Port 139 (tcp/udp) (2024)

NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be. There are a number of vulnerabilities associated with leaving this port open.

NetBIOS services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)

By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:

1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.

Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.
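
To check a host against the guidance above, this added example (not part of the original page) parses Windows `netstat -an` output and reports listeners on the RPC, NetBIOS and SMB ports that are bound to a non-loopback address. The sample output is constructed, and the names `WATCHED`, `ROW` and `exposed_listeners` are hypothetical.

```python
import re

# Services inside the page's 135-139 block range, plus directly hosted SMB (445).
WATCHED = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
           138: "NetBIOS datagram service", 139: "NetBIOS session service",
           445: "SMB over TCP"}

# Row of Windows `netstat -an`: proto, local addr:port, foreign addr, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")

# Constructed sample output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""

def exposed_listeners(netstat_text):
    """Return (proto, address, port, service, scope) for watched listeners."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, unrelated text
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if port not in WATCHED:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # an existing session, not a listening socket
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback only: not reachable from the network
        scope = "all interfaces" if addr in ("0.0.0.0", "[::]") else "one interface"
        findings.append((proto, addr, port, WATCHED[port], scope))
    return findings

if __name__ == "__main__":
    for proto, addr, port, service, scope in exposed_listeners(SAMPLE):
        print(f"{proto} {addr}:{port}  {service}  (bound to {scope})")
```

A listener bound to one interface can still be reachable from outside if that interface is routed, so each finding should be compared with the firewall rules for ports 135-139 and 445.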

There is also a Critical Windows RPC vulnerability affecting ports 135, 139 and 445, as detailed here: MS Technet Security Bulletin [MS03-026]

The following trojans/backdoors also use these ports:
Chode, God Message worm, Msinit, Netlog, Network, Qaz

W32.HLLW.Moega [Symantec-2003-080813-3234-99]

W32.Reidana.A [Symantec-2005-032515-4042-99] (2005.03.27) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.

W32.Klez worm [Symantec-2002-031910-1028-99] - a class of worms that collects email addresses from an infected computer's Windows address book and propagates using its own SMTP server. As of April 26, 2002, there are nine variants of the Klez worm that all exploit the "Microsoft Internet Explorer Incorrect MIME header" vulnerability, which causes an email attachment to be automatically executed when an HTML email is previewed by a Microsoft Outlook or Outlook Express user. The worm can arrive as an email attachment with one of the following file extensions: asp, bak, c, cpp, doc, htm, html, jpg, mp3, mpg, mpeg, pas, rtf, wab, or xls.

W32.Sircam.Worm [Symantec-2001-071720-1640-99] - a computer worm that propagates by e-mail from Microsoft Windows systems. It also spreads via open shares on a network. Sircam scans the network for computers with shared drives and copies itself to a machine with an open (non-password protected) drive or directory.

Buffer overflow in a certain driver in Cisco Security Agent 4.5.1 before 4.5.1.672, 5.0 before 5.0.0.225, 5.1 before 5.1.0.106, and 5.2 before 5.2.0.238 on Windows allows remote attackers to execute arbitrary code via a crafted SMB packet in a TCP session on port (1) 139 or (2) 445.
References: [CVE-2007-5580] [BID-26723] [SECUNIA-27947] [OSVDB-39521]

Server Message Block (SMB) also uses this port. It is used by Microsoft Windows file and print services, such as Windows Sharing in Mac OS X.


FAQs

Port 139 (tcp/udp)?

Port 139 is used for file and printer sharing over NetBIOS, running over TCP/IP. This setup is typical in older versions of Windows and in various Unix systems. On the other hand, port 445 is used for direct SMB communications without the need for NetBIOS.

NetBIOS (/ˈnɛtbaɪɒs/) is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol. (https://en.wikipedia.org/wiki/NetBIOS)

Is port 139 TCP or UDP?

Inbound connection on port 139 (TCP) is not blocked in Windows firewall. Port 139 is utilized by the NetBIOS Session service. Enabling NetBIOS services provides access to shared resources like files and printers not only to your network computers but also to anyone across the internet.

Is port 138 TCP or UDP?

Well-known ports
Port  TCP       UDP
138   Assigned  Yes
139   Yes       Assigned
143   Yes       Assigned
151   Assigned

What are TCP ports 139 and 445 and UDP ports 137 and 138?

Port 137 is for providing name services over TCP or UDP for SMB over NetBIOS. Port 138 is for providing datagram services over UDP for SMB over NetBIOS. Port 139 is for providing session services over TCP or UDP for SMB over NetBIOS. Port 445 is for directly-hosted SMB over TCP or UDP without the need of NetBIOS.

Is SMB port TCP or UDP?

SMB Protocol Ports

The following are all known SMB v2/v3 ports: TCP 445 — SMB over transmission control protocol (TCP) without the need for a network basic input/output system (NetBIOS). UDP 137 — SMB over user datagram protocol (UDP or Name Services). UDP 138 — SMB over UDP (datagram).

What is the difference between port 139 and 445?

SMB uses either IP port 139 or 445. Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network. Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack.

What is the difference between port 135 and 139?

Port 135 is used for RPC client-server communication, and ports 139 and 445 are used for authentication and file sharing. UDP ports 137 and 138 are used for local NetBIOS browser, naming, and lookup functions.

How do I enable TCP port 139?

  1. In Control Panel, open Windows Firewall.
  2. In the left pane, click Advanced settings. ...
  3. In the Windows Firewall with Advanced Security dialog box, in the left pane, click Inbound Rules, and then, in the right pane, click New Rule.
  4. Follow the instructions in the New Inbound Rule wizard to add TCP port 139.

Is port 135 a UDP?

Inbound connection on port 135 (UDP/TCP) is not blocked in Windows firewall. Microsoft's "DCOM (Distributed Component Object Model) Service Control Manager" running on the user's computer utilizes port 135. Port 135 exposes where DCOM services can be found on a machine.

What is the difference between TCP and UDP ports?

TCP is best used for direct communication in which a reliable connection is needed, such as web browsing, email, text messaging, and file transfers. UDP is best used for live and real-time data transmission when speed is more important than reliability.

Is port 143 TCP or UDP?

If you're using a client with POP3 or IMAP4, you're using TCP port 110 for POP3 (the Post Office Protocol version 3), and if you're using IMAP4 as your client protocol, it's TCP port 143 for the Internet Message Access Protocol version 4.

Is port 445 a vulnerability?

Ports 139 and 445 are used for 'NetBIOS' communication between two Windows 2000 hosts. In the case of port 445 an attacker may use this to perform NetBIOS attacks as it would on port 139. Impact: All NetBIOS attacks are possible on this host.

What port is UDP?

UDP ports depend on the UDP/IP protocols. UDP ports include the DNS port (53), the Dynamic Host Configuration Protocol port (68), and the Kerberos port (88), which is used by gaming services.

Is NetBIOS still used?

It was developed in the 1980s for use on early, IBM-developed PC networks. A few years later, Microsoft adopted NetBIOS and it became a de facto industry standard. Currently, NetBIOS is mostly relegated to specific legacy application use cases that still rely on the suite of communication services.

What is port 139 used for?

Port 139, primarily used by the Server Message Block (SMB) protocol for file sharing in Windows networks, stands out as a critical point of vulnerability when not properly secured. This port facilitates network communications, allowing computers to share files, printers, and serial ports over a network.

What is TCP port 138?

Port 138 is utilized by the NetBIOS Datagram service. Enabling NetBIOS services provides access to shared resources like files and printers not only to your network computers but also to anyone across the internet. Therefore it is advisable to block port 138 in the firewall.

What port is SMB signing?

SMB still uses port 445.

Is NetBIOS 139 TCP or UDP?

NetBIOS provides three distinct services:
Name service for name registration and resolution (ports: 137/udp and 137/tcp)
Datagram distribution service for connectionless communication (port: 138/udp)
Session service for connection-oriented communication (port: 139/tcp)

Is port 445 still used?

In the days before the Internet, SMB operated over port 139 on top of NetBIOS. Microsoft changed the protocol to work over port 445 to support the Internet using TCP. But you can still use it over port 139 too if you need to support legacy systems.

Why port 445 should be closed?

Cybercriminals can leverage vulnerabilities in this port to inject malware, ransomware, or carry out Denial of Service (DoS) attacks. The notoriety of TCP 445 escalated with its exploitation by the WannaCry ransomware, which wreaked havoc on unsecured networks globally by leveraging the EternalBlue exploit.

Is SMTP traffic TCP or UDP?

An SMTP server is an application or computer that sends, receives and relays email. These servers typically use TCP on port 25 or 587.

Does Oracle use TCP or UDP?

Port Numbers and Protocols of Oracle Components
Component                           Default Port Number          Protocol
Oracle Net Listener                 1521                         TCP
Oracle Notification Services (ONS)  6100 (local) 6200 (remote)   TCP
Oracle Real Application Clusters    Dynamic                      UDP
Oracle XML DB (FTP)                 0                            FTP

Is port 135 TCP or UDP?

Port 135 Details
Port(s)  Protocol  Service
135      tcp,udp   msrpc
135      tcp,udp   loc-srv
135      tcp       threat
135      tcp       threat

Article information

Author: Manual Maggio
