Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 127 udp games not scanned Command and Conquer Generals
 133 tcp trojan Premium scan Farnaz
 135 tcp,udp loc-srv Basic scan Remote Procedure Call (RPC) port 135 is used in client/server applications (might be on a single machine) such as Exchange clients, the recently exploited messenger service, as well as other Windows NT/2K/XP software. If you have remote users who VPN into your network, you might need to open this port on the firewall to allow access to the Exchange server.

There is an RPC vulnerability (in RPC's Endpoint Mapper component) in Windows NT where a malformed request to port 135 could cause denial of service (DoS). RPC contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data. To restore normal functionality, the victim has to reboot the system. Alternatively, you can upgrade/patch your OS (a patch is downloadable from Microsoft), or you can close port 135.

Port 135 is used by Messenger Service (not MSN Messenger) and exploited in popup net send messenger spam: MSKB 330904. To stop the popups you'd need to filter port 135 at the firewall level or stop the messenger service. The service uses all the following ports: 135/tcp, 135/udp, 137/udp, 138/udp, 139/tcp, 445/tcp.

MS Security Bulletin [MS03-026] outlines another critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.

W32.Blaster.Worm is a widely spread worm that exploits the DCOM RPC vulnerability described above (MS Security Bulletin [MS03-026]). The worm allows remote access to an infected computer via ports 4444/tcp and 69/udp, and spreads through port 135/tcp. To avoid being infected, consider closing those ports.

W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability ([MS03-026]) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.
 137 tcp,udp netbios-ns Basic scan NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.

NetBIOS services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)

By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:

1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.

Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.

There is also a critical Windows RPC vulnerability affecting ports 135, 139 and 445, as detailed here: MS Technet Security Bulletin [MS03-026]

The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega
W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.

Windows Internet Naming Service (WINS) also uses this port (UDP).

Sygate Personal Firewall comes with a default rule set that blocks all UDP requests; however, UDP requests that originate from source port 137 or 138 are allowed. A malicious person could therefore get access to all open UDP ports on a target merely by sending all requests from source port 137 or 138.
References: [SECUNIA-7930]
 138 tcp,udp netbios-dgm Basic scan NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.

NetBIOS services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)

By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:

1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.

Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.

The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega

Sygate Personal Firewall comes with a default rule set that blocks all UDP requests; however, UDP requests that originate from source port 137 or 138 are allowed. A malicious person could therefore get access to all open UDP ports on a target merely by sending all requests from source port 137 or 138.
References: [SECUNIA-7930]
 139 tcp,udp netbios-ss Basic scan NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be. There are a number of vulnerabilities associated with leaving this port open.

NetBIOS services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)

By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:

1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.

Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.

There is also a critical Windows RPC vulnerability affecting ports 135, 139 and 445, as detailed here: MS Technet Security Bulletin [MS03-026]

The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega
W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.

W32.Klez worm - a class of worms that collects email addresses from an infected computer's Windows address book and propagates using its own SMTP server. As of April 26, 2002, there are nine variants of the Klez worm that all exploit the "Microsoft Internet Explorer Incorrect MIME header" vulnerability, which causes an email attachment to be automatically executed when an HTML email is previewed by a Microsoft Outlook or Outlook Express user. The worm can arrive as an email attachment with one of the following file extensions: asp, bak, c, cpp, doc, htm, html, jpg, mp3, mpg, mpeg, pas, rtf, wab, or xls.

W32.Sircam.Worm - a computer worm that propagates by e-mail from Microsoft Windows systems. It also spreads via open shares on a network. Sircam scans the network for computers with shared drives and copies itself to a machine with an open (non-password protected) drive or directory.

Buffer overflow in a certain driver in Cisco Security Agent 4.5.1 before 4.5.1.672, 5.0 before 5.0.0.225, 5.1 before 5.1.0.106, and 5.2 before 5.2.0.238 on Windows allows remote attackers to execute arbitrary code via a crafted SMB packet in a TCP session on port (1) 139 or (2) 445.
References: [CVE-2007-5580] [BID-26723] [SECUNIA-27947] [OSVDB-39521]

Server Message Block (SMB) also uses this port. It is used by Microsoft Windows file and print services, such as Windows Sharing in Mac OS X.
 142 tcp trojan Premium scan NetTaxi trojan
 143 tcp,udp IMAP Basic scan IMAP (Internet Mail Access Protocol) mail server uses this port. See also port 993/tcp.

Numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for a while, there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when Red Hat enabled the service by default on its distributions. This port is also used for IMAP2, but that version wasn't very popular. Several people have noted attacks from port 0 to port 143, which appear to be from some attack script.

MailServer.exe in NoticeWare Email Server 4.6.1.0 allows remote attackers to cause a denial of service (application crash) via a long string to IMAP port (143/tcp).
References: [CVE-2008-1713] [BID-28559] [SECUNIA-29629]

Format string vulnerability in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit imap-2007d and other applications, allows remote attackers to execute arbitrary code via format string specifiers in the initial request to the IMAP port (143/tcp). NOTE: Red Hat has disputed the vulnerability, stating "The Red Hat Security Response Team have been unable to confirm the existence of this format string vulnerability in the toolkit, and the sample published exploit is not complete or functional." CVE agrees that the exploit contains syntax errors and uses Unix-only include files while invoking Windows functions.
References: [CVE-2009-0671] [BID-33795]

ADM trojan also uses this port (TCP).
 146 tcp trojans Premium scan Infector trojan, 04,1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000
 150 tcp,udp sql-net not scanned Denial of service of Ascend routers through port 150 (remote administration).
References: [CVE-1999-0221]

SQL-NET (IANA official)
 161 udp SNMP Basic scan Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.

Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162.

Apple AirPort Express prior to 6.1.1 and Extreme prior to 5.5.1, configured as a Wireless Data Service (WDS), allows remote attackers to cause a denial of service (device freeze) by connecting to UDP port 161 and before link-state change occurs.
References: [CVE-2005-0289], [BID-12152]

The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513.
References: [CVE-2012-4703]

Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).
References: [CVE-2013-2780]

Cisco Catalyst 2900 XL series switches are vulnerable to a denial of service, caused by an empty UDP packet. If SNMP is disabled, a remote attacker can connect to port 161 and send an empty UDP packet to cause the switch to crash.
References: [CVE-2001-0566], [XFDB-6515]
 162 udp SNMP Basic scan Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.

Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162.

Format string vulnerability in the snmp_input function in snmptrapd in CMU SNMP utilities (cmu-snmp) allows remote attackers to execute arbitrary code by sending crafted SNMP messages to UDP port 162.
References: [CVE-2006-0250], [BID-16267]

Memory leak in the SNMP process in Cisco IOS XR allows remote attackers to cause a denial of service (memory consumption or process reload) by sending many port-162 UDP packets, aka Bug ID CSCug80345.
References: [CVE-2013-1204]

Cisco Hosted Collaboration Mediation allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed UDP packets on port 162, aka Bug ID CSCug85756.
References: [CVE-2013-3381]
 165 tcp applications not scanned The SNMPc Server (crserv.exe) process in Castle Rock Computing SNMPc allows remote attackers to cause a denial of service (crash) via a crafted packet to port 165/TCP.
References: [CVE-2007-3098], [BID-24292]

Port is also IANA registered for Xerox.
 166 tcp trojan Premium scan NokNok
 170 tcp trojan Premium scan A-Trojan
 171 tcp trojan Premium scan A-trojan
 173 tcp trojan Premium scan Nestea trojan
 177 tcp xdmcp Premium scan Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well in order to really succeed.
 179 tcp,udp,sctp bgp not scanned Border Gateway Protocol (IANA official)
See also [RFC 4960]

Brocade BigIron RX switches allow remote attackers to bypass ACL rules by using 179 as the source port of a packet.
References: [CVE-2011-2760] [BID-48663] [SECUNIA-45217] [OSVDB-73869]
 181 tcp,udp unify not scanned Unify [Daegis_Inc] (IANA official)
 192 udp applications not scanned Apple AirPort Base Station PPP status or discovery (certain configurations), AirPort Admin Utility, AirPort Express Assistant
 194 tcp,udp IRC Members scan Internet Relay Chat Protocol
 200 tcp trojan Premium scan CyberSpy trojan

