SMB Enumeration & Exploitation & Hardening
What is SMB?
SMB (Server Message Block) is a network protocol for accessing files, printers and other devices
on the network. Server Message Block provides file sharing, network browsing, printing services,
and interprocess communication over a network. Most usage of SMB involves computers
running Microsoft Windows, where it was known as “Microsoft Windows Network” before the
introduction of Active Directory. SMB uses TCP 139 and TCP 445 ports by default. Latest SMB
version is SMBv3. SMB has been the subject of numerous vulnerabilities from past to present.
Lets talk about some of these.
The Most Popular SMB Vulnerabilities
This is the most recent SMB vulnerability was announced. An information disclosure vulnerability
published on Microsoft Server Message Block 3.1.1 (SMBv3). An attacker who successfully
exploited the vulnerability could obtain information to further compromise the user’s system. To
exploit a server, an unauthenticated attacker could send a specially crafted packet to a targeted
SMBv3 server. To exploit a client, an unauthenticated attacker would need to configure a
malicious SMBv3 server and convince a user to connect to it.
Affected versions are Windows 10 versions 1903, 1909, 2004.
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block
3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the
vulnerability could gain the ability to execute code on the target server or client. To exploit the
vulnerability against a server, an unauthenticated attacker could send a specially crafted packet
to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated
attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
• Windows 10 Version 1903 for 32-bit Systems
• Windows 10 Version 1903 for ARM64-based Systems
• Windows 10 Version 1903 for x64-based Systems
• Windows 10 Version 1909 for 32-bit Systems
• Windows 10 Version 1909 for ARM64-based Systems
• Windows 10 Version 1909 for x64-based Systems
• Windows Server, version 1903 (Server Core installation)
• Windows Server, version 1909 (Server Core installation)
The most severe of the vulnerabilities could allow remote code execution if an attacker sends
specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. On 2017,
WannaCry Ransomware which targeted computers running the Microsoft Windows operating
system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
WannaCry Ransomware propagated through EternalBlue (MS17-010).
This is a remote code execution vulnerability. An attacker who successfully exploited this
vulnerability could take complete control of an affected system remotely. On Microsoft Windows
2000-based, Windows XP-based, and Windows Server 2003-based systems, an attacker could
exploit this vulnerability over RPC without authentication and could run arbitrary code.
SMB is one of the most important service. So it is very important for a pentester. First things first,
we need get some information.
Port Scanning – Check Service is Up
Nmap can be used for port scanning. Basic nmap command for SMB service check is in the
Nmblookup is a tool in the Kali Linux distribution. Nmblookup collects NetBIOS over TCP/IP client
used to lookup NetBIOS names.
Checking SMB Properties
Nmap can check SMB mode and SMB properties with basic scripts.
SMB Share Listing
Enum4Linux is a great tool for SMB Scanning. Enum4Linux checks all SMB Enumeration types with
-A (do all enumeration) parameter. Enum4Linux checks for null session, share listing, domain info,
password policy and etc.
Exploiting SMB Vulnerabilities
Now, we know how to enumerate SMB service. A computer with MS17-010 vulnerability was
detected using enumeration methods. So, let’s exploit it.
Metasploit framework will be used, for exploitation phase.
Then, select the module and use it.
Every module on the metaspolit framework needs some parameters to exploit. So, we need to
set required parameters in the module options.
Read/Write a File With SMB Service
We can write a malicious code on the target. Let’s check it on the target.
SMBv1 is a very old version of SMB. This makes it insecure. When you use SMB1, we lose key
protections offered by later SMB protocol versions:
• Pre-authentication Integrity (SMB 3.1.1+): Protects against security downgrade attacks.
• Secure Dialect Negotiation (SMB 3.0, 3.02): Protects against security downgrade attacks.
• Encryption (SMB 3.0+): Prevents inspection of data on the wire, MiTM attacks. In SMB
3.1.1 encryption performance is even better than signing!
• Insecure guest auth blocking (SMB 3.0+ on Windows 10+): Protects against MiTM
• Better message signing (SMB 2.02+): HMAC SHA-256 replaces MD5 as the hashing
algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing
performance increases in SMB2 and 3.
Starting in Windows 8.1 and Windows Server 2012 R2, removal of the SMB1 feature possible and
Remove SMBv1 on the server with powershell;
When using operating systems older than Windows 8.1 and Windows Server 2012 R2, we can’t
remove SMB1 but we can disable it.
For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008
“HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type
DWORD -Value 0 –Force
Enable SMB Signing
SMB Signing is a feature through which communications using SMB can be digitally signed at the
packet level. Digitally signing the packets enables the recipient of the packets to confirm their
point of origination and their authenticity. This security mechanism in the SMB protocol helps
avoid issues like tampering of packets and “man in the middle” attacks. SMB signing is available
in all currently supported versions of Windows, but it’s only enabled by default on Domain
To enable SMB Signing;
- Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
- From the Edit menu select New – DWORD value
- Add the following two values EnableSecuritySignature and RequireSecuritySignature if they do
- You should set to 0 for disable (the default) or 1 to enable. Enabling EnableSecuritySignature
means if the client also has SMB signing enabled then that is the preferred communication
method, but setting RequireSecuritySignature to enabled means SMB signing MUST be used and
so if the client is not SMB signature enabled then communication will fail.
Disable Null Sessions
Null sessions are a weakness that can be exploited through shared folders (including the default
shared folders) on computers in your environment.
To disable Null Sessions;
Add RestrictNullSessAccess with the value 1 in the registry key
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters. This registry value
toggles null session shared folders on or off to control whether the Server service restricts
unauthenticated clients’ access to named resources.
SMB is one of the most important services. We must restrict access to SMB services.
Cut inbound SMB access at the corporate firewalls
Block TCP/ port 445 inbound from the internet at your hardware firewalls.
Cut outbound SMB access at the corporate firewall with exceptions for specific IP ranges
It is extremely unlikely you’ll need to allow any outbound SMB to the Internet unless you’re using
it as part of a public cloud offering. With Azure Files SMB you could instead use a VPN. You should
be restricting that outbound traffic to only those service IP ranges.
Configure Windows Defender Firewall for inbound and outbound blocks
The key thing to understand is blocking both inbound and outbound communications in a very
deterministic way using rules that include exceptions and add additional connection security.
Disable SMB Server if truly unused
Disable SMB server if you are not using.
Apply Security Patches
Keep your server up to date and apply critical security patches immediately.