Default Open Ports in Windows
One of the truly rewarding aspects of the goal to “write what you don’t know” is that as you go through the process of learning enough about a topic to write about it, you are constantly surprised by new unknowns along the way.
I’m working towards a better understanding of Nmap’s plumbing, but to do that justice I spent some time in the lab documenting the default state of various Windows operating systems and configurations.
```
nmap -Pn -sU -sS -T4 -p 1-65535
```
Scans were performed from a Linux host on the same subnet as the target VM.

| Target | Open TCP | Open UDP |
|---|---|---|
| Windows 7, Standalone | None | None |
| Windows 7, Domain Member | 135 | None |
| Windows 10, Standalone | None | None |
| Windows 10, Domain Member | 135 | None |
| Server 2008 R2, Standalone | 135, 445 | None |
| Server 2008 R2, Domain Member | 135, 445 | None |
| Server 2008 R2, Domain Controller | 53, 88, 135, 389, 445, 464, 593, 636, 3268, 3269, 5722, 9389 | 53, 123, 389 |
| Server 2016, Standalone | 135, 139, 445, 5985 | 137 |
| Server 2016, Domain Member | 5985 | None |
| Server 2016, Domain Controller | 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 9389 | 53, 123, 137, 389 |

- Standalone Windows 7/10 used the “Public” location when prompted.
- File and Print Sharing opens: tcp/135, tcp/445, tcp/139, tcp/5985.
- Server 2016 DCs have tcp/139 open as well as tcp/137. 2008R2 DCs do not.
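
The table above can serve as a baseline for spotting drift on a freshly built host. The following is an added example, not code from the original post: it assumes the scan was saved with Nmap's `-oX` XML output, the `BASELINE` entries are copied from the Server 2016 rows of the table, and `SAMPLE_XML` (including the extra tcp/3389 listener) is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Baseline copied from the results table above: role -> (open TCP, open UDP).
BASELINE = {
    "Server 2016, Standalone": ({135, 139, 445, 5985}, {137}),
    "Server 2016, Domain Member": ({5985}, set()),
    "Server 2016, Domain Controller": (
        {53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 9389},
        {53, 123, 137, 389},
    ),
}

# Constructed sample of `nmap -oX` output (trimmed to the elements parsed here).
SAMPLE_XML = """<nmaprun><host><ports>
<port protocol="tcp" portid="3389"><state state="open"/></port>
<port protocol="tcp" portid="5985"><state state="open"/></port>
<port protocol="udp" portid="137"><state state="open|filtered"/></port>
</ports></host></nmaprun>"""


def open_ports(nmap_xml):
    """Return (tcp, udp) sets of ports whose state is exactly 'open'."""
    found = {"tcp": set(), "udp": set()}
    for port in ET.fromstring(nmap_xml).iter("port"):
        state = port.find("state")
        # 'open|filtered' (common for UDP) is not a confirmed listener; skip it.
        if state is not None and state.get("state") == "open":
            found.setdefault(port.get("protocol"), set()).add(int(port.get("portid")))
    return found["tcp"], found["udp"]


def drift(role, nmap_xml):
    """Compare a scan with the baseline for `role`; list the differences."""
    want_tcp, want_udp = BASELINE[role]
    got_tcp, got_udp = open_ports(nmap_xml)
    return {
        "unexpected": [f"tcp/{p}" for p in sorted(got_tcp - want_tcp)]
                    + [f"udp/{p}" for p in sorted(got_udp - want_udp)],
        "missing": [f"tcp/{p}" for p in sorted(want_tcp - got_tcp)]
                 + [f"udp/{p}" for p in sorted(want_udp - got_udp)],
    }


if __name__ == "__main__":
    print(drift("Server 2016, Domain Member", SAMPLE_XML))
```

An "unexpected" entry means a listener that the default build in the table did not have; a "missing" entry usually means a firewall profile or role differs from the lab configuration.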
What do we need so many ports for?!

| Port | Protocol | Service |
|---|---|---|
| 137 | UDP | NetBIOS Name Services (NBNS). Translate names to IPs. |
| 139 | TCP | NetBIOS Session Services (NBSS). Establish sessions. |
| 593 | TCP | RPC over HTTPS |
| 9389 | TCP | Active Directory Web Services |

- @pixlblur for saving me from doing a few scans