Skip to content
PortsDB

Port reference

Port 1720 (TCP) – H.323 (VoIP call signaling)

H.323 call setup channel (Q.931 over TCP) — the legacy signaling protocol for VoIP and video conferencing endpoints and gatekeepers.

tcpRegisteredCommonly attacked

Default state

Open on H.323 gateways, gatekeepers, IP-PBXs, and video conferencing units (Cisco, Avaya, Polycom). Sometimes exposed to the internet for inter-site trunks.

Common attacks

  • Endpoint and gatekeeper enumeration
  • Toll fraud through unauthenticated call setup
  • Q.931/H.225 fuzzing causing crashes or denial of service
  • Call interception and signaling manipulation

Hardening

  • Do not expose H.323 directly — front with an SBC or VPN
  • Require gatekeeper registration and authentication for endpoints
  • Restrict source IPs for trunks and inter-site links
  • Patch gateway/endpoint firmware against H.225/Q.931 parsing flaws
  • Prefer modern SIP/TLS where possible and retire legacy H.323

nmap snippet

nmap -p1720 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 1720?

Port 1720 carries H.323 call signaling, specifically the Q.931/H.225 call setup channel over TCP. H.323 is the older ITU-T standard for VoIP and video conferencing, using gatekeepers to register endpoints and route calls. Gateways, IP-PBXs, and conferencing units from Cisco, Avaya, and Polycom listen here. Like SIP on 5060, it handles signaling while the media flows over RTP.

Why it matters for security

A reachable H.323 gateway that accepts unauthenticated call setup is directly monetizable through toll fraud — attackers route expensive premium-rate calls on the victim's trunk. The protocol's complex ASN.1/Q.931 parsing has a long history of crash and overflow bugs, and cleartext signaling exposes call metadata and enables interception.

How it's attacked

Attackers scan for open 1720 and enumerate endpoints and gatekeepers, then attempt unauthenticated call setup for toll fraud. Malformed Q.931/H.225 messages are fuzzed to crash devices or trigger memory bugs, and weak deployments allow signaling manipulation and call interception.

Hardening checklist

Keep H.323 off the open internet — front it with a Session Border Controller (SBC) or VPN. Require gatekeeper registration and authentication for all endpoints, and restrict source IPs for trunks and inter-site links. Patch firmware against H.225/Q.931 parsing flaws. Where feasible, migrate to SIP over TLS and retire legacy H.323. Use the nmap snippet above to fingerprint devices you are authorized to test.

Related ports

Port 5060Port 5061Port 5004Port 1719

Frequently asked questions

What is the difference between H.323 and SIP?
Both are VoIP signaling protocols. H.323 (port 1720) is the older ITU standard built on Q.931/H.225, while SIP (port 5060) is the simpler, text-based IETF standard that has largely replaced it. Many deployments now migrate H.323 to SIP.
Why is port 1720 a toll fraud risk?
An H.323 gateway that accepts unauthenticated call setup lets attackers route outbound calls to premium-rate numbers at the victim's expense, the same monetization seen on SIP 5060.