What ports does SMB use?
SMB and CIFS use port 445 today, with legacy NetBIOS on 137 and 139. Here is what each does, why 445 is the top ransomware vector, and what to block.
SMB (Server Message Block), also known as CIFS, is the protocol Windows uses for file and printer sharing, and it underpins a large amount of internal authentication and administration. If you are reading firewall logs or hardening a network, knowing exactly which ports SMB uses — and which to block — is essential. The short answer is that modern SMB runs on a single port, port 445, while a couple of legacy ports linger from the NetBIOS era. This post breaks down each port, explains modern versus legacy SMB, and covers why port 445 is the single most dangerous port to leave exposed. Look up any of these on ProtocolPorts or browse all ports.
The SMB port reference
| Port | Protocol / Service | Role |
|---|---|---|
| 445 | SMB direct over TCP | Modern SMB2/SMB3 — file sharing, named pipes, RPC over SMB |
| 139 | NetBIOS Session Service (TCP) | Legacy SMB carried over a NetBIOS session |
| 137 | NetBIOS Name Service (UDP) | Legacy name resolution used to locate SMB hosts |
| 135 | RPC Endpoint Mapper (TCP) | Locates RPC services that frequently run over SMB |
Modern SMB: direct over port 445
Since Windows 2000, SMB has run directly over TCP on port 445, with no NetBIOS layer in between. Every modern dialect — SMB2 and SMB3, the latter adding encryption and performance improvements and used by Windows 10/11 and current Windows Server — uses this single port. When a machine maps a network drive, applies Group Policy, copies a file from a share, or calls a remote service through a named pipe, that traffic flows over port 445.
Because so much rides on it, port 445 is also the port you most need to watch. It carries not just files but RPC calls used for remote administration, which is exactly what attackers abuse to move from one machine to the next.
Legacy NetBIOS: port 137 and port 139
Before port 445 existed, SMB was transported inside NetBIOS sessions. Two ports handled this:
- Port 137 (UDP) is the NetBIOS Name Service, used to resolve computer names to addresses on the local segment.
- Port 139 (TCP) is the NetBIOS Session Service, which actually carried the SMB file-sharing traffic.
On a current network you almost never need these. They remain enabled mainly for backward compatibility with very old systems, and they bring real risk: NetBIOS name resolution is the basis of NBT-NS poisoning, where an attacker answers broadcast lookups to capture NTLM credentials. Disabling NetBIOS over TCP/IP closes that door and forces clients onto port 445.
RPC and the port 135 connection
The RPC endpoint mapper on port 135 is not SMB itself, but it is closely tied to it. Many Windows RPC services are reachable through named pipes over SMB, and the endpoint mapper tells clients where to find them. Tools that perform remote administration — and the lateral-movement techniques that imitate them — typically touch both port 135 and port 445 together, which is why they are usually firewalled as a group.
Why port 445 is the #1 ransomware vector
No port has a worse security reputation than port 445. It is the surface exploited by EternalBlue (MS17-010), the wormable flaw that powered WannaCry and NotPetya in 2017. Those outbreaks spread across the world precisely because so many networks left SMB reachable and unpatched.
The danger has two parts:
- Lateral movement. Once an attacker lands on one host, port 445 is the highway to every other machine — copying payloads to admin shares, executing services remotely, and spreading ransomware internally.
- SMB relay. NTLM authentication intercepted on the wire can be relayed to port 445 on another host that does not require SMB signing, giving the attacker an authenticated session without ever cracking a password.
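The two lateral-movement patterns just described, together with the 135-plus-445 pairing from the RPC section above, as an added detection example that is not part of the original post: a PowerShell script that reads a handful of constructed firewall log lines (laid out in the field order of Windows Firewall's pfirewall.log) and flags SMB or NetBIOS traffic crossing the perimeter, one internal host opening port 445 to many others, and the RPC endpoint mapper and SMB being hit on the same destination from the same source. Every address, timestamp and the fan-out threshold are made-up values chosen for the example.

```powershell
# Added example, not from the original post: sort constructed firewall log lines into
# the SMB patterns the article describes. Field order mimics Windows Firewall's
# pfirewall.log; every address, host and timestamp below is made up.

$SmbTcpPorts     = @(445, 139)   # SMB direct and NetBIOS session (TCP)
$NetBiosUdpPort  = 137           # NetBIOS name service (UDP)
$RpcMapperPort   = 135           # RPC endpoint mapper, usually seen alongside 445
$FanOutThreshold = 5             # distinct internal 445 targets from one source before we flag it (assumed value)

$LogLines = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:58:10 ALLOW TCP 10.0.0.5 10.0.0.20 49812 445 0 - 0 0 0 - - - SEND
2024-05-01 09:58:11 ALLOW TCP 10.0.0.5 10.0.0.21 49813 445 0 - 0 0 0 - - - SEND
2024-05-01 09:58:11 ALLOW TCP 10.0.0.5 10.0.0.21 49814 135 0 - 0 0 0 - - - SEND
2024-05-01 09:58:12 ALLOW TCP 10.0.0.5 10.0.0.22 49815 445 0 - 0 0 0 - - - SEND
2024-05-01 09:58:12 ALLOW TCP 10.0.0.5 10.0.0.23 49816 445 0 - 0 0 0 - - - SEND
2024-05-01 09:58:13 ALLOW TCP 10.0.0.5 10.0.0.24 49817 445 0 - 0 0 0 - - - SEND
2024-05-01 10:01:44 ALLOW TCP 10.0.0.9 203.0.113.77 51020 445 0 - 0 0 0 - - - SEND
2024-05-01 10:02:03 DROP TCP 198.51.100.14 10.0.0.9 60333 139 0 S 0 0 0 - - - RECEIVE
2024-05-01 10:02:09 ALLOW UDP 10.0.0.30 10.0.0.255 137 137 78 - - - - - - - SEND
2024-05-01 10:05:00 ALLOW TCP 10.0.0.40 10.0.0.50 50111 445 0 - 0 0 0 - - - SEND
'@

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges; anything else is treated as "internet" for the perimeter check
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

function ConvertFrom-FirewallLog {
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*(#|$)') { continue }      # skip the header and blank lines
        $f = $line -split '\s+'
        [pscustomobject]@{
            Time     = "$($f[0]) $($f[1])"
            Action   = $f[2]
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            SrcPort  = [int]$f[6]
            DstPort  = [int]$f[7]
        }
    }
}

function Find-SmbExposure {
    param([object[]]$Events)

    # 1. SMB or NetBIOS crossing the perimeter: exactly one end is a private address.
    #    An ALLOW here is the real alarm; a DROP is still worth knowing about.
    foreach ($e in $Events) {
        $smbLike = ($e.Protocol -eq 'TCP' -and $e.DstPort -in $SmbTcpPorts) -or
                   ($e.Protocol -eq 'UDP' -and $e.DstPort -eq $NetBiosUdpPort)
        if (-not $smbLike) { continue }
        if ((Test-PrivateIPv4 $e.SrcIp) -ne (Test-PrivateIPv4 $e.DstIp)) {
            $sev = if ($e.Action -eq 'ALLOW') { 'High' } else { 'Medium' }
            [pscustomobject]@{
                Severity = $sev
                Pattern  = 'SMB crossing perimeter'
                Detail   = "$($e.Time) $($e.Action) $($e.SrcIp) -> $($e.DstIp):$($e.DstPort)/$($e.Protocol)"
            }
        }
    }

    # 2. Internal fan-out on 445: one source opening SMB to many distinct internal hosts.
    $internal445 = $Events | Where-Object {
        $_.Protocol -eq 'TCP' -and $_.DstPort -eq 445 -and
        (Test-PrivateIPv4 $_.SrcIp) -and (Test-PrivateIPv4 $_.DstIp)
    }
    foreach ($group in ($internal445 | Group-Object SrcIp)) {
        $targets = @($group.Group.DstIp | Sort-Object -Unique)
        if ($targets.Count -ge $FanOutThreshold) {
            [pscustomobject]@{
                Severity = 'High'
                Pattern  = 'Possible lateral movement over 445'
                Detail   = "$($group.Name) reached $($targets.Count) internal hosts: $($targets -join ', ')"
            }
        }
    }

    # 3. RPC mapper (135) and SMB (445) from the same source to the same destination,
    #    the pairing that remote-administration tooling and its imitators produce.
    $pairs = $Events | Where-Object { $_.Protocol -eq 'TCP' -and $_.DstPort -in @($RpcMapperPort, 445) } |
             Group-Object SrcIp, DstIp
    foreach ($p in $pairs) {
        $ports = @($p.Group.DstPort | Sort-Object -Unique)
        if ($ports -contains $RpcMapperPort -and $ports -contains 445) {
            [pscustomobject]@{
                Severity = 'Medium'
                Pattern  = 'RPC mapper and SMB to same host'
                Detail   = "$($p.Name) touched ports $($ports -join ', ')"
            }
        }
    }
}

$events = @(ConvertFrom-FirewallLog -Text $LogLines)
Find-SmbExposure -Events $events | Sort-Object Severity, Pattern | Format-Table -AutoSize -Wrap
```

On the constructed input this reports the allowed outbound 445 connection to 203.0.113.77 and the dropped inbound 139 attempt as perimeter crossings, 10.0.0.5 as a source that reached five internal hosts on 445, and the 10.0.0.5 to 10.0.0.21 pair as having touched both 135 and 445. The internal 137 broadcast is not flagged, since both ends are private; disabling NetBIOS over TCP/IP, as the hardening section recommends, is what removes that traffic. To run it against a real pfirewall.log, replace the here-string with `Get-Content -Raw` on the log path and raise or lower `$FanOutThreshold` to suit how much legitimate file-server traffic your segment carries.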
What to block and how to harden
The rules are simple and non-negotiable:
- Block port 445 and port 139 at the internet perimeter, inbound and outbound. SMB should never traverse the public internet.
- Disable NetBIOS over TCP/IP to retire port 137 and port 139 and kill NBT-NS poisoning.
- Enforce SMB signing on servers and domain controllers to defeat relay attacks.
- Disable the obsolete SMBv1 dialect entirely — it is the version EternalBlue targets.
- Patch aggressively. SMB vulnerabilities are wormable; apply Microsoft fixes the moment they ship.
Internally, allow port 445 only between hosts that genuinely need file sharing, and segment your network so a single compromise cannot reach everything.
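The checklist above as an added PowerShell example for a single Windows host; it is not from the original post. It uses the built-in SmbShare, NetSecurity, DISM and CIM cmdlets to audit the current state, then disables SMBv1, requires signing on both server and client, turns off NetBIOS over TCP/IP on every IP-enabled adapter, and adds host-firewall blocks for 445, 139 and 137. The `Harden-SMB` rule names and the choice to scope those blocks to the Public (untrusted) profile are this example's own; the perimeter block the article calls for belongs on the network firewall, and this is only its host-level analogue.

```powershell
# Added example, not from the original post: audit and apply the SMB hardening steps
# listed above on one Windows host. Run from an elevated PowerShell session.
# Rule names and the Public-profile scoping are assumptions of this example.
#Requires -RunAsAdministrator

function Get-SmbHardeningState {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    $nics   = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    [pscustomobject]@{
        Smb1Enabled           = $server.EnableSMB1Protocol
        ServerSigningRequired = $server.RequireSecuritySignature
        ClientSigningRequired = $client.RequireSecuritySignature
        # TcpipNetbiosOptions: 0 = take the DHCP setting, 1 = enabled, 2 = disabled
        AdaptersWithNetBios   = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 }).Count
        HardenSmbRules        = @(Get-NetFirewallRule -DisplayName 'Harden-SMB*' -ErrorAction SilentlyContinue).Count
    }
}

function Invoke-SmbHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Retire SMBv1, the dialect EternalBlue targets, at protocol and feature level.
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Client SKUs ship SMB1 as an optional feature (a reboot completes the removal);
        # on Windows Server use Uninstall-WindowsFeature FS-SMB1 instead.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }

    # 2. Require signing on both sides so an intercepted session cannot be relayed.
    if ($PSCmdlet.ShouldProcess('SMB server and client', 'Require security signatures')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }

    # 3. Disable NetBIOS over TCP/IP on every IP-enabled adapter: retires 137/139 and
    #    removes the broadcast lookups that NBT-NS poisoning answers.
    foreach ($nic in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        if ($PSCmdlet.ShouldProcess($nic.Description, 'Disable NetBIOS over TCP/IP')) {
            Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        }
    }

    # 4. Host-firewall analogue of the perimeter rule: block SMB and NetBIOS in both
    #    directions whenever the adapter is on the Public profile. Internal file sharing
    #    on Domain/Private profiles is left alone; segment that at the network layer.
    $rules = @(
        @{ DisplayName = 'Harden-SMB inbound TCP 445/139';  Direction = 'Inbound';  Protocol = 'TCP'; LocalPort  = 445, 139 }
        @{ DisplayName = 'Harden-SMB outbound TCP 445/139'; Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 445, 139 }
        @{ DisplayName = 'Harden-SMB inbound UDP 137';      Direction = 'Inbound';  Protocol = 'UDP'; LocalPort  = 137 }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) { continue }   # idempotent
        if ($PSCmdlet.ShouldProcess($r.DisplayName, 'Create firewall rule')) {
            New-NetFirewallRule @r -Action Block -Profile Public -Enabled True | Out-Null
        }
    }
}

Get-SmbHardeningState | Format-List    # state before
Invoke-SmbHardening -WhatIf            # preview every change; drop -WhatIf to apply
Get-SmbHardeningState | Format-List    # state after (all flags false, adapter and rule counts 0 and 3)
```

Because `Invoke-SmbHardening` supports `-WhatIf`, the script can be reviewed on a change-controlled host before anything is modified, and the audit function gives a quick pass/fail view that is easy to collect fleet-wide. On domain-joined machines the same settings are normally pushed by Group Policy; the audit is still useful there for confirming the policy actually landed.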
Conclusion
SMB today is effectively one port: port 445, the direct TCP transport for SMB2 and SMB3. The legacy NetBIOS ports 137 and 139, plus the RPC mapper on port 135, are holdovers you should disable or tightly restrict. Treat port 445 with respect — it is the top lateral-movement and ransomware vector — keep it off the internet, sign your SMB traffic, and patch fast. Use ProtocolPorts to verify any of these ports, or browse all ports.