What is SMB protocol?
SMB stands for Server Message Block, once known as Common Internet File System, is a communication protocol for providing shared access between systems on a network. At a high level, it is a set of rules adopted to share files, printers in a network.
SMB is a file sharing protocol that involves computers communicating with each other in a local network. This local network could be a small business within the same office or a multi-national company with offices around the globe connected to each other.
A similar analogy is to knock on doors to see if someone is home. An open port would accept connections, similar to opening the door to someone knocking on the door.
How does it work?
The SMB protocol establishes communication by creating a client-server connection based on sending request-response messages back and forth. This setup would then set up a file-sharing as if a user is accessing files on their hard drive. It would make working easier with networked systems across the globe. Just like HTTPS port 443, SMB port utilises a specific set of ports for all file and print communication.
Within the same network, other operating systems like Unix, Linux, and OS/2 use Samba to speak the same language as SMB in order to connect and provide file-sharing services within a network. More information on these terms and dialects is provided below.
The very first version of this network communication protocol was designed at IBM in 1984. Microsoft modified it in 1990.
Samba is an open-source suite that provides file and print services for Linux systems in an Active Directory environment. In other words, Linux/Unix systems utilise Samba for file and print services in a windows network.
CIFS (Common Internet File System) came into existence in 1996 along with Windows 95. It had more features especially enabling support for large file transfers.
CIFS vs SMB
CIFS, which stands for Common Internet File System, was an early version of SMB developed by Microsoft. The way CIFS works is using the client-server model (similar to SMB) to share files across systems in a network. CIFS and SMB are used interchangeably during discussions. These are interchangeable not only in talking terms but also technically because CIFS is a form of SMB.
In 2006, Microsoft released a big revision to Server Message Block (SMB) through the launch of Windows Vista. Although the Operating System did not do very well in the market, SMB 2.0 was introduced with multiple changes such as:
- Massive reduction in the commands and subcommands from 100 to 19
- New functions such as symbolic links support, queue function, storage/caching
- Message signing using HMAC SHA-256
- Better scalability and overall performance
SMB 2.1, SMB 3.0 and 3.1
With Windows 7, version 2.1 was launched and Microsoft released SMB 3.0 in 2012. This was initially referred to as SMB 2.2 but was changed later to SMB 3.0.
SMB version 3.1.1 is considered as the most recent (published in 2015) one that expanded the protocol series with integrity checks based on SHA-256 hash values and utilising AES-128 with GCM (Galois/Counter Mode).
What ports are used by SMB protocol?
SMB makes use of several ports to enable file and print sharing services within a network. All the known ports used by SMB v2/v3 are:
TCP 445 – SMB over TCP without the need for NetBIOS
UDP 137 – SMB over UDP (Name Services)
UDP 138 – SMB over UDP (Datagram)
TCP 139 – SMB over TCP (Session service)
What are ports 139 and 445?
The two most used SMB ports utilising file and print services on a network are 139 and 445.
NetBIOS session service utilises port 139. Pre Windows 2000 operating systems mostly used port TCP 139 where SMB ran on top of NetBIOS. NetBIOS, an acronym for Network Basic Input/Output System, provides services on the session layer of the OSI model allowing applications to talk to each other within a local network (LAN). This can be anyone on the internet also, however, it is not a recommended option due to security reasons.
Simply put, port 445 is used for file sharing over the network by windows. Microsoft made a change to run SMB over port 445 from Windows 2000. Port 445 is used by Microsoft directory services, known as Microsoft-DS.
Port 445 is used by both TCP and UDP protocols for several Microsoft services. Microsoft active directory and domain services use this port for file replication, user and computer authentication, group policy and trusts. Most likely traffic on these ports relates to SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR and SrvSvc protocols and services.
How to check if SMB port is open?
There are multiple ways to check if SMB port is open on a windows system.
Open the command prompt and run the following commands and filter the port number ( 445 in this example) to see the status.
netstat -an | findstr 445
How to check which SMB version is enabled?
You can open cmd.exe and run this command to query the status of the lanmanworkstation service that maintains SMB network connections.
sc qc lanmanworkstation
As illustrated in the above screenshot, MrxSMB20 represents SMB v2 and MrxSMB10 is equivalent to SMB v1 in use.
Is SMB secure?
NetBIOS port 139 over the internet or on WAN is a HIGH risk. To put this into perspective, you must raise this issue to the highest possible level to get this restricted ASAP. Yes, it is that serious! And, the same goes for port 445.
SMB ports are also considered wormable ports. A wormable vulnerability can be exploited by an exploit to initiate a chain reaction that automatically lets the vulnerable machine find and infect other vulnerable machines.
WannaCry exploited legacy versions of Windows computers that used an outdated version of the SMB protocol. WannaCry is a network worm with a transport mechanism designed to automatically spread itself. The transport code scans for systems vulnerable to the EternalBlue exploit and then installs DoublePulsar, a backdoor tool, and executes a copy of itself.
Threat actors utilise scripts, bots, scanners and other utilities to constantly look for open ports 139 and 445. This is often one of the low hanging fruits in order to attempt attacks and if successful, provides an in-road into a company’s internal network. For this very reason, it is vital that businesses constantly check their exposed services with routine checks on open ports and listening services over the internet.
Several dangerous attacks in the past exploited SMB weaknesses (both protocol and configurational weaknesses). The most common incidents are EternalBlue zero-day exploit and WannaCry ransomware.
If you recall WannaCry ransomware attack, this ransomware took advantage of SMBv1 protocol. The very first recommendation was to disable SMBv1 in use. Where this was not possible, the following ports were added for blocking on network devices and host-based firewalls:
- UDP 137 and 138
- TCP 139 and 445
How to keep SMB ports secure?
Interconnection of computers over the internet is inevitable, especially when resources are being shared. Equally, you must be on the lookout to avoid being attacked by malicious users. Exposed SMB ports on Windows servers are an easy invite for attackers and can allow hackers to access an individual system or company network.
SMB administrators can reduce the exposure of SMB ports to risks and internet attacks by implementing some simple strategy. Keeping your SMB port secure requires you to take the following steps:
Never expose SMB ports on the internet.
Firewall protection and endpoint protection can help to protect your network from attacks and hackers. Make sure all inbound and outbound SMB traffic is restricted.
The use of VPN software to encrypt and protect the network traffic whilst outside the office is recommended.
Regularly updating your systems protects your systems against threats exploiting vulnerable services
The use of VLAN’s in business networks helps to isolate internal traffic based on the need to known basis. This is one of the most effective controls to limit the spread of lateral movements and privilege escalation attacks.
MAC address filtering
MAC address filtering is capable of disabling access to unknown systems attempting to connect to your network. This always filters suspicious networks and attempts connections.
The above steps are the most common ways to stop a threat actor from taking advantage of SMB weaknesses. However, that’s not a comprehensive list and is impossible to prepare a list because attackers utilise multiple ways such as a compromised workstation of an employee would act as a legitimate asset within a network. Therefore, a proactive cyber security approach ensuring that the security strategy is built on strong basics with the inclusion of a defence-in-depth approach, layered architecture that follows the least privilege principle and involves collective effort from people, process and technology pillars when it comes to securing an organisation.
We help businesses protect their most prized assets by securing their cyber sphere. This includes carrying out independent technical security assessments to identify gaps and provide an accurate risk posture to help customers handle their digital risks. Get in touch to discuss your primary security concerns, it includes a free consultation call to advise you without any salesy tactics.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.