The Server Message Block Protocol (SMB Protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports, and data on a network. It can also carry transaction protocols for authenticated inter-process communication.
In short, the SMB protocol is a way for computers to talk to each other.
How does the SMB protocol work?
SMB works through a client-server approach, where a client makes specific requests and the server responds accordingly. This is known as a response-request protocol.
Once connected, it enables users or applications to make requests to a file server and access resources like printer sharing, mail slots, and named pipes on the remote server. This means a user of application can open, read, move, create, and update files on the remote server.
SMB was originally designed by Barry Feigenbaum at IBM in 1983 with the aim of turning DOS INT 21h local file access into a networked file system and was originally designed to run on top of NetBIOS over TCP/IP (NBT) using IP port 139 and UDP ports 137 and 138. Software applications that run on a NetBIOS network locate and identify each other via their NetBIOS names.
Microsoft merged the SMB protocol with their LAN Manager product that it started developing in 1990 and continue to add features to the protocol in Windows for Workgroups.
In 1996, Microsoft launched an initiative to rename SMB to Common Internet File System (CIFS) and added more features, including support for symbolic links, hard links, larger file sizes, and an initial attempt to support direct connections over TCP port 445 without requiring NetBIOS as a transport (a largely experimental effort that required further refinement).
By Microsoft Windows 2000, Microsoft had changed SMB to operate over port 445. SMB still uses port 445.
This proved to be problematic as CIFS was a notoriously chatty protocol that could ruin network performance due to latency and numerous acknowledgments. While Microsoft estimates that SMB/CIFS compromised less than 10% of network traffic in the average Enterprise network, that is still a significant amount of traffic.
Microsoft explained performance issues were primarily because SMB 1.0 is a block-level rather than streaming protocol that was designed for small LANs.
The next dialect, SMB 2.0, improved the protocol's efficiency by reducing its hundreds of commands and subcommand down to 19.
Microsoft continues to invest in improving SMB performance and security. SMB 3.0 which was introduced with Windows 8 and Windows Server 2012 brought several significant changes that added functionality and improved SMB2 performance, notably in virtualized data centres.
Additionally, it introduced several security enhancements such as end-to-end encryption and a new AES based signing algorithm.
What are the SMB protocol dialects?
The SMB protocol was created in the 1980s by IBM and has spawned multiple dialects designed to meet evolving network requirements. For example, the Common Internet File System (CIFS) mentioned above is a specific implementation of SMB that enables file sharing.
Important SMB implementations include:
- SMB 1.0 (1984): Created by IBM for file sharing in DOS. It introduced opportunistic locking as a client-side caching mechanism designed to reduce network traffic.
- Samba (1992): Samba is an open-source implementation of the SMB protocol and Microsoft Active Directory for Unix systems and Linux distributions that supports file sharing and print services, authentication and authorization, name resolution, and service announcements between Linux/Unix servers and Windows clients.
- CIFS (1996): Microsoft-developed SMB dialect that debuted in Windows 95 and added support for larger file sizes, transport directly over TCP/IP, symbolic links, and hard links.
- NQ (1998): NQ is a family of portable SMB client and server implementations developed by Visuality Systems. NQ is portable to non-Windows platforms such as Linux, iOS, and Android and supports SMB 3.1.1 dialect.
- Netsmb (2004): Netsmb is a family of in-kernel SMB client and server implementations in BSD operating systems.
- SMB 2.0 (2006): Released with Windows Vista and Windows Server 2008, it reduced chattiness to improve performance, enhance scalability and resiliency, and added support for WAN acceleration.
- Tuxera SMB (2009): Tuxera is also a proprietary SMB implementation that runs in either kernel or user-space.
- Likewise (2009): Likewise developed a CIFS/SMB implementation that provided a multiprotocol, identity-aware platform for network access to files in OEM storage products built on Linux/Unix based platforms.
- SMB 2.1 (2010): Introduced with Windows Server 2008 R2 and Windows 7. The client oplock leasing model replaced opportunistic locking to enhance caching and improve performance. It also introduced large maximum transmission unit (MTU) support and improved energy efficiency, enabling clients to open files from an SMB server to enter sleep mode.
- SMB 3.0 (2012): Debuted in Windows 8 and Windows Server 2012. It introduced several significant improvements to availability, performance, backup, security, and management.
- MoSMB (2012): MoSMB is a proprietary SMB implementation for Linux and other Unix-like systems, developed by Ryussi Technologies. It supports only SMB 2.x and SMB 3.x.
- SMB 3.02 (2014): Introduced in Windows 8.1 and Windows Server 2012 R2 and included performance updates and the ability to disable CIFS/SMB 1.0 support, including the removal of related binaries.
- SMB 3.1.1 (2015): Released with Windows 10 and Windows Server 2016 and added support for advanced encryption, preauthentication integrity to prevent man-in-the-middle attacks and cluster dialect fencing.
What are ports 139 and 445?
SMB is a network file sharing protocol that requires an open port on a computer or server to communicate with other systems. SMB ports are generally port numbers 139 and 445.
- Port 139: Used by SMB dialects that communicate over NetBIOS, a transport layer protocol designed to use in Windows operating systems over a network
- Port 445: Used by newer versions of SMB (after Windows 2000) on top of a TCP stack, allowing SMB to communicate over the Internet. This also means you can use IP addresses in order to use SMB like file sharing.
How to keep port 139 and 445 secure
While port 139 and 445 aren't inherently dangerous, there are known issues with exposing these ports to the Internet. You can check if a port is open by using the netstat command.
There is a common misconception that an open port is dangerous. This is largely driven by a lack of understanding into how open ports work, why they are open, and which ones shouldn't be open.
Open ports are necessary to communicate across the Internet. However, an open port can become dangerous when the service listening to the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules.
The most dangerous open ports are wormable ports, like the one that the SMB protocol uses, which are open by default in some operating systems.
WannaCry exploited legacy versions of Windows computers that used an outdated version of the SMB protocol. WannaCry is a network worm with a transport mechanism designed to automatically spread itself. The transport code scans for systems vulnerable to the EternalBlue exploit and then installs DoublePulsar, a backdoor tool, and executes a copy of itself.
An infected computer will search its Windows network for devices accepting traffic on TCP ports 135-139 or 445 indicating the system is configured to run SMB.
It will then initiate an SMBv1 connection to the device and use buffer overflow to take control of the system and install the ransomware component of the attack.
This means WannaCry can spread automatically without victim participation.
The good news is that the Windows has since released a security update to Windows XP, Windows Server 2003, Windows 8, Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2016 to prevent this exploit.
Here are some other ways you can secure port 139 and 445.
- Avoid exposing SMB ports: Ports 135-139 and 445 are not safe to publicly expose and have not been for a decade.
- Patch everything: Keep your systems up-to-date to avoid exploits of known vulnerabilities.
- No single point of failure: Whether it's ransomware, malware, hardware failure, database error, or something else. If your data is important, then it should be backed up, at least one other secure location.
- Use a firewall or endpoint protection: Most solutions will include a blacklist of known attacker IP addresses.
- Use a virtual private network (VPN): VPNs encypt and protect network traffic.
- Implement virtual local area networks (VLANs): VLANs can be used to isolate internal network traffic
- Use MAC address filtering: This can prevent unknown systems from accessing your network.
UpGuard can help you manage your open ports
Our platform explicitly checks for nearly 200 services running across thousands of ports, and reports on any services we can't identify, as well as any open ports with no services detected.