🌐 Port Encyclopedia — All TCP/UDP Ports Explained

Search any port number. Instant service identification, security risk level, and scanning commands for 2,758 ports.

2,758 Ports | 52 Critical | 139 High Risk | 145 Medium
TCP
1
TCPMUX
TCP port service multiplexer — rarely used, can indicate misconfigured systems
TCP
5
RJE
Remote Job Entry — legacy protocol for submitting jobs to remote computers
TCP/UDP
7
Echo
Echo protocol — reflects data back to sender, used for network testing and diagnostics
TCP/UDP
9
Discard
Discard protocol — silently drops all data received, used for testing and Wake-on-LAN
TCP
11
systat
Active users protocol — can leak system user information to attackers
TCP/UDP
13
Daytime
Daytime protocol — returns current date and time, potential information disclosure
TCP/UDP
17
QOTD
Quote of the Day — returns a text quote, rarely used in modern networks
TCP/UDP
19
Chargen
Character Generator — can be abused for amplification DDoS attacks
TCP
20
FTP-Data
FTP data transfer channel — transmits files in cleartext, credentials can be sniffed
TCP
21
FTP
FTP control channel — authentication in cleartext, anonymous login risks, bounce attacks
TCP
22
SSH
Secure Shell — encrypted remote access, brute force target, key-based auth recommended
TCP
23
Telnet
Telnet — unencrypted remote access, all data including passwords sent in cleartext
TCP
25
SMTP
Simple Mail Transfer Protocol — email relay, open relay abuse, spam vector
TCP
26
RSFTP
RSFTP — alternative SMTP port sometimes used to bypass port 25 filtering
TCP/UDP
37
Time
Time protocol — provides machine-readable time, largely replaced by NTP
TCP/UDP
42
WINS
Windows Internet Name Service — NetBIOS name resolution, legacy Windows networks
TCP
43
WHOIS
WHOIS protocol — domain registration lookup, reconnaissance tool for attackers
TCP/UDP
49
TACACS
TACACS+ — network device authentication, authorization, and accounting
TCP/UDP
53
DNS
Domain Name System — DNS queries and zone transfers, DNS hijacking, cache poisoning
UDP
67
DHCP-Server
DHCP server — dynamic IP assignment, rogue DHCP attacks, DHCP starvation
UDP
68
DHCP-Client
DHCP client — receives IP configuration, DHCP spoofing vulnerability
UDP
69
TFTP
Trivial FTP — no authentication, used for firmware updates, often misconfigured
TCP
70
Gopher
Gopher protocol — precursor to HTTP, rarely used but sometimes found in CTFs
TCP
79
Finger
Finger protocol — reveals user information, username enumeration, privacy risk
TCP
80
HTTP
Hypertext Transfer Protocol — unencrypted web traffic, XSS, SQLi, web app attacks
TCP
81
HTTP-Alt
Alternative HTTP — often used for web admin panels and secondary web services
TCP
82
HTTP-Alt
Alternative HTTP — secondary web service port
TCP
83
HTTP-Alt
Alternative HTTP — third alternative web port
TCP
84
HTTP-Alt
Alternative HTTP — used by some web applications
TCP/UDP
88
Kerberos
Kerberos authentication — Active Directory, ticket-granting, Kerberoasting attacks
TCP
102
ISO-TSAP
ISO Transport Service Access Point — used by Siemens S7 PLCs and SCADA systems
TCP
104
ACR-NEMA
DICOM — medical imaging protocol, patient data exposure if misconfigured
TCP
110
POP3
Post Office Protocol v3 — email retrieval in cleartext, credential theft risk
TCP/UDP
111
RPCbind
RPC portmapper — reveals available RPC services, NFS enumeration starting point
TCP
113
Ident
Identification protocol — reveals username running a process, information leak
TCP
119
NNTP
Network News Transfer Protocol — Usenet, can expose internal network information
UDP
123
NTP
Network Time Protocol — time synchronization, NTP amplification DDoS attacks
TCP
135
MSRPC
Microsoft RPC — Windows service endpoint mapper, lateral movement, remote execution
UDP
137
NetBIOS-NS
NetBIOS Name Service — Windows name resolution, null session enumeration
UDP
138
NetBIOS-DGM
NetBIOS Datagram Service — Windows datagram distribution, browsing
TCP
139
NetBIOS-SSN
NetBIOS Session Service — file sharing, printer sharing, EternalBlue (MS17-010)
TCP
143
IMAP
Internet Message Access Protocol — email access in cleartext, credential interception
UDP
161
SNMP
Simple Network Management Protocol — network device management, community string guessing
UDP
162
SNMP-Trap
SNMP Trap — receives alerts from network devices, information disclosure
TCP
179
BGP
Border Gateway Protocol — internet routing, BGP hijacking, route injection attacks
TCP
194
IRC
Internet Relay Chat — botnet command and control, social engineering vector
TCP
199
SMUX
SNMP Unix Multiplexer — SNMP proxy on Unix systems
TCP
201
AppleTalk
AppleTalk routing — legacy Apple networking protocol
TCP
264
BGMP
Border Gateway Multicast Protocol — multicast routing
TCP
318
TSP
Time Stamp Protocol — network time stamping
TCP
381
HP-Collector
HP data collection — HP OpenView network management
TCP
383
HP-Alarm
HP data alarm manager — HP OpenView alerting
TCP/UDP
389
LDAP
Lightweight Directory Access Protocol — Active Directory queries, LDAP injection
TCP
411
DC-Hub
Direct Connect Hub — P2P file sharing hub
TCP
412
DC-Client
Direct Connect Client-to-Client — P2P transfers
TCP/UDP
427
SLP
Service Location Protocol — service discovery, can leak internal services
TCP
443
HTTPS
HTTP over TLS/SSL — encrypted web traffic, SSL/TLS vulnerabilities, certificate issues
TCP
444
SNPP
Simple Network Paging Protocol — pager notifications
TCP
445
SMB
Server Message Block — Windows file sharing, EternalBlue, WannaCry, PrintNightmare
TCP/UDP
464
Kerberos-Change
Kerberos password change — Active Directory password operations
TCP
465
SMTPS
SMTP over SSL — encrypted email submission, now deprecated in favor of STARTTLS
TCP
497
Retrospect
Retrospect backup — backup software communication
UDP
500
IKE
Internet Key Exchange — IPsec VPN negotiation, IKE aggressive mode attacks
TCP
502
Modbus
Modbus — industrial control protocol, no authentication, SCADA/ICS attacks
TCP
512
rexec
Remote execution — executes commands on remote Unix systems, cleartext auth
TCP
513
rlogin
Remote login — cleartext remote login, trust relationship exploitation
UDP
514
Syslog
Syslog — centralized logging, log injection, log forging attacks
TCP
515
LPD
Line Printer Daemon — network printing, print spooler vulnerabilities
UDP
520
RIP
Routing Information Protocol — dynamic routing, route poisoning attacks
UDP
521
RIPng
RIP next generation — IPv6 routing protocol
TCP
523
IBM-DB2
IBM DB2 — database discovery, SQL injection if exposed
TCP
524
NCP
NetWare Core Protocol — Novell NetWare file services
TCP
530
RPC
Remote Procedure Call — Unix RPC services
TCP
540
UUCP
Unix-to-Unix Copy — legacy file transfer between Unix systems
TCP
543
Klogin
Kerberos authenticated login — Kerberized rlogin
TCP
544
Kshell
Kerberos authenticated shell — Kerberized rsh
TCP
548
AFP
Apple Filing Protocol — macOS file sharing, now largely replaced by SMB
TCP
554
RTSP
Real Time Streaming Protocol — media streaming, IP camera feeds
TCP
563
NNTPS
NNTP over SSL — encrypted Usenet access
TCP
587
SMTP-Submission
Email submission port — authenticated SMTP, STARTTLS encryption
TCP
591
FileMaker
FileMaker — database application protocol
TCP
593
MS-DCOM
Microsoft DCOM — HTTP tunneling for DCOM/RPC, remote execution
UDP
623
IPMI
IPMI/BMC — server out-of-band management, cipher zero vulnerability, hash disclosure
TCP
631
IPP
Internet Printing Protocol — CUPS printing, printer exploitation
TCP
636
LDAPS
LDAP over SSL — encrypted directory queries, certificate validation issues
TCP
646
LDP
Label Distribution Protocol — MPLS label distribution
TCP
666
Doom
Doom multiplayer — also used by some backdoors and malware
TCP
691
MS-Exchange
MS Exchange routing — Microsoft Exchange server communication
TCP
700
EPP
Extensible Provisioning Protocol — domain name registration
TCP/UDP
749
Kerberos-Admin
Kerberos administration — KDC admin interface, password changes
TCP
873
rsync
rsync — file synchronization, unauthenticated access if misconfigured
TCP
902
VMware
VMware ESXi — virtual machine management, vSphere client connection
TCP
993
IMAPS
IMAP over SSL — encrypted email access, safer than plaintext IMAP
TCP
995
POP3S
POP3 over SSL — encrypted email retrieval
TCP
1024
Reserved
First non-privileged port — often dynamically assigned
TCP
1025
NFS-RPC
NFS or IIS RPC — can indicate Windows RPC services
TCP
1080
SOCKS
SOCKS proxy — traffic tunneling, often used by malware for C2 communication
TCP
1099
RMI
Java RMI Registry — Java Remote Method Invocation, deserialization attacks
TCP/UDP
1194
OpenVPN
OpenVPN — open-source VPN tunnel, target for credential brute force
UDP
1200
Steam
Steam Friends — Valve Steam gaming platform communication
TCP
1214
Kazaa
Kazaa P2P — legacy peer-to-peer file sharing
TCP
1241
Nessus
Nessus vulnerability scanner — security scanning daemon
TCP
1270
SCOM
Microsoft SCOM — System Center Operations Manager agent
TCP
1311
Dell-OME
Dell OpenManage — server management console, default credentials risk
TCP
1337
WASTE
WASTE encrypted chat — also commonly used for backdoors (leet speak)
TCP
1433
MSSQL
Microsoft SQL Server — database access, SQL injection, xp_cmdshell RCE
UDP
1434
MSSQL-UDP
MS SQL Server Browser — instance discovery, SQL Slammer worm target
TCP
1494
Citrix-ICA
Citrix ICA — virtual desktop protocol, session hijacking risks
TCP
1500
RDP-Alt
Alternative RDP — sometimes used instead of 3389 for security through obscurity
TCP
1521
Oracle
Oracle Database listener — TNS listener, SQL injection, listener poisoning
TCP
1723
PPTP
Point-to-Point Tunneling Protocol — legacy VPN, broken encryption, MS-CHAPv2 weakness
TCP
1741
CiscoWorks
CiscoWorks — Cisco network management platform
UDP
1812
RADIUS
RADIUS authentication — network access control, shared secret attacks
UDP
1813
RADIUS-Acct
RADIUS accounting — tracks user session data for billing and auditing
TCP
1883
MQTT
MQTT — IoT messaging protocol, often unauthenticated, smart home device control
UDP
1900
SSDP
Simple Service Discovery Protocol — UPnP discovery, amplification DDoS attacks
TCP
1911
Niagara-Fox
Tridium Niagara Fox — building automation systems, ICS/SCADA
TCP
1935
RTMP
Real-Time Messaging Protocol — Adobe Flash streaming, live video
TCP
1947
SentinelLM
Sentinel license manager — software license server
TCP
2000
Cisco-SCCP
Cisco Skinny Call Control Protocol — IP phone signaling
TCP/UDP
2049
NFS
Network File System — Unix file sharing, no-root-squash exploitation, data theft
TCP
2082
cPanel
cPanel — web hosting control panel, credential brute force target
TCP
2083
cPanel-SSL
cPanel over SSL — encrypted hosting management
TCP
2086
WHM
Web Host Manager — server management for hosting providers
TCP
2087
WHM-SSL
WHM over SSL — encrypted server management
TCP
2100
Oracle-XDB
Oracle XML DB — Oracle database HTTP interface
TCP
2181
ZooKeeper
Apache ZooKeeper — distributed coordination, unauthenticated access common
TCP
2222
SSH-Alt
Alternative SSH — commonly used to hide SSH from default port scanners
TCP
2323
Telnet-Alt
Alternative Telnet — IoT devices often use this for management
TCP
2375
Docker
Docker daemon — unauthenticated container management, full host compromise
TCP
2376
Docker-TLS
Docker daemon TLS — encrypted container management
TCP
2379
etcd
etcd client — Kubernetes key-value store, cluster secrets exposure
TCP
2380
etcd-Peer
etcd peer — cluster node communication
TCP
2483
Oracle-TLS
Oracle database over TLS — encrypted database connections
TCP
2484
Oracle-TLS-Alt
Oracle database TLS alternative — secondary encrypted Oracle port
TCP
2525
SMTP-Alt
Alternative SMTP — used when port 25 is blocked by ISPs
TCP
2598
Citrix-CGP
Citrix CGP — session reliability protocol
TCP
2601
Zebra
Zebra routing — Quagga/FRR routing daemon CLI
TCP
2604
Zebra-OSPF
OSPF daemon — Open Shortest Path First routing
TCP
2638
Sybase
SAP Sybase — database server connections
TCP
2701
SMS-RCINFO
Microsoft SMS — remote control agent
TCP
2869
UPnP
Universal Plug and Play — device discovery, SSRF, remote code execution
TCP
2947
GPS
gpsd — GPS daemon, location data sharing
TCP
2967
Symantec-AV
Symantec AntiVirus — endpoint protection management
TCP
3000
Grafana
Grafana/Node.js — dashboard default port, dev servers often exposed
TCP
3001
Node-Alt
Node.js alternative — development server commonly on this port
TCP
3050
Firebird
Firebird database — SQL database server, injection risks
TCP
3128
Squid
Squid proxy — web caching proxy, open proxy abuse, SSRF
TCP
3268
LDAP-GC
LDAP Global Catalog — Active Directory forest-wide queries
TCP
3269
LDAPS-GC
LDAP Global Catalog SSL — encrypted forest-wide AD queries
TCP
3283
Apple-Remote
Apple Remote Desktop — macOS remote management
TCP
3306
MySQL
MySQL/MariaDB — database access, SQL injection, UDF exploitation, data theft
TCP
3307
MySQL-Alt
Alternative MySQL — secondary MySQL instance
TCP
3333
DEC-Notes
DEC Notes — also common for development servers
TCP
3389
RDP
Remote Desktop Protocol — Windows remote access, BlueKeep, brute force, NLA bypass
TCP/UDP
3478
STUN
STUN — NAT traversal for VoIP and WebRTC
TCP
3500
PBSPro
PBS Professional — job scheduler for HPC clusters
TCP
3541
PBSPro-Sched
PBS Professional scheduler
TCP
3542
PBSPro-MoM
PBS Professional MoM — node management
TCP
3632
distcc
Distributed C compiler — remote code execution if exposed
TCP
3690
SVN
Subversion — version control, source code exposure
TCP
3780
Nexpose
Rapid7 Nexpose — vulnerability management console
TCP
3784
BFD
Bidirectional Forwarding Detection — fast failure detection
TCP
3790
Metasploit
Metasploit Framework — penetration testing web interface
TCP
3868
Diameter
Diameter protocol — successor to RADIUS for network authentication
TCP
4000
ICQ
ICQ instant messaging — legacy chat protocol
TCP
4022
DNSSEC
DNSSEC — DNS Security Extensions debugging
TCP
4040
Spark
Apache Spark — data processing web UI
TCP
4063
Ice
ZeroC ICE — Internet Communications Engine
TCP
4200
Angular
Angular CLI — development server default port
TCP
4369
EPMD
Erlang Port Mapper — Erlang/RabbitMQ node discovery, RCE potential
TCP
4443
HTTPS-Alt
Alternative HTTPS — secondary secure web services
TCP
4444
Metasploit
Metasploit default handler — extremely common for reverse shells and payloads
UDP
4500
IPsec-NAT
IPsec NAT traversal — VPN through NAT
TCP
4505
SaltStack
SaltStack Master — configuration management, CVE-2020-11651 RCE
TCP
4506
SaltStack-Ret
SaltStack Master return — results from managed nodes
TCP
4567
Sinatra
Sinatra/Tram — Ruby web framework default port
TCP
4662
eMule
eMule P2P — peer-to-peer file sharing
UDP
4672
eMule-UDP
eMule P2P UDP — peer-to-peer serverless search
TCP
4730
Gearman
Gearman — distributed job processing framework
TCP
4786
Cisco-Smart
Cisco Smart Install — remote code execution, device takeover (CVE-2018-0171)
TCP
4848
GlassFish
GlassFish admin — Java application server management
TCP
4899
Radmin
Radmin — remote desktop software, brute force target
TCP
5000
UPnP
UPnP/Docker/Flask — varies: Docker Registry, Flask dev, Synology DSM
TCP
5001
Synology
Synology NAS — NAS management interface
UDP
5004
RTP
Real-time Transport Protocol — audio/video streaming
UDP
5005
RTP-Alt
RTP alternative — media streaming
TCP
5006
WSAS
WSAS — Workstation Solutions Agent Service
TCP
5007
WSAS-Alt
WSAS alternative port
TCP
5008
Synaptics
Synaptics — touchpad driver communication
TCP
5009
Airport-Admin
Apple Airport — wireless router administration
TCP
5010
Telelpathstart
Telepath — legacy communication
TCP
5040
DCutil
DCutil — display controller utility
TCP
5050
Yahoo-IM
Yahoo Messenger — legacy instant messaging
TCP/UDP
5060
SIP
Session Initiation Protocol — VoIP signaling, toll fraud, eavesdropping
TCP
5061
SIP-TLS
SIP over TLS — encrypted VoIP signaling
TCP
5100
SOCALIA
Socalia — service port
TCP
5190
AIM
AOL Instant Messenger — legacy chat protocol
TCP
5222
XMPP
XMPP client — Jabber instant messaging, ejabberd, Prosody
TCP
5223
XMPP-SSL
XMPP over SSL — encrypted instant messaging
TCP
5269
XMPP-Server
XMPP server-to-server — federated messaging between domains
UDP
5353
mDNS
Multicast DNS — Bonjour/Avahi local service discovery, reconnaissance
TCP
5357
WSDAPI
Web Services for Devices — Windows network discovery, information leak
TCP
5432
PostgreSQL
PostgreSQL — relational database, SQL injection, privilege escalation
TCP
5500
VNC-HTTP
VNC HTTP — web-based VNC access
TCP
5555
ADB
Android Debug Bridge — full device control, malware installation, data theft
TCP
5601
Kibana
Kibana — Elasticsearch dashboard, CVE-2019-7609 prototype pollution RCE
TCP
5631
pcAnywhere
pcAnywhere — Symantec remote access, known vulnerabilities
UDP
5632
pcAnywhere-Data
pcAnywhere data channel
TCP
5672
AMQP
AMQP — RabbitMQ advanced message queuing, unauthenticated access risk
UDP
5683
CoAP
Constrained Application Protocol — IoT device communication, no auth common
TCP
5800
VNC-Web
VNC Java web client — browser-based remote desktop access
TCP
5900
VNC
VNC Remote Desktop — screen sharing, weak auth, no encryption by default
TCP
5901
VNC-1
VNC display 1 — additional VNC virtual display
TCP
5938
TeamViewer
TeamViewer — remote support, scam target, credential reuse attacks
TCP
5984
CouchDB
CouchDB — NoSQL database HTTP API, unauthenticated admin access
TCP
5985
WinRM-HTTP
WinRM HTTP — Windows remote management, PowerShell remoting, lateral movement
TCP
5986
WinRM-HTTPS
WinRM HTTPS — encrypted Windows remote management
TCP
6000
X11
X Window System — Unix GUI forwarding, screen capture, keystroke logging
TCP
6001
X11-1
X11 display 1 — additional X Window display
TCP
6060
X11-Proxy
X11 proxy — X Window forwarding proxy
TCP
6379
Redis
Redis — in-memory data store, unauthenticated by default, RCE via SLAVEOF
TCP
6443
Kubernetes
Kubernetes API server — cluster management, RBAC bypass, secret access
TCP
6514
Syslog-TLS
Syslog over TLS — encrypted centralized logging
TCP
6660
IRC-Alt
Alternative IRC — IRC on non-standard port
TCP
6661
IRC
IRC — Internet Relay Chat server
TCP
6662
IRC
IRC — additional IRC port
TCP
6663
IRC
IRC — additional IRC port
TCP
6664
IRC
IRC — additional IRC port
TCP
6665
IRC
IRC — additional IRC port
TCP
6666
IRC
IRC — common IRC port, also used by some backdoors
TCP
6667
IRC
IRC — default IRC port, botnet C2 communication
TCP
6668
IRC
IRC — additional IRC port
TCP
6669
IRC
IRC — additional IRC port
TCP
6697
IRC-TLS
IRC over TLS — encrypted IRC communication
TCP
6881
BitTorrent
BitTorrent — peer-to-peer file sharing
TCP
6969
BitTorrent-Tracker
BitTorrent tracker — torrent peer coordination
TCP
7000
Cassandra
Apache Cassandra — inter-node communication, NoSQL cluster
TCP
7001
WebLogic
Oracle WebLogic — Java app server admin, deserialization RCE (CVE-2017-10271)
TCP
7002
WebLogic-SSL
WebLogic SSL — encrypted admin interface
TCP
7070
RealServer
RealServer — RTSP alternate for streaming media
TCP
7071
Zimbra
Zimbra admin — email suite administration panel
TCP
7078
Zimbra-LMTP
Zimbra LMTP — local mail delivery
TCP
7443
Oracle-AS
Oracle Application Server — HTTPS administration
TCP
7474
Neo4j
Neo4j Browser — graph database web interface
TCP
7547
CWMP
CPE WAN Management Protocol (TR-069) — ISP device management, mass router exploitation
TCP
7548
CWMP-TLS
TR-069 over TLS — encrypted ISP device management
TCP
7777
cBrowser
cBrowser/iChat — development server or game server
TCP
7778
Interwise
Interwise — web conferencing platform
TCP
8000
HTTP-Alt
Alternative HTTP — Django dev server, various web apps
TCP
8001
HTTP-Alt
Alternative HTTP — secondary development web server
TCP
8008
HTTP-Alt
Alternative HTTP — often used for web proxies or APIs
TCP
8009
AJP
Apache JServ Protocol — Tomcat AJP connector, GhostCat (CVE-2020-1938)
TCP
8010
HTTP-Alt
Alternative HTTP — web application port
TCP
8042
YARN
Hadoop YARN NodeManager — big data cluster web UI
TCP
8060
Roku
Roku External Control — smart TV control API
TCP
8069
Odoo
Odoo ERP — business application web interface
TCP
8080
HTTP-Proxy
HTTP proxy/alternative — Tomcat, Jenkins, Burp Suite, web app default
TCP
8081
HTTP-Alt
Alternative HTTP — secondary web service, management panels
TCP
8082
HTTP-Alt
Alternative HTTP — another web service port
TCP
8083
HTTP-Alt
Alternative HTTP — web application port
TCP
8088
Radan
Radan HTTP — also used by Hadoop YARN ResourceManager
TCP
8090
Confluence
Atlassian Confluence — wiki/knowledge base, OGNL injection targets
TCP
8091
Couchbase
Couchbase Web Console — NoSQL database administration
TCP
8096
Jellyfin
Jellyfin — open-source media server
TCP
8111
TeamCity
JetBrains TeamCity — CI/CD server, authentication bypass CVEs
TCP
8112
Deluge
Deluge Web UI — BitTorrent client web interface
TCP
8123
Home-Assistant
Home Assistant — smart home automation dashboard
TCP
8139
Puppet
Puppet agent — configuration management, command execution
TCP
8140
Puppet-Master
Puppet master — configuration management server
TCP
8161
ActiveMQ
Apache ActiveMQ Web Console — message broker admin, deserialization RCE
TCP
8180
Tomcat-Alt
Alternative Tomcat — secondary Apache Tomcat instance
TCP
8200
Vault
HashiCorp Vault — secrets management, token theft = full compromise
TCP
8222
VMware-VCSA
VMware VCSA — vCenter Server Appliance management
TCP
8291
MikroTik
MikroTik Winbox — router management, Winbox exploitation (CVE-2018-14847)
TCP
8333
Bitcoin
Bitcoin — cryptocurrency node peer communication
TCP
8334
Bitcoin-Alt
Bitcoin JSON-RPC — alternative Bitcoin API
TCP
8383
HTTP-Alt
Alternative HTTP — web application port
TCP
8443
HTTPS-Alt
Alternative HTTPS — common for admin panels, APIs, VMware
TCP
8444
HTTPS-Alt
Alternative HTTPS — secondary encrypted web service
TCP
8500
Consul
HashiCorp Consul — service discovery, key-value store
TCP
8545
Ethereum
Ethereum JSON-RPC — blockchain node API, wallet theft if exposed
TCP
8600
Consul-DNS
Consul DNS interface — service discovery via DNS
TCP
8686
JMX
Java Management Extensions — remote Java monitoring, deserialization attacks
TCP
8765
Ultrasurf
Ultrasurf — proxy/VPN tool for censorship circumvention
TCP
8834
Nessus
Nessus Web UI — Tenable vulnerability scanner interface
TCP
8880
CDP
Alternate HTTP — WebSphere, alternative web services
TCP
8888
HTTP-Alt
Alternative HTTP — Jupyter Notebook, various dev tools
TCP
8983
Solr
Apache Solr — search platform, SSRF, RCE via Velocity template injection
TCP
9000
Portainer
Portainer/SonarQube/PHP-FPM — container management or code quality
TCP
9001
Tor-Control
Tor control — Tor anonymity network management
TCP
9002
PHP-FPM-Alt
Alternative PHP-FPM — FastCGI Process Manager
TCP
9042
Cassandra-CQL
Cassandra CQL — native query protocol for Apache Cassandra
TCP
9043
WebSphere
IBM WebSphere admin — application server management
TCP
9060
WebSphere-Alt
WebSphere admin console — alternative admin port
TCP
9080
WebSphere-HTTP
WebSphere HTTP — application server web transport
TCP
9090
Prometheus
Prometheus/Cockpit/WebSM — monitoring or web system manager
TCP
9091
Transmission
Transmission Web UI — BitTorrent client web interface
TCP
9100
JetDirect
HP JetDirect — network printing, PRET exploitation, PJL injection
TCP
9160
Cassandra-Thrift
Cassandra Thrift — legacy Cassandra protocol
TCP
9200
Elasticsearch
Elasticsearch — search engine REST API, data exposure, RCE
TCP
9201
Elasticsearch-Alt
Elasticsearch alternative — secondary REST endpoint
TCP
9300
Elasticsearch-TCP
Elasticsearch transport — inter-node cluster communication
TCP
9418
Git
Git protocol — unencrypted Git repository access
TCP
9443
HTTPS-Alt
Alternative HTTPS — various web administration panels
TCP
9500
ISPmanager
ISPmanager — web hosting control panel
TCP
9530
IBM-WASD
IBM HTTP Server admin — web server management
TCP
9595
PingFederate
PingFederate — SSO and identity federation
TCP
9600
Logstash
Logstash — log processing pipeline API
TCP
9669
Session-Border
Session border controller — VoIP security gateway
TCP
9876
Miner
Crypto miner — often used by unauthorized cryptocurrency miners
TCP
9943
Jenkins-HTTPS
Jenkins HTTPS — CI/CD server encrypted access
TCP
9944
Jenkins-Alt
Jenkins alternative — secondary Jenkins port
TCP
9998
Distinct-Alt
Distinct — various web services
TCP
9999
Urchin
Urchin/Telnet — analytics or alternative admin port
TCP
10000
Webmin
Webmin — Unix system administration panel, RCE vulnerabilities
TCP
10001
SCP-Config
SCP config — Ubiquiti device discovery
TCP
10050
Zabbix-Agent
Zabbix agent — monitoring agent, command execution if misconfigured
TCP
10051
Zabbix-Server
Zabbix server — monitoring server, SQL injection history
TCP
10250
Kubelet
Kubelet API — Kubernetes node agent, unauthenticated command execution
TCP
10255
Kubelet-RO
Kubelet read-only — pod information disclosure
TCP
10443
HTTPS-Alt
Alternative HTTPS — various management interfaces
TCP/UDP
11211
Memcached
Memcached — in-memory cache, amplification DDoS, data exposure
TCP
11214
Memcached-Alt
Memcached alternative — secondary cache port
TCP
11215
Memcached-Alt
Memcached alternative — tertiary cache port
TCP
11443
HTTPS-Alt
Alternative HTTPS — web management interface
TCP
12345
NetBus
NetBus trojan — classic backdoor port, also used by some apps
TCP
13000
Asterisk
Asterisk — open source PBX/VoIP
TCP
13306
MySQL-Alt
Alternative MySQL — non-standard MySQL instance
TCP
13337
PowerShell
Custom backdoor — commonly used by pentesters and malware
TCP
14147
Filezilla
FileZilla Server admin — FTP server management
TCP
15672
RabbitMQ
RabbitMQ management — message broker web UI, default credentials
TCP
16010
HBase
HBase Master — Hadoop database web UI
TCP
16992
Intel-AMT
Intel AMT — Active Management Technology, CVE-2017-5689 auth bypass
TCP
16993
Intel-AMT-TLS
Intel AMT over TLS — encrypted out-of-band management
TCP
17000
Cassandra-Alt
Cassandra — alternative port for NoSQL database
TCP
17778
Bitvise
Bitvise SSH Server — Windows SSH implementation
TCP
18080
HTTP-Alt
Alternative HTTP — various web applications
TCP
19150
GKrellM
GKrellM — system monitoring daemon
TCP
20000
DNP3
Distributed Network Protocol — SCADA/ICS, power grid, water systems
TCP
20547
ProFTPD
ProFTPD — FTP server alternative port
TCP
21025
Starbound
Starbound — multiplayer game server
TCP
22222
SSH-Alt
Alternative SSH — non-standard SSH port for obscurity
TCP
23023
Telnet-Alt
Alternative Telnet — IoT management interface
TCP
25565
Minecraft
Minecraft server — game server, Log4Shell target (CVE-2021-44228)
TCP
25575
Minecraft-RCON
Minecraft RCON — remote console, server administration
UDP
27015
Steam-Game
Steam game server — Source engine multiplayer
TCP
27017
MongoDB
MongoDB — NoSQL database, unauthenticated access epidemic, data ransom
TCP
27018
MongoDB-Shard
MongoDB shard server — sharded cluster communication
TCP
27019
MongoDB-Config
MongoDB config server — cluster metadata
TCP
28015
RethinkDB
RethinkDB — real-time database, web admin interface
TCP
28017
MongoDB-Web
MongoDB HTTP interface — web-based database status (deprecated)
TCP
29418
Gerrit
Gerrit code review — SSH-based Git repository management
TCP
30718
Lantronix
Lantronix — serial device server, firmware extraction
TCP
31337
Back-Orifice
Back Orifice — classic remote access trojan, elite (31337/ELEET) port
TCP
32400
Plex
Plex Media Server — personal media streaming
TCP
32764
Router-Backdoor
Router backdoor — Linksys/Netgear/Cisco backdoor found in firmware
TCP
33060
MySQL-X
MySQL X Protocol — document store and CRUD operations
TCP
33389
RDP-Alt
Alternative RDP — non-standard Remote Desktop port
TCP
33848
Jenkins-JNLP
Jenkins JNLP agent — Java Web Start slave connections
TCP
35871
SMB-Alt
Alternative SMB — non-standard SMB port
TCP
37777
Dahua
Dahua DVR/NVR — surveillance camera management, default credentials
TCP
40000
SafeNet
SafeNet Sentinel — hardware security module
TCP
41794
Crestron
Crestron — AV control systems, building automation
TCP
43594
RuneScape
RuneScape — online game server
TCP
44818
EtherNet-IP
EtherNet/IP — industrial automation protocol, PLC communication
TCP
47001
WinRM-Alt
WinRM alternative — Windows remote management on non-standard port
UDP
47808
BACnet
BACnet — building automation and control, HVAC systems
TCP
49152
Dynamic
First dynamic/private port — ephemeral port range start

How the Port Encyclopedia is organised

The encyclopedia indexes all standard TCP and UDP ports (1-65535) with a focus on the ones that actually matter for security — service name, protocol (TCP/UDP/both), category (web, database, remote access, email, file sharing, etc.), risk classification (Critical / High / Medium / Low), and common attack patterns. The grid above shows ports with detailed annotations; generic filler ports without notable security context are omitted from the visible grid but are searchable via the lookup field.

Risk classification methodology. Risk reflects how often the port appears in real attack scenarios and how severe the impact of compromise is. Critical (RDP/3389, SMB/445, exposed databases): historically wormable, frequent severe vulnerabilities, high-value access if compromised. High (SSH/22, MS-SQL/1433, MongoDB/27017): significant attack surface, common credential brute force, often misconfigured. Medium (FTP/21, Telnet/23): bad security practices baked in but lower base rate of exploitation today. Low (HTTPS/443 properly configured, IMAP/993): hardened modern services on this port. Risk is contextual — a properly-configured service on any port is lower risk than an unpatched legacy version of the same service.

Search and filter. Type a port number in the search box for instant lookup against the encyclopedia. Use the category filter chips to narrow by service type (databases, web, remote access). The 30 chips at the top show the most-searched ports for fast access. Each port card links through to /ports/N/ for the full per-port detail page with attack scenarios, hardening guidance, and historical CVE patterns.

Coverage and what is NOT included. The encyclopedia covers IANA-registered services and historically-significant ports (including legacy protocols like Telnet that should not be running anywhere in 2026 but still appear on legacy systems). It does not include the ephemeral port range (49152-65535 dynamic client connections) since those ports are not service-specific. It does not cover application-layer protocols on top of HTTP (REST APIs, gRPC, GraphQL) because those run over HTTPS/443 and are not port-distinguishable. For application-protocol identification, you need DPI tools, not port lookup.

Five real-world use cases

Penetration test reconnaissance

After running an initial port scan against a target with the Port Scanner or nmap, look up each open port in the encyclopedia. The risk classification tells you which to investigate first; the common-attacks notes give you the starting point for testing each service. Cuts hours off recon by surfacing the highest-impact attack surfaces immediately.

Vendor security questionnaire — what services do they expose

When evaluating a SaaS vendor or assessing third-party risk, run nmap (or use Shodan / Censys) against their public IPs and look up the open ports here. A vendor exposing database ports directly to the internet is signalling something serious about their security maturity. The encyclopedia's risk classifications help you triage findings into critical-conversation-needed vs acceptable-risk categories.

Educator / trainer reference for network security courses

For teaching network security concepts, the encyclopedia provides ready-made examples for each port — what runs on it, what attacks target it, why it matters. Useful for building out lesson plans without re-researching every protocol from scratch. The Critical/High categorised ports in particular come with attack-pattern annotations that make for concrete classroom examples.

Incident response — identifying what was probably attacked

During an incident, you have logs showing connections to specific ports on internal systems. Look up unfamiliar ports here to quickly identify what service was likely the target — is this normal application traffic or something investigation-worthy? Speeds up the triage step where you decide which alerts deserve deep-dive investigation vs noise.

Hardening checklist — what to firewall-block by default

Build your default firewall block-list from the Critical and High categories. Database ports, RDP, SMB, anything in the High category exposed to public internet — block by default, allow only with explicit business justification. The encyclopedia gives you the principled list to start from rather than reactive blocking after each incident.

Common mistakes & edge cases

Treating "non-standard port" as security

Moving SSH from 22 to 22222 reduces opportunistic scanner traffic but does not stop targeted attacks — modern scanners check all ports anyway. Port change is operational hygiene (cleaner logs), not security. For real SSH security, use key auth, disable password auth, restrict source IPs.

Assuming port-only filtering blocks the application

Blocking port 80 does not block a service that also listens on 8080, 8000, or 443. Real port-blocking requires comprehensive firewall rules covering all the ports a service might use, not just the canonical one. Check what is actually listening (ss/netstat on Linux) before assuming a block is comprehensive.
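
One way to run that check, as an added example rather than code from this page: the Python below parses `ss -H -tuln` output (TCP and UDP) and lists every listener that is reachable from other hosts and not covered by a block rule. The sample output and the block-list are constructed for illustration.

```python
# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511                *:8080             *:*
tcp   LISTEN 0      128             [::]:443           [::]:*
tcp   LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
"""


def is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")


def parse_listeners(ss_output):
    """Return (proto, address, port) for every listening TCP/UDP socket."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Column 5 is Local Address:Port. Split on the last colon so IPv6
        # literals such as [::]:443 keep their address part intact.
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        addr = addr.split("%")[0].strip("[]")  # drop %iface scope, brackets
        listeners.append((fields[0], addr, int(port)))
    return listeners


def uncovered_listeners(ss_output, blocked):
    """Off-host-reachable listeners that no (proto, port) block rule covers."""
    exposed = set()
    for proto, addr, port in parse_listeners(ss_output):
        if is_loopback(addr):
            continue  # bound to loopback only, not reachable from other hosts
        if (proto, port) not in blocked:
            exposed.add((proto, port, addr))
    return sorted(exposed)


if __name__ == "__main__":
    # Hypothetical policy: only the canonical web port was blocked.
    for proto, port, addr in uncovered_listeners(SAMPLE_SS, {("tcp", 80)}):
        print(f"{proto}/{port} on {addr}: listening, no block rule")
```

With only tcp/80 blocked, the sample host still exposes tcp/22, tcp/443, tcp/8080 and udp/161; the PostgreSQL and DNS stub listeners are skipped because they bind to loopback.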

Ignoring UDP because TCP scans look clean

Most port scans default to TCP. UDP services (DNS/53, DHCP/67, NTP/123, SNMP/161) get missed. UDP-based attacks (DNS amplification, NTP amplification) historically produced massive DDoS campaigns. Always scan both TCP and UDP for security assessments; do not assume "no TCP findings" means "secure".

Confusing port being "open" with service being vulnerable

Open port = service is reachable. Whether the service is vulnerable depends on the service version, configuration, authentication, and known CVEs. The encyclopedia tells you which ports are high-risk attack surfaces; vulnerability scanning (Nessus, OpenVAS) tells you whether the specific instance is currently vulnerable.

Trusting "well-known port = legitimate service"

Anyone can run any service on any port. A service responding on port 443 might not be HTTPS — could be a custom protocol, malware C2, or anything else. Banner-grabbing and protocol detection (nmap -sV) tells you what is actually running, not what should be running based on port assignment.

Default-deny policies that forget about ephemeral ports

Strict firewall policies that block "all ports above 1024" break outbound connections because client connections use ephemeral ports (49152-65535) for return traffic. Stateful firewalls handle this automatically; pure stateless allow-list policies need explicit ephemeral-range rules. Test connectivity after policy changes to catch this.
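
A simplified packet-filter model of this failure, added here as an example and not taken from a real firewall: it compares a strict stateless allow-list, the same list with an explicit ephemeral-range rule, and connection tracking. The service ports, addresses and packets are constructed.

```python
EPHEMERAL = range(49152, 65536)  # dynamic range as given in the text above


def stateless_strict(pkt):
    """Allow-list only: inbound is accepted solely to service ports."""
    return pkt["dir"] == "out" or pkt["dport"] in {22, 443}


def stateless_with_ephemeral(pkt):
    """Same allow-list plus an explicit rule for the ephemeral range."""
    return stateless_strict(pkt) or pkt["dport"] in EPHEMERAL


class StatefulFilter:
    """Accepts inbound to service ports or as a reply to a tracked flow."""

    def __init__(self):
        self.flows = set()

    def accept(self, pkt):
        if pkt["dir"] == "out":
            # Remember the flow so the mirrored reply can be matched.
            self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return True
        reply_of = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return pkt["dport"] in {22, 443} or reply_of in self.flows


def packet(direction, src, sport, dst, dport):
    return {"dir": direction, "src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed traffic (documentation addresses): a local client opens HTTPS,
# the server replies, then an unrelated host sends to the same local port.
SYN = packet("out", "192.0.2.10", 51514, "203.0.113.5", 443)
REPLY = packet("in", "203.0.113.5", 443, "192.0.2.10", 51514)
UNSOLICITED = packet("in", "198.51.100.7", 40000, "192.0.2.10", 51514)


def evaluate():
    """Return {policy: (reply accepted, unsolicited accepted)}."""
    fw = StatefulFilter()
    fw.accept(SYN)
    return {
        "stateless_strict": (stateless_strict(REPLY), stateless_strict(UNSOLICITED)),
        "stateless_with_ephemeral": (stateless_with_ephemeral(REPLY),
                                     stateless_with_ephemeral(UNSOLICITED)),
        "stateful": (fw.accept(REPLY), fw.accept(UNSOLICITED)),
    }
```

The explicit ephemeral-range rule restores the return traffic but also admits the unsolicited packet, which is why connection tracking is the tighter fix.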

Frequently Asked Questions

Ports are numbered endpoints (1-65535) that services listen on for network connections. Web servers listen on port 80 (HTTP) and 443 (HTTPS); SSH on 22; databases on various ports (MySQL 3306, PostgreSQL 5432). Each open port on a system is a potential attack surface — if the service listening is vulnerable or misconfigured, attackers reach it through that port. Port enumeration (figuring out which ports are open and what runs on them) is the first phase of almost every penetration test. Knowing which ports correspond to which services tells you what attack surface a target exposes.
Risk classification reflects how often each port appears in real attack scenarios and how severe the impact of compromise is. Critical: ports for services with frequent severe vulnerabilities and high-value access (RDP/3389, SMB/445, database ports exposed to internet). High: ports for services with significant attack surface (SSH/22 for credential brute force, MS-SQL/1433, MongoDB/27017 unauthenticated by default). Medium: ports with notable but more bounded risk (FTP/21, Telnet/23 — bad security practices but lower base rate of exploitation). Low: well-hardened modern services on this port (HTTPS/443 properly configured, IMAP/993). Risk is contextual — port 80 (HTTP) on a properly-configured site is low risk; the same port on an unpatched legacy app is critical.
TCP (Transmission Control Protocol) is connection-oriented — establishes a session, guarantees delivery, used for most application protocols (HTTP, HTTPS, SSH, SMTP). UDP (User Datagram Protocol) is connectionless — fire-and-forget, no guarantee, used for time-sensitive services (DNS, DHCP, NTP, gaming). Port 53 is famously both: DNS uses UDP for normal queries and TCP for large responses. When scanning, you often scan TCP and UDP separately because the protocols behave differently and many attackers focus on TCP scanning since it is faster and more reliable.
The Port Encyclopedia is a reference for what each port number means and represents — service name, protocol, typical use, security risk, common attacks. The Port Scanner actively checks which ports are open on a specific target. Use the encyclopedia first to understand which ports matter and what to look for; use the scanner to find which of those ports are actually exposed on a target. Together: encyclopedia for theory, scanner for practice.
IANA divides the port range into three groups. Well-known ports (0-1023): require root/administrator privileges to bind to, reserved for major services (HTTP/80, HTTPS/443, SSH/22). Registered ports (1024-49151): registered with IANA for specific services (PostgreSQL/5432, MongoDB/27017) but no privilege requirement. Dynamic/ephemeral (49152-65535): used for outbound client connections, no registration. The classification matters less for security than the actual service running, but an unauthenticated service on a well-known port is generally considered worse than one on a registered port because well-known ports are scanned first by attackers.
Yes — port scanning is trivial. Tools like nmap, masscan, RustScan can scan all 65,535 TCP ports across an entire IP range in minutes. Internet-wide scans by services like Shodan and Censys constantly map exposed ports across the public IPv4 space. If your service is on a public IP, assume it is in scan results within hours of going online. The right defence is not hiding ports (security through obscurity fails); it is hardening the services on those ports — current patches, strong authentication, MFA, monitoring, and network segmentation.
Port knocking is a technique where a service stays closed until a specific sequence of connection attempts to other ports is detected, then opens for the source IP. It adds a small obscurity layer that defeats opportunistic scanners but does not stop targeted attacks (the knock sequence is observable on the network). For SSH access specifically, port knocking can reduce log noise from automated bots; it does not replace strong authentication. For high-security access, modern alternatives like WireGuard VPN or zero-trust network access (ZTNA) are dramatically better than port knocking.
Changing SSH to a non-standard port (like 22222 or 50022) reduces opportunistic scanner traffic significantly — automated bots often only check port 22 and, finding nothing there, move on. This is obscurity, not security: any targeted attacker scans all ports anyway. The benefit is operational (cleaner logs, less brute-force noise), not a security one (a determined attacker still finds your SSH). For real SSH security, use SSH key authentication, disable password auth, restrict by source IP via firewall, and consider placing SSH behind a VPN. Port change alone is not enough.
Historically: SMB (445) and RDP (3389) — both have repeatedly produced wormable internet-exploitable vulnerabilities (EternalBlue/WannaCry on 445, BlueKeep on 3389). Both should never be exposed to the internet directly under any circumstances; if remote access is needed, route through VPN or zero-trust gateway. Other high-risk exposures: database ports (3306, 5432, 1433, 27017) — every year there are massive breaches from databases left publicly exposed with default or no authentication. Database ports should be firewall-blocked from the public internet by default; access via application servers in a private network only.
The base port assignments (which port runs which service) are largely stable — IANA assignments do not change often. Risk classifications and attack-trend annotations get updated when notable new vulnerabilities or attack patterns emerge in the security industry. Major updates typically happen annually or in response to significant events (a new wormable vulnerability, a class of attacks getting popular). For a specific port detail page (linked from each card), check the page directly for the most current annotations.