Port 1978 – TeraTerm / Open Mic (Uncommon Use)

Service:

Varies (sometimes Open Mic, often custom/embedded)

Protocol:

TCP

Port:

1978

Used for:

Ad-hoc in embedded systems, rare in mainstream services

Why It’s Open

This is not an IANA-assigned port for a well-known service. However, it’s occasionally used by:

  • TeraTerm (older terminal emulators); IANA-registered service: TeraTerm/Open Mic (rarely used)
  • Custom TCP backdoors or open mic audio streams

In real-world usage, it’s most commonly associated with Kyoto Tycoon, a lightweight database server that acts as a key-value store and uses port 1978 for its HTTP-based API (sometimes referred to as GWS, Generic Web Server, in its documentation).

Common Risks

  • Unknown/Unclassified Service: Could indicate a misused or rogue service.
  • Backdoors / Surveillance: Some malware and internal tools use uncommon ports to evade detection.

Enumeration & Testing

Nmap check

nmap -p 1978 -sV "$TARGET"

Basic banner grabbing:

nc "$TARGET" 1978

Fuzz with netcat or simple scripts:

for i in {1..10}; do echo "test-$i" | nc "$TARGET" 1978; done

Known Exploits

No public CVEs specifically for port 1978, but…

  • TeraTerm has had minor vulnerabilities in the past involving buffer overflows or plaintext handling.
  • This port is often used in custom or rogue applications, so any detection should prompt investigation.

Treat as suspicious unless validated - possible C2 channel or raw data stream port in red team scenarios.

Tools & Tactics

  • Use Wireshark to check for audio/video stream signatures (raw media)
  • Identify services listening using netstat -ano or lsof -i :1978
  • Run strings on suspect binaries communicating over 1978

What to Look For

Checkpoint | What it means
No service banner | Could be hiding activity
Raw audio data | Potential open mic or stream
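
The checkpoints above, written as a triage script for a listener found on port 1978 during an inventory of your own hosts. This is an added example, not part of the original page; the label names, the 0.9 printable-ratio cut-off, the WAV header check and the 3-second timeout are assumptions chosen for illustration.

```python
import socket

PORT = 1978  # port discussed on this page


def classify(data: bytes) -> str:
    """Triage the first bytes read from a listener (heuristic labels, assumed)."""
    if not data:
        return "no-banner"  # silent service: "could be hiding activity"
    if data.startswith(b"HTTP/"):
        # HTTP-based API (e.g. a key-value store front end): report Server header
        for line in data.split(b"\r\n")[1:]:
            if not line:
                break  # end of headers
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"server":
                return "http:" + value.strip().decode("latin-1")
        return "http"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "audio-container"  # WAV header at the start of the stream
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    if printable / len(data) >= 0.9:  # assumed cut-off for "mostly text"
        return "text-banner"
    return "binary-stream"  # raw media or custom protocol: inspect in Wireshark


def probe(host: str, port: int = PORT, timeout: float = 3.0) -> str:
    """Wait for an unsolicited banner; if none arrives, try one HTTP request."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            try:
                s.sendall(b"GET / HTTP/1.0\r\n\r\n")
                data = s.recv(1024)
            except OSError:  # covers timeouts and a peer that already closed
                data = b""
    return classify(data)
```

A "no-banner" or "binary-stream" result is the cue to map the socket to its owning process with netstat -ano or lsof -i :1978 before drawing conclusions.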

Mitigation

  • Investigate the binary using that port.
  • Close unused high ports.
  • Log and monitor for unusual TCP usage.

Real World Example

A few targeted red team assessments found port 1978 being used as a raw TCP stream for microphones in surveillance environments.

TL;DR

  • Service: Ad-hoc in embedded systems, rare in mainstream services, may be Kyoto Tycoon / GWS
  • Default Port: 1978/TCP
  • Risks: Information disclosure, weak or no authentication, DoS
  • Mitigation: Restrict access, enforce authentication, monitor logs, patch software