COMMON PORTS
Every port number you need for the Security+ exam. Sorted by exam weight — learn the high-priority ones first.
Ports 0-1023 (Well-Known) — require root/administrator privileges to bind. This is why a service listening on port 80 had to be started with privileged access, and why running services as root (instead of dropping privileges after binding) is a hardening concern.
Ports 1024-49151 (Registered) — assigned by IANA to specific services (e.g., 3389/RDP, 1812/RADIUS). No special privileges needed.
Ports 49152-65535 (Dynamic/Ephemeral) — assigned temporarily by the OS for outbound connections. You'll see these in packet captures as client source ports.
BRAIN DUMP — MEMORIZE THESE
INSECURE → SECURE REPLACEMENTS
CompTIA loves testing whether you know the secure replacement. If the question says "which protocol should replace X," this is your cheat sheet:
| Insecure | Port | → | Secure | Port |
|---|---|---|---|---|
| Telnet | 23 | → | SSH | 22 |
| HTTP | 80 | → | HTTPS | 443 |
| FTP | 20/21 | → | SFTP or FTPS | 22 or 990 |
| SMTP | 25 | → | SMTP+TLS | 587 |
| POP3 | 110 | → | POP3S | 995 |
| IMAP | 143 | → | IMAPS | 993 |
| LDAP | 389 | → | LDAPS | 636 |
| SNMPv1/v2c | 161 | → | SNMPv3 | 161 |
| Syslog (UDP) | 514 | → | Syslog TLS | 6514 |
| RADIUS | 1812 | → | TACACS+ | 49 |
Pattern: SNMPv3 is the only "upgrade" that keeps the same port. Everything else gets a new port number. RADIUS → TACACS+ isn't a direct version upgrade but a protocol replacement (TACACS+ encrypts everything; RADIUS only encrypts the password).
FULL REFERENCE
| Port | Protocol | TCP/UDP | Category | Secure | Notes |
|---|---|---|---|---|---|
| 20/21 | FTP | TCP | File Transfer | No | 20=data, 21=control. Cleartext credentials. Use SFTP or FTPS instead. |
| 22 | SSH/SCP/SFTP | TCP | Remote Access | Yes | Encrypted remote shell, file copy, and file transfer. Replaces Telnet, FTP, rcp. |
| 23 | Telnet | TCP | Remote Access | No | Cleartext remote access. Deprecated — always pick SSH over Telnet on exam. |
| 25 | SMTP | TCP | Email | No | Email sending between servers. Unencrypted by default. |
| 49 | TACACS+ | TCP | Authentication | Yes | Cisco AAA protocol. Encrypts entire payload (unlike RADIUS). Uses TCP for reliability. |
| 53 | DNS | TCP/UDP | Name Resolution | No | UDP for queries, TCP for zone transfers. DNSSEC adds authentication, not encryption. |
| 80 | HTTP | TCP | Web | No | Unencrypted web traffic. Never use for sensitive data. |
| 88 | Kerberos | TCP/UDP | Authentication | Yes | Active Directory authentication. Uses tickets (TGT, service tickets), not passwords over the wire. |
| 110 | POP3 | TCP | Email | No | Email retrieval — downloads and deletes from server. Unencrypted. |
| 143 | IMAP | TCP | Email | No | Email retrieval — keeps mail on server, syncs across devices. Unencrypted. |
| 161/162 | SNMP | UDP | Network Management | No | 161=queries, 162=traps. v1/v2c use community strings (cleartext). v3 adds encryption+auth. |
| 389 | LDAP | TCP | Directory Services | No | Directory queries (Active Directory). Unencrypted — use LDAPS (636) or StartTLS. |
| 443 | HTTPS | TCP | Web | Yes | HTTP over TLS. Default for all modern web traffic. |
| 445 | SMB | TCP | File Sharing | No | Windows file/printer sharing. Target of EternalBlue, WannaCry. Block at perimeter. |
| 636 | LDAPS | TCP | Directory Services | Yes | LDAP over TLS. Always prefer over port 389. |
| 1812/1813 | RADIUS | UDP | Authentication | No | 1812=authentication, 1813=accounting. Encrypts only the password field, not full payload. |
| 3389 | RDP | TCP | Remote Access | No | Microsoft remote desktop. Major attack target — use VPN or gateway, enable NLA. |
| 67/68 | DHCP | UDP | Network Services | No | 67=server, 68=client. Vulnerable to rogue DHCP and starvation attacks. |
| 69 | TFTP | UDP | File Transfer | No | Trivial FTP — no authentication at all. Used for PXE boot, firmware updates. |
| 123 | NTP | UDP | Network Services | No | Time synchronization. Critical for log correlation, Kerberos (5-min tolerance), and certificate validation. |
| 465 | SMTPS | TCP | Email | Yes | SMTP over implicit TLS. Legacy — 587 with STARTTLS is preferred. |
| 514 | Syslog | UDP | Logging | No | Centralized logging. UDP = unreliable, no encryption. Use TLS syslog (6514) for secure transport. |
| 587 | SMTP+TLS | TCP | Email | Yes | Email submission with STARTTLS. Modern standard for sending email from clients. |
| 990 | FTPS | TCP | File Transfer | Yes | FTP over implicit TLS. Alternative to SFTP (port 22). |
| 993 | IMAPS | TCP | Email | Yes | IMAP over TLS. |
| 995 | POP3S | TCP | Email | Yes | POP3 over TLS. |
| 5060/5061 | SIP | TCP/UDP | VoIP | No | 5060=unencrypted, 5061=TLS. VoIP session signaling. |
| 119 | NNTP | TCP | Network Services | No | Usenet/newsgroup protocol. Rarely tested but on CompTIA acronym list. |
| 1433 | MS-SQL | TCP | Database | No | Microsoft SQL Server. Should never be exposed to internet. |
| 1521 | Oracle SQL | TCP | Database | No | Oracle database listener. |
| 1645/1646 | RADIUS (legacy) | UDP | Authentication | No | Original RADIUS ports before IANA assignment. May still appear on exam. |
| 1720 | H.323 | TCP | VoIP | No | Video/voice signaling protocol. |
| 3306 | MySQL | TCP | Database | No | MySQL/MariaDB database. |
| 5432 | PostgreSQL | TCP | Database | No | PostgreSQL database. |
| 6514 | Syslog TLS | TCP | Logging | Yes | Encrypted syslog over TLS. Secure alternative to UDP 514. |
MEMORIZATION TRICKS
NUMBER PATTERNS
- Email ports end in 3: POP3=110, IMAP=143, SMTP-submit=587 (sorta)
- Secure email = base + 853-ish: 110→995, 143→993
- LDAP + 247 = LDAPS: 389 + 247 = 636
- DNS is "55" minus 2: 53. HTTP is "88" minus 8: 80.
- 443 = 4+4+3 = 11 → HTTPS has extra security
- RDP = 3389. "33" (double trouble) + "89" (year the Berlin Wall fell — remote access opened up).
ASSOCIATIONS
- 22 = SSH: "Secure SHell" — two 2's, double S.
- 23 = Telnet: One more than SSH and one step behind (insecure).
- 25 = SMTP: You send Christmas cards on the 25th → SMTP sends mail.
- 445 = SMB: "4-4-5" like a 4×4 truck + 5th wheel → SMB carries (shares) stuff.
- 88 = Kerberos: The "88" key on the piano → tickets (concert tickets).
- 49 = TACACS+: "49ers" — a football TEAM that TACKLES access control.
TCP vs UDP — WHEN IT MATTERS
CompTIA tests whether you know which transport protocol a service uses. The pattern:
UDP (connectionless, fast)
- DNS queries (53)
- DHCP (67/68)
- TFTP (69)
- NTP (123)
- SNMP (161/162)
- Syslog (514)
- RADIUS (1812/1813)
- SIP (5060)
Pattern: real-time, broadcast, or "fire-and-forget" services use UDP.
TCP (connection-oriented, reliable)
- SSH (22), Telnet (23)
- SMTP (25), HTTP/S (80/443)
- FTP (20/21), FTPS (990)
- POP3 (110), IMAP (143)
- LDAP/S (389/636)
- SMB (445)
- RDP (3389)
- TACACS+ (49)
Pattern: anything that transfers files, requires login, or needs guaranteed delivery uses TCP.
Exam trap: DNS uses both. UDP for normal queries, TCP for zone transfers (AXFR) and responses over 512 bytes. Kerberos also uses both. RADIUS uses UDP; TACACS+ uses TCP — this is a common comparison question.
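The three rules this sheet leans on (ephemeral ports mark the client side of a capture, every cleartext protocol has a secure replacement, DNS over TCP means a zone transfer or a large response) can be turned into a small triage script. The following is an added example, not part of the original cheat sheet: it parses constructed flow records of the form `proto src:port -> dst:port`, decides which endpoint is the service using the port-range rules above, and reports the replacement from the INSECURE → SECURE table. The `PORT_TABLE` dictionary, the `Finding` type and the sample flows are all assumptions made for this example.

```python
"""Classify flow records against the Security+ port reference.

Added example, not part of the original cheat sheet. The flow lines at the bottom are
constructed sample data; PORT_TABLE covers only ports the reference page lists.
"""
import re
from typing import NamedTuple, Optional, Tuple

Endpoint = Tuple[str, int]


def port_class(port: int) -> str:
    """IANA ranges as given on the page: well-known, registered, dynamic/ephemeral."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


# port -> (name, secure?, replacement port or None); values taken from the reference tables.
PORT_TABLE = {
    21: ("FTP", False, 22), 22: ("SSH", True, None), 23: ("Telnet", False, 22),
    25: ("SMTP", False, 587), 49: ("TACACS+", True, None), 53: ("DNS", False, None),
    80: ("HTTP", False, 443), 110: ("POP3", False, 995), 143: ("IMAP", False, 993),
    161: ("SNMP", False, 161), 389: ("LDAP", False, 636), 443: ("HTTPS", True, None),
    514: ("Syslog", False, 6514), 587: ("SMTP+TLS", True, None), 636: ("LDAPS", True, None),
    993: ("IMAPS", True, None), 995: ("POP3S", True, None), 1812: ("RADIUS", False, 49),
    3389: ("RDP", False, None), 6514: ("Syslog TLS", True, None),
}

FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


class Finding(NamedTuple):
    server: str              # "ip:port" of the endpoint judged to be the service
    protocol: str            # name from PORT_TABLE, or "unknown"
    port_class: str
    secure: Optional[bool]   # None when the port is not in the table
    advice: str


def parse_flow(line: str):
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    proto, sip, sport, dip, dport = m.groups()
    return proto, (sip, int(sport)), (dip, int(dport))


def pick_server(a: Endpoint, b: Endpoint) -> Endpoint:
    """The endpoint on an ephemeral port is the client (the page's packet-capture rule).
    Caveat: Linux defaults to 32768-60999 for ephemeral ports, so a source port in the
    IANA 'registered' range can still be a client; the fallbacks below cover that case."""
    a_dyn, b_dyn = port_class(a[1]) == "dynamic", port_class(b[1]) == "dynamic"
    if a_dyn != b_dyn:
        return b if a_dyn else a
    if (a[1] in PORT_TABLE) != (b[1] in PORT_TABLE):
        return a if a[1] in PORT_TABLE else b
    return a if a[1] <= b[1] else b   # last resort: the lower port is more likely the service


def assess(line: str) -> Finding:
    proto, src, dst = parse_flow(line)
    ip, port = pick_server(src, dst)
    where = f"{ip}:{port}"
    entry = PORT_TABLE.get(port)
    if entry is None:
        return Finding(where, "unknown", port_class(port), None, "port not in reference table")
    name, secure, replacement = entry
    if name == "DNS" and proto == "tcp":
        advice = "DNS over TCP: zone transfer (AXFR) or response over 512 bytes; verify AXFR is restricted"
    elif secure:
        advice = "encrypted service"
    elif replacement == port:
        advice = f"{name} v1/v2c and v3 share port {port}; confirm v3 is in use"
    elif replacement is not None:
        advice = f"insecure {name}; migrate to {PORT_TABLE[replacement][0]} on port {replacement}"
    else:
        advice = f"insecure {name}; no encrypted replacement listed, limit exposure"
    return Finding(where, name, port_class(port), secure, advice)


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "tcp 10.0.0.5:51322 -> 10.0.0.10:23",
    "tcp 10.0.0.10:80 -> 10.0.0.5:50121",       # reply direction: the server is the source
    "udp 10.0.0.5:53911 -> 10.0.0.53:53",
    "tcp 10.0.0.5:53912 -> 10.0.0.53:53",       # the DNS exam trap
    "udp 10.0.0.100:49500 -> 10.0.0.9:1812",
    "udp 10.0.0.3:51001 -> 10.0.0.8:161",
    "tcp 10.0.0.2:1024 -> 10.0.0.8:3389",       # both ports non-ephemeral: table decides
    "tcp 10.0.0.3:51000 -> 10.0.0.8:443",
]


def scan(lines):
    return [assess(line) for line in lines]


if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.server:<18} {f.protocol:<10} {f.port_class:<11} {f.advice}")
```

Run it as a script to see one line per flow. The `pick_server` fallbacks matter in practice: the page's 49152-65535 rule is the IANA definition, but an operating system may hand out client ports lower than that, so a capture with both ports outside the dynamic range needs the table (or, failing that, the lower port) to decide which side is the service.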