Port reference
Port 1433 (TCP) – Microsoft SQL Server
Default listener for Microsoft SQL Server database connections.
Default state
Listens on 1433 once the SQL Server TCP/IP protocol is enabled. Frequently bound to all interfaces and reachable from the LAN; sometimes exposed to the internet on misconfigured hosts.
Common attacks
- Credential brute force and password spraying against the sa account
- Command execution via xp_cmdshell after login
- SQL injection pivoting to the database engine
- Lateral movement using captured SQL service credentials
Hardening
- Bind to localhost or a private interface; never expose 1433 to the internet
- Disable or rename the sa account and enforce strong, unique passwords
- Keep xp_cmdshell disabled and apply least-privilege roles
- Require TLS/encrypted connections and segment with host firewalls
- Patch promptly and monitor failed-login auditing
nmap snippet
nmap -p1433 --script ms-sql-info,ms-sql-empty-password <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 1433?
Port 1433 is the default TCP listener for Microsoft SQL Server, Microsoft's relational database engine. Clients, application servers, and admin tools such as SQL Server Management Studio connect over 1433 to run queries, stored procedures, and administrative commands. Named instances may use dynamic ports brokered by the SQL Server Browser on UDP 1434.
Why it matters for security
A SQL Server instance typically holds an organisation's most sensitive data, and
1433 is a direct path to it. Internet-wide scanners catalog every open 1433, and
weak or reused credentials on the powerful sa account make brute force highly
effective. Once authenticated as a privileged user, an attacker can read and
exfiltrate every database and potentially escalate to the operating system.
How it's attacked
Attackers mass-scan for open 1433, then launch credential brute force or
password spraying against sa and other logins. After gaining sysadmin
rights they frequently enable xp_cmdshell to run operating-system commands,
turning a database login into full host compromise. SQL injection in web apps can
also pivot directly into the engine on this port.
Hardening checklist
Bind SQL Server to localhost or a private interface and keep 1433 off the public internet, behind a firewall or VPN. Disable or rename sa, enforce strong unique passwords, and apply least-privilege roles. Keep xp_cmdshell disabled, require TLS for connections, and enable failed-login auditing. Use the nmap snippet above to check for empty passwords and gather instance info on hosts you are authorized to test.
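Failed-login auditing only helps if something reads it. The following is an added example, not part of the original page: it parses failed-login lines as they appear in the SQL Server ERRORLOG text format and separates brute force against one login from password spraying across many. The sample lines are constructed, and the 5-minute window and threshold of 5 are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _line(sec, login, client):
    """Build one constructed ERRORLOG-style failed-login line."""
    return (f"2024-05-01 10:15:{sec:02d}.10 Logon       Login failed for user '{login}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {client}]")

# Constructed sample data (documentation-range addresses, invented login names).
SPRAYED = ["sa", "admin", "backup", "report", "webapp"]
SAMPLE_LOG = "\n".join(
    ["2024-05-01 10:15:00.10 Logon       Error: 18456, Severity: 14, State: 8."]
    + [_line(s, "sa", "203.0.113.7") for s in range(6)]                  # one login hammered
    + [_line(10 + i, u, "198.51.100.9") for i, u in enumerate(SPRAYED)]  # many logins tried
    + [_line(30, "alice", "10.0.0.15")]                                  # single mistyped password
)

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+Login failed for user '([^']*)'\."
    r".*\[CLIENT: ([^\]]+)\]")

def parse_failures(text):
    """Yield (timestamp, login, client) for each failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def classify(text, window=timedelta(minutes=5), threshold=5):
    """Map each client with >= threshold failures inside a sliding window to a label."""
    by_client = defaultdict(list)
    for ts, login, client in parse_failures(text):
        by_client[client].append((ts, login))
    findings = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # drop events older than the window
            burst = events[start:end + 1]
            if len(burst) >= threshold:
                logins = {login for _, login in burst}
                # Many distinct logins from one source: spraying; few logins: brute force.
                findings[client] = "spray" if len(logins) >= threshold else "brute-force"
                break
    return findings

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```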
Frequently asked questions
- Is it safe to expose port 1433 to the internet?
- No. Exposed SQL Server is mass-scanned and brute-forced. Keep 1433 on a private network behind a firewall or VPN, with strong auth and TLS.
- What is xp_cmdshell and why is it risky?
- It's a stored procedure that runs OS commands from inside SQL Server. If an attacker gets sysadmin access it becomes a direct path to host compromise, so it should stay disabled.