Common Weaknesses in SMB
- Multiple vulnerabilities in Microsoft Windows SMBv1
- SMB Signing not enabled
- Microsoft Windows SMB using NULL Session Authentication
- Microsoft Windows SMB Shares accessible without privileges
Network Exploration
TCP port 5357: Web Services on Devices API (WSDAPI)
File and Printer Sharing
TCP port 135: Remote Procedure Call (RPC)
TCP port 139: NETBIOS Session Service
TCP port 445: Server Message Block (SMB)
Disabling NetBIOS over TCP/IP closes TCP port 139 (and UDP 137/138) and stops NetBIOS name discovery. SMB keeps working directly over TCP port 445, so this alone does not remove the SMB exposure.
Numerous vulnerabilities in Microsoft Windows SMBv1
Checking for Weaknesses:
The Nmap NSE script “smb-protocols” lists every dialect a server will negotiate; a response that includes “NT LM 0.12 (SMBv1)” means SMBv1 is still enabled on that host.
System Evaluation:
Fixing the Issue:
Confirming the Fix:
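A check, fix and confirm run for this weakness, as an added example written for this page (not code from the original page). It is PowerShell for the host being fixed and assumes an elevated session, the SmbShare module (Windows 8.1 / Server 2012 R2 or later) and Nmap on PATH; `$Target` and its TEST-NET-1 address are placeholders.

```powershell
# Added example, not from the original page. Check for, remove and re-check SMBv1 on a Windows host.
# Assumptions: elevated PowerShell on the host being fixed, SmbShare module (Windows 8.1 /
# Server 2012 R2 or later), Nmap on PATH. $Target is a placeholder address (TEST-NET-1).

$Target = '192.0.2.10'

# --- Check from the network: smb-protocols lists every dialect the server will negotiate.
# A line containing "NT LM 0.12 (SMBv1)" means the server still accepts SMBv1.
$nmapOut     = & nmap -p 445 --script smb-protocols $Target | Out-String
$smb1Offered = $nmapOut -match 'NT LM 0\.12'

# --- Evaluate on the host: the SMB server switch and the optional feature that installs the SMB1 driver.
# (On Windows Server use Get-WindowsFeature FS-SMB1 / Uninstall-WindowsFeature FS-SMB1 instead.)
$srv     = Get-SmbServerConfiguration
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
[pscustomobject]@{
    Smb1OfferedOnTheWire = $smb1Offered
    EnableSMB1Protocol   = $srv.EnableSMB1Protocol
    Smb1FeatureState     = $feature.State        # Enabled / Disabled / DisabledWithPayloadRemoved
}

# --- Fix: stop the server from offering SMBv1, then remove the feature (complete after a reboot).
if ($srv.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# --- Confirm: the server must report False, and the "NT LM 0.12 (SMBv1)" line must be gone
# from the dialect list.
(Get-SmbServerConfiguration).EnableSMB1Protocol
& nmap -p 445 --script smb-protocols $Target
```

Run the scan from a second machine so the result reflects what the network sees rather than the local loopback; removing the optional feature only takes effect after the reboot, so re-run the confirm step afterwards.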
SMB Signing Not Enabled
Checking for Weaknesses:
System Evaluation:
Fixing the Issue:
Enable the “Microsoft network server: Digitally sign communication (always)” setting.
Leaving “Microsoft network server: Digitally sign communications (always)” disabled means the server accepts unsigned sessions. An attacker on the same network can then hijack or relay such a session (see the SMB relay resources below).
Things to Consider:
- Enabling this adds signing overhead, which can slow file copies and other network activity on client computers.
- Enabling this stops clients that cannot sign SMB traffic from talking to servers and domain controllers that require it, which breaks domain joins, user and computer authentication, and network access for programs on those clients.
Confirming the Fix:
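The same check, evaluate, fix and confirm cycle for signing, as an added example written for this page (not code from the original page). It assumes an elevated PowerShell on the file server with the SmbShare module (Windows 8 / Server 2012 or later) and Nmap on PATH; `$Target` is a placeholder, and the registry paths are the values the two “(always)” Group Policy entries write to.

```powershell
# Added example, not from the original page. Audit SMB signing on a Windows file server,
# require it, and confirm from the network. Assumptions: elevated PowerShell on the server,
# SmbShare module (Windows 8 / Server 2012 or later), Nmap on PATH. $Target is a placeholder.

$Target = '192.0.2.10'

# --- Check from the network. smb2-security-mode prints
#   "Message signing enabled but not required"  -> weak (default for workstations and member servers)
#   "Message signing enabled and required"      -> fixed
& nmap -p 445 --script smb2-security-mode $Target

# --- Evaluate on the host: live settings plus the registry values the two Group Policy entries
# ("Microsoft network server/client: Digitally sign communications (always)") write to.
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$cliKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
[pscustomobject]@{
    ServerSigningEnabled  = $srv.EnableSecuritySignature    # "if client agrees": offers signing only
    ServerSigningRequired = $srv.RequireSecuritySignature   # "(always)": the setting that defeats relay
    ClientSigningRequired = $cli.RequireSecuritySignature
    ServerPolicyRegValue  = (Get-ItemProperty $srvKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    ClientPolicyRegValue  = (Get-ItemProperty $cliKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
}

# --- Fix: require signing on both sides (same effect as enabling both "(always)" policies).
# From here on, clients that cannot sign are refused; see "Things to Consider" above.
# On a domain-joined host set this in Group Policy, otherwise a defined policy reverts the local change.
Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# --- Confirm: locally (expect True), on the wire (expect "enabled and required"), and per connection.
(Get-SmbServerConfiguration).RequireSecuritySignature
& nmap -p 445 --script smb2-security-mode $Target
# On any client with an open connection to the server, the Signed column shows whether that
# session is actually being signed.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed
```

`EnableSecuritySignature` on its own only offers signing; a client (or a relay tool) that declines still gets an unsigned session. `RequireSecuritySignature` is the setting that closes the relay path, which is why the confirm step checks that value and not the first.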
Microsoft Windows SMB using NULL Session Authentication
Checking for Weaknesses:
System Evaluation:
Fixing the Issue:
Enable both “Network access: Do not allow anonymous enumeration of SAM accounts” and “Network access: Do not allow anonymous enumeration of SAM accounts and shares”.
Confirming the Fix:
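A null session is an SMB/IPC$ connection made with an empty user name and password. The following check, evaluate, fix and confirm run is an added example written for this page (not code from the original page); it assumes an elevated PowerShell on the host being fixed and Nmap on PATH, `$Target` is a placeholder, and the registry values are the ones behind the “Network access” policies named above and their two companions.

```powershell
# Added example, not from the original page. Test whether a host answers null-session queries,
# lock the anonymous path down, and re-test. Assumptions: elevated PowerShell on the host being
# fixed, Nmap on PATH. $Target is a placeholder address.

$Target = '192.0.2.10'

# --- Check from the network. Both scripts first try an anonymous (null) session, i.e. empty user
# name and password. Any user list at all, or a share shown with "Anonymous access: READ",
# means the host still serves null sessions.
& nmap -p 445 --script smb-enum-shares,smb-enum-users $Target

# --- Evaluate on the host: the registry values behind the "Network access" policies.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
[pscustomobject]@{
    # "Do not allow anonymous enumeration of SAM accounts" (want 1)
    RestrictAnonymousSAM      = Get-RegValue $lsa RestrictAnonymousSAM
    # "Do not allow anonymous enumeration of SAM accounts and shares" (want 1)
    RestrictAnonymous         = Get-RegValue $lsa RestrictAnonymous
    # "Let Everyone permissions apply to anonymous users" (want 0)
    EveryoneIncludesAnonymous = Get-RegValue $lsa EveryoneIncludesAnonymous
    # "Restrict anonymous access to Named Pipes and Shares" (want 1)
    RestrictNullSessAccess    = Get-RegValue $srv RestrictNullSessAccess
    # Pipes and shares exempted from that restriction (want none)
    NullSessionPipes          = (Get-RegValue $srv NullSessionPipes)  -join ','
    NullSessionShares         = (Get-RegValue $srv NullSessionShares) -join ','
}

# --- Fix: same effect as enabling the two policies named above, plus their two companions.
# On a domain-joined host set them in Group Policy instead, otherwise the next policy refresh
# can put them back.
Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM      -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name RestrictAnonymous         -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous -Value 0 -Type DWord
Set-ItemProperty -Path $srv -Name RestrictNullSessAccess    -Value 1 -Type DWord
# The LanManServer value applies when the Server service restarts (this drops open SMB
# sessions); reboot afterwards so the LSA values are certain to be in effect.
Restart-Service -Name LanmanServer -Force

# --- Confirm: the user list should be empty and every share should show "Anonymous access: <none>".
& nmap -p 445 --script smb-enum-shares,smb-enum-users $Target
```

Keep the NullSessionPipes and NullSessionShares lists empty unless a specific legacy application needs an entry; each name listed there is a path that bypasses the restriction you just enabled.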
Microsoft Windows SMB Shares Accessible Without Privileges
Checking for Weaknesses:
System Evaluation:
Fixing the Issue:
Turn on password-protected sharing (Control Panel > Network and Sharing Center > Advanced sharing settings). This disables the built-in Guest account, so only users with an account and password on the computer can reach its shares. Also review each share's permissions and remove Everyone where that access is not needed.
Confirming the Fix:
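A check, fix and confirm run for open shares, as an added example written for this page (not code from the original page). It assumes an elevated PowerShell on the host (Windows 10 / Server 2016 or later for the LocalAccounts cmdlets) and Nmap on PATH; `$Target`, the share name `Public` and the group `EXAMPLE\FileUsers` are placeholders.

```powershell
# Added example, not from the original page. Find shares that anonymous or guest users can reach,
# turn password-protected sharing on, tighten the share ACL, and re-check from the network.
# Assumptions: elevated PowerShell on the host (Windows 10 / Server 2016 or later for Get-LocalUser),
# Nmap on PATH. $Target, the share name and the group in the fix step are placeholders.

$Target = '192.0.2.10'

# --- Check / evaluate: non-administrative shares whose ACL allows a catch-all principal.
# Share ACL and NTFS ACL are both gates; the effective right is the more restrictive of the two.
$openPrincipals = 'Everyone', 'ANONYMOUS LOGON', 'Guest', 'Guests'
$exposed = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
        $account = ($ace.AccountName -split '\\')[-1]    # "BUILTIN\Guests" -> "Guests"
        if ($ace.AccessControlType -eq 'Allow' -and $openPrincipals -contains $account) {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $ace.AccountName
                Right   = $ace.AccessRight      # Read / Change / Full
            }
        }
    }
}
$exposed | Format-Table -AutoSize

# Password-protected sharing "off" is implemented by enabling the built-in Guest account, so
# anyone on the network can open a share granted to Everyone or Guests without a password.
$guest = Get-LocalUser -Name Guest
"Guest account enabled: $($guest.Enabled)  (True means password-protected sharing is off)"

# --- Fix: password-protected sharing on (Guest disabled) and no catch-all ACE on the share.
Disable-LocalUser -Name Guest
$shareName    = 'Public'              # placeholder: a share reported in $exposed
$allowedGroup = 'EXAMPLE\FileUsers'   # placeholder: the group that should have access
Revoke-SmbShareAccess -Name $shareName -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name $shareName -AccountName $allowedGroup -AccessRight Change -Force

# --- Confirm: the share ACL no longer lists a catch-all principal, and an anonymous scan
# reports "Anonymous access: <none>" for every share.
Get-SmbShareAccess -Name $shareName
& nmap -p 445 --script smb-enum-shares $Target
```

Removing Everyone from the share ACL does not help if the NTFS ACL on the path still grants Everyone and the Guest account is enabled, so check both gates; `Get-Acl` on `$share.Path` shows the NTFS side.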
Analyzing Logs for SMB Session Authentication
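An SMB session shows up in the Security log as event 4624 with logon type 3 (network logon); a null session is the same event with target user “ANONYMOUS LOGON” (SID S-1-5-7), and the authentication package field shows whether NTLM or Kerberos was used. The parser and query below are an added example written for this page (not code from the original page). The sample event is constructed, not a real capture; the host and address in it are placeholders.

```powershell
# Added example, not from the original page. Pull SMB-relevant logon events out of the Security
# log and flag anonymous (null-session) and NTLM network logons. Event 4624 with LogonType 3 is
# a network logon, which is what an SMB session establishes; TargetUserSid S-1-5-7 marks a
# null session.

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$x = $EventXml
    $id = $x.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # events with a Qualifiers attribute
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.'#text' }
    [pscustomobject]@{
        TimeCreated    = $x.Event.System.TimeCreated.SystemTime
        Computer       = $x.Event.System.Computer
        EventId        = [int]$id
        LogonType      = [int]$d['LogonType']
        User           = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        TargetSid      = $d['TargetUserSid']
        AuthPackage    = $d['AuthenticationPackageName']
        LmPackage      = $d['LmPackageName']          # NTLM V1 / NTLM V2 when AuthPackage is NTLM
        SourceIp       = $d['IpAddress']
        Workstation    = $d['WorkstationName']
        IsNetworkLogon = ([int]$d['LogonType'] -eq 3)
        IsAnonymous    = ($d['TargetUserSid'] -eq 'S-1-5-7')
        IsNtlm         = ($d['AuthenticationPackageName'] -eq 'NTLM')
    }
}

# Constructed sample event (not a real capture): an anonymous NTLMv1 network logon.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-15T10:22:31.000Z"/>
    <Channel>Security</Channel>
    <Computer>FS01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserSid">S-1-5-7</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">SCANNER</Data>
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="IpAddress">192.0.2.55</Data>
    <Data Name="IpPort">49812</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml $sample | Format-List

# Live use: network logons on this host in the last 24 hours, anonymous ones first.
# Reading the Security log needs Administrators or Event Log Readers membership.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() } |
    Where-Object IsNetworkLogon |
    Sort-Object IsAnonymous -Descending |
    Format-Table TimeCreated, User, AuthPackage, LmPackage, SourceIp, IsAnonymous -AutoSize
```

Anonymous network logons that persist after the fixes above, or NTLM V1 logons from hosts that should be using Kerberos, are the lines worth following up; event 5140 (a network share object was accessed) in the same log ties a logon to the share it touched.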
Additional Resources
- How to work with SMBv1, SMBv2, and SMBv3 in Windows: https://support.microsoft.com/en-my/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
- Limiting what anonymous users can see: https://support.microsoft.com/en-my/help/143474/restricting-information-available-to-anonymous-logon-users
- Client, service and program issues that can occur when you change security settings and user rights assignments: https://support.microsoft.com/en-my/help/823659/client-service-and-program-issues-can-occur-if-you-change-security-set
- Understanding SMB Relay Attacks: https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
- More on SMB Relay Attacks: https://cqureacademy.com/blog/penetration-testing/smb-relay-attack