Ever wonder if someone is hacking into your computer and gaining access to sensitive information on your local network. Wouldn’t it be great to see the opened doors of your machines and find the vulnerabilities before the hackers do?
In this article I will discuss some of the basics on how to scan your local computers and network assets to identify open ports and how to close them to lower your risk in being exploited. Although this technique is no silver bullet, it will minimize the chance in having your system compromised.
Before we get started lets discuss briefly some of the tools we will need to audit our system.
- Tools Description
- The Process
- Install The Programs
- Scan your Network Using Angry IP
- Target a Computer Using Zenmap
- Close The Port Using Windows Firewall
- Check to See if The Port is Closed
*Zenmap ( A.K.A. Nmap )
*Make sure you download the right version for your operating system (e.g. Since I have Windows 7 64bit OS, I would download the Win 7 64bit binary.)
First, you need to download these two pieces of software, before we can begin this tutorial. Don’t worry, this software is completely free hence the term open source and this does not mean its bad software. On the contrary, these applications are very credible and are well respected by IT experts, systems administrators, and computer scientists.
Angry IP Scanner:
Is a fast and simple IP network scanner that allows administrators to gather information on network assets such as IP addresses, hostnames and more.
For more information go to angryip.org
Also known as Nmap is a comprehensive network auditing scanner program. Zenmap is just the front end or GUI (graphical user interface) of the Nmap program which does all the work so don’t get confused if you find people calling it Nmap. This program can do a lot but for the sake of this tutorial we will focus on scanning individual machines based their IP or hostname, in hopes of determining any open ports before the bad guys do ;-)
For more information go to nmap.org
Once you have both programs installed go to your start menu or if you created a desktop shortcut open up Angry IP, it should look like this.
Go ahead and type in your IP range entering your first IP in the first field populated with 0.0.0.0 and the end IP in the second field. If not sure, just select the IP button and it will grab your current machines IP address.
Based on that, change your last 3 digits going from 1-255. Your LAN IP’s might be different from mine. Once you’ve typed that, go ahead and hit Start you should get something like this in the picture below showing the active hosts on your network. Go ahead and hit OK.
Sort by Ping by selecting the Ping column header so you can see all the devices attached to your network.
Select the computer you want to check for open ports, in this case I decided to check 192.168.1.107 or GRID computer. Keep this information handy so you can use it when you run Nmap.
Startup Zenmap and plugin the IP address or hostname of the computer you want to scan in the Target drop down list.
Next to the Target drop down list you will find a Profile drop down list which is already populated with different types of scans. If you have the time go ahead and select the Intense scan, this will take a little longer depending on your computer and network but it will give you more information on the targeted machine. You can also select Quick scan plus as this will also show any open ports on the target machine but won’t provide any detailed information.
Select the Profile scan you want and then hit the Scan button. You should see Nmap thinking hard and see a little animation indicating that the program is working.
After Nmap has finished select the Port/Hosts tab to see what ports are open on the target. You will notice not many ports are open on this machine but I think port 139 is a suspicious port. If it turns out later that the port indeed is legitimate we can always go back and un-block the port. You can also see the protocol used, state of the port, the service , and the version.
Select the Host Detail tab to get some more information about the target, you will notice the pretty icons depicting the operating system illustrating how safe this machine is. Generally, you want to aim for a safe or chest icon if you see a Swiss cheese or a bomb icon you’d better check to see what ports are open and make some serious changes.
So now that we found open ports on our target what do we do? First keep a note of the port you find to be suspicious and move to the target machine. Again if it turns out the port is a legit port we can always undue our changes. For now, we will mark port 139 as a possible bad port and use the windows firewall to close the port.
Although this technique may not stop the program or process that tries to communicate through this port, at least this will terminate any connection attempts through this port.
Now head over to the target machine on your LAN and select Start -> Run or Win+R and type firewall.cpl in the run dialog box and hit OK.
Select Advanced settings link
In the Advanced Security settings window right click on the Inbound icon and select New Rule. We are going to create a new rule to block port 139.
Select the Port radio button and hit Next
Select the TCP radio button as well as Specific local ports radio button and type in the port number you want to block. In this case it’s port 139 but it may be different for you. Remember, we retrieved this information using Zenmap to get the port number and protocol.
Select Block the connection radio button and hit Next
If not already selected, select Domain, Private, and Public as to what this rule applies to.
Now this is important, don’t just give any old name make sure it’s descriptive so if it turns out that you actually need this port in order for Microsoft updates to work you can always come back and distinguish which port rules you created and what their actions are on the port. In this case I wrote block 139, this is a simple, unique concise description as it tells you what action is being performed on the port and to what port number.
There you have it! You’ve just successfully blocked/closed port 139, you should see a new rule in the Inbound Rules list below as indicated by the red box.
Go over to you original computer that has Zenmap installed on it and run the scan again to verify that the port is indeed closed. After a few second you see that port 139 does not appear on the open Ports/Hosts list tab… awesome! You've just successfully closed port 139!
Feel free to repeat the same process again on other computers attached to your network. You will be surprised as just to how many ports are open on Windows machines vs Mac. Although, this auditing process is not comprehensive it gives you an intro on computer security. Have fun using these new tools and try not to abuse them. ;-)