Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis. If you feel we should add other port(s) to the list or modify their descriptions, feedback and suggestions can be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 101 tcp,udp hostname not scanned Hostnames NIC Host Name Server. [RFC953] [RFC811]

Skun trojan also uses this port (TCP).
 102 tcp,udp iso-tsap Members scan Port used by X.400, X.500, ITOT, ISO-TSAP (Transport Service Access Point) protocol.

Microsoft Exchange uses this port for X.400 mail messaging traffic. No known vulnerabilities, but it is exposed to data-driven attacks similar to those common to SMTP, plus possible direct attacks, such as those seen with sendmail. Always statically route inbound mail to a protected/hardened email server.

X.500 Directory Service - Used to distribute user names, user info and public keys.
Security Concerns: Depending on the vendor implementation, probes can reveal valuable user info for follow-on attacks. On poorly configured servers, attackers can replace public keys for data capture or DoS purposes.

[RFC1006] [RFC2126]

Delf, Skun trojans also use this port (TCP).

Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to TCP port 102 (aka the ISO-TSAP port).
References: [CVE-2013-0700]

Siemens SIMATIC S7-1200 is vulnerable to a denial of service. By sending specially-crafted ISO-TSAP packets to TCP port 102, a remote attacker could exploit this vulnerability to cause the device to go into defect mode until a cold restart is performed.
References: [XFDB-109688] [EDB-38964]

A vulnerability in Siemens SIMATIC STEP 7 (TIA Portal) could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability using man-in-the-middle techniques to intercept or modify Siemens industrial communications at TCP port 102.
References: [CVE-2015-1601] [XFDB-101004] [BID-72691]

Siemens SIMATIC HMI Comfort Panels before WinCC (TIA Portal) 13 SP1 Upd2 and SIMATIC WinCC Runtime Advanced before WinCC (TIA Portal) 13 SP1 Upd2 allow man-in-the-middle attackers to cause a denial of service via crafted packets on TCP port 102.
References: [CVE-2015-2822]

Siemens SIMATIC S7-300 CPU devices allow remote attackers to cause a denial of service (defect-mode transition) via crafted packets on (1) TCP port 102 or (2) Profibus.
References: [CVE-2015-2177]

Siemens SIMATIC CP 343-1 Advanced devices before 3.0.44, CP 343-1 Lean devices, CP 343-1 devices, TIM 3V-IE devices, TIM 3V-IE Advanced devices, TIM 3V-IE DNP3 devices, TIM 4R-IE devices, TIM 4R-IE DNP3 devices, CP 443-1 devices, and CP 443-1 Advanced devices might allow remote attackers to obtain administrative access via a session on TCP port 102.
References: [CVE-2015-8214]

Siemens SIMATIC S7-1500 CPU devices before 1.8.3 allow remote attackers to bypass a replay protection mechanism via packets on TCP port 102.
References: [CVE-2016-2201]

Siemens SIMATIC S7-1500 CPU devices before 1.8.3 allow remote attackers to cause a denial of service (STOP mode transition) via crafted packets on TCP port 102.
References: [CVE-2016-2200], [XFDB-110522]

Siemens SIMATIC S7-300 is vulnerable to a denial of service. By sending specially-crafted packets to TCP port 102, a remote attacker could exploit this vulnerability to cause the device to go into defect mode.
References: [CVE-2016-3949] [XFDB-113903]

An Improper Authentication issue was discovered in Siemens SIMATIC CP 44x-1 RNA, all versions prior to 1.4.1. An unauthenticated remote attacker may be able to perform administrative actions on the Communication Process (CP) of the RNA series module, if network access to Port 102/TCP is available and the configuration file for the CP is stored on the RNA's CPU.
References: [CVE-2017-6868], [BID-99234]

