Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
Port(s) |
Protocol |
Service |
Scan level |
Description |
458 |
tcp,udp |
applications |
not scanned |
QuickTime Conferencing (MovieTalk) |
464 |
tcp,udp |
kpasswd |
not scanned |
Kerberos (v5)
Related ports: 88,543,544,749
A vulnerability has been reported in Kerberos, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the kpasswd application not properly handling malformed UDP packets and can be exploited to exhaust CPU and network resources via the UDP "ping-pong" attack on port 464.
References: [CVE-2002-2443], [SECUNIA-53375] |
465 |
tcp |
smtp-ssl |
Premium scan |
Outgoing SMTP Mail over SSL (SMTPS) [RFC 2487] - older IANA registered port, largely replaced by port 587 and SMTP over TLS.
PlayStation Network and SCEA Game Servers use this port
Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended.
References: [CVE-2021-43270]
Message Submission over TLS protocol [RFC8314] (IANA official) |
465 |
udp |
igmpv3lite |
not scanned |
Cisco IOS 15.2S allows remote attackers to cause a denial of service (interface queue wedge) via malformed UDP traffic on port 465, aka Bug ID CSCts48300.
References: [CVE-2011-4015]
IGMP over UDP for SSM (IANA official) |
476-490 |
tcp,udp |
applications |
not scanned |
Centro Software ERP ports |
496 |
udp |
pim-rp-disc |
not scanned |
A vulnerability in the Protocol Independent Multicast (PIM) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause the PIM process to restart, resulting in a denial of service condition on an affected device. The vulnerability is due to the incorrect processing of crafted AutoRP packets. An attacker could exploit this vulnerability by sending crafted packets to port UDP 496 on a reachable IP address on the device. A successful exploit could allow the attacker to cause the PIM process to restart. Software versions prior to 6.2.3, 6.3.2, 6.4.0, and 6.5.1 are affected.
References: [CVE-2019-1712]
IANA registered for: PIM-RP-DISC |
497 |
tcp,udp |
applications |
not scanned |
retroclient.exe in EMC Dantz Retrospect Backup Client 7.5.116 allows remote attackers to cause a denial of service (daemon crash) via malformed packets to TCP port 497, which trigger a NULL pointer dereference and memory corruption.
References: [CVE-2008-3287] [CVE-2008-3290] [BID-30306] [BID-30313] [SECUNIA-31186]
Buffer overflow in EMC Retrospect Client 5.1 through 7.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet to port 497.
References: [CVE-2006-2391] [BID-17948] [SECUNIA-20080]
EMC Dantz Retrospect 7 backup client 7.0.107, and other versions before 7.0.109, and 6.5 before 6.5.138 allows remote attackers to cause a denial of service (client termination and loss of backup service) via a malformed packet to TCP port 497, which triggers an assert error.
References: [CVE-2006-0995] [BID-16933] [SECUNIA-19097]
Port is IANA registered for: Dantz Retrospect backup and restore service [Retrospect Inc] |
500 |
tcp,udp |
ipsec |
Members scan |
IPSec (VPN tunneling) uses the following ports:
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal
500/tcp - sometimes used for IKE over TCP
See also:
port 1701 (L2TP)
port 1723 (PPTP)
Some Apple applications use this port as well: Mac OS X Server VPN service, Back to My Mac (MobileMe, Mac OS X v10.5 or later).
Xbox 360 (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP, 500 UDP, 3544 UDP, 4500 UDP
isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop.
References: [CVE-2003-0108] [BID-6974]
Microsoft Windows XP allows remote attackers to cause a denial of service (CPU consumption) by flooding UDP port 500 (ISAKMP).
References: [CVE-2002-2117]
Snapgear Lite+ firewall 1.5.3 allows remote attackers to cause a denial of service (IPSEC crash) via a zero length packet to UDP port 500.
References: [CVE-2002-0603] [BID-4659]
Cisco Wireless LAN Controller is vulnerable to a denial of service, caused by an error when handling Internet Key Exchange (IKE) messages. By sending a specially-crafted IKE packet to UDP Port 500, a remote attacker could exploit this vulnerability to cause the device to crash and reload.
References: [CVE-2010-0574] [XFDB-61666] [BID-43059]
A vulnerability in MikroTik Version 6.38.5 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of UDP packets on port 500 (used for L2TP over IPsec), preventing the affected router from accepting new connections; all devices will be disconnected from the router and all logs removed automatically.
