TCP vs UDP — Know the Difference
DNS uses UDP port 53 for standard queries — fast, low overhead, fits in one packet. DNS uses TCP port 53 for zone transfers (replicating the full DNS database between servers) and responses larger than 512 bytes. The exam may ask which protocol DNS uses — answer UDP for lookups, TCP for zone transfers.
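The UDP-first, TCP-on-truncation behaviour described above, as an added example that is not part of the original page. It builds an RFC 1035 query, reads the TC (truncation) bit from the response header, and repeats the query over TCP with the 2-byte length prefix that DNS over TCP requires. The two "server" functions are constructed stand-ins that return hand-built responses so the script runs offline; `send_udp`/`send_tcp` are assumed caller-supplied transports, not a library API.

```python
"""DNS over UDP 53 with fallback to TCP 53 when the server sets TC=1 (added example)."""
import struct

TC_FLAG = 0x0200   # bit 9 of the 16-bit flags word: TrunCation, "retry over TCP"


def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard recursive query for `name` (QTYPE 1 = A, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; raises ValueError if the message is too short."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response):
    """True when the UDP answer was truncated (did not fit the 512-byte UDP limit)."""
    return parse_header(udp_response)["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def resolve(name, send_udp, send_tcp):
    """Send over UDP first; if TC=1 comes back, repeat the same query over TCP."""
    query = build_query(name)
    reply = send_udp(query)
    if needs_tcp_retry(reply):
        framed = send_tcp(tcp_frame(query))
        (length,) = struct.unpack("!H", framed[:2])
        reply = framed[2:2 + length]
    return reply


# Constructed stand-in servers (not captured traffic) so the example runs offline.
def _fake_udp_server(query):
    txid = struct.unpack("!H", query[:2])[0]
    # flags 0x8380 = QR + TC + RD + RA: "answer too large for UDP, ask again over TCP"
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0) + query[12:]


def _fake_tcp_server(framed_query):
    query = framed_query[2:]
    txid = struct.unpack("!H", query[:2])[0]
    answer = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:]  # QR + RD + RA
    # one A record: name pointer to offset 12, type A, class IN, TTL 60, 4-byte address
    answer += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return tcp_frame(answer)


if __name__ == "__main__":
    hdr = parse_header(resolve("example.com", _fake_udp_server, _fake_tcp_server))
    print(f"answers={hdr['ancount']} truncated={hdr['tc']}")
```

On a real resolver the same logic is why a firewall that permits only UDP 53 works for everyday lookups but silently breaks large responses and zone transfers: the TCP retry never gets through.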
Quick Reference — Most Tested Ports
Full Port Reference Table
| Port | Protocol | TCP/UDP | Description | Exams |
|---|---|---|---|---|
| 📁 File Transfer | ||||
| 20 | FTP Data | TCP | FTP active mode data transfer. The server initiates the data connection back to the client on port 20. Passive mode FTP uses a negotiated high port instead. | A+N+ |
| 21 | FTP Control | TCP | FTP command/control channel — login, directory listing, file commands. Unencrypted — credentials sent in cleartext. Use SFTP (port 22) or FTPS (port 990) instead. | A+N+S+ |
| 22 | SSH / SFTP / SCP | TCP | Secure Shell — encrypted remote terminal access, replacing Telnet. Also used by SFTP (Secure FTP over SSH) and SCP (Secure Copy). The most important "secure replacement" port to know. | A+N+S+ |
| 69 | TFTP | UDP | Trivial FTP — simple, no authentication, no directory listing. Used to transfer OS images to network devices (Cisco IOS), PXE boot, and firmware updates. Never used for sensitive files. | N+ |
| 445 | SMB | TCP | Server Message Block — Windows file and printer sharing. Used by Windows mapped drives, Active Directory, and network printing. WannaCry ransomware exploited an SMBv1 vulnerability; the EternalBlue exploit targets this port. | A+N+S+ |
| 25 | SMTP | TCP | Simple Mail Transfer Protocol — sends email between mail servers (server to server). Also used by email clients to send outgoing mail. Unencrypted — credentials visible in transit. | A+N+S+ |
| 110 | POP3 | TCP | Post Office Protocol v3 — downloads email from server to client and typically deletes it from the server. Unencrypted. Use POP3S (port 995) for encrypted version. Key difference from IMAP: email is removed from server. | A+N+ |
| 143 | IMAP | TCP | Internet Message Access Protocol — syncs email with server, leaving messages on the server. Multiple devices see the same inbox. Unencrypted. Use IMAPS (port 993) for encrypted version. Key difference from POP3: email stays on server. | A+N+ |
| 465 / 587 | SMTPS | TCP | Encrypted SMTP. Port 465 uses implicit TLS (SSL). Port 587 uses STARTTLS (upgrades plaintext connection to encrypted). Modern email clients typically use 587. Both replace unencrypted SMTP (25) for client-to-server submission. | A+N+ |
| 993 | IMAPS | TCP | IMAP over SSL/TLS — encrypted version of IMAP. Mail stays on server, synced across devices, connection is encrypted. The recommended replacement for plaintext IMAP (143). | A+N+ |
| 995 | POP3S | TCP | POP3 over SSL/TLS — encrypted version of POP3. Downloads and typically deletes from server, connection is encrypted. Replacement for plaintext POP3 (110). | A+N+ |
| 🌐 Web & Remote Access | ||||
| 23 | Telnet | TCP | Remote terminal access — unencrypted. Everything including passwords is sent in cleartext. Replaced by SSH (port 22). Still tested because it's a classic example of an insecure protocol that should be disabled. | A+N+S+ |
| 80 | HTTP | TCP | Hypertext Transfer Protocol — unencrypted web traffic. Traffic is visible in transit. Should be replaced by HTTPS (443) for any site handling sensitive data. Still used for initial redirect to HTTPS. | A+N+S+ |
| 443 | HTTPS | TCP | HTTP over TLS/SSL — encrypted web traffic. The "S" means encrypted with a TLS certificate. URL shows https:// and browser shows padlock. The standard for all modern web traffic. | A+N+S+ |
| 3389 | RDP | TCP | Remote Desktop Protocol — graphical remote access to Windows desktops. Requires Windows Pro or higher on the host. Commonly targeted by attackers — brute-force and credential stuffing attacks on exposed RDP are extremely common. Should not be exposed directly to the internet. | A+N+S+ |
| 🗂️ Directory & Authentication | ||||
| 389 | LDAP | TCP/UDP | Lightweight Directory Access Protocol — queries Active Directory and other directory services. Unencrypted. Used for authentication lookups, user searches, group membership queries. | N+S+ |
| 636 | LDAPS | TCP | LDAP over SSL/TLS — encrypted version of LDAP. Same function as LDAP but traffic is encrypted. Required when LDAP is used for authentication in security-sensitive environments. | N+S+ |
| 88 | Kerberos | TCP/UDP | Authentication protocol used by Active Directory for SSO (Single Sign-On). Issues tickets (TGT, service tickets) that prove identity without sending passwords over the network. | N+S+ |
| 1812 / 1813 | RADIUS | UDP | Remote Authentication Dial-In User Service — centralised authentication for network access (VPN, Wi-Fi 802.1X). Port 1812 for authentication/authorisation, 1813 for accounting. Used with WPA2/WPA3 Enterprise wireless. | N+S+ |
| 🔧 Network Services | ||||
| 53 | DNS | TCP/UDP | Domain Name System — resolves hostnames to IP addresses. UDP for standard queries (fast, small responses). TCP for zone transfers and large responses. Port 53 is one of the most critical ports — blocking it breaks internet connectivity. | A+N+S+ |
| 67 | DHCP Server | UDP | DHCP server listens on UDP 67 for DISCOVER messages from clients. The DORA process: Discover (client, broadcast) → Offer (server) → Request (client) → Acknowledge (server). | A+N+ |
| 68 | DHCP Client | UDP | DHCP client port — receives DHCP offers and acknowledgements from the server. A client without a DHCP address broadcasts on port 68 to port 67 to find a server. | A+N+ |
| 123 | NTP | UDP | Network Time Protocol — synchronises clocks across network devices. Critical for Kerberos authentication (tickets have timestamps — clock skew of more than 5 minutes breaks AD auth) and log correlation in SIEM. | N+S+ |
| 161 | SNMP | UDP | Simple Network Management Protocol — polls network devices for status, performance counters, and configuration data. SNMPv1 and v2c use community strings (no encryption). SNMPv3 adds authentication and encryption. | N+S+ |
| 162 | SNMP Trap | UDP | Devices send unsolicited SNMP Trap messages to the management station (NMS) when an alert condition occurs — instead of waiting to be polled. Used for real-time alerts like link down, high CPU, or threshold exceeded. | N+ |
| 514 | Syslog | UDP | Sends log messages from network devices (routers, switches, firewalls) to a central syslog server. UDP means logs can be lost if the network is congested — for critical logs use syslog over TCP, or syslog over TLS (port 6514), which is both reliable and encrypted. | N+S+ |
| 🔒 VPN & Tunneling | ||||
| 500 | IKE / IPSec | UDP | Internet Key Exchange — negotiates IPSec VPN sessions. Used for site-to-site and client VPN tunnels. IKEv2 is the modern standard. IPSec also uses IP protocol 50 (ESP) and 51 (AH) — not port-based. | N+S+ |
| 1194 | OpenVPN | TCP/UDP | Open-source VPN protocol. Typically uses UDP 1194 for performance, can also use TCP 443 to bypass firewalls that block VPN traffic. | N+ |
| 1723 | PPTP | TCP | Point-to-Point Tunneling Protocol — legacy VPN. Considered insecure — known vulnerabilities in MS-CHAPv2 authentication. Should not be used. Still tested as an example of a deprecated/insecure protocol. | N+S+ |
| 🖨️ Printing & Windows | ||||
| 137–139 | NetBIOS | TCP/UDP | Legacy Windows name resolution and session services. Largely replaced by DNS and SMB direct (445). Port 137: NetBIOS Name Service. 138: Datagram. 139: Session. Often disabled in modern environments. | N+ |
| 9100 | RAW Print / JetDirect | TCP | HP JetDirect / raw printing — sends print jobs directly to a network printer without a print server. Common in enterprise environments with networked printers. | A+ |
| 📡 VoIP | ||||
| 5060 / 5061 | SIP | TCP/UDP | Session Initiation Protocol — sets up, manages, and tears down VoIP calls. Port 5060: unencrypted SIP. Port 5061: SIP over TLS (encrypted). The actual voice data travels over RTP (dynamic ports). | N+ |
| 🗄️ Database | ||||
| 1433 | Microsoft SQL Server | TCP | Default port for Microsoft SQL Server database connections. Should not be exposed to the internet — commonly targeted by automated scanners. Firewall rules should limit access to application servers only. | S+ |
| 3306 | MySQL / MariaDB | TCP | Default port for MySQL and MariaDB database connections. Common in LAMP/LEMP web stacks. Like MSSQL, should be firewalled to allow access only from application servers. | S+ |
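The DHCP DORA exchange from the table (UDP 67 server side, UDP 68 client side), worked through as an added example that is not from the page. It builds and parses real RFC 2131/2132 message bytes (fixed 236-byte header, magic cookie, option 53 message type, 50 requested address, 54 server identifier, 51 lease time) and runs the four steps between an in-memory client and server, so no network is needed. The server address, pool and client MACs are constructed values; the `Server` class and `dora` function are this example's own names.

```python
"""DHCP Discover -> Offer -> Request -> Acknowledge, simulated in memory (added example)."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"                     # 236-byte BOOTP fixed header
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6      # option 53 message-type values


def build(op, msg_type, xid, mac, yiaddr="0.0.0.0", options=()):
    """Encode one message: fixed header + magic cookie + TLV options + END (0xff)."""
    fixed = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,       # htype=Ethernet, hlen=6, broadcast flag
                        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4),
                        mac + bytes(10), bytes(64), bytes(128))
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + MAGIC + body + b"\xff"


def parse(msg):
    """Decode the fields the exchange needs; rejects anything without the DHCP magic cookie."""
    if len(msg) < 240 or msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _, _, _, xid, _, _, _, yiaddr, _, _, chaddr, _, _ = struct.unpack(HDR, msg[:236])
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 0xFF:
        if msg[i] == 0:                 # pad option has no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "mac": chaddr[:6], "type": opts[53][0],
            "yiaddr": str(ipaddress.IPv4Address(yiaddr)), "options": opts}


class Server:
    """Tiny DHCP server: hands out addresses from a pool and remembers offers per MAC."""

    def __init__(self, server_ip="192.0.2.1", pool=("192.0.2.100", "192.0.2.101")):
        self.sid = (54, ipaddress.IPv4Address(server_ip).packed)   # constructed server address
        self.free, self.offered, self.leases = list(pool), {}, {}

    def handle(self, datagram):
        """What arrives on UDP 67; returns the reply sent to UDP 68, or None (stay silent)."""
        m = parse(datagram)
        if m["type"] == DISCOVER:
            if m["mac"] not in self.offered:
                if not self.free:
                    return None         # pool exhausted: a real server does not answer
                self.offered[m["mac"]] = self.free.pop(0)
            return build(BOOTREPLY, OFFER, m["xid"], m["mac"], self.offered[m["mac"]], [self.sid])
        if m["type"] == REQUEST:
            wanted = str(ipaddress.IPv4Address(m["options"][50]))
            if m["options"].get(54) != self.sid[1] or self.offered.get(m["mac"]) != wanted:
                return build(BOOTREPLY, NAK, m["xid"], m["mac"], options=[self.sid])
            self.leases[m["mac"]] = wanted
            return build(BOOTREPLY, ACK, m["xid"], m["mac"], wanted,
                         [self.sid, (51, struct.pack("!I", 3600))])
        return None


def dora(server, mac, xid=0x3903F326):
    """Client side: Discover -> Offer -> Request -> Acknowledge. Returns the leased address."""
    reply = server.handle(build(BOOTREQUEST, DISCOVER, xid, mac))   # broadcast from 0.0.0.0:68
    if reply is None:
        raise RuntimeError("no DHCPOFFER received")
    offer = parse(reply)
    if offer["type"] != OFFER or offer["xid"] != xid:
        raise RuntimeError("unexpected reply to DHCPDISCOVER")
    request = build(BOOTREQUEST, REQUEST, xid, mac, options=[
        (50, ipaddress.IPv4Address(offer["yiaddr"]).packed),   # the address we were offered
        (54, offer["options"][54])])                            # which server we are accepting
    ack = parse(server.handle(request))
    if ack["type"] != ACK:
        raise RuntimeError("lease refused (DHCPNAK)")
    return ack["yiaddr"]


if __name__ == "__main__":
    srv = Server()
    print(dora(srv, bytes.fromhex("001122334455")))   # constructed client MAC
```

The transaction ID (`xid`) ties the four messages together because the client has no IP address until the ACK arrives; that is also why every client message is a broadcast datagram rather than a TCP connection.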
Encrypted vs Unencrypted — The Upgrade Pairs
The Security+ exam frequently tests whether you can identify which protocols are insecure and what their encrypted replacements are. These pairs are the most tested:
Telnet (23) → SSH (22) — Remote terminal access. Telnet sends everything in cleartext. SSH encrypts the session.
FTP (20/21) → SFTP or FTPS — SFTP runs over SSH (port 22). FTPS is FTP with TLS (port 990/21). Both encrypt credentials and data.
HTTP (80) → HTTPS (443) — Web traffic. HTTPS uses TLS to encrypt the connection.
SMTP (25) → SMTPS (465/587) — Email sending. Port 587 with STARTTLS is the modern standard.
IMAP (143) → IMAPS (993) — Email retrieval (leaves on server). Encrypted with TLS.
POP3 (110) → POP3S (995) — Email retrieval (downloads to client). Encrypted with TLS.
LDAP (389) → LDAPS (636) — Directory queries. LDAPS encrypts the connection.
SNMP v1/v2c → SNMPv3 — Not a port change — same port 161, but v3 adds authentication and encryption.
FTP uses two ports — 20 for data, 21 for control. A firewall rule blocking port 21 blocks the login/commands. A rule blocking port 20 blocks the actual file transfer. Both need to be open for active mode FTP to work.
RDP (3389) is TCP, not UDP — Many candidates assume it's UDP because it streams a graphical display. It's TCP. Exposing RDP directly to the internet is a major security risk — attackers constantly scan for open port 3389.
DHCP uses UDP, not TCP — DHCP discovery is a broadcast — the client doesn't have an IP yet so it can't establish a TCP connection. DHCP uses UDP 67 (server) and 68 (client) specifically because it doesn't require a prior connection.
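The upgrade pairs and the "should not be exposed" rows above, turned into a small listening-socket audit as an added example (not code from the page). It parses rows in the shape of Linux `ss -tulnp` output, flags cleartext services that have an encrypted replacement, and flags RDP, MSSQL, MySQL and SMB when they are bound to all interfaces. The sample rows, process names and PIDs are constructed for the demonstration.

```python
"""Audit `ss -tulnp` style output for cleartext services and exposed internal-only ports (added example)."""
import re

# (proto, port) -> (service, encrypted replacement), following the upgrade pairs above.
CLEARTEXT = {
    ("tcp", 23): ("Telnet", "SSH on 22"),
    ("tcp", 21): ("FTP", "SFTP on 22 or FTPS on 990"),
    ("tcp", 80): ("HTTP", "HTTPS on 443"),
    ("tcp", 25): ("SMTP", "SMTPS on 465 or STARTTLS on 587 for submission"),
    ("tcp", 143): ("IMAP", "IMAPS on 993"),
    ("tcp", 110): ("POP3", "POP3S on 995"),
    ("tcp", 389): ("LDAP", "LDAPS on 636"),
    ("udp", 389): ("LDAP", "LDAPS on 636"),
    ("udp", 161): ("SNMP v1/v2c", "SNMPv3 on the same port"),
}
# Services that should never face the internet; a wildcard bind is the warning sign.
INTERNAL_ONLY = {("tcp", 3389): "RDP", ("tcp", 1433): "MSSQL",
                 ("tcp", 3306): "MySQL/MariaDB", ("tcp", 445): "SMB"}
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss_line(line):
    """Return (proto, bind_address, port, process) for one ss row, or None for headers/other rows."""
    parts = line.split()
    if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
        return None
    host, _, port = parts[4].rpartition(":")      # "[::]:80" and "0.0.0.0:22" both split on the last colon
    if not port.isdigit():
        return None
    m = re.search(r'users:\(\("([^"]+)"', line)
    return parts[0], host, int(port), (m.group(1) if m else "?")


def audit(ss_output):
    """Return findings sorted by port: cleartext services, and internal-only services on wildcard binds."""
    findings = []
    for line in ss_output.splitlines():
        sock = parse_ss_line(line)
        if sock is None:
            continue
        proto, host, port, proc = sock
        key = (proto, port)
        if key in CLEARTEXT:
            svc, fix = CLEARTEXT[key]
            findings.append({"port": port, "proto": proto, "process": proc,
                             "issue": f"{svc} is cleartext", "fix": f"replace with {fix}"})
        if key in INTERNAL_ONLY and host in WILDCARDS:
            findings.append({"port": port, "proto": proto, "process": proc,
                             "issue": f"{INTERNAL_ONLY[key]} bound to all interfaces",
                             "fix": "bind to an internal address and firewall to app servers or VPN only"})
    return sorted(findings, key=lambda f: f["port"])


# Constructed sample in the layout of `ss -tulnp`; processes and PIDs are made up.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=900,fd=4))
tcp   LISTEN 0      5      127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1201,fd=21))
tcp   LISTEN 0      128    *:3389             *:*               users:(("xrdp",pid=1333,fd=11))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=640,fd=6))
tcp   LISTEN 0      128    [::]:80            [::]:*            users:(("nginx",pid=700,fd=6))
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=700,fd=7))
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['proto']}/{f['port']:<5} {f['process']:<8} {f['issue']}: {f['fix']}")
```

Note that MySQL on 127.0.0.1 is not reported: the bind address, not just the port number, decides whether a database port is a problem, which is the same distinction a firewall rule makes.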