SMB null session port 139 vs 445

Kioptrix SMB null session works on 139 but fails on 445: what that implies (Working Title)

by
SMB null session port 139 vs 445

Decoding the SMB Handshake: Port 139 vs. 445

Port 139 gives you a friendly handshake. Port 445 stares at you like you brought the wrong badge to the wrong building.

When an SMB null session works on 139 but fails on 445, it isnโ€™t โ€œKioptrix luck.โ€ Itโ€™s a precision clue about transport and rules: NetBIOS Session Service vs. direct-hosted SMB, SMB dialect negotiation (SMB1 vs. SMB2/3), SMB signing, and anonymous/guest policy differences, plus the ever-boring, ever-decisive firewall/ACL filter.

A null session is an SMB session attempt made with blank credentials (no real username/password). What you can do with it depends entirely on server policy: sometimes you get shallow enumeration (like share names), and sometimes you get shut down at negotiation or session setup.

Keep guessing, and you lose the only scarce resource in labs: clean time and clean notes.

This post helps you classify the failure fast: filter vs. negotiate vs. auth, using error strings and cross-client confirmation. No tool roulette. Just a repeatable, write-up-ready diagnosis method.

Label the door. Measure the failure. Move on purpose.
Fast Answer (snippet-ready):

If a null session works on TCP/139 but fails on TCP/445, it usually means the target still exposes NetBIOS/legacy SMB session setup on 139 (sometimes with looser anonymous behavior), while direct-hosted SMB on 445 is blocked by firewall/host rules, dialect negotiation differences (SMB1 vs SMB2/3), SMB signing requirements, or a policy that rejects anonymous/guest on 445. Treat it as a clue about transport + version + policy, not โ€œKioptrix luck.โ€

SMB null session port 139 vs 445

Who this is for / not for

Who this is for

  • Youโ€™re testing authorized labs (Kioptrix, HTB-style, internal ranges) and your notes say: โ€œnull on 139 OK, 445 nope.โ€
  • You want the why, not vibes: what this implies about SMB transport, dialects, and anonymous/guest policy.
  • Youโ€™re time-poor and want a repeatable troubleshooting script for write-ups (pair it with a clean logging habit, like this Kali Linux lab logging workflow).

Who this is not for

  • Anyone targeting real systems without explicit permission (if you need an ethics boundary to link in your footer/nav, use your vulnerability disclosure policy).
  • Anyone looking for exploitation instructions. This is diagnosis-first, lab-safe, and intentionally non-weaponized.
Takeaway: Treat 139 and 445 as two separate test surfaces that happen to lead toward โ€œSMB.โ€ They donโ€™t promise the same rules.
  • Same service family, different transport
  • Different defaults, different fallbacks
  • Your job is classification, not tool-roulette (if you feel yourself spiraling, borrow the OSCP rabbit hole rule and timebox it)

Apply in 60 seconds: Write โ€œ139 = NBSession, 445 = direct SMBโ€ at the top of your notes before you run anything else.

Map the ports first: 139 vs 445 in plain English

Before we diagnose, we name the beast. Microsoftโ€™s own documentation draws a crisp line: TCP/139 is NetBIOS Session Service, and TCP/445 is direct-hosted SMB (NetBIOS-less). That distinction matters because your โ€œnull session successโ€ might be riding a legacy path that 445 simply refuses to entertain.

139 = โ€œSMB via NetBIOSโ€ (legacy wrapper)

  • Think: SMB traffic carried inside a NetBIOS session.
  • Labs still show it because legacy stacks, compatibility knobs, and deliberate โ€œtraining wheelsโ€ configs exist.
  • Itโ€™s also where older discovery habits and naming quirks like to hang out.

445 = โ€œDirect-hosted SMBโ€ (modern default)

  • SMB directly over TCP, no NetBIOS session wrapper.
  • More commonly filtered, and more likely to meet modern hardening defaults first.
  • Dialect negotiation and signing expectations are often more strict here.

