Port reference
Port 445 (TCP) – SMB / CIFS
Server Message Block — Windows file/printer sharing and the primary AD lateral-movement channel.
Default state
Open on virtually all Windows hosts and domain controllers. Frequently and dangerously exposed to the internet.
Common attacks
- EternalBlue / MS17-010 pre-auth RCE (CVE-2017-0144)
- SMB relay (NTLM relay to SMB/LDAP)
- Null-session and share enumeration
- Ransomware lateral movement and encryption over shares
Hardening
- Disable SMBv1; require SMBv3 with encryption
- Enforce SMB signing to defeat relay attacks
- Never expose 445 to the internet
- Restrict anonymous/null access and apply least-privilege share ACLs
- Patch MS17-010 and SMBGhost (CVE-2020-0796) promptly
nmap snippet
nmap -p445 --script smb-vuln-ms17-010,smb-enum-shares,smb-os-discovery <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 445?
Port 445 is the modern home of SMB (Server Message Block), also known as CIFS — the protocol Windows uses for file and printer sharing, named pipes, and inter-process communication. Since Windows 2000 it runs SMB directly over TCP, replacing the older NetBIOS transport on port 139. It is one of the most important ports in any Active Directory environment and is present on essentially every Windows host.
Why it matters for security
SMB is the connective tissue of Windows networks, which makes 445 a top target. It is the channel for EternalBlue (MS17-010 / CVE-2017-0144), the wormable pre-auth RCE behind WannaCry and NotPetya, and for SMBGhost (CVE-2020-0796). It also underpins NTLM relay: captured authentication can be relayed to SMB or LDAP to seize a host or escalate in the domain. And once inside, ransomware uses 445 to move laterally and encrypt file shares at scale.
How it's attacked
Attackers enumerate shares and null sessions to map data and trust, then exploit MS17-010 for unauthenticated code execution on unpatched hosts. Where SMB signing is off, coerced or captured NTLM authentication is relayed to take over other machines. After a foothold, operators spread ransomware host to host over reachable shares — the dominant lateral-movement pattern in modern intrusions.
Hardening checklist
Disable SMBv1 and require SMBv3 with encryption. Enforce SMB signing domain-wide to break relay attacks. Never expose 445 to the internet — keep it internal and segment it. Restrict anonymous access and apply least-privilege share ACLs. Patch MS17-010 and SMBGhost immediately. The nmap scripts above check for MS17-010 and enumerate shares on hosts you are authorized to test.
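The checklist above (and the Hardening list near the top of the page) as an audit-and-remediate script. This is an added example, not the page's own tooling; it assumes the SmbShare and NetSecurity modules (Windows 8 / Server 2012 and later), an elevated session, and a hypothetical -Apply switch that gates the changes. The firewall Block rule is a constructed example scoped to the Public profile.

```powershell
<#
  Audit and harden a Windows host's SMB server against the checklist above.
  Added example, not from the original page; assumes the SmbShare module
  (Windows 8 / Server 2012+) and an elevated session. -Apply is a hypothetical switch.
#>
param([switch]$Apply)

# Target state from the checklist: SMBv1 off, signing required, SMB3 encryption on,
# unencrypted clients rejected, null sessions restricted.
$desired = @{
    EnableSMB1Protocol       = $false
    RequireSecuritySignature = $true
    EnableSecuritySignature  = $true
    EncryptData              = $true
    RejectUnencryptedAccess  = $true
    RestrictNullSessAccess   = $true
}

$cfg   = Get-SmbServerConfiguration
$drift = @{}
foreach ($name in $desired.Keys) {
    $ok = ($cfg.$name -eq $desired[$name])
    '{0,-26} current={1,-5} want={2,-5} {3}' -f $name, $cfg.$name, $desired[$name], $(if ($ok) { 'OK' } else { 'DRIFT' })
    if (-not $ok) { $drift[$name] = $desired[$name] }
}

# Flag non-administrative shares that grant Everyone more than Read.
Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' } |
        ForEach-Object { "DRIFT share '$($_.Name)' grants Everyone $($_.AccessRight)" }
}

if (-not $Apply) { return }

if ($drift.Count -gt 0) {
    # Every key in $drift is a [bool] parameter of Set-SmbServerConfiguration, so splat it.
    Set-SmbServerConfiguration @drift -Force
}
# Remove the SMBv1 component itself, not just the server-side protocol (reboot needed to finish).
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# Keep 445 off untrusted networks: a Block rule wins over the built-in SMB-In Allow rules
# on the Public profile. Internet exposure is still enforced at the perimeter, not only here.
New-NetFirewallRule -DisplayName 'Block SMB-In (Public profile)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
```

Run it without -Apply first: the DRIFT lines are the audit result, and nothing is changed until you re-run with -Apply.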
Frequently asked questions
- Is it safe to expose port 445 to the internet?
- No. Internet-exposed SMB is a top ransomware and worm vector — EternalBlue spread this way. Keep 445 internal only, behind a VPN, with SMBv1 disabled.
- What is EternalBlue?
- EternalBlue (MS17-010 / CVE-2017-0144) is a wormable SMBv1 pre-auth RCE used by WannaCry and NotPetya to spread across networks via port 445.