The Server Message Block Protocol (SMB Protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports, and data on a network. It can also carry transaction protocols for authenticated inter-process communication.
In short, the SMB protocol is a way for computers to talk to each other.
How Does the SMB Protocol Work?
SMB works through a client-server approach, where a client makes specific requests and the server responds accordingly. This is known as a response-request protocol. This protocol facilitates file shares between networked computers.
Once connected, it enables users or applications to make requests to a file server and access resources like printer sharing, mail slots, and named pipes on the remote server. This means a user of the application can open, read, move, create, and update files on the remote server.
SMB was originally designed by Barry Feigenbaum at IBM in 1983 with the aim of turning DOS INT 21h local file access into a networked file system and was originally designed to run on top of NetBIOS over TCP/IP (NBT) using IP port 139 and UDP ports 137 and 138.
Software applications that run on a NetBIOS session service locate and identify each other via their NetBIOS names over TCP port 139.
Microsoft merged the SMB protocol with their LAN Manager product that it started developing in 1990 and continues to add features to the protocol in Windows for Workgroups.
Learn how to respond to the Fortigate SSL VPN vulnerability >
In 1996, Microsoft launched an initiative to rename SMB to Common Internet File System (CIFS) and added more features, including support for symbolic links, hard links, larger file sizes, and an initial attempt to support direct connections over TCP port 445 without requiring NetBIOS as a transport (a largely experimental effort that required further refinement).
By Microsoft Windows 2000, Microsoft had changed SMB to operate over port 445. SMB still uses port 445.
This proved to be problematic as CIFS was a notoriously chatty protocol that could ruin network performance due to latency and numerous acknowledgments. While Microsoft estimates that SMB/CIFS compromised less than 10% of network traffic in the average Enterprise network, that is still a significant amount of traffic.
Microsoft explained performance issues were primarily because SMB 1.0 is a block-level rather than streaming protocol that was designed for small LANs.
The next dialect, SMB 2.0, improved the protocol's efficiency by reducing its hundreds of commands and subcommand down to 19.
Microsoft continues to invest in improving SMB performance and security. SMB 3.0 which was introduced with Windows 8 and Windows Server 2012 brought several significant changes that added functionality and improved SMB2 performance, notably in virtualized data centers.
Additionally, it introduced several security enhancements such as end-to-end encryption and a new AES-based signing algorithm.
Learn how to respond to the MOVEit Transfer zero-day >
What are the SMB Protocol Dialects?
The SMB protocol was created in the 1980s by IBM and has spawned multiple dialects designed to meet evolving network requirements. For example, the Common Internet File System (CIFS) mentioned above is a specific implementation of SMB that enables file sharing.
Important SMB implementations include:
SMB 1.0 (1984)
Created by IBM for file sharing in DOS. It introduced opportunistic locking as a client-side caching mechanism designed to reduce network traffic.
Samba (1992)
Samba is an open-source implementation of the SMB protocol and Microsoft Active Directory for Unix systems and Linux distributions that supports file sharing and print services, authentication and authorization, name resolution, and service announcements between Linux/Unix servers and Windows clients.
CIFS (1996)
Microsoft-developed SMB dialect that debuted in Windows 95 and added support for larger file sizes, transport directly over TCP/IP, symbolic links, and hard links.
NQ (1998)
NQ is a family of portable SMB client and server implementations developed by Visuality Systems. NQ is portable to non-Windows platforms such as Linux, iOS, and Android and supports SMB 3.1.1 dialect.
Netsmb (2004)
Netsmb is a family of in-kernel SMB client and server implementations in BSD operating systems.
SMB 2.0 (2006)
Released with Windows Vista and Windows Server 2008, SMB v2 reduced chattiness to improve performance, enhance scalability and resiliency, and added support for WAN acceleration.
Tuxera SMB (2009)
Tuxera is also a proprietary SMB implementation that runs in either kernel or user-space.
Likewise (2009)
Likewise developed a CIFS/SMB implementation that provided a multiprotocol, identity-aware platform for network access to files in OEM storage products built on Linux/Unix based platforms.