Letโ€™s be honestโ€ฆ your tool isnโ€™t โ€œlying,โ€ youโ€™re seeing two different doors

Same building. Different entrance. One door still accepts an old jacket and a fake mustache. The other checks IDs under bright lighting.

Show me the nerdy details

Microsoft describes direct-hosted SMB on TCP/445 as โ€œNetBIOS-less SMB trafficโ€ and lists NetBIOS Session Service on TCP/139 as a traditional transport component. In practice, clients may take different negotiation paths, and servers may have different policy/hardening behavior per listener/stack. Translation: your packet story changes when the transport changes.

๐Ÿ’ก Read the official SMB transport ports 139 vs 445 guidance

SMB null session port 139 vs 445

What it implies when null works on 139 but not 445

When you see โ€œ139 accepts anonymousโ€ but โ€œ445 fails,โ€ itโ€™s rarely one thing. Itโ€™s a stacked hint: transport first, then dialect (SMB1 vs SMB2/3), then session rules (signing, guest, anonymous). The trick is to treat each as a switch you can label, not a mystery you can argue with at 2:00 AM.

Implication #1: Transport-level filtering is likely

If 445 times out while 139 responds, your first suspect is boring and powerful: filtering. Host firewall rules, upstream ACLs, segmentation, or lab-specific routing can allow legacy NetBIOS session traffic while blocking direct SMB. Iโ€™ve seen lab networks where 445 is blocked to force students into a particular โ€œold-schoolโ€ path. Unromantic, effective.

Implication #2: SMB negotiation differs (SMB1 vs SMB2/3 expectations)

A second common pattern: 139 succeeds because your client and the server find a compatible dialect along the NetBIOS path, but 445 rejects the dialect you offered (or demands a newer one). Modern Windows guidance emphasizes controlling SMB versions, and Microsoft documents how SMBv1 can be disabled while SMBv2/3 remains available. In a lab, that can getโ€ฆ weird. Sometimes the โ€œworkingโ€ path is the legacy one because thatโ€™s the lesson.

Implication #3: Anonymous policy may be scoped by interface/path

โ€œAnonymous allowedโ€ is not always a single global truth. Guest access, anonymous restrictions, and signing requirements can behave differently depending on the service stack and settings. Microsoftโ€™s SMB signing documentation notes that signing can be required inbound, outbound, both, or neither depending on OS and configuration. That matters because an anonymous-style session without proper signing or policy alignment can simply be rejected.

Why would a host โ€œtrustโ€ 139 more than 445?

In the real world, it usually doesnโ€™t โ€œtrustโ€ it more. Itโ€™s legacy inertia or misconfiguration. In labs, it can be intentional pedagogy: leave one entrance ajar so you can learn what youโ€™re looking at, then slam the modern door so you donโ€™t skip the reading.

Takeaway: โ€œ139 works, 445 failsโ€ is a classification problem with three suspects: filter, negotiate, auth policy.
  • Filter: timeouts/resets on 445
  • Negotiate: dialect/signing mismatch
  • Auth: anonymous/guest rejected

Apply in 60 seconds: Label your failure in one word (filter/negotiate/auth) before you do any deeper enumeration.

Quick triage checklist: prove whatโ€™s failing

This is the part where most people accidentally start free-climbing a cliff in flip-flops. Donโ€™t. Your goal is not โ€œget in.โ€ Your goal is โ€œname the failure type.โ€ Once you can name it, everything else becomes smaller.

Step 1: Confirm itโ€™s not just reachability

  • Timeout usually smells like filtering or routing.
  • Immediate refusal/reset often points to host/service rule behavior.
  • Negotiation error suggests dialect/signing mismatch.
  • Access denied / logon failure suggests policy (anonymous/guest blocked). If youโ€™re seeing โ€œlogon failureโ€ specifically, anchor your notes to a single canonical explanation like SMBMap NT_STATUS_LOGON_FAILURE.

Step 2: Capture the โ€œfailure typeโ€ your client reports

Write down the exact string. Seriously. SMB errors are not poetic, but they are specific. โ€œSession setup failedโ€ versus โ€œnegotiation failedโ€ versus โ€œconnection timed outโ€ are different countries with different weather.

