Browse 216 ports related to security
Atlasz Secure Server
Port 8881 is commonly associated with Atlasz Informatics Research Ltd.'s Secure Application Server, a platform intended to facilitate secure application deployment and communications, primarily over TCP. While its utilization isn't standardized or well documented, it often serves proprietary secure communication processes or remote management interfaces that demand careful access control and monitoring due to elevated security implications.
HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is the encrypted version of HTTP, which enables secure communication over computer networks. It uses SSL/TLS protocols to encrypt and decrypt requests and responses between web clients and servers, ensuring data integrity and confidentiality. HTTPS is the standard protocol for accessing secure websites, handling sensitive transactions, and protecting user privacy online.
Winbox MikroTik Admin
*MikroTik's Winbox* is a Windows-based utility used predominantly to configure and manage MikroTik RouterOS devices via TCP port 8291. It provides a graphical management interface that complements other access methods like SSH, Telnet, and an integrated web UI, offering administrators comprehensive and user-friendly device control.
Microsoft Global Catalog (GC)
Port 3268 is primarily used by Microsoft Domain Controllers to provide access to the Global Catalog service. This service allows fast searches across an entire Active Directory forest using LDAP. It contains a partial, read-only replica of all objects in the directory, facilitating user logins, address book lookups, and efficient query capabilities in large, multi-domain environments.
Microsoft EPMAP
Microsoft Endpoint Mapper (EPMAP), commonly operating on port 135, serves as the RPC (Remote Procedure Call) locator service. It allows clients to identify network services available on a Windows host, facilitating communication with components like DHCP, DNS, WINS, and Distributed Component Object Model (DCOM). By mapping UUIDs to network addresses, EPMAP acts as a directory, enabling dynamic discovery of RPC services essential for remote management and inter-process communication in Windows environments.
Squid Proxy HTTP
Port 3128 is commonly used by proxy servers, notably Squid, for handling HTTP web caching and proxy services. It enables improved web performance by caching frequently accessed content and provides anonymity and filtering capabilities for clients accessing the internet through the proxy.
HTTP Alternate
Port 8080 is a widely used alternative to the default HTTP port 80. It is often utilized for web proxies, caching servers, and development or administrative web interfaces running on non-root privileges. Its versatility makes it prevalent in web server management and testing environments, especially when the default port 80 is already occupied or restricted.
Vuze HTTPS Tracker
Port 7000 is commonly used by Vuze BitTorrent client as the default for its built-in HTTPS tracker, which facilitates secure peer coordination within torrent swarms. This port helps establish encrypted connections for tracker communications, ensuring data privacy and integrity during content distribution.
Check Point Embedded HTTPS Management
Port 981 is typically utilized by SofaWare Technologies for secure remote management of firewall devices running embedded Check Point FireWall-1 software. This port enables administrators to access and configure these security appliances over an encrypted HTTPS connection, ensuring confidentiality of sensitive operational data during remote sessions.
Openfire Admin Console (SSL)
Openfire's secured web-based Administration Console operates on port 9091, providing administrators encrypted access to configure and manage the Openfire real-time collaboration server. It offers a user-friendly interface for server setup, user management, group chat configuration, and plugin management, all protected by SSL encryption to ensure secure administrator connections.
Radmin Remote Administration
Radmin is a remote control software solution for remote desktop management and access. It enables administrators and users to connect to remote computers for tasks such as troubleshooting, configuration, or support. While primarily used for legitimate remote administration, its powerful capabilities have also made it a tool of choice for cybercriminals and malware, and it is frequently associated with unauthorized access if not properly secured.
PowerFolder P2P
PowerFolder is a peer-to-peer encrypted file synchronization program enabling users to seamlessly share, synchronize, and back up data across multiple devices and users. Designed for secure and efficient file distribution, it leverages decentralized communication for reliable data transfer.
Freeciv
Port 5555 is unofficially associated with the popular free and open-source turn-based strategy game Freeciv, along with services such as Hewlett-Packard Data Protector, McAfee EndPoint Encryption Database Server, and SAP applications. Primarily, Freeciv uses this port for network gameplay sessions, where players connect to dedicated servers enabling multiplayer matches across various systems.
Microsoft Global Catalog SSL
Port 3269 is used by Microsoft's Global Catalog service operating over SSL/TLS encryption. This port facilitates secure access to a forest-wide directory in Active Directory, enabling encrypted LDAP searches that span multiple domains. Utilizing SSL ensures sensitive directory queries and authentication details remain protected during transmission.
Oracle SSL Listener
Port 2484 is primarily used by Oracle Database systems to accept SSL-encrypted client connections to the Oracle Net Listener service. This secure communication channel ensures confidentiality and integrity of data transmitted between Oracle clients and the database server.
McAfee Web Gateway GUI
This is the default HTTPS port for the web interface of McAfee Web Gateway 7, primarily used for secure administrative access. It provides a secure layer for configuring and managing web security policies, threat protection features, and monitoring network activity through an encrypted connection.
OPC UA over TLS/SSL
OPC UA over TLS/SSL uses port 4843 to provide secure, encrypted industrial protocol communications via Transport Layer Security or Secure Sockets Layer. This port supports interactions within the OPC Unified Architecture ecosystem, enabling secure cross-platform data exchange for industrial control systems, automation devices, and IoT components. Widely adopted in industrial environments, it ensures data integrity and confidentiality across networked enterprise and manufacturing systems.
McAfee Web Gateway Proxy
Port 9090 is commonly used as the default proxy port for McAfee Web Gateway, formerly known as Webwasher or Secure Web. It facilitates secure web filtering, malware scanning, content inspection, and access control for corporate networks, acting as an intermediary between users and the external internet to enforce organizational security policies.
Tor Network
Port 9001 is widely used as a default unencrypted relay port for the Tor anonymity network, facilitating encrypted internet traffic routing through volunteer-operated nodes. It enables data exchange between Tor relays, helping maintain user privacy and circumvent censorship.
Kerberos Admin
**Kerberos administration** typically uses port 749 to perform administrative tasks such as managing principals, policies, and key databases within a Kerberos authentication infrastructure. This port facilitates secure and centralized identity management for distributed network environments.
Telnet over TLS/SSL
Port 992 is designated for Telnet communications secured through TLS/SSL encryption, augmenting the traditional Telnet protocol by providing a secure channel that protects data integrity and confidentiality during remote command-line sessions. It is used primarily where legacy Telnet access needs to be maintained while enhancing security.
HTTP Alternate Port
Port 8081 is widely used as an alternative HTTP port for web services and management consoles. It provides access to applications like VibeStreamer, McAfee ePolicy Orchestrator (ePO), or bespoke web server interfaces, typically when the primary HTTP port 80 is restricted or occupied. This port is common in development, testing environments, or for segregating web application management interfaces from the main service endpoints.
WASTE Encrypted Sharing
WASTE is a peer-to-peer encrypted file sharing and private messaging application. It facilitates secure group communications by creating encrypted virtual private networks (VPNs) between trusted peers. Designed for small, private group use, it helps users exchange files, chat messages, and link to another trusted user securely without relying on a central server.
OpenPGP Keyserver
Port 11371 is primarily used by OpenPGP HTTP key servers, which facilitate the distribution, retrieval, and synchronization of public encryption keys. This enables a global infrastructure where users can upload or search for OpenPGP public keys to verify digital signatures, exchange secure messages, and support encrypted communication. These servers generally operate over HTTP, creating a public directory of keys to foster secure and trusted communications among users and services.
FTPS Data
Port 989 is primarily used for FTPS data transfer, which is an extension of the traditional FTP protocol secured with TLS or SSL encryption. This port facilitates the encrypted transfer of files between clients and servers, ensuring both confidentiality and integrity during data exchange. FTPS addresses the inherent security weaknesses of standard FTP by adding support for encryption standards widely accepted across industries.
McAfee Web Gateway HTTP GUI
TCP port 4711 is primarily used as the default HTTP port for the graphical user interface (GUI) of McAfee Web Gateway 7. This management console allows administrators to configure, monitor, and maintain the web security appliance. Although the port is unofficial and unencrypted by default, understanding and securing access to it is important, as it offers significant control over web traffic filtering and security policies within an organization.
