quickly find your Unix hosts. Shut down portmapper on any hosts not requiring rpcs, ensure it is blocked at net perimeters.
Trojans that use this port: ADM worm, MscanWorm, Sadmind/IIS Worm
NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111.
References: [CVE-1999-1349]
PORTSERV.exe in Emerson DeltaV and DeltaV Workstations 9.3.1, 10.3.1, 11.3, and 11.3.1 and DeltaV ProEssentials Scientific Graph 5.0.0.6 allows remote attackers to cause a denial of service (daemon crash) via a crafted (1) TCP or (2) UDP packet to port 111.
References: [CVE-2012-1816] [BID-53591] [SECUNIA-49210] [OSVDB-82012]
Vestel TV 42pf9322 is vulnerable to a denial of service. By sending a specially-crafted request containing an overlong string argument to port 111, a remote attacker could exploit this vulnerability to cause the device to malfunction.
References: [XFDB-87101] [BID-62394] [EDB-28271]
MiCOM C264 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the RPC service. By sending specially-crafted data to port 111, an attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.
References: [XFDB-111158]
A vulnerability in BrightStor ARCserve Backup can be exploited to cause a DoS (Denial of Service). The vulnerability is caused by a NULL pointer dereference error when handling TADDR2UADDR (0x08) request types within the CA Remote Procedure Call Server service (CATIRPC.EXE). This can be exploited to crash the service by sending a specially crafted packet to port 111/UDP.
References: [CVE-2007-0816] [SECUNIA-24009]
The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.
References: [CVE-2017-8804], [BID-98339]
rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
References: [CVE-2017-8779], [BID-98325]
On Junos OS, rpcbind should only be listening to port 111 on the internal routing instance (IRI). External packets destined to port 111 should be dropped. Due to an information leak vulnerability, responses were being generated from the source address of the management interface (e.g. fxp0) thus disclosing internal addressing and existence of the management interface itself. A high rate of crafted packets destined to port 111 may also lead to a partial Denial of Service (DoS). Note: Systems with fxp0 disabled or unconfigured are not vulnerable to this issue. This issue only affects Junos OS releases based on FreeBSD 10 or higher (typically Junos OS 15.1+). Administrators can confirm whether systems are running a version of Junos OS based on FreeBSD 10 or higher by typing:
user@junos> show version | match kernel
JUNOS OS Kernel 64-bit [20181214.223829_fbsd-builder_stable_10]
Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X53 versions prior to 15.1X53-D236; 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8; 17.3 versions prior to 17.3R2; 17.4 versions prior to 17.4R1-S1, 17.4R1-S7, 17.4R2. This issue does not affect Junos OS releases prior to 15.1.
References: [CVE-2019-0040], [BID-107902], [XFDB-159358] |
112 |
tcp,udp |
mcidas |
not scanned |
McIDAS Data Transmission Protocol (IANA official) |
113 |
tcp,udp |
IDENT |
Basic scan |
Port 113 used for Identification/Authorization service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC, FTP, etc. that remote server sends back a query to the IDENT port 113 asking for identification from your system...
Port 113 can be probed by attackers and it poses some security concerns, but the problem with filtering/stealthing port 113 is that if legitimate requests get no response at all from port 113 queries, the connection to them (which initiated their query in the first place) will be delayed or perhaps even completely abandoned.
The simplest solution is to close, rather than filter port 113.
Some trojans also use this port: ADM worm, Alicia, Cyn, DataSpy Network X, Dosh, Gibbon, Invisible Identd Deamon, Kazimas, Taskman, W32.Korgo.F
W32.Bofra.C@mm [Symantec-2004-111113-3948-99] (2004.11.11) - It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
W32.Linkbot.A [Symantec-2004-110516-3932-99] (2004.11.05) - worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability. It also creates an IRC backdoor and attempts to install adware on the infected machine. It can affect all current Windows versions. Listens on port 113/tcp for remote commands.