References: [CVE-2017-8338], [XFDB-126179]
Vodafone Sure Signal also uses this port |
502 |
tcp |
asa-appl-proto |
not scanned |
Phoenix Contact FL IL 24 BK-PAC allows remote attackers to cause a denial of service (hang) via (1) unspecified manipulations as demonstrated by a Nessus scan or (2) malformed input to TCP port 502.
References: [CVE-2008-7199]
The modbus_125_handler function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) allows remote attackers to install arbitrary firmware updates via a MODBUS 125 function code to TCP port 502.
References: [CVE-2011-4861]
Unspecified vulnerability in the Modbus/TCP Diagnostic function in MiniHMI.exe for the Automated Solutions Modbus Slave ActiveX Control before 1.5 allows remote attackers to corrupt the heap and possibly execute arbitrary code via malformed Modbus requests to TCP port 502.
References: [CVE-2007-4827] [BID-25713] [OSVDB-38259]
Triangle Research International (aka Tri) Nano-10 PLC devices with firmware before r81 use an incorrect algorithm for bounds checking of data in Modbus/TCP packets, which allows remote attackers to cause a denial of service (networking outage) via a crafted packet to TCP port 502.
References: [CVE-2013-2784]
Triangle Research International (aka Tri) Nano-10 PLC devices with firmware r81 and earlier do not properly handle large length values in MODBUS data, which allows remote attackers to cause a denial of service (transition to the interrupt state) via a crafted packet to TCP port 502.
References: [CVE-2013-5741], [OSVDB-97728], [SECUNIA-55782]
Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow remote attackers to discover the application-protection password via a \x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00 request to the Modbus port (502/tcp). Subsequently the application may be arbitrarily downloaded, modified, and uploaded.
References: [CVE-2017-7575], [BID-97523]
The Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices. The originating device sends a message in plaintext, 48:65:6c:6c:6f:20:57:6f:72:6c:64, "Hello World" over UDP ports 44444-44446 to the broadcast address for the LAN. Without verification devices respond to any of these broadcast messages on the LAN with a plaintext reply over UDP containing the device model and firmware version. Following this exchange the devices allow Modbus transmissions between the two devices on the standard Modbus port 502 TCP. Impact: An attacker can exploit this vulnerability to send arbitrary messages to any DCU or RP device through spoofing or replay attacks as long as they have access to the network. Affected releases are Auto-Maskin DCU-210E RP-210E: Versions prior to 3.7 on ARMv7.
References: [CVE-2018-5400]
An issue was discovered on TENGCONTROL T-920 PLC v5.5 devices. It allows remote attackers to cause a denial of service (persistent failure mode) by sending a series of \x19\xb2\x00\x00\x00\x06\x43\x01\x00\xac\xff\x00 (aka UID 0x43) requests to TCP port 502.
References: [CVE-2019-9590], [XFDB-158222]
Carel pCOWeb HVAC could allow a remote attacker to bypass security restrictions, caused by no authentication mechanism required for Modbus interface on TCP port 502. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
References: [XFDB-170822]
IANA registered for: Modbus Application Protocol, asa-appl-proto |
510 |
tcp |
trojans |
Premium scan |
T0rnkit sshd backdoor |
511 |
tcp |
|
Premium scan |
Part of rootkit t0rn, a program called "leeto's socket daemon" runs at this port. |
512 |
tcp |
applications |
not scanned |
Act P202S VoIP WiFi phone undocumented open port, multiple vulnerabilities.
References: [CVE-2006-0374], [CVE-2006-0375], [BID-16288] |
513 |
udp |
applications |
not scanned |
Multiple buffer overflows in the Syslog server in ManageEngine EventLog Analyzer 6.1 allow remote attackers to cause a denial of service (SysEvttCol.exe process crash) or possibly execute arbitrary code via a long Syslog PRI message header to UDP port 513 or 514.
References: [CVE-2010-4840] |
513 |
tcp |
trojans |
Premium scan |
ADM worm, Grlogin
UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 does not allow users to disable access to (1) SNMP or (2) the rlogin port TCP 513, which allows remote attackers to exploit other vulnerabilities such as CVE-2005-3716, or execute arbitrary shell commands via rlogin, which does not require authentication.
References: [CVE-2005-3718] [SECUNIA-17629] [BID-15476]
The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513.
References: [CVE-2012-4703] |
514 |
tcp |
shell |
Members scan |
Used by rsh (and also rcp), interactive shell without any logging.
