Port(s) |
Protocol |
Service |
Scan level |
Description |
9119 |
tcp,udp |
mxit |
not scanned |
MXit Instant Messaging (IANA official) |
9120 |
tcp,udp |
applications |
not scanned |
In Flexense Disk Pulse Enterprise v10.1.18, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9120.
References: [CVE-2017-15663], [EDB-43452], [EDB-43589], [XFDB-137273] |
9121 |
tcp |
applications |
not scanned |
A buffer overflow vulnerability in the control protocol of Flexense SyncBreeze Enterprise v10.4.18 allows remote attackers to execute arbitrary code by sending a crafted packet to TCP port 9121.
References: [CVE-2018-6537], [EDB-43936]
In Flexense Sync Breeze Enterprise v10.1.16, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9121.
References: [CVE-2017-15664], [EDB-43453] |
9122 |
tcp |
grcmp |
not scanned |
Global Relay compliant mobile instant messaging protocol [Global_Relay] (IANA official) |
9123 |
tcp |
grcp |
not scanned |
Global Relay compliant instant messaging protocol (IANA official)
In Flexense VX Search Enterprise v10.1.12, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9123.
References: [CVE-2017-15662], [EDB-43451], [XFDB-137295] |
9124 |
tcp,udp |
trojans |
not scanned |
Backdoor.Fox [Symantec-2002-071517-2053-99] (2002.07.15) - gives a hacker full remote access to the comnputer
A buffer overflow vulnerability in the control protocol of Disk Savvy Enterprise v10.4.18 allows remote attackers to execute arbitrary code by sending a crafted packet to TCP port 9124.
References: [CVE-2018-6481], [EDB-44156] |
9125 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.J [Symantec-2005-032410-4542-99] - back door and a keylogger, periodically sending the stolen info via email. Listens on port 9125/tcp for instructions from a remote attacker.
Backdoor.Nibu.N [Symantec-2005-081216-4542-99] - a trojan that blocks access to security-related sites, and opens a backdoor on the compromised computer. It also runs a keylogger, sending information periodically via email. Opens a backdoor and listens for remote commands on ports 9125/tcp, and 27328/tcp.
Backdoor.Nibu.L [Symantec-2005-062110-3427-99] - trojan that opens a backdoor and blocks access to security-related websites and runs a keylogger, periodically sending the information to a remote attacker. Opens a backdoor on port 9125/tcp. |
9148 |
tcp |
trojan |
Premium scan |
Nautical trojan |
9150 |
tcp |
applications |
not scanned |
Tor (The Onion Router) anonymity network - conceals traffic by directing it through a free worldwide volunteer network of thousands of relays. |
9191 |
tcp |
applications |
not scanned |
Heap-based buffer overflow in SW3eng.exe in the eID Engine service in CA (formerly Computer Associates) eTrust Intrusion Detection and earlier allows remote attackers to cause a denial of service (application crash) via a long key length value to the remote administration port (9191/tcp).
References: [CVE-2007-1005], [BID-22743]
Sierra Wireless Airlink uses port 9191/TCP
PaperCut (print management system) uses these ports:
9191/tcp - HTTP
9192/tcp - HTTPS
9193/tcp - RPC (only for embedded copier/MFP solutions)
Sun AppSvr JPDA (old IANA registration)
Catamount Software - PocketMoney Sync (IANA official) |
9192 |
tcp |
papercut |
not scanned |
PaperCut (print management system) uses these ports:
9191/tcp - HTTP
9192/tcp - HTTPS
9193/tcp - RPC (only for embedded copier/MFP solutions) |
9193 |
tcp |
papercut |
not scanned |
PaperCut (print management system) uses these ports:
9191/tcp - HTTP
9192/tcp - HTTPS
9193/tcp - RPC (only for embedded copier/MFP solutions) |
9196 |
tcp |
aws |
not scanned |
Amazon AWS MSK uses these TCP ports:
9092, 9094 - TLS
9096, 9196 - ASL/SCRAM
9098, 9198 - IAM access control |
9198 |
tcp |
aws |
not scanned |
Amazon AWS MSK uses these TCP ports:
9092, 9094 - TLS
9096, 9196 - ASL/SCRAM
9098, 9198 - IAM access control |
9199 |
tcp |
applications |
not scanned |
Avtex LLC - qStats |
9200 |
tcp,udp |
wsp |
not scanned |
Elasticsearch listens on ports 9200 and 9300 TCP
Starlink gRPC uses ports 9200 and 9201 TCP
Some Lexmark printers open port 9200 TCP/UDP
WapServ Lite, WapServ Pro and WapServ Enterprise are vulnerable to a denial of service. By sending specific byte values over port 9200 or port 9201, a remote attacker can cause the gateway to consume large amounts of memory resources, prevent the gateway from starting, or cause the gateway to crash.
