The server message block (SMB) protocol provides “client-server communication,” which allows programs and services on networked computers to communicate with one another. SMB enables network functions like file, print and device sharing, among others.
SMB Ports Explained
SMB ports are used for file sharing, enabling programs and services on networked computers to communicate with each other. The SMB protocol sends and receives request-response communication between clients and servers to make dealing with networked computers easier.
What Is an SMB Port?
A server message block (SMB) port is a network port that allows devices within the same network to communicate with each other, so they can exchange files and share data, printers and other resources. In the case of files, users on different devices can perform various actions like opening, editing and moving files. While SMB ports have relied on different protocols through the years, they currently use port 445 (more on this to come).
How Does SMB Work?
The SMB protocol sends and receives request-response messages to establish communication between clients and servers. This arrangement sets up a file-sharing system as if a user were accessing data on their hard drive. It makes dealing with networked systems all over the world a lot easier.
Other operating systems, such as Unix, Linux and OS/2, use Samba to connect and provide file-sharing services within a network by speaking the same language as SMB.
SMB History and Evolution
During the mid-1990s, Microsoft incorporated SMB in their LAN Manager product, which IBM initially built. SMB 1.0 was renamed common internet file system (CIFS), and Microsoft published draft standards to the Internet Engineering Task Force (IETF), though these have now expired.
SMB and early CIFS implementations had a number of flaws that limited their applicability to managing small files for end-users. The protocol was “chatty,” which resulted in poor performance over long distances or when there was a lag between client and server. Around this time, the Samba project was born, with the goal of reverse-engineering the SMB/CIFS protocol and developing an SMB server that would allow MS-DOS clients to access files on Unix machines.
SMB has gone through a few evolutions since then.
SMB 2.0
Microsoft released SMB2 with Windows Vista in 2006. SMB 2.0 had a significant number of improvements over SMB 1.0, particularly cutting the “chattiness” of the protocol by reducing the number of commands and subcommands from hundreds to 19.
The term CIFS became redundant, as it only applied to SMB version 1.0.
SMB2 supported many other improvements like TCP window scaling and WAN acceleration, opportunistic locking and a feature known as “pipelining” to enable multiple requests to be queued at the same time.
Performance improvements included allowing larger block sizes, which improved large file transfers. Microsoft introduced “durable file handles” that allowed the connection to an SMB server to survive brief network failures frequently seen in wireless networks. They did this by allowing clients to transparently reconnect to servers.
SMB 2.1
SMB 2.1 was released alongside Windows 7 and Windows Server 2008, and included minor upgrades.
SMB 3.0
With Windows 8 and Windows Server 2012, SMB 3.0 (also known as SMB 2.2) was released. SMB3 included significant protocol modifications such as the SMB Direct Protocol (SMB over remote direct memory access, or RDMA) and SMB Multichannel (many connections per SMB session), which are meant to improve SMB2 performance, particularly in virtualized data centers.
SMB 3.1.1
SMB 3.1.1 was introduced alongside Windows Server 2016 and Windows 10. The protocol comes with additional security measures, including advanced encryption, expanded caching options and pre-authentication features to address man-in-the-middle attacks.
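To check which of these versions a server actually negotiated, a defender can read the dialect out of the negotiate response sent over TCP 445. The following is an added example, not part of the original article: the dialect codes and field offsets follow Microsoft's MS-SMB2 specification, the frames are constructed samples rather than captured traffic, and `classify_negotiate` and `build_sample` are hypothetical names.

```python
import struct

# SMB2 dialect revision codes from the MS-SMB2 specification.
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SIGNING_REQUIRED = 0x0002      # SecurityMode bit: server requires signing
SERVER_TO_REDIR = 0x00000001   # Flags bit: message is a response

def classify_negotiate(frame: bytes) -> dict:
    """Classify one Direct TCP (port 445) frame holding a negotiate response."""
    if len(frame) < 8 or frame[0] != 0:
        raise ValueError("not a Direct TCP transport frame")
    length = int.from_bytes(frame[1:4], "big")   # 3-byte big-endian length
    msg = frame[4:4 + length]
    if len(msg) < length:
        raise ValueError("truncated frame")
    if msg[:4] == b"\xffSMB":                    # SMB1/CIFS protocol id
        return {"dialect": "SMB 1.0 (CIFS)", "signing_required": None,
                "encryption_capable": False, "preauth_integrity": False}
    if msg[:4] != b"\xfeSMB" or len(msg) < 70:
        raise ValueError("not an SMB2 message with a negotiate body")
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if command != 0 or not flags & SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    security_mode, revision = struct.unpack_from("<HH", msg, 66)
    return {"dialect": DIALECTS.get(revision, f"unknown 0x{revision:04x}"),
            "signing_required": bool(security_mode & SIGNING_REQUIRED),
            "encryption_capable": revision >= 0x0300,   # encryption arrived with SMB 3.0
            "preauth_integrity": revision == 0x0311}    # SMB 3.1.1 only

def build_sample(revision: int, security_mode: int) -> bytes:
    """Constructed response with only the fields the parser reads (not a capture)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1,
                         SERVER_TO_REDIR, 0, 0, 0, 0, 0, bytes(16))
    body = struct.pack("<HHHH16s", 65, security_mode, revision, 0, bytes(16))
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

if __name__ == "__main__":
    for rev, mode in ((0x0311, 0x0003), (0x0210, 0x0001)):
        print(classify_negotiate(build_sample(rev, mode)))
    print(classify_negotiate(b"\x00\x00\x00\x04\xffSMB"))
```

A server that answers with the SMB1 protocol id, or with a dialect below 3.0 and signing not required, is a candidate for hardening.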
SMB Protocol Ports
To provide file and print-sharing services within a network, SMB uses a number of ports. The following are all known SMB v2/v3 ports:
- TCP 445 — SMB over transmission control protocol (TCP) without the need for a network basic input/output system (NetBIOS).
- UDP 137 — SMB over user datagram protocol (UDP) (name service).
- UDP 138 — SMB over UDP (datagram).
- TCP 139 — SMB over TCP (session service).
SMB Ports 139 and 445 Explained
There are two common ports you will see with SMB: port 139 and port 445. Here’s what they do.
Port 139
Port 139 is used by the NetBIOS session service. Prior to Windows 2000, most operating systems used TCP 139, with SMB running on top of NetBIOS. NetBIOS is a service on the Open Systems Interconnection (OSI) model’s session layer that allows applications to communicate with one another within a local area network (LAN). If the port is exposed, those applications could be communicating with anyone on the internet, but because of security concerns, that is not recommended.
Port 445
Windows uses port 445 for file sharing across the network. From Windows 2000 onward, Microsoft changed SMB to use port 445. Microsoft directory services, often known as Microsoft-DS, use port 445.
TCP and UDP protocols both use port 445 for numerous Microsoft services. For file replication, user and computer authentication, group policy and trusts, Microsoft Active Directory and Domain Services use this port. SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR and SrvSvc protocols and services are most likely to be found on these ports.
Is SMB Secure?
While different versions of SMB provide varying levels of security and protection, SMBv1 was discovered to have a vulnerability that hackers may exploit to execute their code without the user’s knowledge. When a device becomes infected, it attacks other devices that are linked to it. The National Security Agency (NSA) uncovered the flaw in 2017.
The exploit was called EternalBlue, and it was taken from the NSA and posted online by the Shadow Brokers hacker group. Microsoft did issue a patch to address the vulnerability, but the WannaCry ransomware attack hit the world just a month later.
More recently, LemonDuck malware has taken advantage of EternalBlue and launched brute-force attacks on SMB services to gain network access. Meanwhile, hackers spread DarkGate malware via Samba file shares in a brief campaign. SMB security has improved over the years, but the protocol isn’t immune to attacks — especially as malicious players invent new methods for infiltrating SMB services.
How to Prevent SMB Vulnerabilities
To keep your SMB services secure, combine the following tools and best practices for shoring up your defenses against SMB attacks.
Patch All Devices
Attackers will be unable to use these exploits against a patched machine, but a huge number of Windows computers have yet to be patched. The March 2017 update from Microsoft can assist in patching the server message block vulnerabilities. If you use a Windows 10 or later system, the fixes are already built in. This is why most SMB attacks target Windows 7 and earlier. Furthermore, the WannaCry patch can prevent EternalBlue exploits and similar flaws.
Practice Healthy SMB Habits
As with other areas of security, it’s better to have several layers of protection against cyberattacks. Apart from the WannaCry and ransomware patches, you can further safeguard your systems by restricting SMB access from the internet, blocking SMB on offsite computers when they are in public areas and removing SMB if it’s not needed.
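One way to verify that SMB access from the internet is actually restricted is to audit firewall flow logs for allowed inbound connections to the SMB ports listed earlier. The following is an added example, not part of the original article: the log format, the sample records and the name `exposed_smb_flows` are constructed for illustration, and "internal" is assumed to mean the RFC 1918 private ranges.

```python
import ipaddress
import re

# SMB-related ports as listed in the article: (protocol, port) -> service.
SMB_PORTS = {("TCP", 445): "SMB over TCP", ("TCP", 139): "NetBIOS session",
             ("UDP", 137): "NetBIOS name", ("UDP", 138): "NetBIOS datagram"}

# Assumption: "internal" means the RFC 1918 ranges; adjust for your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical log format: "<time> <ALLOW|DENY> <TCP|UDP> <src>:<port> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Constructed records; external hosts use documentation address ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ALLOW TCP 10.1.2.3:50122 -> 10.1.9.20:445
2024-05-01T10:00:04Z ALLOW TCP 203.0.113.7:41000 -> 10.1.9.20:445
2024-05-01T10:00:09Z DENY TCP 198.51.100.23:41822 -> 10.1.9.21:139
2024-05-01T10:00:12Z ALLOW UDP 198.51.100.23:137 -> 10.1.9.21:137
2024-05-01T10:00:15Z ALLOW TCP 203.0.113.7:41001 -> 10.1.9.20:443
2024-05-01T10:00:17Z ALLOW TCP 172.20.5.5:50301 -> 10.1.9.20:139
malformed line
"""

def exposed_smb_flows(log_text: str) -> list:
    """Return ALLOWed flows from non-internal sources to an SMB port."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # not in the expected format
        ts, action, proto, src, _sport, dst, dport = m.groups()
        service = SMB_PORTS.get((proto, int(dport)))
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue                          # unparseable source address
        external = not any(ip in net for net in INTERNAL_NETS)
        if service and action == "ALLOW" and external:
            findings.append((ts, src, dst, f"{proto}/{dport}", service))
    return findings

if __name__ == "__main__":
    for finding in exposed_smb_flows(SAMPLE_LOG):
        print("EXPOSED:", *finding)
```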
Establish Firewall and Endpoint Protection Measures
Firewalls are excellent tools for regulating network traffic, ensuring only authorized users can access network information. For any devices that fall outside firewalls, endpoint protection methods like antivirus software can shield laptops, phones and other devices from the initial attempts of cyber attackers.
Invest in Detection Tools and Services
Finally, vulnerability scanning and managed detection and response services can help your system avoid and identify SMB attacks and other cyberattacks.