Apache Synapse HTTPS Listener
Port 8243 is primarily used as the default HTTPS listener endpoint for Apache Synapse and WSO2 API Manager. It facilitates secure, encrypted communication over SSL/TLS for API management, mediation, and integration tasks. This port allows clients to securely connect for API publishing, invocation, and governance operations.
eklogin Kerberos Remote Login
Port 2105 is used by eklogin, a version of the classic Unix remote login (rlogin) service that incorporates Kerberos encryption. It facilitates secure, authenticated remote terminal access by leveraging Kerberos to verify user identities and encrypt the login session. This port aims to provide a safer alternative to traditional rlogin, reducing risks from credential exposure and session hijacking over untrusted networks.
AMLFilter HTTPS
**21022/tcp** is the default HTTPS port for *AMLFilter*, a platform developed by *AMLFilter Inc.* intended for Anti-Money Laundering filtering operations. The port is primarily used by their amlf-engine-02 modules to facilitate secure, encrypted communication between clients and the AMLFilter server.
FTPS Control
FTPS (File Transfer Protocol Secure) Control utilizes port 990 to establish an encrypted communication channel for managing connections in an FTP over TLS/SSL environment. It provides authentication and command exchange securely, protecting data integrity and confidentiality during the initiation of file transfers.
AMLFilter HTTPS
Port 21012 is commonly used by AMLFilter Inc.'s amlf-engine-01 as its default HTTPS communication port. It's designed primarily to facilitate secure, encrypted data exchange between the AMLFilter platform components and client systems. This port supports secure transmission essential for anti-money laundering (AML) filtering and related financial data processing.
DirectAdmin & ESET Remote Admin
Port 2222 is widely recognized as the default TCP port for DirectAdmin, a commercial web hosting control panel, and is also employed by ESET Remote Administrator for centralized management of ESET security solutions. This dual-purpose port is predominantly used for secure web-based management interfaces, allowing administrators to manage servers or endpoint clients remotely. Due to its remote administration capabilities, it is a notable target and should be protected accordingly.
IBM Tivoli Monitoring
IBM Tivoli Monitoring Console over HTTPS provides a secure, web-based interface for monitoring and managing IT resources across an enterprise. It enables IT administrators to observe system health, performance, and application status, facilitating proactive management of hardware and software assets.
Torpark Onion Routing
Port 81 is commonly associated with HTTP traffic used for Onion routing through tools like Torpark, an anonymized web browser based on the Tor network. It often serves as an alternative or secondary HTTP port leveraged by onion routing gateways and proxy servers to facilitate user anonymity while browsing the internet.
Back Orifice RAT
Back Orifice is a notorious remote administration tool released in the late 1990s, primarily known for its exploitation as a Trojan horse. It allows remote control of a Windows system, often without the user’s knowledge or consent, enabling malicious actors to access files, monitor user activity, and manipulate system configurations. Due to its ease of deployment and stealthy capabilities, it has historically been a popular choice for attackers targeting vulnerable systems.
Panda AdminSecure Agent
Panda Software AdminSecure Communication Agent operates on port 19226, enabling centralized management and communication between Panda's security console and agent endpoints within an enterprise environment. This port facilitates reporting, updates, deployment of security policies, and coordination of security services to ensure consistent protection across all connected systems.
tcpnethaspsrv
tcpnethaspsrv is a network service used primarily to facilitate license management and copy protection for software utilizing the HASP (Hardware Against Software Piracy) dongle system developed by Aladdin Knowledge Systems. It allows software applications to communicate with hardware dongles over TCP/IP networks, enabling centralized licensing control and enforcement.
AMLFilter HTTP
Port 21021 is commonly associated with AMLFilter, an anti-money laundering solution developed by AMLFilter Inc. This port serves as the default HTTP communication channel for the amlf-engine-02 service, facilitating web-based management, data transfer, and detection operations that support financial compliance workflows.
SSH
Secure Shell (SSH) is a widely used network protocol designed to provide secure access and communication with remote systems over an unsecured network. It encrypts login credentials, command execution, file transfers, and tunneling capabilities, making it a fundamental tool for system administrators and developers to securely manage servers and devices.
cPanel SSL
**Port 2083** is commonly used for secure, encrypted access to the **cPanel web hosting control panel**. This SSL-enabled port provides administrators and users a secure interface to manage their hosting environment, including website files, email accounts, databases, and domain settings. Through HTTP over TLS/SSL (HTTPS), cPanel ensures that all transmitted data, such as login credentials and sensitive configurations, is protected from interception or tampering.
AMLFilter HTTP
Port 21011 is the default HTTP port for AMLFilter's amlf-engine-01, software produced by AMLFilter Inc., which specializes in financial compliance solutions. It provides a web interface that facilitates communication with anti-money laundering (AML) data filtering systems designed to assist financial organizations in detecting suspicious activities and ensuring compliance with regulatory norms. As this is an HTTP service, the port provides unencrypted access unless rerouted through secure protocols.
NetBus / NetBuster
Port 12345 is strongly associated with the NetBus remote administration tool, which is widely known as a backdoor Trojan horse. It was originally designed for legitimate remote control but was quickly adopted by malicious actors for unauthorized access and control over infected machines. Additionally, this port has seen use by NetBuster, a NetBus honeypot tool, and is sometimes used by certain networked games such as Little Fighter 2.
NAT-PMP
NAT Port Mapping Protocol (NAT-PMP) enables client devices behind a NAT gateway to configure dynamic port mappings automatically, simplifying inbound connection management. This improves connectivity for services such as peer-to-peer applications, gaming, and remote access without manual network configuration. Operating over both TCP and UDP, it allows devices to communicate their requirements directly to the NAT device to facilitate seamless data exchange while maintaining a level of security and network segmentation.
Oracle TNS Listener
Port 1521 is commonly used by Oracle Database for its Transparent Network Substrate (TNS) Listener service, which handles incoming client connection requests, database communication, and service management. It's a critical component in enterprise database environments.
AMLFilter Admin
Port 21001 is typically used by AMLFilter Inc.'s AMLFilter application as the default administration interface port for its anti-money laundering filtering software. This interface allows security and compliance administrators to configure filters, manage rulesets, review alerts, and maintain the system for regulated financial institutions.
POP3S
POP3S (Post Office Protocol Version 3 Secure) provides encrypted email retrieval for clients accessing their mailbox from mail servers, ensuring user authentication and message data remain protected during transit. It is essentially the secure version of POP3, using TLS/SSL to add a layer of encryption to prevent eavesdropping or tampering. POP3S is widely supported in mail clients and offers a simple, dependable method to securely access email stored on remote servers.
NNTPS
NNTPS (Network News Transfer Protocol Secure) is the encrypted version of NNTP, which facilitates the distribution, querying, retrieval, and posting of Usenet articles using TLS/SSL encryption to ensure privacy and integrity during data transmission.
IPSec
Internet Protocol Security (IPSec) is a suite of protocols designed to secure IP communications by authenticating and encrypting each IP packet in a communication session. It is widely used to establish secure VPNs, protecting data traffic over untrusted networks, including the internet. Port 1293 is specifically assigned for the IPSec Network Address Translation-Traversal (NAT-T), facilitating IPSec operation behind NAT devices.
WHM SSL
Port 2087 is primarily used for secure access to WebHost Manager (WHM), a popular web hosting control panel component of cPanel. This SSL-enabled port facilitates encrypted management of server and hosting configurations, allowing administrators to handle server tasks safely over HTTPS. It plays a crucial role in secure server administration in hosting environments where protecting credentials and sensitive operations is essential.
