TOOLS / PORT LOOKUP
Port Number Lookup
Look up what runs on any TCP/UDP port plus our security notes on real-world attack patterns. Curated from the IANA registry with security-engineering context.
What it does
Every nmap output and firewall log entry is a port number. Knowing what runs there — and what attackers do with it — is foundational. Our lookup combines IANA’s well-known port registrations with security-engineering notes drawn from real-world incident reports: which ports are top initial-access vectors (3389 RDP, 22 SSH, 445 SMB), which carry C2 traffic (443, 53), and which signal misconfiguration if exposed (2375 Docker, 6379 Redis, 9200 Elasticsearch).
How to use it
- Enter any port number (0–65535). Click "Look up".
- Get service name, protocol (TCP/UDP), description, and a security note where one applies.
- Range field tells you whether IANA classifies it as well-known, registered, or ephemeral/dynamic.
Common use cases
nmap interpretation
Translate port-scan results into "this is a domain controller" or "this is a misconfigured Elasticsearch cluster".
Firewall audit
When you see an unexpected outbound rule, check the destination port. Anomalies often hide in 4444, 6667, 8333, 9999.
Egress filtering design
Decide which ports to block at the egress proxy. Compare your allowlist against this list.
Onboarding for junior analysts
A reference for "what is port X" without breaking flow.
Frequently asked questions
Are all 65 536 ports listed? +
No — we curated ~80 ports that matter for security work. Anything outside the list returns a range classification (well-known / registered / ephemeral) plus a generic message.
Why does port 53 say "tunneling"? +
DNS (53) is allowed almost everywhere, so attackers tunnel C2 traffic through it (dnscat2, iodine, Cobalt Strike). Monitor TXT-record query volume and length distributions.
Is high-port (50 000+) traffic suspicious? +
Usually no — those are ephemeral client-side ports. But INBOUND traffic to a high port can be a reverse shell or non-standard service. Context matters.
Related tools
CIDR / Subnet Calculator
Network / broadcast / mask / wildcard / hosts. Pure JS — no network requests.
DNS Records Lookup
All 8 record types in one card. Powered by Cloudflare DNS-over-HTTPS.
IP Reputation Lookup
AbuseIPDB abuse score + ipinfo geo + Tor exit-node detection. IPv4 and IPv6.
Related coverage on Ciphers Security
- YARA-X 1.16.0: Faster Scans, Panic Fixes, and Neovim LSP Support
- Instructure Removed from ShinyHunters' Leak Site as Canvas Breach Deadline Passes
- Costa Rica Joins Have I Been Pwned as the 42nd Government
- LummaC2 Infostealer Targets US Critical Infrastructure: CISA-FBI Advisory AA25-141B and DOJ Domain Seizures
- MacSync Stealer: Hackers Abuse Google Ads and Claude.ai Chats to Push Mac Malware
Free for everyone, no signup required. Tool runs at /tools/port-lookup/ — bookmark or share.