Port reference
Port 12345 (TCP) – NetBus
Default control port of the NetBus Windows remote-access trojan; an open 12345 is a strong compromise indicator.
Default state
Not a normal service. If 12345 is listening, investigate for a NetBus-style backdoor — though some legitimate apps also reuse the port.
Common attacks
- NetBus remote-access trojan control channel
- Full remote control of an infected Windows host
- Keylogging, file transfer, and screen capture by the operator
- Mass scanning for hosts already infected by NetBus
Hardening
- Treat a listening 12345 as a likely compromise and investigate the host
- Run a reputable AV/EDR scan to remove NetBus and similar RATs
- Block inbound 12345 at the perimeter firewall
- Rebuild the host if a backdoor is confirmed and rotate credentials
nmap snippet
nmap -p12345 -sV --script banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 12345?
Port 12345 is the default control port for NetBus, a classic late-1990s Windows remote-access trojan (RAT). It is not a standard service: if a host is listening on 12345, the most likely explanation is a NetBus-style backdoor. A handful of legitimate applications have also reused the port over the years, so the finding needs investigation rather than instant panic.
Why it matters for security
NetBus gives an attacker full remote control of an infected Windows machine: keystroke logging, file upload/download, screen capture, and command execution. Because it is a backdoor and not a sanctioned service, an open 12345 is a strong indicator of compromise. Attackers also scan the internet for already-infected hosts to take over, so an exposed NetBus port can be hijacked by a second party.
How it's attacked
The port itself is the attack surface: a NetBus client connects to 12345 and drives the victim remotely. Opportunistic actors mass-scan for the open port and connect to hosts other attackers already infected. There is no real authentication to defeat — the presence of the listener is the foothold.
Hardening checklist
Treat a listening 12345 as a likely compromise and investigate the host with a reputable AV/EDR scan to remove NetBus and similar RATs. Block inbound 12345 at the perimeter firewall so no external client can reach it. If a backdoor is confirmed, rebuild the host from known-good media and rotate all credentials that touched it. The nmap snippet above grabs the banner on systems you are authorized to test.
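To support the host investigation step, the following added example (not part of the original page) parses `netstat -ano` output from a suspect Windows host and reports which process owns a listener on 12345 and which peers are connected to it. The sample output is constructed, and English-language netstat state names are assumed.

```python
import re

NETBUS_PORT = 12345  # default NetBus control port named on this page

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       4312
  TCP    192.0.2.10:12345       198.51.100.7:50122     ESTABLISHED     4312
  TCP    192.0.2.10:50311       203.0.113.5:12345      ESTABLISHED     2200
  TCP    [::]:12345             [::]:0                 LISTENING       4312
  UDP    0.0.0.0:12345          *:*                                    1500
"""

# TCP rows only: local addr:port, foreign addr:port, state, PID.
# Handles bracketed IPv6 addresses such as [::]:12345.
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
_LOOPBACK = {"127.0.0.1", "[::1]"}


def triage(netstat_text, port=NETBUS_PORT):
    """Return listeners on `port` and sessions accepted on it, with owning PIDs."""
    listeners, sessions = [], []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows (the control channel is TCP)
        laddr, lport, raddr, rport, state, pid = m.groups()
        if int(lport) != port:
            continue  # a *remote* port 12345 is an outbound connection, not a local listener
        if state == "LISTENING":
            # A non-loopback bind address means other hosts can reach the listener.
            listeners.append({"bind": laddr, "pid": int(pid),
                              "exposed": laddr not in _LOOPBACK})
        elif state == "ESTABLISHED":
            sessions.append({"peer": f"{raddr}:{rport}", "pid": int(pid)})
    return {"listeners": listeners, "sessions": sessions}


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT)
    for l in result["listeners"]:
        print(f"listener on {l['bind']}:{NETBUS_PORT} pid={l['pid']} exposed={l['exposed']}")
    for s in result["sessions"]:
        print(f"active session from {s['peer']} pid={s['pid']}")
```

The reported PID can be matched against the host's process list to decide whether the listener is a backdoor or one of the legitimate applications that reuse the port.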
Frequently asked questions
- Does an open port 12345 mean I'm infected?
- Not always, but it is a strong indicator. 12345 is the default NetBus trojan port, so a listening 12345 warrants immediate investigation — though a few legitimate applications also reuse the port.
- What is NetBus?
- NetBus is a late-1990s Windows remote-access trojan that gives an attacker full control of an infected machine — keylogging, file access, and screen capture — over its default port 12345.