Gunnar Assmy - Fotolia

How to defend against TCP port 445 and other SMB exploits

Keeping TCP port 445 and other SMB ports open is necessary for resource sharing, yet this can create an easy target for attackers without the proper protections in place.

When ports are being discussed, the focus most of the time is on the well-known web ports 80 and 443. But, as security...

admins know, many other Internet Assigned Numbers Authority ports are in use. One that got a lot of attention just a few years ago is port 445, which was exploited as part of the WannaCry and NotPetya ransomware attacks.

Let's look at what port 445 is, why it can pose risks to organizations and how security professionals can support file sharing without putting company assets and information at risk.

What is port 445 and what is it used for?

Port 445 is a traditional Microsoft networking port with tie-ins to the original NetBIOS service found in earlier versions of Windows OSes. Today, port 445 is used by Microsoft Directory Services for Active Directory (AD) and for the Server Message Block (SMB) protocol over TCP/IP.

SMB traffic is important to the functionality of a network not only because it enables resource sharing, including printers and files on the LAN, but also because it is important to the operation of AD. If you're in an office and printing to a printer on another floor, you're probably using SMB.

SMBv1 was introduced in 1984. It has been updated many times, with the most recent version, SMBv3.1.1, being released in 2020. Since resource sharing is one of the main reasons for networking, it's common for companies running Windows to have port 445 open and available on both clients, such as laptops, and servers.

Other ports

SMB is available directly over TCP (port 445) and over NetBIOS over TCP/IP (port 139). Other ports you may see connected with NetBIOS communications are port 137 (nbname) and port 138 (nbdatagram) over User Datagram Protocol. Microsoft Remote Procedure Call (RPC), used for client-server communication, requires an endpoint mapper that is accessible through port 135 or over SMB on port 445.

RPC and SMB exploits

In order for resource sharing and communication to work, ports must be open and accessible. This means they are open for legitimate resource sharing but also become open and always-on targets for attackers.

While RPC and SMB attacks are numerous, the most well-known example is EternalBlue, or CVE-2017-0144. This is the vulnerability behind two of the most infamous ransomware attacks: WannaCry and NotPetya. Any system using the Windows SMBv1 protocol is vulnerable. In addition to Windows desktops and servers, some other equipment, such as medical devices, also use the protocol.

EternalBlue has been used both as the initial vector of attack and as a way to perform lateral movement after a network has been infiltrated. The exploit works when attackers send crafted packets to a system running SMBv1. By doing so, they can run code remotely on that system. In the case of WannaCry, attackers exploited the vulnerability by loading malware on the vulnerable target system and then spreading that malware via the same vulnerability to other systems on the network. EternalBlue was also used in the NotPetya attacks and as part of the TrickBot malware Trojan.

In addition to EternalBlue, SMBv1 is vulnerable to distributed denial-of-service attacks, which can lead to system outages. Race condition issues, such as those in Eternal Champion, where an attacker overwrites the SMB session to execute commands as the privileged user, also plague SMBv1.

Penetration testing for SMB vulnerabilities

Performing penetration tests are one way security admins can test for SMB vulnerabilities and uncover any issues that must be addressed.

Most pen tests start with a port scan, which involves looking across the network to see which ports are open and responding. Port scanning a network can indicate whether port 445 is available and, if it is, whether it's running a vulnerable implementation of SMBv1.

TCP port scanning is performed via network scanner tools, such as the popular and free Nmap scanner, as well as commercial scanners, such as NetScanTools Pro. Network vulnerability scanners, such as Nessus and Qualys, also incorporate TCP port scanning. Regardless of what tools a tester uses, TCP port scanning is an integral step in the vulnerability and pen testing process.

Graphic displaying TCP port scanning techniques
Examples of scanning open and closed ports

How to defend against port 445 exploits

The best way to improve security is to disable SMBv1 and patch to the latest version of SMB. The vulnerabilities discussed above affect SMBv1; using later, nonvulnerable versions of SMB will prevent SMBv1-dependent attacks. Note that Microsoft disabled SMBv1 on Windows 10. Upgrading to the latest version of Windows is also advised.

Another way to prevent SMB exploits is to turn the protocol off and close port 445. This is not a solution for many organizations, however, because it can break network communications and take some Windows services offline. Before disabling or blocking port 445 on Windows systems, perform an in-depth analysis of how it will affect the services and programs running on them.

Other actions that can be taken to improve security while still running SMB include the following:

  • block TCP port 445 at the network perimeter if critical services will not be interrupted;
  • shore up endpoint detection with an integrated product that includes advanced antimalware defense and endpoint detection and response functionality;
  • implement segmentation and isolation wherever possible to prevent lateral movement;
  • enforce strong passwords across the AD domain and for local Windows accounts;
  • maintain a proper inventory of the services and applications running on your systems;
  • enable strong file and share permissions to keep sensitive information locked down; and
  • perform proactive system monitoring and alerting, especially for critical Windows systems.
This was last published in August 2021

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)

SearchCloudSecurity
SearchNetworking
SearchCIO
SearchEnterpriseDesktop
SearchCloudComputing
ComputerWeekly.com
Close