
Port 445 is the door through which Windows computers share files. Every time you map a network drive, access a shared folder, or print to an office printer, that traffic flows through port 445. The protocol is called SMB, the Server Message Block, and it has been the backbone of Windows networking for decades.

It has also been the target of some of the most devastating cyberattacks ever launched.

What SMB Does

SMB is a client-server protocol that lets computers share resources over a network. Files, printers, serial ports, and even the interprocess communication channels called named pipes all flow through SMB.1

When you type \\server\share into Windows Explorer, your computer opens a TCP connection to port 445 on the server. It negotiates a protocol dialect, authenticates (today usually with Kerberos or NTLM), connects to the share, and then treats that remote folder as if it were local. You can read files, write files, delete files. The network becomes invisible.

This is the magic that makes office networks feel seamless. Drag a file from your desktop to the shared drive. Print to the copier down the hall. Access the company intranet. Port 445 carries all of it.

How the Protocol Works

SMB operates at the application layer.2 A client sends requests, a server sends responses. The commands are things like "Open this file," "Read these bytes," "Write this data," "Close the file."

The protocol is stateful. The client establishes a session, authenticates, and maintains that connection while performing operations. This is different from stateless protocols like HTTP, where each request is independent.

Modern SMB runs directly over TCP on port 445. Older versions rode on NetBIOS over TCP/IP, using UDP ports 137 and 138 and TCP port 139. Windows 2000 added direct hosting of SMB over TCP, making NetBIOS optional.3 This made the protocol cleaner and faster, but it also gave attackers a single well-known port to look for.

The current version, SMB 3.1.1, introduced with Windows 10 and Windows Server 2016, supports encryption of traffic, integrity protection of the negotiation itself, and RDMA (SMB Direct, first added in SMB 3.0) for high-performance storage networks.4

The History

In early 1983, Barry Feigenbaum sat at IBM and thought about a problem. DOS had file access through INT 21h, the software interrupt that let programs read and write files. But those files were local. Feigenbaum wanted to make network files feel the same way.5

He designed a protocol to do exactly that. Initially, he called it "BAF" after his own initials.6 Before release, he renamed it SMB.

The protocol was designed to be extensible. Over the years, many groups added features: Microsoft, IBM, Apple, SCO, and eventually the Samba team. Microsoft made the most substantial additions, integrating SMB into LAN Manager in 1987 and then into every version of Windows that followed.7

In 1996, Sun Microsystems announced WebNFS. Microsoft, not wanting to cede the networked file system space, rebranded SMB as CIFS, the Common Internet File System, and submitted drafts to the IETF.8 Those drafts never achieved standard status. The CIFS name faded. Microsoft continued developing SMB.

SMB 2.0 arrived with Windows Vista in 2006. It was a major rewrite. The original protocol had over a hundred commands and subcommands. SMB 2.0 reduced that to nineteen.9 Less chatter, better performance.

SMB 3.0 came with Windows 8 in 2012, adding encryption, AES-CMAC signing in place of the HMAC-SHA256 of SMB2, and support for clustered file servers. SMB 3.1.1, the current version, added pre-authentication integrity (a hash over the negotiate and session-setup exchange, so a man-in-the-middle cannot silently downgrade it) and negotiation of the encryption cipher, adding AES-128-GCM alongside the AES-128-CCM of 3.0.10

The Open Source Mirror: Samba

In December 1991, a PhD student at the Australian National University named Andrew Tridgell had a problem. He was used to accessing his files over the network using PC-NFS, but he needed to connect to a DEC Pathworks server that spoke a different protocol.11

So he wrote a packet sniffer, captured the network traffic, and figured out how the protocol worked. Then he implemented it on Unix.

Tridgell released Samba in January 1992, more than a year before Windows NT shipped.12 He didn't even know his software worked with Windows until nearly two years later. The early versions were aimed at DEC Pathworks compatibility, not Microsoft.

The name "Samba" came from running grep on a dictionary, looking for words containing S, M, and B.13 A company called Syntax owned the trademark for "SMBserver," so Tridgell needed something else.

Tridgell prefers the term "network analysis" or "protocol analysis" over "reverse engineering."14 He didn't disassemble Microsoft's code. He watched the packets on the wire and figured out what they meant.

In 2008, Tridgell won Google's "Best Interoperator" award for his work on Samba and rsync.15 In 2018, the Australian National University awarded him an honorary doctorate.

Security: The Dark Side of Port 445

Port 445 has been called "one of the most dangerous ports on the Internet."16 The reason is simple: SMB is designed to give remote computers access to your files. If that access is misconfigured or exploited, attackers get everything.

