| Seems like Windows is trying to connect on port 445 first when a user types in a servername in Internet explorer, and then falls back to http when 445 fails.
When the user uses a correct URL, starting with http:// or https:// port 445 is not used.
|On Windows 2000 professional, there is always a share "ADMIN$",
so that it is essential to create a password for "Administrator"
- perhaps not so obvious to those from a Windows 95/98 background.
|original text -- http://ntsecurity.nu/papers/port445/
The use of TCP port 445 in Windows 2000
- Arne Vidstrom
Among the new ports used by Windows 2000 is TCP port 445. In this paper we will look at what this port is used for, and how it relates to the security in Windows 2000.
SMB over TCP vs. SMB over NBT
The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445.
When Windows 2000 uses port 445, and when it uses 139
In Windows 2000 you have the possibility to disable NetBIOS over TCP/IP. You do this by right-clicking on My Network Places and selecting Properties. Then right-click on the appropriate Local Area Connection icon, and select Properties. Next, click on Internet Protocol (TCP/IP) and Properties. Now click Advanced, and select the WINS tab. There you can enable or disable NetBIOS over TCP/IP. The changes take effect immediately without rebooting the system.
From now on I will refer to the "client" as the computer from where you map drives and other shared resources, and to the "server" as the computer with resources that are shared. I will also refer to NetBIOS over TCP/IP only as NBT.
If the client has NBT enabled, it will always try to connect to the server at both port 139 and 445 simultaneously. If there is a response from port 445, it sends a RST to port 139, and continues it's SMB session to port 445 only. If there is no response from port 445, it will continue it's SMB session to port 139 only, if it gets a response from there. If there is no response from either of the ports, the session will fail completely.
If the client has NBT disabled, it will always try to connect to the server at port 445 only. If the server answers on port 445, the session will be established and continue on that port. If it doesn't answer, the session will fail completely. This is the case if the server for example runs Windows NT 4.0.
If the server has NBT enabled, it listens on UDP ports 137, 138, and on TCP ports 139, 445. If it has NBT disabled, it listens on TCP port 445 only.
In the case of Windows NT 4.0, null sessions always used port 139. A tool like winfo can give you a lot of information on Windows NT 4.0, but how does this work on Windows 2000? The answer is quite simple - it works according to the above description. To sum things up: if you run winfo from Windows 2000, and have NBT enabled, everything will normally work fine whatever the target system is. If you want it to never use anything but port 445, disable NBT.
|Port 445 and "Swiss cheese"
MS SMB - CIFS - DS - DIRECT HOST
SMB & CIFS
Windows 2000 Startup and Logon Traffic "SMB implemented in Windows 2000 is the Common Internet File System (CIFS)" "TCP and UDP Port Assignments
445 TCP Microsoft CIFS
445 UDP Microsoft CIFS" (CIFS)
"The Common Internet File System is the standard way that computer users share files across corporate intranets and the Internet in a Windows network. The CIFS is an enhanced version of the SMB protocol. CIFS is an open, cross-platform implementation of SMB"
Windows 2000 TCP/IP Protocols and Services Technical Reference
Microsoft-DS TCP Port 445 - microsoft-ds
Microsoft-DS UDP Port 445 - microsoft-ds
"Directory Services provide name resolution and lookup capabilities, allowing users or devices to locate resources on the network by human readable or well-known names"
Windows 2000 Domain Controller Default Ports 445/TCP -- SMB
"DMZ servers that are members of the internal domain."
"Chapter 3 - Firewall Design - Infrastructure (Domain - SMB Direct Host) 445 TCP
"additional protocol definitions that were created on the internal ISA Server firewall to all servers in the DMZ (IIS and DNS) to join and participate in the domain, and for the management agents installed on these servers to be able to forward information packets to the internal management servers."
