Port description: Port 137 is used mainly for the NetBIOS Name Service and is a UDP port. Anyone who can send a single request (a node status query) to port 137 of a computer on the local network or the Internet gets back that computer's NetBIOS name table, which reveals the computer name, the logged-on user name, whether the host is a (primary) domain controller, and whether IIS is running.
Port vulnerability: Because the service answers unauthenticated UDP requests, an attacker obtains this information simply by sending one query, and some of it points directly at services worth probing for vulnerabilities, for example a running IIS. In addition, by capturing the port 137 traffic on the network, the startup and shutdown times of the target computer can be learned, because a host registers its names when it comes up and releases them when it shuts down; this tells an attacker when the host is reachable and lets purpose-built tools be timed accordingly. Why do these packets appear on the network at all? Because port 137 carries the computer name management function of the Windows network protocol NetBIOS over TCP/IP (NBT).
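The query described above, as an added example that is not part of the original page: it builds the 50-byte node status request that nbtstat -A sends to UDP/137, parses the name table in the reply, and interprets the well-known name suffixes the text refers to (computer name, logged-on user, domain, domain controller, legacy IIS registrations). The response it parses is constructed locally so the example runs offline; the host name WS01, domain CORP, user JDOE and the MAC address are made-up sample data, and query_host() is the only part that touches a real target.

```python
"""NBNS node status (NBSTAT) query against UDP/137 (RFC 1001/1002).

Added example; not code from the original page. SAMPLE_ENTRIES and the
MAC address below are constructed test data, not a real capture.
"""
import socket
import struct

NBSTAT = 0x0021      # RR type of the node status request/response
CLASS_IN = 0x0001
GROUP_FLAG = 0x8000  # NAME_FLAGS bit 15: 1 = group name, 0 = unique name


def encode_netbios_name(name: bytes, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1002 4.1): the name is padded with NULs to
    15 bytes (as the wildcard '*' is), the 1-byte suffix appended, and each
    byte split into two nibbles offset by 'A'. Returns the 34-byte label."""
    raw = name[:15].ljust(15, b"\x00") + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(enc)]) + enc + b"\x00"


def build_node_status_request(txid: int = 0x1234) -> bytes:
    """The datagram nbtstat -A sends: one question for '*', type NBSTAT."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name(b"*") + struct.pack(">HH", NBSTAT, CLASS_IN)


def build_node_status_response(txid: int, entries, mac: bytes) -> bytes:
    """Server side of the exchange (used here to construct offline test data).
    entries: iterable of (name, suffix, is_group)."""
    table = b""
    for name, suffix, is_group in entries:
        flags = (GROUP_FLAG if is_group else 0) | 0x0400      # ACT bit: name is active
        table += name.encode("ascii").ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    stats = mac + b"\x00" * 40                                # 46-byte STATISTICS, MAC first
    rdata = bytes([len(entries)]) + table + stats
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response + authoritative answer
    rr = encode_netbios_name(b"*") + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(data: bytes) -> dict:
    """Return the name table and MAC address from a node status response."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    off = 12
    while data[off]:                      # skip the echoed question name labels
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):            # 18 bytes per entry: 15 name, 1 suffix, 2 flags
        name, suffix, nflags = struct.unpack_from(">15sBH", data, off)
        off += 18
        names.append((name.rstrip(b" \x00").decode("ascii", "replace"), suffix, bool(nflags & GROUP_FLAG)))
    mac = ":".join(f"{b:02X}" for b in data[off:off + 6])
    return {"txid": txid, "names": names, "mac": mac}


def summarize(names) -> dict:
    """Interpret the suffixes behind the facts the text lists."""
    unique = [(n, s) for n, s, g in names if not g]
    group = [(n, s) for n, s, g in names if g]
    computer = next((n for n, s in unique if s == 0x00 and not n.startswith("IS~")), None)
    return {
        "computer": computer,
        # a unique <03> (messenger) name other than the computer's is the logged-on user
        "user": next((n for n, s in unique if s == 0x03 and n != computer), None),
        "domain": next((n for n, s in group if s == 0x00), None),
        "pdc": any(s == 0x1B for _, s in unique),                # <1B> unique: domain master browser, held by the PDC
        "domain_controller": any(s == 0x1C and n != "INet~Services" for n, s in group),  # <1C> group: DCs
        "iis": any(n == "INet~Services" or n.startswith("IS~") for n, _, _ in names),    # legacy IIS names
    }


def query_host(host: str, timeout: float = 2.0) -> dict:
    """Send the request to a real host on UDP/137 and parse the answer."""
    req = build_node_status_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 137))
        data, _ = s.recvfrom(1024)
    info = parse_node_status_response(data)
    if info["txid"] != struct.unpack_from(">H", req)[0]:
        raise ValueError("transaction ID mismatch")
    return info


# Constructed sample: a workstation WS01 in domain CORP with user JDOE logged on
# and legacy IIS registrations present. Not a real capture.
SAMPLE_ENTRIES = [
    ("WS01", 0x00, False), ("CORP", 0x00, True), ("WS01", 0x20, False),
    ("WS01", 0x03, False), ("JDOE", 0x03, False), ("CORP", 0x1E, True),
    ("INet~Services", 0x1C, True), ("IS~WS01", 0x00, False),
]
SAMPLE_RESPONSE = build_node_status_response(0x1234, SAMPLE_ENTRIES, bytes.fromhex("001122334455"))

if __name__ == "__main__":
    info = parse_node_status_response(SAMPLE_RESPONSE)
    for name, suffix, is_group in info["names"]:
        print(f"{name:<15} <{suffix:02X}>  {'GROUP' if is_group else 'UNIQUE'}")
    print(info["mac"], summarize(info["names"]))
```

Replacing SAMPLE_RESPONSE with the output of query_host("192.0.2.10") against a host that still has NetBIOS over TCP/IP enabled gives the same table that nbtstat -A prints; nothing about the request is authenticated, which is the whole point the text makes.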
Computer name management here means the mechanism by which computers on a Windows network resolve the name they use to identify each other, the NetBIOS name, to an actual IP address. Port 137 is used for this in two ways.
One method manages names among computers in the same group (the same broadcast segment) by broadcasting. When a computer starts up or joins the network, it broadcasts a name registration request asking every computer in the group whether any of them already uses the NetBIOS name it wants. A computer that does already hold that name answers with a notification packet (a negative name registration response), and the requester must not use the name. All of these exchanges travel over port 137.
The other method uses WINS (Windows Internet Name Service) to manage names. The computer acting as WINS server keeps a lookup table of IP addresses and NetBIOS names. When a WINS client starts or joins the network, it sends its NetBIOS name and IP address to the WINS server for registration. When it wants to talk to another computer, it sends that computer's NetBIOS name to the WINS server and asks for the matching IP address. This method also uses port 137.
As described above, simply to obtain the IP address of a communication partner, port 137 has to exchange many packets, and those packets carry a great deal of information. When broadcasting is used for name management, that information is sent to every computer on the segment. In other words, wherever NBT is in use the computer spreads its own details to the outside without the user's knowledge.
The exposure of such ports can be limited with the "Custom IP Rules" of the Skynet firewall; the page's example rule is for port 445. Double-click to open the main Skynet Firewall window, click the "Custom IP Rules" button on the right side of the interface, click "Add New Rule" in the rule menu that appears, and in the new-rule dialog select the "TCP" tab. For the local port enter 445 in the "from" field and 0 in the "to" field (0 means no range, that is, port 445 only), and leave every other port field at 0. As the action when the rule matches, choose "Intercept", tick the "Alarm" and "Record" options, give the rule a name and a description, and click OK to finish. In Kingsoft Netdart, click "Edit IP Rules" in the tool and then "Add IP Rule" in the window that appears; the settings are the same as for Skynet. Kingsoft Netdart, however, already protects port 445 by default. Note that a rule for TCP 445 covers direct-hosted SMB, not the NetBIOS name service discussed on this page; to cover that, create the same blocking rule for UDP port 137 as well, or disable NetBIOS over TCP/IP in the network adapter's WINS settings.
When the computer has no firewall installed, port 445 can be closed by hand through the registry. Type "regedit" in the Start menu to open the Registry Editor, expand the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters, and create a new DWORD value named "SMBDeviceEnabled". Then double-click "SMBDeviceEnabled" and set its value to 0 in the edit dialog that appears. Close the Registry Editor and restart the system; port 445 will then be completely closed. As with the firewall rule above, this only closes port 445 and does not stop the name service on UDP 137.