Common ports & protocols
The port numbers worth memorising, with transport protocol and a note on whether traffic is encrypted.
Why memorise ports
Port-to-service recall speeds up reading an nmap scan, a firewall rule, or a packet capture. The numbers below are the IANA-registered defaults; services can be moved, so treat them as conventions, not guarantees. Pay attention to the plaintext vs encrypted column, a recurring exam and real-world theme being legacy protocols that send credentials in the clear.
Core services
| Port | Proto | Service | Notes |
|---|---|---|---|
| 20 / 21 | TCP | FTP (data / control) | File transfer. Plaintext: credentials in the clear. |
| 22 | TCP | SSH | Secure remote shell, also SFTP/SCP. Encrypted. Replaces Telnet. |
| 23 | TCP | Telnet | Remote shell, plaintext. Obsolete; never use over untrusted networks. |
| 25 | TCP | SMTP | Mail relay between servers. |
| 53 | TCP/UDP | DNS | Name resolution. UDP for queries, TCP for zone transfers/large responses. |
| 67 / 68 | UDP | DHCP | Server / client. Automatic IP configuration. |
| 69 | UDP | TFTP | Trivial FTP, no auth. Used for device boot/config. |
| 80 | TCP | HTTP | Web, plaintext. |
| 110 | TCP | POP3 | Mail retrieval (downloads and deletes). |
| 123 | UDP | NTP | Time synchronisation. Has been abused for DDoS amplification. |
| 137–139 | TCP/UDP | NetBIOS | Legacy Windows networking. |
| 143 | TCP | IMAP | Mail retrieval (keeps mail on server). |
| 161 / 162 | UDP | SNMP | Network device monitoring / traps. v1/v2c are plaintext; use v3. |
| 389 | TCP/UDP | LDAP | Directory access (e.g. Active Directory), plaintext. |
| 443 | TCP | HTTPS | Web over TLS. Encrypted. |
| 445 | TCP | SMB | Windows file sharing. Heavily targeted (EternalBlue/WannaCry). |
| 465 / 587 | TCP | SMTP submission | Mail submission from clients; 587 with STARTTLS, 465 implicit TLS. |
| 636 | TCP | LDAPS | LDAP over TLS. Encrypted. |
| 993 | TCP | IMAPS | IMAP over TLS. Encrypted. |
| 995 | TCP | POP3S | POP3 over TLS. Encrypted. |
| 1433 | TCP | MS SQL Server | Database. Should never be internet-facing. |
| 3306 | TCP | MySQL | Database. Should never be internet-facing. |
| 3389 | TCP | RDP | Windows Remote Desktop. A top ransomware entry point when exposed. |
| 5432 | TCP | PostgreSQL | Database. |
| 5900 | TCP | VNC | Remote desktop. Often weakly authenticated. |
| 8080 | TCP | HTTP alt | Proxies, dev servers, app servers. |
Plaintext → encrypted pairs
A pattern worth internalising: the secure version usually adds TLS and a new port:
| Insecure | Secure |
|---|---|
| HTTP 80 | HTTPS 443 |
| FTP 21 | SFTP (over SSH 22) / FTPS |
| Telnet 23 | SSH 22 |
| SMTP 25 | SMTP+STARTTLS 587 / SMTPS 465 |
| IMAP 143 | IMAPS 993 |
| POP3 110 | POP3S 995 |
| LDAP 389 | LDAPS 636 |
| SNMP v1/v2c 161 | SNMP v3 |
Port ranges
- 0–1023: well-known ports, assigned to core services, usually require privilege to bind.
- 1024–49151: registered ports, assigned to specific applications.
- 49152–65535: dynamic / ephemeral, used as the client side of connections.