A vulnerability has been identified in Firmware variant IEC 61850 for EN100 Ethernet module (All versions < V4.33), Firmware variant PROFINET IO for EN100 Ethernet module (All versions), Firmware variant Modbus TCP for EN100 Ethernet module (All versions), Firmware variant DNP3 TCP for EN100 Ethernet module (All versions), Firmware variant IEC104 for EN100 Ethernet module (All versions). Specially crafted packets to port 102/tcp could cause a denial-of-service condition in the EN100 communication module if oscillographs are running. A manual restart is required to recover the EN100 module functionality. Successful exploitation requires an attacker with network access to send multiple packets to the EN100 module. As a precondition the IEC 61850-MMS communication needs to be activated on the affected EN100 modules. No user interaction or privileges are required to exploit the security vulnerability. The vulnerability could allow causing a Denial-of-Service condition of the network functionality of the device, compromising the availability of the system. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2018-11452]

A vulnerability has been identified in SIMATIC ET 200SP Open Controller CPU 1515SP PC (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (All versions), SIMATIC S7-1200 CPU family (All versions >= V4.0), SIMATIC S7-1500 CPU family (All versions), SIMATIC S7-1500 Software Controller (All versions), SIMATIC S7-PLCSIM Advanced (All versions). An attacker with network access to port 102/tcp could potentially modify the user program on the PLC in a way that the running code is different from the source code which is stored on the device. An attacker must have network access to affected devices and must be able to perform changes to the user program. The vulnerability could impact the perceived integrity of the user program stored on the CPU. An engineer that tries to obtain the code of the user program running on the device, can receive different source code that is not actually running on the device. No public exploitation of the vulnerability was known at the time of advisory publication.
References: [CVE-2019-10943]

A vulnerability has been identified in SIMATIC ET 200SP Open Controller CPU 1515SP PC (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (All versions), SIMATIC S7-1200 CPU family (All versions >= V4.0), SIMATIC S7-1500 CPU family (All versions), SIMATIC S7-1500 Software Controller (All versions), SIMATIC S7-PLCSIM Advanced (All versions). An attacker in a Man-in-the-Middle position could potentially modify network traffic exchanged on port 102/tcp, due to certain properties in the calculation used for integrity protection. In order to exploit the vulnerability, an attacker must be able to perform a Man-in-the-Middle attack. The vulnerability could impact the integrity of the communication. No public exploitation of the vulnerability was known at the time of advisory publication.
References: [CVE-2019-10929], [XFDB-174097]

A vulnerability has been identified in SINUMERIK 808D (All versions), SINUMERIK 828D (All versions < V4.95). Affected devices do not correctly process certain specially crafted packets sent to port 102/tcp, which could allow an attacker to cause a denial-of-service in the device.
References: [CVE-2021-37199]

Affected devices improperly handle specially crafted packets sent to port 102/tcp. This could allow an attacker to create a denial of service condition. A restart is needed to restore normal operations.
References: [CVE-2023-46156]
 103 tcp,udp gppitnp not scanned MS Exchange X.400 mail messaging traffic.

Trojans that use this port: Skun

Genesis Point-to-Point Trans Net (IANA registered)
 105 tcp,udp ccso not scanned IANA assigned to CCSO name server protocol (mailbox name nameserver). [RFC2378]

Backdoor.Nerte [Symantec-2001-110909-3147-99] also uses this port (TCP).

Buffer overflow in Mercury Mail Transport System 4.01b allows remote attackers to execute arbitrary code via a long request to TCP port 105.
References: [CVE-2005-4411], [BID-16396]
 106 tcp poppassd not scanned (TCP) poppassd (aka. epass) allows passwords to be changed on POP servers. Traditionally, users would have to have shell (Telnet) accounts on the servers in order to change their passwords. This allows users with just POP access to change their passwords.
The exchange looks something like:

S: 200 Hello
C: user robert
S: 300 Please send current password
C: pass mypassword
S: 200 send New Pass Word
C: newpass newpassword
S: 200 successful
C: quit

The protocol was originally developed for Eudora. Eudora Internet Mail Server versions 1.2, 2.0 and 2.01 are subject to a DoS: if you connect to this server and enter the command "USER xxxxxx" with more than 1000 characters, the service will crash.

Apple Mac OS X Password Server and City of Heroes also use this port.

