Set the target address. ... An infected computer will search its Windows network for devices accepting traffic on TCP ports 135-139 or 445, indicating the system is configured to run SMB. NetBIOS services: Instead of using PSEXEC over TCP port 445, we use the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine. The default RPORT is 135 which is the RPC port. TCP and UDP ports 137–139 — Windows NetBIOS over TCP/IP. This module executes PowerShell on the remote host using the current user credentials or those supplied. TCP and UDP port 135 — Windows RPC. Kevin Beaver is an independent information security consultant with more than three decades of experience. Over a dozen years ago, malware pioneer Dr. Peter Tippett coined the expression “virus disaster,” which describes the point at which more than 25 machines are infected on a single network as the “tipping point” for complete shutdown of a network. There are a number of vulnerabilities associated with leaving this port open. Port 139 (tcp,udp), service netbios-ss: NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. The SCM server running on the user’s computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine. TCP port 389 must be open for MQIS queries to be made directly against Active Directory. The WannaCry TCP port 445 exploit returned the spotlight to the vulnerabilities in Microsoft's long-abused networking port. An SMB port is a network port commonly used for file sharing that is susceptible to an exploit known as EternalBlue, which resulted in WannaCry.
Port 135 is used in a manner that is similar to Sun’s UNIX use of port 111.
This article was revised 5/15/17 at 9:12 a.m. (PDT) with updated recommendations.

RPORT 135 yes The target port

Exploit target:

Id  Name
--  ----
0   Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(ms03_026_dcom) >

RHOST and RPORT are compulsory. While this in itself is not a problem, the way that the protocol is implemented can be. The RPC Endpoint Mapper (port 135) is definitely not required by RDP, and it is perfectly reasonable (and suggested) to block it on a firewall so non-local hosts cannot attempt to enumerate and exploit services. TCP port 1433 and UDP port 1434 — Microsoft SQL Server. So the server that has this port open is probably an email-server, and other clients on the network (or outside) access this server to fetch their emails.