312-50V9 · Question #554
Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?
The correct answer is D. 139 and 445. Null sessions in Windows environments exploit unauthenticated anonymous connections over NetBIOS and SMB, which operate on ports 139 and 445.
Question
Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?
Options
- A137 and 139
- B137 and 443
- C139 and 443
- D139 and 445
How the community answered
(38 responses)- A3% (1)
- B3% (1)
- C5% (2)
- D89% (34)
Why each option
Null sessions in Windows environments exploit unauthenticated anonymous connections over NetBIOS and SMB, which operate on ports 139 and 445.
Port 137 is the NetBIOS Name Service used for name resolution queries, not for establishing null sessions; null sessions require session-layer ports 139 and 445.
Port 443 is HTTPS (SSL/TLS web traffic) and has no role in null session establishment; it is unrelated to NetBIOS or SMB communication.
Port 443 is HTTPS and is unrelated to null sessions; filtering only port 139 is insufficient because modern Windows systems also accept direct SMB connections on port 445.
Null sessions establish anonymous connections to Windows IPC$ shares using NetBIOS Session Service (TCP port 139) and direct SMB hosting (TCP/UDP port 445). Filtering both ports prevents unauthenticated enumeration of users, groups, password policies, and shares from Windows NT/2000 systems. These two ports are the primary vectors through which null session attacks are conducted.
Concept tested: Windows null session attack vectors and port filtering
Source: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/restrict-null-sessions
Topics
Community Discussion
No community discussion yet for this question.