EN
Русский
TCP
Dangerous
Other
Port 139 (NetBIOS Session)
Learn about port 139 (NetBIOS Session) - security risks, vulnerabilities, and common uses. Find devices with port 139 open.
Quick Info
Port Number
139
Protocol
TCP
Service
NetBIOS Session
IANA Name
NetBIOS Session
Service Description
TCP port 139 is primarily associated with NetBIOS Session Service (NetBIOS-SSN). NetBIOS, or Network Basic Input/Output System, is a legacy networking protocol that provides services for applications on a local area network (LAN). Port 139 is used to establish and maintain a session between two computers on the network. It facilitates the transfer of data and commands related to file and printer sharing, as well as other network services that rely on NetBIOS. Historically, it was a core component of Windows networking, allowing older versions to communicate and share resources. The session service operates at the session layer (Layer 5) of the OSI model, managing connections between applications. It relies on NetBIOS names for identification and resolution.
Technically, the NetBIOS-SSN protocol uses a connection-oriented approach. When two computers want to establish a session, one computer initiates a connection request to the other computer's port 139. If the connection is accepted, a session is established, and data can be exchanged using the NetBIOS protocol. This data is often encapsulated within Server Message Block (SMB) packets, although SMB can also run directly over TCP port 445 (NetBIOS-less SMB). The session service handles tasks such as session establishment, session termination, and data transfer management. It is important to note that while NetBIOS itself is outdated, its services are often emulated or integrated into more modern networking protocols, particularly in environments where legacy systems are still present.
## Firewall Recommendations
The best practice is to block port 139 at the firewall, especially for traffic originating from or destined to the internet. If NetBIOS services are required within the internal network, restrict access to this port using firewall rules that only allow communication between trusted systems. Consider disabling NetBIOS over TCP/IP on systems that do not require it. Where possible, migrate to SMB over port 445 (NetBIOS-less SMB) and disable or remove NetBIOS entirely. Regularly patch systems to address known vulnerabilities in NetBIOS and SMB implementations. Implement network segmentation to limit the impact of a potential breach. Use strong authentication methods and enforce the principle of least privilege to minimize the risk of unauthorized access.
Technically, the NetBIOS-SSN protocol uses a connection-oriented approach. When two computers want to establish a session, one computer initiates a connection request to the other computer's port 139. If the connection is accepted, a session is established, and data can be exchanged using the NetBIOS protocol. This data is often encapsulated within Server Message Block (SMB) packets, although SMB can also run directly over TCP port 445 (NetBIOS-less SMB). The session service handles tasks such as session establishment, session termination, and data transfer management. It is important to note that while NetBIOS itself is outdated, its services are often emulated or integrated into more modern networking protocols, particularly in environments where legacy systems are still present.
## Firewall Recommendations
The best practice is to block port 139 at the firewall, especially for traffic originating from or destined to the internet. If NetBIOS services are required within the internal network, restrict access to this port using firewall rules that only allow communication between trusted systems. Consider disabling NetBIOS over TCP/IP on systems that do not require it. Where possible, migrate to SMB over port 445 (NetBIOS-less SMB) and disable or remove NetBIOS entirely. Regularly patch systems to address known vulnerabilities in NetBIOS and SMB implementations. Implement network segmentation to limit the impact of a potential breach. Use strong authentication methods and enforce the principle of least privilege to minimize the risk of unauthorized access.
Security Information
Port 139 is a significant security risk due to its association with legacy protocols that have known vulnerabilities. Attackers often target this port to exploit weaknesses in NetBIOS implementations and gain unauthorized access to systems and data. Common attack vectors include NetBIOS name service poisoning, SMB relay attacks, and exploiting vulnerabilities in older versions of the SMB protocol that run over NetBIOS. The exposure of port 139 to the internet or untrusted networks is particularly dangerous, as it can allow attackers to enumerate network resources, intercept sensitive data, or even execute arbitrary code on vulnerable systems. Furthermore, poorly configured or unpatched systems are prime targets for exploits that leverage vulnerabilities related to NetBIOS and SMB.
Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2017-0143 | MS17-010: Security Update for Microsoft Windows SMB Server | Critical | This vulnerability, exploited by WannaCry and other ransomware, allows remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block (SMB) server. While this vulnerability primarily targets port 445, the underlying SMB vulnerability can be exploited through NetBIOS. |
| CVE-2008-4834 | Microsoft Windows SMB Relay Vulnerability | High | A vulnerability in Microsoft Windows SMB allows remote attackers to execute arbitrary code or conduct SMB relay attacks via a crafted response, potentially exploiting NetBIOS. |
| CVE-2003-0352 | NetBIOS Name Service (NBNS) Query Response Overflow | High | Buffer overflow in the NetBIOS Name Service (NBNS) query response allows remote attackers to execute arbitrary code via a long NBNS name, leading to denial of service or potentially code execution. |
| CVE-2000-0072 | NetBIOS Session Service Denial of Service | Low | A denial-of-service vulnerability exists in the NetBIOS Session Service (port 139) due to improper handling of malformed packets. |
Malware Associations
- WannaCry ransomware
- Petya/NotPetya ransomware
- Conficker worm
- Various botnets exploiting SMB vulnerabilities
Common Software
- Windows File and Printer Sharing
- Samba (Linux file sharing)
- Older versions of Microsoft SQL Server
- Older versions of Microsoft Exchange Server
- Legacy applications relying on NetBIOS
- Applications using NetBIOS API for network communication
Find all devices with port 139 open
ScaniteX scans millions of IPs to find devices with specific ports open. Perfect for security research and network auditing.
Start Mass Scanning