Modify the default port of Windows SMB-related services
http://www.xfocus.net
Creation time: 2004-08-05
Article attribute: original
Article submission: Tombkeeper (T0MBKEEPER_AT_HOTMAIL.COM)
Author: Yu
Email: Tombkeeper [0x40] nsfocus [0x2e] COM
Tombkeeper [0x40] xfocus [0x2e] org
Completed in: 2004.07.22
Keywords: SMB, NetBt, NetBIOS, NetBt.sys, default port
The NetBT (NetBIOS over TCP/IP) service in the Windows NT family of operating systems handles SMB
(Server Message Block) server and client operations.
The driver file for the NetBT service is NetBt.sys, and its registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
Microsoft KB 120642 and KB 314053 describe some of the optional values under this key for
Windows NT, Windows 2000 and Windows XP.
The ports used by the NetBT service are:
NameServicePort   137/UDP
DatagramPort      138/UDP
SessionPort       139/TCP
Starting with Windows 2000, Microsoft introduced SMB Direct over TCP on port 445. Ports 137, 138
and 139 are retained and still work, but by default the system always uses port 445 and uses
port 139 as the SessionPort only if port 445 fails.
Port 445 is always open by default. To close it, follow the method in Microsoft KB 301673: under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
add a value:
Value name: SMBDeviceEnabled
Type: REG_DWORD
Value data: 0
Then restart the system.
By the way, to close port 139, refer to Microsoft KB 299977:
1. Click Start, point to Settings, and then click Network and Dial-up Connections.
2. Click the local area connection you want to configure statically, then click Properties on the File menu.
3. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the WINS tab.
4. Click Disable NetBIOS over TCP/IP.
5. Click OK, click OK, and then click OK again.
The change takes effect immediately, without restarting the system.
Can port 445 be changed to another value? Analysis of NetBt.sys shows that when the service is
initialized, the function NbtReadRegistry calls ReadParameters and ReadSmbDeviceInfo to read the
NetBT service configuration from the registry:
; ------------------------------------------------------------------------
    push    [ebp+Handle]
    push    offset _NbtConfig
    call    _ReadParameters@8           ; ReadParameters(x,x)
    push    [ebp+KeyHandle]
    call    _ReadSmbDeviceInfo@4        ; ReadSmbDeviceInfo(x)
; ------------------------------------------------------------------------
The registry values read by ReadParameters are mostly covered in the three KB articles mentioned
above, but the information read by ReadSmbDeviceInfo does not seem to be documented anywhere.
Below is the reverse-engineered ReadSmbDeviceInfo function from NetBt.sys version 5.0.2195.6783:
; ------------------------------------------------------------------------
; __stdcall ReadSmbDeviceInfo(KeyHandle)
KeyHandle = dword ptr 8
    push    ebp
    mov     ebp, esp
    lea     eax, [ebp+KeyHandle]
    push    esi
    push    eax                         ; KeyHandle
    push    offset aParametersSmb       ; "Parameters\SMB"
    push    [ebp+KeyHandle]             ; int
    call    _NbtOpenRegistry@12         ; NbtOpenRegistry(x,x,x)
    mov     esi, eax
    test    esi, esi
    jl      short SetDefault            ; if the key does not exist, set the default values
    push    1
    push    1BDh                        ; default 445
    push    offset aSessionPort         ; "SessionPort"
    push    [ebp+KeyHandle]
    call    _NbtReadSingleParameter@16  ; NbtReadSingleParameter(x,x,x,x)
    push    1
    push    1BDh                        ; default 445
    push    offset aDatagramPort        ; "DatagramPort"
    mov     word_2BA88, ax
    push    [ebp+KeyHandle]
    call    _NbtReadSingleParameter@16  ; NbtReadSingleParameter(x,x,x,x)
    push    [ebp+KeyHandle]             ; Handle
    mov     word_2BA8A, ax
    call    ds:__imp__ZwClose@4         ; __declspec(dllimport) ZwClose(x)
    jmp     short Return
SetDefault:
    mov     SessionPort, 1BDh           ; set SessionPort to 445
    mov     DatagramPort, 1BDh          ; set DatagramPort to 445
Return:
    mov     eax, esi
    pop     esi
    pop     ebp
    retn    4
; ------------------------------------------------------------------------
Clearly, ReadSmbDeviceInfo tries to open
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SMB
and then reads SessionPort and DatagramPort in turn and sets the corresponding ports to those
values. If opening the key fails, it jumps to SetDefault and sets both ports to the default 445.
If reading a value fails, the third argument of NbtReadSingleParameter also specifies 445 as the
default return value.
SessionPort and DatagramPort correspond to the TCP and UDP ports, respectively. But I have never
seen an SMB session over UDP, so SessionPort is the more important one.
NbtCreateAddressObjects then opens the ports based on this information and creates the service:
; ------------------------------------------------------------------------
    mov     eax, [ebp+var_8]
    mov     cx, SessionPort             ; TCP port value
    mov     esi, offset aSmbserver      ; "*SMBSERVER"
    mov     [eax+1F2h], cx
    mov     eax, [ebp+var_8]
    mov     cx, DatagramPort            ; UDP port value
    mov     [eax+1F6h], cx
    mov     eax, [ebp+var_8]
    mov     [eax+1F4h], di
    mov     eax, [ebp+var_8]
    lea     edi, [eax+1F8h]
    movsd
    movsd
    movsd
    movsd
    push    [ebp+var_8]
    push    0
    push    7F000001h
    call    _NbtCreateAddressObjects@12 ; NbtCreateAddressObjects(x,x,x)
; ------------------------------------------------------------------------
Once the process is understood, the method follows. The key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SMB
does not exist by default, so the code always goes to SetDefault. If we manually create the SMB
key and the two values under it, the system will set the ports according to the values we
created. This is the easiest method. Of course, if you prefer, patching NetBt.sys by hand is
also possible. Below is a registry file example that sets the port to 555:
; ------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SMB]
"SessionPort"=dword:0000022b
"DatagramPort"=dword:0000022b
; ------------------------------------------------------------------------
The modification described above affects the server side and the client side at the same time.
That is, if we change the port to 555, not only will this machine's SMB Direct over TCP listen
on port 555, it will also try to connect to port 555 when accessing SMB services on other
machines. In other words, if we make the same change on two computers, those two computers can
share with each other normally, but other computers cannot access them.
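An added example, not part of the original article: a Python audit of a registry export that applies the fallback rules described above for ReadSmbDeviceInfo and reports any non-default SMB Direct port. The function names are hypothetical, and the fourth argument (1) passed to NbtReadSingleParameter, which the article does not explain, is not modelled.

```python
import re

BASE = r"hkey_local_machine\system\currentcontrolset\services\netbt\parameters"
DEFAULT_PORT = 0x1BD  # 445, the default pushed in ReadSmbDeviceInfo

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: int}}, DWORD values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"\s*=\s*dword:\s*([0-9a-f]{1,8})', line, re.I)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def effective_smb_ports(keys):
    """Apply the fallback rules the article describes for ReadSmbDeviceInfo."""
    smb = keys.get(BASE + r"\smb")
    if smb is None:                      # key missing: the SetDefault path
        session = datagram = DEFAULT_PORT
    else:                                # value missing: default argument 445
        session = smb.get("sessionport", DEFAULT_PORT) & 0xFFFF   # stored from AX
        datagram = smb.get("datagramport", DEFAULT_PORT) & 0xFFFF
    findings = []
    if session != DEFAULT_PORT:
        findings.append(f"SessionPort overridden: TCP {session}")
    if datagram != DEFAULT_PORT:
        findings.append(f"DatagramPort overridden: UDP {datagram}")
    if keys.get(BASE, {}).get("smbdeviceenabled", 1) == 0:
        findings.append("SMBDeviceEnabled=0: SMB device disabled")
    return {"session": session, "datagram": datagram, "findings": findings}

# Constructed sample: the registry example from this article.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SMB]
"SessionPort"=dword:0000022b
"DatagramPort"=dword:0000022b
'''

if __name__ == "__main__":
    print(effective_smb_ports(parse_reg(SAMPLE)))
```

Version 5.00 exports written by regedit are UTF-16, so decode the file before passing its text to parse_reg.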
What is changing this port good for?
1. Sometimes port 445 on the local machine is needed for something else, for example, for SMB
session hijacking tests.
2. If you want to access network shares through a firewall that blocks ports such as 445 and
139, you can set SessionPort to 80 on both the server and the client, so that the SMB session
between the two goes over port 80. Moreover, in general this change does not affect access to
other, normal servers, because after the connection to port 80 fails the client automatically
falls back to port 139.
3. If port 139 is disabled using the method mentioned above and every system in a network is
changed to a common value, shared access between these machines is still unaffected, but any
access from outside will fail. This enhances security to some extent and resists malicious
intrusion and some worms.
Can port 139 be changed to another value as well? It can, but there is no equally elegant
method: you can only modify the corresponding location in the NetBt.sys file or patch memory
dynamically. The port-setting code in NetBt.sys version 5.0.2195.6783 is as follows:
; ------------------------------------------------------------------------
66 C7 86 F2 01 00 00 8B 00    mov word ptr [esi+1F2h], 8Bh    ; 139
66 C7 86 F4 01 00 00 89 00    mov word ptr [esi+1F4h], 89h    ; 137
66 C7 86 F6 01 00 00 8A 00    mov word ptr [esi+1F6h], 8Ah    ; 138
; ------------------------------------------------------------------------
Windows XP and Windows 2003 differ from Windows 2000, and the code is slightly different.
Here is the port-setting code from NetBt.sys version 5.2.3790.69:
; ------------------------------------------------------------------------
66 C7 86 F8 01 00 00 8B 00    mov word ptr [esi+1F8h], 8Bh    ; 139
66 C7 86 FA 01 00 00 89 00    mov word ptr [esi+1FAh], 89h    ; 137
66 C7 86 FC 01 00 00 8A 00    mov word ptr [esi+1FCh], 8Ah    ; 138
; ------------------------------------------------------------------------
Obviously, the only difference in the opcodes is the offset, so it is easy to write dynamic or
static patch code for Windows 2000, Windows XP and Windows 2003.
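An added example, not part of the original article: a Python check that decodes the instruction encoding listed above (66 C7 86, a 32-bit displacement, a 16-bit immediate) and reports any run of three stores whose constants differ from 139/137/138, which is one way to verify that a driver image still carries the values shown here. The function names are hypothetical and the sample buffers are constructed from the bytes quoted in this article; they are not real driver files.

```python
import struct

# Encoding shown in the article: 66 C7 86 <disp32> <imm16>
# = mov word ptr [esi+disp32], imm16 (operands are little-endian).
PREFIX = b"\x66\xc7\x86"
INSN_LEN = 9
EXPECTED_PORTS = [139, 137, 138]  # order of the three stores in the article

def word_stores(blob):
    """Return [(file_offset, disp32, imm16)] for every matching instruction."""
    hits, pos = [], blob.find(PREFIX)
    while pos != -1 and pos + INSN_LEN <= len(blob):
        disp, imm = struct.unpack_from("<IH", blob, pos + 3)
        hits.append((pos, disp, imm))
        pos = blob.find(PREFIX, pos + 1)
    return hits

def port_init_runs(blob):
    """Find three back-to-back stores to consecutive 16-bit fields."""
    hits, runs = word_stores(blob), []
    for a, b, c in zip(hits, hits[1:], hits[2:]):
        adjacent = b[0] - a[0] == INSN_LEN and c[0] - b[0] == INSN_LEN
        fields = b[1] - a[1] == 2 and c[1] - b[1] == 2
        if adjacent and fields:
            runs.append({"offset": a[0], "base": a[1],
                         "ports": [a[2], b[2], c[2]]})
    return runs

def unexpected_ports(blob):
    """Runs whose constants differ from the 139/137/138 listed in the article."""
    return [r for r in port_init_runs(blob) if r["ports"] != EXPECTED_PORTS]

# Constructed samples: the nine-byte instructions quoted above plus filler.
WIN2K = bytes.fromhex("9090" "66C786F20100008B00"
                      "66C786F40100008900" "66C786F60100008A00" "C3")
WIN2003 = bytes.fromhex("90" "66C786F80100008B00"
                        "66C786FA0100008900" "66C786FC0100008A00" "C3")
# Same layout as WIN2K with the first constant changed to 022Bh (555).
MODIFIED = bytes.fromhex("9090" "66C786F20100002B02"
                         "66C786F40100008900" "66C786F60100008A00" "C3")

if __name__ == "__main__":
    for name, blob in (("5.0", WIN2K), ("5.2", WIN2003), ("modified", MODIFIED)):
        print(name, port_init_runs(blob), unexpected_ports(blob))
```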
References:
TCP/IP and NBT configuration parameters for Windows 2000 or Windows NT:
http://support.microsoft.com/default.aspx?kbid=120642
Windows XP TCP/IP and NBT configuration parameters:
http://support.microsoft.com/default.aspx?kbid=314053
You cannot make more than one client connection over a NAT device:
http://support.microsoft.com/default.aspx?kbid=301673