Common ports and what they mean when found open:
| Port | Service | What to try |
|---|---|---|
| 21 | FTP | Anonymous login, brute force, bounce attacks |
| 22 | SSH | Brute force, key-based auth bypass, default credentials |
| 23 | Telnet | Cleartext credentials, brute force |
| 25 | SMTP | User enumeration (VRFY/EXPN), open relay |
| 80/443 | HTTP/S | Web app attacks, SSL/TLS issues |
| 445 | SMB | Null session, EternalBlue, Pass the Hash |
| 1433 | MSSQL | SA account, xp_cmdshell RCE |
| 3306 | MySQL | Default credentials, remote root login |
| 3389 | RDP | BlueKeep, brute force, credential reuse |
| 5900 | VNC | No auth, default password: password |
| 6379 | Redis | No auth by default, RCE via config set |
| 9200 | Elasticsearch | No auth — read/delete all data |