Organizations are increasing their use of various solutions to address communication needs across their infrastructure. As file systems are an integral part of collaboration, this article will dive into one of the most widely used protocols necessary for many systems. We will learn more about the SMB protocol, Port 139, Port 445, how it works, the risks associated with it, and remediation steps to provide a more secure communication channel.
What is SMB Port?
The SMB (Server Message Block) port is a network port primarily utilized for file and resource sharing across a computer network. SMB operates over TCP port 445 and enables shared access to files, printers, and serial ports among devices on a network.
Beyond its core function of resource sharing, SMB also supports the following use cases:
- Mail slots (inter-process communication mechanisms)
- Named pipes (a method for processes to communicate either on the same machine or over a network)
What are Port 139 and Port 445?
For the SMB protocol to function correctly, network ports are required to communicate with other systems. SMB requires either port 139 or port 445 to be an open port.
Port 139
Originally, SMB ran on port 139 as an application layer protocol for Windows computers to communicate with each other on the same network. It ran on NetBIOS over TCP/IP and has been superseded by port 445 in modern environments.
Port 445
Port 445 is used by newer versions of SMB; Windows 2000 adopted it for direct TCP/IP communication. Generally favored over port 139, it also allows for communication across different networks for things like internet-based file sharing.
How does SMB Protocol work?
Client-Server Communication
SMB is known as a request-response protocol. It uses a client-server relationship, where the client makes a specific request and the server responds as requested. Some examples of practical use today are situations where file resources are requested or printers need to be shared. SMB is also used for other purposes, such as mail slots and named pipes.
Historical Development
Historically, SMB originated with IBM and was designed in 1983 for DOS file access over networks. It wasn’t until 1990 that Microsoft merged the SMB protocol with its LAN Manager product. From there, continual maturation of the SMB protocol appeared in instances such as the introduction of CIFS, as well as milestone improvements in efficiency, performance, and security, as described through the aforementioned upgrades of SMB 2 and SMB 3.
SMB Protocol Dialects
With an increasing presence of SMB implementations across the industry, network requirements evolved to have different demands of SMB. This led to the emergence of different SMB protocol dialects to cater to different environments. Depending on the need and use, different dialects could be implemented for a variety of purposes.
SMB Dialect Variations
Here’s a list of popular SMB dialects along with their uses:
- CIFS (Common Internet File System): a Microsoft-developed dialect that debuted in Windows 95 and was designed for network connections over remote servers. This dialect (CIFS Port) enabled clients to connect to remote file and printer shares as if they were accessed locally.
- Samba: an open source dialect (Samba port) that enables Linux/Unix machines to communicate with Windows devices.
- NQ: developed by Visuality Systems, it brings the SMB protocol to non-Windows platforms and is especially prevalent in devices such as printers and home network devices.
- Tuxera SMB and MoSMB: proprietary dialects built on the SMB protocol for specific features, such as enterprise file sharing and advanced authentication.
Security Risks Associated with Open SMB Ports
Ports like the ones used with the SMB protocol are necessary to communicate from within and across different networks. While their use isn’t itself dangerous, open ports can be used and exploited for malicious purposes.
Overexposed ports can lead to risks such as the following:
- A wormable port
- Man-in-the-middle attacks
- NetBIOS spoofing
Case Study: WannaCry Ransomware:
One recent occurrence was the WannaCry ransomware attack that targeted Windows clients running an outdated version of SMB. A worm infection was installed on a target machine, encrypting the user’s files in exchange for ransom. In addition, the infected system would start searching for other machines via the SMB v1 protocol, and if other systems were using those open ports, they were susceptible to the ransomware installing itself on them and continuing its spread.
While WannaCry created havoc and pain for many companies and networks, its disastrous results could have been much less impactful had systems been patched with up-to-date security measures.
Best Practices to Secure SMB Ports 139 and 445
Since SMB ports can be targeted, here are some best practices to implement to protect against various attacks:
Enable Firewall and Endpoint Protection
Enabling these network security devices can protect these ports from threats as well as provide blacklisting services against known malicious IP addresses.
Utilize VPNs
By utilizing VPNs, network traffic can be encrypted and protected against malicious actors.
Create VLANs
Virtual LANs can be used to isolate internal traffic and limit the attack surface.
Implement MAC Address Filtering:
These filters can keep unknown systems from accessing and infiltrating your internal network.
Implement System Configuration Changes
The following changes can be made to harden your security against SMB attacks:
Disable NetBIOS over TCP/IP
- Select Start, point to Settings, and then select Network and Dial-up Connection.
- Right-click Local Area Connection, and then select Properties.
- Select Internet Protocol (TCP/IP), and then select Properties.
- Select Advanced.
- Select the WINS tab, and then select Disable NetBIOS over TCP/IP.
Commands to monitor port status
To determine if NetBIOS is enabled on a Windows computer, run a net config redirector or net config server command to see if any ‘NetBT_Tcpip’ device is bound to the network adapter.
Conclusion
The SMB protocol has proved to be a valuable and vital method of accessing different network resources. While it has enabled things like file sharing and connectivity, security measures should be taken to ensure authorized access within the network. Securing ports and keeping up to date with protocols are a couple of examples of how to heighten your security profile in modern-day networking.
Mark has over 20 years in the IT industry and has consulted in a wide array of industries including the automotive, insurance, medical, legal, and financial sectors. With his IT background, he joins Netwrix with his ability to empathize with the problems IT teams face today. In his role as Solutions Engineer, Mark will understand the needs your organization faces and provide solutions to help overcome those challenges.
Introduction to SMB (Server Message Block)
Server Message Block (SMB) is a widely used network protocol that allows shared access to files, printers, and serial ports between nodes on a network. It’s heavily used in Windows environments but also supported on Linux and macOS. Understanding which port SMB uses is crucial for configuring firewalls, enhancing security, and enabling successful network file sharing.
What is the Default Port for SMB?
The default port used by SMB is TCP 445. This enables direct communication without relying on older NetBIOS services. Previously, SMB also ran over TCP 139 through NetBIOS, but this method is now mostly deprecated.
Port 445: SMB over TCP
Port 445 supports SMB directly over TCP/IP and is used by modern operating systems. It eliminates the dependency on NetBIOS, simplifying configuration and increasing security.
Port 139: NetBIOS Session Service
Port 139 is associated with older SMB implementations using NetBIOS over TCP/IP. Although some legacy systems may still use it, it’s considered less secure and should be disabled if possible.
Why Does SMB Use Port 445?
Modern SMB versions (SMBv2 and SMBv3) require port 445 to establish secure and efficient communication. Port 445 supports authentication, encryption, and direct connection between devices without relying on name resolution services.
TCP vs UDP for SMB Communication
SMB primarily uses TCP for data transfer. However, NetBIOS services historically required UDP for name resolution and datagram services.
Does SMB Use Both Ports 445 and 139?
Most modern environments use only port 445, but older systems may still use both ports 445 and 139. Ensuring your infrastructure is up-to-date helps simplify this and boosts security.
Disable SMBv1 using PowerShell:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
SMB Ports and Security: Why Blocking Port 445 Matters
The WannaCry and NotPetya ransomware attacks exploited vulnerabilities in SMBv1 over port 445. Blocking or monitoring this port can protect your infrastructure from similar attacks.
Key Tips:
Block port 445 at the perimeter firewall
Disable SMBv1 on all devices
Use Endpoint Detection & Response (EDR) for monitoring SMB usage.
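The worm behaviour described for WannaCry above (one host probing many others over SMB) and the perimeter-blocking tip both translate into simple checks over connection logs. The Python below is an added example, not part of the original article; the log format, address ranges, 60-second window and threshold of 10 hosts are assumptions made for the illustration.

```python
"""Added example: spot exposed SMB and worm-like SMB fan-out in flow records.

The log format, addresses, window and threshold are constructed for illustration.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}
# Assumption: these ranges are the "internal" network; substitute your own.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

Flow = namedtuple("Flow", "ts src dst dport action")

# Constructed sample: "<ISO time> <src> <dst> <dst port> <ALLOW|DENY>".
# 10.0.5.99 touches twelve hosts on 445 in twelve seconds; 10.0.5.20 is a normal client.
SAMPLE_LOG = "\n".join(
    [
        "2024-05-01T09:00:00 10.0.5.20 10.0.1.10 445 ALLOW",
        "2024-05-01T09:00:01 203.0.113.7 10.0.1.10 445 ALLOW",
        "2024-05-01T09:00:02 203.0.113.7 10.0.1.11 445 DENY",
        "2024-05-01T09:20:00 10.0.5.20 10.0.1.12 139 ALLOW",
        "2024-05-01T09:30:00 10.0.5.20 10.0.1.10 443 ALLOW",
        "not a flow record",
    ]
    + [f"2024-05-01T09:05:{s:02d} 10.0.5.99 10.0.7.{s + 1} 445 DENY" for s in range(12)]
)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse flow lines, silently skipping anything malformed."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append(Flow(datetime.fromisoformat(parts[0]), ip_address(parts[1]),
                              ip_address(parts[2]), int(parts[3]), parts[4].upper()))
        except ValueError:
            continue
    return flows


def external_smb(flows):
    """SMB connections from outside that the perimeter let through."""
    return [f for f in flows
            if f.dport in SMB_PORTS and f.action == "ALLOW"
            and not is_internal(f.src) and is_internal(f.dst)]


def smb_fanout(flows, window=timedelta(seconds=60), threshold=10):
    """Internal sources that contacted >= threshold distinct hosts on SMB ports
    within any sliding window. Denied attempts count too: probing is the signal."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in SMB_PORTS and is_internal(f.src):
            by_src[f.src].append(f)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda f: f.ts)
        in_window = defaultdict(int)  # dst -> number of flows currently in the window
        start = peak = 0
        for f in events:
            in_window[f.dst] += 1
            while f.ts - events[start].ts > window:  # drop flows older than the window
                old = events[start].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[str(src)] = peak
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for f in external_smb(flows):
        print(f"perimeter: {f.src} -> {f.dst}:{f.dport} was allowed")
    for src, peak in smb_fanout(flows).items():
        print(f"fan-out: {src} reached {peak} hosts on SMB ports within 60 s")
```

Tune the window and threshold against normal traffic first, since backup servers and management tools legitimately contact many hosts over SMB.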
Best Practices: Firewall Rules for SMB
Windows
New-NetFirewallRule -DisplayName "Block SMB 445" -Direction Inbound -LocalPort 445 -Protocol TCP -Action Block
Linux (UFW)
sudo ufw deny 445/tcp
sudo ufw deny 139/tcp
How to Open SMB Ports on Windows and Linux
To enable SMB for internal file sharing:
On Windows:
Go to Windows Firewall > Advanced Settings. Create a new inbound rule for TCP 445.
Allow access from trusted IP ranges only.
On Linux:
sudo ufw allow from 192.168.0.0/16 to any port 445 proto tcp
Alternatives to SMB fo
SFTP (SSH File Transfer Protocol)
NFS (Network File System)
WebDAV
Cloud-based sharing (e.g., OneDrive, Google Drive)
These options offer encryption, centralized access control, and better protection for remote sharing.
Conclusion: Proactive SMB Port Security
Understanding the role of ports 445 and 139 is essential for secure SMB implementation. Modern networks should rely exclusively on TCP port 445, with legacy ports disabled. Firewalls must be configured to restrict external access and reduce risk from exploits.
Server Message Block (SMB) Versions
SMB Version | Windows version |
---|---|
CIFS | Microsoft Windows NT 4.0 |
SMB 1.0 | Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2 |
SMB 2.0 | Windows Vista & Windows Server 2008 |
SMB 2.1 | Windows 7 and Windows Server 2008 R2 |
SMB 3.0 | Windows 8 and Windows Server 2012 |
SMB 3.0.2 | Windows 8.1 and Windows Server 2012 R2 |
SMB 3.1.1 | Windows 10 and Windows Server 2016 |
Ports
netbios-ns 137/tcp
# (NBT over IP) NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp
# (NBT over IP) NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp
# (NBT over IP) NETBIOS session service
netbios-ssn 139/udp
microsoft-ds 445/tcp
# (SMB over IP) If you are using Active Directory (used when SMB is used directly on TCP stack, without using NetBIOS)
NetBIOS suffixes
For unique names:
00: Workstation Service (workstation name)
03: Windows Messenger service
06: Remote Access Service
20: File Service (also called Host Record)
21: Remote Access Service client
1B: Domain Master Browser – Primary Domain Controller for a domain
1D: Master Browser
For group names:
00: Workstation Service (workgroup/domain name)
1C: Domain Controllers for a domain
1E: Browser Service Elections
Scanning
- Ref: https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/
nmap
nmap --script safe -p445 $ip
nmap --script smb-protocols -p445 $ip
nmap -p 139,445 $ip --open
nmap -v -p 139,445 --script "smb-*" $ip
nmap -v -p 139,445 --script "smb-vuln*" $ip
nmap -v -p 139,445 --script smb-security-mode $ip
nmap -v -p 139,445 --script smb-os-discovery $ip
nmap -v -p 139,445 --script smb-check-vulns --script-args=unsafe=1 $ip
nmblookup
- Query NetBIOS names and map them to IP addresses in a network
- Using NetBIOS over TCP/IP queries
nmblookup -A $ip
nbtscan
- Scan NetBIOS name servers open on a local or remote TCP/IP network
- Works on a whole subnet instead of individual IP
- Similar to nbtstat (Windows standard tool)
nbtscan $ip/24
nbtstat
nbtstat $ip
nbtscan -r $ip/24
smbmap
- Allows users to enumerate samba share drives across an entire domain
- Usage
- List share drives, drive permissions, share contents
- Upload/download functionality
- File name auto-download pattern matching
- Execute remote commands
smbmap -H $ip
smbmap -u <user> -p <password> -d <workgroup> -H $ip
smbmap -u <user> -p <password> -d <workgroup> -H $ip -L #test command execution
smbmap -u <user> -p <password> -d <workgroup> -H $ip -r #read drive
Recursively list dirs, and files:
smbmap -R $sharename -H $ip
Search for Groups.xml in given share:
smbmap -R $shareName -H $ip -A Groups.xml -q
Downloads a file in quiet mode:
smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
smbclient
- Client that can «talk» to an SMB/CIFS server
- Operations
- Upload/download functionality
- Retrieving directory information
smbclient -L $ip
smbclient -L $ip -U $username -p 445
password: <prompt>
smbclient -L //server/share
smbclient -L //server/share password options
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
rpcclient
- Part of the Samba suite
- Developed to test MS-RPC functionality in Samba
- Usable to open an authenticated SMB session to a target machine
NULL session:
rpcclient -U "" -N 192.168.1.102
User session:
rpcclient -U htb\\james mantis.htb.local
Querying:
rpcclient $> srvinfo
rpcclient $> enum<tab><tab>
rpcclient $> enumdomusers // Username and RID (suffix of SID)
rpcclient $> queryuser 0x3e8 // Info of the user for given RID
rpcclient $> enumalsgroups domain // Enum aliases groups
rpcclient $> enumalsgroups builtin
rpcclient $> lookupnames james
Enum4linux
- Tool for enumerating information from Windows and Samba systems
- Wrapper for smbclient, rpcclient, net and nmblookup
enum4linux -a $ip
enum4linux -U $ip
- RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
- User listing (When RestrictAnonymous is set to 0 on Windows 2000)
- Listing of group membership information
- Share enumeration
- Detecting if the host is in a workgroup or a domain
- Identifying the remote operating system
- Password policy retrieval
- Ref: https://hackercool.com/2016/07/smb-enumeration-with-kali-linux-enum4linuxacccheck-smbmap/
acccheck
- Password attacks
acccheck -v -t $ip -u <user> -P <password_file>
nmblookup
- NetBIOS over TCP/IP client used to lookup NetBIOS names
sudo apt-get install cifs-utils
mkdir /mnt/$shareName
mount -t cifs //$ip/$shareName /mnt/$shareName -o username=$username,password=$password,domain=$domain
Null Session Enumeration
Null Session Enumeration (enabled by default in SMB1)
net use \\192.168.1.1\ipc$ "" /u:""
net view \\ip_address
rpcclient -U "" ip (give empty password)
> srvinfo
> enumdomusers
> getdompwinfo
Use UpTime to guess patch level
- https://github.com/SpiderLabs/Responder/blob/master/tools/FindSMB2UPTime.py
python FindSMB2UpTime.py 172.16.80.10
Enable / Disable / Status
Detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server: https://support.microsoft.com/en-gb/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
Windows Server 2012 R2 & 2016: PowerShell methods
SMB v1
- Detect:
Get-WindowsFeature FS-SMB1
- Disable:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
- Enable:
Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
SMB v2/v3
- Detect:
Get-SmbServerConfiguration | Select EnableSMB2Protocol
- Disable:
Set-SmbServerConfiguration -EnableSMB2Protocol $false
- Enable:
Set-SmbServerConfiguration -EnableSMB2Protocol $true
Windows 8.1 and Windows 10: PowerShell method
SMB v1 Protocol
- Detect:
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- Disable:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- Enable:
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
SMB v2/v3 Protocol
- Detect:
Get-SmbServerConfiguration | Select EnableSMB2Protocol
- Disable:
Set-SmbServerConfiguration -EnableSMB2Protocol $false
- Enable:
Set-SmbServerConfiguration -EnableSMB2Protocol $true
Windows 8 and Windows Server 2012
SMB v1 on SMB Server
- Detect:
Get-SmbServerConfiguration | Select EnableSMB1Protocol
- Disable:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
- Enable:
Set-SmbServerConfiguration -EnableSMB1Protocol $true
SMB v2/v3 on SMB Server
- Detect:
Get-SmbServerConfiguration | Select EnableSMB2Protocol
- Disable:
Set-SmbServerConfiguration -EnableSMB2Protocol $false
- Enable:
Set-SmbServerConfiguration -EnableSMB2Protocol $true
Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008
SMB v1 on SMB Server
Default configuration = Enabled (No registry key is created), so no SMB1 value will be returned
- Detect:
Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
- Disable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
- Enable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
SMB v2/v3 on SMB Server
- Detect:
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
- Disable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force
- Enable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
Disable SMB Client
SMB v1 on SMB Client
- Detect:
sc.exe qc lanmanworkstation
- Disable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
- Enable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto
SMB v2/v3 on SMB Client
- Detect:
sc.exe qc lanmanworkstation
- Disable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
- Enable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
Samba Configuration
Configuration file
/etc/samba/smb.conf
smb.conf
lmhosts
Test & reload configuration
testparm -v
service smb restart
User creation
smbpasswd -a <username>
Samba Enumeration
#!/bin/sh
# Author: rewardone
# Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
# Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ -n "$2" ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
echo "" && sleep .1
- SuperScan
- Hyena
- Winfingerprint
- NetBIOS enumerator
References
- https://www.youtube.com/watch?v=jUc1J31DNdw&t=445s
- Implementing CIFS — The Common Internet Filesystem — http://www.ubiqx.org/cifs/
- Using Samba 2nd Edition — http://www.samba.org/samba/docs/using_samba/toc.html
Vulnerabilities
- Linux
- CVE-2007-2447 — Samba versions 3.0.20 through 3.0.25rc3
- When the «username map script» smb.conf option is enabled
- https://github.com/amriunix/cve-2007-2447
exploit/windows/smb/ms08_067_netapi
- Windows
- CVE-2008-4250 MS08-067 — Microsoft Server Service Relative Path Stack Corruption
- Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta
- https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py
- https://vulners.com/exploitdb/EDB-ID:6824
exploit/windows/smb/ms08_067_netapi
At a Glance
Default Ports
- SMB over NBT (NetBIOS over TCP/IP): 139
- SMB over TCP/IP: 445
SMB is a network communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated IPC (inter-process communication) mechanism.1
Windows SMB Ports and Protocols
Originally, in Windows NT, SMB ran on top of NBT (NetBIOS over TCP/IP), which uses ports UDP 137 and 138, and TCP 139. Windows 2000 introduced what Microsoft calls “direct hosting”, the option to run “NetBIOS-less” SMB directly over TCP/445. Older versions of Windows (with NBT enabled) will try to connect to both port 139 and 445 simultaneously, while in newer versions port 139 is a fall-back port, as clients will try to connect to port 445 by default.2
SMB Host Discovery
Refer to host discovery with nbtscan.
Server Version
Metasploit SMB Auxiliary Module 3
msf> use auxiliary/scanner/smb/smb_version
msf> set rhost 10.0.0.3
msf> run
Common Login Credentials
Backup and management software requires dedicated user accounts on the server or local machine to function, and these accounts are often set with a weak password. 4
Username | Password |
---|---|
(blank) | (blank) |
Administrator, admin, guest | (blank), admin, password |
arcserve | arcserve, backup |
tivoli | tivoli |
backupexec | backupexec, backup |
test | test |
Enumeration
enum4linux 5
With credentials:
enum4linux -a -u "<username>" -p "<passwd>" 10.0.0.3
Parameters
-a: Do all simple enumeration (-U -S -G -P -r -o -n -i).
-u <user>: specify username to use.
-p <pass>: specify password to use.
NSE Scripts
nmap --script "safe or smb-enum-*" -p 139,445 10.0.0.3
Note:
NSE SMB enumeration scripts:
smb-enum-domains
smb-enum-groups
smb-enum-processes
smb-enum-services
smb-enum-sessions
smb-enum-shares
smb-enum-users
smbclient 6
List available shares.
smbclient -N -L //10.0.0.3
Connect to a share.
smbclient -N //10.0.0.3/Share
Parameters
-N: remove the password prompt from the client to the user.
-L: list services available on the server.
RPC Enumeration
Null Session
Windows Administrative Shares
Administrative shares are hidden shares that provide administrators the ability to remotely manage hosts. They are automatically created and enabled by default.
Note:
It is worth clarifying these shares are not hidden but removed from views just by appending a dollar sign ($) to the share name. Ultimately, the share will be part of the result if listing from a Unix-based system or by using: net share and net view /all.
Various shares are exposed to clients via SMB, as follows:
- C$: C Drive on the remote machine.
- Admin$: Windows installation directory.
- IPC$: The inter-process communication or IPC share.
- SYSVOL and NETLOGON: domain controller shares.
- PRINT$ and FAX$: printer and fax shares.
IPC$ is a special share used to facilitate inter-process communication (IPC). It does not allow access to files or directories, but it allows communication with processes running on the remote system. Specifically, IPC$ exposes named pipes, which can be written or read to communicate with remote processes. These named pipes are opened by the application and registered with SMB so that they can be exposed by the IPC$ share. They are usually used to perform specific functions on the remote system, also known as RPC or remote procedure calls.
Some versions of Windows allow you to authenticate and mount the IPC$ share without providing a username and password. Such a connection is often called a NULL session, which, despite its limited privileges, could be used to make multiple RPC calls and obtain useful information about the remote system.7
Note:
RPC endpoints exposed via IPC$ include the Server service, Task Scheduler, Local Security Authority (LSA), and Service Control Manager (SCM). Upon authenticating, you can use these to enumerate user and system details, access the registry, and execute commands. On Linux, the enum4linux utility can be used to dump data from these services.
Refer to MSRPC for more about RPC.
mount -t cifs -o username=user,password=password //10.0.0.3/Share /mnt/share
Download Files
Create a tar file of the files beneath users/docs. 6
smbclient //10.0.0.3/Share "" -N -Tc backup.tar users/docs
Parameters
-N: remove the password prompt from the client to the user.
-T: TAR options.
c: Create a tar backup archive on the local system.
Brute Forcing
Refer to SMB Brute Forcing
SMB Exploits Search
Refer to Exploits Search
1. Contributors to Wikimedia projects. “Server Message Block — Wikipedia.” Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 26 Oct. 2003, https://en.wikipedia.org/wiki/Server_Message_Block.
2. “The Use of TCP Ports 139 and 445 in Windows.” Vidstrom Labs, https://vidstromlabs.com/blog/the-use-of-tcp-ports-139-and-445-in-windows/.
3. “Scanner SMB Auxiliary Modules — Metasploit Unleashed.” Infosec Training and Penetration Testing | Offensive Security, https://www.offensive-security.com/metasploit-unleashed/scanner-smb-auxiliary-modules/.
4. McNab, Chris. Network Security Assessment. “O’Reilly Media, Inc.,” 2007, p. 281.
5. “Enum4linux.” Enum4linux | Portcullis Labs, Portcullis Computer Security Ltd & Portcullis Inc., 16 Sept. 2008, https://labs.portcullis.co.uk/tools/enum4linux/.
6. “Smbclient.” Samba — Opening Windows to a Wider World, https://www.samba.org/samba/docs/current/man-html/smbclient.1.html.
7. “A New Look at Null Sessions and User Enumeration.” SensePost, https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/.
8. “Mounting Samba Shares from a Unix Client.” SambaWiki, https://wiki.samba.org/index.php/Mounting_samba_shares_from_a_unix_client.
Server Message Block (SMB) is a network protocol that enables devices within the same network to share resources like files, printers, and services. It was previously known as the Common Internet File System (CIFS). SMB facilitates communication between computers over a local network, ensuring seamless access to shared resources.
This local network could be as small as a single office for a small business or as large as a global network connecting multiple offices for a multinational company.
SMB relies on specific SMB ports for communication: Port 135 is used for Microsoft Remote Procedure Call (RPC) to help establish and manage SMB connections. Port 445 is used for direct SMB communication over TCP/IP without requiring older protocols like NetBIOS.
In this article, we will explore what an SMB port is and the different SMB port numbers the protocol relies on for efficient resource sharing over networks. In addition, we will explain how SMB works on the different SMB ports.
What is SMB?
The Server Message Block (SMB) protocol is a network communication protocol used to share files, printers, and other resources between devices on the same network. It also offers a way for processes on different computers to communicate securely. Originally developed by IBM in the 1980s with SMB 1.0, the protocol has undergone multiple updates to improve its security, performance, and functionality.
SMB Protocol Dialects Overview
The Server Message Block (SMB) protocol has evolved through various dialects since its inception, each designed to meet changing network needs and enhance security. Here’s a brief overview of key SMB protocol dialects:
SMB 1.0 (1984)
Developed by IBM for DOS, SMB 1.0 laid the foundation for file and printer sharing across networks. It introduced opportunistic locking (OpLock) to improve performance by enabling client-side data caching. However, its lack of robust security made it vulnerable to exploits, notably the WannaCry ransomware attack in 2017, which highlighted the urgent need to disable SMB 1.0/CIFS to mitigate risks.
Netsmb (2004)
Emerging around 2004, Netsmb represented a crucial update in the SMB protocol, focusing on enhancing security and performance. While specific details are scarce, this dialect aimed to address vulnerabilities in earlier versions, reflecting the growing importance of network security at that time.
SMB 3.02 (2014)
Introduced with Windows 8.1 and Windows Server 2012 R2, SMB 3.02 brought significant improvements in performance and security. It optimized data transmission efficiency and allowed administrators to disable support for the outdated CIFS/SMB 1.0, reducing potential security risks. This version continued the trend of integrating advanced security measures, and enhancing data protection within the SMB framework.
How does SMB Work?
SMB follows a client-server architecture, where the client sends requests, and the server responds accordingly. This setup makes it easy for devices on the same network to share files and other resources seamlessly, regardless of the operating system—whether it’s Windows, Linux, or macOS.
Once a connection is established, users or applications can send requests to a remote file server, gaining access to resources like mail slots, shared printers, and named pipes. This setup allows users to open, view, edit, move, and update files on the remote server as if they were stored locally.
In earlier versions of Windows, SMB operated on top of the NetBIOS network layer. However, starting with Windows 2000, Microsoft enhanced SMB to run directly over TCP/IP, using a dedicated IP port to improve performance and reliability. Below, we have listed key features of SMB:
- File Sharing
- SMB allows multiple users to access shared files over the network, supporting simultaneous use. This is essential in collaborative environments, such as offices, where teams work together on shared documents and projects.
- Printer Sharing
- Besides files, SMB enables printer sharing. Users on the same network can send print jobs to a shared printer, making resource management more efficient.
- Authentication and Authorization
- SMB includes user authentication mechanisms to ensure that only authorized individuals can access shared resources. This feature enhances network security by controlling access to files and devices.
- Inter-process Communication
- SMB also supports communication between processes on different computers, extending its functionality beyond file and printer sharing. It enables network services and applications to interact smoothly.
- Cross-Platform Compatibility
- One of SMB’s strengths is its compatibility with various operating systems, allowing different devices to communicate and share resources effectively across diverse environments.
SMB Versions and Updates
The protocol has evolved with newer versions like SMB 2.0, SMB 3.0, and later. These versions introduced encryption for secure data transfers, performance improvements, and support for modern networking needs such as virtualization and cloud storage.
SMB’s ongoing development reflects the need to balance usability with security. Its role in file and resource sharing has made it a key element of network infrastructure for businesses of all sizes, ensuring efficient collaboration and secure communication across connected devices.
SMB 2.1
Released with Windows 7 and Windows Server 2008 R2, this version replaced opportunistic locking with a client oplock leasing model to improve caching and performance. It also introduced support for high MTU (Maximum Transmission Unit) and better energy efficiency, allowing clients to enter sleep mode while keeping files open on the server.
SMB 3.0
Introduced in Windows Server 2012 and Windows 8, SMB 3.0 enhanced management, performance, backup capabilities, security, and availability. It became crucial for modern data centers and cloud environments.
SMB 3.02
This version, which debuted with Windows 8.1 and Windows Server 2012 R2, offered performance improvements. It also included an option to disable SMB 1.0/CIFS support, requiring the removal of legacy components to enhance security.
SMB 3.1.1
Released with Windows 10 and Windows Server 2016, this version introduced advanced features like pre-authentication integrity to prevent man-in-the-middle attacks, enhanced encryption, and cluster dialect fencing for improved security in distributed systems.
Knowing which SMB version is in use is important, especially for businesses relying on Windows-based environments. While modern offices rarely use older systems like Windows 95 or XP that rely on SMBv1, some outdated servers may still run these early versions. For optimal performance and security, it’s essential to upgrade to newer SMB versions whenever possible.
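One way to find out which dialect a server actually negotiated is to read the DialectRevision field of its SMB2 NEGOTIATE response in a packet capture. The following is an added example, not code from this article: field offsets follow the MS-SMB2 message layout, and `build_sample_response` is a hypothetical helper that constructs test messages instead of using a real capture.

```python
import struct

# SMB2 DialectRevision values, labelled with the version names used in this article.
DIALECTS = {0x0202: "SMB 2.0", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.02", 0x0311: "SMB 3.1.1"}
SIGNING_REQUIRED = 0x0002  # SecurityMode bit: server insists on signed sessions

def describe_negotiate_response(data):
    """Return (version_name, signing_required) for a server's negotiate reply.

    `data` is the TCP payload: an optional 4-byte transport header
    (0x00 plus a 24-bit big-endian length) followed by the SMB message.
    """
    if len(data) >= 4 and data[0] == 0 and int.from_bytes(data[1:4], "big") == len(data) - 4:
        data = data[4:]
    if data[:4] == b"\xffSMB":
        return ("SMB 1.0/CIFS", None)  # legacy header: the server answered in SMB1
    if data[:4] != b"\xfeSMB" or len(data) < 64 + 6:
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", data, 12)
    (flags,) = struct.unpack_from("<I", data, 16)
    if command != 0 or not flags & 0x1:  # command 0 = NEGOTIATE, flag bit 0 = response
        raise ValueError("not a NEGOTIATE response")
    # The body starts right after the 64-byte header.
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response body")
    name = DIALECTS.get(dialect, "unknown dialect 0x%04x" % dialect)
    return (name, bool(security_mode & SIGNING_REQUIRED))

def build_sample_response(dialect, security_mode):
    """Construct a minimal NEGOTIATE response for testing (not a real capture)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1,
                         0x1, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\0" * 56
    message = header + body
    return b"\0" + len(message).to_bytes(3, "big") + message

if __name__ == "__main__":
    for dialect, mode in ((0x0311, 0x0003), (0x0210, 0x0001)):
        print(describe_negotiate_response(build_sample_response(dialect, mode)))
```

A server that answers with the legacy `\xffSMB` header, or with a dialect below 3.0, is a candidate for the upgrade this section recommends.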
What is SMB Port Number? (SMB Port Numbers)
To provide file and print-sharing functions within a network, SMB uses several ports. Ports 139 and 445 are the SMB port numbers most often used for file and print services, and this section explains what each one does.
Verifying that the ports are open is important to ensure the smooth functioning of SMB on your VPS.
Port 139
SMB dialects that communicate over NetBIOS use port 139 by default. It functions as an application layer protocol for device communication across a network in Windows operating systems. For instance, port 139 is used by printers and serial ports to connect.
Port 445
Simply put, port 445 is the Windows SMB port for file sharing across the network. Microsoft changed Windows 2000 to use port 445 for SMB.
Microsoft-DS, also referred to as directory services from Microsoft, uses port 445. Both TCP and UDP protocols use port 445 for several Microsoft services.
Microsoft Active Directory and Domain Services use this port for file replication, user and device authentication, group policies, and trusts.
SMB, CIFS, LSARPC, SMB2, DFSN, NbtSS, SamR, NetLogonR, and SrvSvc protocols and services are most likely involved in the traffic on these ports.
What is SMB Port or SMB Protocol Port? (Samba Port)
In networking, a port serves as a virtual endpoint that manages different types of network connections on the same IP address. This allows multiple services, such as file sharing or printing, to coexist on a single device without conflict.
Samba is a software suite that implements the Server Message Block (SMB) protocol, enabling Unix-like systems (such as Linux) to share files and printers with Windows systems. Samba relies on specific network ports, the same ones used by the SMB/CIFS protocols. Below is an overview of the key ports Samba uses:
- TCP 139: This port is utilized for SMB communication through NetBIOS over TCP/IP. It allows sharing of files, printers, and other network resources over a local area network (LAN). NetBIOS provides a way for applications on different systems to communicate over the network.
- TCP 445: This port enables direct SMB communication over TCP/IP, bypassing the NetBIOS layer. As a result, it has become the primary port for file sharing, printer access, and inter-process communication, especially in modern networks.
- UDP 137 and 138: These ports handle NetBIOS Name Service (UDP 137) and NetBIOS Datagram Service (UDP 138), respectively. While not directly involved in Samba’s core file-sharing functionality, they support broader SMB-related services in some network setups.
What are the different Variants of the SMB Protocol?
Over time, developers have introduced different SMB dialects to serve various purposes, similar to how languages evolve. One well-known variant is the Common Internet File System (CIFS), which facilitates file sharing. Despite some misconceptions, CIFS and SMB share the same core principles. Here are some of the most notable SMB implementations:
1. CIFS
CIFS is a standard protocol used for file sharing, primarily found on Windows servers and compatible NAS (Network-Attached Storage) devices.
2. Samba
Samba is an open-source implementation of SMB that supports authentication, authorization, name resolution, file and printer sharing, and service announcements. It allows Linux/Unix servers to interact with Windows clients and integrates with Microsoft Active Directory, making it essential for cross-platform environments.
3. NQ (Visuality Systems)
The NQ suite, developed by Visuality Systems, provides portable SMB client and server solutions. It supports the SMB 3.1.1 dialect and can run on non-Windows platforms like Linux, iOS, and Android.
4. MoSMB (Ryussi Technologies)
MoSMB is a proprietary SMB implementation designed by Ryussi Technologies. It is optimized for Linux and other Unix-like systems, making it suitable for specific enterprise environments.
5. Tuxera SMB
This proprietary implementation from Tuxera can operate in either kernel or user space, providing flexibility for various networking environments.
6. Likewise
EMC acquired Likewise in 2012. This software offers multi-protocol file sharing with identity-aware access, providing seamless network file sharing with integrated security features.
What is SMB Authentication?
Like any other network protocol, SMB requires security measures to ensure safe communication. At the user level, SMB authentication involves verifying a username and password to grant access to a server’s resources.
A system administrator manages access by adding or removing users and monitoring permissions. To access a shared file or server, users typically provide a one-time password at the share level. However, this method does not require identity verification, focusing only on access to the specific shared resource.
Is SMB Safe?
Is it safe to use SMB? Generally, it appears to be secure for now, but new vulnerabilities can emerge at any time. To protect your system from potential threats, it’s advisable to disable SMB entirely if you don’t have any applications relying on it.
As of October 2017, SMB is not enabled by default in Windows 10, so you only need to take precautions if you’re using an older version of Windows.
What Actions Should You Take to Ensure the Security of Your SMB Port?
To ensure the security of your SMB port, the following measures should be taken:
Avoid Exposing SMB Ports
For over a decade, opening ports 135 through 139 and 445 has been considered unsafe. While exposing ports 139 and 445 to the Internet isn’t inherently dangerous, there are several recognized risks associated with it.
To check if a port is open, you can use the netstat command.
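The netstat check above can be automated. The following is an added example, not code from this article: it parses `netstat` output (Windows `-ano` or Linux `-tuln` layout) and reports SMB/NetBIOS sockets bound to a non-loopback address. The sample output is constructed for illustration.

```python
import ipaddress

# Ports this article associates with SMB and NetBIOS.
SMB_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Constructed sample in Windows `netstat -ano` layout (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:445          0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:51522     192.168.1.5:445        ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    192.168.1.20:137       *:*                                    4
  UDP    0.0.0.0:5353           *:*                                    1712
"""

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable (e.g. "*"): report it rather than hide it

def smb_listeners(netstat_text):
    """Return sorted (proto, address, port) for SMB/NetBIOS sockets that are
    listening (TCP) or bound (UDP) on a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].lower().startswith(("tcp", "udp")):
            continue  # header, blank line or other protocol
        proto = fields[0][:3].upper()  # "tcp6" -> "TCP"
        # Linux netstat puts Recv-Q/Send-Q before the local address.
        local = fields[3] if fields[1].isdigit() and len(fields) > 3 else fields[1]
        if proto == "TCP" and not any(f.upper().startswith("LISTEN") for f in fields):
            continue  # established or outbound connection, not a listener
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or (proto, int(port)) not in SMB_PORTS:
            continue
        addr = addr.strip("[]")  # IPv6 addresses are bracketed on Windows
        if not is_loopback(addr):
            found.add((proto, addr, int(port)))
    return sorted(found)

if __name__ == "__main__":
    for proto, addr, port in smb_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {port} bound on {addr}")
```

The established connection to a remote port 445 in the sample is deliberately ignored: it shows this host acting as an SMB client, not exposing a listener.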
Patch Vulnerabilities
Regularly update your systems to guard against threats such as Man-in-the-Middle (MITM) attacks and NetBIOS Name Service (NBNS) spoofing.
Eliminate Single Points of Failure
To ensure data security, maintain at least one additional secure backup location, as risks can arise from malware, hardware failures, or database issues.
Utilize Firewalls and Endpoint Security
Effective security solutions typically include a blacklist of known malicious IP addresses and their most frequently used ports.
Implement a Virtual Private Network (VPN)
VPNs encrypt and safeguard your network traffic.
Use VLANs
In business environments, utilizing Virtual Local Area Networks (VLANs) can help segregate internal traffic according to specific requirements. This practice is crucial for preventing lateral movement and privilege escalation attacks.
Employ MAC Address Filtering
This method helps block unauthorized devices from accessing your network. The strategies mentioned above are common ways to prevent malicious entities from exploiting vulnerabilities in SMB.
However, this list is not exhaustive, as attackers employ various tactics, including masquerading as legitimate assets on compromised employee workstations.
Therefore, a proactive cybersecurity strategy is essential for organizational security. This approach should be grounded in strong fundamentals, incorporating a defence-in-depth methodology, layered architecture adhering to the principle of least privilege, and a collaborative effort involving people, processes, and technology.
Are Open SMB Ports Dangerous? (SMB Ports)
The idea that open ports are inherently dangerous often stems from misunderstandings about their function and potential vulnerabilities. Here’s a clearer perspective on the safety of open ports:
- Understanding Open SMB Ports
Open ports are essential for network communication, acting as gateways that allow services and applications to communicate across networks.
- Not Inherently Dangerous
Open ports themselves do not pose an inherent risk; rather, the danger lies in how well the services or applications running on those ports are configured and secured.
- Factors Determining Safety
The safety of open ports is influenced by several factors:
- Service Configuration: Proper configuration is crucial for preventing vulnerabilities.
- Software Updates: Using outdated software can leave services exposed to risks.
- Security Measures: Adequate security protections must be in place to mitigate potential threats.
- Real-World Example
A notable illustration of the risks associated with open ports is the exploitation of certain SMB default ports during the WannaCry ransomware attack. In this case, the danger was not simply due to the open ports, but rather vulnerabilities in the SMB services that were exploited by the EternalBlue exploit.
Conclusion
We have learned what the SMB port is and which port numbers SMB uses. We explored how the Server Message Block (SMB) protocol facilitates inter-process communication and allows programs and services on networked computers to interact seamlessly. SMB ports support various essential network functions, including file and printer sharing, as well as access to devices.
In essence, SMB enables applications on a computer to read and write files and request services from server software across a network.
As computers increasingly connect over the internet for resource sharing, it’s crucial to remain vigilant against potential attacks from malicious users.
Exposed SMB ports on Windows servers present a tempting target for attackers, potentially granting them unauthorized access to specific systems or corporate networks. However, SMB administrators can implement several straightforward strategies to reduce the risks and vulnerabilities associated with SMB ports against internet threats.