References: [BID-8472], [XFDB-13011]
File Replication Pro could allow a remote attacker to execute arbitrary commands on the system, caused by an error in the ExecCommand function. By viewing configuration.xml, an attacker could exploit this vulnerability to send specially-crafted packet to port 9200 to execute arbitrary commands on the system.
References: [XFDB-110638]
WAP Connectionless Wireless Session Protocol (TCP/UDP) [WAP Forum] (IANA official) |
9201 |
tcp,udp |
applications |
not scanned |
Starlink gRPC uses ports 9200 and 9201 TCP
WapServ Lite, WapServ Pro and WapServ Enterprise are vulnerable to a denial of service. By sending specific byte values over port 9200 or port 9201, a remote attacker can cause the gateway to consume large amounts of memory resources, prevent the gateway from starting, or cause the gateway to crash.
References: [BID-8472], [XFDB-13011]
WAP session service [WAP Forum] (IANA official) |
9202 |
tcp,udp |
wap-wsp-s |
not scanned |
WAP secure connectionless session service [WAP Forum] (IANA official) |
9203 |
tcp,udp |
wap-wsp-wtp-s |
not scanned |
WAP secure session service [WAP Forum] (IANA official) |
9204 |
udp |
applications |
not scanned |
HTC Touch Pro and HTC Touch Cruise vCard allows remote attackers to cause denial of service (CPU consumption, SMS consumption, and connectivity loss) via a flood of vCards to UDP port 9204.
References: [CVE-2008-6775]
WAP vCard (TCP/UDP) [WAP Forum] (IANA official) |
9205 |
tcp,udp |
wap-vcal |
not scanned |
WAP vCal [WAP_Forum] (IANA official) |
9206 |
tcp,udp |
wap-vcard-s |
not scanned |
WAP vCard Secure [WAP Forum] (IANA official) |
9207 |
tcp,udp |
wap-vcal-s |
not scanned |
WAP vCal Secure [WAP Forum] (IANA official) |
9217 |
tcp,udp |
fsc-port |
not scanned |
iPass Platform Service (TCP)
IANA registered for: FSC Communication Port |
9221 |
tcp,udp |
applications |
not scanned |
The server in Flexense SysGauge 3.6.18 operating on port 9221 can be exploited remotely with the attacker gaining system-level access because of a Buffer Overflow.
References: [CVE-2018-5359], [EDB-43588]
In Flexense SysGauge Server 3.6.18, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9221.
References: [CVE-2017-15667], [EDB-43403], [XFDB-136840]
Flexense Sync Breeze Enterprise is vulnerable to a denial of service, caused by a flaw in the control protocol. By sending a specially crafted SERVER_GET_INFO packet to control port 9121, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [CVE-2017-15664], [XFDB-137392] |
9222 |
tcp |
debug |
not scanned |
Port often used for remote debugging - Microsoft Edge DevTools Protocol
IANA Registered for: QSC Team Coherence |
9229 |
tcp |
applications |
not scanned |
NodeJS debugging default port (localhost) |
9251 |
tcp,udp |
applications |
not scanned |
QNAP QTS could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw in the transcoding service on port 9251. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
References: [CVE-2017-13067], [XFDB-132062] |
9256 |
udp |
applications |
not scanned |
Achat is vulnerable to a SEH-based stack buffer overflow, caused by improper bounds checking by AChat.exe. By sending a specially-crafted UDP packet to the default port 9256 to overwrite the SEH handler, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [EDB-36056], [XFDB-100845] |
9277 |
udp |
traingpsdata |
not scanned |
GPS Data transmitted from train to ground network [Alstom_Transport_Preston] (IANA official) |
9278 |
tcp,udp |
pegasus |
not scanned |
Pegasus GPS Platform |
9279 |
tcp,udp |
pegasus-ctl |
not scanned |
Pegaus GPS System Control Interface |
9284 |
tcp,udp |
applications |
not scanned |
Netris 0.5, and possibly other versions before 0.52, when running with the -w (wait) option, allows remote attackers to cause a denial of service (crash) via a long string to port 9284.
