Chapter 9. Assessing Windows Networking Services

This chapter focuses squarely on Windows NetBIOS and CIFS services that are used in corporate networks to provide access to SMB for file sharing, printing, and other useful functions. If these services aren’t configured or protected correctly by network filtering devices, they can be used to great effect to enumerate system details and cause a complete network compromise.

Microsoft Windows Networking Services

Microsoft Windows networking services use the following ports:

loc-srv         135/tcp
loc-srv         135/udp
netbios-ns      137/udp
netbios-dgm     138/udp
netbios-ssn     139/tcp
microsoft-ds    445/tcp
microsoft-ds    445/udp

Port 135 is used for RPC client-server communication; ports 139 and 445 are used for authentication and file sharing. UDP ports 137 and 138 are used for local NetBIOS browser, naming, and lookup functions.

SMB, CIFS, and NetBIOS

The Server Message Block (SMB) protocol can facilitate resource sharing in Microsoft Windows environments. Under Windows NT, SMB is run through NetBIOS over TCP/IP, which uses UDP ports 135, 137, and 138 along with TCP ports 135 and 139. With Windows 2000, Microsoft added CIFS support, which provides full SMB access directly through TCP and UDP port 445 (as opposed to using a variety of UDP and TCP ports). Many system administrators diligently filter access to ports between 135 and 139, but have been known to neglect port 445 when protecting Windows 2000 hosts.

Microsoft RPC Services

The Microsoft RPC endpoint mapper ...

Get Network Security Assessment now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.