Step 3: Cross-check with a second SMB client

Different clients can โ€œhelpfullyโ€ fall back into guest-like behavior and still call it a win. Iโ€™ve watched people celebrate a โ€œnull sessionโ€ that was actually a restricted guest context with the permissions of a polite cardboard box. Validate with a second client so you donโ€™t build a write-up on sand.

Show me the nerdy details

Cross-client confirmation reduces false positives caused by silent fallbacks: guest sessions, cached credentials, name resolution side-effects, or a client choosing a different dialect/order of offers. Your objective in triage is stable, reproducible behavior, not one toolโ€™s optimistic interpretation.

Decision card: classify the 445 failure in 30 seconds
  • 445 times out โ†’ treat as filter (ACL/firewall/segmentation).
  • 445 negotiates then errors โ†’ treat as negotiate (dialect/signing).
  • 445 returns access denied/logon failure โ†’ treat as auth (anonymous/guest rejected). If the phrase is โ€œaccess denied,โ€ line it up with SMBMap access denied so you donโ€™t blur it with negotiation failures.

Neutral next action: Record one exact error string + whether it was timeout/reset/deny.

Curiosity gap: when โ€œnull session worksโ€ isnโ€™t what you think

Hereโ€™s the trap: โ€œnull session workedโ€ is a sentence with hidden ambiguity. Did you truly get an unauthenticated session? Or did your client slide into guest behavior? Those two can feel identical at first glance and then diverge violently when you try to do anything meaningful.

Guest fallback vs true anonymous

  • Anonymous (null): no username, no password, no identity beyond โ€œI exist.โ€
  • Guest: an identity exists, but itโ€™s intentionally underpowered and restricted.
  • Authenticated: a real user context with permissions tied to that account/group.

Share listing vs real access

Seeing share names is not the same as reading files. Think of share listing as the lobby directory. You can read the names on the wall. That doesnโ€™t mean you have the elevator key. In labs, itโ€™s common to permit shallow enumeration so you can learn the surface, while blocking actions that would shortcut the learning objective.

Hereโ€™s what no one tells youโ€ฆ SMB can hand you a brochure while locking every door

Iโ€™ve personally wasted an hour โ€œenumeratingโ€ a host that was basically saying: โ€œWelcome! Please enjoy the pamphlet. Also, absolutely not.โ€ Once you accept that enumeration is not permission, you stop confusing movement with progress.

Eligibility checklist: is this a real anonymous session?
  • Yes/No: Are you explicitly using anonymous/blank credentials (no cached creds)?
  • Yes/No: Does the server identify you as โ€œguestโ€ (or equivalent) instead of anonymous?
  • Yes/No: Can you do anything beyond listing (even a minimal metadata query)?

Neutral next action: If any answer is โ€œNo/Unsure,โ€ re-run the same probe with a second client and compare outputs.

The most common root causes (ranked)

Letโ€™s rank by what youโ€™re most likely to see, then talk about what it looks like from the outside. No heroics. Just pattern recognition.

1) Firewall/ACL blocks 445 but leaves 139 open

This is the classic. 445 times out. 139 answers. The server may be fine; the path is not. Microsoft publishes port requirements that explicitly list SMB on 445 and NetBIOS Session Service on 139. In many environments, 445 is treated as higher-risk and filtered more aggressively. In labs, it can be intentionally shaped.

2) SMB signing or session requirements differ on 445

Signing can be required depending on OS and configuration, and Microsoftโ€™s SMB signing guidance describes inbound and outbound signing as independent requirements. If the server requires signing and your session type canโ€™t satisfy it (or your clientโ€™s negotiation path differs), you get a failure that looks โ€œmysteriousโ€ until you remember: security controls rarely announce themselves with confetti.

3) SMB1 disabled or mismatched negotiation

Microsoft documents that SMBv1 is deprecated and provides guidance for enabling/disabling SMBv1/2/3. In modern setups, SMBv1 is often disabled. In lab setups, SMBv1 may exist in one place and not another, or your client may try dialects in an order that produces different results per transport. Thatโ€™s why you treat dialects as data, not assumptions.

