How do I close TCP Port 139?

Todd · Sep 17, 2013

Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T

# nmap --script smb-brute.nse --reason -p 137,138,139,445 192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

David H. Lipman · Sep 17, 2013

From: "Todd said:
Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T

# nmap --script smb-brute.nse --reason -p 137,138,139,445 192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Disable NetBIOS over TCP/IP.

Todd · Sep 17, 2013

Disable NetBIOS over TCP/IP.

Hi David,

Thank you! It even turned off port 135.

Here is a different XP virtual machine than
the first with a before and after.

-T

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both on:

# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:32 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.0033s latency).
Not shown: 701 filtered ports, 296 closed ports
Reason: 701 no-responses and 296 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both off:

[root@rn4 tony]# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:37 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.00039s latency).
All 1000 scanned ports on kvm-winxp2.rent-a-nerd.local (192.168.255.117)
are filtered because of 1000 no-responses

Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds

Todd · Sep 18, 2013

From: "Todd said:
From: "Todd said:

From: "Todd" <[email protected]>

Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T

# nmap --script smb-brute.nse --reason -p 137,138,139,445
192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Disable NetBIOS over TCP/IP.

Click to expand...

Hi David,

Thank you! It even turned off port 135.

Here is a different XP virtual machine than
the first with a before and after.

-T

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both on:

# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:32 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.0033s latency).
Not shown: 701 filtered ports, 296 closed ports
Reason: 701 no-responses and 296 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both off:

[root@rn4 tony]# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:37 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.00039s latency).
All 1000 scanned ports on kvm-winxp2.rent-a-nerd.local
(192.168.255.117) are filtered because of 1000 no-responses

Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds

Click to expand...

On my Router I explicitly block TCP & UDP ports 135 ~ 139 and 445 such
that there can be NetBIOS traffic passed between LAN and WAN. I want
NetBIOS over IP traffic on the LAN side.

Hi David,

Me too. On mine.

What I am up to is trying to close up a Point of Sale workstation
that stores encrypted credit cards locally. I want it in
"stealth" mode. In other words, completely quiet. The workstation
is even going to be by himself on his own leg of a fancy firewall.

Kaspersky's firewall lets all kinds of crap through. I will be calling
their tech support today or tomorrow. (In W7, K's firewall lets
remote procedure calls through, lots of them, not just port
135 -- yikes!)

-T

Todd · Sep 18, 2013

From: "Todd said:
From: "Todd said:

From: "Todd" <[email protected]>

On 09/17/2013 06:29 AM, David H. Lipman wrote:
From: "Todd" <[email protected]>

Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T

# nmap --script smb-brute.nse --reason -p 137,138,139,445
192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Disable NetBIOS over TCP/IP.

Hi David,

Thank you! It even turned off port 135.

Here is a different XP virtual machine than
the first with a before and after.

-T

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both on:

# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:32 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.0033s latency).
Not shown: 701 filtered ports, 296 closed ports
Reason: 701 no-responses and 296 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both off:

[root@rn4 tony]# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:37 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.00039s latency).
All 1000 scanned ports on kvm-winxp2.rent-a-nerd.local
(192.168.255.117) are filtered because of 1000 no-responses

Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds

On my Router I explicitly block TCP & UDP ports 135 ~ 139 and 445 such
that there can be NetBIOS traffic passed between LAN and WAN. I want
NetBIOS over IP traffic on the LAN side.

Click to expand...

Hi David,

Me too. On mine.

What I am up to is trying to close up a Point of Sale workstation
that stores encrypted credit cards locally. I want it in
"stealth" mode. In other words, completely quiet. The workstation
is even going to be by himself on his own leg of a fancy firewall.

Kaspersky's firewall lets all kinds of crap through. I will be calling
their tech support today or tomorrow. (In W7, K's firewall lets
remote procedure calls through, lots of them, not just port
135 -- yikes!)

Click to expand...

Why not then remove or disable the NIC altogether ?

Had crossed my mind.

The POS computer has to go out on the internet to process
credit cards and receive on line payments from a cloud service

A plane old mechanical cash register passed my mind too.

Todd · Sep 18, 2013

From: "Todd said:
From: "Todd said:

From: "Todd" <[email protected]>

On 09/17/2013 04:24 PM, David H. Lipman wrote:
From: "Todd" <[email protected]>

On 09/17/2013 06:29 AM, David H. Lipman wrote:
From: "Todd" <[email protected]>

Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T

# nmap --script smb-brute.nse --reason -p 137,138,139,445
192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Disable NetBIOS over TCP/IP.

Hi David,

Thank you! It even turned off port 135.

Here is a different XP virtual machine than
the first with a before and after.

-T

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both on:

# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:32 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.0033s latency).
Not shown: 701 filtered ports, 296 closed ports
Reason: 701 no-responses and 296 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both off:

[root@rn4 tony]# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:37 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.00039s latency).
All 1000 scanned ports on kvm-winxp2.rent-a-nerd.local
(192.168.255.117) are filtered because of 1000 no-responses

Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds

On my Router I explicitly block TCP & UDP ports 135 ~ 139 and 445 such
that there can be NetBIOS traffic passed between LAN and WAN. I want
NetBIOS over IP traffic on the LAN side.

Hi David,

Me too. On mine.

What I am up to is trying to close up a Point of Sale workstation
that stores encrypted credit cards locally. I want it in
"stealth" mode. In other words, completely quiet. The workstation
is even going to be by himself on his own leg of a fancy firewall.

Kaspersky's firewall lets all kinds of crap through. I will be calling
their tech support today or tomorrow. (In W7, K's firewall lets
remote procedure calls through, lots of them, not just port
135 -- yikes!)

