Over the years Nmap has grown to include many other features, but its core function remains port scanning. The basic command nmap <target domain or IP address> scans the 1,000 most commonly used TCP ports on the target host.
Two of the most commonly used ports are 445 and 139. The former is Microsoft-DS, used for SMB communication directly over IP by Microsoft Windows services. The latter is NetBIOS-SSN, which also allows interaction with Microsoft Windows services. Both protocols are, however, abused by hackers. This article explains how they exploit these ports for their malicious activities.
What is a Port and How Do Hackers Use it?
A port is a logical medium that tells which communication channel is which. Similar to the way IP addresses can identify machines, ports identify distinct applications or services running on a single machine.
Nmap works with the two transport protocols that use ports: transmission control protocol (TCP) and user datagram protocol (UDP). Every connection is uniquely identified by four elements: the source IP address, the destination IP address, the source port, and the destination port. People can easily guess which service sits behind an open port, because most well-known services are registered to well-known port numbers.
So what is port scanning? Port scanning is simply a test of ports to determine their state. The most easily exploitable state is open, either because an application is listening and accepting connections on the port, or because the application or service behind it runs an outdated software version.
Hackers employ several techniques to scan such ports. What makes Nmap a unique port scanner is that it distinguishes six port states, while other scanners lump them all together. The six states are open, closed, filtered, unfiltered, open|filtered, and closed|filtered.
However, these states are not inherent properties of the port; they describe how Nmap sees it from where the scan is run. For instance, scanning from the same network as the target may show port 135/tcp as open, while another scan run at the same time with the same options, from a different vantage point, may report the port as filtered.
How Do Hackers Scan with Nmap?
A hacker may use several kinds of port scanning techniques. What makes this so dangerous is that once they get into the system, they can plant malware that wrecks it. Below is a summary of Nmap's "canned" scan types and the command line flags that select them.
- -sT: TCP Connect scan
- -sS: SYN Scan
- -sA: ACK Scan
- -sW: Window Scan
- -sF: FIN Scan
- -sX: XMas Scan
- -b: FTP Bounce Scan
From the above, a simple SYN scan of a Windows box is run with the following command, and produces output like this:
nmap -sS 192.168.1.100
Interesting ports on 192.168.1.100:
Not shown: 1692 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
MAC Address: 00:11:22:33:44:55
Nmap finished: 1 IP address (1 host up) scanned in 1.347 seconds
To see why Nmap assigned a port a given state, add the --reason option; it reports the response (or lack of one) that led to each decision.
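The rules Nmap applies when it decides a state, written out as an added example that is not part of the article and not Nmap's own code. It mirrors the response-to-state mapping documented in the Nmap reference guide for the scan types listed above; the function name, the response labels ("synack", "rst", "none", "icmp") and the REASON table are my own assumptions. The script sends no packets; it only classifies a response you hand it, which is enough to show why the same port 135/tcp reads as open from the LAN and filtered from behind a firewall.

```python
# Added example: how Nmap maps a probe response to a port state, per scan type.
# Response labels are an assumed vocabulary for this example:
#   "synack" - a TCP SYN/ACK came back
#   "rst"    - a TCP RST came back (tcp_window carries its window size)
#   "none"   - nothing came back after retransmissions
#   "icmp"   - an ICMP destination-unreachable error came back

# Wording Nmap prints for the common cases with --reason.
REASON = {"synack": "syn-ack", "rst": "reset", "none": "no-response", "icmp": "unreachable"}


def classify_port(scan_type: str, response: str, tcp_window: int = 0) -> str:
    """Return Nmap's port state for one probe response.

    scan_type is the flag name: "-sS", "-sT", "-sA", "-sW", "-sF" or "-sX".
    The closed|filtered state is not produced here; Nmap only reports it for
    the idle scan (-sI), which the article's list does not cover.
    """
    if scan_type in ("-sS", "-sT"):
        # SYN and connect scans either see the handshake start or a reset.
        if response == "synack":
            return "open"
        if response == "rst":
            return "closed"
        return "filtered"  # silence or an ICMP error: something in the path dropped it
    if scan_type == "-sA":
        # ACK scan only learns whether a stateful filter sits in front of the port.
        if response == "rst":
            return "unfiltered"
        return "filtered"
    if scan_type == "-sW":
        # Window scan: some stacks answer RST with a nonzero window for open ports.
        if response == "rst":
            return "open" if tcp_window > 0 else "closed"
        return "filtered"
    if scan_type in ("-sF", "-sX"):
        # FIN/Xmas: RFC 793 stacks stay silent on open ports, so silence is ambiguous.
        if response == "rst":
            return "closed"
        if response == "icmp":
            return "filtered"
        return "open|filtered"
    raise ValueError(f"unsupported scan type {scan_type!r}")


def explain(scan_type: str, response: str, tcp_window: int = 0) -> str:
    """State plus the --reason style explanation, e.g. 'open (syn-ack)'."""
    return f"{classify_port(scan_type, response, tcp_window)} ({REASON[response]})"


if __name__ == "__main__":
    # The vantage-point effect described above: same port, same options, different answer.
    print("135/tcp from the LAN:      ", explain("-sS", "synack"))
    print("135/tcp through a firewall:", explain("-sS", "none"))
```

The filtered verdict is the important one for a defender: it means the probe was dropped somewhere on the path, which is exactly what a perimeter firewall in front of ports 135, 139 and 445 should produce.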
A hacker can scan all 65,535 TCP ports on a machine with the command:
nmap -sS 192.168.1.100 -p1-65535
If he intends to scan a large number of machines instead, he uses octet ranges and wildcards:
nmap -sA 192.168.*.1-10,250-254
The above command scans every address whose first two octets are 192.168, whose third octet is anything from 0 to 255, and whose last octet is 1 to 10 or 250 to 254.
Here's an example nmap scan screenshot: [screenshot not included in this copy of the article]
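To make the range and wildcard syntax concrete, here is an added example (not the article's code and not Nmap's own implementation) that expands an Nmap-style target specification into the addresses it covers, so an administrator can check how many hosts a specification touches before a scan of their own network runs. Function names are my own; treating an omitted range end ("-10" as 0-10, "200-" as 200-255, "-" alone as 0-255) follows Nmap's documented shorthand and is an assumption of this example.

```python
# Added example: expand Nmap target specifications such as 192.168.*.1-10,250-254.
# Only the dotted-octet form with ranges, comma lists and '*' is handled;
# CIDR (10.0.0.0/24) and hostnames are out of scope here.


def expand_octet(spec: str) -> list[int]:
    """Expand one octet field: '5', '1-10', '1-10,250-254', '*', '-10', '200-' or '-'."""
    if spec == "*":
        return list(range(256))
    values: list[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo_text, hi_text = part.split("-", 1)
            # Assumed shorthand: an empty side of the range means 0 or 255 respectively.
            lo = 0 if lo_text == "" else int(lo_text)
            hi = 255 if hi_text == "" else int(hi_text)
        else:
            lo = hi = int(part)
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"bad octet range {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_targets(spec: str) -> list[str]:
    """Return every IPv4 address the specification covers, in Nmap's octet order."""
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octet fields in {spec!r}")
    a, b, c, d = (expand_octet(f) for f in fields)
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def count_targets(spec: str) -> int:
    """How many addresses a specification covers, without building the list."""
    total = 1
    for field in spec.split("."):
        total *= len(expand_octet(field))
    return total


if __name__ == "__main__":
    spec = "192.168.*.1-10,250-254"
    print(f"{spec} covers {count_targets(spec)} addresses")
```

Knowing the count before scanning matters in practice: the article's example reaches 3,840 addresses, which is the kind of volume that a network team should expect to see in its own flow logs and intrusion detection alerts when the scan is run.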
Why Do Hackers Target Port 445 and Port 139?
First of all, you need to understand what NetBIOS is. It stands for Network Basic Input Output System. It is a software protocol that allows PCs, applications, and desktops on a LAN to interact with the network hardware, which lets them exchange data across the network.
Software applications on a NetBIOS network can easily locate and interact with each other through their NetBIOS names. A NetBIOS session is established between two applications when one client calls another. This is usually performed over TCP port 139.
Port 139 is used for file and printer sharing. Many people call it the most dangerous port on the internet. So why is port 139 so easily exploitable? Because it leaves a user's hard disk exposed to hackers.
Here's what an attacker can do with that. Once he finds port 139 open on a device, he runs the nbtstat command against the target system. nbtstat is a diagnostic tool for NetBIOS over TCP/IP.
With the nbtstat command, a hacker can obtain some serious information, including:
- NETBIOS names located within the network
- Name of computer
- Source/destination IP addresses
With the details above in hand, information about the OS and the main services running on the device is at risk. That's not all: it also makes it easy for hackers to gain remote access to hard disk directories, file shares, and more. What about port 445? Exposing it to the internet is dangerous too. Port 445, like port 139, is deeply embedded in Windows, which makes it hard to close safely.
Even when you attempt to do so, other services such as DHCP frequently stop functioning. For the security reasons addressed above, many ISPs consider it necessary to block this port for their users. This typically happens when port 445 is not sitting behind a network address translation (NAT) router; in that situation your ISP may cut off your port 445 traffic.
If you had never heard of port scanning before, now you know how serious it can be when hackers exploit it. With exposures like this, you can't afford to be careless with your device security, or you risk being taken advantage of. Knowing why you shouldn't expose your ports to the internet helps you avoid being hacked.
System administrators can supplement this vigilance by scanning their own networks with tools like Nmap. They can then note the open ports, identify services that aren't in use, and disable them, closing an attack vector.
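One way an administrator can act on such a scan, as an added example that is not the article's code: parse Nmap's normal output (the listing shown earlier in the article, embedded below as the constructed sample) and flag any open port 139 or 445 for review, since those are the file-sharing ports the article says should not face the internet. Function and constant names are my own; the header regex accepts both the old "Interesting ports on" line shown in the article and the "Nmap scan report for" line newer Nmap versions print.

```python
import re

# Constructed sample input: the scan listing reproduced earlier in the article
# (old Nmap output format, with the placeholder MAC address as printed there).
SAMPLE_OUTPUT = """\
Interesting ports on 192.168.1.100:
Not shown: 1692 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
MAC Address: 00:11:22:33:44:55
Nmap finished: 1 IP address (1 host up) scanned in 1.347 seconds
"""

# The two ports the article singles out: NetBIOS session service and SMB over IP.
SHARE_PORTS = {139: "netbios-ssn", 445: "microsoft-ds"}

HOST_LINE = re.compile(r"^(?:Interesting ports on|Nmap scan report for)\s+(.+?):?$")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_output(text: str) -> dict:
    """Return {"host": str | None, "ports": [(port, proto, state, service), ...]}."""
    host = None
    ports = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return {"host": host, "ports": ports}


def open_ports(text: str) -> list:
    """Only the ports Nmap reported as open (open|filtered is left for manual review)."""
    return [p for p in parse_nmap_output(text)["ports"] if p[2] == "open"]


def exposed_share_ports(text: str) -> list[int]:
    """Open ports from SHARE_PORTS, sorted, so 139 and 445 stand out in a large scan."""
    return sorted(p[0] for p in open_ports(text) if p[0] in SHARE_PORTS)


def review_report(text: str) -> str:
    """Human-readable summary an administrator can paste into a ticket."""
    parsed = parse_nmap_output(text)
    lines = [f"Host {parsed['host']}: {len(open_ports(text))} open port(s)"]
    for port in exposed_share_ports(text):
        lines.append(
            f"  REVIEW {port}/tcp ({SHARE_PORTS[port]}): file/printer sharing reachable; "
            "block at the perimeter or disable the service if unused"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_report(SAMPLE_OUTPUT))
```

For fleet-wide use, run Nmap with -oN to save normal output per host and feed each file through review_report; the same parser works unchanged because it keys only on the host header and the port/proto lines.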