Mark
Premium
join:2001-11-15
Phoenix, AZ
kudos:1

SMB Service - Port 445

The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445.
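The difference Mark describes is visible on the wire. The following is an added example, not part of his post or any Microsoft code: it builds the NetBIOS session request and session-message framing that SMB over NBT on TCP 139 needs, beside the bare 4-byte length header that SMB directly over TCP 445 uses instead. The host names and the SMB payload bytes are constructed for illustration, and nothing is sent on the network.

```python
"""Added example, not part of the original post or any Microsoft code: the
two framings the post contrasts, SMB over NBT on TCP 139 (a NetBIOS session
request, then session messages) and SMB directly over TCP 445 (a 4-byte
length header per message, no session request).  Host names and the SMB
payload below are constructed; nothing is sent on the network."""
import struct

NB_SESSION_MESSAGE = 0x00
NB_SESSION_REQUEST = 0x81


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding.  The name is upper-cased, space-padded
    to 15 bytes and given a 1-byte suffix (0x20 = server service, 0x00 =
    workstation); each of the 16 bytes is split into nibbles and each nibble
    is added to 'A', yielding a 32-byte label: length, label, terminator."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    label = bytearray()
    for b in raw:
        label.append(0x41 + (b >> 4))
        label.append(0x41 + (b & 0x0F))
    return bytes([len(label)]) + bytes(label) + b"\x00"


def decode_netbios_name(encoded: bytes) -> tuple:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    n = encoded[0]
    if n != 32 or len(encoded) < n + 2 or encoded[n + 1] != 0:
        raise ValueError("malformed NetBIOS name label")
    body = encoded[1:1 + n]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41)
                for i in range(0, n, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def nbt_session_request(called: str, calling: str) -> bytes:
    """The packet a client must send first on TCP 139 (type 0x81).  Header is
    type, flags, 16-bit length; body is the called name then the calling name."""
    body = encode_netbios_name(called, 0x20) + encode_netbios_name(calling, 0x00)
    return struct.pack(">BBH", NB_SESSION_REQUEST, 0, len(body)) + body


def nbt_session_message(smb: bytes) -> bytes:
    """On 139 each SMB message is wrapped in a type-0x00 session message."""
    return struct.pack(">BBH", NB_SESSION_MESSAGE, 0, len(smb)) + smb


def direct_tcp_frame(smb: bytes) -> bytes:
    """On 445 there is no NetBIOS session: each SMB message is preceded by a
    zero byte and a 24-bit big-endian length (the 'direct TCP transport')."""
    if len(smb) >= 1 << 24:
        raise ValueError("SMB message too long for the 24-bit length field")
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_direct_tcp_frame(data: bytes) -> bytes:
    """Extracts one 445-style frame.  The length is attacker-controlled input,
    so a receiver must bound it against the bytes actually received rather
    than trusting the header."""
    if len(data) < 4 or data[0] != 0:
        raise ValueError("not a direct TCP transport header")
    length = int.from_bytes(data[1:4], "big")
    if len(data) < 4 + length:
        raise ValueError("truncated frame: header claims %d bytes" % length)
    return data[4:4 + length]


# Constructed stand-in for an SMB1 header (0xFF 'SMB', a command byte, padding).
SAMPLE_SMB = b"\xffSMB\x72" + b"\x00" * 27


if __name__ == "__main__":
    print("139 session request :", nbt_session_request("FILESERVER", "LAPTOP").hex())
    print("139 session message :", nbt_session_message(SAMPLE_SMB).hex())
    print("445 direct TCP frame:", direct_tcp_frame(SAMPLE_SMB).hex())
```

The practical consequence for a scanner or a firewall: on 139 a probe has to get a positive session response (type 0x82) before it can even send a negotiate, whereas on 445 the very first bytes after the TCP handshake are already SMB, which is why worms that target 445 need no NetBIOS name knowledge at all.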

NetWatchMan
Premium
join:2001-03-13
Alpharetta, GA

Re: SMB Service - Port 445

Deloader worm and update on tcp/445:

»www.mynetwatchman.com/kb/securit···/445.htm

TCP port 445 is used for *direct* Microsoft Networking access. More specifically, it enables direct TCP/IP access to Microsoft Networking functions WITHOUT the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2000 and XP).

Hosts which are generating port probing to this port are usually worm infected. The most recent worm released with this pattern is the W32.Deloader worm (see below). Most anti-virus vendors didn't release anti-virus definitions for 2-3 days after the worm appeared, causing even anti-virus-protected systems to be infected.

Additionally, because Deloader uses a much more extensive password list in its password crack routine, we are seeing it being more prolific than earlier worms using this same technique. We are also seeing firewall-protected networks becoming infected as a result of mobile laptops, AOL connections, and other VPN connections, in much the same manner as the Opaserv worm, see: udp/137

This port is also a common target for Warez hackers who seek to turn your PC into a public file server. If anti-virus scans don't find a problem, you'll have to do a manual forensic analysis to identify a possible Pubstro compromise as shown here: mNW Pubstro Analysis Guide
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch
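The pattern Lawrence describes (one host probing many addresses on tcp/445) is easy to pull out of firewall logs. The following is an added example, not code from myNetWatchman or the post: it parses constructed firewall-style log lines, counts distinct 445 targets per source, and marks whether the scanning host sits in an RFC 1918 range, which is the "infected laptop behind the firewall" case the post warns about. The log format, every address and the threshold are assumptions for illustration.

```python
"""Added example, not from the myNetWatchman post: a detector for the pattern
it describes, one host probing many addresses on tcp/445.  The log format and
all addresses are constructed for illustration; the threshold is an
assumption to tune per network."""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# RFC 1918 ranges: a scanner inside these is the infected-laptop-behind-the-
# firewall case, not an Internet probe, and needs a different response.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall-style log (not real data).
SAMPLE_LOG = """\
2003-03-10T02:11:01 DROP TCP 203.0.113.7:4521 -> 198.51.100.10:445
2003-03-10T02:11:01 DROP TCP 203.0.113.7:4522 -> 198.51.100.11:445
2003-03-10T02:11:02 DROP TCP 203.0.113.7:4523 -> 198.51.100.12:445
2003-03-10T02:11:02 DROP TCP 203.0.113.7:4524 -> 198.51.100.13:445
2003-03-10T02:11:05 DROP UDP 203.0.113.9:137 -> 198.51.100.10:137
2003-03-10T02:12:00 ALLOW TCP 10.0.0.5:1033 -> 10.0.0.20:445
2003-03-10T02:12:30 ALLOW TCP 10.0.0.5:1034 -> 10.0.0.20:445
2003-03-10T02:13:00 ALLOW TCP 10.0.0.5:1035 -> 10.0.0.20:445
2003-03-10T02:14:10 DROP TCP 192.168.1.50:2001 -> 192.168.1.1:445
2003-03-10T02:14:10 DROP TCP 192.168.1.50:2002 -> 192.168.1.2:445
2003-03-10T02:14:10 DROP TCP 192.168.1.50:2003 -> 192.168.1.3:445
this line is garbage and must be skipped
"""


def parse_line(line):
    """Returns the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_445_scanners(lines, min_targets=3):
    """Returns {src: {"targets": n, "internal": bool}} for every source that
    attempted TCP connections to at least min_targets distinct hosts on 445.
    Distinct destinations, not connection count, is the signal: a legitimate
    client reconnects to the same file server many times and is not a scanner."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != "445":
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: {"targets": len(dsts), "internal": is_internal(src)}
            for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, info in sorted(find_445_scanners(SAMPLE_LOG.splitlines()).items()):
        where = "INSIDE the perimeter" if info["internal"] else "Internet"
        print(f"{src}: {info['targets']} distinct tcp/445 targets ({where})")
```

Run against the constructed log, the external host 203.0.113.7 and the internal host 192.168.1.50 are flagged, while 10.0.0.5, which only talks to one file server, is not. The internal hit is the one to chase first: a blocked inbound probe from the Internet is background noise, an internal host sweeping 445 is usually already infected.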

Krispy1
Premium
join:2001-12-11
the stix
kudos:1

Windows Null Sessions Exploit and the IraqiWorm

If this port is open you are also potentially vulnerable to the Windows Null Sessions Exploit and the IraqiWorm. Many machines vulnerable to this exploit are used as zombies in denial of service attacks.

For more information on the IraqiWorm (aka Iraqi_oil) visit...
»www.mynetwatchman.com/kb/securit···ndex.htm

For information on disabling Windows Null Sessions visit...
»www.brown.edu/Facilities/CIS/CIR···ull.html

rtcpenguin
Premium
join:2001-01-21
Fairfax, VA

Yeah

I'm a big fan of this port.

Cleophus2

join:2004-03-04
V6E-1L3

Close 445 in Registry

I was reading of a registry tweak that can shut port 445 by disabling NetBT. Seems to do the trick, but I've not yet figured out the down side completely.

HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Give 'TransportBindName' a nil value by deleting '\Device\'

I'm on XP, can't vouch for it on any other OS.

moparman77

join:2003-11-02
London, ON

Re: Close 445 in Registry

Is it not possible to simply stop the service in Windows 2000? Under services (in the administrative tools), there is one called TCP/IP Netbios Helper Service, if you change that to disabled, will that do it?

Shaun
moparman77

join:2003-11-02
London, ON

Actually, just a little note here, but along the same lines. I have a little laptop (old) running Windows 98SE (that's all it'll handle), and I couldn't see it with the two Win2000 machines, nor could it see the rest of the network. Then, after thinking about this topic, it struck me. Windows 98SE cannot use NetBIOS over TCP/IP, so I installed the NetBIOS protocol on the Win2000 machines and all is well...