
What Is SMB and the EternalBlue Vulnerability

What SMB Does

Server Message Block (SMB) is the file sharing protocol used by Windows. When you map a network drive, access a shared folder, or print to a network printer on a Windows network, SMB handles the communication. It has been a core part of Windows networking since the early 1990s.

SMB operates as a client-server protocol. The client sends requests (open file, read data, write data, close file), and the server processes them. Beyond file access, SMB also handles named pipes (inter-process communication), printer sharing, and service enumeration.

On enterprise Windows networks, SMB is everywhere. Active Directory domain controllers share SYSVOL and NETLOGON via SMB. Group policies, login scripts, and software deployment all depend on SMB file shares. It is deeply embedded in how Windows networks operate.

SMB Versions - v1, v2, v3

SMB has evolved through three major versions, each addressing limitations of the previous one.

SMBv1 (created at IBM in 1983 and adopted by Microsoft for LAN Manager; the CIFS name is Microsoft's 1996 dialect of it; in use through Windows XP/Server 2003): The original version. Simple, widely supported, and deeply flawed. It supports the weak LM and NTLMv1 challenge-response authentication schemes, whose captured responses can be cracked offline, it has no encryption, and its kernel-mode server driver (srv.sys) contained memory-corruption bugs. SMBv1 is the version targeted by EternalBlue.

SMBv2 (Windows Vista/2008): Major rewrite. Reduced chattiness (fewer round trips for operations), improved performance for large file transfers, and added compound operations (multiple actions in one request). Removed many of the legacy features that created SMBv1's attack surface.

SMBv3 (Windows 8/Server 2012 and later): Added encryption (AES-128-CCM in 3.0; AES-128-GCM added in 3.1.1, which shipped with Windows 10/Server 2016), secure dialect negotiation (a signed validation of the negotiate exchange, so an attacker on the path cannot quietly downgrade the connection to a weaker dialect), and pre-authentication integrity (3.1.1: a SHA-512 hash chained over the negotiate and session-setup messages, so any tampering with them breaks the session). Signing itself exists in every version; SMBv2 uses HMAC-SHA256 and SMBv3 uses AES-CMAC.

graph TD
    subgraph "SMB Version Security Comparison"
        V1[SMBv1 - 1983 through XP/2003] --> V1F[No encryption]
        V1 --> V1G[NTLM auth vulnerable]
        V1 --> V1H[Buffer overflows - EternalBlue]
        V1 --> V1I[Should be disabled everywhere]
        V2[SMBv2 - 2006] --> V2F[Signing optional]
        V2 --> V2G[Reduced attack surface]
        V2 --> V2H[Better performance]
        V3[SMBv3 - 2012] --> V3F[AES encryption]
        V3 --> V3G[Secure negotiation]
        V3 --> V3H[Pre-auth integrity]
        V3 --> V3I[Current standard]
    end

Each SMB version addressed security flaws in the previous one - SMBv1 should be disabled on every system

Ports and NetBIOS

SMB uses two TCP ports. Port 445 carries SMB directly over TCP (known as direct hosting and registered as microsoft-ds); it is the modern, preferred transport. Port 139 carries SMB over the NetBIOS Session Service, the legacy method that adds a NetBIOS layer between SMB and TCP. Do not confuse port 445 with "SMB Direct", which is a different thing: SMB 3 carried over RDMA-capable network adapters.

NetBIOS (Network Basic Input/Output System) was the original networking layer for Windows file sharing. It uses UDP port 137 (name service), UDP port 138 (datagram service), and TCP port 139 (session service). Modern Windows systems use port 445 by default but often keep port 139 open for backward compatibility.

Both ports are significant from a security perspective. An attacker who can reach port 445 or 139 can attempt SMB authentication, enumerate shares, and exploit vulnerabilities in the SMB implementation.

EternalBlue - MS17-010

EternalBlue is an exploit for a kernel pool buffer overflow in srv.sys, the Windows SMBv1 server driver. It was developed by the U.S. National Security Agency (NSA) as part of its offensive cyber operations toolkit. On 14 April 2017, a group calling itself the Shadow Brokers published a collection of NSA tools, and EternalBlue was among them.

The vulnerability (CVE-2017-0144, fixed by the MS17-010 bulletin) is in how srv.sys handles SMBv1 transaction requests. By sending specially crafted packets to port 445, an attacker can trigger the overflow in kernel memory and execute arbitrary code in kernel mode, which means SYSTEM privileges. No authentication is required. No user interaction is needed. The attacker only needs to reach port 445 (or 139) on a host that still has SMBv1 enabled; with SMBv1 disabled the vulnerable code path is not reachable at all.

graph TD
    subgraph "EternalBlue Attack Flow"
        A1[Attacker scans for port 445] --> A2[Sends crafted SMBv1 packets]
        A2 --> A3[Buffer overflow in srv.sys]
        A3 --> A4[Kernel-level code execution]
        A4 --> A5[SYSTEM privileges obtained]
        A5 --> A6[Install backdoor - DoublePulsar]
        A6 --> A7[Load payload - ransomware or tools]
        A7 --> A8[Spread to next target via SMB]
    end

EternalBlue exploits SMBv1 to gain kernel-level access without any authentication

Microsoft released the MS17-010 patch on 14 March 2017, one month before the Shadow Brokers leak. But millions of systems were not patched. The vulnerability was so severe that Microsoft took the extraordinary step, on the day WannaCry hit, of releasing patches for unsupported operating systems, including Windows XP and Windows Server 2003.

WannaCry

WannaCry struck on May 12, 2017, roughly one month after EternalBlue became public. It combined EternalBlue (for initial exploitation and spreading) with DoublePulsar (a backdoor implant, also from the NSA leak) and a ransomware payload that encrypted files and demanded Bitcoin payment.

WannaCry was a worm - it spread automatically without user interaction. Once it infected one machine on a network, it scanned for other machines with port 445 open and used EternalBlue to infect them. It spread across network boundaries, moving from one organization to another wherever SMB was reachable.

The impact was massive. The UK's National Health Service (NHS) was severely affected - hospitals diverted ambulances, cancelled surgeries, and lost access to patient records. Telefonica in Spain, FedEx, Renault, and organizations in over 150 countries were hit. Estimates suggest over 200,000 systems were infected within the first few days.

WannaCry's spread was accidentally slowed by a security researcher (MalwareTech) who registered a domain name that the malware checked as a kill switch. But the damage was already extensive.

NotPetya

Six weeks after WannaCry, on June 27, 2017, NotPetya appeared. It was significantly more destructive. While it disguised itself as ransomware (displaying a ransom note and demanding Bitcoin), it was actually a wiper - it destroyed data permanently with no way to recover it, even if the ransom was paid.

NotPetya used EternalBlue (and its sibling EternalRomance) for spreading but also carried a credential-dumping module derived from Mimikatz to extract passwords and authentication tokens from memory. It used those credentials to spread with PsExec over SMB and with WMIC (Windows Management Instrumentation) to systems that were already patched against EternalBlue. This made it far more effective at lateral movement than WannaCry.

NotPetya's initial infection vector was a compromised update for M.E.Doc, a Ukrainian tax accounting software. From there, it spread globally. Maersk (the shipping company) lost its entire IT infrastructure and had to reinstall 45,000 PCs and 4,000 servers. Merck, FedEx's TNT Express, and many other multinationals suffered billions in damages.

NotPetya is widely attributed to Russian military intelligence (GRU) and is considered one of the most destructive cyberattacks in history.

SMB Exposure in 2026

Despite WannaCry and NotPetya, SMB port 445 remains exposed on the public internet on hundreds of thousands of systems. Shodan searches consistently find systems responding on port 445 from every country.

Some are legacy systems that cannot be updated. Some are misconfigured cloud instances where security groups accidentally allow port 445 from the internet. Some are small business servers set up by someone who did not understand the risk.

Every one of them is a target. Automated scanning tools continuously probe port 445 across the entire IPv4 address space, testing for EternalBlue and other SMB vulnerabilities.

Defense and Hardening

The defenses against SMB-based attacks are clear and well-documented.

Disable SMBv1. There is almost no legitimate reason to run SMBv1 in 2026. Windows 10 version 1709 and later do not install SMBv1 on clean installations. Where it is still present, remove it explicitly through PowerShell (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol on clients, Remove-WindowsFeature FS-SMB1 on servers, or Set-SmbServerConfiguration -EnableSMB1Protocol $false to switch off just the server side) or through Group Policy. Before removing it on a file server, turn on SMBv1 access auditing (Set-SmbServerConfiguration -AuditSmb1Access $true) for a while to find the printers, scanners and legacy hosts that still speak it.

Never expose port 445 to the internet. No firewall rule should allow inbound connections to port 445 from the public internet. This applies to cloud instances, VPN configurations, and any network boundary.

Patch promptly. The MS17-010 patch had been available for two months when WannaCry hit; every organization that had applied it was protected.

Enable SMB signing and encryption. SMBv3 supports AES encryption of the session (Set-SmbServerConfiguration -EncryptData $true for the whole server, or Set-SmbShare -EncryptData $true per share). Enable it. SMB signing defeats man-in-the-middle tampering and, in particular, NTLM relay of SMB sessions. Require it (Set-SmbServerConfiguration -RequireSecuritySignature $true) on all domain controllers and file servers, and push the client-side requirement through Group Policy.

Segment your network. Not every device needs SMB access to every other device. Limit SMB traffic to the specific paths that need it. Workstations should only reach the file servers they need, not every other workstation.
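Three passages above can be checked from the network with a single probe: the SMB version list (which dialect family a server negotiates and whether it requires signing), the ports section (SMB over port 139 needs a NetBIOS session request first), and this hardening list (SMBv1 off, signing required). The following is an added example, not the article's own code and not a Microsoft tool. It uses only raw sockets and relies on two assumptions that nmap's smb-protocols script also makes: an SMB2-capable server answers an SMB1 multi-protocol negotiate with an SMB2 NEGOTIATE response (MS-SMB2 3.3.5.3.1), and a server with SMBv1 disabled does not answer an SMB1-only negotiate. The dialect reported after a multi-protocol negotiate is only 2.0.2 or the 2.??? wildcard; learning the highest dialect (3.1.1) would take a proper SMB2 NEGOTIATE, which is left out. Host, port and the NetBIOS names "*SMBSERVER" and "PROBE" are caller-supplied assumptions.

```python
"""SMB hardening probe over raw sockets: does the server still accept SMBv1, and does it
require signing? Added example (not the author's code, not part of Windows)."""
import socket
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_SIGNING_REQUIRED = 0x08    # SecurityMode bit, SMB1 negotiate response (MS-CIFS 2.2.4.52.2)
SMB2_SIGNING_REQUIRED = 0x0002  # SecurityMode bit, SMB2 negotiate response (MS-SMB2 2.2.4)
SMB2_DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2",
                 0x0311: "3.1.1", 0x02FF: "2.??? (wildcard; a real SMB2 negotiate follows)"}
UNKNOWN = {"family": "unknown", "dialect": None, "signing_required": False}


def netbios_encode_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 15-char space-padded name plus a 1-byte suffix,
    each byte split into two nibbles, each nibble written as 'A' + nibble value."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return bytes([len(encoded)]) + encoded + b"\x00"     # 32-byte label, empty scope


def netbios_session_request(called: str = "*SMBSERVER", calling: str = "PROBE") -> bytes:
    """RFC 1002 SESSION REQUEST (type 0x81); port 139 wants this before any SMB message."""
    body = netbios_encode_name(called, 0x20) + netbios_encode_name(calling, 0x00)
    return b"\x81\x00" + struct.pack(">H", len(body)) + body


def smb1_negotiate(dialects) -> bytes:
    """SMB_COM_NEGOTIATE (0x72) inside a NetBIOS session message (type 0x00, 3-byte length).
    Flags 0x18; Flags2 0x4001 = NT status codes + long names, no Unicode."""
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, 0x72, 0, 0x18, 0x4001,
                         0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 1)
    dialect_bytes = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(dialect_bytes)) + dialect_bytes
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def parse_negotiate_response(msg: bytes) -> dict:
    """Classify a negotiate response (NetBIOS header already stripped)."""
    if msg[:4] == SMB2_MAGIC and len(msg) >= 70:
        # 64-byte SMB2 header, then StructureSize(2), SecurityMode(2), DialectRevision(2)
        sec_mode, dialect = struct.unpack_from("<HH", msg, 66)
        return {"family": "SMB2+", "dialect": SMB2_DIALECTS.get(dialect, f"0x{dialect:04x}"),
                "signing_required": bool(sec_mode & SMB2_SIGNING_REQUIRED)}
    if msg[:4] == SMB1_MAGIC and len(msg) >= 36:
        # WordCount at 32; an NT LM 0.12 response carries DialectIndex(2) then SecurityMode(1)
        dialect_index, sec_mode = struct.unpack_from("<HB", msg, 33)
        if msg[32] < 2 or dialect_index == 0xFFFF:       # server accepted none of our dialects
            return dict(UNKNOWN, family="SMB1")
        return {"family": "SMB1", "dialect": dialect_index,
                "signing_required": bool(sec_mode & SMB1_SIGNING_REQUIRED)}
    return dict(UNKNOWN)


def _recv_frame(sock):
    """Read one NetBIOS session-service frame; returns (type byte, body)."""
    hdr = b""
    while len(hdr) < 4:
        chunk = sock.recv(4 - len(hdr))
        if not chunk:
            return None, b""
        hdr += chunk
    length, body = int.from_bytes(hdr[1:4], "big"), b""   # flags byte is 0 in practice
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            break
        body += chunk
    return hdr[0], body


def negotiate_with(host: str, port: int, dialects, timeout: float = 3.0) -> dict:
    """One TCP connection, one negotiate; any failure maps to 'unknown', never to 'safe'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if port == 139:
                s.sendall(netbios_session_request())
                if _recv_frame(s)[0] != 0x82:             # 0x82 = positive session response
                    return dict(UNKNOWN)
            s.sendall(smb1_negotiate(dialects))
            kind, body = _recv_frame(s)
    except OSError:
        return dict(UNKNOWN)
    return parse_negotiate_response(body) if kind == 0x00 else dict(UNKNOWN)


def probe_smb(host: str, port: int = 445) -> dict:
    """Multi-protocol negotiate first (what the server prefers), then SMB1-only (is v1 on?)."""
    modern = negotiate_with(host, port, ["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
    legacy = negotiate_with(host, port, ["NT LM 0.12"])
    return {"smb2_or_later": modern["family"] == "SMB2+",
            "smbv1_enabled": legacy["family"] == "SMB1" and legacy["dialect"] is not None,
            "signing_required": modern["signing_required"] or legacy["signing_required"],
            "negotiated": modern["dialect"]}
```

Call probe_smb("fileserver.example.internal") (a placeholder name) or probe_smb(host, 139) for the NetBIOS path; after the hardening steps above you want smbv1_enabled False and signing_required True on every domain controller and file server, and a failed connection on 445 from any address outside the segment that should reach it.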

Understanding network protocols and their vulnerabilities is essential for defending your environment. The BLEShark Nano helps you explore the wireless side of your network, identifying devices that may be running outdated or vulnerable services.
