Server Message Block (SMB) Security
Common SMB related vulnerabilities
- Microsoft Windows SMBv1 Multiple Vulnerabilities
- SMB Signing Disabled
- Microsoft Windows SMB NULL Session Authentication
- Microsoft Windows SMB Shares Unprivileged Access
Network Discovery:
TCP port 5357 - Web Services on Devices API (WSDAPI)
File and Printer Sharing:
TCP port 135 - Remote Procedure Call (RPC)
TCP port 139 - NETBIOS Session Service
TCP port 445 - Server Message Block (SMB)
Host Assessment:
Vulnerability Assessment:
TCP port 139 - NETBIOS Session Service
TCP port 445 - Server Message Block (SMB)
Disabling NetBIOS over TCP/IP (TCP port 139) prevents NetBIOS name discovery.
Microsoft Windows SMBv1 Multiple Vulnerabilities
Vulnerability Assessment:
The NSE script smb-protocols can be used to check whether the server supports NT LM 0.12 (SMBv1).
Host Assessment:
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
Remediation:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Verification:
SMB Signing Disabled
Vulnerability Assessment:
Host Assessment:
Remediation:
Set Microsoft network server: Digitally sign communications (always) to Enabled.
If Microsoft network server: Digitally sign communications (always) is disabled, SMB signing is completely disabled. Completely disabling all SMB signing leaves computers more vulnerable to session hijacking attacks.
Note:
- Enabling this setting may cause slower file copy and network performance on client computers.
- Enabling this setting will prevent clients that cannot negotiate SMB signing from communicating with servers and with domain controllers. This causes operations such as domain joins, user and computer authentication, or network access by programs to fail.
Verification:
Microsoft Windows SMB NULL Session Authentication
Vulnerability Assessment:
Host Assessment:
Remediation:
Set both "Network access: Do not allow anonymous enumeration of SAM accounts" and "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to Enabled.
Verification:
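One way to verify the SMBv1, SMB signing and NULL session remediations above in a single pass on the host (an added example, not part of the original page). The function name Test-SmbHardening is hypothetical, and the value names RequireSecuritySignature, RestrictAnonymousSAM and RestrictAnonymous are the registry values behind the policies named above; they do not appear on the page itself.

```powershell
# Added example: read the registry values behind the settings discussed on this page
# and report whether each one matches the hardened value.
# Run in a PowerShell session on the host being assessed.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Finding name (as titled on this page), registry location, and hardened value.
$checks = @(
    [pscustomobject]@{ Finding = 'SMBv1 Multiple Vulnerabilities';  Path = $lanman; Name = 'SMB1';                     Expected = 0 }
    [pscustomobject]@{ Finding = 'SMB Signing Disabled';            Path = $lanman; Name = 'RequireSecuritySignature'; Expected = 1 }
    [pscustomobject]@{ Finding = 'SMB NULL Session (SAM accounts)'; Path = $lsa;    Name = 'RestrictAnonymousSAM';     Expected = 1 }
    [pscustomobject]@{ Finding = 'SMB NULL Session (SAM + shares)'; Path = $lsa;    Name = 'RestrictAnonymous';        Expected = 1 }
)

function Test-SmbHardening {
    param([Parameter(Mandatory)][object[]]$Checks)

    foreach ($c in $Checks) {
        # A value that was never created raises a non-terminating error; suppress it
        # and report NotSet so the OS default is reviewed instead of assumed.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue

        if ($null -eq $item) {
            $actual = $null
            $status = 'NotSet'
        } else {
            $actual = $item.($c.Name)
            $status = if ($actual -eq $c.Expected) { 'Pass' } else { 'Fail' }
        }

        [pscustomobject]@{
            Finding  = $c.Finding
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

Test-SmbHardening -Checks $checks | Format-Table -AutoSize
```

A NotSet result means the value was never written, so the effective setting is whatever the operating system or Group Policy default is for that Windows version; confirm it separately before closing the finding.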
Microsoft Windows SMB Shares Unprivileged Access
Vulnerability Assessment:
Host Assessment:
Remediation:
Turn on Password protected sharing.
Verification:
Log Analysis for SMB Session Authentication