How do I close TCP Port 139?


T

Todd

Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T


# nmap --script smb-brute.nse --reason -p 137,138,139,445 192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
 
Ad

Advertisements

D

David H. Lipman

From: "Todd said:
Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T


# nmap --script smb-brute.nse --reason -p 137,138,139,445 192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Disable NetBIOS over TCP/IP.
 
T

Todd

Disable NetBIOS over TCP/IP.


Hi David,

Thank you! It even turned off port 135.

Here is a different XP virtual machine than
the first with a before and after.

-T

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both on:

# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:32 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.0033s latency).
Not shown: 701 filtered ports, 296 closed ports
Reason: 701 no-responses and 296 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both off:

[[email protected] tony]# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:37 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.00039s latency).
All 1000 scanned ports on kvm-winxp2.rent-a-nerd.local (192.168.255.117)
are filtered because of 1000 no-responses

Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds
 
T

Todd

From: "Todd said:
From: "Todd" <[email protected]>

Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T

# nmap --script smb-brute.nse --reason -p 137,138,139,445
192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Disable NetBIOS over TCP/IP.

Hi David,

Thank you! It even turned off port 135.

Here is a different XP virtual machine than
the first with a before and after.

-T

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both on:

# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:32 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.0033s latency).
Not shown: 701 filtered ports, 296 closed ports
Reason: 701 no-responses and 296 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both off:

[[email protected] tony]# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:37 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.00039s latency).
All 1000 scanned ports on kvm-winxp2.rent-a-nerd.local
(192.168.255.117) are filtered because of 1000 no-responses

Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds


On my Router I explicitly block TCP & UDP ports 135 ~ 139 and 445 such
that there can be NetBIOS traffic passed between LAN and WAN. I want
NetBIOS over IP traffic on the LAN side.

Hi David,

Me too. On mine.

What I am up to is trying to close up a Point of Sale workstation
that stores encrypted credit cards locally. I want it in
"stealth" mode. In other words, completely quiet. The workstation
is even going to be by himself on his own leg of a fancy firewall.

Kaspersky's firewall lets all kinds of crap through. I will be calling
their tech support today or tomorrow. (In W7, K's firewall lets
remote procedure calls through, lots of them, not just port
135 -- yikes!)

-T
 
T

Todd

From: "Todd said:
From: "Todd" <[email protected]>

On 09/17/2013 06:29 AM, David H. Lipman wrote:
From: "Todd" <[email protected]>

Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T

# nmap --script smb-brute.nse --reason -p 137,138,139,445
192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Disable NetBIOS over TCP/IP.

Hi David,

Thank you! It even turned off port 135.

Here is a different XP virtual machine than
the first with a before and after.

-T

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both on:

# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:32 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.0033s latency).
Not shown: 701 filtered ports, 296 closed ports
Reason: 701 no-responses and 296 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both off:

[[email protected] tony]# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:37 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.00039s latency).
All 1000 scanned ports on kvm-winxp2.rent-a-nerd.local
(192.168.255.117) are filtered because of 1000 no-responses

Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds

On my Router I explicitly block TCP & UDP ports 135 ~ 139 and 445 such
that there can be NetBIOS traffic passed between LAN and WAN. I want
NetBIOS over IP traffic on the LAN side.

Hi David,

Me too. On mine.

What I am up to is trying to close up a Point of Sale workstation
that stores encrypted credit cards locally. I want it in
"stealth" mode. In other words, completely quiet. The workstation
is even going to be by himself on his own leg of a fancy firewall.

Kaspersky's firewall lets all kinds of crap through. I will be calling
their tech support today or tomorrow. (In W7, K's firewall lets
remote procedure calls through, lots of them, not just port
135 -- yikes!)

Why not then remove or disable the NIC altogether ?

Had crossed my mind.

The POS computer has to go out on the internet to process
credit cards and receive on line payments from a cloud service

A plane old mechanical cash register passed my mind too.
 
T

Todd

From: "Todd said:
From: "Todd" <[email protected]>

On 09/17/2013 04:24 PM, David H. Lipman wrote:
From: "Todd" <[email protected]>

On 09/17/2013 06:29 AM, David H. Lipman wrote:
From: "Todd" <[email protected]>

Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T

# nmap --script smb-brute.nse --reason -p 137,138,139,445
192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Disable NetBIOS over TCP/IP.

Hi David,

Thank you! It even turned off port 135.

Here is a different XP virtual machine than
the first with a before and after.

-T

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both on:

# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:32 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.0033s latency).
Not shown: 701 filtered ports, 296 closed ports
Reason: 701 no-responses and 296 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both off:

[[email protected] tony]# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:37 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.00039s latency).
All 1000 scanned ports on kvm-winxp2.rent-a-nerd.local
(192.168.255.117) are filtered because of 1000 no-responses

Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds

On my Router I explicitly block TCP & UDP ports 135 ~ 139 and 445 such
that there can be NetBIOS traffic passed between LAN and WAN. I want
NetBIOS over IP traffic on the LAN side.