Citrix NetScaler appliance MAS syslog port.
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
Games that use this port: America's Army
Malware using this port: RPC Backdoor, Whacky, ADM worm
Stack-based buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7 allows remote attackers to execute arbitrary code via a long string to the shell port (514/tcp). NOTE: this might overlap [CVE-2007-4006].
References: [CVE-2007-4005] [BID-25044] [SECUNIA-26197]
Denicomp RSHD 2.18 and earlier allows a remote attacker to cause a denial of service (crash) via a long string to port 514.
References: [CVE-2001-0707]
A vulnerability has been reported in Cisco IOS, which can be exploited to cause a DoS (Denial of Service). The vulnerability is caused due to TCP connection information not being properly validated when connecting to a protocol translation resource and can be exploited to cause a reload via specially crafted packets sent to TCP ports 514 or 544. Successful exploitation requires a vulnerable protocol translation configuration or a Telnet-to-PAD protocol translation ruleset to be configured.
References: [CVE-2013-1147] [SECUNIA-52785] |
514 |
udp |
applications |
Premium scan |
Ooma VoIP - uses UDP port 1194 (VPN tunnel to the Ooma servers for call/setup control), ports 49000-50000 for actual VoIP data, and ports TCP 443, UDP 514, UDP 3480
Multiple buffer overflows in the Syslog server in ManageEngine EventLog Analyzer 6.1 allow remote attackers to cause a denial of service (SysEvttCol.exe process crash) or possibly execute arbitrary code via a long Syslog PRI message header to UDP port 513 or 514.
Reference: [CVE-2010-4840]
Stack-based buffer overflow in the Syslog service (nssyslogd.exe) in Enterasys Network Management Suite (NMS) before 4.1.0.80 allows remote attackers to execute arbitrary code via a long PRIO field in a message to UDP port 514.
References: [CVE-2011-5227] [SECUNIA-47263]
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).
References: [CVE-2022-32294] |
515 |
tcp |
printer |
Premium scan |
Printing services, listening for incoming connections
Trojans using this port: MscanWorm, lpdw0rm, Ramen.
Multiple buffer overflows in Client Software WinCom LPD Total 3.0.2.623 and earlier allow remote attackers to execute arbitrary code via a long 0x02 command to the remote administration service on TCP port 13500 or a long invalid control filename to LPDService.exe on TCP port 515.
References: [CVE-2008-5176], [BID-27614]
Stack-based buffer overflow in Winlpd 1.26 allows remote attackers to execute arbitrary code via a long string in a request to TCP port 515.
References: [CVE-2006-3670] [SECUNIA-21058] [BID-19011] [OSVDB-27332]
Buffer overflow in NIPrint 4.10 allows remote attackers to execute arbitrary code via a long string to TCP port 515.
References: [CVE-2003-1141] [BID-8968] [OSVDB-2774] [SECUNIA-10143]
SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of Service vulnerability (service crash) with a long string to TCP port 515.
References: [CVE-2016-10079], [EDB-41030]
spooler (IANA official) |
520 |
udp |
router |
Premium scan |
RIP (Routing Information Protocol). Routers use RIP in order to advertise routing information to each other and communicate optimal paths.
References: [RFC 1058] & [RFC 2453]
Cisco NX-OS is vulnerable to a denial of service, caused by an error in the Routing Information Protocol (RIP) service engine. By sending a specially-crafted RIPv4 or RIPv6 message to UDP port 520, a remote attacker could exploit this vulnerability to cause the RIP service engine to restart.
References: [CVE-2012-4091] [XFDB-87669] [BID-62838]
A UDP backdoor also uses this port. |
520 |
tcp |
efs |
not scanned |
ISC DHCP server 4.2 before 4.2.0-P2, when configured to use failover partnerships, allows remote attackers to cause a denial of service (communications-interrupted state and DHCP client service loss) by connecting to a port that is only intended for a failover peer, as demonstrated by a Nagios check_tcp process check to TCP port 520.
References: [CVE-2010-3616], [BID-45360]
Port IANA registered for Extended File Name Server |
522 |
tcp |
applications |
Members scan |
ULP (User Locator Service) used by collaborative apps and web video conferencing servers to locate and track active users. |
523 |
udp |
ibm-db2 |
not scanned |
The DB2 Discovery Service for IBM DB2 before FixPak 10a allows remote attackers to cause a denial of service (crash) via a long packet to UDP port 523.
