

Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
reply to dave
Re: Windows File Sharing: Facing The Mystery

said by dave:

A good summary. I have a couple of technical nits to pick, though.
NetBIOS using these ports was benign enough initially because they were bound to a protocol called Netbeui.
A little confusion here.

You listed some TCP and UDP ports. Netbeui does not use TCP or UDP ports. When MS Networking (SMB) is using Netbeui, no TCP or UDP ports are involved.
Heh, that's not a "little confusion", that's gross error. Thanks for catching that; it was late.

Netbeui is in fact "portless", just like AH, ESP, and most other protocols aside from 06 and 17.

said by dave:

Also, I wouldn't describe port 135 as being used by Windows File Sharing at all. It's the RPC endpoint mapper, which does not use Windows File Sharing protocols. RPC is not SMB.
Very true, and I covered port 135's role when I described each port. Perhaps I should make the distinction a bit clearer, however.

said by dave:

As far as I am aware, RPC endpoint mapping does not use port 445.
I think it does, actually. Take for example this advisory by CERT where they advocate the following:

said by CERT:

Using a network or host-based firewall, block RPC network traffic (ports 135/tcp, 139/tcp, 445/tcp, 593/tcp and 135/udp, 137/udp, 138/udp, 445/udp).

»www.kb.cert.org/vuls/id/547820
Thanks so much for your comments, Dave, and everyone else's too. This forum just rocks because of the ability for people to bring content here and get it looked at without the negativity associated with many other venues.
--
dmiessler.com - grep understanding knowledge

dave
Premium,MVM
join:2000-05-04
not in ohio
3 edits
reply to Daniel
A good summary. I have a couple of technical nits to pick, though.
NetBIOS using these ports was benign enough initially because they were bound to a protocol called Netbeui.
A little confusion here.

You listed some TCP and UDP ports. Netbeui does not use TCP or UDP ports. When MS Networking (SMB) is using Netbeui, no TCP or UDP ports are involved.

Netbeui identifies endpoints by 'netbios name', not by TCP or UDP port. E.g., the name of the SMB server is the machine name, padded to 16 bytes with spaces. The name of the SMB client is the machine name, padded to 15 bytes with spaces, followed by a zero byte. The name of the messenger service is the machine name, padded to 15 bytes with spaces, followed by a byte with value 3.

Also, I wouldn't describe port 135 as being used by Windows File Sharing at all. It's the RPC endpoint mapper, which does not use Windows File Sharing protocols. RPC is not SMB.

As can be expected, most of the functions taken care of by ports 135-139 when NetBIOS was used are now taken care of by the single port 445. This means that not only file and print sharing take place over 445, but also network browsing functionality and RPC.
As far as I am aware, RPC endpoint mapping does not use port 445.

Port 445 is "CIFS (nee SMB) over Native TCP", replacing "CIFS over Netbios over TCP" -- ports 137/138/139.

There might be some confusion because RPC traffic itself can be carried over named pipes, which are simply files as far as SMB is concerned. i.e., to talk using RPC, you open a pipe using file-access methods over (pick 1) a netbeui session to the smb server, a netbios-over-TCP connection to TCP/139, or a TCP connection to TCP/445.

RPC traffic can also be carried over 'plain TCP', which typically requires you to talk to the port mapper to find out which port to use.

I don't know much about RPC but I know a little about SMB/CIFS.
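
Added example (not part of either post): the 16-byte NetBIOS name layout described above, built and parsed in Python so the service behind a name seen in a capture or name table can be identified from its last byte. The machine name `FILESRV01` is a constructed sample, and the `nbt_encode`/`nbt_decode` helpers go beyond the post by adding the RFC 1001 first-level encoding, which is how these names appear on the wire in NetBIOS over TCP.

```python
# Added example: NetBIOS names as laid out in the post above.
# Suffix byte meanings follow the post: 0x20 (a space) = SMB server,
# 0x00 = SMB client, 0x03 = messenger service.
SUFFIXES = {0x20: "SMB server", 0x00: "SMB client", 0x03: "messenger service"}


def build_name(machine: str, suffix: int) -> bytes:
    """Pad the machine name to 15 bytes with spaces, then append the suffix."""
    raw = machine.upper().encode("ascii")
    if not 0 < len(raw) <= 15:
        raise ValueError("machine name must be 1-15 ASCII characters")
    return raw.ljust(15, b" ") + bytes([suffix])


def classify(name16: bytes) -> tuple[str, str]:
    """Split a 16-byte name into (machine name, service implied by byte 16)."""
    if len(name16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    machine = name16[:15].rstrip(b" ").decode("ascii")
    service = SUFFIXES.get(name16[15], f"unknown suffix 0x{name16[15]:02x}")
    return machine, service


def nbt_encode(name16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes a letter 'A'..'P'."""
    out = bytearray()
    for b in name16:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out)


def nbt_decode(encoded: bytes) -> bytes:
    """Reverse nbt_encode; rejects anything that is not 32 letters A-P."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("expected 32 letters in the range A-P")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))


if __name__ == "__main__":
    for suffix in (0x20, 0x00, 0x03):
        name = build_name("filesrv01", suffix)  # constructed sample name
        print(nbt_encode(name).decode(), classify(name))
```
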