W32.Spybot.LZI [Symantec-2005-040609-3623-99] (2005.04.06) - worm that attempts to exploit the MS DCOM RPC vulnerability on ports 135, 445 & 1025. Opens a backdoor on port 113.
W32.Linkbot.M [Symantec-2005-052109-2651-99] (2005.05.21) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
Stack-based buffer overflow in TinyIdentD 2.2 and earlier allows remote attackers to execute arbitrary code via a long string to TCP port 113.
References: [CVE-2007-2711] [BID-23981] [SECUNIA-25248] [OSVDB-36053]
Backdoor.Win32.Whisper.b / Remote Stack Corruption - Whisper.b listens on TCP port 113 and connects to port 6667, deletes itself, and drops an executable named rundll32.exe in the Windows\System directory. The malware is prone to stack corruption issues when receiving unexpected characters of random sizes.
References: [MVID-2021-0039] |
114 |
tcp,udp |
audionews |
not scanned |
Audio News Multicast |
116 |
tcp,udp |
ansanotify |
not scanned |
ANSA REX Notify (IANA official) |
118 |
udp |
trojan |
not scanned |
Infector 1.4.2 trojan horse |
119 |
udp |
NNTP |
Basic scan |
NNTP (Network News Transfer Protocol) control messages. |
119 |
tcp |
trojan |
Premium scan |
Happy99/Ska trojan |
120 |
tcp |
trojan |
Premium scan |
Backdoor.Skun [Symantec-2002-120514-4425-99]
CFDPTKT (TCP/UDP) (IANA official) |
121 |
tcp |
erpc |
Premium scan |
trojans/backdoors that use this port:
Attack Bot (files: Sysadmin.exe-181KB, Mpeg.exe, affects Windows 9x/ME)
God Message (ports 80,121,7777, a.k.a. BackDoor.AB.gen, JS.Trojan.WindowBomb, affects Windows 9x/ME/NT/2k)
JammerKillah (files: Jammerkillah.zip, Jammerkillah.exe, Mswin32.drv, affects Windows 9x/ME)
BO jammerkilla
Encore Expedited Remote Pro.Call (IANA official) |
122 |
tcp,udp |
smakynet |
not scanned |
SMAKYNET (IANA official) |
123 |
udp |
NTP |
Basic scan |
Network Time Protocol (NTP) - used for time synchronization [RFC 5905]
Security Concerns:
It provides both information and a possible avenue of attack for intruders. Information gathered can include system uptime, time since reset, time server packet, I/O and memory statistics, and the NTP peer list. If a host is susceptible to time altering via NTP, an attacker can possibly:
1) Run replay attacks using captured OTP and Kerberos tickets before they expire.
2) Stop security-related cron jobs from running or cause them to run at incorrect times.
3) Make system and audit logs unreliable since time is alterable.
Vodafone Sure Signal also uses this port |
123 |
tcp |
trojan |
Premium scan |
Net Controller trojan
Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks.
References: [CVE-2019-11331], [BID-108010], [XFDB-159889] |
124 |
tcp,udp |
ansatrader |
not scanned |
SecurID (UDP)
ANSA REX Trader (IANA official) |
125 |
tcp |
misc |
not scanned |
Port is sometimes unofficially used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of an ISP block on port 25.
Locus PC-Interface Net Map Ser (TCP/UDP) (IANA official) |
127 |
udp |
games |
not scanned |
Command and Conquer Generals
Locus PC-Interface Conn Server (TCP/UDP) (IANA official) |
128 |
tcp,udp |
gss-xlicen |
not scanned |
GSS X License Verification (IANA official) |
129 |
tcp,udp |
pwdgen |
not scanned |
Password Generator Protocol (IANA official) |
130 |
tcp,udp |
cisco-fna |
not scanned |
cisco FNATIVE (IANA official) |
131 |
tcp,udp |
cisco-fna |
not scanned |
cisco FNATIVE (IANA official) |
132 |
tcp,udp |
cisco-sys |
not scanned |
cisco SYSMAINT (IANA official) |
133 |
tcp |
trojan |
Premium scan |
Farnaz
Statistics Service (TCP/UDP) (IANA official) |
134 |
tcp,udp |
ingres-net |
not scanned |
INGRES-NET Service (IANA official) |
135 |
tcp,udp |
loc-srv |
Basic scan |
Remote Procedure Call (RPC) port 135 is used in client/server applications (might be on a single machine) such as Exchange clients, the recently exploited messenger service, as well as other Windows NT/2K/XP software. If you have remote users who VPN into your network, you might need to open this port on the firewall to allow access to the Exchange server.
