Among the new ports used by Windows 2000 is TCP port 445. In this paper we will look at what this port is used for, and how it relates to the security in Windows 2000.
SMB over TCP vs. SMB over NBT
The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445.
When Windows 2000 uses port 445, and when it uses 139
In Windows 2000 you have the possibility to disable NetBIOS over TCP/IP. You do this by right-clicking on My Network Places and selecting Properties. Then right-click on the appropriate Local Area Connection icon, and select Properties. Next, click on Internet Protocol (TCP/IP) and Properties. Now click Advanced, and select the WINS tab. There you can enable or disable NetBIOS over TCP/IP. The changes take effect immediately without rebooting the system.
From now on I will refer to the "client" as the computer from where you map drives and other shared resources, and to the "server" as the computer with resources that are shared. I will also refer to NetBIOS over TCP/IP only as NBT.
If the client has NBT enabled, it will always try to connect to the server at both port 139 and 445 simultaneously. If there is a response from port 445, it sends a RST to port 139, and continues it's SMB session to port 445 only. If there is no response from port 445, it will continue it's SMB session to port 139 only, if it gets a response from there. If there is no response from either of the ports, the session will fail completely.
If the client has NBT disabled, it will always try to connect to the server at port 445 only. If the server answers on port 445, the session will be established and continue on that port. If it doesn't answer, the session will fail completely. This is the case if the server for example runs Windows NT 4.0.
If the server has NBT enabled, it listens on UDP ports 137, 138, and on TCP ports 139, 445. If it has NBT disabled, it listens on TCP port 445 only.
In the case of Windows NT 4.0, null sessions always used port 139. A tool like winfo
can give you a lot of information on Windows NT 4.0, but how does this work on Windows 2000? The answer is quite simple - it works according to the above description. To sum things up: if you run winfo from Windows 2000, and have NBT enabled, everything will normally work fine whatever the target system is. If you want it to never use anything but port 445, disable NBT.