Posted: May 14th, 2018
What is the Windows SMB service?
The Server Message Block (SMB) Protocol is a network file sharing protocol running on port 445. It is implemented in Microsoft Windows Server as the Microsoft SMB service. Microsoft SMB Protocol is installed by default in Microsoft Windows Server. SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, however SMBv1 still exists on operating systems with SMBv2. SMBv3 protocol was introduced in Windows 8 and Windows Server 2012 with an SMB Encryption feature, but it is not configured by default.
What is Windows NetBios/NetBT service?
NetBIOS was a famous protocol co-developed by IBM and Sytek for computer networking in the 80's. Microsoft's implementation of NetBIOS Over TCP/IP (NetBT) provides the NetBIOS programming interface over the TCP/IP protocol, extending the reach of NetBIOS client and server programs to TCP/IP networks and providing interoperability with other operating systems.
It uses the following TCP and UDP ports:
- UDP port 137 (name services)
- UDP port 138 (datagram services)
- TCP port 139 (session services)
NetBIOS over TCP/IP (NBT) is installed and enabled by default for backwards compatibility with old systems (or SMB implementations); however Microsoft SMB Protocol can be used without Microsoft NetBIOS.
Vulnerabilities:
Since SMB and NetBios/NetBT services are enabled by default, malicious intruders may be able to query these services to gather information about the server or exploit breaches if they exist.
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
NetBios/NetBT service can also be exploited to perform amplification attacks:
https://www.us-cert.gov/ncas/alerts/TA14-017A
How to verify if your server/device is vulnerable?
Use the following command to collect the information about your system via the SMB service:
# nmap --script smb-os-discovery.nse -p445 <Your-server-IP>
Output sample:
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-os-discovery:
| OS: Windows Server xxxx
| OS CPE: cpe:/o:microsoft:windows_server_xxxx::-
| Computer name: xx-xxxxxxxxxxxx
| NetBIOS computer name: xx-xxxxxxxxxxxx
| Workgroup: WorkGroup
|_ System time: xxxx-xx-xx
or using this tcping tool on port 445 for your IP: https://w3dt.net/tools/tcping
Use the following command to collect the information about your system via the NetBios/NetBT service:
From Windows machines (cmd):
# nbtstat -A <Your-server-IP>
From Linux machines (terminal):
# nmblookup -S -R -A <Your-server-IP>
Output sample:
[...]
Looking up status of <Your-server-IP>
XX-XXXXXXXXXXXX <00> - B <ACTIVE>
WORKGROUP <00> - <GROUP> B <ACTIVE>
XX-XXXXXXXXXXXX <20> - B <ACTIVE>
MAC Address = XX-XX-XX-XX-XX-XX
or using this online tool: https://w3dt.net/tools/netbios
If the commands return a time-out, the services might already be filtered/disabled.
Internet cartography services (such as www.shodan.io) could also be used to search for information about services publicly available on your IP (such as "SMB Version: 1").
Resolution:
SMB and NetBios/NetBT services are designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose these services directly to the Internet or, in general, to an environment where untrusted clients can directly access these services.
Different options are available to mitigate this issue and protect your server or device:
- Disable NetBios/NetBT and SMB services if you are not using them.
or
- Use your firewall to filter inbound connections to SMB and NetBios/NetBT services, and only allow the trusted IPs and hosts.
In addition to the above suggestions, you should install the Operating System security updates as soon as possible and ensure SMBv1 is not in use.