America's Army also uses this port.
 201 tcp trojan Premium scan One Windows Trojan
 202 tcp trojans Premium scan One Windows Trojan, Backdoor.Skun
 211 tcp trojan Premium scan One Windows Trojan
 212 tcp trojan Premium scan One Windows Trojan
 221 tcp,udp fln-spx not scanned Port is IANA registered for Berkeley rlogind with SPX auth

Trojans that use this port: Snape
 222 tcp,udp rsh-spx not scanned IANA registered for Berkeley rshd with SPX auth

Trojans that use this port: NeuroticKat, Snape
 224 tcp,udp masqdialer not scanned ADSL Road Runner modem in the Annex A family has a service running on port 224, which allows remote attackers to login to the modem with a blank password and gain unauthorized access.
References: [CVE-2005-2862]

masqdialer (IANA official)
 230 tcp trojan Premium scan Skun trojan
 230 udp games not scanned Dungeon Siege II
 231 tcp trojan Premium scan Skun trojan
 232 tcp trojan Premium scan Skun trojan
 254 tcp,udp applications not scanned The Hawking Technologies HAR11A modem/router allows remote attackers to obtain sensitive information by connecting to port 254, which displays a management interface and information on established connections.
References: [CVE-2004-1637] [BID-11543]

Origo ASR-8100 ADSL Router 3.21 has an administration service running on port 254 that does not require a password, which allows remote attackers to cause a denial of service by restoring the factory defaults.
References: [CVE-2003-1515] [BID-8855]
 256 udp trojans not scanned Trojan.SpBot (04.05.2005) - trojan horse that opens a compromised computer to be used as an email relay. Opens a backdoor on port 256/udp.
 259 tcp,udp applications not scanned FW1 VPN

Check Point VPN-1/FireWall-1 4.1 base.def contains a default macro, accept_fw1_rdp, which can allow remote attackers to bypass intended restrictions with forged RDP (internal protocol) headers to UDP port 259 of arbitrary hosts.
References: [CVE-2001-1158], [BID-2952]

Check Point ports:
259 udp - MEP configuration
264 tcp - Topology download
500 tcp/udp - IKE
2746 udp - UDP Encapsulation.
18231 tcp - Policy Server logon, when the client is inside the network
18232 tcp - Distribution server when the client is inside the network
18233 udp - Keep-alive protocol when the client is inside the network
18234 udp - Performing tunnel test, when the client is inside the network
18264 tcp - ICA certificate registration
 264 tcp,udp bgmp not scanned Check Point FireWall-1 allows remote attackers to cause a denial of service (high CPU) via a flood of packets to port 264.
References: [CVE-2000-1201]

Check Point ports:
259 udp - MEP configuration
264 tcp - Topology download
500 tcp/udp - IKE
2746 udp - UDP Encapsulation.
18231 tcp - Policy Server logon, when the client is inside the network
18232 tcp - Distribution server when the client is inside the network
18233 udp - Keep-alive protocol when the client is inside the network
18234 udp - Performing tunnel test, when the client is inside the network
18264 tcp - ICA certificate registration

BGMP, Border Gateway Multicast Protocol (IANA official)
 269 tcp,udp manet not scanned IANA registered for MANET Protocols [RFC 5498]
 270 udp gist not scanned Port 270 UDP is IANA registered for GIST (General Internet Signalling Transport). It is assigned by the IETF to pass signaling traffic for GIST, see [RFC 5971]
 271 tcp,udp pl-tls not scanned Port is IANA reserved for: IETF Network Endpoint Assessment (NEA) Posture Transport Protocol over TLS (PT-TLS) [IESG][draft-ietf-nea-pt-tls-06] [RFC 6876]
 285 tcp trojans Premium scan Delf, WCTrojan
 286 tcp trojan Premium scan WCTrojan
 299 tcp trojan Premium scan One Windows Trojan

