SMB & NetBIOS
SMB:
Stands for Server Message Block, once known as Common Internet File System, is a communication protocol for providing shared access between systems on a network. At a high level, it is a set of rules adopted to share files, printers in a network.
NetBIOS:
Acronym for Network Basic Input/Output System, is a program that provides services on the session layer of the OSI model allowing applications to talk to each other within a LAN.
Port 445:
Used for file sharing over the network by windows. Microsoft made a change to run SMB over port 445 from Windows 2000. Port 445 is used by Microsoft directory services, known as Microsoft-DS.
Port 445 is used by both TCP and UDP protocols for several Microsoft services. Microsoft active directory and domain services use this port for file replication, user and computer authentication, group policy and trusts. Most likely traffic on these ports relates to SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR and SrvSvc protocols and services.
Port 139:
NetBIOS session service utilizes port 139. Pre Windows 2000 operating systems mostly used port TCP 139 where SMB ran on top of NetBIOS. This can be anyone on the internet also, however, it is not a recommended option due to security reasons.
NetBIOS port 139 over the internet or on WAN is a HIGH risk. To put this into perspective, you must raise this issue to the highest possible level to get this restricted ASAP. Yes, it is that serious! And, the same goes for port 445.
SMB ports are also considered wormable ports. A wormable vulnerability can be exploited by an exploit to initiate a chain reaction that automatically lets the vulnerable machine find and infect other vulnerable machines. [WannaCry Ransomeware-EternalBlue Exploit]
What ports are used by SMB protocol?
SMB makes use of several ports to enable file and print sharing services within a network. All the known ports used by SMB v2/v3 are:
• TCP 445 – SMB over TCP without the need for NetBIOS
• UDP 137 – SMB over UDP (Name Services)
• UDP 138 – SMB over UDP (Datagram)
• TCP 139 – SMB over TCP (Session service)
Name | Number(h) | Type | Usage |
<computername> | 00 | U | Workstation Service |
<computername> | 01 | U | Messenger Service |
<\\--__MSBROWSE__> | 01 | G | Master Browser |
<computername> | 03 | U | Messenger Service |
<computername> | 06 | U | RAS Server Service |
<computername> | 1F | U | NetDDE Service |
<computername> | 20 | U | File Server Service |
<computername> | 21 | U | RAS Client Service |
<computername> | 22 | U | Microsoft Exchange Interchange(MSMail Connector) |
<computername> | 23 | U | Microsoft Exchange Store |
<computername> | 24 | U | Microsoft Exchange Directory |
<computername> | 30 | U | Modem Sharing Server Service |
<computername> | 31 | U | Modem Sharing Client Service |
<computername> | 43 | U | SMS Clients Remote Control |
<computername> | 44 | U | SMS Administrators Remote Control Tool |
<computername> | 45 | U | SMS Clients Remote Chat |
<computername> | 46 | U | SMS Clients Remote Transfer |
<computername> | 4C | U | DEC Pathworks TCPIP service on Windows NT |
<computername> | 42 | U | mccaffee anti-virus |
<computername> | 52 | U | DEC Pathworks TCPIP service on Windows NT |
<computername> | 87 | U | Microsoft Exchange MTA |
<computername> | 6A | U | Microsoft Exchange IMC |
<computername> | BE | U | Network Monitor Agent |
<computername> | BF | U | Network Monitor Application |
<username> | 03 | U | Messenger Service |
<domain> | 00 | G | Domain Name |
<domain> | 1B | U | Domain Master Browser |
<domain> | 1C | G | Domain Controllers |
<domain> | 1D | U | Master Browser |
<domain> | 1E | G | Browser Service Elections |
<INet~Services> | 1C | G | IIS |
<IS~computer name> | 00 | U | IIS |
<computername> | [2B] | U | Lotus Notes Server Service |
IRISMULTICAST | [2F] | G | Lotus Notes |
IRISNAMESERVER | [33] | G | Lotus Notes |
Forte_$ND800ZA | [20] | U | DCA IrmaLan Gateway Server Service |
Let's Start this !!!
ReplyDelete