References: [BID-5680], [CVE-2002-1566], [XFDB-10081]
Port is also IANA registered for VERITAS Information Server |
9286 |
udp |
n2receive |
not scanned |
IANA registered for: n2 monitoring receiver |
9293 |
tcp,udp |
storview |
not scanned |
Sony Playstation RemotePlay (TCP)
StorView Client (IANA official) |
9295 |
tcp,udp |
applications |
not scanned |
Sony PlayStation Remote Play Session creation communication port |
9296 |
udp |
applications |
not scanned |
Sony PlayStation Remote Play |
9300 |
tcp |
vrace |
not scanned |
Elasticsearch listens on ports 9200 and 9300 TCP
IBM Cognos 8 SOAP Business Intelligence and Performance Management
IANA registered for: Virtual Racing Service |
9301 |
tcp |
trojans |
Premium scan |
DLP, LoseLove |
9303 |
udp |
applications |
not scanned |
D-Link Shareport Share storage and MFP printers |
9306 |
tcp |
sphinxql |
not scanned |
Sphinx search server (MySQL listener) |
9309 |
tcp,udp |
applications |
not scanned |
Sony PlayStation Vita Host Collaboration WiFi Data Transfer |
9310 |
tcp |
sapms |
not scanned |
IANA registered for: SAP Message Server |
9312 |
tcp |
sphinxapi |
not scanned |
Sphinx search server |
9319 |
tcp |
applications |
not scanned |
EMC Networker could allow a remote attacker to execute arbitrary code on the system, caused by a format string vulnerability in librpc.dll within the nsrd RPC service. By sending a specially-crafted request containing malicious format string specifiers to TCP port 9319, a remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause the application to crash.
References: [XFDB-78187], [BID-55330] |
9324 |
tcp |
google |
not scanned |
Google Assistant docker containers commonly run a webserver listening for HTTP requests on TCP ports 9324 and 5000. |
9325 |
udp |
trojan |
not scanned |
Mstream trojan
DDOS communication also uses this port |
9329 |
tcp |
trojan |
Premium scan |
DLP trojan |
9329 |
udp |
malware |
not scanned |
Backdoor.Win32.Loselove / Denial of Service - the malware listens on UDP ports 9329, 8329, 8322, 8131 and 8130. Attackers can send a large junk payload to UDP port 8131 causing it to crash.
References: [MVID-2022-0554] |
9332 |
tcp |
applications |
not scanned |
Litecoin JSON-RPC server |
9333 |
tcp |
cryptocurrency |
Premium scan |
Litecoin cryptocurrency uses port 9333.
Common cryptocurrency ports (TCP):
Bitcoin: 8333
Litecoin: 9332,9333
Dash: 9999
Dogecoin: 22556
Ethereum: 30303 |
9339 |
tcp |
games |
not scanned |
Used by all Supercell games such as Brawl Stars and Clash of Clans, mobile freemium strategy video games
IANA registered for: gRPC Network Mgmt/Operations Interface |
9340 |
tcp |
gribi |
not scanned |
gRPC Routing Information Base Interface (IANA official) |
9345 |
tcp |
rancher |
not scanned |
Rancher Agent (IANA official) |
9393 |
tcp,udp |
applications |
not scanned |
TalkSwitch |
9400 |
tcp |
trojan |
Premium scan |
InCommand trojan |
9401 |
tcp |
trojan |
Premium scan |
InCommand trojan |
9402 |
tcp |
trojan |
Premium scan |
InCommand trojan |
9415 |
tcp |
applications |
not scanned |
Port used by PPLive P2P online streaming TV service. PPLive is prone to an open proxy vulnerability because of an insecure default configuration. A remote attacker may exploit this condition in order to launch attacks against local and public services in the context of the site that is hosting the vulnerable script.
