Port 4444 – Metasploit Handler (Custom)

Service: Reverse shell / Metasploit listener
Protocol: TCP
Port: 4444
Used for: Reverse shell callbacks (common default)

Why It’s Open

Not used by standard services, but often seen during active exploitation or C2 (Command & Control) setups.

Common Risks

  • Active Compromise Indicator
  • Reverse Shell Listener
  • Post-Exploitation Tooling


Enumeration & Testing

Check if it’s open (replace <target> with the host under test):

nmap -p 4444 <target>

Use -sC for basic script scan:

nmap -p 4444 -sC <target>

Manual Testing with Netcat / Telnet

nc <target> 4444

If you connect and the socket stays open without printing any prompt or banner, it is most likely a handler waiting for a callback (reverse shell listener) rather than an interactive service.

Check for Active Reverse Shells

Run on your own machine to detect callbacks:

sudo tcpdump -i any port 4444

Use lsof or netstat:

sudo lsof -i :4444
sudo netstat -anp | grep 4444
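The lsof and netstat commands above read the kernel socket table for you. As an added example (not part of the original page, and not PentestPad's own tooling), the script below parses the same table directly from /proc/net/tcp on Linux and reports any listener on 4444 or established connection touching it, so it can run as a cron or agent check without depending on the output format of either tool. The sample table embedded in the script is constructed for the example (addresses and inodes are made up); on a Linux host it reads the live file instead.

```python
import os
import socket
import struct

# Linux /proc/net/tcp socket states (hex) relevant to a listener hunt.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp format (not captured from a real host).
# Row 0: a listener bound to 0.0.0.0:4444 (0x115C).
# Row 1: an established connection from 10.0.0.5 to a remote host on 4444.
# Row 2: an unrelated sshd listener on port 22 (0x0016).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0500000A:9C40 076433C6:115C 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""


def hex_to_endpoint(hexpair):
    """Convert '0100007F:115C' to ('127.0.0.1', 4444).

    /proc/net/tcp stores the IPv4 address as a little-endian 32-bit value."""
    addr_hex, port_hex = hexpair.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a list of socket dicts (local, remote, state)."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        laddr, lport = hex_to_endpoint(fields[1])
        raddr, rport = hex_to_endpoint(fields[2])
        sockets.append({
            "local": (laddr, lport),
            "remote": (raddr, rport),
            "state": TCP_STATES.get(fields[3], fields[3]),
        })
    return sockets


def find_port_activity(sockets, port=4444):
    """Return findings for listeners on `port` and established connections using it."""
    findings = []
    for s in sockets:
        if s["state"] == "LISTEN" and s["local"][1] == port:
            findings.append(("listener", s["local"][0], port))
        elif s["state"] == "ESTABLISHED" and port in (s["local"][1], s["remote"][1]):
            local = f"{s['local'][0]}:{s['local'][1]}"
            remote = f"{s['remote'][0]}:{s['remote'][1]}"
            findings.append(("connection", local, remote))
    return findings


def scan(path="/proc/net/tcp", port=4444):
    """Read the live socket table on Linux; fall back to the constructed sample elsewhere."""
    if os.path.exists(path):
        with open(path) as f:
            text = f.read()
    else:
        text = SAMPLE_PROC_NET_TCP
    return find_port_activity(parse_proc_net_tcp(text), port)


if __name__ == "__main__":
    for finding in scan():
        print(*finding)
```

IPv6 sockets live in /proc/net/tcp6 with 128-bit hex addresses, so a complete check should parse that file too. A listener found this way still needs the owning process (lsof -i :4444 gives the PID) before it can be judged benign or not.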

Metasploit Reverse Shell Detection

  • Use tools like YARA or Snort to detect:
    • Meterpreter shell signatures
    • Common reverse shell payload formats

IDS/EDR Monitoring

  • Monitor for:
    • cmd.exe, sh, powershell spawning from unknown parent processes
    • Connections to odd IPs over high ports (like 4444)
    • Long-lived, mostly idle TCP connections that carry no HTTP headers or user agent
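The three monitoring bullets above translate directly into detection rules. As an added example (not part of the original page, and not PentestPad's own code), the script below applies them to a small batch of constructed process and connection events and correlates the two by host and PID, so a shell spawned from an unexpected parent that then holds a quiet connection to 4444 is raised at higher severity than either signal alone. The event schema, the allowlist of expected shell parents, the watched-port set and the idle thresholds are all assumptions for the example and would be tuned to the environment's own EDR or netflow telemetry.

```python
import ipaddress

# Images treated as interactive shells (constructed list; extend for the estate).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
# Parents from which a shell is normally expected (constructed allowlist, tune per environment).
EXPECTED_SHELL_PARENTS = {"explorer.exe", "sshd", "login", "gnome-terminal-server", "bash", "cron", "systemd"}
# Ports that warrant an alert when an external host is contacted on them.
WATCHED_PORTS = {4444}
# A connection open at least this long that moved at most this many bytes is "idle".
IDLE_SECONDS = 600
IDLE_MAX_BYTES = 2048
# Address space considered internal for the "odd IP" rule (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed telemetry (not real logs). Host ws01 pid 4120 is the "bad" chain:
# PowerShell launched by Word, then a quiet hour-long connection to 4444 externally.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "pid": 4120, "image": "powershell.exe", "parent": "winword.exe"},
    {"type": "process", "host": "ws01", "pid": 4200, "image": "powershell.exe", "parent": "explorer.exe"},
    {"type": "process", "host": "srv02", "pid": 9931, "image": "sh", "parent": "java"},
    {"type": "connection", "host": "ws01", "pid": 4120, "dst": "198.51.100.7", "dport": 4444, "duration": 3600, "bytes": 900},
    {"type": "connection", "host": "ws01", "pid": 4200, "dst": "10.0.0.20", "dport": 443, "duration": 12, "bytes": 50000},
    {"type": "connection", "host": "srv02", "pid": 9931, "dst": "203.0.113.9", "dport": 8080, "duration": 7200, "bytes": 300},
]


def is_internal(ip):
    """True when the address falls inside the constructed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_process(ev):
    """Rule 1: shell image spawned by a parent not on the allowlist."""
    if ev["image"].lower() in SHELL_IMAGES and ev["parent"].lower() not in EXPECTED_SHELL_PARENTS:
        return f"{ev['host']}: {ev['image']} spawned by unexpected parent {ev['parent']} (pid {ev['pid']})"
    return None


def check_connection(ev):
    """Rules 2 and 3: watched port to an external host; long-lived connection carrying little data."""
    alerts = []
    if ev["dport"] in WATCHED_PORTS and not is_internal(ev["dst"]):
        alerts.append(f"{ev['host']}: pid {ev['pid']} connected to {ev['dst']}:{ev['dport']} (watched port)")
    if ev["duration"] >= IDLE_SECONDS and ev["bytes"] <= IDLE_MAX_BYTES:
        alerts.append(f"{ev['host']}: pid {ev['pid']} held {ev['dst']}:{ev['dport']} open "
                      f"{ev['duration']}s with only {ev['bytes']} bytes")
    return alerts


def analyze(events):
    """Return (severity, message) pairs; connection alerts from an already-suspicious PID are 'high'."""
    alerts = []
    suspicious = set()
    for ev in events:
        if ev["type"] == "process":
            msg = check_process(ev)
            if msg:
                suspicious.add((ev["host"], ev["pid"]))
                alerts.append(("medium", msg))
    for ev in events:
        if ev["type"] == "connection":
            severity = "high" if (ev["host"], ev["pid"]) in suspicious else "medium"
            for msg in check_connection(ev):
                alerts.append((severity, msg))
    return alerts


if __name__ == "__main__":
    for severity, msg in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {msg}")
```

The idle rule deliberately ignores the port, because a handler that has been moved off 4444 still looks the same on the wire: a session that stays up for a long time while moving very little data. Correlating by PID is what keeps the port-based rule from being pure noise on hosts where 4444 is legitimately used.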

Known Exploits

Port 4444 is commonly used by Metasploit for reverse shells and payload handlers. While there are no specific CVEs associated with this port, its open state may indicate the presence of a Metasploit handler or other reverse shell listener. It’s essential to monitor and investigate any unexpected activity on this port.

Common Exploit Use Cases

  • Metasploit Payloads:
    • reverse_tcp, reverse_https, and meterpreter often use port 4444 by default.
  • WebShells / Droppers:
    • PowerShell or Python-based shells often callback to this port.
  • APT & Red Team Ops:
    • Many open-source C2 frameworks default to this port (Empire, Covenant, etc.)

Notable CVEs where 4444 is used post-exploitation:

  • CVE-2017-5638 – Apache Struts RCE, commonly used to spawn a shell back to an attacker listener on port 4444
  • CVE-2019-0708 (BlueKeep) – RCE leading to a reverse shell (often to 4444)
  • CVE-2021-21972 – VMware vCenter RCE, exploited to drop webshells with port 4444 listeners

What to Look For

Checkpoint                  What it means
Netcat/Metasploit running   Could indicate breach
Shell connections           Backdoor or C2 activity

Mitigation

  • Block unused high ports.
  • Use EDR/XDR to detect reverse shell behavior.
  • Forensically investigate usage.

TL;DR

  • Service: Custom Reverse Shell Listener (Metasploit default)
  • Default Port: 4444/TCP
  • Risks: Indicator of compromise, C2 channel, reverse shell
  • Mitigation: Monitor outbound traffic to 4444, restrict firewall egress rules, investigate unknown listeners