Windows Basics
TCP 139: NetBIOS Session Service, also known as SMB over NetBIOS, lets you manage
connections between NetBIOS-enabled clients and applications and is associated with port
TCP 139. The service is used by NetBIOS to establish connections and tear them down
when they are no longer needed.

TCP 445: SMB over TCP, or Direct Host, is a service designed to improve network access
and bypass NetBIOS use. This service is available only in Windows 2000 and later.
SMB over TCP is closely associated with TCP 445.

UDP 161 and 162: SNMP is a protocol used to manage and monitor network devices and
hosts. The protocol is designed to facilitate messaging, monitoring, auditing, and other
capabilities. SNMP works on two ports: 161 and 162. Listening takes place on 161 and
traps are received on 162.

TCP/UDP 389: Lightweight Directory Access Protocol (LDAP) is used by many applications;
two of the most common are Active Directory and Exchange. The protocol is used to
exchange information between two parties. If the TCP/UDP 389 port is open, it indicates
that one of these or a similar product may be present.

TCP/UDP 3268: Global Catalog Service is associated with Microsoft’s Active Directory and
runs on port 3268 on Windows 2000 systems and later. The service is used to locate
information within Active Directory.

TCP 25: Simple Mail Transfer Protocol (SMTP) is used for the transmission of messages in
the form of e-mail across networks. Per the standard, SMTP is accessible on
TCP 25.
I can’t stress this enough: You must know your ports for the exam as well
as in the field. Fortunately, for the exam there are only a handful of ports
that you must remember (including their TCP/UDP status). In the field you
will frequently be presented with port numbers that aren’t mentioned
on the CEH, and in those cases you must be prepared by having a list of
ports printed out or in a document on your computer or smartphone. Just
because CEH doesn’t test on a topic doesn’t mean you won’t run into it.
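The following is an added example, not part of the original text: a defender-side check that parses Windows `netstat -ano` output and reports which of the ports listed above are listening, and on which address. The netstat sample, its PIDs and addresses, and the function names are constructed for illustration.

```python
# Added example: map listening sockets in `netstat -ano` output to the
# services in the port list above. All sample data below is constructed.

# (protocol, port) -> service, taken from the port list on this page
KNOWN_PORTS = {
    ("TCP", 25): "SMTP", ("TCP", 139): "NetBIOS Session Service",
    ("TCP", 445): "SMB over TCP (Direct Host)",
    ("UDP", 161): "SNMP", ("UDP", 162): "SNMP traps",
    ("TCP", 389): "LDAP", ("UDP", 389): "LDAP",
    ("TCP", 3268): "Global Catalog Service",
    ("UDP", 3268): "Global Catalog Service",
}

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING       1500
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     192.168.1.20:445       ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:161            *:*                                    2104
  UDP    0.0.0.0:5353           *:*                                    3120
"""

def listening_services(netstat_text):
    """Return sorted (proto, port, bind_addr, pid, service) for listed ports."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # UDP rows have no State column; TCP rows must be LISTENING.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")  # copes with [::]:445
        if not port.isdigit():
            continue
        service = KNOWN_PORTS.get((proto, int(port)))
        if service:
            found.add((proto, int(port), addr, int(fields[-1]), service))
    return sorted(found)

def exposed(rows):
    """Keep rows bound to something other than the loopback address."""
    return [r for r in rows if not r[2].startswith(("127.", "[::1]"))]

if __name__ == "__main__":
    for row in exposed(listening_services(SAMPLE_NETSTAT)):
        print("%s %d on %s (PID %d): %s" % row)
```

On a live host, pass the captured text of `netstat -ano` to `listening_services` instead of the constructed sample.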
Commonly Exploited Services
The Windows OS is popular with both users and attackers for various reasons, but for now
let’s focus on attackers and what they exploit.
Windows has long been known for running a number of services by default, each of
which opens up a can of worms for a defender and a target of opportunity for an attacker.
Each service on a system is designed to provide extra features and capabilities to the system
such as file sharing, name resolution, and network management, among others. Windows
can have around 30 or so services running by default, not including the ones that individual
applications may install.