Modify the default port for Windows SMB services

From: http://www.xfocus.net
Article attributes: original
Article submission: tombkeeper (t0mbkeeper_at_hotmail.com)

Author: Yu
Email: tombkeeper [0x40] nsfocus [0x2e] com
Tombkeeper [0x40] xfocus [0x2e] org
Completed at: 2004.07.22
Keywords: SMB, netbt, NETBIOS, netbt.sys, default port

The netbt (NetBIOS over TCP/IP) service of the Windows NT family of operating systems handles SMB (Server Message Block) server and client operations.

The driver file for the netbt service is netbt.sys, and its registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
Microsoft's KB 120642 and KB 314053 describe some optional parameters under this key for Windows NT, Windows 2000, and Windows XP.

The ports used by the netbt service on Windows NT 4.0 are:

NameServicePort 137/udp
DatagramPort 138/udp
SessionPort 139/tcp

Starting with Windows 2000, Microsoft introduced SMB direct over TCP on port 445. Ports 137, 138 and 139 listed above are retained and work properly. By default, ports 445 and are always used. Port 445 is used as the sessionport only when port 139 fails to work.
Port 445 is always open by default. To disable this port, use the following method: under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
add a value:

Value Name: SMBDeviceEnabled
Type: REG_DWORD
Value Data: 0

Then restart the system.

By the way, if you want to disable port 139, refer to Microsoft's KB 299977:

1. Click Start, point to Settings, and then click Network and Dial-up Connections.
2. Click the local connection you want to statically configure and click Properties in the File menu.
3. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the WINS tab.
4. Click Disable NetBIOS over TCP/IP.
5. Click OK, click OK, and click OK again.

The modification takes effect immediately without restarting the system.

Can port 445 be changed to another value? Analysis of netbt.sys shows that during service initialization, the function NbtReadRegistry calls ReadParameters and ReadSmbDeviceInfo to obtain the netbt service configuration:

;------------------------------------------------------------------------
push    [ebp+Handle]
push    offset _NbtConfig
call    _ReadParameters@8           ; ReadParameters(x,x)
push    [ebp+KeyHandle]
call    _ReadSmbDeviceInfo@4        ; ReadSmbDeviceInfo(x)
;------------------------------------------------------------------------

The registry values read by ReadParameters are mostly described in the three KB articles mentioned above, but the information read by ReadSmbDeviceInfo does not seem to be documented anywhere. The following is the reverse-engineered ReadSmbDeviceInfo function from netbt.sys 5.0.2195.6783:

;------------------------------------------------------------------------
; __stdcall ReadSmbDeviceInfo(KeyHandle)

KeyHandle = dword ptr 8

    push    ebp
    mov     ebp, esp
    lea     eax, [ebp+KeyHandle]
    push    esi
    push    eax                         ; KeyHandle
    push    offset aParametersSmb       ; "Parameters\SMB"
    push    [ebp+KeyHandle]             ; int
    call    _NbtOpenRegistry@12         ; NbtOpenRegistry(x,x,x)
    mov     esi, eax
    test    esi, esi
    jl      short SetDefaultPort        ; if the key does not exist, go set the default value
    push    1
    push    1BDh                        ; 445 by default
    push    offset aSessionPort         ; "SessionPort"
    push    [ebp+KeyHandle]
    call    _NbtReadSingleParameter@16  ; NbtReadSingleParameter(x,x,x,x)
    push    1
    push    1BDh                        ; 445 by default
    push    offset aDatagramPort        ; "DatagramPort"
    mov     word_2BA88, ax
    push    [ebp+KeyHandle]
    call    _NbtReadSingleParameter@16  ; NbtReadSingleParameter(x,x,x,x)
    push    [ebp+KeyHandle]             ; Handle
    mov     word_2BA8A, ax
    call    ds:__imp__ZwClose@4         ; __declspec(dllimport) ZwClose(x)
    jmp     short Return

SetDefaultPort:
    mov     SessionPort, 1BDh           ; set SessionPort to 445
    mov     DatagramPort, 1BDh          ; set DatagramPort to 445

Return:
    mov     eax, esi
    pop     esi
    pop     ebp
    retn    4
;------------------------------------------------------------------------

Evidently, ReadSmbDeviceInfo first tries to open
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SMB
and then reads SessionPort and DatagramPort in turn, setting the corresponding ports from their values. If the key cannot be opened, it branches to SetDefaultPort and sets both ports to the default 445. If reading a value fails, the third parameter of NbtReadSingleParameter also specifies 445 as the default return value.

SessionPort and DatagramPort correspond to the TCP and UDP ports respectively. But I have never seen an SMB session over UDP, so SessionPort is the more important one.

Then NbtCreateAddressObjects opens the ports based on this information and creates the service:

;------------------------------------------------------------------------
    mov     eax, [ebp+var_8]
    mov     cx, SessionPort             ; TCP port value
    mov     esi, offset aSmbserver      ; "*SMBSERVER"
    mov     [eax+1F2h], cx
    mov     eax, [ebp+var_8]
    mov     cx, DatagramPort            ; UDP port value
    mov     [eax+1F6h], cx
    mov     eax, [ebp+var_8]
    mov     [eax+1F4h], di
    mov     eax, [ebp+var_8]
    lea     edi, [eax+1F8h]
    movsd
    movsd
    movsd
    movsd
    push    [ebp+var_8]
    push    0
    push    7F000001h
    call    _NbtCreateAddressObjects@12 ; NbtCreateAddressObjects(x,x,x)
;------------------------------------------------------------------------

Once the process is clear, the method follows. The key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SMB
does not exist by default, so the code always branches to SetDefaultPort. If we manually create the SMB key and the two values below, the system sets the ports according to the values we created. This is the simplest method. Of course, if you want to, you can also patch netbt.sys by hand. Below is a registry example that sets the port to 555:

;------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SMB]
"SessionPort"=dword:0000022b
"DatagramPort"=dword:0000022b
;------------------------------------------------------------------------

The modification described above affects both the server side and the client side. That is, if we change the port to 555, not only does the local SMB direct over TCP service listen on port 555, but access to the SMB service of other machines will also try to connect to port 555. So if we make the same change on two computers, the two can communicate with each other normally, but other computers cannot access them.
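To check whether a host has been moved off the default port, the fallback logic of the routine above can be replayed over a registry export. The following Python audit is an added example, not code from the original article; the function names and the sample export are constructed for illustration, and the undocumented fourth argument of NbtReadSingleParameter is ignored.

```python
import re

DEFAULT_PORT = 0x1BD  # 445, the default the driver falls back to
SMB_KEY = r"hkey_local_machine\system\currentcontrolset\services\netbt\parameters\smb"

# Constructed sample export: SessionPort is set, DatagramPort is missing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Smb]
"SessionPort"=dword:0000022b
"""

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: int}} for DWORD values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
            continue
        val = re.fullmatch(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})', line)
        if val and current is not None:
            current[val.group(1).lower()] = int(val.group(2), 16)
    return keys

def effective_smb_ports(keys):
    """Apply the fallback described in the article: a missing key or value means 445."""
    smb = keys.get(SMB_KEY)
    if smb is None:  # key absent: the default-port branch is taken
        return DEFAULT_PORT, DEFAULT_PORT
    # The driver stores each result in a 16-bit word (mov word_..., ax), so mask.
    session = smb.get("sessionport", DEFAULT_PORT) & 0xFFFF
    datagram = smb.get("datagramport", DEFAULT_PORT) & 0xFFFF
    return session, datagram

def audit(text):
    """Return a list of findings; an empty list means the default 445 is in effect."""
    session, datagram = effective_smb_ports(parse_reg(text))
    findings = []
    if session != DEFAULT_PORT:
        findings.append(f"SessionPort overridden: {session}/tcp")
    if datagram != DEFAULT_PORT:
        findings.append(f"DatagramPort overridden: {datagram}/udp")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_REG) or "SMB direct port is the default 445")
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `audit`.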

What is modifying this port good for?

1. Sometimes research needs to use port 445 of the local machine, for example in some SMB session hijacking tests.

2. If you want to access network shares through a firewall that blocks ports such as 445 and 139, you can set the client's SessionPort to 80, so that SMB sessions between the two run over port 80. In general, this modification does not affect access to other, normal servers, because after the connection fails the client automatically switches to port 139.

3. If we disable port 139 as mentioned at the beginning and make the same port change on a group of machines, shared access between these machines is not affected, but any external access will fail. To some extent, this can enhance security and defend against malicious intrusion and some worms.

Can port 139 be changed to another value? Yes, but not as elegantly as above: you can only modify the netbt.sys file or dynamically modify the corresponding location in memory. The port-setting code in netbt.sys 5.0.2195.6783 is as follows:

;------------------------------------------------------------------------
66 C7 86 F2 01 00 00 8B 00    mov word ptr [esi+1F2h], 8Bh ; 139
66 C7 86 F4 01 00 00 89 00    mov word ptr [esi+1F4h], 89h ; 137
66 C7 86 F6 01 00 00 8A 00    mov word ptr [esi+1F6h], 8Ah ; 138
;------------------------------------------------------------------------

Windows XP and Windows 2003 use a different structure, so the code differs. The following code sets the ports in netbt.sys 5.2.20.0.69:

;------------------------------------------------------------------------
66 C7 86 F8 01 00 00 8B 00    mov word ptr [esi+1F8h], 8Bh ; 139
66 C7 86 FA 01 00 00 89 00    mov word ptr [esi+1FAh], 89h ; 137
66 C7 86 FC 01 00 00 8A 00    mov word ptr [esi+1FCh], 8Ah ; 138
;------------------------------------------------------------------------

Obviously, the only difference between the opcodes is the offset, so it is easy to write dynamic or static patch code that supports Windows 2000, Windows XP and Windows 2003.
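Because the NetBIOS ports are immediates inside the driver, a file integrity check can decode them and compare them with 139/137/138. The following Python check is an added example, not code from the original article: it is a byte-pattern scan rather than a full disassembler, the function names are hypothetical, and the sample buffers are constructed from the 5.0.2195.6783 listing above.

```python
import struct

# 66 C7 86 <disp32> <imm16> encodes: mov word ptr [esi+disp32], imm16
STORE_PREFIX = bytes.fromhex("66C786")
NETBIOS_PORTS = (139, 137, 138)  # order of the three stores in the listings

# Constructed samples: the three instructions from the 5.0.2195.6783 listing
# with filler bytes around them, and a copy whose first immediate differs.
CLEAN = b"\x90" * 4 + bytes.fromhex(
    "66C786F20100008B00" "66C786F40100008900" "66C786F60100008A00") + b"\xC3"
ALTERED = CLEAN.replace(bytes.fromhex("F20100008B00"),
                        bytes.fromhex("F20100002B02"))

def find_word_stores(blob):
    """Return (offset, disp32, imm16) for every 66 C7 86 store found in blob."""
    hits, pos = [], blob.find(STORE_PREFIX)
    while pos != -1:
        if pos + 9 <= len(blob):  # the full 9-byte instruction must fit
            disp, imm = struct.unpack_from("<IH", blob, pos + 3)
            hits.append((pos, disp, imm))
        pos = blob.find(STORE_PREFIX, pos + 1)
    return hits

def check_netbios_ports(blob, base_disp):
    """Return {disp: (found_values, expected)} for each store that is missing or altered.

    base_disp is the displacement of the first store: 0x1F2 in the first
    listing above, 0x1F8 in the second.
    """
    expected = {base_disp + 2 * i: p for i, p in enumerate(NETBIOS_PORTS)}
    found = {}
    for _, disp, imm in find_word_stores(blob):
        if disp in expected:
            found.setdefault(disp, set()).add(imm)
    return {d: (sorted(found.get(d, ())), p)
            for d, p in expected.items() if found.get(d) != {p}}

if __name__ == "__main__":
    print(check_netbios_ports(CLEAN, 0x1F2))    # no deviations
    print(check_netbios_ports(ALTERED, 0x1F2))  # first store differs
```

An empty result means all three stores carry the expected ports; a displacement mapped to an empty list means no store with that displacement was found, for example when the wrong `base_disp` is used for the build.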

References:

TCP/IP and NBT configuration parameters for Windows 2000 or Windows NT:
http://support.microsoft.com/default.aspx?kbid=120642

TCP/IP and NBT configuration parameters for Windows XP:
http://support.microsoft.com/default.aspx?kbid=314053

You cannot make more than one client connection over a NAT device:
http://support.microsoft.com/default.aspx?kbid=301673