Kaspersky Network Agent
Kaspersky Network Agent is a key component in Kaspersky's security infrastructure, facilitating communication between managed security products and the central administration server. It enables remote deployment, configuration, monitoring, and updates of security policies, ensuring seamless management of endpoints across an organization.
cPanel SSL Webmail
Port 2096 is commonly used by cPanel's webmail service over an encrypted SSL/TLS connection. It enables users to securely access their email accounts via a web-based interface, providing convenient email management for domains hosted on servers utilizing cPanel. The SSL encryption ensures data privacy during transmission, protecting sensitive email content from interception by unauthorized parties.
knetd Demultiplexer
knetd is a network service used primarily as a Kerberos protocol multiplexer or demultiplexer, which assists with forwarding different Kerberos-related traffic streams to the correct local service. It facilitates enhanced management of authentication services across distributed systems leveraging Kerberos security.
Big Brother Monitor
Big Brother is an early system and network monitoring solution that provides real-time status reports for hosts and network services. Administrators use it to track service uptime, detect failures, and get alerts on changes or outages, helping maintain system reliability.
DNS RNDC
Port 953 is primarily used by the Remote Name Daemon Control (RNDC), a command utility for controlling the BIND DNS server. It facilitates secure, authenticated communication between administrators and the DNS server, enabling remote management tasks such as reloading zone files and flushing caches. RNDC operates over both TCP and UDP, and by default listens on TCP port 953, providing administrators fine-grained control over DNS server operations.
IRC over SSL
Port 6697 is commonly used to deliver encrypted Internet Relay Chat (IRC) communications over SSL/TLS. It provides an additional security layer to safeguard chat messages against eavesdropping and interception during transit. While unofficial, this port is broadly adopted by modern IRC servers aiming to protect user privacy and credentials through encryption.
XMPP over SSL
Port 5223 is primarily used for secure client connections in the Extensible Messaging and Presence Protocol (XMPP). It enables encrypted communication between XMPP clients and servers, facilitating secure instant messaging, presence information exchange, and collaboration applications. Historically, this port has been used to support SSL/TLS encrypted connections for clients needing to protect data in transit.
SOCKS Proxy
Port 1080 is traditionally used for the SOCKS proxy protocol, a flexible proxy mechanism enabling network clients to route traffic through intermediary servers. It supports various types of network connections, providing anonymity, bypassing restrictions, or improving security by acting as a relay between networks.
DNSIX
**DNSIX** (DoD Network Security for Information Exchange) facilitates secure attribute-based access control within Department of Defense networks, enabling attribute token mapping to govern data exchange securely across interconnected systems.
Odette FTPS
Odette File Transfer Protocol over TLS/SSL (OFTP over TLS) is a secure communication protocol primarily used within the automotive industry and related supply chains in Europe. It facilitates secure, reliable file transfers between suppliers, manufacturers, and business partners by leveraging encrypted connections to protect sensitive business documents.
fpscand Virus Scanner
Port 10200 is primarily used by FRISK Software International's fpscand, a virus scanning daemon designed for Unix platforms. fpscand acts as a backend antivirus engine that integrates with various email and file transfer systems to perform on-demand and real-time scanning of files and data streams. Its main role is to identify and block malicious content before it reaches end-users or sensitive system components.
McAfee Agent Discovery
McAfee Network Agent uses UDP port 6646 primarily for local network device discovery. This facilitates the detection of other endpoints running McAfee software, potentially to optimize internal communication such as update distribution or peer management.
IPSec NAT Traversal
Port 4500 facilitates IPSec VPN connections across network devices using NAT by encapsulating ESP packets within UDP to traverse NAT gateways seamlessly. Defined in RFC 3947, it extends IPSec capabilities for real-world networks where NAT is prevalent, ensuring secure communications remain intact. NAT-T allows enterprises and remote workers to maintain encrypted IPSec tunnels reliably over varied and complex network topologies.
IRC SSL
**IRC SSL on port 6679** is frequently used for secure Internet Relay Chat services, enabling real-time text communication over an encrypted connection. It protects message content during transmission by leveraging SSL/TLS, thereby ensuring privacy and integrity. Although this port is unofficial, it is widely adopted by IRC networks to add a security layer to traditional plaintext IRC communications.
LDAPS
LDAPS, or Lightweight Directory Access Protocol over TLS/SSL, is an encrypted form of LDAP that facilitates secure communication between directory service clients and servers. It operates over standard port 636 and is widely used in enterprise environments for secure directory queries, authentication, and management, ensuring sensitive data remains confidential during transmission.
Aladdin HASP License Manager
Port 1947 is primarily used by the Aladdin HASP License Manager, a system responsible for managing software licensing through hardware or software-based security keys. This service enables developers and organizations to enforce copy protection, ensure software compliance, and administer license allocation via network communication.
L2TP & L2F
Layer 2 Forwarding Protocol (L2F) and Layer 2 Tunneling Protocol (L2TP) are technologies primarily employed for creating Virtual Private Network (VPN) tunnels by encapsulating data for secure transmission across IP networks. L2TP, often used in conjunction with IPSec for encryption, has largely supplanted L2F, which was an earlier Cisco-developed protocol. These protocols operate at the data link layer, enabling secure communication of PPP frames beyond point-to-point physical connections.
RADIUS Authentication (Cisco/Juniper)
Port 1645 was traditionally used for RADIUS authentication messages by vendors like Cisco and Juniper. As a protocol, RADIUS (Remote Authentication Dial In User Service) facilitates centralized Authentication, Authorization, and Accounting (AAA) for accessing network resources, widely adopted in network access servers, wireless controllers, VPNs, and more. Despite newer official port allocations, port 1645 remains in use in certain legacy or vendor-specific deployments.
Tripwire FIM
Tripwire is a renowned File Integrity Monitoring (FIM) solution that helps organizations detect unauthorized changes to critical system files and configurations, thereby maintaining security and compliance. By closely monitoring file systems, registries, and configurations, Tripwire enables real-time detection and alerting of suspicious activity across enterprise environments.
MSSQL Monitor
The Microsoft SQL Server Monitor port facilitates database discovery and management via the SQL Server Resolution Service. It primarily helps clients locate SQL Server instances and dynamically negotiate ports. This port supports both TCP and UDP, allowing flexibility in network environments. Given its central role in discovery, it's often a target during reconnaissance, requiring careful management and security controls.
Symantec BindView UNIX Mgmt
Port 1236 is utilized by Symantec BindView Control, a security and compliance management solution primarily for UNIX systems. This port serves as the default TCP endpoint for communication between UNIX agents and the central management server, facilitating policy distribution, data collection, and reporting.
IMAPS
IMAPS (Internet Message Access Protocol Secure) is the encrypted version of IMAP that enables secure retrieval of email messages from a mail server over SSL/TLS. It protects the confidentiality and integrity of email content during transit, ensuring user credentials and emails remain private against eavesdropping and tampering.
SIP over TLS
Port 5061 is primarily used for Session Initiation Protocol (SIP) signaling over Transport Layer Security (TLS), offering encrypted communication channels for establishing and managing Voice over IP (VoIP) sessions. This secures call setups, modifications, and teardowns, providing confidentiality and integrity for signaling data between clients and servers.
Netwall Emergency Broadcasts
UDP Port 533 is primarily used by the Netwall service, designed for transmitting emergency broadcast messages across networks. It enables fast and reliable alert dissemination in crisis scenarios, supporting critical infrastructural communication with minimal delay.
IEEE-MMS-SSL
IEEE-MMS-SSL is a secure implementation of the IEEE Media Management System, leveraging SSL encryption to manage, transfer, and control media content across networks safely. It facilitates secure communication in environments dealing with digital media storage, processing, or distribution, typically used within industrial, research, or specialized broadcast applications requiring encrypted data exchange.
Kaspersky Control Center
Port 8086 is primarily utilized by the Kaspersky Anti-Virus (AV) Control Center, which facilitates centralized administration and management of Kaspersky security solutions across networked devices. This management portal enables system administrators to deploy updates, monitor endpoint status, and configure security policies from a single dashboard.
Oracle Listener (Unsecure)
Port 2483 is utilized by Oracle databases as the designated unencrypted listener port, replacing the default port 1521 in some configurations. This port facilitates communication between Oracle clients and the database server when SSL or other encryption mechanisms are not enforced. It enables initial connection establishment and orchestration of SQL query execution over TCP or UDP protocols without transport-level security.
cPanel Unencrypted Access
Port 2082 is commonly used for accessing the cPanel web hosting control panel over an unencrypted HTTP connection. It provides administrators and users a graphical interface to manage web hosting accounts, websites, databases, email accounts, and server configurations. Being an unencrypted default access port, it transmits data in plaintext, which exposes sensitive credentials and information to network interception, making its use deprecated in favor of secure alternatives.
