Windows network share port

Organizations rely on a growing set of solutions to address communication needs across their infrastructure, and shared file systems are an integral part of collaboration. This article covers one of the most widely used protocols behind that sharing: SMB. We will look at the SMB protocol, port 139 and port 445, how the protocol works, the risks associated with exposing it, and remediation steps that provide a more secure communication channel.

What is SMB Port?

The SMB (Server Message Block) port is the network port used for file and resource sharing across a computer network. Modern SMB runs directly over TCP port 445 (older deployments used NetBIOS over TCP/IP on port 139) and gives devices on a network shared access to files, printers, and serial ports.

Beyond plain resource sharing, SMB also carries two inter-process communication mechanisms:

  • Mailslots (a simple one-way, datagram-style IPC mechanism).
  • Named pipes (a method for processes to communicate either on the same machine or over a network; remote procedure calls to Windows services ride on named pipes exposed through the IPC$ share).

What are Port 139 and Port 445?

For the SMB protocol to function correctly, network ports are required to communicate with other systems. SMB requires either port 139 or port 445 to be an open port.

Port 139

Originally, SMB ran on port 139 as an application-layer protocol that let Windows computers on the same network communicate. It was carried over NetBIOS over TCP/IP (NetBT) and has been superseded by port 445 in modern environments.

Port 445

Port 445 is used by newer versions of SMB; Windows 2000 adopted it for direct hosting of SMB over TCP/IP, without the NetBIOS layer. It is generally favored over port 139 and, because it needs no NetBIOS name resolution, works across routed networks. That reach is also why SMB on 445 must never be exposed to the internet: file sharing between sites belongs inside a VPN or another authenticated tunnel.

How does SMB Protocol work?

Client-Server Communication

SMB is a request-response protocol. It uses a client-server relationship, where the client issues a specific request and the server responds to it. Typical uses today are requesting a file on a share or printing to a shared printer. SMB is also used for mailslots and named pipes.

Historical Development

Historically, SMB originated at IBM and was designed in 1983 for DOS file access over networks. In 1990 Microsoft merged the SMB protocol into its LAN Manager product. From there the protocol matured continually: Microsoft's CIFS dialect of SMB 1.0, followed by the milestone improvements in efficiency, performance, and security delivered by SMB 2 and SMB 3, which are described later in this article.

SMB Protocol Dialects

With an increasing presence of SMB implementations across the industry, network requirements evolved to have different demands of SMB. This led to the emergence of different SMB protocol dialects to cater to different environments. Depending on the need and use, different dialects could be implemented for a variety of purposes.

SMB Dialect Variations

Here is a list of popular SMB dialects and implementations along with their uses (note that of these only CIFS is a dialect in the protocol sense; the rest are independent implementations of SMB):

  • CIFS (Common Internet File System): Microsoft's name for its SMB 1.0 dialect, debuting in the Windows 95 era and designed for network connections to remote servers. CIFS enabled clients to connect to remote file and printer shares as if they were local; the term only ever applied to SMB 1.0.
  • Samba: an open-source implementation of SMB/CIFS that lets Linux/Unix machines serve shares to, and access shares on, Windows devices. It listens on the same ports (139 and 445).
  • NQ: a portable SMB implementation developed by Visuality Systems that brings the protocol to non-Windows platforms; especially common in embedded devices such as printers and home network equipment.
  • Tuxera SMB and MoSMB: proprietary SMB implementations built for specific needs, such as enterprise file sharing, storage appliances and advanced authentication.

Security Risks Associated with Open SMB Ports

Ports like the ones used by SMB are necessary for communication within and across networks. Their use is not itself dangerous, but an SMB port that is reachable from untrusted networks can be probed and exploited for malicious purposes.

Over-exposed SMB ports expose the host to the following:

  • Wormable remote code execution: an unauthenticated flaw in the SMB service (the SMBv1 bug exploited by EternalBlue, fixed by Microsoft's March 2017 update, is the best-known case) lets malware spread from host to host with no user interaction.
  • Man-in-the-middle attacks, including NTLM relay when SMB signing is not required.
  • NetBIOS name spoofing, where an attacker answers name-resolution broadcasts to redirect clients to a rogue server.

Case Study: WannaCry Ransomware

One recent occurrence was the WannaCry ransomware attack of May 2017, which targeted Windows hosts still running the outdated SMBv1 protocol. The worm component exploited SMBv1 on the target machine and installed the ransomware, which encrypted the user's files and demanded payment. The infected system then scanned for other machines on TCP 445; any host with an unpatched SMBv1 service reachable on that port was infected in turn, so the worm spread without any user action.

While WannaCry created havoc and pain for many companies and networks, its results could have been far less damaging had systems been patched with the fix Microsoft had released two months earlier, or had SMBv1 and port 445 not been reachable from untrusted networks.

Best Practices to Secure SMB Ports 139 and 445

Since SMB ports can be targeted, here are some best practices to implement to protect against various attacks:

Enable Firewall and Endpoint Protection

A host firewall and a perimeter firewall should restrict 139/445 to the hosts that actually need them (block them entirely on public profiles and at the internet edge); endpoint protection adds blocking of known-malicious IP addresses and detection of exploitation attempts.

Utilize VPNs

By carrying remote and site-to-site file sharing over a VPN, SMB traffic is encrypted and authenticated in transit instead of being exposed directly to the internet.

Create VLANs

Virtual LANs isolate internal traffic and limit the attack surface: a worm on a user VLAN cannot reach servers whose port 445 is filtered at the VLAN boundary.

Implement MAC Address Filtering

MAC filters keep unknown devices off the internal network, but a MAC address is trivially spoofed, so treat this as hygiene rather than a security control; 802.1X port authentication is the stronger option.

Implement System Configuration Changes

The following changes harden a Windows host against SMB attacks:

Disable NetBIOS over TCP/IP

  • Select Start, point to Settings, and then select Network and Dial-up Connection.
  • Right-click Local Area Connection, and then select Properties.
  • Select Internet Protocol (TCP/IP), and then select Properties.
  • Select Advanced.
  • Select the WINS tab, and then select Disable NetBIOS over TCP/IP.

Commands to monitor port status

To determine whether NetBIOS over TCP/IP is still enabled on a Windows computer, run net config redirector or net config server and check whether any NetBT_Tcpip device is listed as bound to a network adapter; netstat -an confirms whether anything still listens on TCP 139.
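The procedure above in script form, as an added example that is not part of the original article: PowerShell that disables NetBIOS over TCP/IP on every adapter, removes SMBv1, requires SMB signing, restricts inbound 139/445 with host-firewall rules, and then verifies the result. It assumes an elevated session on Windows 10/11 or Server 2016+, that nothing on the network still needs SMBv1 or unsigned SMB (old printers and NAS boxes often do, so test first), and that 10.0.0.0/24 stands in for your trusted subnet.

```powershell
# Added example (not from the original article): harden SMB on a Windows host and verify it.
# Run elevated. Assumes no legacy SMBv1-only devices and that 10.0.0.0/24 is the trusted subnet.

# 1. Disable NetBIOS over TCP/IP on every IP-enabled adapter (same effect as the WINS-tab setting).
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 = applied now, 1 = applied after reboot
        "{0}: SetTcpipNetbios -> {1}" -f $_.Description, $r.ReturnValue
    }

# 2. Turn off the SMBv1 server and remove the SMBv1 feature (the dialect EternalBlue/WannaCry abused).
#    On Windows Server use: Uninstall-WindowsFeature FS-SMB1
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 3. Require SMB signing on both server and client; this defeats NTLM relay and in-session tampering.
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 4. Host firewall: refuse inbound 139/445 on the Public profile, allow them on Domain/Private
#    only from the trusted subnet (assumed value). Block rules win over allow rules regardless of order.
$trusted = '10.0.0.0/24'
New-NetFirewallRule -DisplayName 'SMB inbound: block on Public' -Direction Inbound -Protocol TCP `
    -LocalPort 139,445 -Profile Public -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'SMB inbound: trusted subnet only' -Direction Inbound -Protocol TCP `
    -LocalPort 139,445 -Profile Domain,Private -RemoteAddress $trusted -Action Allow | Out-Null

# 5. Verify: EnableSMB1Protocol must be False and RequireSecuritySignature True; after a reboot
#    only the 445 listener should remain, and every adapter should report TcpipNetbiosOptions = 2.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, RequireSecuritySignature, EnableSecuritySignature, EncryptData
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    Select-Object Description, TcpipNetbiosOptions
```

The firewall rules only cover the host's own inbound SMB; a file server that legitimately serves other subnets needs its trusted range widened accordingly, and the NetBIOS change takes full effect after the adapter is reset or the host reboots.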

Conclusion

The SMB protocol has proved to be a valuable and vital method of accessing different network resources. While it has enabled things like file sharing and connectivity, security measures should be taken to ensure authorized access within the network. Securing ports and keeping up to date with protocols are a couple of examples of how to heighten your security profile in modern-day networking.

In conjunction with network security, Netwrix can fulfill your security plan at the data layer. With Netwrix solutions, we can help your organization see who has access to your data and the activity that surrounds it. Monitoring is a critical part of detecting attacks and protecting against breaches.

Mark has over 20 years in the IT industry and has consulted in a wide array of industries including the automotive, insurance, medical, legal, and financial sectors. With his IT background, he joins Netwrix with his ability to empathize with the problems IT teams face today. In his role as Solutions Engineer, Mark will understand the needs your organization faces and provide solutions to help overcome those challenges.

The server message block (SMB) protocol provides “client-server communication,” which allows programs and services on networked computers to communicate with one another. SMB enables network functions like file, print and device sharing, among others.

SMB Ports Explained

SMB ports are used for file sharing, enabling programs and services on networked computers to communicate with each other. The SMB protocol sends and receives request-response communication between clients and servers to make dealing with networked computers easier.


What Is an SMB Port?

A server message block (SMB) port is a network port that allows devices within the same network to communicate with each other, so they can exchange files and share data, printers and other resources. In the case of files, users on different devices can perform various actions like opening, editing and moving files. While SMB ports have relied on different protocols through the years, they currently use port 445 (more on this to come).  

How Does SMB Work?

The SMB protocol sends and receives request-response messages to establish communication between clients and servers. This arrangement sets up a file-sharing system as if a user were accessing data on their hard drive. It makes dealing with networked systems all over the world a lot easier.

Unix-like operating systems, such as Linux and the BSDs, use Samba to join and provide file-sharing services within a network by speaking the same protocol as Windows SMB.

SMB History and Evolution

SMB was originally designed at IBM; Microsoft adopted it in LAN Manager and, in the mid-1990s, renamed its SMB 1.0 dialect the Common Internet File System (CIFS). Microsoft published draft CIFS standards to the Internet Engineering Task Force (IETF), though these have since expired.

SMB 1.0 and the early CIFS implementations had a number of flaws that limited them to managing small files for end users. The protocol was "chatty" (many round trips per operation), which resulted in poor performance over long distances or whenever there was latency between client and server. Around the same time the Samba project was born, with the goal of reverse-engineering the SMB/CIFS protocol and building an SMB server that would let MS-DOS and Windows clients access files on Unix machines.

SMB has gone through a few evolutions since then. 

SMB 2.0

Microsoft released SMB2 with Windows Vista in 2006. SMB2.0 had a significant number of improvements over SMB 1.0, particularly reducing the “chattiness” of the protocol by reducing the number of commands and subcommands from hundreds to 19.

The term CIFS thereby became obsolete, as it only ever applied to SMB version 1.0.

SMB2 brought other improvements such as larger reads and writes that make better use of TCP window scaling on high-latency links, opportunistic locking, and request compounding, or "pipelining", so that multiple requests can be in flight at the same time. Message signing also moved from SMB1's MD5 to HMAC-SHA256.

Performance improvements included allowing larger block sizes, which improved large file transfers. Microsoft introduced “durable file handles” that allowed the connection to an SMB server to survive brief network failures frequently seen in wireless networks. They did this by allowing clients to transparently reconnect to servers. 

SMB 2.1

SMB 2.1 was released alongside Windows 7 and Windows Server 2008 R2 and included smaller upgrades, notably file leases (a more robust form of opportunistic locking) and support for larger MTUs.

SMB 3.0

With Windows 8 and Windows Server 2012, SMB 3.0 (announced during development as SMB 2.2) was released. SMB3 included significant protocol additions such as SMB Direct (SMB over remote direct memory access, RDMA) and SMB Multichannel (several connections per SMB session), both aimed at performance in virtualized data centers, plus end-to-end encryption of SMB sessions (AES-128-CCM) and AES-CMAC message signing.

SMB 3.1.1

SMB 3.1.1 was introduced alongside Windows Server 2016 and Windows 10. It adds pre-authentication integrity (a SHA-512 hash chained over the negotiate and session-setup exchange) to detect man-in-the-middle tampering with the negotiation, AES-128-GCM as a faster encryption cipher, and cluster dialect fencing; caching options were also expanded.

SMB Protocol Ports

To provide file and print-sharing services within a network, SMB uses the following ports. Only TCP 445 belongs to SMB itself; the other three are NetBIOS over TCP/IP (NetBT) services that SMB used before direct hosting was introduced:

  • TCP 445 — SMB directly over TCP, with no NetBIOS layer (all SMB v2/v3 traffic on modern hosts).
  • UDP 137 — NetBIOS name service (name registration and resolution).
  • UDP 138 — NetBIOS datagram service (browsing, mailslots).
  • TCP 139 — NetBIOS session service, carrying SMB for legacy hosts.


SMB Ports 139 and 445 Explained

There are two common ports you will see with SMB, port 139 and port 445. Here is what they do.

Port 139

Port 139 is used by the NetBIOS session service. Prior to Windows 2000, operating systems used TCP 139, with SMB running on top of NetBIOS. NetBIOS is a session-layer service (in Open Systems Interconnection (OSI) terms) that allows applications to communicate with one another within a local area network (LAN). Reaching it from outside the LAN is possible when the port is exposed, but given the security history of NetBIOS and SMBv1 that is never a recommended configuration.

Port 445

Windows uses port 445 for file sharing across the network. From Windows 2000 onward, Microsoft changed SMB to use port 445 by default; the IANA service name for it is microsoft-ds (Microsoft Directory Services).

Port 445 is registered for both TCP and UDP, but in practice SMB uses TCP. Microsoft Active Directory and Domain Services use this port for file replication (SYSVOL), user and computer authentication, group policy, and trusts. SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR and SrvSvc protocols and services are the ones most likely to be found behind these ports, the RPC-based ones riding on named pipes in the IPC$ share.

Is SMB Secure?

While different versions of SMB provide varying levels of security and protection, SMBv1 was found to have a vulnerability that lets an attacker execute code on a device without the user's knowledge. Once a device is infected, it can attack the other devices it can reach. The flaw had been discovered and weaponized by the National Security Agency (NSA) before it became public in 2017.

The exploit was called EternalBlue; it was stolen from the NSA and posted online by the Shadow Brokers group in April 2017. Microsoft had already issued a patch for the vulnerability in March 2017 (security bulletin MS17-010), but the WannaCry ransomware attack hit the world in May, a month after the leak, on hosts that had not yet applied it.

More recently, LemonDuck malware has taken advantage of EternalBlue and launched brute-force attacks on SMB services to gain network access. Meanwhile, hackers used DarkGate malware to spread their malware via Samba file shares in a brief campaign. SMB security has improved over the years, but the protocol isn’t immune to attacks — especially as malicious players invent new methods for infiltrating SMB services.


How to Prevent SMB Vulnerabilities

To keep your SMB services secure, combine the following tools and best practices for shoring up your defenses against SMB attacks.  

Patch All Devices 

A patched machine is not vulnerable to EternalBlue, but a huge number of Windows computers have never been patched. Microsoft's March 2017 update (MS17-010) fixes the server message block vulnerabilities. Current Windows 10 and later builds already include the fix and, since Windows 10 version 1709, SMBv1 is no longer installed by default on clean installs; this is why most SMBv1 attacks target Windows 7 and earlier. Applying the WannaCry-era patch blocks EternalBlue and the related exploits from the same leak.

Practice Healthy SMB Habits 

It’s better to have layers of security when it comes to protecting yourself from cyberattacks, as it is with other things. Apart from the WannaCry and ransomware patches, you can further safeguard your systems by restricting SMB access from the internet, blocking SMB in offsite computers when in public areas and removing SMB if it’s not needed.

Establish Firewall and Endpoint Protection Measures

Firewalls are excellent tools for regulating network traffic, ensuring only authorized users can access network information. For any devices that fall outside firewalls, endpoint protection methods like antivirus software can shield laptops, phones and other devices from the initial attempts of cyber attackers. 

Invest in Detection Tools and Services

Finally, vulnerability scanning and managed detection and response services can help your system avoid and identify SMB attacks and other cyberattacks.

How Does the SMB Protocol Work?

In early versions of Windows, SMB used the NetBIOS network architecture for its communication. With Windows 2000, Microsoft changed SMB to run directly on TCP (Transmission Control Protocol) on a dedicated port, 445, and this has been carried forward into every subsequent Windows version. Over the years, Microsoft has evolved SMB for both performance and security: SMB2 reduced the chattiness of the protocol, SMB3 significantly improved performance in virtualized environments, and SMB3 added support for end-to-end encryption of sessions, bolstering data protection.

SMB uses two ports to communicate between computers and servers: 139 and 445. Port 139 is used by older SMB dialects that rely on NetBIOS to establish sessions for shared resources such as printers and serial ports, particularly on older Windows versions. Port 445 is used by the SMB versions that came after Windows 2000. It sits directly on the TCP/IP stack, so SMB on 445 is routable and, if nothing blocks it, reachable from the internet. That allows file sharing and remote access to resources by IP address across sites, which is exactly why it must be filtered at the network edge and carried only over VPNs.

SMB Protocol Dialects

Programmers have produced multiple variations of the SMB protocol, each tailored to specific applications. Among these, the Common Internet File System (CIFS) stands out. CIFS is often misconstrued as a protocol distinct from SMB; in fact it is Microsoft's name for the SMB 1.0 dialect. Most of the other names below are implementations of SMB rather than dialects of it:

  • CIFS: Common Internet File System (CIFS) is the SMB 1.0 dialect used by older Windows servers and the NAS (Network Attached Storage) devices compatible with them. It enables sharing of files and directories across connected systems in Windows-based environments, and should now be disabled in favor of SMB2/3.
  • Samba: Samba is the open-source implementation of SMB/CIFS for Unix-like systems (since version 4 it can also act as an Active Directory domain controller). It provides interoperability between non-Windows machines and Windows networks, letting non-Windows devices join Windows domains, authenticate, and serve or access shared resources.
  • NQ: NQ is a portable implementation of the SMB protocol developed by Visuality Systems. Its distinguishing feature is platform independence; it can be deployed on various operating systems and embedded platforms, which makes it suited to heterogeneous network environments.
  • MoSMB: MoSMB is a proprietary SMB implementation created by Ryussi Technologies. Known for high performance, stability, and scalability, it is used in enterprise-scale environments; its closed-source nature gives the vendor control over optimization for specific requirements.
  • Tuxera SMB: Tuxera SMB is a proprietary SMB implementation that offers flexibility in deployment: it can run in kernel mode or in user space, catering to different performance and security trade-offs, so administrators can tune it to their network requirements.
  • Likewise: Likewise is a multi-protocol, identity-aware network file server acquired by EMC in 2012. It supports both SMB and NFS (Network File System), providing file sharing between Windows and non-Windows systems, and includes identity management to control access to shared resources.

How To Keep SMB Ports Secure

To secure open network ports, a layered approach is crucial. Enable host and perimeter firewalls, and endpoint protection with a blocklist of malicious IP addresses, so that 139/445 are reachable only from hosts that need them. Carrying remote SMB traffic over a VPN encrypts it and keeps the ports off the internet. Segmenting the network with VLANs isolates internal traffic and limits how far a worm can spread. MAC address filtering restricts access to known devices, but it requires ongoing management and a MAC address is easily spoofed, so it is a weak control on its own.

Data-centric security needs a plan of its own. Map data and access rights on SMB shares to establish proper permissions. Use data discovery tools to identify sensitive information on SMB shares. Monitor access to that data for suspicious activity that could indicate a breach. By highlighting data at risk and tracking abnormal access patterns, organizations can mitigate threats before they turn into incidents.

At a Glance

Default Ports

  • SMB over NBT (NetBIOS over TCP/IP): 139
  • SMB over TCP/IP: 445

SMB is a network communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated IPC (inter-process communication) mechanism.1

Windows SMB Ports and Protocols

Originally, in Windows NT, SMB ran on top of NBT (NetBIOS over TCP/IP), which uses ports UDP 137 and 138 and TCP 139. Windows 2000 introduced what Microsoft calls "direct hosting": the option to run NetBIOS-less SMB directly over TCP port 445.

Older versions of Windows (with NBT enabled) try to connect to both port 139 and port 445 simultaneously and keep whichever answers first, while newer versions try port 445 by default and use port 139 only as a fall-back.2
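The port behaviour just described, and the dialect negotiation behind the SMB 2.0 to 3.1.1 list earlier on this page, can be observed directly. The following is an added example, not code from the original article: PowerShell that probes a host the way a current client does (TCP 445 first, TCP 139 as fall-back), sends a raw SMB2 NEGOTIATE on 445, and decodes the response to show which dialect the server selected and whether it requires signing. The target address is an assumed example, the function names are the author's own, and the byte sample at the end is constructed by hand so the parser can be exercised offline.

```powershell
# Added example (not from the original article). Assumed target 10.0.0.3; sample packet constructed.

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function New-Smb2NegotiateRequest {
    # Direct-hosted SMB (port 445): 4-byte session header (0x00 + 24-bit length), then the SMB2 packet.
    $header = [byte[]](0xFE, 0x53, 0x4D, 0x42) +                     # ProtocolId "\xFESMB"
              [BitConverter]::GetBytes([uint16]64) +                 # StructureSize
              (New-Object byte[] 2) + (New-Object byte[] 4) +        # CreditCharge, Status
              [BitConverter]::GetBytes([uint16]0) +                  # Command 0 = NEGOTIATE
              (New-Object byte[] 2) + (New-Object byte[] 4) + (New-Object byte[] 4) + # CreditRequest, Flags, NextCommand
              (New-Object byte[] 8) + (New-Object byte[] 4) + (New-Object byte[] 4) + # MessageId, Reserved, TreeId
              (New-Object byte[] 8) + (New-Object byte[] 16)         # SessionId, Signature
    # 3.1.1 (0x0311) is deliberately not offered: it requires negotiate contexts, left out here.
    $dialects = 0x0202, 0x0210, 0x0300, 0x0302
    $body = [BitConverter]::GetBytes([uint16]36) +                   # StructureSize (fixed 36)
            [BitConverter]::GetBytes([uint16]$dialects.Count) +
            [BitConverter]::GetBytes([uint16]1) +                    # SecurityMode: SIGNING_ENABLED
            (New-Object byte[] 2) + (New-Object byte[] 4) +          # Reserved, Capabilities
            [guid]::NewGuid().ToByteArray() +                        # ClientGuid
            (New-Object byte[] 8)                                    # ClientStartTime
    foreach ($d in $dialects) { $body += [BitConverter]::GetBytes([uint16]$d) }
    $smb = [byte[]]($header + $body)
    $len = $smb.Length
    $frame = [byte[]](0, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF)) + $smb
    return [byte[]]$frame
}

function Read-Smb2NegotiateResponse {
    param([byte[]]$Packet)   # session header + 64-byte SMB2 header + NEGOTIATE response (65 bytes fixed part)
    if ($Packet.Length -lt 4 + 64 + 65) { throw "Response too short: $($Packet.Length) bytes" }
    $smb = [byte[]]($Packet[4..($Packet.Length - 1)])
    if ($smb[0] -eq 0xFF) { return 'Server answered with an SMB1 header (CIFS only)' }
    if ($smb[0] -ne 0xFE -or [Text.Encoding]::ASCII.GetString($smb, 1, 3) -ne 'SMB') { throw 'Not an SMB2 packet' }
    $status = [BitConverter]::ToUInt32($smb, 8)
    $body   = [byte[]]($smb[64..($smb.Length - 1)])
    $mode   = [BitConverter]::ToUInt16($body, 2)   # SecurityMode: bit 0 signing enabled, bit 1 signing required
    $rev    = [BitConverter]::ToUInt16($body, 4)   # DialectRevision chosen by the server
    $names  = @{ 0x0202 = '2.0.2'; 0x0210 = '2.1'; 0x0300 = '3.0'; 0x0302 = '3.0.2'; 0x0311 = '3.1.1'; 0x02FF = '2.??? (wildcard)' }
    [pscustomobject]@{
        Status          = '0x{0:X8}' -f $status
        Dialect         = $names[[int]$rev]
        SigningEnabled  = [bool]($mode -band 0x1)
        SigningRequired = [bool]($mode -band 0x2)   # False on a file server means NTLM relay is possible
    }
}

function Get-SmbNegotiate {
    param([string]$Target, [int]$Port = 445)
    # Port 139 would first need a NetBIOS session request (0x81); this helper speaks direct TCP only.
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 3000
        $req = New-Smb2NegotiateRequest
        $stream.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 4096
        $n = $stream.Read($buf, 0, $buf.Length)
        Read-Smb2NegotiateResponse -Packet ([byte[]]($buf[0..($n - 1)]))
    } finally { $client.Close() }
}

$target = '10.0.0.3'   # assumed example address
if (Test-TcpPort -Target $target -Port 445) {
    Get-SmbNegotiate -Target $target
} elseif (Test-TcpPort -Target $target -Port 139) {
    "$target: 445 closed, only NetBT on 139 answers (legacy host)"
} else {
    "$target: no SMB listener reachable"
}

# Constructed sample: a server that picked SMB 3.0.2 with signing enabled and required (SecurityMode 0x0003).
$sampleHeader = [byte[]](0xFE, 0x53, 0x4D, 0x42, 64, 0) + (New-Object byte[] 58)
$sampleBody   = [byte[]](65, 0, 0x03, 0x00, 0x02, 0x03) + (New-Object byte[] 59)
Read-Smb2NegotiateResponse -Packet ([byte[]]([byte[]](0, 0, 0, 129) + $sampleHeader + $sampleBody))
```

The server always answers with the highest dialect both sides support, so a server that reports 3.0.2 here may still speak 3.1.1 to a client that offers it; what this probe is good for is spotting hosts that still fall back to 139, and hosts where SigningRequired is False.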

SMB Host Discovery

Refer to host discovery with nbtscan.

Server Version

Metasploit SMB Auxiliary Module 3

msf> use auxiliary/scanner/smb/smb_version
msf> set rhost 10.0.0.3
msf> run

Common Login Credentials

Backup and management software requires dedicated user accounts on the server or local machine to function, and these are often set with a weak or default password. 4

Username                      Password
(blank)                       (blank)
Administrator, admin, guest   (blank), admin, password
arcserve                      arcserve, backup
tivoli                        tivoli
backupexec                    backupexec, backup
test                          test

Enumeration

enum4linux 5

With credentials:

enum4linux -a -u "<username>" -p "<passwd>" 10.0.0.3

Parameters

  • -a: Do all simple enumeration (-U -S -G -P -r -o -n -i).
  • -u <user>: specify username to use.
  • -p <pass>: specify password to use.

NSE Scripts

nmap --script "safe or smb-enum-*" -p 139,445 10.0.0.3

Note:

NSE SMB enumeration scripts:

  • smb-enum-domains
  • smb-enum-groups
  • smb-enum-processes
  • smb-enum-services
  • smb-enum-sessions
  • smb-enum-shares
  • smb-enum-users

smbclient 6

List available shares.

smbclient -N -L //10.0.0.3

Connect to a share.

smbclient -N //10.0.0.3/Share

Parameters

  • -N: suppress the password prompt (an empty password is sent, i.e. a null session is attempted).
  • -L: list services available on the server.

RPC Enumeration

Null Session

Windows Administrative Shares

Administrative shares are hidden shares that give administrators the ability to manage hosts remotely. They are created automatically and enabled by default.

Note:
These shares are not really hidden: appending a dollar sign ($) to the share name only removes them from browse lists. They still appear when shares are enumerated from a Unix-based client (smbclient -L), locally with net share, and remotely with net view \\host /all.

Various shares are exposed to clients via SMB, as follows:

  • C$: C Drive on the remote machine.
  • Admin$: Windows installation directory.
  • IPC$: The inter-process communication or IPC share.
  • SYSVOL and NETLOGON: domain controller shares.
  • PRINT$ and FAX$: printer and fax shares.

IPC$ is a special share used to facilitate inter-process communication (IPC). It does not give access to files or directories, but it allows a client to communicate with processes running on the remote system.

Specifically, IPC$ exposes named pipes, which can be written to and read from to talk to remote processes. An application opens a named pipe and registers it with SMB so that it is reachable through the IPC$ share. Named pipes are usually used to invoke specific functions on the remote system, which is what remote procedure calls (RPC) over SMB are.

Some versions of Windows allow you to authenticate and mount the IPC$ share without providing a username and password. Such a connection is called a NULL session; despite its limited privileges, it could be used to make multiple RPC calls and obtain useful information about the remote system.7

Note:
RPC endpoints exposed via IPC$ include the Server service, Task Scheduler, Local Security Authority (LSA), and Service Control Manager (SCM). Once authenticated, these can be used to enumerate user and system details, access the registry, and execute commands.

On Linux the enum4linux utility can be used to dump data from these services.

Refer to MSRPC for more about RPC.
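Both sides of the null-session question from a Windows box, as an added example that is not part of the original page: one function attempts the classic anonymous IPC$ connection against a target with net use (run only against hosts you are authorized to test), the other audits, on a host you administer, the registry settings and share ACLs that decide what an anonymous or low-privileged SMB client can reach. The target address is an assumed example and the function names are the author's own; the audit needs an elevated session.

```powershell
# Added example (not from the original page). Assumed target 10.0.0.3; run the audit elevated.

function Test-NullSession {
    param([string]$Target)
    # net use with an empty user and password is the original NULL session. The IPC$ tree connect
    # itself may still succeed on a modern host; RestrictNullSessAccess / RestrictAnonymous limit
    # what comes next (share enumeration, pipe access), which is why net view is tried afterwards.
    $cmdLine = "net use \\$Target\IPC$ `"`" /user:`"`""
    $out = cmd /c "$cmdLine 2>&1"
    if ($LASTEXITCODE -eq 0) {
        "$Target accepted a NULL session to IPC$; anonymous share listing:"
        cmd /c "net view \\$Target /all 2>&1"
        cmd /c "net use \\$Target\IPC$ /delete /y" | Out-Null
    } else {
        "$Target refused the NULL session: $out"
    }
}

function Get-SmbAnonymousExposure {
    # Registry knobs that govern anonymous access; a missing value means the Windows default.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    [pscustomobject]@{
        RestrictAnonymous         = $lsa.RestrictAnonymous          # want 1: no anonymous share/SAM enumeration
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM       # want 1
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous  # want 0
        RestrictNullSessAccess    = $srv.RestrictNullSessAccess     # want 1
        NullSessionPipes          = ($srv.NullSessionPipes -join ',')   # want empty
        NullSessionShares         = ($srv.NullSessionShares -join ',')  # want empty
    }
    # Shares (admin shares included) whose ACL grants Everyone, ANONYMOUS LOGON or all Authenticated Users.
    foreach ($share in Get-SmbShare) {
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.AccountName -match 'Everyone|ANONYMOUS LOGON|Authenticated Users' } |
            Select-Object @{ n = 'Share'; e = { $share.Name } }, @{ n = 'Path'; e = { $share.Path } },
                          AccountName, AccessRight
    }
    # Who is connected right now, and which dialect each session negotiated.
    Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
}

Test-NullSession -Target '10.0.0.3'
Get-SmbAnonymousExposure | Format-List
```

A share that appears in the ACL listing with Everyone or Authenticated Users holding Change or Full rights is the usual way a low-privileged SMB session turns into write access; IPC$ with Everyone read is normal and is what the RPC enumeration above relies on.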

Mount a Share 8

mount -t cifs -o username=user,password=password //10.0.0.3/Share /mnt/share

Passing the password on the command line exposes it in the process list and shell history; prefer -o credentials=/path/to/file, with a root-only readable file containing username= and password= lines.

Download Files

Create a tar file of the files beneath users/docs. 6

smbclient //10.0.0.3/Share "" -N -Tc backup.tar users/docs

Parameters

  • -N: remove the password prompt from the client to the user.
  • -T: TAR options.
  • c: Create a tar backup archive on the local system.

Brute Forcing

Refer to SMB Brute Forcing

SMB Exploits Search

Refer to Exploits Search


  1. Contributors to Wikimedia projects. “Server Message Block — Wikipedia.” Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 26 Oct. 2003, https://en.wikipedia.org/wiki/Server_Message_Block. ↩︎

  2. “The Use of TCP Ports 139 and 445 in Windows.” Vidstrom Labs, https://vidstromlabs.com/blog/the-use-of-tcp-ports-139-and-445-in-windows/. ↩︎

  3. “Scanner SMB Auxiliary Modules — Metasploit Unleashed.” Infosec Training and Penetration Testing | Offensive Security, https://www.offensive-security.com/metasploit-unleashed/scanner-smb-auxiliary-modules/. ↩︎

  4. McNab, Chris. Network Security Assessment. “O’Reilly Media, Inc.,” 2007, p. 281. ↩︎

  5. “Enum4linux.” Enum4linux | Portcullis Labs, Portcullis Computer Security Ltd & Portcullis Inc., 16 Sept. 2008, https://labs.portcullis.co.uk/tools/enum4linux/. ↩︎

  6. “Smbclient.” Samba — Opening Windows to a Wider World, https://www.samba.org/samba/docs/current/man-html/smbclient.1.html. ↩︎

  7. “A New Look at Null Sessions and User Enumeration.” SensePost, https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/. ↩︎

  8. “Mounting Samba Shares from a Unix Client.” SambaWiki, https://wiki.samba.org/index.php/Mounting_samba_shares_from_a_unix_client. ↩︎
