Scanning ports is an important part of penetration testing. It allows you to identify and exploit vulnerabilities in websites, mobile applications, or systems. As a penetration tester or ethical hacker, it is essential you know the easiest and most vulnerable ports to attack when carrying out a test.

So what actually are open ports? And which ports are most vulnerable?

What Is a Penetration Test?

A penetration test is a form of ethical hacking that involves carrying out authorized simulated cybersecurity attacks on websites, mobile applications, networks, and systems to discover vulnerabilities on them using cybersecurity strategies and tools. This is done to evaluate the security of the system in question.

What Are Ports?

A port is a virtual array used by computers to communicate with other computers over a network. A port is also referred to as the number assigned to a specific network protocol. A network protocol is a set of rules that determine how devices transmit data to and fro on a network.

The two most common types of network protocols are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

Transmission Control Protocols

TCP is a communication standard that allows devices to send and receive information securely and orderly over a network. It does this by establishing a connection from the client computer to the server or designated computer, and then sending packets of information over the network. TCP works hand in hand with the internet protocol to connect computers over the internet.

User Datagram Protocols

UDP works very much like TCP, only it does not establish a connection before transferring information. The UDP is faster than the TCP because it skips the establishing connection step and just transfers information to the target computer over a network. This makes it unreliable and less secure.

How to Check for Open Ports

An open port is a TCP or UDP port that accepts connections or packets of information. If a port rejects connections or packets of information, then it is called a closed port. Open ports are necessary for network traffic across the internet.

To check for open ports, all you need is the target IP address and a port scanner. There are many free port scanners and penetration testing tools that can be used both on the CLI and the GUI. The most popular port scanner is Nmap, which is free, open-source, and easy to use. If you're unfamiliar with it, you can learn how to scan for open ports using Nmap.

Are All Open Ports Vulnerable?

Not necessarily. Although a closed port is less of a vulnerability compared to an open port, not all open ports are vulnerable. Rather, the services and technologies using that port are liable to vulnerabilities. So, if the infrastructure behind a port isn't secure, that port is prone to attack.

Vulnerable Ports to Look Out For

pentest-scan

There are over 130,000 TCP and UDP ports, yet some are more vulnerable than others. In penetration testing, these ports are considered low-hanging fruits, i.e. vulnerabilities that are easy to exploit.

Many ports have known vulnerabilities that you can exploit when they come up in the scanning phase of your penetration test. Here are some common vulnerable ports you need to know.

1. FTP (20, 21)

FTP stands for File Transfer Protocol. Port 20 and 21 are solely TCP ports used to allow users to send and to receive files from a server to their personal computers.

The FTP port is insecure and outdated and can be exploited using:

  • Anonymous authentication. You can log into the FTP port with both username and password set to "anonymous".
  • Cross-Site Scripting.
  • Brute-forcing passwords.
  • Directory traversal attacks.

2. SSH (22)

SSH stands for Secure Shell. It is a TCP port used to ensure secure remote access to servers. You can exploit the SSH port by brute-forcing SSH credentials or using a private key to gain access to the target system.

3. SMB (139, 137, 445)

SMB stands for Server Message Block. It is a communication protocol created by Microsoft to provide sharing access of files and printers across a network. When enumerating the SMB port, find the SMB version, and then you can search for an exploit on the internet, Searchsploit, or Metasploit.

The SMB port could be exploited using the EternalBlue vulnerability, brute forcing SMB login credentials, exploiting the SMB port using NTLM Capture, and connecting to SMB using PSexec.

An example of an SMB vulnerability is the Wannacry vulnerability that runs on EternalBlue

4. DNS (53)

DNS stands for Domain Name System. It is both a TCP and UDP port used for transfers and queries respectively. One common exploit on the DNS ports is the Distributed Denial of Service (DDoS) attack.

5. HTTP / HTTPS (443, 80, 8080, 8443)

HTTP stands for HyperText Transfer Protocol, while HTTPS stands for HyperText Transfer Protocol Secure (which is the more secure version of HTTP). These are the most popular and widely used protocols on the internet, and as such are prone to many vulnerabilities. They are vulnerable to SQL injections, cross-site scripting, cross-site request forgery, etc

6. Telnet (23)

The Telnet protocol is a TCP protocol that enables a user to connect to remote computers over the internet. The Telnet port has long been replaced by SSH, but it is still used by some websites today. It is outdated, insecure, and vulnerable to malware. Telnet is vulnerable to spoofing, credential sniffing, and credential brute-forcing.

7. SMTP (25)

SMTP stands for Simple Mail Transfer Protocol. It is a TCP port used for sending and receiving mails. It can be vulnerable to mail spamming and spoofing if not well-secured.

8. TFTP (69)

TFTP stands for Trivial File Transfer Protocol. It's a UDP port used to send and receive files between a user and a server over a network. TFTP is a simplified version of the file transfer protocol. Because it is a UDP port, it does not require authentication, which makes it faster yet less secure.

It can be exploited using password spraying and unauthorized access, and Denial of Service (DoS) attacks.

Port Scanning as a Pentester

As a penetration tester or ethical hacking, the importance of port scanning cannot be overemphasized. Port scanning helps you to gather information about a given target, know the services running behind specific ports, and the vulnerabilities attached to them.

Now that you know the most vulnerable ports on the internet, you can use this information to perform pentests. Good luck!