Thread: TCP port 135

  1. #1
    Junior Member
    Join Date
    Mar 2004
    Posts
    4

    TCP port 135

    Posted: Sun Mar 07, 2004 12:21 pm
    Post subject: TCP port 135

    I wonder if anyone here can tell me what else I need to do to close TCP
    port 135 on XP Pro.

    Task Scheduler is disabled (which closes 1025 completely).
    DCOM has been shut down too, through Dcomcnfg.exe. I even checked the registry key
    "EnableDCOM" and it's set to "N" now. So it's off.
    Now, I've read that all that is left to shut down is MSDTC. A bit
    confused on how. I disabled it through Dcomcnfg.exe and the "Distributed
    Transaction Service" is shut down (it can just as well be shut down through
    the Services MMC directly, same thing). Reboot, and TCP port 135 is STILL
    open when I scan for it with nmap from another computer.

    I was on my way to renaming the msdtc.exe file in both system32 and dllcache but
    I'm a bit afraid to do that and test. I just might not get the system running
    again, though it should be no problem.

    Anyone know what I'm missing to get TCP port 135 closed?

    MsMittens has posted this link to closing the port:
    http://www.security-forums.com/forum...pic.php?t=3300

    But is there no other way, as asked in my above question?
    (I don't like the idea of hex editing the dll.)
    .·´¯`·-·´¯`WayuU´¯`·-·´¯`·.

  2. #2
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Good Day,

    Did a quick search on www.google.com and there's tons of info about securing your 135. Here's a little program from grc.com that's only 29kb that should do the trick.


    "Microsoft's DCOM security patch leaves
    DCOM running, open, and waiting for
    the next malicious exploit."

    "Our 29 kbyte "DCOMbobulator" allows any Windows user
    to quickly check their system's DCOM vulnerability, then
    simply shut down the unnecessary DCOM security risk. "

    http://grc.com/dcom/


    edit: Interesting for sure, I'll look some more. In the meantime a good packet dropping firewall should keep people from exploiting it. Seems you have been working on this for a while: http://www.webservertalk.com/message103786-2.html ....

  3. #3
    Junior Member
    Join Date
    Mar 2004
    Posts
    4
    Thx for trying to help.

    But no, there is actually no info at all by searching Google on the net. I've been searching all over for around 10 hours.
    Bobulator does not close TCP port 135. Bobulator does exactly what I wrote I've done manually, that is just disable DCOM. Steve Gibson states himself that disabling DCOM, TaskScheduler and MSDTC will close down TCP port 135, which is what I've been trying, but when I close down all three my TCP port 135 still remains open. Most info on the net is just 100 times copy of DCOM disabling info.

    Thx tho

    PS. No apps to fix system configurations. Hands on manual step by step procedure is what I need. Don't trust apps. Tho Steve's little Bobulator actually doesn't modify system or reg, unless you run the patcher.
    .·´¯`·-·´¯`WayuU´¯`·-·´¯`·.

  4. #4
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Here ya go Mate,

    A step by step provided by a chap named Rodney from another forum:

    http://www.security-forums.com/forum...8005&view=next

    Well, I tried many ways to close it and at last I got it.

    1) run regedit.exe

    2) go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs and
    save the ImagePath data.

    3) restart the computer. It may take a longer time to start, it may give you some errors, and it may also change the Windows XP taskbar, but this will return to normal after restoring the ImagePath data (click the file you have exported) or by pasting the data you saved.

    4) you need a hex editor to open this file
    c:\windows\system32\rpcss.dll in hex/binary.
    Find this number 1.3.5, in hex 31 00 33 00 35, in the file (this is the port number)

    5) change this to 0.0.0, in hex 30 00 30 00 30 (port 0 does not exist)

    6) run regedit.exe, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs and
    restore the ImagePath data (you can just click the file you have exported) or paste the data you saved.

    7) restart the computer

    8) run netstat -a in cmd to check the port

    RODNEY

  5. #5
    Junior Member
    Join Date
    Mar 2004
    Posts
    4
    hehe Relyt.
    Read my last 4 lines in my main post

    but thx again tho
    .·´¯`·-·´¯`WayuU´¯`·-·´¯`·.

  6. #6
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Krud, guess I better learn to read. But since you don't want to use a hex edit procedure, I don't know if there is any other way.



    Edit: Keyword by HTR is "completely", rats I didn't consider that...lol

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    So you want to do it without hex editing eh... How about a lot of registry editing?


    Source: DSLReports.com

    Re: How do I..
    Basically you can close the port but if you do
    you are shutting a lot of functionality off...

    It's also not an easy task to do....
    I wrote up a breakdown on how to harden your system in the Kerio security forum once...

    But I only just mentioned this since it's a difficult process... I will include a similar breakdown here:

    A secure system is one that doesn't advertise shares using netbios and closes ports 135-139 and port 445.
    However you can skip Section 1, to try and avoid losing some functionality.

    Section 1: Turning off Netbios

    (Warning this will disable your ability to share anything.)
    (If you truly need to share files,
    consider running a ftp server such as raiden.)

    Summary: Basically Disable all netbios drivers,
    reboot, your ports should be closed.

    How to do it:

    1. First go into your services and turn off NetBIOS helper.
    2. Then go to My Computer\Hardware\Device Manager,
    click on View, Show hidden devices,
    look for Non-Plug and Play Drivers,
    then look for NetBIOS, disable it.
    3. Reboot; if no errors occur, you're set.
    4. Go to a DOS prompt and double check
    to see if port 135 is closed.
    Type: netstat -an.
    5. If not, go to Section 2.

    (You should see ports 135-139 are missing and port 445,
    is closed as well.)

    Section 2: The hard way of closing port 135, you

    1. Open regedt32
    2. Export below keys into a backup reg file.
    3. Change items below in registry.

    Basically find:
    HKLM\Software\Microsoft\OLE
    Look for: EnableDCOM
    Look for: EnableRemoteConnect
    Change value from: Y to N
    (If not present then add it.)
    (Reg_SZ)

    Then go to:
    HKLM\Software\Microsoft\RPC\ClientProtocols
    Look for: ncacn_ip_tcp
    Look for: ncadg_ip_udp
    Remove Them.
    (Reg_SZ)

    HKLM\Software\Microsoft\RPC\DCom Protocols
    Look for: ncacn_ip_tcp
    Remove It.
    (Reg_Multi_SZ)

    Section 3: Closing Port 445.

    HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    Look for: SMBDeviceEnabled
    Change it to: 00000000
    (If not present then add it.)

    (To simplify some of it, copy the text below to a file named Dcom-Smboff.reg. Double click on the file and it should make the changes automatically. Remember this will not remove any of the ncacn reg entries; those have to be done by hand.)

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    "EnableDCOM"="N"
    "EnableRemoteConnect"="N"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
    "SMBDeviceEnabled"=dword:00000000

    If you perform all these steps this should turn off ports 135 and 445, and stop remote users from running any programs.

    Reply to this message if you have questions.

    Hardened.
    I haven't tried this, but the logic seems sound. You really do lose a LOT of functionality though. Say goodbye to file/print sharing. Good luck with your efforts.

    Peace,
    HT

    PS: That took less than 3 minutes of searching on google using this search. It's the second result.
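    Both write-ups above end with "run netstat -a / netstat -an and check". As an added example that is not from the thread or any of its posters, here is a small Python checker that parses Windows `netstat -an` output and reports which of the ports the thread is trying to close (TCP 135, 137-139, 445 and UDP 137/138) are still bound; the netstat lines in SAMPLE are constructed to look like an XP box after the DCOM/MSDTC changes, with 135 still held by RpcSs.

```python
import re

# Ports the thread wants gone: RPC endpoint mapper (135), NetBIOS name /
# datagram / session (137-139) and direct-hosted SMB (445).
TARGET_TCP = {135, 137, 138, 139, 445}
TARGET_UDP = {137, 138}

# One `netstat -an` row: proto, local ip:port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\w+))?\s*$")


def parse_netstat(text):
    """Parse `netstat -an` output into (proto, local_ip, port, state) tuples.
    UDP rows carry no state; TCP rows are kept only when LISTENING, since an
    ESTABLISHED or TIME_WAIT row does not mean a service is accepting calls."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Active Connections", column header, blank lines
        proto, ip, port, _foreign, state = m.groups()
        port = int(port)
        if proto == "TCP" and state != "LISTENING":
            continue
        rows.append((proto, ip, port, state or ""))
    return rows


def open_target_ports(text):
    """Return the target ports still bound, as {"TCP": set(), "UDP": set()}."""
    found = {"TCP": set(), "UDP": set()}
    for proto, _ip, port, _state in parse_netstat(text):
        if proto == "TCP" and port in TARGET_TCP:
            found["TCP"].add(port)
        elif proto == "UDP" and port in TARGET_UDP:
            found["UDP"].add(port)
    return found


# Constructed sample output (not captured from a real machine).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.5:1044       ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for proto, ports in open_target_ports(SAMPLE).items():
        print(f"{proto} target ports still bound: {sorted(ports) or 'none'}")
```

    Pipe real output in with `netstat -an | python check135.py` by reading `sys.stdin` instead of SAMPLE; an empty result for both protocols is the "closed" state the thread is after.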

  8. #8
    Junior Member
    Join Date
    Mar 2004
    Posts
    4
    HTRegz:

    Thx. Just great. Gonna test it and return with result tomorrow.

    That "Completely" in your search was a word I never used. Closed is closed. What's the diff between a closed door and a completely closed door? ;P

    Half of that editing I already did, so I wasn't that far from the total.
    .·´¯`·-·´¯`WayuU´¯`·-·´¯`·.
