SMB Security

Microsoft made the SMB protocol for Windows to enable file and printer sharing, authentication, and more, using TCP port 445. While SMB is common on networks, it can also be used by attackers to blend in with regular traffic on port 445.

SMB is a problem for modern networks because it's often set up by end-users who don't apply proper security controls. The protocol is complex and includes outdated features, some from over 20 years ago, which were not designed with modern security in mind. Additionally, many non-Windows devices like printers and medical equipment support SMB but with limited security features. All these factors make SMB less secure and harder to defend against attacks.

SMB Security Features

Feature                       SMBv1    SMBv2.1       SMBv3          SMBv3.1.1
Minimum Workstation Version   XP       Win7          Win8           Win10
Minimum Server Version        Win2K3   Win2K8 R2     Win2K12        Win2K16
Encryption Support            No       No            Yes            Yes
Message Integrity/Signing     No       Yes, SHA256   Yes, AES-CMAC  Yes, AES-CMAC
MITM Resistant                No       No            Yes            Yes
Pre-Auth Verification         No       No            No             Yes

Knowing the security features of SMB from old to new versions is important. Newer SMB versions (in recent Windows) are safer than older ones. However, many organizations still use old SMB versions, which risks data security.

The table shows the SMB security features and the Windows versions needed for each. To get the security improvements of SMB v2/v2.1, organizations should turn off SMBv1. This PowerShell command disables SMBv1:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

SMBv3 can spot MITM attacks only after authentication. SMB v3.1.1 improves this by checking for MITM attacks before authentication.
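The following audit script is an added example written for these notes; it is not course code and not Microsoft code. It checks the settings that correspond to the feature table above (SMBv1 still enabled, signing not required, encryption off, client willing to talk to unsigned servers) and prints the Set-Smb*Configuration command that fixes each finding. The property names are the real Get-SmbServerConfiguration and Get-SmbClientConfiguration properties; the function name is my own, and the configuration objects are parameters so the logic can be exercised offline against constructed samples. With no arguments it reads the live settings (elevated PowerShell 5.1 or later on Windows).

```powershell
# Added example (written for these notes; not course or Microsoft code):
# audit the settings behind the SMB feature table and print the fix for
# each finding. With no arguments it reads the live host configuration.
function Test-SmbHardening {
    param(
        $ServerConfig = (Get-SmbServerConfiguration),
        $ClientConfig = (Get-SmbClientConfiguration)
    )
    # setting, side, expected value, why it matters, remediation
    $checks = @(
        @('EnableSMB1Protocol',       'Server', $false, 'SMBv1 accepted: no signing, no encryption, no MITM resistance',
          'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'),
        @('RequireSecuritySignature', 'Server', $true,  'Unsigned sessions accepted; relay and MITM tampering possible',
          'Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'),
        @('EncryptData',              'Server', $true,  'Share traffic readable on the wire (SMBv3 encryption is off)',
          'Set-SmbServerConfiguration -EncryptData $true -Force'),
        @('RequireSecuritySignature', 'Client', $true,  'Client will talk to servers that refuse signing',
          'Set-SmbClientConfiguration -RequireSecuritySignature $true -Force')
    )
    foreach ($c in $checks) {
        $name, $side, $expected, $risk, $fix = $c
        $cfg       = if ($side -eq 'Server') { $ServerConfig } else { $ClientConfig }
        $actual    = [bool]$cfg.$name
        $compliant = ($actual -eq $expected)
        [pscustomobject]@{
            Side        = $side
            Setting     = $name
            Actual      = $actual
            Compliant   = $compliant
            Risk        = $(if ($compliant) { '' } else { $risk })
            Remediation = $(if ($compliant) { '' } else { $fix })
        }
    }
}

# Constructed samples (not real output): an unhardened server and a default client.
$server = [pscustomobject]@{ EnableSMB1Protocol = $true; RequireSecuritySignature = $false; EncryptData = $false }
$client = [pscustomobject]@{ RequireSecuritySignature = $false }
Test-SmbHardening -ServerConfig $server -ClientConfig $client |
    Where-Object { -not $_.Compliant } |
    Format-Table Side, Setting, Actual, Remediation -AutoSize
# Expected: all four checks non-compliant, each with its Set-Smb*Configuration fix.
# Live host: Test-SmbHardening | Where-Object { -not $_.Compliant }
```

Two caveats before applying the fixes on a real server: EncryptData $true, together with the default RejectUnencryptedAccess setting, disconnects any client that cannot do SMB 3.0 encryption (Windows 7 and older, and many printers and appliances), so inventory the clients first; and flipping EnableSMB1Protocol only stops the server side, whereas removing the SMBv1 component with the Disable-WindowsOptionalFeature command above takes the client side away as well.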

SMB Shares

An SMB share lets users read or write files on a server. It's set up by admins for specific purposes (like accounting files) or general use (like company data). Windows servers and PCs can have SMB shares that may be accessible to anyone or just to authenticated users. Attackers often exploit SMB shares to access data or gather information for further attacks.

Attackers can find SMB shares in various ways. One method in PowerShell is Get-CimInstance -Class win32_share with a target IP or hostname. This command lists all shares, showing admin shares (names ending in $) and regular shares (like Tools). By default it uses the logged-in Windows credentials; to use different ones, create a session with New-CimSession -Credential and pass it with -CimSession (the older Get-WmiObject cmdlet accepts -Credential directly).

Get-CimInstance -Class win32_share -ComputerName Sec504Student
net.exe view \\Sec504Student /all

Get-CimInstance can only list SMB shares on systems that fully support the CIM data model, mainly Windows systems using WMI. It won’t work for SMB shares on other platforms like Linux or IoT devices.
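As a defender, the question behind share enumeration is which of your own shares are reachable by anyone who can hit port 445. The script below is an added example written for these notes, not course code: it reports shares whose share-level ACL grants a broad principal (Everyone, Authenticated Users, Anonymous Logon, Users) anything more than Read. The property names (Name, AccountName, AccessControlType, AccessRight) are those of Get-SmbShareAccess output; the function name is my own, and the entries are passed in so the check runs offline on constructed data.

```powershell
# Added example (written for these notes, not course code): report local
# shares whose share-level ACL hands a broad principal more than Read.
function Find-OverexposedSmbShare {
    param(
        [Parameter(Mandatory = $true)][object[]]$AccessEntries,
        # Principals that effectively mean "anyone who can reach port 445".
        [string[]]$BroadPrincipals = @('Everyone',
                                       'NT AUTHORITY\Authenticated Users',
                                       'NT AUTHORITY\ANONYMOUS LOGON',
                                       'BUILTIN\Users')
    )
    foreach ($ace in $AccessEntries) {
        $isBroad = $BroadPrincipals -contains $ace.AccountName
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $ace.AccessRight -ne 'Read') {
            [pscustomobject]@{
                Share     = $ace.Name
                Principal = $ace.AccountName
                Right     = $ace.AccessRight
                Fix       = "Revoke-SmbShareAccess -Name '$($ace.Name)' -AccountName '$($ace.AccountName)' -Force; grant a specific group instead"
            }
        }
    }
}

# Constructed entries in the shape Get-SmbShareAccess returns (not real output).
$entries = @(
    [pscustomobject]@{ Name = 'Tools';   AccountName = 'Everyone';                         AccessControlType = 'Allow'; AccessRight = 'Full'   },
    [pscustomobject]@{ Name = 'Public';  AccountName = 'NT AUTHORITY\Authenticated Users'; AccessControlType = 'Allow'; AccessRight = 'Read'   },
    [pscustomobject]@{ Name = 'Finance'; AccountName = 'CORP\Accounting';                  AccessControlType = 'Allow'; AccessRight = 'Change' },
    [pscustomobject]@{ Name = 'ADMIN$';  AccountName = 'BUILTIN\Administrators';           AccessControlType = 'Allow'; AccessRight = 'Full'   }
)
Find-OverexposedSmbShare -AccessEntries $entries | Format-Table -AutoSize
# Expected: only Tools (Everyone, Full) is reported.

# Live server (elevated):
# Find-OverexposedSmbShare -AccessEntries (Get-SmbShare | ForEach-Object { Get-SmbShareAccess -Name $_.Name })
```

Effective access is the intersection of the share ACL and the NTFS ACL on the folder, so a share granting Everyone Full is not automatically exposed; it does mean NTFS is the only control left, which is worth knowing when a share like Tools is reachable from every client on the network.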

Searching for SMB Shares: SMBeagle

Attackers use tools to find SMB servers and shares instead of doing it by hand. There are SMB-specific tools like SMBeagle by PunkSecurity.

SMBeagle is a tool for Windows or Linux that scans multiple hosts to find SMB services using given login details. It checks what files are accessible (read, write, delete) on each server share and saves the results in a CSV file for easy review or processing with PowerShell.

SMBeagle scans for SMB servers and shares and lists accessible files, but it doesn’t check file contents. We can use PowerShell or grep to find potential sensitive files, but for a deeper look into sensitive information, we'll need another tool.
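The triage script below is an added example written for these notes; it is not SMBeagle's own tooling or course code. It reads a SMBeagle CSV and surfaces two things a defender reviewing share exposure wants first: files whose names suggest sensitive content, and locations the scanning account can write to. The column names it uses (hostname, shareName, name, writeable) are assumptions about the CSV header, which is why they are parameters; the function name and the match patterns are my own.

```powershell
# Added example (written for these notes, not SMBeagle code): triage a
# SMBeagle CSV for sensitive-looking names and writable locations.
# Column names are assumed and can be overridden to match your CSV header.
function Find-SensitiveShareFiles {
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [string]$HostColumn  = 'hostname',
        [string]$ShareColumn = 'shareName',
        [string]$PathColumn  = 'name',
        [string]$WriteColumn = 'writeable',
        # Regexes worth a second look; extend for your environment.
        [string[]]$Patterns = @('passw', 'secret', 'backup', '\.sql$', '\.1pif$',
                                '\.kdbx$', '\.pem$', '\.key$', 'id_rsa')
    )
    foreach ($row in (Import-Csv -Path $CsvPath)) {
        $path     = $row.$PathColumn
        $hit      = $Patterns | Where-Object { $path -match $_ } | Select-Object -First 1
        $writable = "$($row.$WriteColumn)" -eq 'true'    # -eq is case-insensitive
        if ($hit -or $writable) {
            [pscustomobject]@{
                Host     = $row.$HostColumn
                Share    = $row.$ShareColumn
                File     = $path
                Writable = $writable
                Reason   = $(if ($hit) { "name matches '$hit'" } else { 'writable by the scan account' })
            }
        }
    }
}

# Constructed CSV in the assumed SMBeagle layout (not real scan output).
$sampleCsv = @'
hostname,shareName,name,readable,writeable
10.20.20.38,stuff,\\10.20.20.38\stuff\logo.sketch,True,False
10.20.20.38,stuff,\\10.20.20.38\stuff\backup.sql,True,False
10.20.20.192,Accounting,\\10.20.20.192\Accounting\Q3-forecast.xlsx,True,True
10.20.20.192,Public,\\10.20.20.192\Public\readme.txt,True,False
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'smbeagle-sample.csv'
Set-Content -Path $tmp -Value $sampleCsv
Find-SensitiveShareFiles -CsvPath $tmp | Format-Table -AutoSize
# Expected: backup.sql (name match) and Q3-forecast.xlsx (writable) are listed.
```

Writable locations matter as much as readable secrets: a share a low-privilege account can write to is where an intruder stages tooling or plants files for other users to open, so those rows deserve an owner and an ACL review even when nothing sensitive is stored there today. Pipe the output to Export-Csv to hand it to the share owners.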

Let's jump into a Lightning Labs event to reinforce this learning objective.

1) Run smbeagle with no arguments to see the help information.

smbeagle

2) SMBeagle can discover SMB file shares, and it can enumerate the files on those shares. The output can be a CSV file, or you can send the results to an Elastic Stack database.

Scan the 10.20.20.0/24 network with SMBeagle, saving the output to a CSV file. For each SMB server, try to log in with the username aharris and the password Coffee123.

smbeagle -D -n 10.20.20.0/24 -c scan1.csv -u aharris -p Coffee123

SMBeagle found an SMB server at 10.20.20.192, but access was denied for aharris. However, a second host at 10.20.20.38 is accessible with multiple file shares and 17 files enumerated.

3) Next, take a look at the scan1.csv file.

cat scan1.csv

The CSV output is messy (it looks much better in Google Sheets or Excel) but the bottom line is this:

SMBeagle discovers SMB servers, enumerates accessible shares, and then builds a list of all the files in each share.

4) In the first SMBeagle scan, we identified a server at 10.20.20.192, but we could not list the shares or access files on the server. SMB shares are protected by permissions, and while one user may have permission to an SMB server, it's useful to try all known usernames and passwords.

Repeat the earlier SMBeagle scan, this time using the username Administrator and the password Lakers2020$$.

smbeagle -D -n 10.20.20.0/24 -c scan2.csv -u Administrator -p 'Lakers2020$$'

5) Display the contents of the scan 2 output.

head -n 30 scan2.csv

By using a more privileged account with SMBeagle, we are able to enumerate many more files, including accounting spreadsheets on the 10.20.20.192 server.

To analyze data on an SMB share, we need a tool that lists file names and indexes their content. Copernic Desktop Search is a popular choice among security experts. It helps search files on local or networked drives. It indexes file names and content, including compressed files and documents, and allows quick searches for specific strings in files.

Once the indexing is complete, a search for a string such as password completes almost instantly, showing the files that match the string in either the file name or the file content. Here we see a matching file called backup.sql, which includes several password records for users.

Copernic Desktop Search has some issues. It can't find partial matches in strings with underscores (e.g., searching for "access_key" won’t find "aws_access_key"). It also misses files with unknown extensions by default, though you can change this in the settings to include JSON, CSV, SQL, Markdown, and more.

Using Samba's smbclient for File Share Access

We can attack Windows systems from Linux or UNIX using the smbclient tool from the Samba suite. Use the -L argument to list shares on a Windows machine. For Windows 2019 or newer, set the SMB protocol version to SMB2 with the -m option (-m SMB2) if you get a connection error; otherwise, leave this option off.

We can use smbclient to connect to a Windows system and transfer files. It gives us a command prompt like FTP, so we can navigate directories with cd, list files with ls, and download files with get.

Let's jump into a Lightning Labs event to reinforce this learning objective.

1) Smbclient is a Unix tool to interact with an SMB server. We can use it to list shares, connect to shares, and upload and download files.

Start by listing the shares on the SMB server at 10.20.20.38 using the username aharris and the password Coffee123.

smbclient -L //10.20.20.38 -U aharris

In the previous command we used Smbclient to list shares with the -L argument, logging in with the supplied credentials. When we specify the server by name or IP address, use two // characters first.

2) Smbclient will prompt you for the password, or you can enter the password on the command line after the username, separated by a percent sign. Try it now.

smbclient -L //10.20.20.38 -U aharris%Coffee123

3) In addition to listing shares, we can also connect to a share and get an FTP-like prompt using Smbclient.

Repeat the previous command, removing the -L argument. Add a forward slash / after the server IP address, followed by the share name stuff.

smbclient //10.20.20.38/stuff -U aharris%Coffee123

4) The smb: > prompt is interactive. You can enter several Smbclient commands here. Let's try one out: run ls to list the files on the share.

ls

5) With the file list, you can download files using the get command.

From the smb: > prompt, download the file logo.sketch.

get logo.sketch

6) You don't have to leave the Smbclient shell or open a new terminal to run local commands. With Smbclient, any command that starts with an ! will execute in the Unix shell, not the remote Samba server.

This is useful to double-check that the file downloaded. Try it now!

!ls -l

7) You can download multiple files using the Smbclient tar command. The tar command will take a list of remote files and download them all, saving to a Unix tar file archive.

Download all of the logo files, creating a local tar file called logo-files.tar.

tar c logo-files.tar *

8) Exit Smbclient by entering the quit command. Do it now.

quit

9) Back on the local system, you can extract the files in the tar archive. Run tar xvf logo-files.tar to extract all of the files.

tar xvf logo-files.tar

In this Lightning Labs event we exfiltrated the files from the 10.20.20.38 server on the Stuff share to our local system using Smbclient. Attackers will apply similar techniques, using compromised credentials and SMB access to investigate and exfiltrate data.

Using Samba's rpcclient for Target Configuration Details

The Linux tool rpcclient is great for gathering info from SMB sessions. It was made for troubleshooting Samba but has many features. To start an SMB session with it, run:

rpcclient -U aharris 10.20.20.38

We can type over 100 commands here, including some of the most useful ones:

  • enumdomusers: This command shows users defined locally on the system and any domain users the system knows about.

  • enumalsgroups: This command, followed by the word domain or builtin, shows groups defined on the box. The als in the middle of enum and groups in this command's name refers to the word alias.

  • lsaenumsid: This command shows the Security Identifier (SID) of all users defined locally on the target Windows system.

  • lookupnames: This feature lets you see the SID for a username that you provide.

  • lookupsids: This feature converts a SID you provide into the username on the target system.

  • srvinfo: Shows the version of the target Windows machine.

SMB Exploits

Microsoft reports around 6 Windows SMB vulnerabilities each year. While not all are major threats, many become serious Remote Code Execution exploits like SMBleed, SMBGhost, and EternalBlue.

SMB started in 1983, but the version we know today came with Windows 2000. Microsoft keeps improving SMB security but doesn’t remove old features to avoid issues for users. For example, SMB 1.0 was only disabled by default in new installs of Windows Server 2016. Because of this, modern Windows still supports old SMB functions, some from over 10 years ago when security standards weren't as strong.

CVE             Notes
CVE-2022-24500  RCE exploit published, pulled from GitHub
CVE-2021-36972  Unauthenticated information disclosure
CVE-2020-1206   SMBleed, limited Win10 version applicability
CVE-2020-0796   SMBGhost/CoronaBlue, widespread use
CVE-2017-0144   EternalBlue, WannaCry ransomware

SMB Password Attacks

We'll cover this in the lab.

Attackers can exploit SMB to access files or run commands on a remote system, even without a specific vulnerability. Windows SMB doesn’t have a delay for wrong password attempts, allowing attackers to guess passwords quickly. While Microsoft offers protections like account lockout, attackers can bypass them.

PS C:\tools> Import-Module .\LocalPasswordSpray.ps1
PS C:\tools> Invoke-LocalPasswordSpray -Password Password123
PS C:\> $user = 'alexander'
PS C:\> $pass = 'Password123'
PS C:\> New-SmbMapping -LocalPath Y: -RemotePath \\192.168.1.73\files -UserName $user -Password $pass

In this example, PowerShell uses New-SmbMapping to connect to the files share on the SMB server (\\192.168.1.73\files in the command above) and maps it as drive Y:. If the login works, it confirms the credentials are valid. An attacker can repeat this command with different usernames and passwords to find a working combination.

The password attack with New-SmbMapping can be done either from a remote or local Windows system. An attacker can use it from their own Windows machine or from a compromised one within the network to target an SMB system. It can also be used on the same Windows system where the attacker is working to test local user accounts and access other resources.

These attacks often use third-party PowerShell scripts to make things easier. For example, LocalPasswordSpray.ps1 by Beau Bullock automates local password guessing on Windows. We'll use this script in our lab. Bullock also has a DomainPasswordSpray script for domain passwords. The SMB protocol's password security hasn't improved much, leaving it a weak spot for many organizations.
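The detection counterpart to the attack described above is an added example written for these notes; it is not the LocalPasswordSpray script or course code. A spray leaves a distinctive trace in the Security log: one source address failing logons against many distinct accounts in a short window, while a single account failing repeatedly is ordinary lockout noise. Get-FailedLogon reads real 4625 events (this needs "Audit Logon" failure auditing enabled); Find-PasswordSpray accepts any objects with TimeCreated, TargetUserName and IpAddress, so the demo runs on constructed data. Function names and the thresholds are my own.

```powershell
# Added example (written for these notes, not the LocalPasswordSpray script):
# flag password-spray behaviour in Windows Security log data.
function Get-FailedLogon {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                TargetUserName = $data['TargetUserName']
                IpAddress      = $data['IpAddress']     # loopback or '-' when the spray runs on the host itself
                LogonType      = $data['LogonType']     # 3 = network, the type SMB logons produce
            }
        }
}

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory = $true)][object[]]$Events,
        [int]$WindowMinutes = 10,
        [int]$DistinctUsers = 5     # alert when one source hits this many accounts in a window
    )
    $Events | Group-Object IpAddress | ForEach-Object {
        $source = $_.Name
        $sorted = @($_.Group | Sort-Object TimeCreated)
        # Slide a window anchored on each failure; report the first one that trips the threshold.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWin = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            $users = @($inWin.TargetUserName | Sort-Object -Unique)
            if ($users.Count -ge $DistinctUsers) {
                [pscustomobject]@{
                    Source        = $source
                    WindowStart   = $start
                    Failures      = $inWin.Count
                    DistinctUsers = $users.Count
                    Accounts      = ($users -join ', ')
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

# Constructed sample (not real log data): 10.10.75.1 tries one password against
# eight accounts in under three minutes; 10.10.0.50 is a user mistyping once.
$t0 = [datetime]'2024-01-15T09:00:00'
$sample = @()
$i = 0
foreach ($u in 'alexander', 'aharris', 'erigby', 'fmackenzie', 'jsmith', 'mlee', 'rpatel', 'tnguyen') {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20 * $i); TargetUserName = $u; IpAddress = '10.10.75.1'; LogonType = '3' }
    $i++
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); TargetUserName = 'jsmith'; IpAddress = '10.10.0.50'; LogonType = '3' }
Find-PasswordSpray -Events $sample | Format-List
# Expected: one alert for 10.10.75.1 with Failures = 8 and DistinctUsers = 8; nothing for 10.10.0.50.
# Live: Find-PasswordSpray -Events (Get-FailedLogon)
```

Because the spray deliberately stays under the lockout threshold per account, counting failures per account finds nothing; counting distinct accounts per source is what surfaces it. When the spray is run locally, as New-SmbMapping allows, the source column shows the loopback address rather than a remote host, which is itself worth alerting on.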

Identifying and Dropping SMB Sessions

We'll cover this in the lab also.

As defenders, we need to know how to find and stop unauthorized SMB connections. We can use the PowerShell command Get-SmbSession to see all active SMB connections to our server. For example, it shows if a client from 10.10.75.1 has an open connection. You can also get extra details like the SMB version, connection duration, and idle time.

PS C:\> Get-SmbSession
PS C:\> Get-SmbSession | Select-Object ClientComputerName, Dialect, SecondsExists, SecondsIdle
PS C:\> $Password = Read-Host -AsSecureString
PS C:\> Set-LocalUser -Name sec504 -Password $Password
PS C:\> Close-SmbSession -ClientComputerName 10.10.75.1 -Force

Before disconnecting a session, we need to change the user account's password to prevent attackers from reconnecting. We can use PowerShell's Read-Host -AsSecureString to create a secure password, then update it with Set-LocalUser (or Set-ADAccountPassword for domain accounts). After changing the password, use Close-SmbSession to end the session.

Functionality                          PowerShell                                                    CMD Command
View remote SMB shares                 Get-WmiObject -Class win32_share -ComputerName serverip      net view /all \\server
View local SMB shares                  Get-SmbShare                                                  net share
Connect to an SMB share                New-SmbMapping -LocalPath X: -RemotePath \\server\sharename   net use \\server\sharename
View inbound connections               Get-SmbSession                                                net session
Drop inbound connections               Close-SmbSession                                              net session \\server /del
View outbound SMB mapped connections   Get-SmbMapping                                                net use
Drop outbound SMB mapped connections   Remove-SmbMapping -Force                                      net use * /del
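The script below turns the identify-then-drop procedure above into a repeatable triage. It is an added example written for these notes, not course code: sessions are compared against an allow-list of expected client addresses, and for anything unexpected the account's password is reset before the session is closed, so the client cannot simply reconnect. The property names match Get-SmbSession output; sessions are passed in so the decision logic can be exercised offline on constructed objects, and -WhatIf shows the actions without taking them. The function name, the allow-list and the dialect threshold are my own.

```powershell
# Added example (written for these notes, not course code): triage inbound
# SMB sessions and, for unexpected clients, rotate the password before
# dropping the session.
function Invoke-SmbSessionTriage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][object[]]$Sessions,
        [string[]]$AllowedClients = @(),           # e.g. backup or scanning servers
        [version]$MinimumDialect  = [version]'3.0' # older dialects lack encryption and MITM resistance
    )
    foreach ($s in $Sessions) {
        $reasons    = @()
        $unexpected = $AllowedClients -notcontains $s.ClientComputerName
        if ($unexpected) { $reasons += 'client not on allow-list' }
        $dialect = $null
        if (-not [version]::TryParse($s.Dialect, [ref]$dialect) -or $dialect -lt $MinimumDialect) {
            $reasons += "weak dialect $($s.Dialect)"
        }
        if ($reasons.Count -eq 0) { continue }

        $report = [pscustomobject]@{
            Client  = $s.ClientComputerName
            User    = $s.ClientUserName
            Dialect = $s.Dialect
            IdleSec = $s.SecondsIdle
            Reasons = ($reasons -join '; ')
            Action  = 'reported only'
        }
        if ($unexpected) {
            $account = ($s.ClientUserName -split '\\')[-1]   # strip the DOMAIN\ or HOST\ prefix
            if ($PSCmdlet.ShouldProcess("$($s.ClientUserName) from $($s.ClientComputerName)",
                                        'Reset password and close SMB session')) {
                $newPassword = Read-Host -AsSecureString -Prompt "New password for $account"
                Set-LocalUser -Name $account -Password $newPassword   # Set-ADAccountPassword for domain accounts
                Close-SmbSession -SessionId $s.SessionId -Force
                $report.Action = 'password reset, session closed'
            } else {
                $report.Action = 'would reset password and close session'
            }
        }
        $report
    }
}

# Constructed sessions in the shape Get-SmbSession returns (not real output).
$sessions = @(
    [pscustomobject]@{ SessionId = '4398046511105'; ClientComputerName = '10.10.0.20'; ClientUserName = 'CORP\backupsvc'; Dialect = '3.1.1'; SecondsExists = 86400; SecondsIdle = 30  },
    [pscustomobject]@{ SessionId = '4398046511109'; ClientComputerName = '10.10.75.1'; ClientUserName = 'SEC504\sec504';  Dialect = '3.1.1'; SecondsExists = 120;   SecondsIdle = 5   },
    [pscustomobject]@{ SessionId = '4398046511112'; ClientComputerName = '10.10.0.20'; ClientUserName = 'CORP\legacyapp'; Dialect = '2.1';   SecondsExists = 3600;  SecondsIdle = 600 }
)
Invoke-SmbSessionTriage -Sessions $sessions -AllowedClients '10.10.0.20' -WhatIf | Format-Table -AutoSize
# Expected: 10.10.75.1 (not on the allow-list) would have its password reset and session closed;
# CORP\legacyapp is reported for dialect 2.1 but left alone; backupsvc produces nothing.
# Live, after reviewing the -WhatIf output:
# Invoke-SmbSessionTriage -Sessions (Get-SmbSession) -AllowedClients '10.10.0.20'
```

Run it with -WhatIf first: on a file server the allow-list is the whole point, and an empty one flags every client. The weak-dialect report is informational, since a legitimate but old client negotiating SMB 2.1 is a hardening ticket rather than an incident.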

Preparation: Defenses Against Evil SMB Sessions

Allow SMB traffic only from clients to specific servers (like file servers). Block SMB sessions between clients by configuring routers and firewalls to block TCP port 445 and NetBIOS ports (TCP/UDP 135-139). Only allow SMB traffic to systems that need it for business purposes.

Some organizations use Private VLANs (PVLANs) to control what data can enter or leave each computer on their network. PVLANs can block incoming SMB traffic to client machines and allow outgoing SMB only to certain servers.
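The rules below are an added example written for these notes, not course code, showing the host-firewall form of the policy above on a workstation. Inbound SMB (TCP 445) and the 135-139 range the notes list (135 is the RPC endpoint mapper, 137-139 are NetBIOS) are blocked outright, because a workstation should never serve files to another workstation; outbound SMB is permitted only to the named file servers. Windows Firewall gives block rules precedence over allow rules, so the outbound restriction has to be a single block rule whose remote scope is "every IPv4 address except the servers", which Get-ComplementRanges computes. The cmdlets and parameters are the real NetSecurity ones; the function names, rule names and sample addresses are my own. Assumes PowerShell 5.1 or later and handles IPv4 only.

```powershell
# Added example (written for these notes, not course code): workstation
# firewall rules that block inbound SMB and restrict outbound SMB to
# known file servers. -WhatIf reviews the rules without creating them.
function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-UInt32 ([uint32]$N) {
    $b = [BitConverter]::GetBytes($N)
    [Array]::Reverse($b)
    [System.Net.IPAddress]::new($b).ToString()
}
function Get-ComplementRanges {
    # IPv4 ranges covering everything except -Except, in the "a.b.c.d-e.f.g.h"
    # form that New-NetFirewallRule -RemoteAddress accepts.
    param([Parameter(Mandatory = $true)][string[]]$Except)
    $nums   = @($Except | ForEach-Object { [int64](ConvertTo-UInt32 $_) } | Sort-Object -Unique)
    $ranges = @()
    [int64]$cursor = 0
    foreach ($n in $nums) {
        if ($n -gt $cursor) {
            $ranges += '{0}-{1}' -f (ConvertFrom-UInt32 $cursor), (ConvertFrom-UInt32 ($n - 1))
        }
        $cursor = $n + 1
    }
    if ($cursor -le [uint32]::MaxValue) {
        $ranges += '{0}-{1}' -f (ConvertFrom-UInt32 $cursor), (ConvertFrom-UInt32 ([uint32]::MaxValue))
    }
    return $ranges
}
function New-WorkstationSmbRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$FileServers)
    $rules = @(
        @{ DisplayName = 'SEC - Block inbound SMB';             Direction = 'Inbound';  Protocol = 'TCP'; LocalPort = '445'     },
        @{ DisplayName = 'SEC - Block inbound RPC/NetBIOS TCP'; Direction = 'Inbound';  Protocol = 'TCP'; LocalPort = '135-139' },
        @{ DisplayName = 'SEC - Block inbound NetBIOS UDP';     Direction = 'Inbound';  Protocol = 'UDP'; LocalPort = '135-139' },
        @{ DisplayName = 'SEC - Block outbound SMB except file servers'; Direction = 'Outbound'; Protocol = 'TCP';
           RemotePort = '445'; RemoteAddress = @(Get-ComplementRanges -Except $FileServers) }
    )
    foreach ($r in $rules) {
        if ($PSCmdlet.ShouldProcess($r.DisplayName, 'New-NetFirewallRule -Action Block')) {
            New-NetFirewallRule @r -Action Block -Profile Any | Out-Null
        }
    }
    return $rules    # hand back the definitions so the computed scopes can be reviewed
}

# Offline check of the scope calculation (no rules are created under -WhatIf):
Get-ComplementRanges -Except '10.10.0.20', '10.10.0.21'
# Expected: 0.0.0.0-10.10.0.19 and 10.10.0.22-255.255.255.255
New-WorkstationSmbRules -FileServers '10.10.0.20' -WhatIf | ForEach-Object { $_.DisplayName }
```

Put the domain controllers in -FileServers as well as the file servers: group policy, SYSVOL and NETLOGON are all fetched over SMB, and an outbound block that omits them breaks logon scripts. The inbound block also stops remote administration that relies on the admin shares, so deployment tooling needs its own scoped allow rule or a different transport.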

Lab 2.4: SMB Security Investigation

In this lab, we will use both our Slingshot Linux VM and the Windows 10 VM. We'll use smbclient and rpcclient on our Linux VM to attack our Windows VM.

Verify Connectivity

On the Linux VM, let's test connectivity to the Windows VM using the ping utility:

ping 10.10.0.1

Next, let's test the connectivity from the Windows VM to the Linux VM using Test-NetConnection 10.10.75.1:

Test-NetConnection 10.10.75.1

Let's start by enumerating shares using smbclient.

smbclient -L //10.10.0.1 -U sec504

We see a list of shares on the Windows box, including ADMIN$, IPC$, and C$. These are the default admin shares.

Next, let's explore this target using the Linux rpcclient tool.

rpcclient 10.10.0.1 -U sec504

Let's use rpcclient commands to gather information from the target. The rpcclient prompt supports Tab autocompletion. Start by enumerating users:

enumdomusers

This command lists all users on the system, local and domain, with their names and Relative Identifiers (RIDs) shown in hex. The RID is the last component of a Security Identifier (SID). For example, the administrator account has a RID of 0x1f4 (decimal 500).

Let's get an idea of all the commands available within rpcclient:

help

Let's use rpcclient to enumerate server info.

srvinfo

Let's list the groups. First, we'll get the domain groups (those created locally or by the domain admin).

enumalsgroups domain

Next, we get the internal groups, usually the default ones set by Microsoft.

enumalsgroups builtin

Here are the machine's groups with their names and RIDs in hex.

Let’s use rpcclient's lookupnames to check a few more accounts, beginning with sec504.

lookupnames sec504

We see the SID for the sec504 account with RID 1000. Now, let’s look up the administrator account.

lookupnames administrator

We see the administrator SID with RID 500.

Now let's look up a name that is a group, not a user, by adding an s at the end of administrator:

lookupnames administrators

Here is the Administrators group SID (group SIDs are usually shorter).

Let's use rpcclient queryuser with RID 500 to get detailed info about the original Windows administrator account. Even if the administrator account is renamed, it still has a RID of 500.

queryuser 500

The output shows the account name, last password change time, and logon failure count. Let's run this command again using the user account RID 1000.

queryuser 1000

For RID 500, the timestamps are placeholders (01 Jan 1970 for the 32-bit time fields and 14 Sep 30828 for the 64-bit ones), meaning the Administrator account has never logged in. RID 1000, by contrast, shows valid timestamps in the logon, password last set, and password change fields.

Next, let's use PowerShell on our Windows machine to disconnect SMB sessions.

Get-SmbSession

We see an incoming session for the sec504 account, created by rpcclient on the Linux VM. To end it, run Close-SmbSession -Force in the pipeline.

Get-SmbSession | Close-SmbSession -Force

Finding Weak Passwords

In this part of the lab, we'll first create 100 users with a script and then try to attack their passwords.

.\Add-TempUsers.ps1

Next, we’ll use the LocalPasswordSpray PowerShell module to carry out a password spray attack on the Windows VM. Let's import the module to implement the password spray attack.

A password spray attack is a brute-force method where an attacker attempts a few common passwords across many accounts to avoid triggering lockouts.

Import-Module .\LocalPasswordSpray.ps1

From the PowerShell prompt, let's start the password spray attack, specifying a single password to use as a password guess on all local accounts.

Invoke-LocalPasswordSpray -Password Winter2023

In this lab, we explored how an attacker can use SMB access to their advantage. With smbclient, an attacker can view and connect to SMB shares to upload or download files. Using rpcclient, they can gather information about the SMB server, like user details and password policies. Usually, some access, like a valid username and password, is needed to use these tools. Even standard user access can allow an attacker to gather information and exploit SMB for privilege escalation.

An attacker who gains access to a Windows system, such as through phishing, can use tools like PowerShell and net.exe to attack user accounts. In this lab, we performed a password spray attack to find weak passwords.

Bonus Lab

Using the username erigby and the password weddingrice, identify and enumerate the SMB target system, answering the following questions:

  1. What is the IP address of the SMB target server (in the range 172.30.0.2-254)?

  2. What is the minimum SMB version permitted by the target server?

  3. What other valid username exists on the server?

  4. Does the server enforce complex passwords for the second valid username?

  5. What is Eleanor Rigby's GoFundMe password?

1) What is the IP address of the SMB target server (in the range 172.30.0.2-254)?

Let's start by identifying the server with an Nmap host discovery scan.

nmap -sn 172.30.0.1-254

We can see that the target SMB server is 172.30.0.22.

Answer: 172.30.0.22

2) What is the minimum SMB version permitted by the target server?

Next, let's identify the minimum SMB version on the server using the Nmap -A argument.

nmap -A 172.30.0.22

Nmap couldn't fully identify the server response, but the Nmap Scripting Engine (NSE) shows it's a Samba server supporting SMBv2.

We can also find the SMB version with the smbclient tool by logging in and forcing a dialect with the -m option.

smbclient -U erigby -L 172.30.0.22 -m SMB3
smbclient -U erigby -L 172.30.0.22 -m SMB2
smbclient -U erigby -L 172.30.0.22 -m NT1

The output shows that the SMB target server supports SMBv3 and SMBv2, but not SMBv1 (NT1).

Answer: SMBv2

3) What other valid username exists on the server?

Now, let's list the valid users on the target server.

rpcclient 172.30.0.22 -U erigby
rpcclient $> enumdomusers

The rpcclient enumdomusers command lists local Samba/Linux users, and it reveals a second user named fmackenzie.

Answer: fmackenzie

4) Does the server enforce complex passwords for the second valid username?

To get details about password policies on the server, we'll use the rpcclient getdompwinfo command.

getdompwinfo
getusrdompwinfo 1000

The getdompwinfo output shows the minimum password length is 5 (the Samba default). Running getusrdompwinfo with a user RID (the first user on a Samba server is RID 1000, as found with queryuser) shows that user's password settings, including that the server doesn't require a complex password (DOMAIN_PASSWORD_COMPLEX is 0).

Answer: No

5) What is Eleanor Rigby's GoFundMe password?

Let's examine the contents of the Data share using the smbclient tool.

smbclient -U erigby //172.30.0.22/data -m SMB2

Let's check the 1Password folder to see what information we can find.

We found a file named data.1pif. Let's move it to our attack machine to check what's inside.