Smartcard TLS
Port 4116 is designated for Smartcard TLS communication, which facilitates secure interactions between smartcard-enabled devices and authentication servers. It supports both TCP and UDP protocols, enabling versatile deployment scenarios for authentication, secure access, and identity verification services.
pcAnywhere Status
Symantec pcAnywhere uses UDP port 5632 for transmitting status information between client and host systems. This port helps facilitate remote management and monitoring capabilities within the pcAnywhere application suite, which is widely used for remote desktop control. Properly configuring and securing this port is essential to avoid unauthorized access.
RadSec
RadSec is a transport layer security (TLS) based protocol designed as a secure implementation of the RADIUS protocol. It protects RADIUS communication channels by encrypting data, ensuring confidentiality and integrity, making it suitable for exchanging authentication, authorization, and accounting information over untrusted networks such as the Internet.
Xware xTrm over SSL
Xware xTrm Communication Protocol over SSL is a secure, encrypted communication protocol used primarily within the Xware xTrm platform to enable safe data exchange between enterprise systems, often across corporate firewalls or internet connections. The protocol relies on SSL/TLS to ensure the confidentiality and integrity of transmitted data, supporting encrypted business-critical transfers and integration scenarios.
psyBNC
psyBNC is a popular IRC proxy or Bouncer that allows IRC users to maintain a persistent connection to IRC networks even when they are disconnected. Commonly used by advanced users for privacy, convenience, and hiding IP addresses, it offers multi-server support and filtering capabilities, making it a versatile tool for managing IRC sessions efficiently.
f-protd Virus Scanning Daemon
The f-protd daemon by FRISK Software International provides a virus scanning service designed for Unix platforms. It acts as a server component for scanning files and data streams for malware using the F-Prot Antivirus engine. Typically integrated with mail servers or file transfer services to scan in-transit data, it helps in automating and centralizing the malware detection process.
RADIUS Accounting
Port 1646 is primarily used by RADIUS accounting services, often involving Cisco and Juniper Networks devices. It facilitates the transmission of user accounting information, enabling network administrators to track user activity, session statistics, and billing data. This port complements RADIUS authentication (usually on port 1812 or alternatives), ensuring comprehensive management of network access and resource utilization.
Adobe Flash Socket Policy
Port 843 is primarily associated with the Adobe Flash socket policy server, which was used historically to deliver cross-domain policy files to Flash applications. This enabled Flash clients embedded in browsers or standalone applications to determine whether they were allowed to establish socket connections to specific servers. Its usage peaked during the prominence of Adobe Flash content across the web, but it has since declined considerably due to the deprecation of Flash technology.
TCPMUX
The TCP Port Service Multiplexer (TCPMUX) is a protocol used on port 1 to allow clients to query a server for a list of active services and connect to specific daemon processes dynamically. It acts as a service directory or initial contact point, facilitating connection establishment to various services hosted on a server.
MikroTik Dude Secure Management
Port 2211 is utilized by MikroTik for secure management communications within The Dude network monitoring system. It facilitates administrative tasks, device management, and secure data transfer between The Dude client and server components, ensuring that network administrators can efficiently monitor and maintain their network infrastructure.
Miralix Proxy
Miralix Proxy is primarily used by Miralix solutions to facilitate call center communication management and proxying of signaling data between various telephony components. It acts as a middleware component, ensuring seamless integration and data exchange in complex telecom environments.
NetGuard GuardianPro Remote Management
Port 1500 is typically used for remote management of NetGuard GuardianPro firewalls based on NT4 systems. This port facilitates administrative access, configuration management, and real-time monitoring of firewall status. Designed for legacy environments, it enables system administrators to remotely maintain security policies and respond to network events efficiently.
TcpWrapped (MacBook)
TcpWrapped (MacBook) is a firewall feature designed for Linux Operating Systems, ensuring controlled access to ports.
Identification Protocol
Port 113 was historically used for the Identification Protocol (Ident), a service that identifies the user of a particular TCP connection. This service allowed remote servers to query a client system to determine which user initiated a connection request, facilitating logging and access controls. While once commonly enabled on servers and network devices, Ident's use has declined substantially due to privacy concerns, inherent security risks, and the development of more secure authentication methods.
NetGuard GuardianPro Auth Client
The NetGuard GuardianPro firewall Authentication Client enables secure communication and verification processes between client systems and the GuardianPro firewall on NT4 platforms. Operating mainly over UDP port 1501, it facilitates authentication requests and responses, helping enforce network access control. This service is essential for validating clients before granting protected network access via the GuardianPro security suite.
CodeMeter
CodeMeter by WIBU-SYSTEMS AG is a versatile software protection and licensing platform widely used to safeguard applications and digital assets against piracy and unauthorized use. It integrates cryptographic licensing, secure key storage, and flexible license management into a comprehensive solution that allows developers to monetize, manage, and secure their software offerings across various environments. CodeMeter ensures intellectual property protection while enabling flexible licensing models suitable for both standalone software and embedded systems.
DNP3 Secure
DNP3 Secure is an enhanced, secure version of the Distributed Network Protocol used primarily for communication between SCADA systems and devices like RTUs and IEDs. It adds robust authentication and encryption features to the standard DNP3, aiming to protect critical infrastructure communications from interception and tampering.
RADIUS Auth Protocol
The RADIUS (Remote Authentication Dial-In User Service) protocol is a security protocol primarily used to provide centralized Authentication and Authorization services for users attempting to access a network. It facilitates the validation of user credentials and determines user permissions before granting access. Widely adopted by ISPs and enterprise WLANs, RADIUS enables scalable and secure user management across various network access servers.
Tini Backdoor
TCP port 7777 is commonly linked to the Windows backdoor malware tini.exe, a lightweight but effective trojan that provides remote shell access to compromised hosts. Frequently leveraged by attackers to create a hidden foothold, tini.exe listens for incoming connections, enabling unauthorized command execution and control on targeted Windows systems.
Torpark Control
Port 82 is commonly associated with alternative web service configurations or specialized control functions, such as for proxy networks like Torpark. It is sometimes used for managing Torpark, a privacy-centric portable web browsing system designed to anonymize internet usage by routing traffic over the Tor network.
TACACS
TACACS (Terminal Access Controller Access-Control System) is an authentication, authorization, and accounting protocol widely used in network environments to manage access control for routers, switches, and other network devices. Operating on both TCP and UDP port 49, TACACS helps network administrators enforce centralized security policies easily, offering flexibility and granular access management for network users and administrators alike.
PPTP
PPTP, or Point-to-Point Tunneling Protocol, is a VPN protocol developed by Microsoft to enable secure data transfer through encryption and encapsulation. While it historically allowed users to create secure communication tunnels over public networks, today it is largely considered outdated due to its well-known security vulnerabilities.
klogin (Kerberos Login)
Kerberos klogin facilitates secure, authenticated remote login services using Kerberos as the authentication mechanism. It is a protocol built on top of the Berkeley rlogin protocol but with strong authentication to prevent credential interception or replay attacks. Historically, it served to allow trusted access between hosts in environments where Kerberos is deployed.
OpenVPN
OpenVPN is an open-source VPN protocol and software that enables secure, encrypted connections over both TCP and UDP. Designed for flexibility, reliability, and ease of configuration, OpenVPN has become one of the most popular solutions for creating virtual private networks that bypass network restrictions and ensure data privacy.
Home FTP Server Web UI
Port 4993 is predominantly associated with the web interface of Home FTP Server, an application designed for personal file sharing. It enables users to remotely manage their FTP server via a web browser, providing a convenient and user-friendly method to configure server settings, users, and access permissions without requiring direct console access.