Mail Management Agent (MAILMA) (a.k.a. Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames via user requests to TCP port 106.
References: [CVE-2006-0129]

Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.
References: [CVE-1999-1113] [BID-75]
 107 tcp trojan Premium scan Backdoor.Skun [Symantec-2002-120514-4425-99]
 109 tcp,udp pop2 not scanned Post Office Protocol 2 (obsolete). While POP2 has largely been replaced by POP3, hackers still scan for this port because many older POP servers have vulnerabilities associated with them. [RFC937]

ADM trojan also uses this port (TCP).
 110 udp pop-or-not Basic scan POP3 server traffic (should be TCP only?)

Final Fantasy XI also uses this port.
 110 tcp POP3 Basic scan POP3 (Post Office Protocol - Version 3)

Security Concerns: Reusable cleartext passwords and no auditing of connections and attempts, so the service is subject to password grinding. Some POP3 server versions have had buffer overflow problems. CERT Advisories: CA-97.09

ADM, ProMail trojans also use port 110 (TCP).

Integer overflow in inetcomm.dll in Microsoft Outlook Express 5.5 SP2, 6, and 6 SP1; Windows Live Mail on Windows XP SP2 and SP3, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7; and Windows Mail on Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote e-mail servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) POP3 or (2) IMAP response, as demonstrated by a certain +OK response on TCP port 110, aka "Outlook Express and Windows Mail Integer Overflow Vulnerability."
References: [CVE-2010-0816] [BID-40052]

Integer overflow in eXtremail 2.1.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long USER command containing "%s" sequences to the pop3 port (110/tcp), which are expanded to "%%s" before being used in the memmove function, possibly due to an incomplete fix for [CVE-2001-1078].
References: [CVE-2007-5467] [BID-26074] [SECUNIA-27220]

The POP3 service in YahooPOPs (aka YPOPs!) 1.6 allows a remote denial of service (reboot) via a long string to TCP port 110, a related issue to CVE-2004-1558.
References: [CVE-2024-24736]
 111 tcp,udp SunRPC Basic scan Provides information between Unix-based systems. The port is often probed; it can be used to fingerprint the *nix OS and to obtain information about available services. The port is used with NFS, NIS, or any RPC-based service.

Port 111 was designed by Sun Microsystems as a component of their Network File System. It is also known as Open Network Computing Remote Procedure Call (ONC RPC). Port 111 is a port mapper with similar functions to Microsoft's port 135 or DCOM DCE.

Security Concerns: Provides the RPC port map without authentication and has no filtering or logging, so rpcinfo probes can quickly find your Unix hosts. Shut down portmapper on any hosts not requiring RPC services, and ensure it is blocked at network perimeters.

Trojans that use this port: ADM worm, MscanWorm, Sadmind/IIS Worm

NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111.
References: [CVE-1999-1349]

PORTSERV.exe in Emerson DeltaV and DeltaV Workstations 9.3.1, 10.3.1, 11.3, and 11.3.1 and DeltaV ProEssentials Scientific Graph 5.0.0.6 allows remote attackers to cause a denial of service (daemon crash) via a crafted (1) TCP or (2) UDP packet to port 111.
References: [CVE-2012-1816] [BID-53591] [SECUNIA-49210] [OSVDB-82012]

Vestel TV 42pf9322 is vulnerable to a denial of service. By sending a specially-crafted request containing an overlong string argument to port 111, a remote attacker could exploit this vulnerability to cause the device to malfunction.
References: [XFDB-87101] [BID-62394] [EDB-28271]

MiCOM C264 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the RPC service. By sending specially-crafted data to port 111, an attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.
References: [XFDB-111158]

A vulnerability in BrightStor ARCserve Backup can be exploited to cause a DoS (Denial of Service). The vulnerability is caused by a NULL pointer dereference error when handling TADDR2UADDR (0x08) request types within the CA Remote Procedure Call Server service (CATIRPC.EXE). This can be exploited to crash the service by sending a specially crafted packet to port 111/UDP.
References: [CVE-2007-0816] [SECUNIA-24009]

The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.
References: [CVE-2017-8804], [BID-98339]

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
References: [CVE-2017-8779], [BID-98325]