Battlefield 2 also uses this port.
 310 udp games not scanned Delta Force
 311 tcp,udp asip-webadmin not scanned Mac OS X Server Admin (officially AppleShare IP Web administration)
 315 tcp trojan Premium scan The Invasor trojan horse
 321 tcp trojans Members scan W32.Looksky.A@mm (10.25.2005) - a mass-mailing worm that lowers security settings and logs keystrokes on the compromised computer. It also gathers and sends out personal information. Opens a backdoor and listens for remote commands on port 321/tcp. It also periodically connects to proxy4u.ws on port 8080/tcp to check for updates.
Port also used by other variants:
W32.Looksky.A@mm
W32.Looksky.H@mm (01.17.2006).
 323 tcp rpki-rtr not scanned Resource PKI to Router Protocol (IANA official) [RFC 6810]
 334 tcp trojan Premium scan Backage Trojan
 335 tcp trojan Premium scan Nautical
 347 tcp games not scanned Operation Flashpoint
 350 tcp,udp matip-type-a not scanned MATIP Type A (IANA official) [RFC 2351]
 351 tcp,udp matip-type-b not scanned MATIP Type B (IANA official) [RFC 2351]

bhoetty (IANA official) - unassigned but widespread use
 353 tcp applications not scanned Remote attackers can cause a denial of service in Novell BorderManager 3.6 and earlier by sending TCP SYN flood to port 353.
References: [CVE-2001-0486], [BID-2623]

Port is also IANA registered for NDSAUTH
 365 tcp games not scanned Railroad Tycoon 3
 370 tcp trojan Premium scan NeuroticKat
 371 tcp applications not scanned Rational ClearCase 4.1, 2002.05, and possibly other versions allows remote attackers to cause a denial of service (crash) via certain packets to port 371, e.g. via nmap.
References: [CVE-2002-1322], [BID-6228]

Port is also IANA registered for Clearcase
 382 tcp trojan Premium scan W32.Rotor
 389 tcp LDAP Basic scan LDAP (Lightweight Directory Access Protocol) - an Internet protocol, used by MS Active Directory, as well as some email programs to look up contact information from a server.

Both Microsoft Exchange and NetMeeting install an LDAP server on this port.

IBM Lotus Domino Server 7.0 allows remote attackers to cause a denial of service (segmentation fault) via a crafted packet to the LDAP port (389/TCP).
References: [CVE-2006-0580], [BID-16523]

Rockliffe MailSite 7.0 and earlier allows remote attackers to cause a denial of service by sending crafted LDAP packets to port 389/TCP, as demonstrated by the ProtoVer LDAP testsuite.
References: [CVE-2006-0790] [BID-16675] [SECUNIA-18888]
 399 tcp,udp iso-tsap-c2 not scanned Digital Equipment Corporation DECnet (Phase V+)

ISO Transport Class 2 Non-Control over TCP/UDP [Yanick_Pouffary] (IANA official)
 400 tcp trojan Premium scan Argentino
 401 tcp trojan Premium scan One Windows Trojan
 402 tcp trojan Premium scan One Windows Trojan
 407 tcp,udp applications not scanned Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to cause a denial of service (server process crash) via a certain data string that is sent to multiple simultaneous client connections to TCP port 407.
References: [CVE-2004-0810] [BID-11714]

The authentication protocol in Timbuktu Pro 2.0b650 allows remote attackers to cause a denial of service via connections to port 407 and 1417.
References: [CVE-2000-0142]

Port is also IANA registered for Timbuktu Pro Mac
 411 tcp trojan Premium scan Backage trojan
 420 tcp trojans Members scan W32.Kibuv.Worm (2004-05-14) - a worm that exploits the LSASS vulnerability (described in Microsoft Security Bulletin [MS04-011]) and the DCOM RPC vulnerability (described in Microsoft Security Bulletin [MS03-026]). Starts an FTP server on TCP port 9604, also listens on TCP port 420, and attempts to exploit the DCOM RPC vulnerability on TCP port 135.

Other trojans that also use this port: Breach, Incognito
Port is IANA registered for: SMPTE
 421 tcp trojan Premium scan TCP Wrappers

City of Heroes also uses this port.
 427 tcp,udp applications not scanned SLP (Service Location Protocol, used by MacOS and NetWare)

ExtremeZ-IP.exe in ExtremeZ-IP File and Print Server does not verify that a certain "number of URLs" field is consistent with the packet length, which allows remote attackers to cause a denial of service (daemon crash) via a large integer in this field in a packet to the Service Location Protocol (SLP) service on UDP port 427, triggering an out-of-bounds read.
References: [CVE-2008-0767] [BID-27718]

srvloc.sys in Novell Client for Windows before 4.91 SP3 allows remote attackers to cause an unspecified denial of service via a crafted packet to port 427 that triggers an access of pageable or invalid addresses using a higher interrupt request level (IRQL) than necessary.
References: [CVE-2006-6307] [BID-21430] [SECUNIA-23244]
 432 udp games not scanned Command and Conquer Generals
 443 tcp,sctp HTTPS Basic scan HTTPS / SSL - encrypted web traffic.