Hi David,

Me too. On mine.

What I am up to is trying to close up a Point of Sale workstation
that stores encrypted credit cards locally. I want it in
"stealth" mode. In other words, completely quiet. The workstation
is even going to be by himself on his own leg of a fancy firewall.

Kaspersky's firewall lets all kinds of crap through. I will be calling
their tech support today or tomorrow. (In W7, K's firewall lets
remote procedure calls through, lots of them, not just port
135 -- yikes!)

Why not then remove or disable the NIC altogether ?

Had crossed my mind.

The POS computer has to go out on the internet to process
credit cards and receive on line payments from a cloud service

A plane old mechanical cash register passed my mind too.

It sounds like it should be using WinXPe -
http://en.wikipedia.org/wiki/Windows_xp_embedded#Windows_XP_Embedded

If it is a standard PC I see why you would want to limit it.

Perhaps what yo should do is go into the Windows Firewall and REMOVE all
exceptions and ADD as an exception only the POS software.

The problem is the EoL of WinXP. Instead of doing all this work for XP,
it should be done using Win7 or Win8 'cause XP will go EoL in a matter
of months.

Hi David,

It is a workstation. Figured it out how to "stealth" Kaspersky's
firewall. Here are my notes. Thank you for all the help!

PCI testing has a lot of good things in it, but most of it is a
paper chase for the lawyers to get out of liability. Think of
it: most exploits comes through Java lately. All this firewall
wall stuff does no good. (I told my customer to call a company
meeting, pull out a 15" knife and start sharpening it, while
telling the employees "no surfing the Internet".)

-T


How to make Kaspersky End Point Security 10.1.0.867 "Stealth":

--> Kaspersky Setting
--> Anti Virus Protection, Firewall (Left Column)
--> Network Packet Rules (button on right)

A table will show. Find

-->> TCP connections through the local port
-->> UDP connections through the local port

Press the "edit" icon at the top margin and change both to "Block"

If you actually want an open port, items above other items on this
table take precedence. So create a new rule (Open VPN for instance)
above these two rules.
 
Ad

Advertisements

R

RJK

Todd said:
From: "Todd said:
On 09/18/2013 01:15 PM, David H. Lipman wrote:
From: "Todd" <[email protected]>

On 09/17/2013 04:24 PM, David H. Lipman wrote:
From: "Todd" <[email protected]>

On 09/17/2013 06:29 AM, David H. Lipman wrote:
From: "Todd" <[email protected]>

Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T

# nmap --script smb-brute.nse --reason -p 137,138,139,445
192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Disable NetBIOS over TCP/IP.

Hi David,

Thank you! It even turned off port 135.

Here is a different XP virtual machine than
the first with a before and after.

-T

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both on:

# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:32 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.0033s latency).
Not shown: 701 filtered ports, 296 closed ports
Reason: 701 no-responses and 296 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both off:

[[email protected] tony]# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:37 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.00039s latency).
All 1000 scanned ports on kvm-winxp2.rent-a-nerd.local
(192.168.255.117) are filtered because of 1000 no-responses

Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds

On my Router I explicitly block TCP & UDP ports 135 ~ 139 and 445
such
that there can be NetBIOS traffic passed between LAN and WAN. I want
NetBIOS over IP traffic on the LAN side.

Hi David,

Me too. On mine.

What I am up to is trying to close up a Point of Sale workstation
that stores encrypted credit cards locally. I want it in
"stealth" mode. In other words, completely quiet. The workstation
is even going to be by himself on his own leg of a fancy firewall.

Kaspersky's firewall lets all kinds of crap through. I will be
calling
their tech support today or tomorrow. (In W7, K's firewall lets
remote procedure calls through, lots of them, not just port
135 -- yikes!)

Why not then remove or disable the NIC altogether ?

Had crossed my mind.

The POS computer has to go out on the internet to process
credit cards and receive on line payments from a cloud service

A plane old mechanical cash register passed my mind too.

It sounds like it should be using WinXPe -
http://en.wikipedia.org/wiki/Windows_xp_embedded#Windows_XP_Embedded

If it is a standard PC I see why you would want to limit it.

Perhaps what yo should do is go into the Windows Firewall and REMOVE all
exceptions and ADD as an exception only the POS software.

The problem is the EoL of WinXP. Instead of doing all this work for XP,
it should be done using Win7 or Win8 'cause XP will go EoL in a matter
of months.

Hi David,

It is a workstation. Figured it out how to "stealth" Kaspersky's
firewall. Here are my notes. Thank you for all the help!

PCI testing has a lot of good things in it, but most of it is a
paper chase for the lawyers to get out of liability. Think of
it: most exploits comes through Java lately.

All this firewall
wall stuff does no good.

Well, ....SPI, (stateful packet inspection), in the modem/router/wifi unit,
(when switched on), seems to go a long way :)

regards, Richard


(I told my customer to call a company
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top