Microsoft DCOM
TCP port 1026 is frequently associated with Microsoft Distributed Component Object Model (DCOM) services. DCOM enables software components to communicate over a network, facilitating distributed computing on Windows environments. This port is notorious for being targeted by malware and pop-up spam, especially when RPC services listen on this port.
LLMNR
Link-Local Multicast Name Resolution (LLMNR) is a protocol that enables devices on the same local network segment to perform name resolution without requiring a DNS server. Primarily found in Microsoft environments starting from Windows Vista and Server 2008, LLMNR facilitates communication during network initialization or when DNS is unavailable.
SNMP
Simple Network Management Protocol (SNMP) is a widely used protocol for network management. It facilitates the monitoring and management of network devices, including routers, switches, servers, printers, and other connected hardware. SNMP enables centralized network control by allowing administrators to collect information, configure devices, and detect network issues efficiently.
MIL-STD-2045-47001 VMF
MIL-STD-2045-47001 VMF (Variable Message Format) is a military data communication protocol used primarily for tactical messaging among defense systems. Leveraging efficient message formatting, it facilitates rapid, secure, and interoperable data exchange across diverse battlefield communication platforms.
Kerberos Password Change
Port 464 is primarily used for the Kerberos protocol's password change and set functions, enabling secure management of user credentials within a Kerberos authentication infrastructure.
SMTP
SMTP (Simple Mail Transfer Protocol) is one of the core protocols used for sending emails across the Internet. It facilitates the reliable transfer of outgoing mail between email servers and from email clients to servers, enabling seamless global communication. Operating primarily over TCP port 25, SMTP ensures that messages are relayed efficiently, serving as the foundation of modern Internet email infrastructure.
Kaspersky AV Control Center
Port 8087 is used by the Kaspersky Anti-Virus Control Center for managing antivirus deployments over a network. It facilitates server-client communication for centralized control, updates, and monitoring of antivirus agents installed across the infrastructure.
SMTP over SSL
Port 465 is commonly used for secure SMTP communication, encapsulating email transmission within SSL encryption. This port facilitates encrypted email delivery between clients and mail servers, enhancing privacy compared to traditional plain-text SMTP connections. Although it was initially designated as a secure SMTP port, its status has shifted over time, but it remains widely supported for legacy encrypted email connections.
GNUnet
GNUnet is a secure, decentralized peer-to-peer networking framework designed to enable privacy-preserving communication, file sharing, and distributed applications. It prioritizes anonymity and resistance to censorship, making it a robust platform for privacy advocates and researchers interested in decentralized Internet technologies.
RAP - Internet Route Access Protocol
RAP, Internet Route Access Protocol
Symantec pcAnywhere
Symantec pcAnywhere is a remote access tool that enables secure communications and control over another system, often used for remote support or administration. The port 5631 is utilized specifically for data transfer in versions 7.52 and later. Despite its usefulness, it has a history of security concerns and is largely considered legacy software today due to emerging, more secure remote access solutions.
WatchGuard Auth Applet
Port 4100 is typically associated with the WatchGuard Authentication Applet, which facilitates user authentication processes within WatchGuard network security devices. This service enables clients to communicate authentication credentials to a WatchGuard firewall or security appliance, granting trusted network access based on identity verification.
GFI EventsManager
GFI EventsManager ports facilitate the collection, management, and analysis of logs from multiple network and security sources. It enables centralized event management, allowing organizations to efficiently monitor and respond to security-related events, system alerts, and compliance audits. Port 7787 is primarily used by versions 7 and 8 of the software for communication and data exchange.
Polipo Proxy
Polipo is a lightweight caching and forwarding web proxy designed to speed up browsing by reusing network connections and reducing bandwidth consumption. It serves as an intermediary between web clients and servers, optimizing traffic and caching frequently accessed web resources. Its streamlined design makes it particularly suitable for embedded systems or situations where resource efficiency is critical.
Kerberos Remote Shell (kshell)
Kerberos Remote shell (kshell) is a network service port traditionally used to provide authenticated command execution between systems in a network using the Kerberos authentication protocol. It enhances the conventional rsh protocol by incorporating secure identity verification, enabling users to remotely execute commands on trusted hosts without transmitting plain credentials. Although designed to improve security, its practical use has diminished in favor of more robust modern alternatives.
SecureCast
SecureCast is a protocol primarily used for outbound communication with Network Associates Inc. (NAI) servers. It facilitates the secure management, monitoring, and transfer of systems or security-related data, serving enterprise network infrastructure and security services. This port is often used by administration tools or security applications to transmit information externally.
Kerberos
Kerberos is a widely-used network authentication protocol designed to provide strong authentication for client/server applications through secret-key cryptography. Port 88 supports the Kerberos authentication system for securely verifying the identities of users and services across insecure networks. Both TCP and UDP transport mechanisms are employed depending on the use case, ensuring flexibility and reliability in various environments.
Norman Scanning Service
Norman Distributed Scanning Service is used by Norman security products for distributed malware scanning and coordination across networked endpoints. It facilitates efficient scanning by offloading tasks, distributing updates, and managing scan schedules in enterprise environments.
Nessus Scanner
Port 1241 is primarily used by Nessus, a popular vulnerability assessment tool designed to identify and remediate security issues across networked environments. Both TCP and UDP are supported, facilitating flexible communication during scans, plugin updates, and report retrieval. While essential for penetration testing and security auditing, exposure of this port in production environments requires careful control due to its sensitive nature.
Privoxy Web Proxy
Privoxy is a non-caching web proxy designed to protect user privacy and block advertisements. It operates with filtering capabilities for HTTP traffic, allowing removal of banners, pop-ups, and intrusive content on websites, while offering users control over their browsing experience and improved privacy.
SMTP Submission
Port 587 is primarily used for the submission of email messages over the Simple Mail Transfer Protocol (SMTP). It is designated for client-to-mail server communication, allowing authenticated users to send outgoing emails securely, typically requiring authentication and optional encryption. This port replaces legacy port 25 for authenticated message submission to improve security and adherence to email standards.
VTun VPN
VTun is a virtual tunneling software that creates encrypted and unencrypted VPN tunnels between remote systems, facilitating secure communication. It is primarily used to build secure private networks over the internet, leveraging techniques like tunneling and optional encryption to provide confidentiality, authentication, and data integrity. Though flexible and configurable, its default operation on port 5000 supports various link options including Ethernet and IP-level virtual links.
SoftPerfect Bandwidth Manager
SoftPerfect Bandwidth Manager is a traffic management and bandwidth monitoring application that primarily uses UDP port 8702 for communication between its management console and distributed agents. It allows network administrators to control usage, prioritize traffic, and enforce data quotas across a network in real-time.
Exchange Routing
Port 691 is used by Microsoft Exchange Server for routing email messages within and between Exchange servers in an organization. It plays a vital role in facilitating message transport and ensuring efficient communication across the messaging infrastructure.
CHARGEN
The Character Generator Protocol (CHARGEN) is a simple network service designed primarily for testing, debugging, and measurement of network performance. When connected, a server running the CHARGEN protocol continuously generates a stream of arbitrary characters until the client closes the connection. Initially developed for diagnostic purposes, this protocol is rarely used in modern systems but still exists on many legacy devices and installations.
SNMP Trap
SNMP Trap is a notification mechanism within the Simple Network Management Protocol (SNMP). It allows network devices such as routers, switches, servers, and firewalls to send unsolicited alert messages—called traps—to a management system when predefined conditions occur. This enables real-time monitoring and rapid response to network events including failures, threshold breaches, or configuration changes.
Tripwire
Tripwire is a well-known security auditing and intrusion detection software suite that helps maintain the integrity of critical files and system configurations. It accomplishes this by monitoring system changes and alerting administrators to suspicious alterations, contributing to improved compliance and security posture.
Adeona OpenDHT Client
Port 5852 is primarily used by the Adeona client software for secure communication with the OpenDHT distributed hash table network as part of device location recovery services. Adeona is an open-source system designed to assist owners in tracking lost or stolen laptops by periodically sending encrypted device location data to OpenDHT servers.