There is an RPC vulnerability (in the RPC Endpoint Mapper component) in Windows NT where a malformed request to port 135 could cause denial of service (DoS). RPC contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data. To restore normal functionality, the victim has to reboot the system. Alternatively, you can upgrade/patch your OS (a patch is downloadable from Microsoft), or you can close port 135.
Port 135 is used by Messenger Service (not MSN Messenger) and exploited in popup net send messenger spam [MSKB 330904]. To stop the popups you'd need to filter port 135 at the firewall level or stop the messenger service. The service uses all the following ports: 135/tcp, 135/udp, 137/udp 138/udp, 139/tcp, 445/tcp.
MS Security Bulletin [MS03-026] outlines another critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
W32.Blaster.Worm [Symantec-2003-081113-0229-99] - a widely spread worm that exploits the DCOM RPC vulnerability described above (MS Security Bulletin [MS03-026]). The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Reatle.E@mm [Symantec-2005-080215-5809-99] - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability [MS03-026] on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.
A vulnerability has been identified in LOGO!8 BM (incl. SIPLUS variants) (All versions). The vulnerability could lead to an attacker reading and modifying the device configuration and obtain project files from affected devices. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 135/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2020-7589], [XFDB-183129] |
136 |
tcp,udp |
profile |
not scanned |
PROFILE Naming System (IANA official) |
137 |
tcp,udp |
netbios-ns |
Basic scan |
NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.
NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)
By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:
1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.
Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.
There is also a Critical Windows RPC vulnerability affecting ports 135,139 and 445, as detailed here: MS Technet Security Bulletin [MS03-026]
The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega [Symantec-2003-080813-3234-99] (2003.08.08) - worm with backdoor capabilities, opens TCP ports 139 and 445.
W32.Crowt.A@mm [Symantec-2005-012310-2158-99] (2005.01.23) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
W32.Reidana.A [Symantec-2005-032515-4042-99] (2005.03.27) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.
Windows Internet Naming Service (WINS) also uses this port (UDP).
Sygate Personal Firewall comes with a default rule set that blocks all UDP requests; however, if UDP requests originate from source port 137 or 138 they are allowed, thus a malicious person could get access to all open UDP ports on a target merely by sending all requests from source port 137 or 138.
References: [SECUNIA-7930] |
138 |
tcp,udp |
netbios-dgm |
Basic scan |
NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.
NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)
By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:
1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.
Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.
The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega [Symantec-2003-080813-3234-99]
Sygate Personal Firewall comes with a default rule set that blocks all UDP requests; however, if UDP requests originate from source port 137 or 138 they are allowed, thus a malicious person could get access to all open UDP ports on a target merely by sending all requests from source port 137 or 138.
References: [SECUNIA-7930] |
139 |
tcp,udp |
netbios-ss |
Basic scan |
NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be. There are a number of vulnerabilities associated with leaving this port open.
NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)
By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:
1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.
Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.
There is also a Critical Windows RPC vulnerability affecting ports 135,139 and 445, as detailed here: MS Technet Security Bulletin [MS03-026]
The following trojans/backdoors also use these ports:
Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega [Symantec-2003-080813-3234-99]
W32.Reidana.A [Symantec-2005-032515-4042-99] (2005.03.27) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.