4) NetBIOS name resolution quirks

Some workflows โ€œworkโ€ on 139 because the tool leans on NetBIOS naming behavior (or because the lab environment resolves names in ways direct SMB doesnโ€™t). If youโ€™re connecting by IP, this matters less; if youโ€™re connecting by hostname, it can matter more than you want to admit.

Why would disabling SMB1 โ€œbreakโ€ only one port?

Because your client might not behave the same way on both paths, and the serverโ€™s listener stack might not accept the same dialect sequence. Itโ€™s not that โ€œport 139 equals SMB1โ€ and โ€œport 445 equals SMB2.โ€ Itโ€™s that the negotiation story can differ depending on how you approach the service.

Show me the nerdy details

SMB negotiation involves offering dialects and agreeing on one. Signing, encryption, and guest/anonymous policy then shape whether session setup succeeds. Transport differences can influence client behavior (timeouts, fallbacks, name services) and server behavior (policy scopes, listeners, hardening). Your safest move is to record observed dialect results instead of assuming them.

Mini calculator: โ€œhow much time am I about to waste?โ€

Inputs (3): (1) Did 445 timeout? (Yes/No) (2) Do you have an exact error string? (Yes/No) (3) Did a second client agree? (Yes/No)

Output: If you answered โ€œNoโ€ to (2) or (3), assume youโ€™re 30โ€“90 minutes away from clarity. If you answered โ€œYesโ€ to both, youโ€™re often under 10 minutes from the right label (filter/negotiate/auth).

Neutral next action: Stop and capture the error string before changing anything else.

Common mistakes (the ones that waste an entire evening)

Mistake #1: Declaring โ€œSMB is openโ€ because 139 responds

Iโ€™ve done this. You see 139, you get excited, you tell your notes โ€œSMB open,โ€ and then you spend an hour wondering why the โ€œrealโ€ port doesnโ€™t work. Treat 139 and 445 as separate surfaces. โ€œSMB openโ€ is not specific enough to help Future You.

Mistake #2: Treating โ€œshare list visibleโ€ as proof of credentials

You can list shares and still be blocked from meaningful actions. This is not failure; itโ€™s information. Donโ€™t convert it into confidence you didnโ€™t earn.

Mistake #3: Not recording the exact error string

SMB errors are like street signs: ugly, essential, and surprisingly honest. If you donโ€™t write them down, you force yourself to re-drive the same road in the dark.

Mistake #4: Assuming Kioptrix behaves like a modern Windows server

Labs are Franken-systems by design. The point is to make you notice seams. If your brain expects โ€œmodern defaults,โ€ Kioptrix will happily teach you humility for the price of one evening (a broader framing that also shows up when people misread scans, like Nmap -sV service detection false positives).

Takeaway: The fastest troubleshooting is the one where you take notes like youโ€™re writing your own incident report.
  • Port + symptom + exact error string
  • Which client produced it
  • Whether behavior is reproducible

Apply in 60 seconds: Add a one-line โ€œObservationโ€ header to your notes and fill it before you run another command.

Donโ€™t do this: two traps that create false confidence

Trap #1: Tool-hopping without changing hypotheses

Swapping tools without a theory is just moving the flashlight around your room while refusing to turn the lights on. If you canโ€™t say โ€œI think this is filter/negotiate/auth,โ€ youโ€™re not troubleshooting yet. Youโ€™re orbiting.

Trap #2: Over-tuning scans before confirming basics

Donโ€™t decorate a house you havenโ€™t confirmed exists. First confirm reachability, then negotiation, then session type. After that, enumeration becomes productive instead of performative (this mindset pairs well with a tight fast enumeration routine for any VM).

Short Story: The Night I Argued With Port 445 (120โ€“180 words) โ€ฆ

I once spent a full lab session convinced the target was โ€œhalf-brokenโ€ because 139 gave me a warm handshake and 445 acted like Iโ€™d insulted its family. I tried three clients, changed flags I didnโ€™t understand, and started narrating my troubleshooting out loud like it was a documentary.

