logo

What are SMB Ports, Port 139 and Port 445?

Organizations are increasing their use of various solutions to address communication needs across their infrastructure. As file systems are an integral part of collaboration, this article will dive into one of the most widely used protocols necessary for many systems. We will learn more about the SMB protocol, Port 139, Port 445, how it works, the risks associated with it, and remediation steps to provide a more secure communication channel.

What is SMB Port?

The SMB (Server Message Block) port is a network port primarily utilized for file and resource sharing across a computer network. SMB operates over TCP port 445 and enables shared access to files, printers, and serial ports among devices on a network.

Moreover, its core function of resource sharing, enables SMB to be utilized for following use cases:

  • Involving mail slots (inter-process communication mechanisms)
  • Named pipes (a method for processes to communicate either on the same machine or over a network).

What are Port 139 and Port 445?

For the SMB protocol to function correctly, network ports are required to communicate with other systems. SMB requires either port 139 or port 445 to be an open port.

Port 139

Originally, SMB ran on port 139 as an application layer protocol for Windows computers to communicate with each other on the same network. It was run on NetBIOS over TCP/IP and is being passed over by port 445 in modern environments.

Port 445

Port 445 port is used by newer versions of SMB as Windows 2000 adopted it for use for direct TCP/IP communication. Generally favored over port 139, it also allows for communication across different networks for things like internet-based file sharing.

How does SMB Protocol work?

Client-Server Communication

SMB is known as a response-request protocol. It uses the approach of a client-server relationship, where the client makes any specific request, and the server responds as requested. Some examples of practical use today are situations where file resources are requested or printers need to be shared. SMB is also used for other uses, such as mail slots and named pipe situations.

Historical Development

Historically, SMB originated with IBM and was designed in 1983 for DOS file access over networks. It wasn’t until 1990 that Microsoft merged the SMB protocol with its LAN Manager product. From there, continual maturation of the SMB protocol appeared in instances such as the introduction of CIFS, as well as milestone improvements in efficiency, performance, and security, as described through the aforementioned upgrades of SMB 2 and SMB 3.

SMB Protocol Dialects

With an increasing presence of SMB implementations across the industry, network requirements evolved to have different demands of SMB. This led to the emergence of different SMB protocol dialects to cater to different environments. Depending on the need and use, different dialects could be implemented for a variety of purposes.

SMB Dialect Variations

Here’s a list of popular SMB dialects along with their uses:

  • CIFS (Common Internet File System): was a Microsoft developed dialect debuting in Windows 95 that was designed for network connections over remote servers. This dialect (CIFS Port) enabled clients to connect to remote file and printer shares as if they were accessed locally.
  • Samba: Samba is an open source dialect (Samba port) that enables Linux/Unix machines to communicate with Windows devices.
  • NQ: was developed by Visuality Systems that brings the SMB protocol to non-Windows platforms. Especially prevalent in devices such as printers and home network devices.
  • Tuxera SMB and MoSMB: Dialects were also created as proprietary methods using the SMB protocol for specific features, such as enterprise file sharing and advanced authentication.

Security Risks Associated with Open SMB Ports

Ports like the ones used with the SMB protocol are necessary to communicate from within and across different networks. While their use isn’t itself dangerous, open ports can be used and exploited for malicious purposes.

Having over exposed ports can lead to the following vulnerabilities, such as:

  • A Wormable port
  • Man-In-The-Middle attacks,
  • NetBIOS spoofing,

Case Study: WannaCry Ransomware:

Once recent occurrence was the WannaCry ransomware attack that targeted Windows clients running an outdated version of SMB. A worm infection was installed on a target machine, encrypting the user’s files in exchange for ransom. In addition to that, the infected system would also start searching for other machines via the SMB v1 protocol, and if other systems were using those open ports, they would be susceptible to the ransomware self-install on that machine and continue its spread.

While WannaCry created havoc and pain for many companies and networks, its disastrous results could have been much less impactful had systems been patched with up-to-date security measures.

Best Practices to Secure SMB Ports 139 and 445

Since SMB ports can be targeted, here are some best practices to implement to protect against various attacks:

Enable Firewall and Endpoint Protection

Enabling these network security devices can protect these ports from threats as well provide blacklisting services against known malicious IP addresses.

Utilize VPNs

By utilizing VPNs, network traffic can be encrypted and protected against malicious actors.

Create VLANs

Creating Virtual LANs can be utilized to isolate internal traffic to limit attack surface.

Implement MAC Address Filtering:

These filters can keep unknown systems from accessing and infiltrating your internal network.

Implement System Configuration Changes

Following changes can be made to harden your security against SMB attacks:

Disable NetBIOS over TCP/IP

  • Select Start, point to Settings, and then select Network and Dial-up Connection.
  • Right-click Local Area Connection, and then select Properties.
  • Select Internet Protocol (TCP/IP), and then select Properties.
  • Select Advanced.
  • Select the WINS tab, and then select Disable NetBIOS over TCP/IP.

Commands to monitor port status

To determine if NetBIOS is enabled on a Windows computer, run a net config redirector or net config server command to see if if any ‘NetBT_Tcpip’ device is bound to the network adapter.

Conclusion

The SMB protocol has proved to be a valuable and vital method of accessing different network resources. While it has enabled things like file sharing and connectivity, security measures should be taken to ensure authorized access within the network. Securing ports and keeping up to date with protocols are a couple of examples of how to heighten your security profile in modern-day networking.

In conjunction with network security, Netwrix can fulfill your security plan at the data layer. With Netwrix solutions, we can help your organization see who has access to your data and the activity that surrounds it. Monitoring is a critical part of detecting attacks and protecting against breaches.

Mark has over 20 years in the IT industry and has consulted in a wide array of industries including the automotive, insurance, medical, legal, and financial sectors. With his IT background, he joins Netwrix with his ability to empathize with the problems IT teams face today. In his role as Solutions Engineer, Mark will understand the needs your organization faces and provide solutions to help overcome those challenges.