W32.Klez worm [Symantec-2002-031910-1028-99] - a class of worms that collects email addresses from an infected computer's Windows address book and propagates using its own SMTP server. As of April 26, 2002, there are nine variants of the Klez worm that all exploit the "Microsoft Internet Explorer Incorrect MIME header" vulnerability, which causes an email attachment to be automatically executed when an HTML email is previewed by a Microsoft Outlook or Outlook Express user. The worm can arrive as an email attachment with one of the following file extensions: asp, bak, c, cpp, doc, htm, html, jpg, mp3, mpg, mpeg, pas, rtf, wab, or xls.
W32.Sircam.Worm [Symantec-2001-071720-1640-99] - a computer worm that propagates by e-mail from Microsoft Windows systems. It also spreads via open shares on a network. Sircam scans the network for computers with shared drives and copies itself to a machine with an open (non-password protected) drive or directory.
Buffer overflow in a certain driver in Cisco Security Agent 4.5.1 before 4.5.1.672, 5.0 before 5.0.0.225, 5.1 before 5.1.0.106, and 5.2 before 5.2.0.238 on Windows allows remote attackers to execute arbitrary code via a crafted SMB packet in a TCP session on port (1) 139 or (2) 445.
References: [CVE-2007-5580] [BID-26723] [SECUNIA-27947] [OSVDB-39521]
Server Message Block (SMB) also uses this port. It is used by Microsoft Windows file and print services, such as Windows Sharing in Mac OS X. |
140 |
tcp,udp |
emfis-data |
not scanned |
EMFIS Data Service (IANA official) |
141 |
tcp,udp |
emfis-cntl |
not scanned |
EMFIS Control Service (IANA official) |
142 |
tcp |
trojan |
Premium scan |
NetTaxi trojan
Britton-Lee IDM (TCP/UDP) (IANA official) |
143 |
tcp,udp |
IMAP |
Basic scan |
IMAP (Internet Mail Access Protocol) mail server uses this port. See also port 993/tcp.
Numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for a while, there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when Red Hat enabled the service by default on its distributions. This port is also used for IMAP2, but that version wasn't very popular. Several people have noted attacks from port 0 to port 143, which appear to be from some attack script.
MailServer.exe in NoticeWare Email Server 4.6.1.0 allows remote attackers to cause a denial of service (application crash) via a long string to IMAP port (143/tcp).
References: [CVE-2008-1713] [BID-28559] [SECUNIA-29629]
Format string vulnerability in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit imap-2007d and other applications, allows remote attackers to execute arbitrary code via format string specifiers in the initial request to the IMAP port (143/tcp). NOTE: Red Hat has disputed the vulnerability, stating "The Red Hat Security Response Team have been unable to confirm the existence of this format string vulnerability in the toolkit, and the sample published exploit is not complete or functional." CVE agrees that the exploit contains syntax errors and uses Unix-only include files while invoking Windows functions.
References: [CVE-2009-0671] [BID-33795]
ADM trojan also uses this port (TCP). |
144 |
tcp,udp |
uma |
not scanned |
Universal Management Architecture (IANA official) |
145 |
tcp,udp |
uaac |
not scanned |
UAAC Protocol (IANA official) |
146 |
tcp |
trojans |
Premium scan |
Infector trojan, 04,1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000
ISO-IP0 (TCP/UDP) (IANA official) |
147 |
tcp,udp |
iso-ip |
not scanned |
ISO-IP (IANA official) |
148 |
tcp,udp |
jargon |
not scanned |
CRONUS-SUPPORT
Jargon (IANA official) |
149 |
tcp,udp |
aed-512 |
not scanned |
AED 512 Emulation Service (IANA official) |
150 |
tcp,udp |
sql-net |
not scanned |
Denial of service of Ascend routers through port 150 (remote administration).
References: [CVE-1999-0221]
SQL-NET (IANA official) |
151 |
tcp,udp |
hems |
not scanned |
HEMS (IANA official) |
154 |
tcp,udp |
netsc-prod |
not scanned |
NETSC (IANA official) |
155 |
tcp,udp |
netsc-dev |
not scanned |
NETSC (IANA official) |
157 |
tcp,udp |
knet-cmp |
not scanned |
KNET/VM Command/Message Protocol (IANA official) |
159 |
tcp,udp |
nss-routing |
not scanned |
NSS-Routing (IANA official) |
160 |
tcp,udp |
sgmp-traps |
not scanned |
SGMP-TRAPS (IANA official) |
161 |
udp |
SNMP |
Basic scan |
Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications. Typically, SNMP agents listen on UDP port 161; asynchronous traps are received on port 162.
