Real life attacks, or penetration testing attempts, always start with the reconnaissance phase. This involves massive or localized port scanning against different port ranges.
Blue teams use port scanning for a number of reasons, from identifying their own weaknesses (through the discovery of unusual services running on their systems) to pinpointing firewall port-filtering misconfiguration issues.
In previous posts, we’ve written about the best port scanners and covered the most popular Nmap commands to scan remote hosts, all to improve your port scanning daily tasks. Today we’re going to extend your port scanning knowledge by sharing the top 20 and 200 most popular ports recognized in the infosec industry.
But first, let’s go back to the basics, to identify the concept of the port as it’s understood in computer science.
What is a software or network port?
In simple words, a port number is a 16-bit numeric value that oscillates between 0 and 65535. There are three different types of port number spaces: well known ports (0-1023), registered ports (1024-49151) and dynamic ports (49152-65535).
These ports can be opened and used by software application and operating system services under certain protocols (e.g. TCP, UDP) across the network (LAN or WAN) to send and receive information.
For example: common network ports we use in our day to day tasks include 80 for HTTP-web-based browsing in plain text, and 443 for HTTPS-web-based encrypted web pages.
To summarize, a port can be defined as a logical form to identify system processes or different network services that are used to establish local or network-based communications.
Types of port scanning techniques
When performing a port scan, different techniques can be applied to achieve success in this data discovery process. We’ll now show you a brief description of the most common ways to scan remote or local hosts.
TCP half and full scan
There are two common ways to scan any server TCP ports:
The half TCP scan is one of the most popular techniques used in port scanning tasks. It uses the first half of the three-way handshake, which leads to faster network port exploration times as the handshake is never completed. This scan sends the SYN message, catches the SYN-ACK responses, but leaves the target waiting for the final ACK response.
On the other hand, a full TCP port scan uses the full three-way handshake to check every port to see if any of them are open. In this case, the final ACK response is sent, making this scan slower and leaving more tracks over the network.
While TCP scans are the most common types of port scans, ignoring the UDP protocol is a common mistake made by security researchers, one that can offer sensitive information through exposed network services, which can be likewise as exploited as the TCP services.
Popular network services such as DHCP (67/68), SNMP (161,162), DNS (53) or Xbox Live service (88) run on UDP ports; therefore, a UDP scan is another layer to consider when performing any port scan audit.
If you are using Nmap as your port scanner, the UDP scan can be performed by adding the
For years, it’s been easy to detect port scan activities against your servers. Therefore, it’s no surprise that stealth port scanning is becoming the default scan performed by penetration testers, real attackers and blue teams.
A stealth scan is a type of network scanning technique that allows an attacker to remain undetected as it never completes the TCP connection. This type of scan (SYN) is the default when using the -sS option in Nmap port scanner.
Stealth scans also include FIN, XMAS, NULL and dumb scan methods to remain invisible while performing the network exploration.
A ping scan, also known as a ping sweep or ICMP sweep, is not a port scan per se, but a host discovery technique used to determine which hosts are live across a specific network.
This technique is often used to detect available hosts within any local or remote network, as well as for monitoring purposes.
While the common ping command can also let you know if a host is alive, this technique uses a different approach as it doesn’t ping a broadcast address. Instead it performs ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts, as well as TCP SYN to port 443 and TCP ACK to port 80.
If you’re using Nmap, this can be done by using the argument:
How can I get a list of the most popular scanned ports?
Here at SecurityTrails we use Nmap in almost all of our infosec investigations and testing, thanks to its effectiveness as a service, network and port discovery tool.
Yet even in the infosec field, some people still don’t know that Nmap has a built-in option called –top-ports. This option enables you to get the top scanned ports on the Internet.
The top ports database is maintained by Gordon Lyon (aka Fyodor, the creator of Nmap), sharing extensive port scanning research conducted since Nmap’s creation.
Becoming familiar with the most popular scanned ports will help you save precious time in performing your port scanning activities. Let’s take a look at them.
Stay in the loop with the best infosec news, tips and tools
Follow us on Twitter to receive updates!Follow @SecurityTrails
Top 20 most scanned ports
How can I get the top 20 most scanned ports? That’s actually an easy question—just use:
nmap --top-ports 20 X.X.X.X
Replace X.X.X.X with the host or IP address you are targeting. Otherwise, if you want to avoid big network scanning times against a real target, simply replace X.X.X.X with “localhost”:
nmap --top-ports 20 localhost
This will show you something like this:
According to the Nmap port database these are the top 20 most scanned ports on the Internet, usually discovered as open.
