
Inside an enterprise network, the attack surface extends far beyond web servers and Active Directory. Switches, printers, scanners, remote administration tools, virtualization platforms, and legacy services often expose ports that are overlooked in traditional assessments.

From a VAPT perspective, these services represent misconfigurations and exposure risks. From a Red Team perspective, they represent control points, stealthy footholds, and attack pivots.

This blog maps crucial internal ports using a consistent structure, explaining what to test, why it matters, and how attackers realistically use the findings.
1. Port 21 – File Transfer Protocol (FTP)
nmap -p 21 -sV <target>
nmap -p 21 --script ftp-anon <target>
VAPT Perspective:
- Anonymous login enabled
- Cleartext authentication
- Sensitive files exposed
Red Team Perspective:
- Harvest credentials from scripts/backups
- Upload staging payloads
- Quiet initial foothold on legacy systems
Red Team Insight:
FTP is rarely monitored and often forgotten, making it useful for low-noise access.
2. Port 22 – Secure Shell (SSH)
nmap -p 22 -sV --script=ssh2-enum-algos <target>
VAPT Perspective:
- Weak cryptographic algorithms
- Legacy OpenSSH versions
Red Team Perspective:
- Identify password-based authentication
- Target credential reuse
- Pivot via jump hosts
Red Team Insight:
SSH compromise is usually credential-driven, not exploit-driven.
3. Port 23 – Telnet (Network Devices)
nmap -p 23 -sV --script telnet-encryption <target>
VAPT Perspective:
- Cleartext credentials
- Legacy management access
Red Team Perspective:
- Compromise switches/routers
- Access VLAN, routing, ACL configurations
- Network-level visibility
Red Team Insight:
Telnet on switches often leads to network dominance, not just device access.
4. Port 25 / 465 / 587 – Simple Mail Transfer Protocol (SMTP)
nmap -p 25,465,587 -sV --script=smtp-commands <target>
nmap -p 25 --script=smtp-enum-users <target>
VAPT Perspective:
- User enumeration
- Weak mail configuration
Red Team Perspective:
- Username harvesting
- Password spray preparation
- Phishing infrastructure validation
Red Team Insight:
SMTP feeds identity-based attacks rather than direct exploitation.
5. Port 53 – Domain Name System (DNS)
nmap -p 53 --script dns-zone-transfer <target>
VAPT Perspective:
- Zone transfer misconfiguration
- Information disclosure
Red Team Perspective:
- Internal hostname mapping
- Identify DCs, mail servers, backups
- Plan lateral movement
Red Team Insight:
DNS often reveals internal architecture without authentication.
6. Port 69 – Trivial File Transfer Protocol (TFTP)
nmap -sU -p 69 <target>
VAPT Perspective:
- Insecure file transfer service
Red Team Perspective:
- Download device configs
- Extract credentials and secrets
Red Team Insight:
TFTP frequently stores switch/router configurations in plaintext.
7. Port 80 / 443 / 8080 / 8443 – HTTP / HTTPS
nmap -p 80,443,8080,8443 -sV --script http-title,http-headers <target>
VAPT Perspective:
- Banner disclosure
- Outdated admin interfaces
Red Team Perspective:
- Identify admin panels
- Default or weak credentials
- Shadow IT discovery
Red Team Insight:
Management UIs are often more valuable than production apps.
8. Port 88 – Kerberos
nmap -p 88 -sV <target>
VAPT Perspective:
- Domain service exposure
Red Team Perspective:
- Confirm AD presence
- Kerberos-based attack planning
Red Team Insight:
Port 88 confirms AD even when LDAP is restricted.
9. Port 110 / 143 – POP3 / IMAP
nmap -p 110,143 -sV <target>
VAPT Perspective:
- Cleartext authentication risks
Red Team Perspective:
- Credential harvesting
- Email access post-compromise
Red Team Insight:
Mail protocols often use reused domain credentials.
10. Port 123 – Network Time Protocol (NTP)
nmap -sU -p 123 <target>
VAPT Perspective:
- Misconfigured time services
Red Team Perspective:
- Infrastructure fingerprinting
- Identify core servers
Red Team Insight:
Time services often run only on critical infrastructure.
11. Port 135 / 139 – RPC / NetBIOS
nmap -p 135,139 -sV <target>
VAPT Perspective:
- Legacy Windows exposure
Red Team Perspective:
- Windows host enumeration
- Precursor to SMB attacks
Red Team Insight:
Often combined with SMB for lateral movement.
12. Port 161 – Simple Network Management Protocol (SNMP)
nmap -sU -p 161 --script snmp-info <target>
nmap -sU -p 161 --script snmp-sysdescr,snmp-interfaces --script-args snmpcommunity=public <target>
VAPT Perspective:
- Default community strings
- Information disclosure
Red Team Perspective:
- Network topology mapping
- Interface and routing discovery
- Asset prioritization
Red Team Insight:
SNMP enables stealth recon without touching endpoints.
13. Port 389 / 636 – Lightweight Directory Access Protocol (LDAP)
nmap -p 389,636 -sV --script=ldap-rootdse <target>
VAPT Perspective:
- Anonymous bind
- Directory information leakage
Red Team Perspective:
- Domain & forest discovery
- Functional level identification
Red Team Insight:
LDAP tells you what attacks are worth trying.
14. Port 445 – SMB (High-Value Target)
nmap -p 445 --script smb-protocols,smb2-security-mode <target>
VAPT Perspective:
- SMBv1 enabled
- Signing not required
Red Team Perspective:
- NTLM relay feasibility
- Lateral movement
- Domain compromise chains
Red Team Insight:
Most internal compromises start here, not with exploits.
15. Port 515 / 631 / 9100 – Printers & Scanners
nmap -p 515,631,9100 -sV <target>
VAPT Perspective:
- Unsecured printer services
- Weak admin interfaces
Red Team Perspective:
- Document theft
- Scan-to-email abuse
- Credential leakage from address books
Red Team Insight:
Printers store data people assume is “already gone”.
16. Port 5900–5905 – VNC
nmap -p 5900-5905 -sV --script vnc-info <target>
VAPT Perspective:
- Weak or missing authentication
Red Team Perspective:
- Interactive desktop access
- Shadow IT remote access discovery
Red Team Insight:
VNC often bypasses hardened endpoint controls.
17. Port 5938 – TeamViewer (Common)
nmap -p 5938 -sV <target>
VAPT Perspective:
- Unauthorized remote access tools
Red Team Perspective:
- Covert persistence channel
- Remote admin abuse
Red Team Insight:
Remote tools are often trusted and overlooked.
18. Port 5985 / 5986 – WinRM
nmap -p 5985,5986 -sV <target>
VAPT Perspective:
- Remote management exposure
Red Team Perspective:
- Post-credential remote execution
- Lateral movement without SMB
Red Team Insight:
WinRM is quieter than SMB in mature environments.
19. Port 6379 – Redis
nmap -p 6379 -sV <target>
nmap -p 6379 --script=redis-info <target>
VAPT Perspective:
- Unauthorized access
- No authentication
Red Team Perspective:
- File write abuse
- SSH key injection
- Persistence without creds
Red Team Insight:
Redis is often deployed with no authentication at all.
20. Port 873 – Rsync
nmap -p 873 -sV <target>
VAPT Perspective:
- Open file synchronization
Red Team Perspective:
- Source code access
- Config and secret harvesting
Red Team Insight:
Rsync often exposes what devs never intended to share.
21. Port 2049 – NFS
nmap -p 2049 -sV <target>
VAPT Perspective:
- Insecure file shares
Red Team Perspective:
- Credential discovery
- Shared scripts and keys
Red Team Insight:
NFS often trusts internal networks blindly.
22. Port 3389 – RDP
nmap -p 3389 --script=rdp-ntlm-info <target>
VAPT Perspective:
- NTLM exposure
- Weak encryption
Red Team Perspective:
- Identify interactive access points
- Confirm domain-joined systems
- Validate persistence vectors
Red Team Insight:
RDP is rarely exploited; it is used after compromise.
In modern internal networks, the true attack surface extends far beyond traditional servers to include switches, printers, remote access tools, and management interfaces that are often overlooked and under-monitored. Nmap remains critical not because it automatically finds exploits, but because it exposes how infrastructure decisions translate into real risk.
From a VAPT perspective, this highlights misconfigurations and exposure; from a red team perspective, it reveals control points, pivots, and realistic attack paths. Ultimately, the value of Nmap lies in interpretation, turning open ports into context-driven insights that support meaningful risk assessment and realistic attack simulation rather than noisy, checkbox-driven scanning.
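The interpretation step above can be automated. As an added example (not part of the original post), the following Python script reads the -oX output of the scans listed in this checklist and rates each open port as a VAPT finding: ports on the checklist start as medium, and an NSE result that proves the weakness (anonymous FTP, SMB signing not required, Redis answering without AUTH) raises them to high. The XML report, the CHECKLIST table and the CONFIRMED_BY markers are this example's own constructions.

```python
import xml.etree.ElementTree as ET
# Port/protocol -> (service, VAPT concern), following the checklist in this post.
CHECKLIST = {
    (21, "tcp"): ("FTP", "cleartext authentication"),
    (23, "tcp"): ("Telnet", "cleartext management access"),
    (161, "udp"): ("SNMP", "default community strings"),
    (445, "tcp"): ("SMB", "SMBv1 / signing not required"),
    (5900, "tcp"): ("VNC", "weak or missing authentication"),
    (6379, "tcp"): ("Redis", "no authentication"),
}
# NSE script id -> output fragment that confirms the weakness ("" = any output counts).
CONFIRMED_BY = {
    "ftp-anon": "Anonymous FTP login allowed",
    "smb-protocols": "SMBv1",
    "smb2-security-mode": "not required",
    "redis-info": "",   # INFO answered, so no AUTH is enforced
}

def triage(nmap_xml):
    """Map every open port in an nmap -oX report to (host, (port, proto), severity, note)."""
    findings = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no exposure
            key = (int(port.get("portid")), port.get("protocol"))
            if key not in CHECKLIST:
                findings.append((addr, key, "info", "open port outside checklist"))
                continue
            scripts = {s.get("id"): s.get("output", "") for s in port.iter("script")}
            confirmed = any(sid in CONFIRMED_BY and out and CONFIRMED_BY[sid] in out
                            for sid, out in scripts.items())
            service, concern = CHECKLIST[key]
            findings.append((addr, key, "high" if confirmed else "medium", f"{service}: {concern}"))
    # Stable sort: highest severity first, scan order preserved within each tier.
    return sorted(findings, key=lambda f: ("high", "medium", "info").index(f[2]))

# Constructed sample report (not real scan output): two hosts, four open ports, one closed.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="445"><state state="open"/><script id="smb2-security-mode" output="3:1:1: Message signing enabled but not required"/></port>
<port protocol="tcp" portid="6379"><state state="closed"/></port>
</ports></host>
<host><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
</ports></host></nmaprun>"""
```

Run `triage(open("scan.xml").read())` on a real report produced with `-oX scan.xml`; the sorted tuples give an immediate picture of which hosts need remediation first.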