The turning point was embarrassingly small: I wrote down the exact 445 failure and realized it wasnโ€™t โ€œSMB hates me,โ€ it was โ€œ445 never truly responds.โ€ That pushed me to label it as filter, not โ€œauth weirdness.โ€ Ten minutes later, everything else snapped into place, including the reason the lab designers left 139 open in the first place: they wanted me to learn that โ€œSMBโ€ is not a single door. Itโ€™s a hallway with different locks.

โ€œSo what should I change?โ€ A decision table in words

Youโ€™re not here to collect trivia about NetBIOS. Youโ€™re here to decide what to do next without wasting your afternoon. Use this as a practical โ€œif/thenโ€ map.

If 445 times out

  • Think: network filter/ACL or segmentation.
  • Do: verify from another authorized vantage point or network segment (if your lab supports it).
  • Write: โ€œ445 = timeout; classify as filter.โ€

If 445 refuses negotiation

  • Think: dialect mismatch or session requirements (signing/hardening).
  • Do: identify which SMB versions the service accepts and whether signing is required in your environment.
  • Write: โ€œ445 = negotiate fail; classify as negotiate.โ€

If 445 returns access denied/logon failure

  • Think: anonymous disallowed on 445, or guest rules differ.
  • Do: compare anonymous policy and session identity (anonymous vs guest) between the two paths.
  • Write: โ€œ445 = policy reject; classify as auth.โ€

If 139 โ€œworksโ€ but only lists a couple items

  • Think: restricted guest-like context.
  • Do: confirm what โ€œworkedโ€ actually returned and whether the session is anonymous or guest.
  • Write: โ€œ139 = shallow enumeration; treat as lobby access.โ€
Show me the nerdy details

The same โ€œSMBโ€ label covers different layers: TCP reachability, SMB dialect agreement, and session setup with policy constraints (signing, guest/anonymous restrictions). Many failures happen before authentication is even meaningfully evaluated. Thatโ€™s why your first label should be filter/negotiate/auth.

Lab notes for Kioptrix: what this usually means in practice

Kioptrix-style labs often behave like a time capsule with a teaching agenda. If youโ€™re used to modern Windows defaults, the lab will feel like itโ€™s speaking an older dialect on purpose. Thatโ€™s not a defect. Thatโ€™s the point.

Expect legacy SMB/NetBIOS surfaces

Seeing 139 open often signals that older components are reachable. The lab designers may want you to notice that NetBIOS-era pathways exist and that they can behave differently than direct SMB.

Expect inconsistent policy edges

Labs may intentionally allow shallow enumeration on one path but block the other. It forces you to write better notes and treat โ€œsuccessโ€ as something you verify, not something you assume.

What to document in your write-up

  • Ports open and how you confirmed it (donโ€™t sleep on fundamentals like Nmap -Pn vs -sn when the lab network is doing โ€œhelpfulโ€ things)
  • Exact error strings on each port
  • Observed dialect behavior (what the client/server agreed on)
  • What โ€œworkedโ€ actually returned (share names only? any meaningful metadata?)
  • Whether a second client reproduced the same behavior (and if youโ€™re using smbclient for validation and it wonโ€™t reveal details, see smbclient canโ€™t show Samba version)
Infographic: The 445 Failure Triangle (Filter vs Negotiate vs Auth)
1) FILTER
Symptom: timeout, no response, inconsistent reachability.
Meaning: network/ACL/firewall/segmentation.
Next move: confirm path, vantage, routing.
2) NEGOTIATE
Symptom: negotiate/dialect/signing errors.
Meaning: SMB version or signing expectations mismatch.
Next move: record dialect outcome, check signing.
3) AUTH
Symptom: access denied, logon failure.
Meaning: anonymous/guest policy rejects on 445.
Next move: confirm session identity (anon vs guest).
Golden rule: Donโ€™t change tools until you can point to the triangle corner youโ€™re standing on.

