Default Open Ports in Windows

February 09, 2018

One of the truly rewarding aspects of the goal to “write what you don’t know” is that as you go through the process of learning enough about a topic to write about it, you are constantly surprised by new unknowns along the way.

I’m working towards a better understanding of Nmap’s plumbing, but to do that justice I spent some time in the lab documenting the default state of various Windows operating systems and configurations.

Scan Results

Nmap settings: nmap -Pn -sU -sS -T4 -p 1-65535

Scans were performed from a Linux host on the same subnet as the target VM.

Target Open TCP Open UDP
Windows 7, Standalone None None
Windows 7, Domain Member 135 None
Windows 10, Standalone None None
Windows 10, Domain Member 135 None
Server 2008 R2, Standalone 135, 445 None
Server 2008 R2, Domain Member 135, 445 None
Server 2008 R2, Domain Controller 53, 88, 135, 389, 445, 464, 593, 636, 3268, 3269, 5722, 9389 53, 123, 389
Server 2016, Standalone 135, 139, 445, 5985 137
Server 2016, Domain Member 5985 None
Server 2016, Domain Controller 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 9389 53, 123, 137, 389

Some Notes

What do we need so many ports for?!

Port Protocol Description
53 TCP/UDP DNS
88 TCP Kerberos
123 UDP NTP
135 TCP RPC
137 UDP NetBIOS Name Services (NBNS). Translate names to IPs.
139 TCP NetBIOS Session Services (NBSS). Establish sessions.
389 TCP/UDP LDAP
445 TCP SMB
464 TCP Kerberos Password
593 TCP RPC over HTTPS
636 TCP LDAPS
3268 TCP Global Catalog
3269 TCP Global Catalog
5722 TCP RPC (DFSR)
5785 TCP WinRM
9389 TCP Active Directory Web Services

Thanks

References