Port Classification & Attack Vectors

Understanding critical ports and their exploitation techniques

Critical Ports & Attack Methods

Port 21 - FTP (File Transfer Protocol)

Attack Vectors:
  • Anonymous login attempts
  • Brute force attacks
  • Banner grabbing for version info
  • FTP bounce attacks
# Anonymous access
ftp target.com
# Try: anonymous/anonymous, ftp/ftp, guest/guest
# Brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://target.com
medusa -h target.com -u admin -P /usr/share/wordlists/rockyou.txt -M ftp
# Banner grabbing
nc target.com 21
telnet target.com 21
# FTP vulnerability scan (pattern quoted so the shell does not expand it)
nmap -p 21 --script "ftp-*" target.com

Port 22 - SSH (Secure Shell)

Attack Vectors:
  • Brute force attacks
  • Key-based authentication abuse / leaked keys
  • Weak/legacy algorithms and version-specific flaws
# SSH brute force
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://target.com
medusa -h target.com -u root -P /usr/share/wordlists/rockyou.txt -M ssh
# SSH version & algorithms
ssh -v target.com
nmap -p 22 --script ssh2-enum-algos,ssh-hostkey target.com
# SSH user enumeration (where applicable)
python ssh_user_enum.py --port 22 --userList users.txt target.com
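
The defender's view of the SSH brute-force attempts listed above, as an added example that is not part of the original page: a detector over sshd auth-log lines that separates single-account brute force from password spraying and flags a login that follows a burst of failures. The log lines, the thresholds and the `analyze` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd log lines for the demo (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Jan 10 03:14:01 srv sshd[811]: Failed password for root from 192.0.2.10 port 40100 ssh2
Jan 10 03:14:02 srv sshd[811]: Failed password for root from 192.0.2.10 port 40102 ssh2
Jan 10 03:14:03 srv sshd[811]: Failed password for root from 192.0.2.10 port 40104 ssh2
Jan 10 03:14:04 srv sshd[811]: Failed password for root from 192.0.2.10 port 40106 ssh2
Jan 10 03:14:05 srv sshd[811]: Failed password for root from 192.0.2.10 port 40108 ssh2
Jan 10 03:14:06 srv sshd[811]: Accepted password for root from 192.0.2.10 port 40110 ssh2
Jan 10 04:00:01 srv sshd[902]: Failed password for invalid user admin from 198.51.100.7 port 5101 ssh2
Jan 10 04:00:09 srv sshd[903]: Failed password for invalid user oracle from 198.51.100.7 port 5102 ssh2
Jan 10 04:00:17 srv sshd[904]: Failed password for invalid user test from 198.51.100.7 port 5103 ssh2
Jan 10 04:00:25 srv sshd[905]: Failed password for invalid user guest from 198.51.100.7 port 5104 ssh2
Jan 10 04:00:33 srv sshd[906]: Failed password for deploy from 198.51.100.7 port 5105 ssh2
Jan 10 09:30:00 srv sshd[950]: Failed password for alice from 192.0.2.50 port 6001 ssh2
Jan 10 09:30:12 srv sshd[951]: Accepted password for alice from 192.0.2.50 port 6002 ssh2
"""

# Matches password-authentication events only; public-key logins are ignored here.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, fail_threshold=5, spray_users=4):
    """Return {source_ip: set of findings}; thresholds are assumed values to tune."""
    fails = defaultdict(int)   # failed attempts per source IP
    users = defaultdict(set)   # distinct usernames tried per source IP
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            fails[ip] += 1
            users[ip].add(user)
        elif fails[ip] >= fail_threshold:
            # A login right after a failure burst is the highest-priority signal.
            findings[ip].add("success-after-failures")
    for ip, count in fails.items():
        if count >= fail_threshold:
            kind = "password-spray" if len(users[ip]) >= spray_users else "brute-force"
            findings[ip].add(kind)
    return dict(findings)
```

A single mistyped password followed by a normal login (the `alice` lines) produces no finding, which keeps the alert volume usable.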

Port 23 - Telnet

Attack Vectors:
  • Default/weak credentials
  • Brute force attacks
  • Cleartext credential sniffing
# Telnet access
telnet target.com 23
# Brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt telnet://target.com
medusa -h target.com -u admin -P /usr/share/wordlists/rockyou.txt -M telnet
Common default credentials:
  • admin/admin
  • root/root
  • cisco/cisco
  • admin/password

Port 53 - DNS (Domain Name System)

Attack Vectors:
  • Zone transfer (AXFR) leaks
  • Open recursion & cache poisoning risk
  • DNS tunneling abuse
# Zone transfer
dig axfr @target.com domain.com
host -t axfr domain.com target.com
# DNS enumeration
dnsrecon -d target.com -a
fierce --domain target.com
# Recursion / amplification check
nmap -sU -p 53 --script dns-recursion,dns-cache-snoop target.com

Port 80/443 - HTTP/HTTPS

Attack Vectors:
  • Directory Traversal: access restricted directories and files
  • SQL Injection: manipulate DB via vulnerable inputs
  • Cross-site Scripting (XSS): inject client-side payloads
  • File Upload Vulns: upload web shells / arbitrary files
# Web enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/big.txt
nikto -h target.com
whatweb target.com
# SSL/TLS testing
sslscan target.com
testssl.sh target.com
# CMS / app scanners (examples)
wpscan --url http://target.com --enumerate ap,at,cb,dbe
joomscan --url http://target.com

Port 135 - RPC Endpoint Mapper

Attack Vectors:
  • RPC enumeration and service mapping
  • Abuse of MS-RPC services
# RPC enumeration
rpcinfo target.com
rpcclient -U "" target.com -N
# Impacket tools
python rpcmap.py target.com
# Nmap RPC scripts
nmap -p 135 --script rpc-grind target.com

Port 139/445 - SMB (Server Message Block)

Attack Vectors:
  • Null/guest sessions exposing shares
  • SMB relay & NTLM capture/replay
  • Legacy SMBv1 & critical RCE vulns
# SMB enumeration
smbclient -L //target.com -N
enum4linux target.com
smbmap -H target.com
# SMB vulnerability scanning (pattern quoted so the shell does not expand it)
nmap -p 445 --script "smb-vuln*" target.com
# EternalBlue-class checks (legacy)
nmap -p 445 --script smb-vuln-ms17-010 target.com
# SMB brute force
hydra -l administrator -P /usr/share/wordlists/rockyou.txt smb://target.com

Port 161 - SNMP (Simple Network Management Protocol)

Attack Vectors:
  • Guessable community strings
  • Extensive device info exposure
  • Config/credential leakage
# SNMP enumeration
snmpwalk -c public -v1 target.com
snmp-check target.com
# Community string brute force
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt target.com
# SNMP scanning (pattern quoted so the shell does not expand it)
nmap -sU -p 161 --script "snmp-*" target.com

Port 389/636 - LDAP/LDAPS

Attack Vectors:
  • Anonymous bind / directory dump
  • LDAP injection via apps
  • AD object enumeration (on Windows)
# LDAP enumeration
ldapsearch -x -h target.com -s base
ldapsearch -x -h target.com -b "dc=domain,dc=com"
# Anonymous bind check
ldapsearch -x -h target.com -s base namingcontexts
# LDAP brute force
hydra -l cn=admin,dc=domain,dc=com -P /usr/share/wordlists/rockyou.txt ldap2://target.com

Port 1433 - MSSQL

Attack Vectors:
  • Default/weak credentials
  • xp_cmdshell abuse for OS commands
  • Unencrypted DB traffic
# MSSQL enumeration
nmap -p 1433 --script ms-sql-info target.com
# MSSQL brute force
hydra -l sa -P /usr/share/wordlists/rockyou.txt mssql://target.com
# Impacket MSSQL client
python mssqlclient.py sa:password@target.com
# MSSQL vulnerability scan (pattern quoted so the shell does not expand it)
nmap -p 1433 --script "ms-sql-*" target.com

Port 3306 - MySQL

Attack Vectors:
  • Weak root credentials / no auth on exposed dev DBs
  • Privilege misconfig enabling file read/write
# MySQL enumeration
nmap -p 3306 --script mysql-info target.com
# MySQL brute force
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://target.com

Port 5432 - PostgreSQL

Attack Vectors:
  • Weak DB credentials
  • Extension abuse for code exec
# PostgreSQL enumeration
nmap -p 5432 --script pgsql-brute target.com

Port 3389 - RDP (Remote Desktop Protocol)

Attack Vectors:
  • Legacy RDP vulnerabilities (e.g., BlueKeep-era)
  • RDP brute force / password spray
  • Weak NLA / encryption settings
# RDP enumeration
nmap -p 3389 --script rdp-enum-encryption,rdp-ntlm-info -sV target.com
# RDP brute force
hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://target.com
# Vulnerability probing (use vendor/PoC scanners for specific CVEs)
rdpscan target.com

Port 5900 - VNC

Attack Vectors:
  • No/weak password
  • Cleartext session on older servers
# VNC check
nmap -p 5900 --script vnc-info,vnc-title target.com
# VNC brute force (be cautious)
hydra -P /usr/share/wordlists/rockyou.txt -t 4 vnc://target.com

Port 27017 - MongoDB

Attack Vectors:
  • Unauthenticated DB access
  • Open management interfaces
# MongoDB check
nmap -p 27017 --script mongodb-info target.com

Port 6379 - Redis

Attack Vectors:
  • Unauthenticated command execution
  • Persistence via authorized_keys write
# Redis check
nmap -p 6379 --script redis-info target.com

Port 8080/8443 - Alternate Web / Admin Panels

Attack Vectors:
  • Exposed admin consoles (Tomcat/JBoss, Jenkins, etc.)
  • Default creds / console RCE
# Probe alt web ports
nmap -p 8080,8443 --script http-title,http-headers -sV target.com
gobuster dir -u http://target.com:8080 -w /usr/share/wordlists/dirb/common.txt

Port 25 - SMTP

Attack Vectors:
  • Open relay misuse
  • User enumeration via VRFY/EXPN
  • Phishing footholds
# SMTP checks
nc target.com 25
telnet target.com 25
nmap -p 25 --script smtp-open-relay,smtp-enum-users target.com

Port 123 - NTP

Attack Vectors:
  • Reflection/amplification if misconfigured
  • Time spoofing impacts logs/auth
# NTP checks
nmap -sU -p 123 --script ntp-info,ntp-monlist target.com

Safety Reminder: Always operate within scope and maintenance windows. Prefer low-intensity scans first, escalate only when necessary, and document all actions for rollback.