Ports & Protocols

May 22, 2025

Netlas uses its own scanning technology, purpose-built for safe, high-speed, and large-scale internet scanning. We constantly improve both our scanning infrastructure and the scanners themselves to expand coverage and decrease the duration of each scanning cycle.

IP and Port Coverage

Netlas scans the entire IPv4 space against a curated list of commonly used ports, which periodically expands in proportion to our infrastructure growth.

Coverage Details
IPv4 Space Entire IPv4 space — from 1.0.0.0 to 239.255.255.255.
Reserved and special-use ranges are excluded.
IPv6 Space IPv6 scanning is not currently supported.
TCP Ports 7, 13, 21, 22, 23, 25, 37, 53, 79, 80, 81, 88, 102, 106, 110, 111, 113, 119, 135, 139, 143, 179, 199, 389, 443, 444, 445, 465, 502, 515, 548, 554, 587, 631, 646, 808, 809, 873, 990, 993, 995, 1025, 1026, 1027, 1028, 1029, 1080, 1110, 1337, 1433, 1443, 1521, 1723, 1883, 1900, 2000, 2001, 2049, 2095, 2096, 2121, 2222, 2376, 2443, 2525, 3000, 3128, 3306, 3389, 3790, 4343, 4443, 4444, 4449, 4782, 5000, 5001, 5009, 5060, 5190, 5357, 5432, 5671, 5672, 5800, 5900, 5984, 6000, 6001, 6066, 6379, 6501, 6606, 7001, 7002, 7070, 7443, 7547, 7707, 8000, 8001, 8002, 8008, 8009, 8010, 8080, 8081, 8088, 8090, 8091, 8123, 8222, 8333, 8443, 8500, 8808, 8888, 8899, 9000, 9100, 9191, 9200, 9443, 9998, 9999, 10000, 10443, 11211, 12443, 22222, 27017, 30443, 31337, 40056, 40443, 41337, 49152, 49153, 50000, 50050, 50443.
UDP Ports 53, 123, 137, 161, 162.

Protocol Support

Netlas identifies and parses responses for approximately 30 application-layer protocols:

Protocol Description
amqp Advanced Message Queuing Protocol used for reliable messaging in IoT, cloud, and enterprise systems.
dns Domain Name System protocol, with support for both UDP and TCP transport.
elasticsearch Elasticsearch RESTful engine for searching, analyzing, and managing data in real time.
ftp File Transfer Protocol.
http Hypertext Transfer Protocol.
imap Internet Message Access Protocol allowing clients to retrieve and manage email messages.
memcached Memcached protocol for high-performance distributed memory caching.
mongodb MongoDB Protocol for document-based NoSQL databases.
modbus Modbus industrial protocol widely used in SCADA and automation systems.
mqtt MQTT, a lightweight publish-subscribe messaging protocol ideal for IoT.
mssql Microsoft SQL Server Protocol.
mysql MySQL Protocol.
netbios NetBIOS protocol suite for basic networking services on local networks.
ntp Network Time Protocol used for clock synchronization across networks.
oracle Oracle Database Protocol.
pop3 Post Office Protocol v3 used by email clients to retrieve messages from servers.
postgres PostgreSQL Protocol.
rdp Remote Desktop Protocol used for remote access to Windows desktops.
redis Redis Protocol for in-memory data structure storage and caching.
s7 S7 Protocol for communication with Siemens PLCs in industrial networks.
smb Server Message Block protocol for network file and resource sharing.
smtp Simple Mail Transfer Protocol for sending emails across networks.
snmp Simple Network Management Protocol used for monitoring and managing network devices.
socks SOCKS proxy protocol, used to detect and identify proxy servers.
ssh Secure Shell protocol.
t3 T3 Protocol, proprietary WebLogic protocol for Java EE communication.
telnet Telnet protocol.
vnc Virtual Network Computing protocol for graphical desktop sharing over a network.

If the Netlas scanner cannot identify the protocol, the unparsed network response is stored in the raw_tcp field.

Extended HTTP Support

Beyond basic banner grabbing, Netlas captures full page responses, follows redirects, identifies virtual hosts, parses headers, stores favicons, and enables flexible search across collected HTTP data.

Virtual Hosts

To effectively gather data from web servers, Netlas scanners query them not only by IP address but also by domain names. If multiple websites or web applications are hosted on the same web server, Netlas will query them one after another.

Domain name-based queries are performed only on standard web ports 80 (HTTP) and 443 (HTTPS). For all other ports, Netlas scanners send requests directly by IP address without using domain names.

Virtual sites scan limit

Due to resource restrictions, Netlas scanners limit the number of virtual sites per IP to 100,000.

Because of this limitation, some websites hosted by popular hosting providers may be missing from the search results.

HTTP Redirects

Many web servers redirect requests to another address. They do this with special HTTP responses, using status codes 301 (Moved Permanently), 302 (Moved Temporarily) and some others.

Netlas scanners follow up to 5 HTTP redirects in a row. During this process, each response is saved as a separate document. Those responses differ in fields host, target, http.status_code and referer (not a typo — the word 'referer' is spelled this way in the original HTTP specification).

Response captured after redirect

JavaScript

Netlas does not execute JavaScript when scanning websites.

Netlas scanners also do not follow JavaScript-based redirects — only standard HTTP 301/302 redirects are recognized and handled.

HTTP Body

Netlas parses and saves the first 100 Kbytes of each response during the scan. In the vast majority of cases, this is enough to save a full server response.

HTML pages are stored in the http.body field. Full-text search is available for this field, so it is possible to search across the entire body of a web page.

HTTP Headers

HTTP headers are available in two fields: http.headers and http.unknown_headers.

The http.headers field covers the 1000 most used HTTP headers. Other headers are stored as key-value pairs in the http.unknown_headers field.

All - (dashes) in header names are replaced with _ (underscores) due to a database limitation.

For example, use http.headers.content_security_policy instead of http.headers.content-security-policy.

Netlas supports searching for websites based on favicon hashes, using two types of fingerprints:

  • SHA-256 hash in the http.favicon.hash_sha256 field for exact search.
  • Perceptual hash in the http.favicon.perceptual_hash field for similarity search.

How Perceptual Hash Search Works

    Perceptual hashes represent the visual structure of a favicon. The greater the differences between two images, the more their hashes will differ, especially toward the end.

    When searching:

    • Use the full hash for an exact perceptual match.
    • Trim the end of the hash and add a * wildcard to perform partial matching and find favicons that are visually similar.
      http.favicon.perceptual_hash:00763c383c3c*
      
    • Alternatively, use the ~ operator to perform fuzzy matching based on Hamming distance (1–2 symbol differences).
      http.favicon.perceptual_hash:00763c383c3c6e00~1
      

    This flexibility helps discover related servers, clones, phishing sites, or malware infrastructure that use similar branding.

In the Responses Search tool, click the Favicon Search button on the right side of the search panel to upload a favicon.

Search by favicon button

What perceptual hashing algorithm does Netlas use?

Netlas uses the Average Hash (aHash) algorithm — a 64-bit visual fingerprint, tolerant to minor modifications like resizing, slight color changes, or compression artifacts.

📚 To dive deeper into perceptual hashing, read Dr. Neal Krawetz’s classic article explaining the principles behind aHash and other perceptual hash techniques.
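
How the wildcard and ~ queries above relate to a 64-bit aHash, as an added example that is not Netlas code: it hashes constructed 8x8 grayscale grids and compares them by differing hex symbols and by bits. The row-major, most-significant-bit-first ordering, the pre-scaled 8x8 input and all helper names are assumptions; the page does not describe Netlas's scaling or grayscale steps.

```python
# Added example: Average Hash (aHash) over constructed 8x8 grayscale grids.
# Assumptions: input already scaled to 8x8 grayscale; bits are emitted
# row-major, most significant bit first.

def grid_from_rows(rows, bright=200, dark=20):
    """Build a constructed 8x8 grid from eight 8-bit row patterns."""
    return [[bright if (r >> (7 - x)) & 1 else dark for x in range(8)]
            for r in rows]

def ahash(grid):
    """64-bit aHash: a bit is 1 where the pixel is brighter than the mean."""
    pixels = [p for row in grid for p in row]
    mean = sum(pixels) / len(pixels)
    bits = 0
    for p in pixels:
        bits = (bits << 1) | (1 if p > mean else 0)
    return f"{bits:016x}"

def bit_distance(a, b):
    """Hamming distance in bits between two hex hashes."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")

def symbol_distance(a, b):
    """Number of differing hex symbols, the unit the page quotes for ~."""
    return sum(x != y for x, y in zip(a, b))

def add_noise(grid):
    """Deterministic +/-5 brightness jitter, standing in for recompression."""
    return [[p + (7 * (8 * y + x)) % 11 - 5 for x, p in enumerate(row)]
            for y, row in enumerate(grid)]

# Constructed row patterns; under the assumptions above they hash to the
# value used in the page's query examples.
ORIGINAL_ROWS = [0x00, 0x76, 0x3C, 0x38, 0x3C, 0x3C, 0x6E, 0x00]
EDITED_ROWS = ORIGINAL_ROWS[:7] + [0x08]   # one extra pixel, bottom row
OTHER_ROWS = [0xCC] * 8                    # unrelated icon: vertical stripes

original = ahash(grid_from_rows(ORIGINAL_ROWS))
recompressed = ahash(add_noise(grid_from_rows(ORIGINAL_ROWS)))
edited = ahash(grid_from_rows(EDITED_ROWS))
other = ahash(grid_from_rows(OTHER_ROWS))

if __name__ == "__main__":
    for name, h in [("original", original), ("recompressed", recompressed),
                    ("edited", edited), ("other", other)]:
        print(name, h, symbol_distance(original, h), bit_distance(original, h),
              h.startswith(original[:12]))
```

The brightness jitter leaves the hash unchanged and the one-pixel edit changes only the final symbol, so both the trimmed-prefix query and ~1 would still match it, while the unrelated icon differs in 13 of 16 symbols.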

SSL/TLS Support

Netlas supports identification and parsing of secure versions of common protocols, including HTTPS, FTPS, IMAPS, SMTPS, POP3S, and STARTTLS-enabled services.

Whenever a secure connection is detected, we always extract and store the server's X.509 certificate.

Sometimes, an SSL/TLS certificate is the only information available from a service.

Indicators of Malware Infrastructure

This often happens with malware-related servers, which are configured not to respond to any unauthenticated requests — providing no banners, headers, or service responses until proper authorization is completed.

In such cases, the collected certificate becomes the primary and only indicator of the service's existence.

JARM Fingerprints

Netlas supports JARM — a TLS server fingerprinting technique developed by Salesforce for identifying and grouping servers based on their TLS configurations.

JARM is a method for fingerprinting TLS servers based on the way they respond to a set of 10 specially crafted TLS Client Hello packets. JARM fingerprints are stored in the jarm field.

Currently, Netlas generates JARM fingerprints only for HTTPS services. If the target server does not respond over HTTPS or uses a non-standard TLS configuration, a JARM fingerprint may not be available.

jarm:27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92252d

Extended RDP Support

In addition to detecting RDP services, Netlas collects the following:

  • NetBIOS Information: Key system identifiers such as computer name, domain name, OS version, and server time.
  • Desktop Screenshots: After establishing a connection, Netlas captures a screenshot of the RDP login screen or desktop.
  • OCR (Optical Character Recognition): Netlas automatically extracts and indexes visible text from RDP screenshots, allowing users to perform full-text search across recognized screen contents.

Use the rdp.text field to access recognized screen contents.