Mony
Mony13mo ago

Blocked Ports Still Show up on Nmap?

Btw I apologize if I sound kinda stupid, I'm not new to cyber security as a whole but I don't have much knowledge of the topic and how stuff works, but anyways; I was pen testing today and found open, vulnerable, ports on Nmap (those being 135, 139, 445, 53, 80, 443, and some other random ones), and on my Windows Defender Firewall settings I made inbound rules to block connections to those ports, but after running Nmap again, as well as "netstat -ano" the ports I thought I had closed were still in fact open (according to Nmap), and listening on cmd. Is this normal? Is there something else I need to do to ensure my ports are closed? Thanks for your understanding and your help!
18 Replies
Cyber Forum
Cyber Forum13mo ago
Post created!
🔎 This post has been indexed in our web forum and will be seen by search engines so other users can find it outside Discord 🕵️ Your user profile is private by default and won't be visible to users outside Discord, if you want to be visible in the web forum you can add the "Public Forum Profile" role in <id:customize> ✅ You can mark a message as the answer for your post with Right click -> Apps -> Mark Solution (if you don't see the option, try refreshing Discord with Ctrl + R)
From An unknown user
DirtyJ
DirtyJ13mo ago
I know Windows can be a bit weird sometimes, but you can at least get a representation of what's bound to those ports here if netstat isn't giving you enough https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview This guide from them may also help https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring
w33t
w33t13mo ago
What flags are you running on NMAP? -sU or -Pn? Try it with -sV
Mony
Mony13mo ago
I don't quite understand what you mean
w33t
w33t13mo ago
When you're running NMAP, you generally provide it with flags that controls how it functions, so -p- will scan all ports, T1 - T5 controls the speed, -v - -vvv controls the verbosity. You can adjust what types of packets you're sending, which can change the response you're getting. You might need to do this in some scenarios depending on the firewall you're scanning. -sV is the most "common" one
Mony
Mony13mo ago
Here you can see the rule I set, to block, and what Nmap says
w33t
w33t13mo ago
You can also do -A, if I recall, to do an OS fingerprint
Mony
Mony13mo ago
oh btw im using zenmap if that helps
w33t
w33t13mo ago
Same premise, it's just a GUI for NMAP
Mony
Mony13mo ago
yeah i know i think thats what im doing
w33t
w33t13mo ago
But 135, 139, and 445 are kind of expected to be open. I'm 99% sure there will be another firewall rule there that's overriding the one you made
Mony
Mony13mo ago
possible
w33t
w33t13mo ago
Are you running this against the machine that you're currently on?
Mony
Mony13mo ago
yep also did i just leak my ip?
w33t
w33t13mo ago
It's... a private IP, dawg, it doesn't matter lol
Mony
Mony13mo ago
i yeah i forgot lmao i also ran the default gateway and that had other ports opened, idk if that means anything but
w33t
w33t13mo ago
But if you're running NMAP against the same system that it's running on, I feel like the loopback wouldn't feed through the firewall NMAP can also be wrong, depending on what types of packets you're sending and it might assume something is "open (filtered)", depending on the device's response
Mony
Mony13mo ago
That’s a good point I can try running it on another device