Next step (one concrete action)

Do the โ€œtwo-port, one-questionโ€ check: perform the same minimal anonymous probe against 139 and 445, and record exact errors and dialect negotiation results. Then label 445โ€™s failure as filter, negotiate, or auth before you do anything else. That single label prevents most rabbit holes and makes your write-up reproducible.

Takeaway: Your fastest path is not โ€œmore enumeration.โ€ Itโ€™s โ€œone clean classification.โ€
  • Same probe on both ports
  • Exact strings, not paraphrases
  • One-word label: filter/negotiate/auth

Apply in 60 seconds: Create a three-line note template: โ€œ139 result: ___ / 445 result: ___ / Label: ___โ€.

SMB null session port 139 vs 445

FAQ

1) What is a null session in SMB, and what does it allow?

A null session is an SMB session attempt without a real username/password. What it allows depends entirely on server policy. In many environments, it allows little or nothing. In labs, it may allow limited enumeration so you can observe the service surface safely.

2) Why is port 139 still open on some systems if 445 exists?

Legacy compatibility, older stacks, and sometimes deliberate configuration choices. Microsoft documentation distinguishes NetBIOS Session Service (139) from direct-hosted SMB (445). In labs, 139 may be left open to expose older behaviors for learning.

3) Does โ€œnull session workedโ€ mean I have real access to SMB shares?

Not necessarily. You might be seeing share names without meaningful permissions. Or your client may have fallen back into guest-like access. Treat โ€œworkedโ€ as โ€œI observed something,โ€ then verify what identity and permissions you actually have.

4) Whatโ€™s the difference between anonymous, guest, and authenticated SMB access?

Anonymous is no credentials. Guest is a restricted identity (often with minimal permissions). Authenticated is a real user context with group/ACL-based access. They can look similar during shallow enumeration and diverge sharply when you attempt real actions.

5) If 445 fails but 139 works, is that a firewall issue or an SMB version issue?

It can be either. Use symptoms: timeouts lean toward filtering; negotiation errors lean toward dialect/signing mismatch; access denied/logon failure leans toward policy. Label the failure first, then drill down.

6) How can SMB signing affect anonymous or legacy connections?

Signing requirements can prevent certain session types or negotiation paths from succeeding if the client and server canโ€™t agree on signing behavior. Microsoftโ€™s SMB signing guidance explains that signing can be required inbound, outbound, both, or neither, depending on configuration.

7) Can SMB1/SMB2 negotiation differences cause one port to fail and not the other?

Yes, especially when client behavior differs by transport and when server hardening or legacy support is uneven. Microsoft provides guidance on enabling/disabling SMB versions; modern environments commonly disable SMBv1, while labs may intentionally expose older behaviors.

8) In Kioptrix-style labs, what should I record to make my troubleshooting reproducible?

Record ports, exact error strings, observed dialect behavior, what โ€œsuccessโ€ returned (share names only vs anything more), and whether a second client reproduced the same outcome. Thatโ€™s enough for a reader to follow your logic without you narrating your pain.

Conclusion

Remember the hook, that feeling of โ€œwhy is 445 acting haunted?โ€ Hereโ€™s the closure: itโ€™s not haunted. Itโ€™s different rules at a different door. When a null-style probe works on 139 but fails on 445, youโ€™re staring at a diagnostic postcard that says, โ€œCheck the path, then the dialect, then the policy.โ€ If you do nothing else, do the two-port check, capture the error strings, and label the failure as filter, negotiate, or auth. Thatโ€™s a real next step you can complete in 15 minutes, and it makes your Kioptrix notes read like a professional operator instead of a sleep-deprived diary.

If you want to go one level deeper (still safely), Microsoftโ€™s documentation on SMB versions and SMB signing is worth skimming because it explains how version and signing requirements shape whether sessions succeed at all.

๐Ÿ’ก Read the official SMB versions (SMBv1/SMBv2/SMBv3) guidance

๐Ÿ’ก Read the official SMB signing guidance

Last reviewed: 2026-02