[ipv6hackers] Scanning for IPv6 addresses embedding TCP/UDP service ports

Jim Small jim.small at cdw.com
Sat Mar 16 16:02:22 CET 2013

> I would suggest having both ports TCP/137 and TCP/445 included as
> part of the embedded service ports. Looking back at historical
> incidents, these MS NetBIOS/SMB protocols on Windows machines have always been
> the target for further exploitation or massive malware/worm infection (e.g.
> Conficker, etc.).

TCP/445 is an especially good one to include.

In regard to port 137, I'm pretty sure it only runs on UDP for name service resolution. But of course there may be exceptions. Here is my recollection of the legacy NetBIOS ports/services:
UDP/137 - WINS or NetBIOS Name Server
UDP/138 - NetBIOS datagram service
TCP/139 - NetBIOS session service

I believe the most dangerous one is probably TCP/139.  This is what TCP/445 (direct hosting) essentially replaces.  The RPC Endpoint Mapper service sits on TCP/135 (based on DCE RPC) and is also high risk.

Other things sometimes exposed to the Internet would include:

Directory Services - sometimes exposed to allow "cloud based authentication":
UDP or TCP/389 - LDAP
TCP/3268 - Windows Active Directory Global Catalog (LDAP)
TCP/3269 - Secure ADGC (LDAPS)

Sometimes left open as a means of remote administration:
TCP/3389 - Windows Terminal Services (RDP)

Remote access:
TCP/1494 - Citrix ICA

RADIUS - sometimes used for/by service ("cloud") providers:
UDP/1645 - Legacy Authentication
UDP/1646 - Legacy Accounting
UDP/1812 - New Authentication
UDP/1813 - New Accounting

Old School Usenet!
TCP/119 - NNTP
TCP/563 - NNTP-S

UDP/161 - SNMP

Legacy "simple" TCP/IP services - yes, some people actually still leave these on...:
UDP or TCP/7 - Echo
UDP or TCP/9 - Discard
UDP or TCP/13 - Daytime
UDP or TCP/17 - QOTD
UDP or TCP/19 - Chargen

UDP/1900 - SSDP
UDP/2869 - SSDP Event Notification
UDP/5000 - SSDP legacy Event Notification



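The following is an added example and is not code from Jim's post or from the ipv6hackers list. It turns a service-port list like the one above into candidate IPv6 addresses for a given /64, under the assumption that an administrator who hand-assigns addresses writes the port either as its decimal digits taken literally as hex (port 445 becomes ::445) or as the port's real hex value (445 becomes ::1bd), optionally beside a small host index (::1:445, ::445:1). The prefix 2001:db8::/64 is the documentation prefix used as a placeholder, and the port table is constructed from the ports named in the post; both are sample input, not scan data. The helper that reads a discovered address back both ways is there for triage, so a hit on 2001:db8::1bd is not mistaken for "port 1bd".

```python
#!/usr/bin/env python3
"""Candidate IPv6 addresses that embed TCP/UDP service ports.

Added example, not from the ipv6hackers post. Assumes the two common ways an
admin writes a port into the low hextets: decimal digits read as hex
("445" -> ::445) and the real hex value (445 -> ::1bd), with an optional
host index in the neighbouring hextet (::1:445, ::445:1).
"""
import ipaddress

# Constructed from the ports named in the post (sample input, not scan results).
SERVICE_PORTS = {
    "tcp": [7, 9, 13, 17, 19, 119, 135, 139, 389, 445, 563, 1494, 3268, 3269, 3389],
    "udp": [7, 9, 13, 17, 19, 137, 138, 161, 389, 1645, 1646, 1812, 1813, 1900, 2869, 5000],
}


def port_hextets(port):
    """16-bit values under which `port` might appear as one address hextet.

    Two readings: the real hex value (443 -> 0x01bb) and the decimal digits
    read as hex (443 -> 0x0443). Ports >= 10000 get no digit reading because
    five hex digits do not fit in a hextet; ports such as 7 collapse to one form.
    """
    if not 0 < port <= 65535:
        raise ValueError(f"bad port {port}")
    forms = {port}
    digits_as_hex = int(str(port), 16)
    if digits_as_hex <= 0xFFFF:
        forms.add(digits_as_hex)
    return forms


def candidate_addresses(prefix, ports, host_ids=(1,)):
    """Sorted, compressed addresses inside `prefix` (/64 or shorter) that embed `ports`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("need a /64 or shorter prefix to place ports in the IID")
    base = int(net.network_address)
    found = set()  # dedupes ports whose two readings coincide (7, 9, 13, ...)
    for port in ports:
        for h in port_hextets(port):
            found.add(base | h)  # prefix::port
            for hid in host_ids:
                if not 0 <= hid <= 0xFFFF:
                    raise ValueError(f"bad host index {hid}")
                found.add(base | (hid << 16) | h)  # prefix::hid:port
                found.add(base | (h << 16) | hid)  # prefix::port:hid
    return [ipaddress.IPv6Address(a).compressed for a in sorted(found)]


def embedded_ports(address):
    """Read the low hextet of a discovered address both ways for triage.

    'hex_value' is always defined; 'decimal_digits' is None when the hextet
    contains a-f and so cannot be a port written out in decimal.
    """
    low = int(ipaddress.IPv6Address(address)) & 0xFFFF
    hex_str = format(low, "x")
    decimal = int(hex_str) if hex_str.isdigit() else None
    return {"hex_value": low, "decimal_digits": decimal}


if __name__ == "__main__":
    # Candidate list for the TCP ports from the post inside the documentation prefix.
    for addr in candidate_addresses("2001:db8::/64", SERVICE_PORTS["tcp"]):
        print(addr)
```

Feed the printed list to whatever probe you already use (an ICMPv6 echo, or a TCP connect to the port the address names); the point of generating both readings is that the hex form of TCP/445 is ::1bd, which a scan built only from the literal digits would miss.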