Office OS X Anti-Piracy Monitor
Port 2223 is associated with the Microsoft Office OS X anti-piracy network monitor, a service primarily used by specific versions of Microsoft Office for Mac to detect unlicensed usage or installations. It generally communicates via UDP and is unofficially assigned for this function. The port facilitates internal messaging and license verification processes to uphold Microsoft’s software licensing terms.
RSH / REMSH
Remote Shell (rsh or remsh) is a legacy protocol designed to execute shell commands on a remote Unix system in a non-interactive fashion. It operates primarily over TCP, allowing administrators or automated systems to issue single commands remotely. Despite its historical usage, RSH is largely deprecated due to its insecure design, transmitting data in plaintext, including user credentials, posing significant security risks in modern network environments.
ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) is a framework used in establishing, negotiating, modifying, and deleting security associations (SAs) for IPsec. Operating primarily over UDP port 500, it's fundamental to initiating secure, encrypted communication sessions on IP networks by managing cryptographic key exchanges. ISAKMP abstracts key management from specific encryption algorithms, ensuring flexibility and interoperability across various security protocols.
FLIR Camera Protocol
The FLIR Systems Camera Resource Protocol is utilized primarily by FLIR network-enabled cameras to facilitate command, control, and data exchange. It enables remote configuration, firmware updates, and live video streaming capabilities, making it essential for surveillance, security applications, and industrial monitoring. Despite being a proprietary and unofficial protocol specification, it has gained traction across various FLIR hardware implementations.
Netop Remote Control
Netop Remote Control is a remote administration tool by Netop Business Solutions, allowing IT teams to securely connect to and manage remote desktops and servers over TCP or UDP. Designed primarily for enterprise use, it provides features for support, troubleshooting, software deployment, and maintenance.
CodaAuth2 Authentication
CodaAuth2 operates as the authentication service within the Coda distributed filesystem, facilitating secure identity verification and access control for networked file sharing. It enables clients and servers to establish trust, supporting seamless collaboration and data access in Coda environments.
MMTSG
MMTSG-mutualed over MMT (encrypted transmission) is a protocol designed for secure multimedia transmissions over a network.
Axence nVision
Axence nVision is a comprehensive network management and monitoring tool that allows IT professionals to oversee their infrastructure effectively. It provides real-time visibility into network assets, user activity, and security events, enabling efficient troubleshooting and performance optimization.
Syslog
Syslog operates primarily over UDP port 514 to facilitate the centralization of log messages from network devices and Unix systems. It allows administrators to collect, store, and analyze log data centrally, streamlining monitoring, troubleshooting, and security event analysis across distributed systems.
SonicWALL Antispam
Port 2599 is utilized by SonicWALL's Antispam service for communication between the Remote Analyzer (RA) and the Control Center (CC). This dedicated connection enables real-time transfer of spam analysis data, updates, and coordination commands, facilitating effective centralized spam filtering across distributed email environments.
Axence nVision
Axence nVision is a comprehensive network monitoring and management solution used by organizations to oversee resources, track network activity, and ensure security compliance. It facilitates real-time monitoring, asset management, user activity analysis, helpdesk support, and data protection practices, typically through a centralized management console accessed over specific TCP ports.
Zimbra SMTP Amavis Integration
Port 10025 is commonly used internally within Zimbra Collaboration Suite to facilitate the relay of email messages from the Amavis content filter back into the Postfix Mail Transfer Agent (MTA). This port enables scanning and filtering of emails for malware, spam, or policy compliance before final delivery, serving as a secure and structured point of reinjection after content analysis.
Zimbra SMTP to Amavis
This port is commonly used within Zimbra Collaboration Suite for internal communication between the mail transfer agent (Postfix) and Amavis, an open-source content filter. It facilitates email scanning, virus filtering, and spam detection before mail delivery, ensuring cleaner email flows within an organization’s email infrastructure.
Kerberos User Registration
Port 753 is primarily associated with the Kerberos user registration server (userreg_server). It facilitates client-server communication for managing user identity registrations within Kerberos authentication infrastructure. Typically using UDP, it plays a role in updating and maintaining secure user credentials essential for the operation of Kerberos-based networks.
ProRat Server
ProRat Server is a commonly used backdoor tool known as a Remote Access Trojan (RAT). It enables unauthorized access and remote control over compromised Windows systems. Cybercriminals use ProRat to steal sensitive information, manipulate system settings, and perform malicious activities covertly, posing significant security risks.
Sophos RMS
Sophos Remote Management System (RMS) facilitates communication between Sophos endpoint security products and central management consoles. It enables the centralized administration, policy enforcement, status monitoring, and update delivery crucial for maintaining an organization's security infrastructure efficiently.
Axence nVision
Axence nVision is a comprehensive IT management software that utilizes port 12011 primarily for communication between monitoring agents and the management console. It facilitates monitoring, inventory, helpdesk, and security policy management within enterprise networks, allowing administrators to gain deep insights into network performance and security status.
Ident
Ident, operating on port 113, is a protocol primarily used by Internet Relay Chat (IRC) servers to obtain the identity of a client attempting to connect. It provides simple identification by querying the connecting user’s ident daemon, which reports the username associated with a TCP connection. Although its use has declined due to security concerns and shifts to newer authentication methods, ident remains noteworthy historically in facilitating user management and access control in IRC networks.
Tor Control
Tor (The Onion Router) is a volunteer-operated overlay network designed to enable anonymous communication over the Internet. It routes traffic through multiple relays to obscure the user's location and usage from surveillance or network traffic analysis, promoting privacy and free access. Port 9051 is primarily used as the Control Port for interacting programmatically with the Tor daemon, allowing software to script or query Tor's status.
LDAP
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral protocol used to query and manage directory services over a network. It facilitates centralized authentication, authorization, and directory-based lookups, serving as a backbone for enterprise identity management and access control. LDAP powers a wide array of services including corporate user directories, email systems, and network resource lookups.
Splunk Daemon
Port 8089 is primarily used by the Splunk Daemon, the management service for Splunk Enterprise deployments. It facilitates communication between Splunk components, such as forwarders, indexers, deployment servers, and management consoles, enabling distributed orchestration and secure data collection.
Axence nVision
Axence nVision is a network monitoring tool that provides comprehensive visibility and control over network devices and performance.
Tor Directory
TCP port 9030 is commonly associated with the Tor network, specifically used for directory server communication. Directory authorities and relays share metadata about the network topology, enabling Tor clients to bootstrap, find relays, and maintain anonymity circuits. While the port is often unofficial, it plays a vital role in the Tor infrastructure's operation.
Who Service
The WHO service on UDP port 513 is a legacy Unix command networking service designed to remotely return information about users logged into a host system. Often bundled with early UNIX systems, it provides details such as usernames, terminal locations, and login times. Due to its age and security concerns, its usage has largely declined with modern alternatives offering enhanced security.
Kerberos IV
Kerberos version IV is an authentication protocol primarily used to verify the identities of clients and servers in distributed network environments. Operating over UDP port 750, Kerberos IV employs a ticket-based system to securely authenticate users without transmitting passwords in plaintext, enhancing overall security. Though widely influential, this older version has been mostly superseded by Kerberos V due to enhanced features and security improvements.
Smartcard Service
Port 3516 is primarily used for smartcard communication services, allowing secure interactions between smartcard readers and authentication systems. It acts as a transport layer facilitating the exchange of authentication, identification, and cryptographic information during smartcard transactions across various enterprise and networked environments.
WibuKey Protection
WibuKey is a proprietary hardware and software-based licensing and software protection system developed by WIBU-SYSTEMS AG. It helps software vendors secure their applications against unauthorized use, piracy, and reverse engineering by integrating with dedicated hardware dongles and specialized drivers. The system operates over network services, allowing license verification across distributed environments.
KPOP - Kerberos POP
KPOP, or Kerberos Post Office Protocol, is a secure adaptation of the Post Office Protocol (POP) that leverages Kerberos authentication. It was designed to provide stronger security measures for email retrieval by integrating Kerberos' trusted ticket-based authentication system, thereby reducing risks associated with password-based methods.