ASUS AiCloud routers file sharing service uses ports 443 and 8082. There is a vulnerability in AiCloud with firmwares prior to 3.0.4.372, see [CVE-2013-4937]

SoftEther VPN (Ethernet over HTTPS) uses TCP Ports 443, 992 and 5555

Call of Duty World at War uses this port.

Apple applications that use this port:
Secured websites, iTunes Store, FaceTime, MobileMe (authentication) and MobileMe Sync.

Ooma VoIP - uses UDP port 1194 (VPN tunnel to the Ooma servers for call/setup control), ports 49000-50000 for actual VoIP data, and ports TCP 443, UDP 514, UDP 3480

Trojans that use this port:
W32.Kelvir.M (04.05.2005) - worm that spreads through MSN Messenger and drops a variant of the W32.Spybot.Worm. Connects to IRC servers on the s.defonic2.net and s.majesticwin.com domains, and listens for commands on port 443/tcp.

Directory traversal vulnerability in Cisco Network Admission Control (NAC) Manager 4.8.x allows remote attackers to read arbitrary files via crafted traffic to TCP port 443, aka Bug ID CSCtq10755.
References: [CVE-2011-3305] [BID-49954]

Multiple buffer overflows in the authentication functionality in the web-server module in Cisco CiscoWorks Common Services before 4.0 allow remote attackers to execute arbitrary code via a session on TCP port (1) 443 or (2) 1741, aka Bug ID CSCti41352.
References: [CVE-2010-3036] [BID-44468] [SECUNIA-42011] [OSVDB-68927]

Buffer overflow in the logging functionality of the HTTP server in IBM Tivoli Provisioning Manager for OS Deployment (TPMfOSD) before 5.1.0.3 Interim Fix 3 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via an HTTP request with a long method string to port 443/tcp.
References: [CVE-2008-0401] [BID-27387] [SECUNIA-28604]

The administrative web interface on Cisco TelePresence Immersive Endpoint Devices before 1.7.4 allows remote authenticated users to execute arbitrary commands via a malformed request on TCP port 443, aka Bug ID CSCtn99724.
References: [CVE-2012-3075]

Cisco Identity Services Engine (ISE) 1.x before 1.1.1 allows remote attackers to bypass authentication, and read support-bundle configuration and credentials data, via a crafted session on TCP port 443, aka Bug ID CSCty20405.
References: [CVE-2013-5531]

The web framework in Cisco Identity Services Engine (ISE) 1.0 and 1.1.0 before 1.1.0.665-5, 1.1.1 before 1.1.1.268-7, 1.1.2 before 1.1.2.145-10, 1.1.3 before 1.1.3.124-7, 1.1.4 before 1.1.4.218-7, and 1.2 before 1.2.0.899-2 allows remote authenticated users to execute arbitrary commands via a crafted session on TCP port 443, aka Bug ID CSCuh81511.
References: [CVE-2013-5530]

Siemens SCALANCE S613 allows remote attackers to cause a denial of service (web-server outage) via traffic to TCP port 443.
References: [CVE-2016-3963]

Siemens SIMATIC S7-1200 is vulnerable to a denial of service, caused by an error when handling specially-crafted HTTPS traffic passed to TCP port 443. By sending specially-crafted packets to TCP port 443, a remote attacker could exploit this vulnerability to cause the device to go into defect mode.
References: [CVE-2014-2258] [XFDB-92059]
 443 udp games not scanned Port used by Google talk.
Games that use this port: Final Fantasy XI
 445 tcp microsoft-ds Basic scan TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2K / XP). The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2K/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName (value only) in the Windows Registry.

Leaving port 445 open will leave you vulnerable to some worms, such as W32.Deloader and IraqiWorm (aka Iraq_oil.exe), W32.HLLW.Moega, W32.Sasser.Worm, W32.Korgo.AB (09.24.2004), Backdoor.Rtkit.B (10.01.2004), Trojan.Netdepix.B (01.16.2005), as well as the Windows Null Session Exploit.