Brother MFC printers use ports 137 UDP and 161 UDP (network printing and remote setup), 54925/udp (network scanning), 54926 UDP (PC fax receiving). Some may also open port 21 TCP (scan to FTP feature).
Apple AirPort Express prior to 6.1.1 and Extreme prior to 5.5.1, configured as a Wireless Data Service (WDS), allows remote attackers to cause a denial of service (device freeze) by connecting to UDP port 161 and before link-state change occurs.
References: [CVE-2005-0289], [BID-12152]
The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513.
References: [CVE-2012-4703]
Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).
References: [CVE-2013-2780]
Cisco Catalyst 2900 XL series switches are vulnerable to a denial of service, caused by an empty UDP packet. If SNMP is disabled, a remote attacker can connect to port 161 and send an empty UDP packet to cause the switch to crash.
References: [CVE-2001-0566], [XFDB-6515]
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in BMXNOR0200H Ethernet / Serial RTU module (all firmware versions) and Modicon M340 controller (all firmware versions), which could cause denial of service when truncated SNMP packets on port 161/UDP are received by the device.
References: [CVE-2019-6813] |
162 |
udp |
SNMP |
Basic scan |
Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.
Typically, SNMP agents listen on UDP port 161; asynchronous traps are received on port 162.
Format string vulnerability in the snmp_input function in snmptrapd in CMU SNMP utilities (cmu-snmp) allows remote attackers to execute arbitrary code by sending crafted SNMP messages to UDP port 162.
References: [CVE-2006-0250], [BID-16267]
Memory leak in the SNMP process in Cisco IOS XR allows remote attackers to cause a denial of service (memory consumption or process reload) by sending many port-162 UDP packets, aka Bug ID CSCug80345.
References: [CVE-2013-1204]
Cisco Hosted Collaboration Mediation allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed UDP packets on port 162, aka Bug ID CSCug85756.
References: [CVE-2013-3381] |
163 |
tcp,udp |
cmip-man |
not scanned |
CMIP/TCP Manager (IANA official) |
164 |
tcp,udp |
cmip-agent |
not scanned |
CMIP/TCP Agent (IANA official) |
165 |
tcp |
applications |
not scanned |
The SNMPc Server (crserv.exe) process in Castle Rock Computing SNMPc allows remote attackers to cause a denial of service (crash) via a crafted packet to port 165/TCP.
References: [CVE-2007-3098], [BID-24292]
Port is also IANA registered for Xerox. |
166 |
tcp |
trojan |
Premium scan |
NokNok
Sirius Systems (TCP/UDP) (IANA official) |
167 |
tcp,udp |
namp |
not scanned |
NAMP (IANA official) |
168 |
tcp,udp |
rsvd |
not scanned |
RSVD (IANA official) |
169 |
tcp,udp |
send |
not scanned |
SEND (IANA registered) |
170 |
tcp |
trojan |
Premium scan |
A-Trojan |
171 |
tcp |
trojan |
Premium scan |
A-trojan
Network Innovations Multiplex (TCP/UDP) (IANA official) |
172 |
tcp,udp |
cl-1 |
not scanned |
Network Innovations CL 1 (IANA official) |
173 |
tcp |
trojan |
Premium scan |
Nestea trojan
Xyplex (TCP/UDP) (IANA official) |
174 |
tcp,udp |
mailq |
not scanned |
MAILQ (IANA official) |
176 |
tcp,udp |
genrad-mux |
not scanned |
GENRAD-MUX (IANA official) |
177 |
tcp |
xdmcp |
Premium scan |
Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well in order to really succeed. |
178 |
tcp,udp |
nextstep |
not scanned |
NextStep Window Server (IANA official) |
179 |
tcp,udp,sctp |
bgp |
not scanned |
Border Gateway Protocol (IANA official)
See also [RFC 4960]
Brocade BigIron RX switches allow remote attackers to bypass ACL rules by using 179 as the source port of a packet.
