khanfarris
ports
- 20 — FTP (Data)
  - Protocol: TCP
  - Usage: File Transfer Protocol data channel
  - Security: Unencrypted, vulnerable to MITM attacks
  - Watch for: Suspicious file transfers, privilege escalation attempts
- 21 — FTP (Control)
  - Protocol: TCP
  - Usage: File Transfer Protocol control commands
  - Security: Unencrypted authentication, weak protocols
  - Watch for: Brute force attacks, anonymous login attempts
- 22 — SSH
  - Protocol: TCP
  - Usage: Secure Shell remote administration
  - Security: Encrypted, strong authentication
  - Watch for: Brute force attacks, unusual login times/locations
- 23 — Telnet
  - Protocol: TCP
  - Usage: Unencrypted remote terminal access
  - Security: Unencrypted, credentials exposed
  - Watch for: Any usage (should be replaced with SSH), password sniffing
- 25 — SMTP
  - Protocol: TCP
  - Usage: Mail server communication
  - Security: Unencrypted by default
  - Watch for: Spam, phishing emails, relay attacks, DDoS amplification
- 53 — DNS
  - Protocol: TCP/UDP
  - Usage: Domain name resolution
  - Security: Unencrypted by default (DNS over HTTPS/TLS available)
  - Watch for: DNS tunneling, DDoS amplification, cache poisoning
- 80 — HTTP
  - Protocol: TCP
  - Usage: Web browsing, HTTP traffic
  - Security: Unencrypted, credentials in plaintext
  - Watch for: Credential harvesting, sensitive data exposure, malware downloads
- 88 — Kerberos
  - Protocol: TCP/UDP
  - Usage: Network authentication protocol
  - Security: Encrypted tickets, time-bound authentication
  - Watch for: Golden ticket attacks, ticket replay attacks, time skew attacks
- 110 — POP3
  - Protocol: TCP
  - Usage: Email retrieval from mail server
  - Security: Unencrypted authentication and data
  - Watch for: Credential theft, email interception, brute force attacks
- 111 — RPCbind
  - Protocol: TCP/UDP
  - Usage: Maps RPC program numbers to ports
  - Security: Vulnerable, often exposed
  - Watch for: Enumeration attempts, unauthorized service discovery, RPC exploits
- 135 — MSRPC
  - Protocol: TCP
  - Usage: Microsoft RPC endpoint mapper
  - Security: Vulnerable to enumeration and exploitation
  - Watch for: EternalBlue, DCE/RPC exploits, unauthorized enumeration
- 139 — NetBIOS-SSN
  - Protocol: TCP
  - Usage: NetBIOS session service, legacy Windows file sharing
  - Security: Unencrypted, NTLM authentication
  - Watch for: Pass-the-hash, NTLM relay, SMB exploits
- 143 — IMAP
  - Protocol: TCP
  - Usage: Email access protocol
  - Security: Unencrypted authentication and mail content
  - Watch for: Credential theft, email interception, unauthorized access
- 161 — SNMP
  - Protocol: UDP
  - Usage: Network device monitoring and management
  - Security: Weak community strings, information disclosure
  - Watch for: Default community strings, network reconnaissance, OID brute force
- 389 — LDAP
  - Protocol: TCP/UDP
  - Usage: Directory services authentication
  - Security: Unencrypted by default, bind attacks
  - Watch for: Null bind attacks, LDAP injection, credential harvesting
- 443 — HTTPS
  - Protocol: TCP
  - Usage: Encrypted web traffic
  - Security: TLS/SSL encrypted
  - Watch for: TLS downgrade attacks, weak ciphers, certificate issues, malware C2
- 445 — SMB
  - Protocol: TCP
  - Usage: Windows file sharing, print services
  - Security: Frequently exploited (EternalBlue, pass-the-hash)
  - Watch for: Lateral movement, ransomware propagation, Null sessions, Kerberoasting
- 636 — LDAPS
  - Protocol: TCP
  - Usage: Secure LDAP over SSL/TLS
  - Security: Encrypted LDAP
  - Watch for: Weak SSL/TLS, certificate issues, LDAP injection
- 993 — IMAPS
  - Protocol: TCP
  - Usage: Secure IMAP over SSL/TLS
  - Security: Encrypted email access
  - Watch for: Certificate issues, weak ciphers, brute force attacks
- 995 — POP3S
  - Protocol: TCP
  - Usage: Secure POP3 over SSL/TLS
  - Security: Encrypted email retrieval
  - Watch for: Certificate issues, weak ciphers, brute force attacks
- 1433 — MSSQL
  - Protocol: TCP
  - Usage: Microsoft SQL Server
  - Security: SQL injection vulnerabilities
  - Watch for: SQL injection, brute force, unauthorized access, data exfiltration
- 3306 — MySQL
  - Protocol: TCP
  - Usage: MySQL database server
  - Security: Weak authentication, SQL injection
  - Watch for: SQL injection, brute force, privilege escalation, data exfiltration
- 3389 — RDP
  - Protocol: TCP
  - Usage: Remote Desktop Protocol
  - Security: Targeted by ransomware, brute force attacks
  - Watch for: Brute force, BlueKeep exploits, unauthorized access, lateral movement
- 5432 — PostgreSQL
  - Protocol: TCP
  - Usage: PostgreSQL database server
  - Security: SQL injection, weak auth
  - Watch for: SQL injection, brute force, unauthorized database access
- 5985 — WinRM HTTP
  - Protocol: TCP
  - Usage: Windows Remote Management
  - Security: Unencrypted by default
  - Watch for: Credential theft, pass-the-hash, lateral movement
- 5986 — WinRM HTTPS
  - Protocol: TCP
  - Usage: Windows Remote Management, encrypted
  - Security: TLS/SSL encrypted
  - Watch for: Certificate issues, pass-the-hash, lateral movement
- 8080 — HTTP-Proxy
  - Protocol: TCP
  - Usage: Alternative HTTP port, proxies
  - Security: Often misconfigured, unencrypted
  - Watch for: Open proxies, malware C2, unauthorized access
- 8443 — HTTPS-Proxy
  - Protocol: TCP
  - Usage: Alternative HTTPS port, secure proxies
  - Security: TLS/SSL encrypted
  - Watch for: Certificate issues, malware C2, unauthorized proxy use