References: [CVE-2003-0827]
IBM-DB2 (TCP/UDP) (IANA official) |
524 |
tcp,udp |
applications |
not scanned |
Citrix Sign-on plugin/service uses port 524 TCP/UDP for ZEN works communication.
Unspecified vulnerability in the NCP service in Novell eDirectory 8.8.5 before 8.8.5.6 and 8.8.6 before 8.8.6.2 allows remote attackers to cause a denial of service (hang) via a malformed FileSetLock request to port 524.
References: [CVE-2010-4327], [BID-46263] |
527 |
tcp,udp |
stx |
not scanned |
Stock IXChange [Fraxion Software] (IANA official) |
528 |
tcp,udp |
custix |
not scanned |
Customer IXChange [Fraxion Software] (IANA official) |
530 |
tcp |
trojan |
Premium scan |
W32.kibuv.worm |
531 |
tcp |
chat |
Premium scan |
Port used by IRC chat
Trojans using this port: Rasmin, Net666 |
535 |
udp |
CORBA IIOP |
Premium scan |
Common Object Request Broker Architecture (CORBA) is an object-oriented remote procedure call (RPC) system. If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port. CORBA broadcasts send out information that can often be used to hack back into the systems generating these broadcasts. |
540 |
tcp |
uucp |
Members scan |
A famous file transfer service; potential vulnerability. |
541 |
tcp,udp |
uucp-rlogin |
not scanned |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
Fortinet FortiGate and FortiWiFi 4.00.6 and possibly earlier versions are susceptible to man-in-the-middle attacks and a heap-based overflow vulnerability. The vulnerabilities exist in the FortiManager service running on TCP port 541.
References: [CVE-2014-2216], [CVE-2014-0351]
IANA registered for: uucp-rlogin |
542 |
|
commerce |
not scanned |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
Commerce Applications (IANA official) |
543 |
tcp |
klogin |
not scanned |
Kerberos login
Related ports: 88,464,544,749,751 |
544 |
tcp |
kshell |
not scanned |
Kerberos remote shell
Related ports: 88,464,543,749,751
A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to TCP connection information not being properly validated when connecting to a protocol translation resource and can be exploited to cause a reload via specially crafted packets sent to TCP ports 514 or 544. Successful exploitation requires a vulnerable protocol translation configuration or a Telnet-to-PAD protocol translation ruleset to be configured.
References: [CVE-2013-1147] [SECUNIA-52785] |
545 |
tcp |
aspentech |
not scanned |
AspenTech Cim-IO uses this port for their industrial communications (process historian). PI 3 server uses port 5450 and PI 2 server uses port 545. |
546 |
tcp,udp |
DHCP |
Premium scan |
DHCP(v6) Client |
547 |
tcp,udp |
DHCP |
Premium scan |
DHCP(v6) Server |
548 |
tcp |
afpovertcp |
not scanned |
AppleShare, Personal File Sharing, Apple File Service
ExtremeZ-IP.exe in ExtremeZ-IP File and Print Server 5.1.2x15 and earlier allows remote attackers to cause a denial of service (daemon crash) via an invalid UAM field in a request to the Apple Filing Protocol (AFP) service on TCP port 548.
References: [CVE-2008-0759], [BID-27718]
Novell Netware is vulnerable to a denial of service, caused by a NULL pointer dereference in the AFPTCP.nlm module. By sending a specially-crafted AFP request to TCP port 548, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [CVE-2010-0317], [XFDB-55389], [BID-37616], [OSVDB-61604] |
551 |
tcp |
cybercash |
Premium scan |
Backdoor.Amitis [Symantec-2003-010717-1940-99] (2003.01.07) Windows remote access trojan. Listens on ports 27, 551. Other variants of Backdoor.Amitis also use ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429.
cybercash [Donald E Eastlake] [RFC 1898] (IANA official) |
554 |
tcp |
ms-rtsp |
Members scan |
Port used by Real Time Streaming Protocol (RTSP) for Microsoft Windows Media streaming services and QuickTime Streaming Server (QTSS).
RTSP uses the following ports:
554 TCP - used for accepting incoming RTSP client connections and for delivering data packets to clients that are streaming by using RTSPT.
5004 UDP - used for delivering data packets to clients that are streaming by using RTSPU.
5005 UDP - used for receiving packet loss information from clients and providing synchronization information to clients that are streaming by using RTSPU.