References: [BID-47508] |
9418 |
tcp,udp |
git |
not scanned |
git pack transfer service (IANA official) |
9419 |
tcp |
moosefs |
not scanned |
MooseFS distributed file system uses these ports:
9419 -> MooseFS master control port
9420 -> MooseFS master command port
9421 -> MooseFS master client port
9422 -> MooseFS Chunkservers
9425 -> MooseFS CGI server
|
9420 |
tcp |
moosefs |
not scanned |
MooseFS distributed file system uses these ports:
9419 -> MooseFS master control port
9420 -> MooseFS master command port
9421 -> MooseFS master client port
9422 -> MooseFS Chunkservers
9425 -> MooseFS CGI server
|
9421 |
tcp |
moosefs |
not scanned |
MooseFS distributed file system uses these ports:
9419 -> MooseFS master control port
9420 -> MooseFS master command port
9421 -> MooseFS master client port
9422 -> MooseFS Chunkservers
9425 -> MooseFS CGI server
|
9422 |
tcp |
moosefs |
not scanned |
MooseFS distributed file system uses these ports:
9419 -> MooseFS master control port
9420 -> MooseFS master command port
9421 -> MooseFS master client port
9422 -> MooseFS Chunkservers
9425 -> MooseFS CGI server
|
9425 |
tcp |
moosefs |
not scanned |
MooseFS distributed file system uses these ports:
9419 -> MooseFS master control port
9420 -> MooseFS master command port
9421 -> MooseFS master client port
9422 -> MooseFS Chunkservers
9425 -> MooseFS CGI server
|
9427 |
tcp |
applications |
not scanned |
VMWare Blast Extreme
Windows Multi Media (MMR) and USB redirection
Optional for client drive redirection (CDR) and multimedia redirection (MMR). |
9442 |
udp |
games |
not scanned |
Need For Speed |
9443 |
tcp |
tungsten-https |
Premium scan |
Sometimes used as an alternate SSL port.
Dogtag Certificate System authority uses port 9080 (ca) and port 9443 (secure ca) by default.
Dograg Certificate PKI Subsystems may also use:
DRM - ports 10080 (drm) and 10443 (drm secure)
OCSP - ports 11080 (ocsp) and 11443 (ocsp secure)
RA - ports 12888 (ra) and 12889 (ra secure)
TKS - ports 13080 (tks) and 13443 (tks secure)
TPS - ports (tps) 7888 and 7889 (tps secure)
German Health Getwork (aka Gesundheitskarte) "Konnektor" uses ports 8443 and 9443.
VMware HTTPS uses port 9443 (TCP) for accessing and administrating a vCenter Server via the Web Management Interface
Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.0 allows remote attackers to cause a denial of service (CPU consumption and monitoring outage) via malformed TLS messages to TCP port (1) 9043 or (2) 9443, aka Bug ID CSCuc07155.
References: [CVE-2013-1135]
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
References: [CVE-2019-17134]
OpenNMS is accessible via port 9443
References: [CVE-2020-1652]
WSO2 Tungsten HTTPS (IANA official) |
9443 |
udp |
fortiguard |
not scanned |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp. 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - Forticlient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
|
9445 |
tcp |
mindarray-ca |
not scanned |
MindArray Systems Console Agent [MINDARRAY SYSTEMS] (IANA official) |
9495 |
tcp |
applications |
not scanned |
Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, and 4.3.1 has an unspecified "built-in account" that is trivially accessed, which makes it easier for remote attackers to send requests to restricted pages via a session on TCP port 9495.
References: [CVE-2011-2330] |
9512 |
tcp,udp |
applications |
not scanned |
Unified Remote 3.9.0.2463 - Remote Code Execution
References: [EDB-49587] |
9515 |
tcp |
trojans |
Members scan |
W32.Loxbot.A [Symantec-2005-101813-2331-99] (2005.10.17) - a worm with backdoor capabilities. It can spread using AIM, and it can lower security settings on the comromised computer. Also uses a rootkit to hide its process in memory. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 9515/tcp.
Port also used by the W32.Loxbot.B [Symantec-2005-103115-1053-99] variant. |
9522 |
udp |
sma-spw |
not scanned |
SMA Speedwire [SMA Solar Techology] (IANA official) |
9524 |
tcp |
applications |
not scanned |
Lansweeper |
9527 |
tcp |
applications |
not scanned |
An issue was discovered on Wireless IP Camera 360 devices. Remote attackers can discover RTSP credentials by connecting to TCP port 9527 and reading the InsertConnect field.
References: [CVE-2017-11633]
An issue was discovered on Wireless IP Camera 360 devices. Remote attackers can discover a weakly encoded admin password by connecting to TCP port 9527 and reading the password field of the debugging information, e.g., nTBCS19C corresponds to a password of 123456.