References: [CVE-2011-2760] [BID-48663] [SECUNIA-45217] [OSVDB-73869] |
180 |
tcp,udp |
ris |
not scanned |
Intergraph (IANA official) |
181 |
tcp,udp |
unify |
not scanned |
Unify [Daegis_Inc] (IANA official) |
182 |
tcp,udp |
audit |
not scanned |
Unisys Audit SITP (IANA official) |
183 |
tcp,udp |
ocbinder |
not scanned |
OCBinder (IANA official) |
184 |
tcp,udp |
ocserver |
not scanned |
OCServer (IANA official) |
185 |
tcp,udp |
remote-kis |
not scanned |
Remote-KIS (IANA official) |
186 |
tcp,udp |
kis |
not scanned |
KIS Protocol (IANA official) |
187 |
tcp,udp |
aci |
not scanned |
Application Communication Interface (IANA official) |
188 |
tcp,udp |
mumps |
not scanned |
Plus Five's MUMPS (IANA official) |
189 |
tcp,udp |
qft |
not scanned |
Akuvox C315 115.116.2613 allows remote command injection via the cfgd_server service. The attack vector is sending a payload to port 189 (default root 0.0.0.0).
References: [CVE-2021-31726]
Queued File Transport (IANA official) |
190 |
tcp,udp |
gacp |
not scanned |
Gateway Access Control Protocol (IANA official) |
191 |
tcp,udp |
prospero |
not scanned |
Prospero Directory Service (IANA official) |
192 |
udp |
applications |
not scanned |
Apple AirPort Base Station PPP status or discovery (certain configurations), AirPort Admin Utility, AirPort Express Assistant
OSU Network Monitoring System (TCP/UDP) (IANA official) |
193 |
tcp,udp |
srmp |
not scanned |
Spider Remote Monitoring Protocol (IANA official) |
194 |
tcp,udp |
IRC |
Members scan |
Internet Relay Chat Protocol |
195 |
tcp,udp |
dn6-nlm-aud |
not scanned |
DNSIX Network Level Module Audit (IANA official) |
196 |
tcp,udp |
dn6-smm-red |
not scanned |
DNSIX Session Mgt Module Audit Redir (IANA official) |
197 |
tcp,udp |
dls |
not scanned |
Directory Location Service (IANA official) |
198 |
tcp,udp |
dls-mon |
not scanned |
Directory Location Service Monitor (IANA official) |
199 |
tcp,udp |
smux |
not scanned |
A vulnerability in the TCP/IP stack of Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), and Cisco Secure Email and Web Manager, formerly Security Management Appliance, could allow an unauthenticated, remote attacker to crash the Simple Network Management Protocol (SNMP) service, resulting in a denial of service (DoS) condition. This vulnerability is due to an open port listener on TCP port 199. An attacker could exploit this vulnerability by connecting to TCP port 199. A successful exploit could allow the attacker to crash the SNMP service, resulting in a DoS condition.
References: [CVE-2022-20675]
SMUX (IANA official) |
200 |
tcp |
trojan |
Premium scan |
America's Army
CyberSpy trojan
IBM System Resource Controller (IANA official) |
201 |
tcp |
trojan |
Premium scan |
One Windows Trojan
AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused |
202 |
tcp |
trojans |
Premium scan |
One Windows Trojan, Backdoor.Skun [Symantec-2002-120514-4425-99]
AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused |
203 |
tcp,udp |
at-3 |
not scanned |
AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused |
204 |
tcp,udp |
at-echo |
not scanned |
AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused |
205 |
tcp,udp |
at-5 |
not scanned |
AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused |
206 |
tcp,udp |
at-zis |
not scanned |
AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused |
207 |
tcp,udp |
at-7 |
not scanned |
AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused |
Vulnerabilities listed: 100 (some use multiple ports)
|