Blocked Ports Still Show up on Nmap?
Btw I apologize if I sound kinda stupid, I'm not new to cyber security as a whole but I don't have much knowledge of the topic and how stuff works, but anyways; I was pen testing today and found open, vulnerable ports on Nmap (those being 135, 139, 445, 53, 80, 443, and some other random ones), and on my Windows Defender Firewall settings I made inbound rules to block connections to those ports, but after running Nmap again, as well as "netstat -ano", the ports I thought I had closed were still in fact open (according to Nmap), and listening on cmd.
Is this normal? Is there something else I need to do to ensure my ports are closed?
Thanks for your understanding and your help!
I know Windows can be a bit weird sometimes, but you can at least get a representation of what's bound to those ports here if netstat isn't giving you enough: https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview
This guide from them may also help https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring
What flags are you running on NMAP? -sU or -Pn? Try it with -sV
I don't quite understand what you mean
When you're running NMAP, you generally provide it with flags that control how it functions, so -p- will scan all ports, T1 - T5 control the speed, -v - -vvv control the verbosity. You can adjust what types of packets you're sending, which can change the response you're getting. You might need to do this in some scenarios depending on the firewall you're scanning. -sV is the most "common" one
Here you can see the rule I set, to block, and what Nmap says
You can also do -A, if I recall, to do an OS fingerprint
oh btw im using zenmap if that helps
Same premise, it's just a GUI for NMAP
yeah i know
i think thats what im doing
But 135, 139, and 445 are kind of expected to be open. I'm 99% sure there will be another firewall rule there that's overriding the one you made
possible
Are you running this against the machine that you're currently on?
yep
also did i just leak my ip?
It's... a private IP, dawg, it doesn't matter lol
i yeah i forgot lmao
i also ran the default gateway and that had other ports opened, idk if that means anything but
But if you're running NMAP against the same system that it's running on, I feel like the loopback wouldn't feed through the firewall
NMAP can also be wrong, depending on what types of packets you're sending and it might assume something is "open (filtered)", depending on the device's response
That’s a good point
I can try running it on another device