EternalBlue and the NSA

Sometime before 2017, the National Security Agency discovered a vulnerability in Microsoft's SMBv1 implementation. Rather than report it to Microsoft, they developed an exploit called EternalBlue and kept it for offensive operations.17

In August 2016, a group calling themselves the Shadow Brokers appeared. They claimed to have stolen hacking tools from the NSA. Over the following months, they leaked firewall exploits, implants, and scripts.18

On March 14, 2017, Microsoft released security bulletin MS17-010, patching a critical vulnerability in SMBv1.19 Someone had warned them. The patch closes the hole; disabling SMBv1 outright, which modern clients no longer need and which Windows 10 and Windows Server since the 1709 releases no longer install by default, removes the attack surface altogether.

One month later, on April 14, 2017, the Shadow Brokers released their most devastating dump. It included EternalBlue.20

WannaCry

On May 12, 2017, at 07:44 UTC, a ransomware worm called WannaCry began spreading across the Internet. It scanned for computers with port 445 exposed, used EternalBlue to break in, and then encrypted the files it found on the victim.21

Within hours, WannaCry had infected over 200,000 computers in 150 countries. Hospitals in the UK's National Health Service were locked out of patient records. Factories at Nissan and Renault stopped production.22

Then, at 15:03 UTC, a security researcher named Marcus Hutchins noticed something strange. The malware, before doing anything else, tried to connect to a gibberish domain name: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the connection succeeded, WannaCry exited.23

The domain wasn't registered. Hutchins registered it for $10.69.24

Machines already infected kept scanning, but on each new victim the check now succeeded and the ransomware exited before it encrypted anything. Hutchins had accidentally activated a kill switch built into the malware. No one knows exactly why the creators included it, possibly to detect sandbox environments that answer every network request. The switch had a gap: machines that could not reach the domain directly, for example those behind an authenticating proxy, were encrypted anyway.

NotPetya

Six weeks later, on June 27, 2017, another attack used EternalBlue. This one was different.

NotPetya appeared to be ransomware. It encrypted files and demanded payment. But it was a lie. There was no decryption key. The ransom was theater. NotPetya was designed purely to destroy.25

The attack began in Ukraine, spreading through a compromised update to a popular tax preparation software called M.E.Doc.26 Inside a network it did not rely on EternalBlue alone: it also harvested credentials from memory and used them to run itself on neighboring machines over SMB with standard administrative tooling, so fully patched hosts fell as well. Within hours, it had escaped Ukraine's borders and spread worldwide.

Maersk, the shipping giant that handles 20% of global container trade, lost its entire IT infrastructure. The company had to rebuild 45,000 PCs and 4,000 servers.27 Cost: $300 million.

Merck, the pharmaceutical company, lost 30,000 computers and 7,500 servers. The attack disrupted production of Gardasil 9, the HPV vaccine.28 Cost: $870 million.

The radiation monitoring system at the Chernobyl nuclear plant went offline.29

Total damage: over $10 billion. The White House called it "the most destructive and costly cyberattack in history."30

The US and UK governments attributed NotPetya to the Russian military, specifically the GRU's Sandworm unit.31

Neighboring Ports

Port 445 doesn't work alone. Here are its neighbors:

Port  Protocol              Description
137   NetBIOS Name Service  Name resolution for older SMB (UDP)
138   NetBIOS Datagram      Connectionless messaging (UDP)
139   NetBIOS Session       SMB over NetBIOS, legacy (TCP)
445   SMB                   Direct SMB over TCP
88    Kerberos              Authentication for domain environments (TCP and UDP)
3268  LDAP Global Catalog   Active Directory lookups (TCP)

Older Windows systems used ports 137-139 for SMB over NetBIOS. Modern systems use port 445 directly. If you're troubleshooting file sharing, check both. If you're hardening, block all four at the perimeter; there is almost never a reason for any of them to be reachable from the Internet.


The Weight of Port 445

Port 445 carries contradictions. It makes Windows networks feel seamless, the shared folder that just works, the printer that appears automatically. It also carried the most destructive cyberattacks in history.

Barry Feigenbaum designed SMB in 1983 to make network files feel local. He succeeded beyond anything he could have imagined. Today, that 40-year-old design decision runs beneath every Windows domain, every Active Directory forest, every corporate network that shares files between machines.

And when the NSA's stolen weapon escaped and burned through the world's networks, it was port 445 that let it in.

Every port carries something. Port 445 carries the trust that makes networks work, and the consequences when that trust is betrayed.