MS Security Bulletin [MS03-026] outlines a critical RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.

See also: Microsoft Security Bulletin [MS03-049] and Microsoft Security Bulletin [MS03-043]

W32.Zotob.C@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.

W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.

W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. Port 445/tcp also used by the W32.Zotob.H variant of the worm.

W32.Conficker.worm - a worm with multiple variants. It exploits a buffer overflow vulnerability in the Server Service on Windows computers. McAfee has named the most recently discovered variant of this worm as W32/Conficker.worm.gen.d. The original W32.Conficker.worm attacks port 445, the port that Microsoft Directory Service uses, and exploits Microsoft Windows vulnerability [MS08-067].

Buffer overflow in a certain driver in Cisco Security Agent 4.5.1 before 4.5.1.672, 5.0 before 5.0.0.225, 5.1 before 5.1.0.106, and 5.2 before 5.2.0.238 on Windows allows remote attackers to execute arbitrary code via a crafted SMB packet in a TCP session on port (1) 139 or (2) 445.
References: [CVE-2007-5580] [BID-26723] [SECUNIA-27947] [OSVDB-39521]

LANMAN service on Microsoft Windows 2000 allows remote attackers to cause a denial of service (CPU/memory exhaustion) via a stream of malformed data to microsoft-ds port 445.
References: [CVE-2002-0597] [BID-4532] [OSVDB-5179]
 449 tcp trojans Premium scan Backdoor.Krei (2003.01.31) - a backdoor trojan that uses Trojan.Slanret to hide its malicious activities. Backdoor.Krei opens a listening port (port 449 by default) on the infected computer and it gives a hacker full access to the infected system.

Port is also IANA registered for AS Server Mapper
 452 tcp,udp trojans not scanned Backdoor.Ompnmagic (2002.08.29) - a backdoor trojan that gives an attacker unauthorized access to a compromised computer. By default it opens port 452 on the compromised computer.

Port is also IANA registered for Cray SFS config server
 455 tcp trojan Premium scan Fatal Connections
 456 tcp trojans Premium scan used by Hackers Paradise trojan (also uses port 31)
 458 tcp,udp applications not scanned QuickTime Conferencing (MovieTalk)
 464 tcp,udp kpasswd not scanned Kerberos (v5)
Related ports: 88,543,544,749

A vulnerability has been reported in Kerberos, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the kpasswd application not properly handling malformed UDP packets and can be exploited to exhaust CPU and network resources via the UDP "ping-pong" attack on port 464.
References: [CVE-2002-2443], [SECUNIA-53375]
 465 tcp smtp-ssl not scanned Outgoing SMTP Mail over SSL (Gmail uses this port)

PlayStation Network and SCEA Game Servers use this port
 465 udp igmpv3lite not scanned Cisco IOS 15.2S allows remote attackers to cause a denial of service (interface queue wedge) via malformed UDP traffic on port 465, aka Bug ID CSCts48300.
References: [CVE-2011-4015]

IGMP over UDP for SSM (IANA official)
 497 tcp,udp applications not scanned retroclient.exe in EMC Dantz Retrospect Backup Client 7.5.116 allows remote attackers to cause a denial of service (daemon crash) via malformed packets to TCP port 497, which trigger a NULL pointer dereference and memory corruption.
References: [CVE-2008-3287] [CVE-2008-3290] [BID-30306] [BID-30313] [SECUNIA-31186]

Buffer overflow in EMC Retrospect Client 5.1 through 7.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet to port 497.
References: [CVE-2006-2391] [BID-17948] [SECUNIA-20080]

EMC Dantz Retrospect 7 backup client 7.0.107, and other versions before 7.0.109, and 6.5 before 6.5.138 allows remote attackers to cause a denial of service (client termination and loss of backup service) via a malformed packet to TCP port 497, which triggers an assert error.
References: [CVE-2006-0995] [BID-16933] [SECUNIA-19097]

Port is IANA registered for: Dantz Retrospect backup and restore service [Retrospect Inc]
 500 tcp,udp ipsec Members scan IPSec (VPN tunneling) uses the following ports:

50 - Encapsulation Header (ESP)
51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal

500/tcp - sometimes used for IKE over TCP

See also:
port 1701 (L2TP)
port 1723 (PPTP)

Some Apple applications use this port as well: Mac OS X Server VPN service, Back to My Mac (MobileMe, Mac OS X v10.5 or later).

isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop.
References: [CVE-2003-0108] [BID-6974]

Microsoft Windows XP allows remote attackers to cause a denial of service (CPU consumption) by flooding UDP port 500 (ISAKMP).
References: [CVE-2002-2117]

Snapgear Lite+ firewall 1.5.3 allows remote attackers to cause a denial of service (IPSEC crash) via a zero length packet to UDP port 500.
References: [CVE-2002-0603] [BID-4659]

Cisco Wireless LAN Controller is vulnerable to a denial of service, caused by an error when handling Internet Key Exchange (IKE) messages. By sending a specially-crafted IKE packet to UDP Port 500, a remote attacker could exploit this vulnerability to cause the device to crash and reload.
References: [CVE-2010-0574] [XFDB-61666] [BID-43059]

Vodafone Sure Signal also uses this port
 502 tcp asa-appl-proto not scanned Phoenix Contact FL IL 24 BK-PAC allows remote attackers to cause a denial of service (hang) via (1) unspecified manipulations as demonstrated by a Nessus scan or (2) malformed input to TCP port 502.
References: [CVE-2008-7199]

The modbus_125_handler function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) allows remote attackers to install arbitrary firmware updates via a MODBUS 125 function code to TCP port 502.
References: [CVE-2011-4861]

Unspecified vulnerability in the Modbus/TCP Diagnostic function in MiniHMI.exe for the Automated Solutions Modbus Slave ActiveX Control before 1.5 allows remote attackers to corrupt the heap and possibly execute arbitrary code via malformed Modbus requests to TCP port 502.
References: [CVE-2007-4827] [BID-25713] [OSVDB-38259]

Triangle Research International (aka Tri) Nano-10 PLC devices with firmware before r81 use an incorrect algorithm for bounds checking of data in Modbus/TCP packets, which allows remote attackers to cause a denial of service (networking outage) via a crafted packet to TCP port 502.
References: [CVE-2013-2784]

Triangle Research International (aka Tri) Nano-10 PLC devices with firmware r81 and earlier do not properly handle large length values in MODBUS data, which allows remote attackers to cause a denial of service (transition to the interrupt state) via a crafted packet to TCP port 502.
References: [CVE-2013-5741], [OSVDB-97728]

asa-appl-proto (IANA official)
 510 tcp trojans Premium scan T0rnkit sshd backdoor
 511 tcp Premium scan Part of rootkit t0rn, a program called "leeto's socket daemon" runs at this port.
 512 tcp applications not scanned Act P202S VoIP WiFi phone undocumented open port, multiple vulnerabilities.
References: [CVE-2006-0374], [CVE-2006-0375], [BID-16288]
 513 udp applications not scanned Multiple buffer overflows in the Syslog server in ManageEngine EventLog Analyzer 6.1 allow remote attackers to cause a denial of service (SysEvttCol.exe process crash) or possibly execute arbitrary code via a long Syslog PRI message header to UDP port 513 or 514.
References: [CVE-2010-4840]
 513 tcp trojans Premium scan ADM worm, Grlogin

UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 does not allow users to disable access to (1) SNMP or (2) the rlogin port TCP 513, which allows remote attackers to exploit other vulnerabilities such as CVE-2005-3716, or execute arbitrary shell commands via rlogin, which does not require authentication.
References: [CVE-2005-3718] [SECUNIA-17629] [BID-15476]

The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513.
References: [CVE-2012-4703]
 514 tcp shell Members scan Used by rsh (and also rcp), an interactive shell without any logging.

Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port


Games that use this port: America's Army

Malware using this port: RPC Backdoor, Whacky, ADM worm

Stack-based buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7 allows remote attackers to execute arbitrary code via a long string to the shell port (514/tcp). NOTE: this might overlap [CVE-2007-4006].
References: [CVE-2007-4005] [BID-25044] [SECUNIA-26197]

Denicomp RSHD 2.18 and earlier allows a remote attacker to cause a denial of service (crash) via a long string to port 514.
References: [CVE-2001-0707]

A vulnerability has been reported in Cisco IOS, which can be exploited to cause a DoS (Denial of Service). The vulnerability is caused due to TCP connection information not being properly validated when connecting to a protocol translation resource and can be exploited to cause a reload via specially crafted packets sent to TCP ports 514 or 544. Successful exploitation requires a vulnerable protocol translation configuration or a Telnet-to-PAD protocol translation ruleset to be configured.
References: [CVE-2013-1147] [SECUNIA-52785]
 514 udp applications Premium scan Ooma VoIP - uses UDP port 1194 (VPN tunnel to the Ooma servers for call/setup control), ports 49000-50000 for actual VoIP data, and ports TCP 443, UDP 514, UDP 3480

Multiple buffer overflows in the Syslog server in ManageEngine EventLog Analyzer 6.1 allow remote attackers to cause a denial of service (SysEvttCol.exe process crash) or possibly execute arbitrary code via a long Syslog PRI message header to UDP port 513 or 514.
Reference: [CVE-2010-4840]

Stack-based buffer overflow in the Syslog service (nssyslogd.exe) in Enterasys Network Management Suite (NMS) before 4.1.0.80 allows remote attackers to execute arbitrary code via a long PRIO field in a message to UDP port 514.
References: [CVE-2011-5227] [SECUNIA-47263]
 515 tcp printer Premium scan Printing services, listening for incoming connections

Trojans using this port: MscanWorm, lpdw0rm, Ramen.

Multiple buffer overflows in Client Software WinCom LPD Total 3.0.2.623 and earlier allow remote attackers to execute arbitrary code via a long 0x02 command to the remote administration service on TCP port 13500 or a long invalid control filename to LPDService.exe on TCP port 515.
References: [CVE-2008-5176], [BID-27614]

Stack-based buffer overflow in Winlpd 1.26 allows remote attackers to execute arbitrary code via a long string in a request to TCP port 515.
References: [CVE-2006-3670] [SECUNIA-21058] [BID-19011] [OSVDB-27332]

Buffer overflow in NIPrint 4.10 allows remote attackers to execute arbitrary code via a long string to TCP port 515.
References: [CVE-2003-1141] [BID-8968] [OSVDB-2774] [SECUNIA-10143]

spooler (IANA official)
 520 udp router Premium scan RIP (Routing Information Protocol). Routers use RIP in order to advertise routing information to each other and communicate optimal paths.

References: [RFC 1058] & [RFC 2453]

Cisco NX-OS is vulnerable to a denial of service, caused by an error in the Routing Information Protocol (RIP) service engine. By sending a specially-crafted RIPv4 or RIPv6 message to UDP port 520, a remote attacker could exploit this vulnerability to cause the RIP service engine to restart.
References: [CVE-2012-4091] [XFDB-87669] [BID-62838]

A UDP backdoor also uses this port.
 520 tcp efs not scanned ISC DHCP server 4.2 before 4.2.0-P2, when configured to use failover partnerships, allows remote attackers to cause a denial of service (communications-interrupted state and DHCP client service loss) by connecting to a port that is only intended for a failover peer, as demonstrated by a Nagios check_tcp process check to TCP port 520.
References: [CVE-2010-3616], [BID-45360]

Port IANA registered for Extended File Name Server
 522 tcp,udp applications not scanned NetMeeting 2.0 through 3.01
 523 udp ibm-db2 not scanned The DB2 Discovery Service for IBM DB2 before FixPak 10a allows remote attackers to cause a denial of service (crash) via a long packet to UDP port 523.
References: [CVE-2003-0827]

IBM-DB2 (TCP/UDP) (IANA official)
 524 tcp,udp applications not scanned Unspecified vulnerability in the NCP service in Novell eDirectory 8.8.5 before 8.8.5.6 and 8.8.6 before 8.8.6.2 allows remote attackers to cause a denial of service (hang) via a malformed FileSetLock request to port 524.
References: [CVE-2010-4327], [BID-46263]
 527 tcp,udp stx not scanned Stock IXChange [Fraxion Software] (IANA official)
 528 tcp,udp custix not scanned Customer IXChange [Fraxion Software] (IANA official)
 530 tcp trojan Premium scan W32.kibuv.worm

Vulnerabilities listed: 100 (some use multiple ports)