Today, let’s look at a list of important ports to learn if you want to work in cyber security or a related field like networking. While you don’t have to learn these ports by heart right from the beginning, it can be very helpful to look through them now and then. Seeing them regularly will help you to recognize them when you come across them later.
But don’t sweat if this list seems intimidating. You will slowly learn these ports one by one through experience.
I will give a short description of the service that normally runs on each port. Now let’s begin.
HTTP – 80, 8080
HTTP is the protocol through which websites are served. When you visit a website via HTTP the traffic won’t be encrypted. If you now enter some login credentials and a hacker happened to sit nearby sniffing traffic with his Wifi adapter, he may be able to see your login credentials in plain text in a progam like Wireshark.
HTTPS – 443
Secure version of HTTP. All traffic is encrypted. You can recognize from the green lock symbol in your browser when a website uses HTTPS. If you are the owner of a website, it’s a good idea to redirect traffic that goes to the HTTP version of your site to the HTTPS version of your site.
FTP – 21
File Transfer Protocol. FTP is used to transfer files to and from servers. Say that you have a website and you need to upload documents to it with FileZilla. You are now using FTP. FileZilla is a kind of graphical interface for FTP.
SSH – 22
Secure Shell. When you connect to a server via SSH you can execute commands on the server via a terminal interface, just like in the cmd in Windows or the terminal in Linux. All the traffic that goes via SSH is encrypted. However SSH is still a popular port to attack for hackers. They will mainly attack it by trying to brute force the password. So, don’t use SSH with a weak password. Extra: if SFTP (Secure FTP) is active it also usually runs on this port as it uses the SSH protocol.
Telnet – 23
Telnet. The port we discussed before this is SSH. Well, Telnet is kind of the old SSH. It does the same thing – connect you to a system via a terminal interface – but is insecure. All the traffic that goes via Telnet is unencrypted. Therefore, never enable telnet. If you find it enabled anywhere, tell them to disable it. Telnet is always bad.
SMTP – 25
Simple Mail Transfer Protocol. This is a mail protocol used for sending e-mails. When you scan a target and find that this port and the IMAP port are both open, there is likely a mail server on the target.
DNS – 53
Domain Name Service. This is a protocol that translates domains to IP addresses and IP addresses to domains. When you type in ‘google.com’, DNS is the protocol that finds which IP address is connected to google.com to serve you the page.
TFTP – 69
Trivial File Transfer Protocol. This is a faster, simpler version of FTP. While FTP requires a two-way connection and authentication, TFTP only goes in one direction and doesn’t require authentication. You shouldn’t use TFTP unless necessary, because it’s not very secure.
Kerberos – 88
Kerberos is a mythical dog with three heads. But also it is a program that … Kerberos is often part of an Active Directory. It works with ‘tickets’. But that may not be a topic for now.
POP3 – 110
POP3. This is a protocol for retrieving e-mails. It’s somewhat outdated but still used widely.
NTP – 123
Network Time Protocol. This protocol makes sure that time is synchronized across systems. This seems like a trivial thing but if the time is out of sync on several systems that communicate with each other this can cause practical issues. NTP is not really a protocol that hackers can use to get into a system but if they disturb the way it works, they can cause trouble.
IMAP – 143
Internet Message Access Protocol. This is another protocol to retrieve e-mail beside POP3. It is a better, more modern protocol than POP3.
LDAP – 389
Lightweight Directory Access Protocol. This is a lightweight version of Directory Access Protocol. LDAP is used to extract data from a database or directory like Active Directory. In order to extract data with LDAP you first need to authenticate.
SMB – 445
Server Message Block is used in Windows to share files between multiple computers. A well known exploit of the SMB protocol is Eternal Blue (MS17-010). This exploit was developed by the NSA. It exploits a vulnerability in the way Microsoft implemented SMB. It allows remote access to a system.
Other ports related to SMB are 137 until 139.
IMAPs- 993, POP3s – 995
Those are the more secure versions of IMAP and POP3. Communications goes over SSL/TLS. TLS is recommended for security as it is the successor of SSL.
MySQL – 3306
MySQL is a database that uses port 3306 by default. SQL (Structured Query Language) is a language that is used to communicate with the database. Applications use SQL statements to get data from the database and insert data into the database. If a website has a MySQL database and doesn’t handle user input well, it may be vulnerable to SQL injection.
RDP – 3389
Remote Desktop Protocol. This is what the very friendly Microsoft ‘tech support’ guy will use when he wants to connect to your computer to help you with your Windows problem that you didn’t know about. Great service! 😉
(RDP gives remote access to the graphical interface of your computer. Using RDP you can do most things on a computer that a normal user can do.)
Is this a complete list of the important ports in cyber security?
If you made it to the end of this list, you now know about several ports that are important to learn if you want to work in cyber security. This is not a complete list, however these are ports you will probably come across often. Some of them won’t show up a lot in scans but are just useful to know, like port 53 (DNS) and 123 (NTP).