We can change the output by adding verbose option, along with the
-oG (grepable output) arguments and using grep at the end, as you can see below:
research@securitytrails(0):~# nmap --top-ports 20 localhost -v -oG - | grep TCP # Ports scanned: TCP(20;21-23,25,53,80,110-111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080)
So, according to the Nmap top ports database, the final list of the top 20 most scanned ports can be resumed to:
- 21: ftp
- 22: ssh
- 23: telnet
- 25: smtp
- 53: domain name system
- 80: http
- 110: pop3
- 111: rpcbind
- 135: msrpc
- 139: netbios-ssn
- 143: imap
- 443: https
- 445: microsoft-ds
- 993: imaps
- 995: pop3s
- 1723: pptp
- 3306: mysql
- 3389: ms-wbt-server
- 5900: vnc
- 8080: http-proxy
If you want to scan both UDP and TCP ports (by default the top-ports arguments launches a TCP scan only), you can simply add the -sTU option, as shown here:
nmap -sTU --top-ports 20 localhost -v -oG -
Top 200 most scanned ports
In the same way that we scanned the top 20 ports, you can literally request any port range from the available 65535 ports.
So, if you want to get the full UDP and TCP top 200 ports, this can be achieved by simply running:
nmap -sTU --top-ports 200 localhost -v -oG -
Here’s the output we got in our testing environment:
research@securitytrails(0):~# nmap -sTU --top-ports 200 localhost -v -oG - # Nmap 7.70 scan initiated Sun May 5 20:27:50 2019 as: nmap -sTU --top-ports 200 -v -oG - localhost # Ports scanned: TCP(200;1,3,7,9,13,17,19,21-23,25-26,37,53,79-82,88,100,106,110-111,113,119,135,139,143-144,179,199,254-255,280,311,389,427,443-445,464-465,497,513-515,543-544,548,554,587,593,625,631,636,646,787,808,873,902,990,993,995,1000,1022,1024-1033,1035-1041,1044,1048-1050,1053-1054,1056,1058-1059,1064-1066,1069,1071,1074,1080,1110,1234,1433,1494,1521,1720,1723,1755,1761,1801,1900,1935,1998,2000-2003,2005,2049,2103,2105,2107,2121,2161,2301,2383,2401,2601,2717,2869,2967,3000-3001,3128,3268,3306,3389,3689-3690,3703,3986,4000-4001,4045,4899,5000-5001,5003,5009,5050-5051,5060,5101,5120,5190,5357,5432,5555,5631,5666,5800,5900-5901,6000-6002,6004,6112,6646,6666,7000,7070,7937-7938,8000,8002,8008-8010,8031,8080-8081,8443,8888,9000-9001,9090,9100,9102,9999-10001,10010,32768,32771,49152-49157,50000) UDP(200;7,9,13,17,19,21-23,37,42,49,53,67-69,80,88,111,120,123,135-139,158,161-162,177,192,199,389,407,427,443,445,464,497,500,514-515,517-518,520,593,623,626,631,664,683,800,989-990,996-999,1001,1008,1019,1021-1034,1036,1038-1039,1041,1043-1045,1049,1068,1419,1433-1434,1645-1646,1701,1718-1719,1782,1812-1813,1885,1900,2000,2002,2048-2049,2148,2222-2223,2967,3052,3130,3283,3389,3456,3659,3703,4000,4045,4444,4500,4672,5000-5001,5060,5093,5351,5353,5355,5500,5632,6000-6001,6346,7938,9200,9876,10000,10080,11487,16680,17185,19283,19682,20031,22986,27892,30718,31337,32768-32773,32815,33281,33354,34555,34861-34862,37444,39213,41524,44968,49152-49154,49156,49158-49159,49162-49163,49165-49166,49168,49171-49172,49179-49182,49184-49196,49199-49202,49205,49208-49211,58002,65024) SCTP(0;) PROTOCOLS(0;) Host: 127.0.0.1 (localhost) Status: Up Host: 127.0.0.1 (localhost) Ports: 631/open/tcp//ipp///, 68/open|filtered/udp//dhcpc///, 5353/open|filtered/udp//zeroconf///, 5355/open|filtered/udp//llmnr/// Ignored State: closed (396) # Nmap done at Sun May 5 20:27:53 2019 — 1 IP address (1 host up) scanned in 2.76 seconds
Do you need the top 1000 ports? Just set the desired number and that’s it.
