The US-CERT advisory reveals that the best practice to follow for Server Message Block (SMB) is to block TCP port 445, used by Microsoft Directory Services along with UDP ports 137, 138 and TCP port 139.
Port 445 was exploited in 2017 by the WannaCry ransomware attack, which caused huge damage across the globe targeting businesses, banks and other public bodies.
What is the use of port 445?
Port 445 is a Microsoft networking port which is also linked to the NetBIOS service present in earlier versions of Microsoft Operating Systems. It runs Server Message Block (SMB), which allows systems of the same network to share files and printers over TCP/IP.
This port shouldn't be opened for external network. All microsoft devices mostly have port 445 open as the port is used for LAN communication.
How do attackers exploit port 445?
The attackers can perform port scanning using open source tools like Nmap, Metasploit, and NetScan Tools Pro. These scanning tools identify the services that utilize port 445 and gather critical information about the devices. After getting to know the device details, the attackers launch malware and ransomware attacks by exploiting this port.
Prevention of port 445 exploit.
The best way to prevent port 445 exploit is to ensure that your firewall is configured properly and there are no unnecessary 445 open ports in your network.
Steps to prevent port 445 exploit.
Make sure port 445 is blocked in all unused devices and in devices that have connectivity outside your network.
How can you do this? Create a firewall rule as mentioned below:
- Source: Any (or External, if you want to use the port for file sharing within the network).
- Source Port: Any
- Destination: Any
- Destination Port: 445.
- Action: Drop or Deny.
How to detect a 445 port exploit by analyzing firewall logs?
Port 445 exploit can be detected using network security solutions such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), and also by security information and event management (SIEM) solutions. Monitor firewall logs and see if they indicate:
- Outbound traffic for SMB v1's ports TCP 445 and 139.
- If port 445 is unresponsive for a long time (could be a stealth attack).
- Multiple port scanning requests to UDP ports 137 and 138.
These events indicate a 445 port exploitation targeted on the system. When you see these indicators in your network, block all 445 ports and conduct investigation to identify the target systems.
EventLog Analyzer, a comprehensive log management solution that collects and monitors logs from all network devices, provides you all the information about port 445 exploit. This solution sends out real-time alerts when the port 445 exploit happens and also gives you detailed information on the attack including where it happened, the infected network resource, when the attack happened, and so on. You can even view the impact of the exploit using our solution's built-in intuitive reports. Click here to know how it is done.
FAQs
The cybersecurity risks of TCP 445
Despite its utility, TCP 445's open nature can also be its Achilles' heel, exposing networks to unauthorized access and malicious exploits. Cybercriminals can leverage vulnerabilities in this port to inject malware, ransomware, or carry out Denial of Service (DoS) attacks.
How to block TCP port 445? ›
Step 1: Open the Control Panel Step 2: Click on Windows Firewall/ Windows Defender firewall Step 3: Navigate to advanced settings. Step 4:Right click on inbound rules and click on new rule. Step 6:Select port and press next Step 7:Specify the port 445 under specific local ports, select TCP and press next.
How to permit the TCP 445 port in your computer's firewall? ›
To add a firewall rule to allow TCP/445 (SMB/CIFS) and TCP/135 (RPC): Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security - LDAP > Inbound Rules. Right-click and choose New Rule. Choose Port and click Next.
What is TCP port 445 used for? ›
Port 445 is a Microsoft networking port which is also linked to the NetBIOS service present in earlier versions of Microsoft Operating Systems. It runs Server Message Block (SMB), which allows systems of the same network to share files and printers over TCP/IP. This port shouldn't be opened for external network.
How to check if port 445 is open? ›
Answer: Open the Run command and type cmd to open the command prompt. Type: “netstat –na” and hit enter. Find port 445 under the Local Address and check the State. If it says Listening, your port is open.
Why port 445 should be closed? ›
We also recommend blocking port 445 on internal firewalls to segment your network and prevent lateral movement – this will prevent internal spreading of the ransomware.
How do I block port 445 on FortiGate firewall? ›
To block a specific port on a FortiGate device, follow these instructions:
- Access the FortiGate web interface.
- Go to Policy & Objects > IPv4 Policy.
- Select Create New to set up a new firewall policy.
- Adjust the following settings: ...
- Save the new firewall policy.
The reason some services decide to block port 445 is due to historical reasons of vulnerabilities found in lower SMB versions. Ideally, the port should be blocked for only for SMB 1.0 traffic and SMB 1.0 should be turned off on all clients.
How do I allow port access through firewall? ›
How to open a port on the firewall
- Click on Start then on Control Panel.
- Click on Windows Firewall and then click on Advanced Settings.
- Right click on Inbound Rules then on New Rule:
- Select Port and click on Next:
- Enter a specific local port (e.g. 8080) and click on Next:
- Click on Next:
- Name the rule and click on Finish:
Open ports in Windows Firewall
- Open the Windows Firewall configuration settings on your report server. ...
- Select Advanced Settings.
- Select Inbound Rules.
- In the Actions pane, select New Rule.
- Choose the Port rule type and select Next.
- On the Protocol and Ports page, choose TCP.
In the navigation tree, select Inbound Rule, and then in the Actions pane, click New Rule. On the Rule type panel, select Port and then click Next. On the Protocol and Ports panel, select TCP, enter the TCP/IP port numbers that you set in steps 3 and 4 in Specific local ports, and then click Next.
Is it safe to block port 445? ›
Port 445 can expose devices to significant harm if left open on the public Internet. You should either disable it in your firewall, or properly secure it.
Is port 445 open by default? ›
This is because, by default, Windows 2000 and later versions use SMB over TCP/IP via port 445 rather than over NetBIOS whenever possible. If port 445 is disabled, it will fall back to NetBIOS using port 137, 138, or 139. The ports depend on the Microsoft Windows operating system configuration.
How to check SMB connection in Windows? ›
The Get-SmbConnection cmdlet retrieves the connections established from the Server Message Block (SMB) client to the SMB servers. Users can connect to an SMB share using credentials different than the associated logon credentials so that there will be a connection listed per share per user logon per credential used.
Is port 445 secure? ›
Security implications of SMB ports
Ports 139 and 445 have been targets for various cyberattacks, including the notorious WannaCry ransomware. These attacks exploit vulnerabilities in the SMB protocol to execute malicious code and spread across networks.
Why is port 445 and 139 vulnerable? ›
Ports 139 and 445 are used for 'NetBIOS' communication between two Windows 2000 hosts. In the case of port 445 an attacker may use this to perform NetBIOS attacks as it would on port 139. Impact: All NetBIOS attacks are possible on this host.
Are TCP ports vulnerable? ›
Port 22 is a TCP port, which can be exploited by attackers using brute force credentials or leaked SSH keys. Port 53 is a UDP and TCP port for queries and transfers vulnerable to DDoS attacks. This port is used to receive and send emails.
What is the TCP protocol vulnerability? ›
The TCP/IP protocol suite is vulnerable to a variety of attacks ranging from password sniffing to denial of service. Software to carry out most of these attacks is freely available on the Internet. These vulnerabilities—unless carefully controlled—can place the use of the Internet or intranet at considerable risk.
