| FTP | 20 (data), 21 (control) | File Transfer Protocol | FileZilla, Hydra, Metasploit | Transfers files between a client and server. Cleartext unless using FTPS. |
| SMB | 445, 139 | Server Message Block | SMBClient, CrackMapExec | Protocol for sharing files, printers, and resources over a network (Windows). |
| HTTP | 80 | Hypertext Transfer Protocol | Curl, Burp Suite, Nmap | Standard web protocol for transferring hypertext (web pages). |
| DNS | 53 | Domain Name System | Dig, Nslookup, Responder | Resolves domain names to IP addresses. Also used in DNS-based attacks. |
| SMTP | 25, 465, 587 | Simple Mail Transfer Protocol | Telnet, Swaks, Metasploit | Sends email. Port 25 is legacy; 465 uses SSL; 587 uses STARTTLS. |
| NFS | 111, 2049 | Network File System | Showmount, Rpcinfo, Nmap | Shares file systems across a network. Relies on RPC (port 111). |
| SNMP | 161 (queries), 162 (traps) | Simple Network Management Protocol | Snmpwalk, Nmap | Manages devices on IP networks. Version 1/2c is insecure; v3 adds encryption. |
| IMAP / POP3 | 143 (IMAP) | Internet Message Access Protocol / Post Office Protocol | Telnet, Swaks | IMAP retrieves emails from a server. POP3 also retrieves but deletes after download. |
| MySQL | 3306 (MySQL), 1433 (MSSQL) | MySQL / Microsoft SQL Server | MySQLClient, SQLMap | Database services for managing relational databases. |
| SSH | 22 | Secure Shell | OpenSSH, Putty, Hydra | Secure remote login and command execution. Uses encrypted communication. |
| RDP | 3389 | Remote Desktop Protocol | Rdesktop, Metasploit | Remote Desktop Protocol for GUI-based access to Windows systems. |
| WinRM | 5985 (HTTP), 5986 (HTTPS) | Windows Remote Management | Evil-WinRM, CrackMapExec | Remote management of Windows systems using WS-Management. |
| Oracle TNS | 1521 | Oracle Transparent Network Substrate | Sqlplus, ODAT, Nmap | Connects to Oracle databases using Transparent Network Substrate (TNS). |
| WMI (wmiexec) | 135 (RPC), 445 (SMB) | Windows Management Instrumentation | CrackMapExec, Impacket-Wmiexec | Executes commands on Windows via WMI. Relies on DCOM (RPC) and SMB. |
| PostgreSQL | 5432 | PostgreSQL | Psql, SQLMap | Relational database service similar to MySQL, often used for backend storage. |
| Telnet | 23 | Telecommunications Network | Telnet | An insecure text-based network protocol for remote access, often used for testing and debugging. |
| DNS | 53 | Domain Name System | Dig, Nslookup, Responder | Resolves domain names to IP addresses. Also used in DNS-based attacks. |
| Kerberos | 88 | Kerberos Authentication Protocol | Klist, Impacket | Network authentication protocol using tickets to authenticate clients to services. |
| LDAP | 389 (LDAP), 636 (LDAPS) | Lightweight Directory Access Protocol | Ldapsearch, Nmap | Protocol for accessing and maintaining directory information services over an IP network. |
| ICMP | N/A | Internet Control Message Protocol | Ping, Hping, Nmap | Used for network diagnostics, error reporting, and troubleshooting. |