| 20 | TCP | FTP Data | FTP data transfer | Often filtered, used with port 21 |
| 21 | TCP | FTP | File Transfer Protocol control | Anonymous login, credential brute-force, bounce attacks |
| 22 | TCP | SSH | Secure Shell | Brute-force, key-based attacks, tunneling |
| 23 | TCP | Telnet | Unencrypted remote access | Cleartext credentials, legacy systems |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol | Open relay, user enumeration (VRFY) |
| 53 | TCP/UDP | DNS | Domain Name System | Zone transfers (AXFR), DNS tunneling |
| 67 | UDP | DHCP | DHCP Server | Rogue DHCP, starvation attacks |
| 68 | UDP | DHCP | DHCP Client | Client-side attacks |
| 69 | UDP | TFTP | Trivial File Transfer | No authentication, file retrieval |
| 80 | TCP | HTTP | Web Server | Web app attacks, directory bruteforce |
| 88 | TCP/UDP | Kerberos | Kerberos authentication | AS-REP roasting, Kerberoasting |
| 110 | TCP | POP3 | Post Office Protocol | Credential brute-force |
| 111 | TCP/UDP | RPCBind | RPC Port Mapper | Enumerate RPC services |
| 123 | UDP | NTP | Network Time Protocol | NTP amplification DDoS |
| 135 | TCP | MSRPC | Microsoft RPC | RPC enumeration, WMI access |
| 137 | UDP | NetBIOS-NS | NetBIOS Name Service | Name enumeration |
| 138 | UDP | NetBIOS-DGM | NetBIOS Datagram | Browser service attacks |
| 139 | TCP | NetBIOS-SSN | NetBIOS Session | SMB over NetBIOS, null sessions |
| 143 | TCP | IMAP | Internet Message Access Protocol | Email access, credential attacks |
| 161 | UDP | SNMP | Simple Network Management | Community string brute-force, info disclosure |
| 162 | UDP | SNMP Trap | SNMP Traps | Trap spoofing |
| 389 | TCP/UDP | LDAP | Lightweight Directory Access | Anonymous bind, AD enumeration |
| 443 | TCP | HTTPS | HTTP over TLS | SSL/TLS attacks, web app testing |
| 445 | TCP | SMB | Server Message Block | EternalBlue, relay attacks, shares |
| 464 | TCP/UDP | Kerberos | Kerberos password change | Password attacks |
| 500 | UDP | IKE | IPSec/IKE VPN | VPN enumeration, aggressive mode |
| 514 | UDP | Syslog | System Logging | Log injection, info gathering |
| 515 | TCP | LPD | Line Printer Daemon | Printer exploitation |
| 523 | TCP | IBM DB2 | IBM DB2 Discovery | Database enumeration |
| 548 | TCP | AFP | Apple Filing Protocol | macOS file sharing attacks |
| 554 | TCP | RTSP | Real Time Streaming Protocol | Camera/streaming enumeration |
| 587 | TCP | SMTP | SMTP Submission | Email submission, credential attacks |
| 593 | TCP | RPC over HTTP | Microsoft RPC over HTTP | Exchange RPC |
| 623 | UDP | IPMI | Intelligent Platform Management | Hash dump, cipher zero attack |
| 636 | TCP | LDAPS | LDAP over SSL | Secure LDAP enumeration |
| 873 | TCP | Rsync | Remote Sync | Anonymous access, file retrieval |
| 993 | TCP | IMAPS | IMAP over SSL | Secure email access |
| 995 | TCP | POP3S | POP3 over SSL | Secure email retrieval |
| 1080 | TCP | SOCKS | SOCKS Proxy | Proxy pivoting |
| 1099 | TCP | Java RMI | Java Remote Method Invocation | Deserialization attacks |
| 1433 | TCP | MSSQL | Microsoft SQL Server | SQL injection, xp_cmdshell |
| 1434 | UDP | MSSQL Browser | SQL Server Browser | Instance enumeration |
| 1521 | TCP | Oracle | Oracle Database | TNS listener attacks |
| 1723 | TCP | PPTP | Point-to-Point Tunneling | VPN attacks, MS-CHAPv2 cracking |
| 2049 | TCP/UDP | NFS | Network File System | Share enumeration, access |
| 2375 | TCP | Docker | Docker API (unencrypted) | Container escape, RCE |
| 2376 | TCP | Docker TLS | Docker API (TLS) | Certificate attacks |
| 3268 | TCP | Global Catalog | AD Global Catalog | AD enumeration |
| 3269 | TCP | Global Catalog SSL | AD Global Catalog over SSL | Secure AD enumeration |
| 3306 | TCP | MySQL | MySQL Database | Credential attacks, UDF |
| 3389 | TCP | RDP | Remote Desktop Protocol | BlueKeep, brute-force, session hijacking |
| 4369 | TCP | EPMD | Erlang Port Mapper | RabbitMQ, distributed Erlang |
| 5000 | TCP | Various | Common dev server port | Docker Registry, Flask |
| 5432 | TCP | PostgreSQL | PostgreSQL Database | Database attacks |
| 5672 | TCP | AMQP | RabbitMQ | Message queue attacks |
| 5900 | TCP | VNC | Virtual Network Computing | Authentication bypass, brute-force |
| 5985 | TCP | WinRM HTTP | Windows Remote Management | PowerShell remoting |
| 5986 | TCP | WinRM HTTPS | WinRM over HTTPS | Secure PS remoting |
| 6379 | TCP | Redis | Redis Database | Unauthenticated access, RCE |
| 6667 | TCP | IRC | Internet Relay Chat | Botnet C2, info gathering |
| 8000 | TCP | HTTP Alt | Alternative HTTP | Development servers |
| 8080 | TCP | HTTP Proxy | HTTP Proxy/Alt | Tomcat, Jenkins, proxies |
| 8443 | TCP | HTTPS Alt | Alternative HTTPS | Management interfaces |
| 8888 | TCP | HTTP Alt | Alternative HTTP | Jupyter, various apps |
| 9000 | TCP | Various | PHP-FPM, SonarQube | FastCGI attacks |
| 9200 | TCP | Elasticsearch | Elasticsearch REST API | Data exposure, RCE |
| 9418 | TCP | Git | Git Protocol | Repository access |
| 11211 | TCP/UDP | Memcached | Memcached Cache | Data exposure, amplification |
| 27017 | TCP | MongoDB | MongoDB Database | Unauthenticated access |
| 27018 | TCP | MongoDB | MongoDB Shard | Shard server access |
| 50000 | TCP | SAP | SAP Management Console | SAP enumeration |