On Junos OS, rpcbind should only be listening to port 111 on the internal routing instance (IRI). External packets destined to port 111 should be dropped. Due to an information leak vulnerability, responses were being generated from the source address of the management interface (e.g. fxp0) thus disclosing internal addressing and existence of the management interface itself. A high rate of crafted packets destined to port 111 may also lead to a partial Denial of Service (DoS). Note: Systems with fxp0 disabled or unconfigured are not vulnerable to this issue. This issue only affects Junos OS releases based on FreeBSD 10 or higher (typically Junos OS 15.1+). Administrators can confirm whether systems are running a version of Junos OS based on FreeBSD 10 or higher by typing:

user@junos> show version | match kernel
JUNOS OS Kernel 64-bit [20181214.223829_fbsd-builder_stable_10]

Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X53 versions prior to 15.1X53-D236; 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8; 17.3 versions prior to 17.3R2; 17.4 versions prior to 17.4R1-S1, 17.4R1-S7, 17.4R2. This issue does not affect Junos OS releases prior to 15.1.
References: [CVE-2019-0040], [BID-107902], [XFDB-159358]
 112 tcp,udp mcidas not scanned McIDAS Data Transmission Protocol (IANA official)
 113 tcp,udp IDENT Basic scan Port 113 used for Identification/Authorization service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC, FTP, etc. that remote server sends back a query to the IDENT port 113 asking for identification from your system...

Port 113 can be probed by attackers and it poses some security concerns, but the problem with filtering/stealthing port 113 is that if legitimate requests get no response at all from port 113 queries, the connection to them (which initiated their query in the first place) will be delayed or perhaps even completely abandoned.

The simplest solution is to close, rather than filter port 113.

Some trojans also use this port: ADM worm, Alicia, Cyn, DataSpy Network X, Dosh, Gibbon, Invisible Identd Deamon, Kazimas, Taskman, W32.Korgo.F
W32.Bofra.C@mm [Symantec-2004-111113-3948-99] (2004.11.11) - It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
W32.Linkbot.A [Symantec-2004-110516-3932-99] (2004.11.05) - worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability. It also creates an IRC backdoor and attempts to install adware on the infected machine. It can affect all current Windows versions. Listens on port 113/tcp for remote commands.
W32.Spybot.LZI [Symantec-2005-040609-3623-99] (2005.04.06) - worm that attempts to exploit the MS DCOM RPC vulnerability on ports 135, 445 & 1025. Opens a backdoor on port 113.
W32.Linkbot.M [Symantec-2005-052109-2651-99] (2005.05.21) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.

Stack-based buffer overflow in TinyIdentD 2.2 and earlier allows remote attackers to execute arbitrary code via a long string to TCP port 113.
References: [CVE-2007-2711] [BID-23981] [SECUNIA-25248] [OSVDB-36053]

Backdoor.Win32.Whisper.b / Remote Stack Corruption - Whisper.b listens on TCP port 113 and connects to port 6667, deletes itself, and drops an executable named rundll32.exe in the Windows\System directory. The malware is prone to stack corruption issues when receiving unexpected characters of random sizes.
References: [MVID-2021-0039]
 114 tcp,udp audionews not scanned Audio News Multicast
 116 tcp,udp ansanotify not scanned ANSA REX Notify (IANA official)
 118 udp trojan not scanned Infector 1.4.2 trojan horse
 119 udp NNTP Basic scan NNTP (Network News Transfer Protocol) control messages.
 119 tcp trojan Premium scan Happy99/Ska trojan
 120 tcp trojan Premium scan Backdoor.Skun [Symantec-2002-120514-4425-99]

CFDPTKT (TCP/UDP) (IANA official)
 121 tcp erpc Premium scan trojans/backdoors that use this port:
Attack Bot (files: Sysadmin.exe-181KB, Mpeg.exe, affects Windows 9x/ME)
God Message (ports 80,121,7777, a.k.a. BackDoor.AB.gen, JS.Trojan.WindowBomb, affects Windows 9x/ME/NT/2k)
JammerKillah (files: Jammerkillah.zip, Jammerkillah.exe, Mswin32.drv, affects Windows 9x/ME)
BO jammerkilla

Encore Expedited Remote Pro.Call (IANA official)
 122 tcp,udp smakynet not scanned SMAKYNET (IANA official)
 123 udp NTP Basic scan Network Time Protocol (NTP) - used for time synchronization [RFC 5905]

Security Concerns:
It provides both information and a possible avenue of attack for intruders. Info gathered can include system uptime, time since reset, time server pkt, I/O & memory statistics and ntp peer list. If a host is susceptible to time altering via NTP, an attacker can possibly:
1) Run replay attacks using captured OTP and Kerberos tickets before they expire.
2) Stop security-related cron jobs from running or cause them to run at incorrect times.
3) Make system and audit logs unreliable since time is alterable.

