The server message block (SMB) protocol provides “client-server communication,” which allows programs and services on networked computers to communicate with one another. SMB enables network functions like file, print and device sharing, among others.
SMB Ports Explained
SMB ports are used for file sharing, enabling programs and services on networked computers to communicate with each other. The SMB protocol sends and receives request-response communication between clients and servers to make dealing with networked computers easier.
How Does SMB Work?
The SMB protocol sends and receives request-response messages to establish communication between clients and servers. This arrangement sets up a file-sharing system as though a user was accessing data on their hard drive. It makes dealing with networked systems all over the world a lot easier.
Other operating systems, such as Unix, Linux and OS/2, use Samba to connect and provide file-sharing services within a network by speaking the same language as SMB.
SMB History and Evolution
During the mid-1990s, Microsoft incorporated SMB in their LAN Manager product, which IBM initially built. SMB 1.0 was renamed common internet file system (CIFS) , and Microsoft published draft standards to the Internet Engineering Task Force (IETF), though these have now expired.
SMB and early CIFS implementation had a number of flaws that limited its applicability to managing small files for end-users. The protocol was “chatty,” which resulted in poor performance over long distances or when there was a lag between client and server. Around this time, the Samba project was born, with the goal of reverse-engineering the SMB/CIFS protocol and developing an SMB server that would allow MS-DOS clients to access files on Unix machines.
SMB has gone through a few evolutions since then.
SMB 2.0
Microsoft released SMB2 with Windows Vista in 2006. SMB2.0 had a significant number of improvements over SMB 1.0 particularly reducing the “chattiness” of the protocol by reducing the number of commands and subcommands from hundreds to 19.
The term CIFS become redundant, as it only applied to SMB version 1.0
SMB2 supported many other improvements like TCP window scaling and WAN acceleration, opportunistic locking and a feature known as “pipelining” to enable multiple requests to be queued at the same time.
Performance improvements included allowing larger block sizes, which improved large file transfers. Microsoft introduced “durable file handles” that allowed the connection to an SMB server to survive brief network failure frequently seen in wireless networks. They did this by allowing clients to transparently reconnect to servers.
SMB 2.1
SMB 2.1 was released alongside Windows 7 and Windows Server 2008, and included minor upgrades.
SMB 3.0
With Windows 8 and Windows Server 2012, SMB 3.0 (also known as SMB 2.2) was released. SMB3 included significant protocol modifications such as the SMB Direct Protocol (SMB over remote direct memory access (RDMA) and SMB Multichannel (many connections per SMB session), which are meant to improve SMB2 performance, particularly in virtualized data centers.
SMB Protocol Ports
To provide file and print sharing services within a network, SMB uses a number of ports. The following are all known SMB v2/v3 ports:
- TCP 445 — SMB over transmission control protocol (TCP) without the need for a network basic input/output system (NetBIOS).
- UDP 137 — SMB over user datagram protocol (UDP or Name Services).
- UDP 138 — SMB over UDP (datagram).
- TCP 139 — SMB over TCP (session service).
SMB Ports 139 and 445 Explained
There are two common ports you will see in SMBs. These are: Port 139 and Port 445. Here’s what they do.
Port 139
Port 139 is used by the NetBIOS session service. Prior to Windows 2000, most operating systems used TCP 139, with SMB running on top of NetBIOS. NetBIOS is a service on the open systems interconnectedness (OSI) model’s session layer that allows applications to communicate with one another within a local network (LAN). This might be anyone on the internet, but because of security concerns, it’s not a recommended alternative.
Port 445
Windows uses port 445 for file sharing across the network. From Windows 2000 onward, Microsoft changed SMB to use port 445. Microsoft directory services, often known as Microsoft-DS, use port 445.
TCP and UDP protocols both use port 445 for numerous Microsoft services. For file replication, user and computer authentication, group policy and trusts, Microsoft Active Directory and Domain Services use this port. SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR and SrvSvc protocols and services are most likely to be found on these ports.
Is SMB Secure?
While different versions of SMB provide differing levels of security and protection, SMBv1 was discovered to have a vulnerability that hackers may exploit to execute their code without the user’s knowledge. When a gadget becomes infected, it attacks any other devices that are linked to it. The National Security Agency (NSA) uncovered the flaw in 2017.
The exploit was called EternalBlue, and it was taken from the NSA and posted online by the Shadow Brokers hacker group. Microsoft did issue a patch to address the vulnerability, but the WannaCry ransomware attack hit the world just a month later.
How to Prevent SMB Vulnerabilities
Patching your system is the best defense against an SMB attack. Attackers will be unable to get access to a patched machine, but a huge number of Windows computers have yet to be patched. The March 2017 update from Microsoft can assist in patching the server message block vulnerabilities. Applying this fix is one of the greatest ways to safeguard a system. If you use a Windows 10 or later system, the update fixes are already built-in. This is why most SMB assaults target Windows 7 and earlier. Furthermore, the WannaCry patch can prevent EternalBlue exploits and other similar flaws. These fixes are among the most effective SMB server security solutions available.
It’s better to have layers of security when it comes to protecting yourself from cyberattacks, as it is with other things. Apart from the WannaCry and ransomware patches, you can further safeguard your systems by restricting SMB access from the internet, blocking SMB in off site computers when in public areas, and removing SMB if it’s not needed. These easy measures can help protect your system from SMB exploits.
Finally, vulnerability scanning and managed detection and response services can help your system avoid and identify SMB attacks and other cyberattacks.