Tor SOCKS Proxy
Port 9050 is primarily used by the Tor network as a SOCKS proxy, allowing applications to anonymize their internet traffic by routing it through the Tor network. This process provides privacy and obfuscation of the user's IP address, enabling access to content anonymously across the internet, including hidden services on the dark web. While widely adopted for privacy-focused browsing, its use must be carefully managed due to security considerations.
Zabbix Agent
Zabbix Agent is a lightweight software component installed on endpoints to collect monitoring data and send it to the Zabbix Server over a designated port. Designed mainly for performance statistics, availability metrics, and system health checks, it enables centralized infrastructure and service monitoring in enterprise and open-source environments.
ComCam IO
Port 3605 is primarily associated with ComCam IO, a service related to network-enabled surveillance cameras and communication modules. It facilitates device communication, data transmission, and control signaling between camera components and remote systems — typically operating over UDP for efficient real-time data streaming.
Teredo
Teredo is a network protocol designed to provide IPv6 connectivity to nodes that are located behind IPv4 NAT (Network Address Translation) devices. Implemented as a tunneling protocol, Teredo encapsulates IPv6 packets within IPv4 UDP datagrams, enabling seamless communication across IPv4 networks without requiring native IPv6 infrastructure. This ensures broader IPv6 adoption and maintains compatibility where direct IPv6 support is not feasible.
Kerberos Master Authentication
Port 751 is utilized primarily for the Kerberos master authentication service, an integral part of the Kerberos network authentication protocol. It helps facilitate secure communication for verifying user identities over insecure networks by acting as a central key distribution hub.
NetSupport Manager
NetSupport Manager is a remote control software solution widely used by enterprises and educational institutions for remote desktop management, classroom control, and IT support. It enables administrators and teachers to connect to and control multiple endpoints seamlessly over a network, providing a versatile toolset for system management, troubleshooting, and collaboration.
Diameter Protocol
Diameter is an Authentication, Authorization, and Accounting (AAA) protocol defined in RFC 3588, and a successor to RADIUS. It is used primarily in modern IP-based networks for carrying authentication, service authorization, and configuration information, especially within mobile networks and LTE infrastructure.
EMCADS
EMCADS is a proprietary communication service developed by Giritech for its G/On product suite. The service facilitates remote access and secure communication pathways between client endpoints and organizational resources, centralizing management while maintaining flexibility. It operates over both TCP and UDP, ensuring adaptability across network environments and providing robust connectivity options.
Kerberos Slave Propagation
Port 754 is used by Kerberos version 5 to propagate database updates from a primary KDC (Key Distribution Center) to secondary or slave KDCs. This replication ensures all KDCs maintain consistent authentication credentials across the Kerberos realm, which is crucial for maintaining a unified and secure authentication environment.
Secure Access Control Server (ACS)
Cisco's Secure Access Control Server (ACS) running on Windows provides centralized authentication, authorization, and accounting (AAA) services for network devices. It facilitates managing user policies and securing access to corporate network resources efficiently. Operating over TCP port 2002, it supports integration with various network infrastructure elements for enhanced access control mechanisms.
Ingreslock
Port 1524 is commonly associated with the Ingreslock backdoor trojan related to the Ingres database software. Originally designed for internal database communication, it has over time been widely abused by attackers to gain unauthorized access to systems, making it a known security concern. Both TCP and UDP protocols can be used on this port, increasing its attack surface and necessitating vigilant network monitoring and filtering.
Sophos RMS
Sophos Remote Management System (RMS) allows administrators to remotely manage, update, and monitor Sophos security products across an enterprise. It leverages a proprietary communication protocol to facilitate command delivery, status reporting, and policy update enforcement between endpoint agents and the management console.
Kerberos kpasswd Server
**Kerberos Password Change (kpasswd) Server** — Port 752 is primarily used by the Kerberos authentication protocol to handle password changes securely. The service facilitates secure communication between clients wishing to update their passwords and the Kerberos authentication infrastructure, maintaining strong user identity management within enterprise environments.
Kaseya
**Kaseya** is a remote monitoring and management (RMM) solution widely used by managed service providers (MSPs) and IT departments. It enables centralized management of workstations, servers, network devices, and software deployment, streamlining IT operations from a single console.
RADIUS Accounting
RADIUS Accounting operates on port 1813 and is part of the Remote Authentication Dial-In User Service (RADIUS), primarily used for tracking usage and accounting purposes in network authentication scenarios. It helps network administrators manage resource consumption, billing, and audit trails by recording data usage, connection times, and user activity. Usually paired with RADIUS Authentication on port 1812, accounting ensures proper monitoring and management of network services.
NCA over OpenSSH
Network Console on Acid (NCA) over OpenSSH provides a way to redirect local TTY consoles over secure SSH tunnels, enabling remote system management while leveraging encrypted communications for enhanced security.
sFlow Monitoring
**sFlow** is a widely used protocol for monitoring network traffic. It uses statistical sampling techniques to collect data on traffic flows and interface counters across network devices like routers and switches. This collected data enables network administrators to analyze bandwidth usage, detect anomalies, troubleshoot issues, and optimize network performance effectively without overloading devices or links.
Sophos RMS
Sophos Remote Management System (RMS) is a proprietary communication channel utilized by Sophos security products for centralized management and command relay between managed endpoints and the Sophos Enterprise Console. This port facilitates the distribution of security policies, event notifications, and status updates, enabling administrators to efficiently oversee endpoint protection across enterprise networks.
Symantec ITA Agent
Port 5051 is primarily used by Symantec Intruder Alert's ITA Agent, a component within Symantec’s intrusion detection system designed to collect and communicate real-time security event data to centralized management consoles.
DART Reporting Server
DART Reporting Server typically functions as an endpoint for data collection, aggregation, and analytics within enterprise environments, enabling centralized reporting of operational or security events across an organization's infrastructure.
traceroute
The traceroute port facilitates the tracking of the path data packets take through a network.
ESET Antivirus Updates
This port is primarily used by ESET security products to facilitate downloading antivirus updates and virus signature databases from ESET servers, ensuring that the endpoint has the most current protection against malware threats.
LWAPP Data
The Lightweight Access Point Protocol (LWAPP) is designed to enable centralized wireless LAN management by facilitating communication between wireless access points (APs) and wireless LAN controllers. LWAPP Data on port 12222 typically handles the exchange of user data packets between APs and controllers, supplementing the control and management communication. This centralized approach helps organizations streamline deployment, monitoring, and troubleshooting of wireless networks.
Splitlock Server
Splitlock Server is a network service application that facilitates secure data communications between client systems, often involving authentication and resource management. It typically enables a protected environment for transmitting or managing files or commands over a TCP/UDP connection. The service is capable of handling concurrent client requests and supports the operations required within its application context.
Kiwi Log Server
SolarWinds Kiwi Log Server is a centralized syslog management solution used to collect, store, analyze, and archive syslog and SNMP messages from network devices. It facilitates real-time event monitoring and enables network administrators to efficiently manage logs and ensure network security and compliance.
HSRP
The Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol designed to ensure high network availability by providing automatic failover to a backup router in case the primary router becomes unreachable, thereby maintaining uninterrupted communication within a network.
Cisco VQP / VMPS
Cisco's VLAN Query Protocol (VQP) facilitates dynamic VLAN assignments by querying VLAN Management Policy Servers (VMPS). Operating primarily over UDP, it allows network switches to determine which VLAN a device should belong to based on its MAC address. This aids in automated network policy enforcement and scalable, dynamic network segmentation.
Certificate Management Protocol
CMP (Certificate Management Protocol) facilitates the secure management of digital certificates, which are vital components in establishing trusted identities in public key infrastructures (PKIs). It enables certificate enrollment, renewal, revocation, and retrieval across distributed networks. The protocol supports automation of certificate lifecycle processes, making certificate management more scalable, efficient, and reliable for organizations.
SpamAssassin spamd
SpamAssassin's spamd daemon listens on port 783 to perform content-based email filtering, identifying spam through a vast array of heuristic and signature-based tests. Designed to work alongside mail transfer agents, spamd enables rapid analysis of inbound mail streams, efficiently tagging or rejecting unwanted messages. It is a popular tool integrated into many email security solutions to reduce spam volume and protect users from unsolicited messages and common email threats.
