History of Nmap Top Ports
Nmap’s top 1,000 ports haven’t changed since 2008, but the internet has. New services have emerged, and attack surfaces have shifted. This post revisits port scanning’s evolution, highlights outdated assumptions, and stresses the need to know your target—because defaults don’t always cut it.
This is a companion post to my Top 1,000 TCP and UDP ports (Nmap default) article. That post is, by far, the #1 visited page on this site. This is thanks to a link from Hack The Box's "Getting Started" module. For those visiting from there, I wanted to provide an update and more context to that post without junking it up, thus this.
To get to the point, these are still the top 1000 ports and 100 services scanned by Nmap, but there is a heavy emphasis on Nmap. The idea of top ports was first floated sometime around 2006 (publicly at least) and added in 2008. That was the last time these ports were updated. That port list can already get shitfaced in Germany. It can gamble in Las Vegas at the next Defcon. It's a rounding error away from entering its 20s. Right now that port list is making questionable life choices and skipping its first college classes. That port list is probably older than some of you.
Meanwhile, services have not stood still. Web traffic, 80 and 443, are still #1 and #2, though it won't be long until the order is reversed. After that though, all bets are off. Shodan shows #3 as 7547/TCP, which appears to be mostly more HTTP stuff and wasn't even on the list last time. #4 is 4567/TCP, which was on the list, but not in the top 100. Props to SSH for holding a respectable 5th place for 17 years. After that, we see more SMB and web traffic on 8080 and 8443 than in the past, and fewer FTP services than there were in 2008.
There are also plenty of services that weren't even alive in 2008. MongoDB comes to mind. At one point it was a favorite target due to its unauthenticated-by-default nature. Plenty of instances were inadvertently exposed, both to internal and external networks. A pentester or red team member running Nmap in the early/mid 2010s was missing a lot of juicy targets using Nmap's top 1000, because 27017/TCP wasn't on the list.
There was an effort around 2018 to update and modernize the list, including internal services. I don't know what ever happened to this effort, but to the best of my knowledge, the list was never updated.
All that to say, this is Nmap's list, not the Internet's list, and certainly not a list belonging to an internal network. Know its limits, defaults, and its history, and know your target (or just masscan everything until you knock a core switch offline).
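
One way to check what a frequency-ranked default actually covers, as an added example that is not code from this post or from the Nmap project: it parses data in the `nmap-services` layout (name, port/proto, open-frequency), ranks ports by frequency, and lists which ports you expect on your network fall outside the top N. The function names are hypothetical and the sample data and its frequencies are constructed, not Nmap's real values.

```python
# Added example: rank ports from nmap-services-style data and report which
# ports you care about fall outside the top N for a given protocol.
# SAMPLE is constructed for illustration; the frequencies are NOT Nmap's values.

SAMPLE = """\
# name   port/proto  open-frequency (constructed values)
http     80/tcp      0.48
https    443/tcp     0.21
ssh      22/tcp      0.18
ftp      21/tcp      0.20
domain   53/udp      0.21
unknown  7547/tcp    0.0001
mongod   27017/tcp   0.0002
"""

def parse_services(text):
    """Yield (port, proto, frequency) from nmap-services formatted lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue                            # malformed entry: skip it
        try:
            port_s, proto = fields[1].split("/", 1)
            yield int(port_s), proto.lower(), float(fields[2])
        except ValueError:
            continue                            # non-numeric port or frequency

def top_ports(text, proto="tcp", n=1000):
    """Return the n most frequently open ports for proto, highest first."""
    ranked = sorted(
        (e for e in parse_services(text) if e[1] == proto),
        key=lambda e: (-e[2], e[0]),            # ties broken by port number
    )
    return [port for port, _, _ in ranked[:n]]

def coverage_gaps(text, wanted, proto="tcp", n=1000):
    """Return the ports in wanted that a top-n scan would not touch."""
    covered = set(top_ports(text, proto, n))
    return sorted(p for p in wanted if p not in covered)

if __name__ == "__main__":
    print(top_ports(SAMPLE, n=4))
    print(coverage_gaps(SAMPLE, [22, 443, 7547, 27017], n=4))
```

Feed it the `nmap-services` file shipped with your Nmap install, plus the ports of the services you know run on the target network, to see what the default list leaves out.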
Other References:
- https://nmap.org/book/port-scanning.html#most-popular-ports
- https://nmap.org/book/man-port-specification.html
- https://nmap.org/book/nmap-services.html