This chapter focuses on Microsoft RPC, NetBIOS, and CIFS services that are used in large internal networks to support file sharing, printing, and other functions. If these services aren’t configured or protected properly by network filtering devices, they can be used to great effect to enumerate system details and cause a complete network compromise.
Microsoft Windows networking services use the following ports:
loc-srv 135/tcp loc-srv 135/udp netbios-ns 137/udp netbios-dgm 138/udp netbios-ssn 139/tcp microsoft-ds 445/tcp microsoft-ds 445/udp
Port 135 is used for RPC client-server communication, and ports 139 and 445 are used for authentication and file sharing. UDP ports 137 and 138 are used for local NetBIOS browser, naming, and lookup functions.
The Server Message Block (SMB) protocol facilitates resource sharing in Microsoft Windows environments. Under Windows NT, SMB is run through NetBIOS over TCP/IP, using UDP ports 137 and 138 and TCP port 139. Windows 2000 and later support Common Internet File System (CIFS), which provides full SMB access directly through TCP and UDP port 445 (as opposed to using a variety of UDP and TCP ports). Many system administrators diligently filter access to ports between 135 and 139, but have been known to neglect port 445 when protecting Windows 2000, XP, 2003, and Vista hosts.
The Microsoft RPC endpoint mapper (also known ...