Multiple Vivotek IP Camera products could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. If RTSP authentication is set to basic, an attacker could send a specially-crafted request to TCP port 554 in order to bypass authentication and gain access to the RTSP live video stream.
References: [CVE-2013-4985] [XFDB-88567] [EDB-29516]
Multiple Vivotek IP Cameras products could allow a remote attacker to bypass security restrictions, caused by the failure to restrict access to the video stream. By sending specially-crafted RTSP packets to TCP port 554, an attacker could exploit this vulnerability to access the video stream without authentication.
References: [CVE-2013-1596] [XFDB-83945] [BID-59574]
See also: port 1755 - Microsoft Media Server (MMS) protocol |
555 |
tcp |
dsf |
Members scan |
Trojans that use this port: 711 trojan (Seven Eleven), Ini-Killer, Net Administrator (NeTadmin), Phase Zero, Stealth Spy
Stack-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555.
References: [CVE-2012-1830]
Siklu EtherHaul could allow a remote attacker to execute arbitrary commands on the system. By connecting to port 555 via telnet, an attacker could exploit this vulnerability to execute arbitrary commands on the system and obtain sensitive information.
References: [CVE-2017-7318], [XFDB-122267]
Backdoor.Win32.Phase.11 / Unauthenticated Remote Command Execution - the phAse zero server v1.1 by njord of kr0me corp listens on TCP port 555. Third-party attackers who can reach an infected system can run commands made available by the malware and execute arbitrary programs further compromising the host. Using telnet to connect worked best, to start programs you need to pass an "S" argument preceding the program name like... EXEC S PROGRAM_NAME. Other commands are CURDIR, SHOWMSG etc. The ftpd command can also be initiated to third-party FTP servers to download tools to the infected host.
References: [MVID-2021-0428] |
559 |
tcp |
trojans |
Premium scan |
Port used by Domwis remote access trojan. Creates a backdoor and spam proxy on port 559.
Backdoor.Solufina [Symantec-2005-030813-5906-99] also uses this port. |
563 |
tcp,udp |
applications |
not scanned |
NNTP protocol over TLS/SSL (NNTPS) |
564 |
tcp |
trojan |
Premium scan |
Oracle |
569 |
udp |
games |
not scanned |
Delta Force II |
587 |
tcp |
smtp |
Members scan |
Outgoing SMTP Mail port (TLS/Start TLS Port) - used by various mail servers for relaying outgoing mail as a modern alternative to port 25. Gmail, Apple MobileMe Mail, Yahoo SMTP server, etc. all use this port. See [RFC2476]
IANA registered for: Message Submission (TCP/UDP) |
589 |
tcp |
trojan |
Premium scan |
Assasin trojan |
591 |
tcp,udp |
http-alt |
not scanned |
FileMaker, Inc. - HTTP Alternate |
593 |
tcp |
|
Members scan |
MS Security Bulletin [MS03-026] outlines a critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet. |
600 |
tcp |
trojan |
Premium scan |
SweetHeart, Sadmind |
601 |
tcp,udp |
syslog-conn |
not scanned |
Reliable Syslog Service (IANA official) [RFC 3195] |
602 |
tcp,udp |
xmlrpc-beep |
not scanned |
XML-RPC over BEEP (IANA official) [RFC 3529] |
603 |
tcp,udp |
idxp |
not scanned |
IDXP (IANA official) [RFC 4767] |
604 |
tcp,udp |
tunnel |
not scanned |
TUNNEL (IANA official) [RFC 3620] |
605 |
tcp |
trojan |
Premium scan |
Secret Service Trojan
SOAP over BEEP [RFC 3288] (IANA official) |
606 |
tcp |
trojan |
Premium scan |
Secret Service trojan horse |
607 |
tcp |
games |
not scanned |
Operation Flashpoint, Railroad Tycoon 3 |
608 |
udp |
sift-uft |
not scanned |
Directory traversal vulnerability in eFileGo 3.01 allows remote attackers to execute arbitrary code, read arbitrary files, and upload arbitrary files via a ... (triple dot) in (1) the URL on port 608 and (2) the argument to upload.exe.
References: [CVE-2005-4622] [BID-16124] [OSVDB-22151] [SECUNIA-18279]
Sender-Initiated/Unsolicited File Transfer (IANA official) |
620 |
tcp,udp |
games |
not scanned |
Dark and Light |
622 |
tcp |
games |
not scanned |
Dark Ages of Camelot |
623 |
tcp |
dmtf |
Members scan |
IPMI and BMC Remote Management Control Protocol (RMCP) systems typically use port 623/udp, but some servers also listen on port 623/tcp.