Vodafone Sure Signal also uses this port
 123 tcp trojan Premium scan Net Controller trojan

Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks.
References: [CVE-2019-11331], [BID-108010], [XFDB-159889]
 124 tcp,udp ansatrader not scanned SecurID (UDP)

ANSA REX Trader (IANA official)
 125 tcp misc not scanned Port is sometimes unofficially used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of an ISP block on port 25.

Locus PC-Interface Net Map Ser (TCP/UDP) (IANA official)
 127 udp games not scanned Command and Conquer Generals

Locus PC-Interface Conn Server (TCP/UDP) (IANA official)
 128 tcp,udp gss-xlicen not scanned GSS X License Verification (IANA official)
 129 tcp,udp pwdgen not scanned Password Generator Protocol (IANA official)
 130 tcp,udp cisco-fna not scanned cisco FNATIVE (IANA official)
 131 tcp,udp cisco-fna not scanned cisco FNATIVE (IANA official)
 132 tcp,udp cisco-sys not scanned cisco SYSMAINT (IANA official)
 133 tcp trojan Premium scan Farnaz

Statistics Service (TCP/UDP) (IANA official)
 134 tcp,udp ingres-net not scanned INGRES-NET Service (IANA official)
 135 tcp,udp loc-srv Basic scan Remote Procedure Call (RPC) port 135 is used in client/server applications (might be on a single machine) such as Exchange clients, the recently exploited messenger service, as well as other Windows NT/2K/XP software. If you have remote users who VPN into your network, you might need to open this port on the firewall to allow access to the Exchange server.

There is an RPC vulnerability (in RPC's Endpoint Mapper component) in Windows NT where a malformed request to port 135 could cause denial of service (DoS). RPC contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data. To restore normal functionality, the victim has to reboot the system. Alternatively, you can upgrade/patch your OS (a patch is downloadable from Microsoft), or you can close port 135.

Port 135 is used by Messenger Service (not MSN Messenger) and exploited in popup net send messenger spam [MSKB 330904]. To stop the popups you'd need to filter port 135 at the firewall level or stop the messenger service. The service uses all the following ports: 135/tcp, 135/udp, 137/udp, 138/udp, 139/tcp, 445/tcp.

MS Security Bulletin [MS03-026] outlines another critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.

W32.Blaster.Worm [Symantec-2003-081113-0229-99] - a widely spread worm that exploits the DCOM RPC vulnerability described above (MS Security Bulletin [MS03-026]). The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.

W32.Reatle.E@mm [Symantec-2005-080215-5809-99] - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability [MS03-026] on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.

A vulnerability has been identified in LOGO!8 BM (incl. SIPLUS variants) (All versions). The vulnerability could lead to an attacker reading and modifying the device configuration and obtaining project files from affected devices. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 135/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2020-7589], [XFDB-183129]
 136 tcp,udp profile not scanned PROFILE Naming System (IANA official)
 137 tcp,udp netbios-ns Basic scan NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.

NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)

By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:

1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.

Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.

There is also a Critical Windows RPC vulnerability affecting ports 135, 139 and 445, as detailed here: MS Technet Security Bulletin [MS03-026]

The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega [Symantec-2003-080813-3234-99] (2003.08.08) - worm with backdoor capabilities, opens TCP ports 139 and 445.
W32.Crowt.A@mm [Symantec-2005-012310-2158-99] (2005.01.23) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
W32.Reidana.A [Symantec-2005-032515-4042-99] (2005.03.27) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.

Windows Internet Naming Service (WINS) also uses this port (UDP).

Sygate Personal Firewall comes with a default rule set that blocks all UDP requests; however, UDP requests that originate from source port 137 or 138 are allowed, so a malicious person could get access to all open UDP ports on a target merely by sending all requests from source port 137 or 138.
References: [SECUNIA-7930]
 138 tcp,udp netbios-dgm Basic scan NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.

NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)

By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:

1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.

Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.

The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega [Symantec-2003-080813-3234-99]

Sygate Personal Firewall comes with a default rule set that blocks all UDP requests; however, UDP requests that originate from source port 137 or 138 are allowed, so a malicious person could get access to all open UDP ports on a target merely by sending all requests from source port 137 or 138.
References: [SECUNIA-7930]
 139 tcp,udp netbios-ss Basic scan NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be. There are a number of vulnerabilities associated with leaving this port open.

NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)

By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:

1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.

Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.

There is also a Critical Windows RPC vulnerability affecting ports 135, 139 and 445, as detailed here: MS Technet Security Bulletin [MS03-026]

The following trojans/backdoors also use these ports:
Chode, God Message worm, Msinit, Netlog, Network, Qaz

W32.HLLW.Moega [Symantec-2003-080813-3234-99]

W32.Reidana.A [Symantec-2005-032515-4042-99] (2005.03.27) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.

W32.Klez worm [Symantec-2002-031910-1028-99] - a class of worms that collects email addresses from an infected computer's Windows address book and propagates using its own SMTP server. As of April 26, 2002, there are nine variants of the Klez worm that all exploit the "Microsoft Internet Explorer Incorrect MIME header" vulnerability, which causes an email attachment to be automatically executed when an HTML email is previewed by a Microsoft Outlook or Outlook Express user. The worm can arrive as an email attachment with one of the following file extensions: asp, bak, c, cpp, doc, htm, html, jpg, mp3, mpg, mpeg, pas, rtf, wab, or xls.

W32.Sircam.Worm [Symantec-2001-071720-1640-99] - a computer worm that propagates by e-mail from Microsoft Windows systems. It also spreads via open shares on a network. Sircam scans the network for computers with shared drives and copies itself to a machine with an open (non-password protected) drive or directory.

Buffer overflow in a certain driver in Cisco Security Agent 4.5.1 before 4.5.1.672, 5.0 before 5.0.0.225, 5.1 before 5.1.0.106, and 5.2 before 5.2.0.238 on Windows allows remote attackers to execute arbitrary code via a crafted SMB packet in a TCP session on port (1) 139 or (2) 445.
References: [CVE-2007-5580] [BID-26723] [SECUNIA-27947] [OSVDB-39521]

Server Message Block (SMB) also uses this port. It is used by Microsoft Windows file and print services, such as Windows Sharing in Mac OS X.
 140 tcp,udp emfis-data not scanned EMFIS Data Service (IANA official)
 141 tcp,udp emfis-cntl not scanned EMFIS Control Service (IANA official)
 142 tcp trojan Premium scan NetTaxi trojan

Britton-Lee IDM (TCP/UDP) (IANA official)
 143 tcp,udp IMAP Basic scan IMAP (Internet Mail Access Protocol) mail server uses this port. See also port 993/tcp.

Numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for a while, there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when Red Hat enabled the service by default on its distributions. This port is also used for IMAP2, but that version wasn't very popular. Several people have noted attacks from port 0 to port 143, which appear to be from some attack script.

MailServer.exe in NoticeWare Email Server 4.6.1.0 allows remote attackers to cause a denial of service (application crash) via a long string to IMAP port (143/tcp).
References: [CVE-2008-1713] [BID-28559] [SECUNIA-29629]

Format string vulnerability in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit imap-2007d and other applications, allows remote attackers to execute arbitrary code via format string specifiers in the initial request to the IMAP port (143/tcp). NOTE: Red Hat has disputed the vulnerability, stating "The Red Hat Security Response Team have been unable to confirm the existence of this format string vulnerability in the toolkit, and the sample published exploit is not complete or functional." CVE agrees that the exploit contains syntax errors and uses Unix-only include files while invoking Windows functions.
References: [CVE-2009-0671] [BID-33795]

ADM trojan also uses this port (TCP).
 144 tcp,udp uma not scanned Universal Management Architecture (IANA official)
 145 tcp,udp uaac not scanned UAAC Protocol (IANA official)
 146 tcp trojans Premium scan Infector trojan, 04,1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000