SMB 2.1 (2010)
Introduced with Windows Server 2008 R2 and Windows 7. The client oplock leasing model replaced opportunistic locking to enhance caching and improve performance. It also introduced large maximum transmission unit (MTU) support and improved energy efficiency, enabling clients to open files from an SMB server to enter sleep mode.
SMB 3.0 (2012)
Debuted in Windows 8 and Windows Server 2012. It introduced several significant improvements to availability, performance, backup, security, and management.
MoSMB (2012)
MoSMB is a proprietary SMB implementation for Linux and other Unix-like systems, developed by Ryussi Technologies. It supports only SMB 2.x and SMB 3.x.
SMB 3.02 (2014)
Introduced in Windows 8.1 and Windows Server 2012 R2 and included performance updates and the ability to disable CIFS/SMB 1.0 support, including the removal of related binaries.
SMB 3.1.1 (2015)
Released with Windows 10 and Windows Server 2016 and added support for advanced encryption, preauthentication integrity to prevent man-in-the-middle attacks and cluster dialect fencing.
What are Ports 139 and 445?
SMB is a network file sharing protocol that requires an open port on a computer or server to communicate with other systems. SMB ports are generally port numbers 139 and 445.
Port 139 is used by SMB dialects that communicate over NetBIOS. It operates as an application layer network protocol for device communication in Windows operating systems over a network. For example, printers and serials ports communicate via Port 139.
Port 445 is used by newer versions of SMB (after Windows 2000) on top of a TCP stack, allowing SMB to communicate over the Internet. This also means you can use IP addresses in order to use SMB like file sharing.
Are Open Ports Dangerous?
While port 139 and 445 aren't inherently dangerous, there are known issues with exposing these ports to the Internet. You can check if a port is open by using the netstat command.
There is a common misconception that an open port is dangerous. This is largely driven by a lack of understanding of how open ports work, why they are open, and which ones shouldn't be open.
Open ports are necessary to communicate across the Internet. However, an open port can become a security risk when the service listening to the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules.
The most dangerous open ports are wormable ports, like the one that the SMB protocol uses, which are open by default in some operating systems.
Early versions of the SMB protocol were exploited during the WannaCry ransomware attack through a zero-day exploit called EternalBlue.
WannaCry exploited legacy versions of Windows computers that used an outdated version of the SMB protocol. WannaCry is a network worm with a transport mechanism designed to spread itself automatically. The transport code scans for systems vulnerable to the EternalBlue exploit and then installs DoublePulsar, a backdoor tool, and executes a copy of itself.
An infected computer will search its Windows network for devices accepting traffic on TCP ports 135-139 or 445, indicating the system is configured to run SMB.
It will then initiate an SMBv1 connection to the device and use buffer overflow to take control of the system and install the ransomware component of the attack.
This means WannaCry can spread automatically without victim participation.
The good news is that the Windows has since released a security update to Windows XP, Windows Server 2003, Windows 8, Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2016 to prevent this exploit.
How to Keep Ports 139 and 445 Secure
Here are some other ways you can keep ports 139 and 445 secure from hackers.
Avoid Exposing SMB Ports
Ports 135-139 and 445 are not safe to publicly expose and have not been for a decade.
Patch Everything
Keep your systems up-to-date to avoid exploits of known vulnerabilities and cyberattacks such as NetBIOS name service (NBNS) spoofing and Main-in-the-Middle (MITM) attacks.
No Single Point of Failure
Whether it's ransomware, malware, hardware failure, database error, or something else. If your data is important, then it should be backed up, at least one other secure location.
Use a Firewall or Endpoint Protection
Most solutions will include a blacklist of known attacker IP addresses and their most used ports during attacks.
Use a Virtual Private Network (VPN)
VPNs encypt and protect network traffic.
Implement Virtual Local Area Networks (VLANs)
VLANs can be used to isolate internal network traffic
Use MAC Address Filtering
This can prevent unknown systems from accessing your network.
UpGuard Can Secure Your Open Ports
UpGuard can protect your business from data breaches, identify all of your data leaks, and help you continuously monitor the security posture of all your vendors.
UpGuard also supports compliance across a myriad of security frameworks, including the new requirements set by Biden's Cybersecurity Executive Order.
Get a preliminary evaluation of your organization’s data breach risk. Click here to request your free instant security score now.