RTB 666 trojan
Citrix NetScaler appliance Lights out Management uses ports 4001, 5900, 623 TCP to run a daemon that offers unified configuration management of routing protocols.
Stack-based buffer overflow in the DPC Proxy server (DpcProxy.exe) in ASUS Remote Console (a.k.a. ARC or ASMB3) 2.0.0.19 and 2.0.0.24 allows remote attackers to execute arbitrary code via a long string to TCP port 623.
References: [CVE-2008-1491], [BID-28394]
Port is also IANA registered for DMTF out-of-band web services management protocol. |
623 |
udp |
ipmi |
Premium scan |
IPMI and BMC Remote Management Control Protocol (RMCP) systems use this port. HP, Dell, and SuperMicro IPMI 1.5 and 2.0 protocols, Intel Xserves Lights-Out-Monitoring (LOM) feature all use this port.
IPMI-based systems have a number of possible attack vectors, such as cleartext passwords and even anonymous access via the ipmitool command to reset the password of any other user without authentication. IPMI 2.0 systems share the (SHA1 or MD5) password hash with unauthenticated clients, allowing for offline cracking. IPMI systems also store user passwords in cleartext, so a single compromised user can be used to trivially obtain even the strongest passwords for other accounts. SuperMicro BMCs are vulnerable to an additional overflow exploit in their UPnP SSDP service (UDP 1900) that will grant root access to the BMC.
See: [CVE-2013-4786], [CVE-2013-4038], [CVE-2013-4037], [CVE-2013-4031]
Cisco Unified Computing System is vulnerable to a buffer overflow, caused by improper bounds checking by the Intelligent Platform Management Interface (IPMI) implementation. By sending a specially-crafted request to UDP port 623, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2013-1183] [XFDB-83771] [BID-59453] |
624 |
tcp |
games |
not scanned |
Operation Flashpoint |
625 |
tcp |
dsproxy |
not scanned |
DirectoryService, Open Directory Assistant, Workgroup Manager.
Port is IANA registered for DEC DLM. |
626 |
tcp |
applications |
not scanned |
Apple IMAP Administration (Mac OS X Server 10.2.8 or earlier, AppleShare IP 6) |
629 |
tcp,udp |
ipcserver |
not scanned |
Mac OS X RPC-based services like NetInfo use this port.
Port is also IANA registered for 3Com AMP3 |
631 |
tcp |
ipp |
not scanned |
Mac OS X Printer Sharing
Unknown vulnerability in the Internet Printing Protocol (IPP) implementation in CUPS before 1.1.19 allows remote attackers to cause a denial of service (CPU consumption from a "busy loop") via certain inputs to the IPP port (TCP 631).
References: [CVE-2003-0788] [BID-8952] [SECUNIA-10123] |
631 |
udp |
applications |
not scanned |
Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via crafted UDP Browse packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer.
References: [CVE-2008-0882], [BID-27906], [SECUNIA-28994]
The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port. This can be exploited by sending an empty UDP datagram to port 631, which can cause cupsd to stop listening on that port.
References: [CVE-2004-0558] [SECUNIA-12556]
Port also IANA registered for IPP (Internet Printing Protocol) |
635 |
tcp,udp |
NFS mount |
Members scan |
RPC Remote filesystem access mount service - a very popular attack vector, often scanned for. Most scans on this port are UDP-based, but they are increasingly TCP-based (mountd runs on both ports simultaneously). Note that mountd can run at any port (for which you must first do a portmap lookup at port 111), it's just that Linux defaulted to port 635 in much the same way that NFS universally runs at port 2049.
ADM worm also uses this port (TCP). |
636 |
tcp |
ldaps |
Members scan |
LDAPS - Lightweight Directory Access Protocol over TLS/SSL. See also LDAP port 389/tcp.
VMWare, Siemens Openstage and Gigaset phones, etc.
Novell eDirectory and Netware are vulnerable to a denial of service, caused by the improper allocation of memory by the LDAP_SSL daemon. A remote attacker could exploit this vulnerability to cause a system-wide denial of service over TCP port 636.