ISO-IP0 (TCP/UDP) (IANA official)
 147 tcp,udp iso-ip not scanned ISO-IP (IANA official)
 148 tcp,udp jargon not scanned CRONUS-SUPPORT

Jargon (IANA official)
 149 tcp,udp aed-512 not scanned AED 512 Emulation Service (IANA official)
 150 tcp,udp sql-net not scanned Denial of service of Ascend routers through port 150 (remote administration).
References: [CVE-1999-0221]

SQL-NET (IANA official)
 151 tcp,udp hems not scanned HEMS (IANA official)
 154 tcp,udp netsc-prod not scanned NETSC (IANA official)
 155 tcp,udp netsc-dev not scanned NETSC (IANA official)
 157 tcp,udp knet-cmp not scanned KNET/VM Command/Message Protocol (IANA official)
 159 tcp,udp nss-routing not scanned NSS-Routing (IANA official)
 160 tcp,udp sgmp-traps not scanned SGMP-TRAPS (IANA official)
 161 udp SNMP Basic scan Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications. Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162.

Brother MFC printers use ports 137 UDP and 161 UDP (network printing and remote setup), 54925/udp (network scanning), 54926 UDP (PC fax receiving). Some may also open port 21 TCP (scan to FTP feature).

Apple AirPort Express prior to 6.1.1 and Extreme prior to 5.5.1, configured as a Wireless Data Service (WDS), allows remote attackers to cause a denial of service (device freeze) by connecting to UDP port 161 and before link-state change occurs.
References: [CVE-2005-0289], [BID-12152]

The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513.
References: [CVE-2012-4703]

Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).
References: [CVE-2013-2780]

Cisco Catalyst 2900 XL series switches are vulnerable to a denial of service, caused by an empty UDP packet. If SNMP is disabled, a remote attacker can connect to port 161 and send an empty UDP packet to cause the switch to crash.
References: [CVE-2001-0566], [XFDB-6515]

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in BMXNOR0200H Ethernet / Serial RTU module (all firmware versions) and Modicon M340 controller (all firmware versions), which could cause denial of service when truncated SNMP packets on port 161/UDP are received by the device.
References: [CVE-2019-6813]
 162 udp SNMP Basic scan Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.

Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162.

Format string vulnerability in the snmp_input function in snmptrapd in CMU SNMP utilities (cmu-snmp) allows remote attackers to execute arbitrary code by sending crafted SNMP messages to UDP port 162.
References: [CVE-2006-0250], [BID-16267]

Memory leak in the SNMP process in Cisco IOS XR allows remote attackers to cause a denial of service (memory consumption or process reload) by sending many port-162 UDP packets, aka Bug ID CSCug80345.
References: [CVE-2013-1204]

Cisco Hosted Collaboration Mediation allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed UDP packets on port 162, aka Bug ID CSCug85756.
References: [CVE-2013-3381]
 163 tcp,udp cmip-man not scanned CMIP/TCP Manager (IANA official)
 164 tcp,udp cmip-agent not scanned CMIP/TCP Agent (IANA official)
 165 tcp applications not scanned The SNMPc Server (crserv.exe) process in Castle Rock Computing SNMPc allows remote attackers to cause a denial of service (crash) via a crafted packet to port 165/TCP.
References: [CVE-2007-3098], [BID-24292]

Port is also IANA registered for Xerox.
 166 tcp trojan Premium scan NokNok

Sirius Systems (TCP/UDP) (IANA official)
 167 tcp,udp namp not scanned NAMP (IANA official)
 168 tcp,udp rsvd not scanned RSVD (IANA official)
 169 tcp,udp send not scanned SEND (IANA registered)
 170 tcp trojan Premium scan A-Trojan
 171 tcp trojan Premium scan A-Trojan

Network Innovations Multiplex (TCP/UDP) (IANA official)
 172 tcp,udp cl-1 not scanned Network Innovations CL 1 (IANA official)
 173 tcp trojan Premium scan Nestea trojan