Table 2 New Protocol Definitions
Protocol Definition Name - Direct Host (TCP)
Internal Connection Port Number - 445
Initial Protocol - TCP
Initial Direction - Inbound"
"Active Directory Replication over Firewalls;
Full dynamic RPC - Cons - Turns the firewall into "Swiss cheese" - Server message block (SMB) over IP (Microsoft-DS) 445/tcp, 445/udp. (Ask Us About... Security, March 2001
by Joel Scambray http://support.microsoft.com/default.aspx?scid=KB;en-us;289241& )
Limited RPC - SMB over IP (Microsoft-DS) 445/tcp, 445/udp"
"XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls - Enable Windows 2000 Server-based computers to log on to the domain through the firewall by opening the following ports for inbound traffic: 445 (TCP) - Server message block (SMB) for Netlogon, LDAP conversion and distributed file system (Dfs) discovery."
|now also used by the "Lioten" worm/virus.
|Bob A. Schelfhout Aubertijn
|As Johannes Ullrich stated wisely in his comment, 445 is also used by the Win2k / WinXP worm "Lioten" also known as "iraq_oil.exe".
Since a couple of weeks or so firewall logs show a heightened incoming activity on Port 445, very likely due to this worm.
FYI, following links can help you out when needed.
Stay happy, stay clean.
New Worm detected by Symantec on 06/07/03. Maybe what we are seeing the last couple of days.
W32.Randex.B is a network-aware worm that will copy itself to the following paths:
on computers with weak administrator passwords
When W32.Randex.B is executed, it does the following:
Caclulates a random IP address for a computer to infect. The worm will not infect computers with IP addresses in the following ranges:
10.0.0.0 -> 10.255.255.255.255
172.16.0.0 -> 172.16.255.255
192.168.0.0 -> 192.168.255.255
127.0.0.0 -> 127.255.255.255
240.0.0.0 -> 240.255.255.255
Attempts to authenticate itself to the aforementioned randomly-generated IP addresses using one of the following passwords:
Copies itself to computers (with weak administrator passwords) as the following:
Schedules a Network Job to run the worm:
Adds the value:
to the registry key:
so that the worm runs when you start Windows.
|The new "Deloader" worm also uses this port.
|Its Conficker.B hammering the port at the moment. It operates in several modes (not at same time). One mode tries to get out to sites on web and the other tries to crack passwords on accounts (I think it starts by going through host file..)this results in account lockouts)- the 2 together form a very effective DDoS on corporate networks - causing major DNS/AD problems. Not sure if there is third mode which is just spreading itself (or whether the other 2 do that)- it sets scheduled jobs to rundll multiple infections at once. From my experince Oct MS patch doesn't always work. Tuesday's patch from MS and updated malicious software removal tool better. We have cured about 600 infected servers and PCs and still got some to go...
|Hmm, seems like a new variation has broken out: sources/day x 6
I guess a lot of people have been infected by the Gimmiv.A virus this weekend:
|We have some clients with malwares and process: adtech2006a
Access to page: http://www.findthewebsiteyouneed.com/
Scans sequential ips (10/seg) using 445 port.
Solutions: ad-aware se and windows update if necessary.
Some clients with an anti-spyware not detected malware or malwares.
|We were hit hard with W32/Sdbot.worm that's associated with the MS LSASS vulnerablity (ms04-011). We had some machines that weren't patched and decided to not get anti virus updates from our central dat file server. Only 25 hosts infected but infection was global.
|New variant seen at two customer sites as of Tuesday November 9th, called "morbot". Installs as "c:\winnt\system32\wuamgrctl.exe", also leaves behind "c:\winnt\system32\sslugs.txt", which is an IRC log.
Causes DDOS effect due to excessive port 445 traffic.
Functionality appears VERY similar to rBot / rxBot.
|Detected a filename videosd32.exe which also causing high traffic using this port.Run multiple connection in backround.
|This seems to be some new type of variant that looks similar to many. Infected hosts will open many outbound tcp 445 attempts and also propergate to other hosts. So far there is very limited information on this and virustotal.com shows...
