What is the SMB protocol, and how does it work?

The SMB protocol (the Server Message Block) is a network protocol that enables users to communicate with remote computers and servers (e.g., to share resources or files). It’s also referred to as the server/client protocol because the server has a resource that it can share with the client.

Like any network file-sharing protocol, the SMB needs network ports to communicate with other systems. When this protocol was developed, the SMB used port 139 to facilitate computer communication on the same network. However, since the development of Windows 2000, the SMB has used port 445 and the TCP network protocol.

Check out our video on SMB below.

The SMB protocol is known as the response-request protocol. SMB operates at the application layer (i.e., where the user interacts with software apps). However, it uses lower network levels to transmit data, such as the transport layer like TCP or UDP.

Here’s a summary of how the SMB works:

1. First, the client (e.g., a user’s computer, mobile device, or printer) sends an SMB request to the server to initiate a connection.
2. The server receives this request and sends an SMB response back to the client.
3. When this response is received, it establishes a communication channel.
4. The device (e.g., a user’s computer) can then interact with the server to request access to shared resources or perform specific actions.

Here’s an example of how the SMB works in real life. Let’s say that the printer in your office is connected to the office administrator’s computer. If you want to print a document, your computer (the client) sends the office administrator’s computer (the server) a request to print it and uses the SMB protocol to do it. The server will then respond to the client with the request’s status (e.g., queued, printed, or out of ink).

Over the years, many SMB versions have become available, bringing unique improvements and updates to address performance issues and security risks. Let’s look at the main versions of the SMB protocol.

• SMB 1.0 was initially introduced in 1984 by IBM as part of their PC network program for file sharing in a DOS (disk operating system) environment. Implementing SMB 1.0 was a big step towards simplified networked file sharing. Microsoft modified and updated this version in 1990, incorporating it into their Windows operating system.
• CIFS improved the SMBv1 protocol, delivering better performance, support for long file names, and more advanced security features. Its release in 1996 coincided with the new Windows 95 operating system.
• SMB 2.0 was released with Windows Vista in 2006, bringing about another boost in performance and efficiency. SMB 2.0 could deliver data much faster than SMBv1, thanks to various optimizations (such as a reduced number of commands and subcommands).
• SMB 2.1 came out with Windows 7, continuing to improve the outstanding inefficiencies of the previous version. SMB 2.1 reduced protocol overhead by minimizing the amount of data exchanged between client and server, improved bandwidth efficiency, and delivered even better performance.
• SMB 3.0 was introduced with Windows 8 with more updates and fixes. The most notable improvement SMB 3.0 brought was enhanced security — this protocol version was the first to support end-to-end encryption.
• SMB 3.02 was released with Windows 8.1. Among many other updates, this version offered the ability to increase security and performance by completely disabling SMBv1.
• SMB 3.1.1 was released in 2015 with Windows 10. This iteration brought additional security improvements, such as more robust encryption, protection against man-in-the-middle attacks, and mutual authentication. SMB 3.1.1 also included performance optimizations such as more efficient data transfer and reduced latency.

SMB uses open ports (i.e., actively accepting incoming connections and traffic) to facilitate communication across the network. The two main ports the SMB uses are 139 and 445. Here’s what you need to know about them:

• Port 139. The earlier versions of the SMB protocol primarily ran in small-scale LAN environments using the now outdated NetBIOS network architecture. SMB mainly used port 139 to allow communication between different machines on the network.
• Port 445. With the development of Windows 2000, Microsoft changed SMB to operate on top of TCP and use a dedicated IP port — port 445. This port is more secure because it supports encryption and digital signing of SMB packets. Port 139 doesn’t offer these security mechanisms and is more susceptible to eavesdropping and other attacks.

Generally, port 445 is preferred over port 139. In addition to being more secure, it offers better compatibility with modern SMB versions and is more firewall-friendly.

Generally speaking, SMB is considered secure and is still widely used by organizations. However, several SMB vulnerabilities have been discovered over the years, resulting in a few high-profile hacking incidents.

In 2017, the US National Security Agency (NSA) found a vulnerability in the SMBv1 protocol (known as EternalBlue). It allowed an attacker to execute their code without the user noticing. If one device were to become infected, the hacker could gain access to the whole network and every device connected to it.

Another notable cyberattack was the release and spread of the WannaCry ransomware. The WannaCry ransomware attack was a cryptoworm that targeted Windows machines, with hackers consequently demanding payments from users wanting to retrieve their encrypted data. This attack affected almost 200,000 Windows devices across 150 countries.

In addition to ransomware attacks, here are other ways cybercriminals may target the SMB protocol:

• Brute force attacks. A brute force attack is when a hacker repeatedly tries various combinations of usernames and passwords to gain access to a system, account, or platform. When it comes to SMB, attackers may attempt to guess SMB user account credentials by trying various combinations of characters.
• Man-in-the-middle attacks. An SMB man-in-the-middle attack is a cyberattack where an attacker intercepts communication between two parties using the SMB protocol. Using these attacks, hackers may manipulate data exchanged between the client and the server or steal sensitive information.
• Distributed denial-of-service (DDoS) attacks. A DDoS attack involves a hacker flooding a server or network with fake requests that prevent users from accessing it. DDoS attacks may target the SMB protocol and potentially disrupt SMB services by flooding it with malicious or fake requests.

While the SMB protocol is generally considered safe, it’s important to be mindful of potential vulnerabilities and do what you can to prevent them. Here’s how to protect yourself when using SMB:

• Use strong authentication. Using strong, complex passwords for your SMB user accounts can help protect you from brute-force attacks. Make sure you also use multi-factor authentication (MFA) to make it harder for hackers to access your accounts.
• Don’t delay updates. Never ignore notifications to update your apps or software. These updates often contain important security patches to keep you safe from malware, bugs, and other vulnerabilities developers have discovered.

Using a VPN is an excellent way to boost your overall digital security and privacy, making you more secure online. Here’s how NordVPN protects you:

• NordVPN secures remote access for your employees. With user authentication, you can protect your sensitive networks from intruders and secure specific remote work devices. Helping to protect your network from rogue hackers armed with malware. NordVPN also comes with Meshnet, a feature that lets users access devices remotely while still benefiting from encryption.
• Threat Protection reduces the risk of malware. The WannaCry attack breached an entire network by infecting one device connected to it. NordVPN’s Threat protection feature helps block infected pop-up ads and potential phishing sites, often used to execute massive network attacks like the ones we’ve mentioned. It also helps you identify malware-ridden files and blocks trackers.