Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Cyber Security Awareness Month - Day 21 - Port 135

 

Welcome to day 21. Today we will talk about port 135.

In a simple way, we have these basic information:

Port: 135
Service Name: epmap/loc-srv
Popular Name: Microsoft DCE locator
Udp or Tcp: Both

Description:
Port 135 hosts an important service on Windows hosts. When a host wants to connect to a RPC service on a remote machine,
it firsts checks with the destination machine on port 135, to know which port is being used by the service it wants to connect into. (Yes, quite close to *nix Portmap)
The Microsoft DCE locator, which runs on port 135 will then return the port on which the desired service is running.
The original requester host will then connect to this port.

May be used by:    
*  DHCP server
* DNS server
* WINS server

What makes this a port of interest is that in the past, it used have lots of vulnerabilities, which were exploited by malicious users and for worms,
as the old Blaster or for bots that had the exploit on its database, like the old phatbot/sdbot.


A good move form Microsoft was to include on Windows XP ServicePack 2 a firewall default rule to block external access to this port.

However, there are still some situations where you may need to add some exceptions to remote connection on this port, such as:

- some MS SQL Server scenarios.

- some WMI (Windows Management Instrumentation), which is quite useful for CLI administration.

Whatever is the reason you need it to be open, make sure you will restrict it at the maximum possible way.

Example of a port 135 traffic (from pcapr):

01:48:35.511258 IP 1.0.0.1.3949 > 1.0.0.2.135: S 2182823608:2182823608(0) win 8760 <mss 1460,nop,nop,sackOK>
01:48:35.536500 IP 1.0.0.2.135 > 1.0.0.1.3949: S 3596070259:3596070259(0) ack 2182823609 win 17424 <mss 1452,nop,nop,sackOK>
01:48:35.974438 IP 1.0.0.1.3949 > 1.0.0.2.135: . ack 1 win 10164
01:48:35.999130 IP 1.0.0.1.3949 > 1.0.0.2.135: P 1:73(72) ack 1 win 10164
01:48:36.035866 IP 1.0.0.2.135 > 1.0.0.1.3949: P 1:61(60) ack 73 win 17352
01:48:36.561338 IP 1.0.0.1.3949 > 1.0.0.2.135: . 73:1525(1452) ack 61 win 10104
01:48:36.575457 IP 1.0.0.1.3949 > 1.0.0.2.135: P 1525:1681(156) ack 61 win 10104
01:48:36.580581 IP 1.0.0.1.3949 > 1.0.0.2.135: F 1681:1681(0) ack 61 win 10104
01:48:36.601318 IP 1.0.0.2.135 > 1.0.0.1.3949: . ack 1681 win 17424
01:48:36.605455 IP 1.0.0.2.135 > 1.0.0.1.3949: P 61:101(40) ack 1681 win 17424
01:48:36.614687 IP 1.0.0.2.135 > 1.0.0.1.3949: F 101:101(0) ack 1682 win 17424
01:48:39.871749 IP 1.0.0.2.135 > 1.0.0.1.3949: FP 61:101(40) ack 1682 win 17424
01:48:46.433952 IP 1.0.0.2.135 > 1.0.0.1.3949: FP 61:101(40) ack 1682 win 17424
01:48:59.558881 IP 1.0.0.2.135 > 1.0.0.1.3949: FP 61:101(40) ack 1682 win 17424

------------------------------------------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

 Pedro

155 Posts
ISC Handler
Oct 21st 2009
Thread locked Subscribe Oct 21st 2009
1 decade ago
i'm surprised this port report wasn't done earlier... before ICMP, before telnet, before SSH, before FTP... you get the point.
Anonymous
Quote Oct 21st 2009
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!