Date: 06/26/2004 01:14:54
BitDefender 7.0/20040625 found [Backdoor.SDBot.JK]
eTrustAV-Inoc 4641/20040624 found nothing
F-Prot 3.14e/20040624 found nothing
Kaspersky 3.0/20040626 found [Backdoor.Rbot.gen]
McAfee 4369/20040624 found nothing
NOD32v2 1.795/20040625 found [probably unknown CRYPT.WIN32]
Panda 7.02.00/20040625 found nothing
Sybari 7.50.1138/20040625 found [Worm.RBot.AG]
Symantec 8.0/20040625 found [W32.Spybot.Worm]
TrendMicro 1.00/20040625 found [WORM_RBOT.DA]
This seems to add itself to the following registry keys using Microsoft Update Manager.
|Exerienced worldwide virus outbreak from Korgo that spread to all corneres of our network within 2 hours. Affected all unpatched systems. Created excessive 445 traffic.
|Worm exploting computers without MS04-011. The worm scans the subnet of the infected machine and infects them via that port. As of right now Trend has info on it, but noone else does. They're calling it Rbot.cc. I sent a copy of the worm to NAI and they sent back an extra.dat, however as of 4:25pm EST no info was posted on their site. In their email to me they called the virus W32/Spybot.Worm.gen.e. The specific file in question is systemse.exe, first evidence we saw of this file was 6-15-04 at 8:40am EST.
Hope this helps.
|CA finally described the virus as Win32.Slinbot.EF worm with aliases as (Backdoor.IRCBot.gen) (W32/Sdbot.worm.gen) (Backdoor.SDBot.Gen). Today they have released new pattern files which cures the virus. This virus has been in the wild since April 16th in our systems. It generates heavy traffic on port 445 and spreads fast across networks.
|We have discovered a virus W32/Sdbot.AH that exploits port 445 and generates a lot of fw traffic. CA, Norman and other antivirus companies does not have a fix for this virus. The only one we could find a working solution with was Trend.
|The Sasser worm probes for this port for possible exploitation of the LSASS Vulnerability (MS04-011). See http://www.microsoft.com/security/incident/sasser.asp for more information.
|Port 445 also used to exploit the Windows ASN.1 vulnerability (MS04-007)
see : http://www.k-otik.com/exploits/02.14.MS04-007-dos.c.php
|Port 445 is used for Windows File Sharing.
|Please see http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm for the latest on an RPC exploit against Microsoft operating systems.
Also, from the vendor: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Please ensure that all unnecessary TCP/UDP ports are blocked and particularly TCP 135, TCP 139, TCP 445, or any other specifically configured RPC port.
Please ensure that your vulnerable operating system is patched and current.
Unapproved CVE #: CAN-2003-0352 (As of July 31st, 2003)
|Marcus H. Sachs, SANS Institute
|SANS Top-20 Entry:
W5 Windows Remote Access Services
The family of Windows Operating Platforms support a variety of different networking methods and technologies. There is native support for most industry standard networking protocols and built-in functionality for many Microsoft specific networking methods and techniques. Among these MS specific network technologies are notoriously insecure or misconfigured items such as NETBIOS Network Shares, Anonymous Logon NULL sessions, remote registry access, and remote procedure calls. These items make up a large share of the more common network level exploits on Windows and are outlined in the following text.
|Deloder virus spreading port.
seems to propagate over Port 445 as well
|Kaspersky Labs-RANDON Trojan spreads via IRC channels and local area networks and infects computers running Windows 2000 and Windows XP. To penetrate computer systems the worm registers itself in the IRC server (or local area network), scans for all present users and connects to victim computers via port 445 and attempts to gain access by using a fixed list of the most commonly used passwords
|This port is scanned by the worm
More info at
|Recent (early March 2003) activity may be due to the Deloder worm. Further information: http://www.f-secure.com/v-descs/deloader.shtml