Port 139 – NetBIOS Session Service

Why It’s Open

Port 139/TCP is the NetBIOS Session Service — the transport SMB used before Microsoft added direct SMB-over-TCP on port 445. It’s still open on most modern Windows systems because the NetBIOS over TCP/IP stack is enabled by default and on older domains that haven’t been migrated. Seeing 139 and 445 together is the classic Windows fingerprint.

Common Risks

• SMBv1 legacy exploits. EternalBlue (MS17-010), MS08-067, and related remote code execution bugs. SMBv1 should not exist on a modern network.
• NULL session enumeration. Older Windows accepts unauthenticated sessions that leak users, groups, shares, and password policy.
• Credential relaying. NTLM responses captured from port 139 can be relayed to other hosts still accepting NTLM authentication.
• Share misconfiguration. World-writable or world-readable shares are still common in the wild, especially on file servers and NAS devices.
• Lateral movement. Any foothold in a Windows network makes 139/445 the primary lateral-movement target.

Want to save time on reporting?

Let PentestPad generate, track, and export your reports - automatically.

Book a Demo

Enumeration & Testing

Nmap fingerprinting and vuln check

nmap -p 139,445 -sV --script="smb-os-discovery,smb-enum-shares,smb-enum-users,smb-protocols,smb-security-mode,smb-vuln-*" <target>

NetBIOS name scan

nbtscan -r <target>/24
nmblookup -A <target>

Null-session enumeration

enum4linux -a <target>
enum4linux-ng -A <target>

rpcclient -U "" -N <target>
# inside rpcclient:
#   srvinfo
#   enumdomusers
#   querydominfo

List shares with smbclient

smbclient -L //<target>/ -N
smbclient -L //<target>/ -U '<user>%<pass>'
smbclient //<target>/<share> -N

CrackMapExec / NetExec sweep

crackmapexec smb <target>/24 -u '' -p ''
crackmapexec smb <target>/24 -u <user> -p <pass> --shares --users --groups
netexec smb <target>/24 -u <user> -p <pass> --shares

Metasploit modules

use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/smb_ms17_010
use exploit/windows/smb/ms17_010_eternalblue

Capture and relay NTLM (Responder + ntlmrelayx)

sudo responder -I eth0 -wv
impacket-ntlmrelayx -tf targets.txt -smb2support

What to Look For

Known CVEs

• CVE-2017-0144 — MS17-010, “EternalBlue.” Unauthenticated RCE in SMBv1. The most consequential Windows vulnerability of the decade.
• CVE-2008-4250 — MS08-067. Pre-auth RCE via the Server service. The bug that made Conficker.
• CVE-1999-0519 — NetBIOS null session allows unauthenticated share enumeration. The classic.
• CVE-2020-0796 — “SMBGhost.” SMBv3 compression bug, pre-auth RCE on Windows 10/Server 2019.

Mitigation

• Disable SMBv1 entirely. PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol. On older systems: Set-SmbServerConfiguration -EnableSMB1Protocol $false.
• Disable NetBIOS over TCP/IP on adapters that don’t need it. Reduces the attack surface to just port 445.
• Enforce SMB signing via Group Policy to prevent relay.
• Block 139 at the perimeter firewall in every environment — there is no reason 139 should ever leave a management VLAN.
• Patch for MS17-010 and MS08-067 on any legacy host still in production.
• Disable anonymous access via RestrictAnonymous=2.

Real-World Example

In May 2017, WannaCry used EternalBlue (SMBv1 RCE on port 139/445) to propagate through hundreds of thousands of unpatched Windows systems in a single weekend, including NHS hospitals, FedEx, Telefónica, and Renault factories. The patch had been available for two months. Port 139 has been the worm surface for Windows for nearly three decades and will continue to be until SMBv1 is extinct.

TL;DR

• Service: NetBIOS Session Service (SMB over NetBIOS)
• Default port: 139/TCP
• Biggest risk: SMBv1 RCE + null session enumeration
• Mitigation: disable SMBv1, enforce signing, block at the perimeter, patch MS17-010