Port reference

Port 139 (TCP) – NetBIOS Session Service

NetBIOS Session Service — legacy transport for SMB file and printer sharing over NetBIOS.

TCP · Well-known · Commonly attacked

Default state

Open on Windows hosts with NetBIOS over TCP/IP enabled. Largely superseded by direct SMB on 445 but still present on legacy systems.

Common attacks

  • Null-session enumeration of users, shares, and policies
  • SMB relay and credential capture
  • EternalBlue / MS17-010 exploitation against SMBv1
  • Ransomware lateral movement over file shares

CVE-2017-0144

Hardening

  • Disable SMBv1 entirely
  • Disable NetBIOS over TCP/IP and prefer SMB on 445 with signing
  • Block null sessions (restrict anonymous access)
  • Enforce SMB signing to defeat relay
  • Block TCP 139 at the network boundary

nmap snippet

nmap -p139 --script smb-os-discovery,smb-enum-shares <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 139?

Port 139 is the NetBIOS Session Service, the legacy transport that carries SMB (Server Message Block) file and printer sharing over NetBIOS. Before Windows 2000 introduced direct SMB on port 445, all Windows file sharing rode on 139. It remains open on hosts that still have NetBIOS over TCP/IP enabled and is often paired with the NetBIOS Name Service on UDP 137.

Why it matters for security

Port 139 exposes the same SMB attack surface as 445, but with older, weaker defaults. Legacy SMBv1 carried the EternalBlue vulnerability (MS17-010 / CVE-2017-0144), which WannaCry and NotPetya weaponized. The service also historically permitted null sessions (unauthenticated connections that enumerate users, groups, shares, and password policy), handing attackers a detailed map of the domain before they have any credentials.

How it's attacked

Attackers run null-session enumeration to harvest users, shares, and policy, then either crack discovered accounts or relay captured NTLM authentication to other hosts. Against unpatched SMBv1 systems, EternalBlue (MS17-010) gives remote code execution with no credentials, and ransomware then spreads laterally across reachable file shares.

Hardening checklist

Disable SMBv1 everywhere — it has no safe use today. Disable NetBIOS over TCP/IP and consolidate on SMB over 445 with signing enforced. Restrict anonymous access to kill null sessions, enforce SMB signing to defeat relay, and block TCP 139 at network boundaries. Patch MS17-010 immediately on any remaining legacy host. The nmap scripts above enumerate OS and shares on systems you are authorized to test.
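The checklist above as a read-only audit in PowerShell. This is an added example, not part of the original page. It assumes an elevated session on Windows 8 / Server 2012 or later (for the SmbShare and NetTCPIP cmdlets), and the three registry values it reads are this example's choice of how to check "restrict anonymous access".

```powershell
# Added example: read-only audit of the hardening checklist on one Windows host.
# Nothing is changed; the matching fix is shown as a comment beside each check.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Pass, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
}

# 1. SMBv1 disabled and SMB signing required on the server side.
#    Fix: Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true
$smb = Get-SmbServerConfiguration
Add-Finding 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"
Add-Finding 'SMB signing required' $smb.RequireSecuritySignature "RequireSecuritySignature=$($smb.RequireSecuritySignature)"

# 2. NetBIOS over TCP/IP disabled on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
#    Fix: Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    Add-Finding "NetBIOS off: $($nic.Description)" ($nic.TcpipNetbiosOptions -eq 2) "TcpipNetbiosOptions=$($nic.TcpipNetbiosOptions)"
}

# 3. Anonymous (null-session) access restricted.
#    A value that is absent from the registry shows as empty and is reported as a fail;
#    confirm the effective policy in that case.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Add-Finding 'RestrictAnonymous >= 1' ($lsa.RestrictAnonymous -ge 1) "RestrictAnonymous=$($lsa.RestrictAnonymous)"
Add-Finding 'RestrictAnonymousSAM = 1' ($lsa.RestrictAnonymousSAM -eq 1) "RestrictAnonymousSAM=$($lsa.RestrictAnonymousSAM)"
Add-Finding 'RestrictNullSessAccess = 1' ($srv.RestrictNullSessAccess -eq 1) "RestrictNullSessAccess=$($srv.RestrictNullSessAccess)"

# 4. Nothing should still be listening on TCP 139 once NetBIOS over TCP/IP is off.
$listeners = Get-NetTCPConnection -State Listen -LocalPort 139 -ErrorAction SilentlyContinue
$addresses = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
Add-Finding 'No listener on TCP 139' (-not $listeners) "LocalAddress=$addresses"

# Failed checks sort first.
$findings | Sort-Object Pass | Format-Table -AutoSize -Wrap
```

The script checks host settings only; blocking TCP 139 at the network boundary has to be verified on the firewall itself.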

Frequently asked questions

What is the difference between port 139 and 445?
Port 139 runs SMB over the legacy NetBIOS Session Service, while 445 runs SMB directly over TCP. Modern Windows prefers 445; 139 persists for backward compatibility.

Is port 139 a security risk?
Yes. It exposes hosts to legacy SMBv1 flaws, null-session enumeration, and credential relay, and was a vector for EternalBlue-based worms like WannaCry.