Port reference

Port 4444 (TCP) – Metasploit / Reverse-Shell C2

De-facto reverse-shell and C2 port — Metasploit's default Meterpreter listener, also abused by the MSBlaster worm.

TCP | Registered | Commonly attacked

Default state

Not a standard service. Appears when a Metasploit handler is listening or malware opens a reverse-shell channel; alerting on it is a detection signal.

Common attacks

  • Metasploit Meterpreter reverse-shell callbacks to a 4444 handler
  • Command-and-control (C2) and post-exploitation traffic
  • Historic MSBlaster worm propagation via MSRPC (CVE-2003-0352, port 135)
  • Bind-shell payloads listening on 4444 for the attacker to connect in

Hardening

  • Treat outbound/inbound 4444 as suspicious — alert and block by default
  • Egress-filter so internal hosts cannot dial out on arbitrary high ports
  • Hunt for Meterpreter behaviour, not just the port number
  • Patch the underlying RCE/MSRPC bugs that drop these payloads (e.g. MS03-026)
  • Use EDR to detect in-memory Meterpreter and process injection

nmap snippet

nmap -p4444 -sV --script metasploit-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 4444?

Port 4444 has no single fixed legitimate service. It is best known as the default listener port for Metasploit's Meterpreter payload — when an operator runs an exploit, the compromised host typically calls back to a handler on 4444. It also has history: the 2003 MSBlaster worm used 4444 to open a remote shell after exploiting the MSRPC DCOM flaw (CVE-2003-0352) on port 135.

Why it matters for security

Because 4444 is the de-facto reverse-shell and C2 port, traffic to or from it is a classic indicator of compromise. Blue teams and IDS rules specifically alert on 4444 callbacks. It rarely hosts anything legitimate, so seeing an internal host connect outbound to 4444 — or listen on it — usually means an exploit landed and a foothold is active.
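Added example (not part of the original page): a minimal triage pass over socket listings in the layout of `ss -tanp`, flagging the conditions described above (a listener on 4444, an inbound session to it, or an outbound connection to a remote 4444). The sample lines, addresses, process names and function names are constructed for illustration.

```python
import re

SUSPECT_PORT = "4444"

# Constructed sample in the layout of `ss -tanp` output (not from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=811,fd=3))
LISTEN 0      1      0.0.0.0:4444        0.0.0.0:*           users:(("nc",pid=4242,fd=3))
ESTAB  0      0      10.0.5.23:51234     203.0.113.7:4444    users:(("sh",pid=4310,fd=0))
ESTAB  0      0      10.0.5.23:4444      192.0.2.50:53122    users:(("nc",pid=4242,fd=4))
ESTAB  0      0      10.0.5.23:44440     198.51.100.9:443    users:(("curl",pid=4400,fd=5))
ESTAB  0      0      [fd00::5]:40222     [2001:db8::9]:4444
"""

# Process column as printed by `ss -p`: users:(("name",pid=N,fd=M))
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or bracketed IPv6) at the last colon."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port

def triage(ss_output, port=SUSPECT_PORT):
    """Return (kind, local, peer, process, pid) for each socket touching `port`."""
    findings = []
    for line in ss_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state = fields[0]
        laddr, lport = split_endpoint(fields[3])
        raddr, rport = split_endpoint(fields[4])
        if lport == port:
            kind = "listener" if state == "LISTEN" else "inbound"
        elif rport == port:
            kind = "outbound"
        else:
            continue                             # exact match only; 44440 is ignored
        m = PROC_RE.search(line)                 # absent when ss ran without privileges
        proc, pid = (m.group(1), int(m.group(2))) if m else (None, None)
        findings.append((kind, laddr, raddr, proc, pid))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SS):
        print(finding)
```

A hit here is a starting point for investigation: the owning process and PID are what tie the socket back to the behaviour worth examining.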

How it's attacked

Attackers configure a Metasploit multi/handler on 4444 and deliver a payload that connects back, giving an interactive Meterpreter session for post-exploitation: pivoting, credential theft, and lateral movement. Bind-shell payloads instead listen on 4444 for the attacker to connect in. Historically, worms like MSBlaster spread via the MSRPC (port 135) bug and used 4444 as their shell channel.

Hardening checklist

Treat any 4444 traffic as suspicious by default — alert and block it. Egress-filter so internal hosts cannot dial out on arbitrary high ports to a C2. Hunt for Meterpreter behaviour (in-memory injection, named-pipe activity) rather than relying on the port alone, and deploy EDR to catch in-memory payloads. Patch the underlying RCE/MSRPC bugs (e.g. MS03-026) that drop these implants. The nmap snippet above probes the port on systems you are authorized to test.

Frequently asked questions

Why is port 4444 considered malicious?
It is Metasploit's default Meterpreter listener and a common reverse-shell/C2 port, so traffic to or from 4444 is a strong indicator of exploitation. It carries no single fixed legitimate service.
What is the connection between port 4444 and MSBlaster?
The 2003 MSBlaster worm exploited the MSRPC DCOM bug (CVE-2003-0352 on port 135) and used 4444 to spawn a remote shell on victims, cementing the port's reputation.