SMB Security
Microsoft made the SMB protocol for Windows to enable file and printer sharing, authentication, and more, using TCP port 445. While SMB is common on networks, it can also be used by attackers to blend in with regular traffic on port 445.
SMB is a problem for modern networks because it's often set up by end-users who don't apply proper security controls. The protocol is complex and includes outdated features, some from over 20 years ago, which were not designed with modern security in mind. Additionally, many non-Windows devices like printers and medical equipment support SMB but with limited security features. All these factors make SMB less secure and harder to defend against attacks.
SMB Security Features        SMBv1     SMBv2/2.1      SMBv3           SMBv3.1.1
Minimum Workstation Version  XP        Win7           Win8            Win10
Minimum Server Version       Win2K3    Win2K8 R2      Win2K12         Win2K16
Encryption Support           No        No             Yes             Yes
Message Integrity/Signing    No        Yes, SHA256    Yes, AES-CMAC   Yes, AES-CMAC
MITM Resistant               No        No             Yes             Yes
Pre-Auth Verification        No        No             No              Yes
Knowing the security features of SMB from old to new versions is important. Newer SMB versions (in recent Windows) are safer than older ones. However, many organizations still use old SMB versions, which risks data security.
The chart shows new SMB features and the Windows versions needed. To use the security improvements in SMB v2/v2.1, organizations should turn off SMBv1. We can use this PowerShell command to disable SMBv1: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
SMBv3 can spot MITM attacks only after authentication. SMB v3.1.1 improves this by checking for MITM attacks before authentication.
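The following script is an added example, not code from the course page: it audits a Windows file server against the feature table above (SMBv1 enabled, signing not required, encryption not enforced) and reports inbound sessions that still negotiate a dialect below 3.1.1. Run it in an elevated PowerShell prompt on the server; the function name and the -Remediate switch are this example's own.

```powershell
# Added example, not from the course page: audit an SMB server's protocol
# settings against the feature table above and report inbound sessions that
# still negotiate a dialect below 3.1.1. Run in an elevated PowerShell prompt
# on the file server. Read-only unless -Remediate is supplied.
function Test-SmbHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    $cfg = Get-SmbServerConfiguration
    $findings = @()

    # SMBv1 offers no signing, no encryption and no MITM resistance.
    if ($cfg.EnableSMB1Protocol) { $findings += 'SMBv1 is enabled' }
    # Signing that is merely supported (not required) can be negotiated away.
    if (-not $cfg.RequireSecuritySignature) { $findings += 'SMB signing is not required' }
    # Encryption exists from SMBv3 onward but is off by default.
    if (-not $cfg.EncryptData) { $findings += 'SMBv3 encryption is not enforced' }

    # Inbound sessions by negotiated dialect: below 3.0 cannot be encrypted,
    # below 3.1.1 has no pre-authentication integrity check.
    $weak = Get-SmbSession |
        Where-Object { $_.Dialect -and ([version]$_.Dialect -lt [version]'3.1.1') } |
        Select-Object ClientComputerName, ClientUserName, Dialect
    if ($weak) { $findings += "Inbound sessions below SMB 3.1.1: $(@($weak).Count)" }

    if ($Remediate) {
        # Server-side equivalent of removing the SMB1Protocol optional feature,
        # plus mandatory signing and encryption. Note that EncryptData $true
        # refuses clients that cannot encrypt (SMBv1/SMBv2), so check the
        # WeakSessions list before enabling it.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbServerConfiguration -EncryptData $true -Force
    }

    [pscustomobject]@{ Findings = $findings; WeakSessions = $weak }
}

# Report only; add -Remediate to apply the settings.
Test-SmbHardening | Format-List
```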
SMB Shares
An SMB share lets users read or write files on a server. It's set up by admins for specific purposes (like accounting files) or general use (like company data). Windows servers and PCs can have SMB shares that may be accessible to anyone or just to authenticated users. Attackers often exploit SMB shares to access data or gather information for further attacks.
Attackers can find SMB shares in various ways. One method in PowerShell is using Get-CimInstance -Class win32_share with a target IP or hostname. This command lists all shares, showing admin shares (ending in $) and regular shares (like Tools). By default, it uses the logged-in Windows credentials, but you can use different ones with the -Credential option.
Get-CimInstance can only list SMB shares on systems that fully support the CIM data model, mainly Windows systems using WMI. It won't work for SMB shares on other platforms like Linux or IoT devices.
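As the defender's counterpart to the share enumeration above, here is an added example (not code from the course page) that lists every share on the local Windows system and flags those whose share-level ACL grants Allow access to a broad principal. The list of broad principals and the function name are this example's own assumptions.

```powershell
# Added example, not from the course page: find shares on the local system
# whose share-level ACL grants Allow access to a broad principal. Share
# permissions combine with NTFS permissions (the more restrictive wins), so a
# flagged share is a lead to review, not proof of exposure.
$BroadPrincipals = @(                     # assumption: extend for your environment
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Users'
)

function Get-OverexposedShare {
    foreach ($share in Get-SmbShare) {
        # One object per ACE in the share ACL (AccountName, AccessControlType, AccessRight).
        $broad = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.AccountName
        }
        [pscustomobject]@{
            Name       = $share.Name
            Path       = $share.Path
            # Admin shares (ADMIN$, C$, IPC$) are restricted to Administrators by design.
            IsAdmin    = $share.Name.EndsWith('$')
            BroadGrant = ($broad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
        }
    }
}

# Show only non-administrative shares that grant a broad principal access.
Get-OverexposedShare | Where-Object { -not $_.IsAdmin -and $_.BroadGrant } | Format-Table -AutoSize
```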
Searching for SMB Shares: SMBeagle
Attackers use tools to find SMB servers and shares instead of doing it by hand. There are SMB-specific tools like SMBeagle by PunkSecurity.
SMBeagle is a tool for Windows or Linux that scans multiple hosts to find SMB services using given login details. It checks what files are accessible (read, write, delete) on each server share and saves the results in a CSV file for easy review or processing with PowerShell.
SMBeagle scans for SMB servers and shares and lists accessible files, but it doesn’t check file contents. We can use PowerShell or grep to find potential sensitive files, but for a deeper look into sensitive information, we'll need another tool.
Let's jump into a Lightning Labs event to reinforce this learning objective.
1) Run smbeagle with no arguments to see the help information.
2) SMBeagle can discover SMB file shares, and it can enumerate the files on those shares. The output can be a CSV file, or you can send the results to an Elastic Stack database.
Scan the 10.20.20.0/24 network with SMBeagle, saving the output to a CSV file. For each SMB server, try to login with the username aharris and the password Coffee123.
SMBeagle found an SMB server at 10.20.20.192, but access was denied for aharris. However, a second host at 10.20.20.38 is accessible with multiple file shares and 17 files enumerated.
3) Next, take a look at the scan1.csv file.
The CSV output is messy (it looks much better in Google Sheets or Excel) but the bottom line is this:
SMBeagle discovers SMB servers, enumerates accessible shares, and then builds a list of all the files in each share.
4) In the first SMBeagle scan, we identified a server at 10.20.20.192, but we could not list the shares or access files on the server. SMB shares are protected by permissions, and while one user may have permission to an SMB server, it's useful to try all known usernames and passwords.
Repeat the earlier SMBeagle scan, this time using the username Administrator and the password Lakers2020$$.
5) Display the contents of the scan 2 output.
By using a more-privileged account with SMBeagle, we are able to enumerate a lot more files, including accounting spreadsheets on the 10.20.20.192 server.
SMB Share Data Harvesting, Search
To analyze data on an SMB share, we need a tool that lists file names and indexes their content. Copernic Desktop Search is a popular choice among security experts. It helps search files on local or networked drives. It indexes file names and content, including compressed files and documents, and allows quick searches for specific strings in files.
Once the indexing is complete, a search for a string such as password completes almost instantly, showing you the files that match the string in the file name, or the payload content. Here we see a file match called backup.sql which includes several password records for users.
Copernic Desktop Search has some issues. It can't find partial matches in strings with underscores (e.g., searching for "access_key" won’t find "aws_access_key"). It also misses files with unknown extensions by default, though you can change this in the settings to include JSON, CSV, SQL, Markdown, and more.
Using Samba's smbclient for File Share Access
We can attack Windows systems from Linux or UNIX using the smbclient tool from the Samba suite. Use the -L argument to list shares on a Windows machine. For Windows 2019 or newer, set the SMB protocol version to SMB2 if you get a connection error; otherwise, leave this setting off.
We can use smbclient to connect to a Windows system and transfer files. It gives us a command prompt like FTP, so we can navigate directories with cd, list files with ls, and download files with get.
Let's jump into a Lightning Labs event to reinforce this learning objective.
1) Smbclient is a Unix tool to interact with an SMB server. We can use it to list shares, connect to shares, and upload and download files.
Start by listing the shares on the SMB server at 10.20.20.38 using the username aharris and the password Coffee123.
In the previous command we used Smbclient to list shares with the -L argument, logging in with the supplied credentials. When we specify the server by name or IP address, use two // characters first.
2) Smbclient will prompt you for the password, or you can enter the password on the command line after the username, separated by a percent sign. Try it now.
3) In addition to listing shares, we can also connect to a share and get an FTP-like prompt using Smbclient.
Repeat the previous command, removing the -L argument. Add a forward slash / after the server IP address, followed by the share name stuff.
4) The smb: \> prompt is interactive. You can enter several Smbclient commands here. Let's try one out: run ls to list the files on the share.
5) With the file list, you can download files using the get command.
From the smb: \> prompt, download the file logo.sketch.
6) You don't have to leave the Smbclient shell or open a new terminal to run local commands. With Smbclient, any command that starts with an ! will execute in the Unix shell, not the remote Samba server.
This is useful to double-check that the file downloaded. Try it now!
7) You can download multiple files using the Smbclient tar command. The tar command will take a list of remote files and download them all, saving to a Unix tar file archive.
Download all of the logo files, creating a local tar file called logo-files.tar.
8) Exit Smbclient by entering the quit command. Do it now.
9) Back on the local system, you can extract the files in the tar archive. Run tar xvf logo-files.tar
to extract all of the files.
In this Lightning Labs event we exfiltrated the files from the 10.20.20.38 server on the Stuff share to our local system using Smbclient. Attackers will apply similar techniques, using compromised credentials and SMB access to investigate and exfiltrate data.
Using Samba's rpcclient for Target Configuration Details
The Linux tool rpcclient is great for gathering info from SMB sessions. It was made for troubleshooting Samba but has many features. To start an SMB session with it, run:
We can type over 100 commands here, including some of the most useful ones:
enumdomusers: This command shows users defined locally on the system and any domain users the system knows about.
enumalsgroups: This command, followed by the word domain or builtin, shows groups defined on the box. The als in the middle of enum and groups in this command's name refers to the word alias.
lsaenumsid: This command shows the Security Identifier (SID) of all users defined locally on the target Windows system.
lookupnames: This feature lets you see the SID for a username that you provide.
lookupsids: This feature converts a SID you provide into the username on the target system.
srvinfo: Shows the version of the target Windows machine.
SMB Exploits
Microsoft reports around 6 Windows SMB vulnerabilities each year. While not all are major threats, many become serious Remote Code Execution exploits like SMBleed, SMBGhost, and EternalBlue.
SMB started in 1983, but the version we know today came with Windows 2000. Microsoft keeps improving SMB security but doesn’t remove old features to avoid issues for users. For example, SMB 1.0 was only disabled by default in new installs of Windows Server 2016. Because of this, modern Windows still supports old SMB functions, some from over 10 years ago when security standards weren't as strong.
CVE-2022-24500: RCE exploit published, pulled from GitHub
CVE-2021-36972: Unauthenticated information disclosure
CVE-2020-1206: SMBleed, limited Win10 version applicability
CVE-2020-0796: SMBGhost/CoronaBlue, widespread use
CVE-2017-0144: EternalBlue, WannaCry ransomware
SMB Password Attacks
We'll cover this in the lab.
Attackers can exploit SMB to access files or run commands on a remote system, even without a specific vulnerability. Windows SMB doesn’t have a delay for wrong password attempts, allowing attackers to guess passwords quickly. While Microsoft offers protections like account lockout, attackers can bypass them.
In this example, PowerShell uses New-SmbMapping to connect to the SMB server at \\10.10.0.1\files and maps it as drive Y. If the login works, it confirms the credentials are valid. An attacker can use this command with different usernames and passwords to find a working combination.
The password attack with New-SmbMapping
can be done either from a remote or local Windows system. An attacker can use it from their own Windows machine or from a compromised one within the network to target an SMB system. It can also be used on the same Windows system where the attacker is working to test local user accounts and access other resources.
These attacks often use third-party PowerShell scripts to make things easier. For example, LocalPasswordSpray.ps1 by Beau Bullock automates local password guessing on Windows. We'll use this script in our lab. Bullock also has a DomainPasswordSpray script for domain passwords. The SMB protocol's password security hasn't improved much, leaving it a weak spot for many organizations.
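The detection side of the password attack described above, as an added example that is not code from the course page: it reads failed-logon events (ID 4625) from the local Security log and reports source addresses that failed against many distinct accounts in a short window, which is the shape a spray leaves behind. The window, the account threshold and the function name are this example's own assumptions.

```powershell
# Added example, not from the course page: detect the password-spray pattern
# in the local Security log. A spray produces failed logons (event 4625) from
# one source against many distinct accounts; a user mistyping a password hits
# one account repeatedly. Requires an elevated prompt. A spray run on the host
# itself (as LocalPasswordSpray.ps1 does) shows a source of "-" or "::1"
# rather than a remote address, so local sources are not filtered out here.
function Find-PasswordSpray {
    param(
        [int]$Hours = 1,          # assumption: tune per environment
        [int]$MinAccounts = 10    # assumption: tune per environment
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $failures = foreach ($e in $events) {
        # Read EventData fields by name from the event XML instead of relying
        # on positional Properties indexes.
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $fields['IpAddress']
            Account   = $fields['TargetUserName']
            LogonType = $fields['LogonType']   # 3 = network logon, used by SMB
            Status    = $fields['Status']      # 0xC000006D = bad user name or password
        }
    }

    $failures | Group-Object Source | ForEach-Object {
        $accounts = @($_.Group.Account | Sort-Object -Unique)
        if ($accounts.Count -ge $MinAccounts) {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                Source    = $_.Name
                Failures  = $_.Count
                Accounts  = $accounts.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        }
    }
}

Find-PasswordSpray -Hours 1 -MinAccounts 10 | Format-Table -AutoSize
```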
Identifying and Dropping SMB Sessions
We'll cover this in the lab also.
As defenders, we need to know how to find and stop unauthorized SMB connections. We can use the PowerShell command Get-SmbSession to see all active SMB connections to our server. For example, it shows if a client from 10.10.75.1 has an open connection. You can also get extra details like the SMB version, connection duration, and idle time.
Before disconnecting a session, we need to change the user account's password to prevent attackers from reconnecting. We can use PowerShell's Read-Host -AsSecureString to create a secure password, then update it with Set-LocalUser (or Set-ADAccountPassword for domain accounts). After changing the password, use Close-SmbSession to end the session.
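The containment procedure just described, carried through as an added example (not code from the course page): it lists the sessions from one client address, rotates the password of each account those sessions use, and only then closes the sessions. The client address 10.10.75.1 is the one used in the text; the function name and the -DomainAccount switch are this example's own.

```powershell
# Added example, not from the course page: contain a suspicious inbound SMB
# session in the order the text recommends, rotating the account's password
# before the session is dropped so the client cannot simply reconnect. Run in
# an elevated prompt on the file server. Use -DomainAccount for domain users
# (Set-ADAccountPassword needs the ActiveDirectory module).
function Stop-SuspiciousSmbSession {
    param(
        [Parameter(Mandatory)][string]$ClientAddress,
        [switch]$DomainAccount
    )
    # For inbound sessions ClientComputerName carries the client's IP address.
    $sessions = @(Get-SmbSession | Where-Object ClientComputerName -eq $ClientAddress)
    if ($sessions.Count -eq 0) {
        Write-Warning "No SMB session from $ClientAddress"
        return
    }
    # Record what the client had open before touching anything.
    $sessions | Select-Object SessionId, ClientUserName, Dialect, NumOpens, SecondsExists, SecondsIdle |
        Format-Table -AutoSize | Out-Host

    foreach ($user in ($sessions.ClientUserName | Sort-Object -Unique)) {
        # ClientUserName is DOMAIN\user or HOST\user; keep the user part only.
        $name = $user.Split('\')[-1]
        $newPassword = Read-Host -Prompt "New password for $name" -AsSecureString
        if ($DomainAccount) {
            Set-ADAccountPassword -Identity $name -NewPassword $newPassword -Reset
        } else {
            Set-LocalUser -Name $name -Password $newPassword
        }
    }

    # Only now end the sessions; -Force suppresses the confirmation prompt.
    $sessions | Close-SmbSession -Force
    # Verify: this should return nothing.
    Get-SmbSession | Where-Object ClientComputerName -eq $ClientAddress
}

Stop-SuspiciousSmbSession -ClientAddress '10.10.75.1'
```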
View Remote SMB shares
  PowerShell: Get-WmiObject -Class win32_share -ComputerName serverip
  net.exe: net view /all \\server
View Local SMB Shares
  PowerShell: Get-SMBShare
  net.exe: net share
Connect SMB share
  PowerShell: New-SmbMapping -LocalPath X: -RemotePath \\server\sharename
  net.exe: net use \\server\sharename
View Inbound Connections
  PowerShell: Get-SmbSession
  net.exe: net session
Drop Inbound Connections
  PowerShell: Close-SmbSession
  net.exe: net session \\server /del
View Outbound SMB Mapped Connections
  PowerShell: Get-SmbMapping
  net.exe: net use
Drop Outbound SMB Mapped Connections
  PowerShell: Remove-SmbMapping -Force
  net.exe: net use * /del
Preparation: Defenses Against Evil SMB Sessions
Allow SMB traffic only from clients to specific servers (like file servers). Block SMB sessions between clients by configuring routers and firewalls to block TCP port 445 and NetBIOS ports (TCP/UDP 135-139). Only allow SMB traffic to systems that need it for business purposes.
Some organizations use Private VLANs (PVLANs) to control what data can enter or leave each computer on their network. PVLANs can block incoming SMB traffic to client machines and allow outgoing SMB only to certain servers.
Lab 2.4: SMB Security Investigation
In this lab, we will use both our Slingshot Linux VM and the Windows 10 VM. We'll use smbclient and rpcclient on our Linux VM to attack our Windows VM.
Verify Connectivity
On the Linux VM, let's test connectivity to the Windows VM using the ping utility:
Next, let's test the connectivity from the Windows VM to the Linux VM using Test-NetConnection 10.10.75.1:
Let's start by enumerating shares using smbclient.
We see a list of shares on the Windows box, including ADMIN$, IPC$, and C$. These are the default admin shares.
Next, let's explore this target using the Linux rpcclient tool.
Let's use rpcclient commands to get information from the target; note that the rpcclient prompt supports Tab autocompletion. Let's start by enumerating users:
This command lists all users on the system, including local and domain users. It shows their names and their Relative Identifiers (RIDs), which are part of the Security Identifier (SID) in hex. For example, the admin account has a RID of 0x1f4 (decimal 500).
Let's get an idea of all the commands available within rpcclient:
Let's use rpcclient to enumerate server info.
Let's list the groups. First, we'll get the domain groups (those created locally or by the domain admin).
Next, we get the internal groups, usually the default ones set by Microsoft.
Here are the machine's groups with their names and RIDs in hex.
Let's use rpcclient's lookupnames to check a few more accounts, beginning with sec504.
We see the SID for the sec504 account with RID 1000. Now, let’s look up the administrator account.
We see the administrator SID with RID 500.
Now let's look up a name that is a group, not a user, by adding an s at the end of administrator:
Here is the administrator's group SID (group SIDs are usually shorter).
Let's use rpcclient queryuser with RID 500 to get detailed info about the original Windows administrator account. Even if the administrator account is renamed, it still has a RID of 500.
The output shows the account name, last password change time, and logon failure count. Let's run this command again using the user account RID 1000.
For RID 500, the timestamps are blank (01 Jan 1970 for 32-bit time and 14 Sep 30828 for 64-bit time), meaning the Administrator account hasn’t logged in. However, RID 1000 shows valid timestamps for logon, password last set, and password change fields.
Next, let's use PowerShell on our Windows machine to disconnect SMB sessions.
We have an incoming session from a client named sec504 using rpcclient from Linux to Windows. To end this session, let's run Close-SmbSession -Force in the pipeline.
Finding Weak Passwords
In this part of the lab, we'll first create 100 users with a script and then try to attack their passwords.
Next, we’ll use the LocalPasswordSpray PowerShell module to carry out a password spray attack on the Windows VM. Let's import the module to implement the password spray attack.
A password spray attack is a brute-force method where an attacker attempts a few common passwords across many accounts to avoid triggering lockouts.
From the PowerShell prompt, let's start the password spray attack, specifying a single password to use as a password guess on all local accounts.
In this lab, we explored how an attacker can use SMB access to their advantage. With smbclient, an attacker can view and connect to SMB shares to upload or download files. Using rpcclient, they can gather information about the SMB server, like user details and password policies. Usually, some access, like a valid username and password, is needed to use these tools. Even standard user access can allow an attacker to gather information and exploit SMB for privilege escalation.
An attacker who gains access to a Windows system, such as through phishing, can use tools like PowerShell and net.exe to attack user accounts. In this lab, we performed a password spray attack to find weak passwords.
Bonus Lab
Using the username erigby and the password weddingrice, identify and enumerate the SMB target system, answering the following questions:
What is the IP address of the SMB target server (in the range 172.30.0.2-254)?
What is the minimum SMB version permitted by the target server?
What other valid username exists on the server?
Does the server enforce complex passwords for the second valid username?
What is Eleanor Rigby's GoFundMe password?
1) What is the IP address of the SMB target server (in the range 172.30.0.2-254)?
Let's start by identifying the server with an Nmap host discovery scan.
We can see that the target SMB server is 172.30.0.22.
Answer: 172.30.0.22
2) What is the minimum SMB version permitted by the target server?
Next, let's identify the minimum SMB version on the server using the Nmap -A argument.
Nmap couldn't fully identify the server response, but the Nmap Script Engine (NSE) shows it's a Samba server supporting SMBv2.
We can also find the SMB version with the smbclient tool by logging in and using the -m option.
The output shows that the SMB target server supports SMBv3 and SMBv2, but not SMBv1 (NTv1).
Answer: SMBv2
3) What other valid username exists on the server?
Now, let's list the valid users on the target server.
The rpcclient enumdomusers command lists local Samba/Linux users, and it found a new user named fmackenzie.
Answer: fmackenzie
4) Does the server enforce complex passwords for the second valid username?
To get details about password policies on the server, we'll use the rpcclient getdompwinfo command.
This output shows that getdompwinfo reveals the default minimum password length is 5 for Samba servers. Running getusrdompwinfo with a user RID (the first user on a Samba server is 1000, found with queryuser) shows the password settings, including that the server doesn't require a complex password (DOMAIN_PASSWORD_COMPLEX is 0).
Answer: No
5) What is Eleanor Rigby's GoFundMe password?
Let's examine the contents of the Data share using the smbclient tool.
Let's check the 1Password folder to see what information we can find.
We found a file named data.1pif. Let's move it to our attack machine to check what's inside.