Cyber Security Forensics!

Commonly Exploited or High-Risk Ports

These ports are known to be frequently targeted by attackers for exploitation, privilege escalation, or lateral movement. Always review context and verify legitimate use.

• 21 — FTP: Cleartext credentials, anonymous upload risks
• 22 — SSH: Brute-force, credential reuse, pivoting
• 23 — Telnet: Cleartext remote access, IoT exploitation
• 25 — SMTP: Open relay misuse, phishing, spam
• 53 — DNS: Tunneling, amplification DDoS, exfiltration
• 69 — TFTP: No authentication, firmware abuse
• 80 — HTTP: Web app exploits (XSS, SQLi, RCE)
• 110 / 143 — POP3 / IMAP: Cleartext mail credentials
• 111 — RPCBind / Portmapper: Exposes RPC interfaces
• 135 — Microsoft RPC / DCE: RCE, wormable vulnerabilities
• 137–139 / 445 — SMB: Lateral movement, ransomware propagation
• 1433 / 1434 — MSSQL: Brute-force and injection attacks
• 1521 — Oracle DB: Listener attacks, data access
• 2049 — NFS: Misconfigured exports, data theft
• 3306 — MySQL: Exposed DBs, credential brute-forcing
• 3389 — RDP: Brute-force, ransomware, lateral movement
• 5900 — VNC: Weak or no authentication
• 8080 / 8000 / 8888 — HTTP Alt Ports: Admin consoles, dev tools
• 5666 / 5667 — NRPE: Misconfigured monitoring daemons
• Custom ports: Admin APIs, backdoors, and internal tools

Generally Benign or Low-Investigation Ports

These ports are typically expected and safe when used legitimately within known environments. Still, any anomaly in behavior or destination should be investigated.

• 53 — DNS: Normal resolver traffic to trusted servers
• 67 / 68 — DHCP: Local IP assignment traffic
• 88 — Kerberos: Standard authentication in AD networks
• 123 — NTP: Time sync to approved servers
• 389 — LDAP: Directory lookups, internal auth
• 443 — HTTPS: Secure web browsing and API access
• 631 — IPP: Printing service on local LANs
• 3702 / 5353 — mDNS / WS-Discovery: Local discovery traffic
• Ephemeral (1024–65535): Outbound client connections

Quick Triage Tips

• Context first: Is the port expected for that host or service?
• Destination check: Internal vs external traffic patterns
• Baseline volume: Investigate spikes or new persistent connections
• Authentication: Watch for unauthenticated or cleartext sessions
• Endpoint logs: Correlate with process, command-line, and user context
• Reputation: Validate external IP or domain reputation