Why not then remove or disable the NIC altogether ?

Click to expand...

Had crossed my mind.

The POS computer has to go out on the internet to process
credit cards and receive on line payments from a cloud service

A plane old mechanical cash register passed my mind too.

Click to expand...

It sounds like it should be using WinXPe -
http://en.wikipedia.org/wiki/Windows_xp_embedded#Windows_XP_Embedded

If it is a standard PC I see why you would want to limit it.

Perhaps what yo should do is go into the Windows Firewall and REMOVE all
exceptions and ADD as an exception only the POS software.

The problem is the EoL of WinXP. Instead of doing all this work for XP,
it should be done using Win7 or Win8 'cause XP will go EoL in a matter
of months.

Hi David,

It is a workstation. Figured it out how to "stealth" Kaspersky's
firewall. Here are my notes. Thank you for all the help!

PCI testing has a lot of good things in it, but most of it is a
paper chase for the lawyers to get out of liability. Think of
it: most exploits comes through Java lately. All this firewall
wall stuff does no good. (I told my customer to call a company
meeting, pull out a 15" knife and start sharpening it, while
telling the employees "no surfing the Internet".)

-T

How to make Kaspersky End Point Security 10.1.0.867 "Stealth":

--> Kaspersky Setting
--> Anti Virus Protection, Firewall (Left Column)
--> Network Packet Rules (button on right)

A table will show. Find

-->> TCP connections through the local port
-->> UDP connections through the local port

Press the "edit" icon at the top margin and change both to "Block"

If you actually want an open port, items above other items on this
table take precedence. So create a new rule (Open VPN for instance)
above these two rules.

RJK · Sep 21, 2013

Todd said:
From: "Todd said:

On 09/18/2013 01:15 PM, David H. Lipman wrote:
From: "Todd" <[email protected]>

On 09/17/2013 04:24 PM, David H. Lipman wrote:
From: "Todd" <[email protected]>

On 09/17/2013 06:29 AM, David H. Lipman wrote:
From: "Todd" <[email protected]>

Hi All,

Hi All,

How do I close TCP Port 139?

Many thanks,
-T

# nmap --script smb-brute.nse --reason -p 137,138,139,445
192.168.255.100

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:13 PDT
Nmap scan report for KVM-WinXP.xxxx.local (192.168.255.100)
Host is up, received arp-response (0.0011s latency).
PORT STATE SERVICE REASON
137/tcp closed netbios-ns reset
138/tcp closed netbios-dgm reset
139/tcp open netbios-ssn syn-ack
445/tcp closed microsoft-ds reset
MAC Address: 52:54:00:F5:14:7E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Disable NetBIOS over TCP/IP.

Hi David,

Thank you! It even turned off port 135.

Here is a different XP virtual machine than
the first with a before and after.

-T

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both on:

# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:32 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.0033s latency).
Not shown: 701 filtered ports, 296 closed ports
Reason: 701 no-responses and 296 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File sharing and NetBIOS over TCP/IP both off:

[root@rn4 tony]# nmap --reason 192.168.255.117

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-17 10:37 PDT
Nmap scan report for kvm-winxp2.rent-a-nerd.local (192.168.255.117)
Host is up, received arp-response (0.00039s latency).
All 1000 scanned ports on kvm-winxp2.rent-a-nerd.local
(192.168.255.117) are filtered because of 1000 no-responses

Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds

On my Router I explicitly block TCP & UDP ports 135 ~ 139 and 445
such
that there can be NetBIOS traffic passed between LAN and WAN. I want
NetBIOS over IP traffic on the LAN side.

Hi David,

Me too. On mine.

What I am up to is trying to close up a Point of Sale workstation
that stores encrypted credit cards locally. I want it in
"stealth" mode. In other words, completely quiet. The workstation
is even going to be by himself on his own leg of a fancy firewall.

Kaspersky's firewall lets all kinds of crap through. I will be
calling
their tech support today or tomorrow. (In W7, K's firewall lets
remote procedure calls through, lots of them, not just port
135 -- yikes!)

Why not then remove or disable the NIC altogether ?

Had crossed my mind.

The POS computer has to go out on the internet to process
credit cards and receive on line payments from a cloud service

A plane old mechanical cash register passed my mind too.

Click to expand...

It sounds like it should be using WinXPe -
http://en.wikipedia.org/wiki/Windows_xp_embedded#Windows_XP_Embedded

If it is a standard PC I see why you would want to limit it.

Perhaps what yo should do is go into the Windows Firewall and REMOVE all
exceptions and ADD as an exception only the POS software.

The problem is the EoL of WinXP. Instead of doing all this work for XP,
it should be done using Win7 or Win8 'cause XP will go EoL in a matter
of months.

Click to expand...

Hi David,

It is a workstation. Figured it out how to "stealth" Kaspersky's
firewall. Here are my notes. Thank you for all the help!

PCI testing has a lot of good things in it, but most of it is a
paper chase for the lawyers to get out of liability. Think of
it: most exploits comes through Java lately.

All this firewall

wall stuff does no good.

Well, ....SPI, (stateful packet inspection), in the modem/router/wifi unit,
(when switched on), seems to go a long way

regards, Richard

(I told my customer to call a company

Todd · Sep 21, 2013

Well, ....SPI, (stateful packet inspection), in the modem/router/wifi unit,
(when switched on), seems to go a long way

Doesn't help with Java.

How do I close TCP Port 139?

Todd

David H. Lipman

Todd

Todd

Todd

Todd

RJK

Todd