Tuesday, April 19, 2011

For your safety Port 139 should be closed

Although TCP ports 139 and 445 have long been known as a security concern, it is still worth looking at them in detail. As we know, NFS (Network File System) was developed by Sun, mainly for sharing directories and files between UNIX machines. Microsoft invented a protocol called SMB (Server Message Block), with which people can share directories and files with other Windows machines. Microsoft is trying to rename SMB-based networking to “Windows Networking” and the protocol to “CIFS”. When we mount a Samba server directory on a Linux machine, we will most likely run the following command.
sudo mount -t cifs -o username=henrydu //172.17.93.105/Swap-1Day /mnt/Swap-1Day
Microsoft opened a security hole for the many people who had not set an Administrator password. In the early days, anyone could easily access another machine's C:\WINDOWS directory through this share:
\\172.17.93.105\ADMIN$
Even with a password set, malicious people can still work it out through ports 139 and 445. This article is not about how to hack others through ports 139 and 445; instead, we will see how SMB and NetBIOS work.
SMB is the most popular protocol for Windows PCs; it lets us share files, disks, directories, printers, and (in some cases) even COM ports across a network. SMB-based networks use a variety of underlying protocols, but the most popular is “NetBIOS over TCP/IP”.
Here is a concrete example. The SMB client (hacker) sends a TCP 445 SYN to the SMB server (victim). Without waiting for the SYN/ACK packet, it immediately sends a TCP 139 SYN to the SMB server as well. TCP 445 is used to set up the SMB session and TCP 139 to set up the NetBIOS session. SMB needs the NetBIOS protocol. The screenshot shows that once the TCP 139 and TCP 445 sessions are up, the SMB protocol starts to run. The packet hierarchy shows that SMB runs over the NetBIOS protocol.
After Microsoft noticed this security issue, TCP 139 and 445 were blocked by default. Thus, the SMB server never replies to a SYN packet if the firewall is on. We can use Nmap to test this.
Firewall is off:
nmap -PN -p139,445 -n -v 172.17.93.105
…..
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Firewall is on:
PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Therefore, please make sure these two ports are protected by a firewall.

Read here : http://henrydu.com/blog/networks/windows-tcp-139-and-445-vulnerability-335.html
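The open and filtered states in the Nmap tables above can be re-checked on your own machine after changing the firewall or NetBIOS setting. The following is an added example, not code from the original article: it uses a full TCP connect() rather than Nmap's scan, and the function names and the 2-second timeout are assumptions chosen for illustration.

```python
import socket

# The two ports discussed in the article, with the service names Nmap prints.
SMB_PORTS = {139: "netbios-ssn", 445: "microsoft-ds"}

def port_state(host, port, timeout=2.0):
    """Classify one TCP port as open / closed / filtered using connect()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: the service is reachable
    except ConnectionRefusedError:
        return "closed"      # RST came back: host reachable, nothing listening
    except OSError:
        # Timeout or another network error (e.g. ICMP unreachable): the SYN
        # got no usable answer, which is what a firewall drop looks like.
        return "filtered"
    finally:
        s.close()

def audit(host, ports=SMB_PORTS, timeout=2.0):
    """Return {port: state} for the SMB/NetBIOS ports of one host."""
    return {p: port_state(host, p, timeout) for p in ports}

def exposed(results):
    """Ports that still accept connections and need a firewall rule."""
    return sorted(p for p, state in results.items() if state == "open")

if __name__ == "__main__":
    import sys
    # Default to the local machine; pass the address of a host you administer.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = audit(host)
    print("PORT    STATE    SERVICE")
    for port, state in results.items():
        print(f"{port}/tcp {state:<8} {SMB_PORTS[port]}")
    if exposed(results):
        print("Still reachable:", exposed(results))
```

A result of "closed" means the host answered but no service is bound to the port, while "filtered" matches the firewall-on table above.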


So how to close port 139


Follow the screens

Select your network adapter

Select your network adapter properties

Select the required network adapter (mine are Wireless and Local Area Connection)

Click on Internet Protocol Version 4 (TCP/IPv4)

Click on TCP/IP and then on Properties

Click on Advanced

Click on WINS

Disable NetBIOS over TCP/IP
