Service:
netbios-ssn
Protocol:
TCPPort:
139Used for:
File and printer sharing in Windows networksWhy It’s Open
Used by SMB over NetBIOS for Windows file and printer sharing before SMB over TCP/445 became common.
Common Risks
- SMB Exploits: Legacy SMB 1.0 vulnerabilities (e.g., EternalBlue) often used this port.
- Credential Theft: Man-in-the-middle attacks can capture NTLM hashes.
- Unauthorized Access: If shared folders aren’t locked down.
Want to save time on reporting?
Let PentestPad generate, track, and export your reports - automatically.
Enumeration & Testing
Nmap Check
nmap -p 139 --script smb-os-discovery
nbtscanWhat to Look For
| Checkpoint | What it means |
|---|---|
| Open shares | Risk of data exposure |
| SMBv1 in use | Vulnerable to known exploits |
| Null sessions | Allows unauthenticated access |
Known Exploits
- CVE-1999-0504 NetBIOS NULL session allows unauthorized access to shares. 🔗 NVD Entry
Mitigation
- Disable SMBv1 and NetBIOS if possible.
- Move to SMB over port 445 with secure settings.
- Use proper authentication and share permissions.
Real-Life Example
Port 139 has been a favorite target for ransomware, worms, and lateral movement in Windows environments for over two decades.
TL;DR
- Service: NetBIOS Session Service
- Risks: Unauthorized access, information disclosure
- Mitigation: Disable NetBIOS over TCP/IP if not needed, restrict access