That’s pretty amazing.  They should be blocked inbound and outbound.

Blaster worm was like 13 years ago?  At that time, if you connected a brand new 
Windows computer to a non-firewalled Internet connection, it would be infected 
within seconds, before you could run Windows Update.

I also remember people would get these little system notification windows 
popping up on their screen.

I think we used to block port 1434 due to the MS SQL Slammer worm, I forget how 
long ago we stopped that.

From: Zach Underwood 
Sent: Monday, September 19, 2016 11:50 AM
Subject: Re: [AFMUG] everyone should be blocking SMB ports

My work has its own IP address and gets upstream from AT&T and Charter. The SMB 
ports are not blocked.



On Sep 19, 2016 12:47 PM, "Josh Luthman" <> wrote:

  Cable/Telco probably. 

  WISP?  I dunno...

  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373

  On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <> wrote:

    I think everyone has been blocking those ports since 1998-ish (or at least you should be)


    On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <> 

      This was written from the viewpoint of a Windows AD setup, but it can affect home users too, since MS makes people use MS Live accounts to log in to Windows.

      Outside servers can get username/domain/password hash. Once a remote server has the login info they could connect to VPN, Office365 or another service that uses AD domain user info.
      See attachment for example. I got the example from a VM with a test 
account on it.

      Microsoft-based browsers like IE and Edge can be induced to make an outbound SMB connection to a remote server. In this connection Microsoft will send over username, domain, and password hash. The remote server then can do a decryption of the password hash using brute force, password, dictionary and rainbow tables.

      The fastest way to stop this is to block all of the SMB network ports on the edge firewall for incoming and outgoing. The ports are 137-138 UDP, 137 TCP, 139 TCP, 445 TCP.


      Testing site:


      Zach Underwood (RHCE,RHCSA,RHCT,UACA) 
      My website
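
A way to check whether the ports listed in the thread are actually being stopped at the edge, as an added example that is not part of the original e-mails: it scans flow records for SMB/NetBIOS traffic that crosses the edge in either direction. The internal prefixes, the `(src, dst, proto, dport)` record layout and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Ports named in the thread: 137-138/udp, 137/tcp, 139/tcp, 445/tcp.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 137), ("tcp", 139), ("tcp", 445)}

# Assumption: networks that sit behind the edge firewall. Use your own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr belongs to one of the networks behind the edge."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def smb_edge_crossings(flows):
    """Return (direction, flow) for each SMB flow that crosses the edge.

    LAN-to-LAN file sharing is ignored; only flows with exactly one
    internal endpoint count, because those are what the edge rule should drop.
    """
    hits = []
    for flow in flows:
        src, dst, proto, dport = flow
        if (proto.lower(), int(dport)) not in SMB_PORTS:
            continue
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and not dst_in:
            hits.append(("outbound", flow))   # client reaching an outside server
        elif dst_in and not src_in:
            hits.append(("inbound", flow))    # outside host reaching the LAN
    return hits


# Constructed sample records; external addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.50", "tcp", 445),  # SMB leaving the network
    ("198.51.100.7", "192.168.1.5", "tcp", 139),   # NetBIOS session from outside
    ("192.168.1.20", "192.168.1.5", "tcp", 445),   # internal file share
    ("192.168.1.20", "203.0.113.50", "tcp", 443),  # ordinary HTTPS
    ("192.168.1.30", "203.0.113.9", "udp", 137),   # NetBIOS name service leaving
    ("192.168.1.30", "203.0.113.9", "udp", 445),   # not on the thread's port list
]

if __name__ == "__main__":
    for direction, flow in smb_edge_crossings(SAMPLE_FLOWS):
        print(direction, *flow)
```

Any hit on traffic captured outside the firewall means the block is missing for that direction.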
