Advice for HackerPenetration Testing

How to Prevent #WannaCry Ransomware by Blocking These Ports!

If you’ve already been infected by WannaCry infection maybe you should block these ports to avoid any damage to your computer.  Let’s start by blocking some ports.

Ports to block. info about these ports here: read

  • 445 “This port replaces the notorious Windows NetBIOS trio (ports 137-139), for all versions of Windows after NT, as the preferred port for carrying Windows file sharing and numerous other services.”
  • 137
  • 138
  • 139

Step 1: How to block these ports to prevent WannaCry?

You can do it by making some changes to your registry.

  • Click “Start”, “Run”, type “regedit” to open the registry.

  • Locate the registry key “HKEY_LOCAL_MACHINE\System\Controlset\Services\NetBT\Parameters

  • Select “Parameters” New Right “DWORD Value.
  • Rename the DWORD value as “SMBDeviceEnabled
  • Right-click “SMBDeviceEnabled” and select “Edit” in the “numerical data”, “0
Key: System\CurrentControlSet\Services\NetBT\Parameters
Name: SMBDeviceEnabled
Value: 0

After completing step 1 you have to restart your computer and when your boot up completely now you have to make sure if that port is closed or not you can simply do it through CMD.

netstat -an | findstr 445


As you can see in the above screenshot mine is listening.. because I haven’t closed it for this article. And I’m not infected with WannaCry. If you are infected with that you must have an established connection with their servers.

Step 2: Configure Firewall to Prevent WannaCry?

What does Firewall do to prevent these infected ports?

Basically, it will prevent you to establish a connection with the infected servers which WannaCry is using And prevent you to connect to the 445 port. So you need to add some inbound rules to block access for these ports.

Firewall Advanced Settings – Inbound rules – Right-click New Rule – Select UDP, the port number in the dialog box to write 445.

Step 3: Shut down the server service

Once you’re done with the firewall you have to stop those services which are using that port. In order to do that, Open up CMD with Administrator Permission.


net stop server

After that, you need to restart your computer again.

Disable SMBv1

WannaCryToolkit scanner and removal toolkit

Trustlook has released a scanner and removal toolkit to help system administrators protect Windows computers that are either vulnerable to or have been infected with the dangerous strain of ransomware known as WannaCry.


git clone
cd TrustlookWannaCryToolkit/scanner/
pip install -r requirements.txt


Usage: host/network
Single host scan
Single a network

1. Run

tl_wannacry_console.exe and tl_wannacry_no_console.exe prevent WannaCry Ransomeware to encrypt users’ files.

The two tools work pretty much the same, except tl_wannacry_console.exe comes with a console to show some progress information. tl_wannacry_no_console.exe runs in the background.

Users may want to add tl__wannacry_no_console.exe to the Windows startup script, so every time the user starts his computer, Trustlook WannaCry Vaccine Tool will start to prevent your system from being affected.

2. Add to Windows startup script

Add tl_wannacry_no_console.exe value to the following register script

Add to the windows startup script:


Noor Qureshi

Experienced Founder with a demonstrated history of working in the computer software industry. Skilled in Network Security and Information Security.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button