References: [XFDB-67468], [EDB-17298]
Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443 |
639 |
tcp,udp |
msdp |
not scanned |
MSDP - Multicast Source Discovery Protocol |
641 |
tcp,udp |
proxy |
not scanned |
SupportSoft Nexus Remote Command (control/listening): A proxy gateway connecting remote control traffic |
646 |
tcp |
ldp |
not scanned |
McAfee ePO uses these ports:
80, 443, 8443, 8444 TCP - HTTP(S) traffic
389, 646 - LDAP, LDAPS
881 TCP - receiving security threat feed
1433 TCP, 1434 UDP - communication with SQL server
8081 TCP - outbound wakeup requests from the McAfee ePO server
8082 UDP - outbound traffic from superagents forwarding server messages
LDP, Label Distribution Protocol, a routing protocol used in MPLS networks (official) |
650 |
tcp |
trojan |
Premium scan |
Assasin
The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) allows remote attackers to easily obtain administrative access via brute-force attacks.
References: [CVE-2021-25309] |
650 |
udp |
games |
not scanned |
Black and White |
653 |
tcp,udp |
proxy |
not scanned |
SupportSoft Nexus Remote Command (data): A proxy gateway connecting remote control traffic |
654 |
tcp |
trojans |
Premium scan |
Official use by AODV (Ad-hoc On-demand Distance Vector)
Port also used by HoaVelu trojan
|
655 |
tcp,udp |
tinc |
not scanned |
Stack-based buffer overflow in the receive_tcppacket function in net_packet.c in tinc before 1.0.21 and 1.1 before 1.1pre7 allows remote authenticated peers to cause a denial of service (crash) or possibly execute arbitrary code via a large TCP packet.
References: [CVE-2013-1428], [EDB-35441], [BID-59369]
IANA registered for: TINC |
660 |
tcp,udp |
mac-srvr-admin |
not scanned |
Mac OS X Server administration
Zaratustra trojan also uses this port (TCP).
Buffer overflow in the GUI admin service in Mac OS X Server 10.3 allows remote attackers to cause a denial of service (crash and restart) via a large amount of data to TCP port 660.
References: [CVE-2004-1832], [BID-9914]
Backdoor.Win32.Zaratustra / Unauthenticated Remote File Write (Remote Code Exec) - Zaratustra malware listens on TCP port 660. Third-party attackers who can reach infected systems can use a socket program to write binary data to execute. The malware writes that data to a file named "x.exe" on the C: drive and executes it once the download completes.
References: [MVID-2021-0315] |
661 |
tcp |
trojan |
Premium scan |
NokNok trojan |
665 |
tcp |
trojans |
Members scan |
W32.Netsky.Z@mm [Symantec-2004-042110-2302-99] (2004.04.21) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 665/tcp to receive and execute a file from an attacker.
Some other trojans also use this port: lpdw0rm, Shadow Phyre, ServU, Satans Back Door - SBD, NokNok, Cain & Abel, Back Construction, BLA trojan, th3r1pp3rz (= Therippers) |
666 |
tcp,udp |
doom |
Members scan |
Doom game (ID Software) uses this port.
Dark and Light [game] uses this port.
Because of the cool connotations, this port is also used by numerous trojan horses/backdoors. Here is a list:
Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, th3r1pp3rz (the rippers), lpdw0rm, Satanz Backdoor.
Backdoor.FTP_Ana.C [Symantec-2003-032708-3955-99] (2003.03.27) - Windows backdoor trojan.
Backdoor.Checkesp [Symantec-2003-060315-1236-99] (2003.06.03) - Windows backdoor trojan, 06.2003.
Backdoor.Private [Symantec-2003-052715-2101-99] (2003.05.27) - Windows backdoor trojan.
W32.Dreffort [Symantec-2005-040514-2341-99] (2005.04.05) - Infects .exe and .scr files, deletes files on Dec. 29th. Also opens a backdoor on the 29th of each month on port 666/tcp.
Backdoor.Microkos [Symantec-2005-081015-0341-99] (2005.08.10) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp.