SMTPS
Port 465 was initially used for the Secure SMTP (SMTPS) protocol, providing encrypted email transmission via SSL. Despite its early deprecation in favor of STARTTLS on port 587, it has seen a resurgence in use for secured email submissions. This port helps facilitate confidential communication between email clients and servers, ensuring message privacy over potentially insecure networks.
ConsoleWorks UI
Port 5176 is used by ConsoleWorks, a centralized management platform focused on secure remote access, device management, and event logging within critical infrastructure environments. This port typically hosts the application's web-based user interface, allowing administrators to configure systems, monitor events, and review access logs through an intuitive dashboard.
Unassigned Port
Port 6 is currently unassigned by the Internet Assigned Numbers Authority (IANA) and does not have a designated service or protocol. Although unallocated, it can sometimes be utilized for experimental purposes or proprietary communications, but generally remains unused in standard networking environments.
Kerberos Registration
Port 760 is utilized by the Kerberos registration service (known as krbupdate or kreg). It facilitates the registration and update of Kerberos principals and credentials, enabling centralized identity management and secure authentication within a networked environment.
Unassigned Port
Port 8 remains officially unassigned by IANA and is not reserved for any widely recognized service or protocol. Although both TCP and UDP communications on this port are technically possible, its undefined status means it does not typically host specific services. This lack of official designation means use of this port is generally considered arbitrary or for proprietary applications, testing scenarios, or potentially malicious activities.
Symantec AV Corporate
Port 2967 is primarily used by Symantec AntiVirus Corporate Edition to facilitate client-server communication within enterprise environments. It enables the transfer of virus definitions, policy updates, and reporting data between managed clients and Symantec management servers. Keeping this port accessible is essential for maintaining updated antivirus protection and centralized security management across corporate networks.
PKIX Time Stamp Protocol
The PKIX Time Stamp Protocol (TSP) provides a method for associating a trusted timestamp with data, enabling proof that specific content existed at a particular point in time. Commonly used within digital signature frameworks, TSP ensures long-term validation by involving certified time-stamping authorities (TSAs).
rfile Protocol
Port 750, typically associated with 'rfile', was historically used within the Kerberos authentication system developed by MIT. It served as an RPC-based frontend for remote file management, particularly for secure file transfer and operations in academic and research environments. While largely deprecated today, understanding rfile helps contextualize legacy authentication and file service protocols.
DTCP
Dynamic Tunnel Configuration Protocol (DTCP) facilitates the dynamic establishment, maintenance, and termination of network tunnels such as VPNs, enabling efficient, flexible, and automated secure communication channels within large or complex networks.
Unassigned Port
Port 14 is currently an unassigned port according to official registries. It does not have a formally designated use, and remains open for potential future assignment or for ephemeral, experimental, or private use by applications or organizations. While unassigned, it can still be seen on network scans, typically as an ephemeral or mistakenly configured port.
Microsoft Net.TCP Port Sharing
Microsoft Net.TCP Port Sharing UpnpService is used for sharing TCP connections.
NetIQ NCAP
NetIQ NCAP (NetIQ Channel Access Protocol) is a proprietary protocol developed by NetIQ, primarily used for communication between NetIQ monitoring agents and management servers. It facilitates secure data exchange, system control, and event notification within enterprise IT environments that utilize NetIQ tools for system and security management.
LWAPP Control
The Lightweight Access Point Protocol (LWAPP) Control port, defined in RFC 5412, facilitates communication between lightweight wireless access points (APs) and a centralized wireless LAN controller. Operating primarily over UDP, it supports control plane messaging necessary for secure, scalable management of wireless infrastructures by decoupling management functions from the APs and consolidating configuration and policy enforcement.
Check Point CCP
Check Point Cluster Control Protocol (CCP) is a proprietary communication protocol used in Check Point firewall clusters. It facilitates the synchronization of state, status updates, and health information among all nodes within a cluster, enabling efficient failover and load balancing in clustered environments.
Rapid7 InsightVM Engine-to-Console
Rapid7 InsightVM Engine-to-Console
Verisys FIM
Verisys is a file integrity monitoring (FIM) software designed to detect unauthorized changes to files and configurations across systems. It is typically employed within enterprise environments to enhance compliance, security, and operational integrity by monitoring critical system files and alerting administrators of any unexpected modifications.
Rapid7 InsightVM Console-to-Engine
Rapid7 InsightVM Console-to-Engine is a communication channel for executing vulnerability scans and assessments.
loadav
Port 750, known as loadav, is traditionally used in UNIX environments in connection with Kerberos 4 service operation. Historically, it was designated for the Kerberos 'kerberos-iv' remote authentication protocol, facilitating secure login and authentication in a distributed computing environment. Given the evolution of security practices, its use has become largely obsolete in favor of more secure protocols.
TUNNEL Profile (BEEP)
The TUNNEL Profile for BEEP (Blocks Extensible Exchange Protocol) enables the creation of application-layer tunnels over TCP. This facilitates encapsulating various application protocols transparently, allowing peer-to-peer communication, protocol multiplexing, and flexible data flow management within the BEEP framework. It is a versatile mechanism mainly employed in network services and security contexts where tunneling is required without developing new transport protocols.
Norman NPEP
Norman Proprietary Event Protocol (NPEP) is a specialized communication protocol utilized by Norman security products to transmit event notifications, status updates, and log data between security clients and management consoles within an enterprise environment. It facilitates centralized monitoring and management of endpoint security status.
QRH
QRH is a network port associated with the official assignment of port 752, primarily used for secure routing control applications such as `kerberos_load` and `userreg`. While it is uncommon in everyday networking, it contributes to routing authentication and management. Its usage is generally confined to specialized network infrastructure services.
SMTP Alternate
Port 2525 is widely used as an alternative SMTP (Simple Mail Transfer Protocol) port for email message submission, particularly as a workaround when ISP restrictions or firewall policies block the default SMTP port 25. While unofficial, it has become popular among email service providers for facilitating reliable outbound email delivery.
KDM - Key Distribution Manager
KDM - Key Distribution Manager facilitates centralized management of SSH keys in UNIX systems, enabling secure and simplified user authentication.
Secure Internet Live Conferencing (SILC)
**SILC (Secure Internet Live Conferencing)** is a secure conferencing protocol designed to provide private, encrypted real-time collaboration and communication over the Internet. It supports group chats, messaging, and data exchanges with strong security features, aiming to address the privacy concerns found in traditional chat protocols.
Sub7
Port 27374 is notoriously associated with Sub7, a popular remote administration trojan from the late 1990s and early 2000s. Sub7 enables a malicious actor to gain covert control of infected Windows machines, allowing unauthorized access, data theft, and remote manipulation. Although its prevalence has declined, the port remains a common scan target for cybercriminals attempting to identify backdoored systems.
Netop Remote Control
Netop Remote Control by Netop Business Solutions is a remote desktop and administration tool designed to provide secure and efficient remote access and support services. Widely used in enterprise environments, it allows IT staff to troubleshoot issues, manage devices, and offer remote assistance seamlessly across various platforms.
IP Fabrics Buffering
Port 9536 is primarily used by IP Fabrics for their lawful intercept and surveillance systems, specifically the buffering function that temporarily stores network data before processing or forwarding. This port supports both TCP and UDP communications and facilitates efficient data capture and analysis for lawful electronic surveillance compliance.
NetIQ Endpoint
NetIQ Endpoint port 10115 is used primarily by NetIQ suite services for communication between endpoints and management consoles. This port facilitates management, monitoring, policy enforcement, and event data collection across networked devices, allowing administrators to maintain oversight on endpoint activities and configurations in enterprise environments.
NetIQ Endpoint
NetIQ Endpoint is used primarily by Micro Focus NetIQ, a suite of enterprise identity, access, and security management solutions. This port facilitates communication between NetIQ endpoints and management servers, enabling data collection, monitoring, administration, and remote control functionalities. Supporting both TCP and UDP, it ensures flexible connectivity for endpoint management tasks in distributed network environments.