# Ports and associated Vectors
PortUse caseAbuse Case
2121 FTP (File Transfer Protocol)Exploited for brute force attacks to gain unauthorized access to file shares and potentially upload malicious scripts or files.
22SSH (Secure Shell)Targeted for brute force or dictionary attacks to gain remote control of systems. Often scanned for vulnerable or default credentials.
23TelnetBecause it's unencrypted, attackers could eavesdrop on communications, capturing credentials for unauthorized access.
25SMTP (Simple Mail Transfer Protocol)Used for sending spam or phishing emails if the SMTP server is compromised or misconfigured.
53DNS (Domain Name System)Exploited in DNS amplification attacks to overwhelm a network with DNS response traffic, leading to DDoS attacks.
80/443HTTP/HTTPS (Web Services)Web servers on these ports can be targeted with various web application attacks such as SQL injection, XSS, or CSRF.
110/995POP3/POP3S (Email Retrieval)Attackers could intercept unencrypted POP3 traffic to steal email credentials or use compromised accounts to spread malware.
135-139/445Windows RPC/NetBIOS/SMBExploited by malware like WannaCry for spreading within networks or to execute remote code.
143/993IMAP/IMAPS (Email Retrieval)Similar to POP3, IMAP traffic can be intercepted to gain unauthorized access to email accounts.
161/162SNMP (Simple Network Management Protocol)Misused to gather detailed network information or, in some configurations, to modify device settings.
389/636LDAP/LDAPS (Directory Services)Attackers could exploit vulnerabilities to perform directory traversal attacks or gain unauthorized access to directory listings.
1433/1434Microsoft SQL ServerSQL injection attacks or unauthorized access for data theft or manipulation. Exploited for executing remote commands.
1521Oracle DatabaseAttackers may attempt to exploit vulnerabilities for unauthorized database access or to inject malicious SQL queries.
1812/1813RADIUS (Remote Authentication Dial-In User Service)Used for network authentication. Vulnerable to brute force attacks or exploited for unauthorized network access if poorly configured.
3306MySQLIf accessible from externally, it can be brute-forced or exploited to gain access to databases, leading to data theft or loss.
3389RDP (Remote Desktop Protocol)Often targeted for brute force attacks or BlueKeeplike vulnerabilities to gain remote control of systems.
3899Radmin (Remote Administrator)A remote control software that can be abused for unauthorized remote access if left exposed or if weak credentials are used.
4444Metasploit Framework’s default port for payloadsOften used by attackers after exploiting a vulnerability to establish a reverse shell or gain control over a system.
4848GlassFish Server Administration ConsoleCan be targeted for unauthorized access or remote code execution if not secured with strong authentication.
5000UPnP (Universal Plug and Play)Can be exploited to open other ports or for denialof-service attacks due to its capability to configure network devices.
5060/5061SIP (Session Initiation Protocol)Utilized in VoIP environments, vulnerable to eavesdropping, toll fraud, or DDoS attacks targeting communication infrastructure.
5555Android Debug BridgeIf left open, can be exploited to install malicious applications, exfiltrate data, or control the device remotely without user consent.
5601KibanaExposed instances without proper authentication can lead to unauthorized access to data indexed by Elasticsearch.
5900/5901VNC (Virtual Network Computing)Vulnerable to brute force attacks or unauthorized access if not properly secured with strong passwords and encryption.
5985/5986WinRM (Windows Remote Management)If improperly configured, can be exploited for remote code execution or lateral movement within a network.
6379RedisUnsecured instances may lead to data theft, ransomware, or unauthorized use of the server for malicious purposes.
6667IRC (Internet Relay Chat)Historically used by botnets as command and control channels. Vulnerable to eavesdropping and man-in-the-middle attacks if not encrypted.
7547CWMP (TR-069) - CPE WAN Management ProtocolExploited in mass-scale attacks to remotely manage home routers and modems. Vulnerabilities can lead to device compromise.
8000/8001Common alternative HTTP portsOften used for web servers running in non-standard configurations, which may be less monitored and therefore vulnerable to web application attacks
8080/8443Alternate HTTP/HTTPSOften used for web applications and services, which could be targeted with various web-based exploits if not secured.
8081Proxy or web server alternative portSimilar to port 8080, but less commonly monitored, making services hosted here potential targets for unnoticed exploitation.
8089SplunkdExposed management ports can lead to unauthorized access to Splunk datasets or system compromise.
8291MikroTik RouterOS WinboxVulnerabilities could allow attackers to bypass authentication and gain remote access to the device.
8444BitmessageA decentralized messaging protocol that can be abused for exfiltrating data or command and control if not properly secured.
9001/9030Tor network entry/exit nodesUsed by Tor for anonymous communication. Misconfigured Tor services can be exploited for malicious purposes or data exfiltration.
9100PDL (Printer Description Language) Data StreamVulnerable to printing denial of service or unauthorized document printing if exposed to a public network.
9200/9300ElasticsearchOpen ports can be misused for unauthorized data access, deletion, or index manipulation if not properly secured.
10000WebminA web-based interface for system administration for Unix. Vulnerable to exploitation if not regularly updated or properly secured
10050/10051Zabbix Agent/ServerOpen Zabbix agents or servers could be compromised to gain information on monitored systems or to execute commands.
11211MemcachedExploited in reflection DDoS attacks due to its high bandwidth amplification factor when left exposed to the internet.
27015Valve's Source Dedicated ServerCould be targeted for DDoS attacks, disrupting game servers and other services running on this port.
27017-27019MongoDBExposed databases can be targeted for unauthorized access, data leakage, or ransomware attacks due to misconfiguration or lack of authentication.
27018MongoDB default port for Sharded clustersSimilar risks as the default MongoDB port (27017), but specific to Sharded clusters. Misconfiguration can lead to unauthorized data access.
32400Plex Media ServerIf improperly secured, can be accessed without authorization, potentially exposing personal media collections or being used for bandwidth theft.