[unisog] Correction: XP SP2 ports open to local subnet

Phil Rodrigues phil.rodrigues at nyu.edu
Wed Jun 9 22:09:59 GMT 2004


Brian Eckman of the University of Minnesota brought to my attention the 
fact that the XP SP2 exception only applies to the LOCAL SUBNET.  If a 
computer is on the same subnet as the XP computer, it will see ports 
137-139,445 open if file and print sharing is enabled even if XP SP2 is 

All computers *NOT* on the same local subnet will see the ports as 
filtered.  XP SP2 closes those ports to anyone not on the same local 
subnet by default.

I tested it and agree completely:

# Same Subnet: from 128.122.XXX.111
$ nmap -p 139,445 128.122.XXX.123 -P0 -T5
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-09 17:15 EDT
Interesting ports on SOMEONE.NYU.EDU (128.122.XXX.123):
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

# Different subnet: from 128.122.YYY.222
$ nmap -p 139,445 128.122.XXX.123 -P0 -T5
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on SOMEONE.NYU.EDU (128.122.XXX.123):
Port       State       Service
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds

Sorry for the confusion, and thanks Brian for taking me up on my "Please 
try it yourself" offer.


Phil Rodrigues wrote:

> Hi all,
> We downloaded the publicly available XP SP2 beta from Microsoft, 
> installed it on a computer, then ran some tests with nmap.
> By default, the Windows "Security Center" allows for 2 exceptions to the 
> firewall: one for "File and Print Sharing" and one for "Remote Assistance".
> Remote Assistance didn't seem so scary: you still have to enable that 
> feature, which is disabled by default.
> But since an exception for "File and Print Sharing" was enabled by 
> default, nmap showed that ports 137/udp, 138/udp, 139/tcp, and 445/tcp 
> were all open, even when the Firewall was turned on.  By default.  In 
> order to close these ports, we had to take the extra step of disabling 
> the exception within the Windows Security Center app.
> Please try it yourself, and tell me if we missed something:
> http://www.microsoft.com/SP2Preview
> So, I would still make plans to automate pre-registration scans of your 
> networks for Windows RPC-ish vulnerabilities, at the very least.  They 
> may have closed 135/tcp, but with 445/tcp open there is still plenty of 
> room for mischief.  By default.
> Phil
> Sr Network Security Analyst
> New York University
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
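
Added example, not part of the original post: a short Python sketch for anyone automating the scans discussed above. It parses nmap's plain-text output from two vantage points and marks ports that are open only from the target's own subnet. The function names and verdict labels are assumptions; the sample input is the scan output quoted in the post.

```python
import re

# Port lines look like "139/tcp open  netbios-ssn" in both nmap layouts in the post.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

# Scan output copied from the post above (addresses masked as in the original).
SAME_SUBNET = """\
Interesting ports on SOMEONE.NYU.EDU (128.122.XXX.123):
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
"""
OFF_SUBNET = """\
Interesting ports on SOMEONE.NYU.EDU (128.122.XXX.123):
Port       State       Service
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds
"""

def parse_ports(nmap_text):
    """Return {(port, proto): state}; header and banner lines are skipped."""
    return {(int(port), proto): state
            for port, proto, state, _service in PORT_LINE.findall(nmap_text)}

def compare_vantages(same_subnet_text, off_subnet_text):
    """Classify each port by how it looks from inside and outside the subnet."""
    local = parse_ports(same_subnet_text)
    remote = parse_ports(off_subnet_text)
    findings = {}
    for key in sorted(set(local) | set(remote)):
        near = local.get(key, "not scanned")
        far = remote.get(key, "not scanned")
        if "not scanned" in (near, far):
            verdict = "needs second scan"   # one vantage point is missing
        elif near == "open" and far in ("filtered", "closed"):
            verdict = "local-subnet only"   # the behaviour reported in the post
        elif near == "open" and far == "open":
            verdict = "open from both"
        else:
            verdict = "not open locally"
        findings[key] = (near, far, verdict)
    return findings

if __name__ == "__main__":
    results = compare_vantages(SAME_SUBNET, OFF_SUBNET)
    for (port, proto), (near, far, verdict) in results.items():
        print(f"{port}/{proto}: same-subnet={near} off-subnet={far} -> {verdict}")
```

A scan run only from outside the subnet would report both ports as filtered, so the pre-registration scan has to include a vantage point inside each subnet to see this exposure.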