References: [CVE-2017-11634] |
9530 |
tcp,udp |
applications |
not scanned |
HoverRace |
9531 |
tcp,udp |
applications |
not scanned |
HoverRace |
9533 |
tcp |
trojans |
Premium scan |
Backdoor.Lyshell [Symantec-2004-022818-3727-99] (2004.02.28) - a backdoor trojan horse that gives an attacker complete access to your computer. By default, the trojan runs as a service and listens on port 9533. |
9535 |
tcp,udp |
mngsuite |
not scanned |
Management Suite Remote Control (IANA official) |
9536 |
tcp |
trojan |
Premium scan |
Lula trojan
Surveillance buffering function (TCP/UDP) (IANA official) |
9555 |
tcp,udp |
applications |
not scanned |
Secure Planet VPN, Trispen@TheOffice, The Orange Box (UDP)
Sometimes used by Cisco NetFlow (usually on port 2055/udp) |
9559 |
tcp |
p4runtime |
not scanned |
IANA registered for: P4Runtime gRPC Service |
9561 |
tcp |
trojan |
Premium scan |
CRatPro trojan |
9563 |
tcp |
trojan |
Premium scan |
CRatPro trojan |
9565 |
udp |
games |
not scanned |
Burnout Paradise (PS3), developer: Criterion Games |
9570 |
udp |
games |
not scanned |
Burnout Paradise (PS3), developer: Criterion Games
FIFA Soccer 2009, NBA 2007 (TCP/UDP) also use this port |
9571 |
tcp |
espn |
not scanned |
ESPN streaming traffic, reaches out to fastcast.espn.com for streaming servers. |
9580 |
tcp |
trojan |
Premium scan |
TheefLE trojan |
9582 |
tcp |
fortiguard |
not scanned |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp. 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - Forticlient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
|
9600 |
udp |
micromuse-ncpw |
not scanned |
IANA registered for MICROMUSE-NCPW
Factory Interface Network Service (FINS), a network protocol used by Omron programmable logic controllers |
9600 |
tcp |
applications |
not scanned |
The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18 lack cryptographic authentication. They utilize the Omron FINS (9600/TCP) protocol for engineering purposes, including downloading projects and control logic to the PLC. This protocol has authentication flaws as reported in FSCT-2022-0057. Control logic is downloaded to PLC volatile memory using the FINS Program Area Read and Program Area Write commands or to non-volatile memory using other commands from where it can be loaded into volatile memory for execution. The logic that is loaded into and executed from the user program area exists in compiled object code form. Upon execution, these object codes are first passed to a dedicated ASIC that determines whether the object code is to be executed by the ASIC or the microprocessor. In the former case, the object code is interpreted by the ASIC whereas in the latter case the object code is passed to the microprocessor for object code interpretation by a ROM interpreter. In the abnormal case where the object code cannot be handled by either, an abnormal condition is triggered and the PLC is halted. The logic that is downloaded to the PLC does not seem to be cryptographically authenticated, thus allowing an attacker to manipulate transmitted object code to the PLC and either execute arbitrary object code commands on the ASIC or on the microprocessor interpreter.
References:[CVE-2022-31207] |
9604 |
tcp |
worm |
Members scan |
W32.Kibuv.Worm [Symantec-2004-051411-1858-99] (2004.05.14) - a worm that exploits the LSASS vulnerability (described in Microsoft Security Bulletin [MS04-011]) and the DCOM RPC vulnerability described in (Microsoft Security Bulletin [MS03-026]). Starts an FTP server on TCP port 9604, also listens on TCP port 420, and attempts to exploit the DCOM RPC vulnerability on TCP port 135. |
9612 |
tcp |
trojans |
Premium scan |
Danton, Ghost |
9616 |
tcp |
erunbook_agent |
not scanned |
eRunbook Agent |
9617 |
tcp |
erunbook_server |
not scanned |
eRunbook Server |
9630 |
tcp |
peoctlr |
not scanned |
Peovica Controller |
9631 |
tcp |
peocoll |
not scanned |
Peovica Collector |
9632 |
udp |
mc-comm |
not scanned |
Mobile-C Communications |
9633 |
tcp |
winconnect |
not scanned |
Infoblox IPAM WinConnect connector port. Also uses port 4443 for Web GUI. |