Xyplex (TCP/UDP) (IANA official)
 174 tcp,udp mailq not scanned MAILQ (IANA official)
 176 tcp,udp genrad-mux not scanned GENRAD-MUX (IANA official)
 177 tcp xdmcp Premium scan Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well in order to really succeed.
 178 tcp,udp nextstep not scanned NextStep Window Server (IANA official)
 179 tcp,udp,sctp bgp not scanned Border Gateway Protocol (IANA official)
See also [RFC 4960]

Brocade BigIron RX switches allow remote attackers to bypass ACL rules by using 179 as the source port of a packet.
References: [CVE-2011-2760] [BID-48663] [SECUNIA-45217] [OSVDB-73869]
 180 tcp,udp ris not scanned Intergraph (IANA official)
 181 tcp,udp unify not scanned Unify [Daegis_Inc] (IANA official)
 182 tcp,udp audit not scanned Unisys Audit SITP (IANA official)
 183 tcp,udp ocbinder not scanned OCBinder (IANA official)
 184 tcp,udp ocserver not scanned OCServer (IANA official)
 185 tcp,udp remote-kis not scanned Remote-KIS (IANA official)
 186 tcp,udp kis not scanned KIS Protocol (IANA official)
 187 tcp,udp aci not scanned Application Communication Interface (IANA official)
 188 tcp,udp mumps not scanned Plus Five's MUMPS (IANA official)
 189 tcp,udp qft not scanned Akuvox C315 115.116.2613 allows remote command injection via the cfgd_server service. The attack vector is sending a payload to port 189 (default root 0.0.0.0).
References: [CVE-2021-31726]

Queued File Transport (IANA official)
 190 tcp,udp gacp not scanned Gateway Access Control Protocol (IANA official)
 191 tcp,udp prospero not scanned Prospero Directory Service (IANA official)
 192 udp applications not scanned Apple AirPort Base Station PPP status or discovery (certain configurations), AirPort Admin Utility, AirPort Express Assistant

OSU Network Monitoring System (TCP/UDP) (IANA official)
 193 tcp,udp srmp not scanned Spider Remote Monitoring Protocol (IANA official)
 194 tcp,udp IRC Members scan Internet Relay Chat Protocol
 195 tcp,udp dn6-nlm-aud not scanned DNSIX Network Level Module Audit (IANA official)
 196 tcp,udp dn6-smm-red not scanned DNSIX Session Mgt Module Audit Redir (IANA official)
 197 tcp,udp dls not scanned Directory Location Service (IANA official)
 198 tcp,udp dls-mon not scanned Directory Location Service Monitor (IANA official)
 199 tcp,udp smux not scanned A vulnerability in the TCP/IP stack of Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), and Cisco Secure Email and Web Manager, formerly Security Management Appliance, could allow an unauthenticated, remote attacker to crash the Simple Network Management Protocol (SNMP) service, resulting in a denial of service (DoS) condition. This vulnerability is due to an open port listener on TCP port 199. An attacker could exploit this vulnerability by connecting to TCP port 199. A successful exploit could allow the attacker to crash the SNMP service, resulting in a DoS condition.
References: [CVE-2022-20675]

SMUX (IANA official)
 200 tcp trojan Premium scan America's Army

CyberSpy trojan

IBM System Resource Controller (IANA official)
 201 tcp trojan Premium scan One Windows Trojan

AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused
 202 tcp trojans Premium scan One Windows Trojan, Backdoor.Skun [Symantec-2002-120514-4425-99]

AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused
 203 tcp,udp at-3 not scanned AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused
 204 tcp,udp at-echo not scanned AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused
 205 tcp,udp at-5 not scanned AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused
 206 tcp,udp at-zis not scanned AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused
 207 tcp,udp at-7 not scanned AppleTalk uses these ports:
201 (TCP/UDP) - AppleTalk Routing Maintenance
202 (TCP/UDP) - AppleTalk Name Binding
203 (TCP/UDP) - AppleTalk Unused
204 (TCP/UDP) - AppleTalk Echo
205 (TCP/UDP) - AppleTalk Unused
206 (TCP/UDP) - AppleTalk Zone Information
207 (TCP/UDP) - AppleTalk Unused
208 (TCP/UDP) - AppleTalk Unused

Vulnerabilities listed: 100 (some use multiple ports)