Backdoor.Beasty [Symantec-2003-011711-1226-99] - a backdoor Trojan horse that allows complete access to an infected computer. By default, the Trojan listens on port 666 and notifies the hacker through ICQ. |
667 |
tcp |
trojans |
Premium scan |
SniperNet remote access trojan, 02.2000. Affects Windows 9x |
668 |
tcp |
trojans |
Premium scan |
Unicorn, th3r1pp3rz |
669 |
tcp |
trojans |
Premium scan |
Trojans that use this port: DP trojan, SniperNet
Port is also IANA assigned for: MeRegister |
674 |
tcp |
ACAP |
Premium scan |
ACAP -- Application Configuration Access Protocol
References: RFC2244, RFC2595, RFC2636 |
680 |
tcp |
trojan |
Premium scan |
RTB 666 |
683 |
udp |
games |
not scanned |
Delta Force |
684 |
tcp,udp |
corba-iiop-ssl |
not scanned |
CORBA IIOP SSL (IANA official) |
689 |
tcp,udp |
nmap |
not scanned |
A vulnerability in the way Novell NetMail handles NMAP "STOR" commands may cause a buffer overflow that may allow remote execution of arbitrary code. Novell NetMail's implementation of the Network Messaging Application Protocol (NMAP) contains a buffer overflow that may occur when processing parameters supplied to the "STOR" command. An attacker must log in to an affected system in order to take advantage of this vulnerability. The vulnerable daemon, nmapd.exe, binds to port 689/tcp.
References: [CVE-2006-6424], [BID-21725]
IANA registered for: NMAP |
692 |
tcp |
trojan |
Premium scan |
GayOL trojan |
694 |
udp |
applications |
not scanned |
XHA (Linux-HA) on the BlueCat Networks Adonis DNS/DHCP Appliance 5.0.2.8 allows remote attackers to cause a denial of service (heartbeat control process crash) via a UDP packet to port 694.
References: [CVE-2007-4205]
Multiple format string vulnerabilities in heartbeat 0.4.9 and earlier (claimed as buffer overflows in some sources) allow remote attackers to execute arbitrary code via certain packets to UDP port 694 (incorrectly claimed as TCP in some sources).
References: [CVE-2002-1215], [BID-5955]
Port is also IANA registered for ha-cluster. |
699 |
tcp |
games |
not scanned |
City of Heroes |
700 |
udp |
buddyphone |
not scanned |
Port used by BuddyPhone Internet Telephony software. Also uses TCP range 5000-5111. |
700 |
tcp |
trojan |
Premium scan |
REx
Extensible Provisioning Protocol (TCP/UDP) (IANA official) [RFC 5734] |
701 |
udp |
applications |
not scanned |
Blubster 2.5 allows remote attackers to cause a denial of service (crash) via a flood of connections to UDP port 701.
References: [CVE-2003-0760], [BID-8482]
Port is also IANA registered for Link Management Protocol (LMP) [RFC 4204] |
702 |
tcp,udp |
iris-beep |
not scanned |
IRIS over BEEP (IANA official) [RFC 3983] |
703 |
tcp,udp |
fortigate |
not scanned |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
|
704 |
tcp,udp |
elcsd |
not scanned |
errlog copy/server daemon (IANA official) |
705 |
tcp |
agentx |
not scanned |
RealNetworks Helix Server is vulnerable to a denial of service, caused by an error in the SNMP Master Agent process (master.exe). By establishing and immediately closing a TCP connection on port 705, a remote attacker could exploit this vulnerability to cause the service to terminate.
References: [XFDB-74674], [BID-52929]
An Exposure of System Data vulnerability in Juniper Networks Junos OS and Junos OS Evolved, where a sensitive system-level resource is not being sufficiently protected, allows a network-based unauthenticated attacker to send specific traffic which partially reaches this resource. A high rate of specific traffic may lead to a partial Denial of Service (DoS) as the CPU utilization of the RE is significantly increased. The SNMP Agent Extensibility (agentx) process should only be listening to TCP port 705 on the internal routing instance. External connections destined to port 705 should not be allowed. This issue affects: Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2; 20.3 versions prior to 20.3R2. Juniper Networks Junos OS Evolved versions prior to 20.3R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 13.2R1.
References: [CVE-2021-0291]
IANA registered for: AgentX |
707 |
tcp,udp |
borland-dsj |
not scanned |
Backdoor.Win32.BO2K.09.b / Unauthenticated Remote Command Execution - backdoor BO2K.09.b listens on TCP ports 707 and 808. Third-party adversaries who can reach the system can execute any command on the infected host using sockets, or get a remote shell using telnet, curl, etc.
References: [MVID-2021-0120]
Borland DSJ (IANA official) |
709 |
tcp,udp |
entrust-kmsh |
not scanned |
Entrust Key Management Service Handler (IANA official) |
Vulnerabilities listed: 100 (some use multiple ports)
|