While there are other third party lists collected by several security groups and infosec researchers, we believe the Nmap top scanned port database is one of the most reliable and accurate.
How can I prevent a port scan?
What if you’re on the blue team and need to prevent a massive port scanning against your servers and networks? Is there any way to prevent a port scan?
Let’s find answers to these questions, as well as different methods you can use to filter the most popular port scanning techniques.
Allowing connections from only the whitelisted IPs in a network is one of the oldest practices in use to prevent port scanners from revealing whether you have any open ports running on your network.
By setting up a simple whitelist for your internal and denying the rest of the connection requests, you’ll isolate all possible port scanning attempts in a single area.
Many other firewalls for Linux/Unix also include port scanning prevention features such as “Port scan tracking” by CSF from ConfigServer.
Once an IP address surpasses the PS_LIMIT within PS_INTERVAL (measured in seconds), it will be automatically blocked.
The detected scans will be logged using this format:
*Port Scan* detected from 22.214.171.124 (GB/United Kingdom/Bradford/Shipley/cpc30-cust254.cable.host.net).
While this is a good way to prevent port scanners to report if you have ports open, be aware that Nmap has ways to bypass your firewall rules.
Here’s another proven technique to prevent/delay certain port scanning activities against your servers.
Simply put, port knocking is a way to externally open certain ports on the remote server firewall by generating a few connection attempts to a predefined set of ports.
In order to open any port, you will first have to knock (a connection attempt) other ports using a valid sequence.
For example, in order to open port 22; ports 99, 145 and 234 will have to be knocked first, in that particular order. If the knocks sequence fails, then the SSH port will never be opened, and therefore, you’ll be safe against any type of scanning.
While there are a few advanced techniques one can use to detect the knocking sequence, this still works as a useful method to delay and distract most attackers.
This configuration can be applied by configuring certain variables within your firewall. CSF Firewall, which we mentioned before, includes a 1 minute port knocking setup.
In case you want to test it, simply run the following commands:
nano -w /etc/csf/csf.conf
Then search for “PortKnocking”. The syntax is simple:
Explanation: 22 is the port that will open if all the knocks are correct. TCP is the protocol set, and 20 the timeout interval where the 3 (minimum) ports (100,200,300) must be knocked.
If you want to be alerted every time the port knocking port is opened, you can set this variable to “1”.
PORTKNOCKING_ALERT = "0"
Now type the following command to apply the changes and reload the firewall rules:
Another way to use port knocking is with knockd service, and a handy tutorial on setting it up can be found here. If you’re using other firewalls, such as a stateful firewall, more information can be found in this link.
Portspoof is another good choice to help you prevent port scanning activities.
This application makes port scanning results interpretation difficult, dragging out the task of identifying open ports into a really slow job.
How does Portspoof work?
It will cause your OS to report all TCP ports as open, instead of showing the state as FILTERED or CLOSED.
For this, Portspoof will answer back with SYN-ACK for all the incoming connection attempts by the port scanners.
This will result in delaying any typical SYN/ACK port scans as all the 65535 ports will be displayed as open, confusing your attackers
Another tricky way Portspoof can be used is to set a fake TCP port service description.
Portspoof will emulate running services on all the reported open ports, but these descriptions will be randomly generated from its own valid-service description signature database.
The result will create even more distraction for any attacker, as it will deceive them in two ways: they’ll think that the port is open, and that a specific service is running on it. Ninety-nine percent of the time, these two conditions will not be true.
As we’ve shared today, knowing the most popular ports in the infosec industry can save time and effort in your service discovery and data reconnaissance tasks.
Now, you know how to get the most popular scanned ports on the Internet and have learned a few techniques to guard against most common automated port scanning attempts.
Here at SecurityTrails, our vast,passive cybersecurity database contains a lot of the ports mentioned. Exploring DNS servers, domain names, IP addresses and SSL certificates can also reveal a lot of useful intelligence data about your server and application infrastructure.
Open a free API account today, or book a demo with our sales team to check out our world-class enterprise-security product SurfaceBrowser™.