06 Apr, 2023

Server Message Block (SMB)


SMB stands for Server Message Block. It is a protocol that is used for network file sharing and printer sharing. SMB was first developed by Microsoft for their Windows operating system, but it has since been implemented by other operating systems such as Unix, Linux, and macOS. SMB allows multiple computers to access the same files and resources over a network, and it also provides authentication and encryption to protect data from unauthorized access. SMB has evolved over the years, with the latest version being SMB3, which provides faster file transfer speeds, better security features, and improved performance over high-latency networks.

SMB common ports

Port 445 (TCP and UDP): This port is commonly used by SMB over TCP without the need for NetBIOS.

Port 139 (TCP and UDP): This port was used by the earlier version of SMB (SMB 1.0) which operated on NetBIOS over TCP/IP (NBT).

Port 138 (UDP): This port was used by the earlier version of SMB (SMB 1.0) for datagram services over NetBIOS.

Port 137 (UDP): This port was used by the earlier version of SMB (SMB 1.0) for name services over NetBIOS.
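A defender's counterpart to the port list above, added here as an example and not code from the original page: a triage routine that reads firewall connection-log lines and reports traffic to these four ports that arrives from outside the networks an organisation treats as trusted. The log line format, the IP addresses and the trusted ranges are all constructed for this example; the regular expression is the part you would adapt to a real firewall export.

```python
"""
Added example, not part of the original page: flag SMB-port traffic that
originates outside trusted networks, using the port list from the page.
All log lines, addresses and trusted ranges below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Port to service mapping, taken from the port list on this page.
SMB_PORTS = {
    445: "SMB over TCP (direct hosting)",
    139: "NetBIOS session service (SMB 1.0 over NBT)",
    138: "NetBIOS datagram service",
    137: "NetBIOS name service",
}

# Constructed log format: "<timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def external_smb_hits(lines, trusted_cidrs):
    """SMB-port connections whose source lies outside every trusted network."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMB_PORTS:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in trusted):
            continue  # internal-to-internal SMB is expected traffic here
        rec["service"] = SMB_PORTS[rec["dport"]]
        hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per service and per action so allowed exposure stands out."""
    return {
        "allowed": sum(1 for h in hits if h["action"] == "ALLOW"),
        "by_service": dict(Counter(h["service"] for h in hits)),
        "sources": sorted({h["src"] for h in hits}),
    }


# Constructed sample lines (RFC 5737 documentation ranges and private space).
SAMPLE_LOG = [
    "2023-04-06T10:00:01Z ALLOW TCP 203.0.113.5:51000 -> 10.0.0.7:445",
    "2023-04-06T10:00:02Z DENY  TCP 198.51.100.9:40222 -> 10.0.0.7:139",
    "2023-04-06T10:00:03Z ALLOW TCP 10.0.1.20:49512 -> 10.0.0.7:445",
    "2023-04-06T10:00:04Z ALLOW UDP 203.0.113.5:137 -> 10.0.0.255:137",
    "2023-04-06T10:00:05Z ALLOW TCP 203.0.113.77:33001 -> 10.0.0.8:80",
    "garbage line that should be skipped",
]
TRUSTED = ["10.0.0.0/8", "192.168.0.0/16"]

if __name__ == "__main__":
    found = external_smb_hits(SAMPLE_LOG, TRUSTED)
    for h in found:
        print(h["action"], h["src"], "->", h["dst"], h["dport"], h["service"])
    print(summarize(found))
```

An ALLOW hit on 445 or 139 from an untrusted source is the condition the firewall rule should have prevented; DENY hits are still worth counting, because a source that keeps probing the NetBIOS ports is a useful early-warning signal even when the rule holds.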

Standard commands used by unauthorized users

nbtstat: This command is used to display the current NetBIOS over TCP/IP (NBT) connections and related information. It can be used to gather information about the SMB server and the network.

net view: This command is used to display a list of shared resources on the network. Unauthorized users might use this command to try to identify vulnerable SMB servers.

net use: This command is used to connect to a shared SMB resource or map a network drive. Unauthorized users might use this command to gain access to sensitive data.

smbclient: This command is a Linux utility used to connect to SMB/CIFS servers. Unauthorized users might use this command to attempt to gain access to an SMB server from a Linux system.

Tools for working with the SMB protocol

Manual Tools:

  • nmap – a network exploration and security auditing tool that can be used to scan for open SMB ports.

  • enum4linux – a tool for enumerating SMB shares and discovering vulnerabilities in SMB implementations.

  • smbclient – a command-line tool that can be used to connect to SMB/CIFS servers and perform various operations, such as downloading files, uploading files, and executing commands.

  • smbmap – a tool that can be used to enumerate SMB shares and perform various operations, such as downloading files, uploading files, and executing commands.

  • Metasploit – a penetration testing framework that includes many SMB exploits and modules for testing SMB vulnerabilities.

  • Responder – a tool for performing LLMNR and NBT-NS poisoning attacks to capture user credentials, which can be used to gain access to SMB shares.

  • Wireshark – a network protocol analyzer that can be used to capture and analyze SMB traffic.

  • CrackMapExec – a tool for testing and exploiting SMB vulnerabilities, including password spraying attacks, pass-the-hash attacks, and more.

  • BloodHound – a tool for visualizing and analyzing complex Active Directory environments, which can be used to identify and exploit SMB vulnerabilities.

  • SAMRi10 – a tool for enumerating and manipulating SAM databases on Windows 10 systems, which can be used to obtain user credentials for SMB shares.

Automated Tools:

  • OpenVAS – an open-source vulnerability scanner that includes SMB scanning and testing capabilities.

  • Nessus – a commercial vulnerability scanner that includes SMB scanning and testing capabilities.

  • Qualys – a cloud-based vulnerability scanner that includes SMB scanning and testing capabilities.

  • Retina – a commercial vulnerability scanner that includes SMB scanning and testing capabilities.

  • Rapid7 – a suite of vulnerability management and penetration testing tools that includes SMB scanning and testing capabilities.

  • Nikto – a web server vulnerability scanner that includes SMB scanning and testing capabilities.

  • Acunetix – a web application vulnerability scanner that includes SMB scanning and testing capabilities.

  • Burp Suite – a web application security testing tool that includes SMB scanning and testing capabilities.

  • ZAP – a web application security testing tool that includes SMB scanning and testing capabilities.

  • OWASP Zed Attack Proxy – a web application security testing tool that includes SMB scanning and testing capabilities.

Browser Plugins:

  • Hackbar – a Firefox add-on that can be used to test and exploit web application vulnerabilities, including SMB vulnerabilities.

  • EditThisCookie – a Chrome extension that can be used to test and exploit web application vulnerabilities, including SMB vulnerabilities.

Last five known CVE for SMB

CVE-2022-46181 – Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client side scripts if another user opened a link. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. The vulnerability has been fixed in version 2.2.2. As a workaround, you can block access to non-image files in the ./image directory via a reverse proxy.

CVE-2022-40216 – Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress.

CVE-2022-35251 – A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window; an adversary is able to manipulate not only the style of it, but will also be able to block functionality as well as hijack the content of targeted users. Since the payloads are stored in messages, this is a persistent attack vector, which will trigger as soon as the message gets viewed.

CVE-2022-3033 – If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv="refresh" attribute, and the content attribute specifying a URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, reading and modifying the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

CVE-2022-30273 – The Motorola MDLC protocol through 2022-05-02 mishandles message integrity. It supports three security modes: Plain, Legacy Encryption, and New Encryption. In Legacy Encryption mode, traffic is encrypted via the Tiny Encryption Algorithm (TEA) block-cipher in ECB mode. This mode of operation does not offer message integrity and offers reduced confidentiality above the block level, as demonstrated by an ECB Penguin attack against any block ciphers.

Useful information

– SMB stands for Server Message Block, which is a protocol used for file and printer sharing in Windows operating systems.

– SMB was originally developed by IBM in the 1980s for use in its LAN Manager product.

– SMB has evolved over the years, with SMBv2 being introduced in Windows Vista and SMBv3 being introduced in Windows 8 and Windows Server 2012.

– SMB operates over TCP/IP and typically uses ports 139 and 445.

– SMB supports both shared and distributed file systems.

– SMB supports various authentication and authorization mechanisms, including NTLM and Kerberos.

– SMB can be used to access files and printers on remote systems, as well as to share files and printers on local systems.

– SMB can be used to access and manipulate file system metadata, such as permissions and attributes.

– SMB can be used to access remote registry entries and to execute remote commands.

– SMB can be used to perform remote procedure calls (RPCs) for various management and administrative tasks.

– SMB is vulnerable to various security threats, including man-in-the-middle attacks, SMB relay attacks, and SMB signing downgrade attacks.

– SMB can be secured using various measures, such as SMB encryption, SMB signing, and access control.

– SMB is used by various other protocols and services, such as NetBIOS, NBT-NS, and LLMNR.

– SMB is widely used in enterprise environments and is a common target for attackers seeking to gain unauthorized access to sensitive data.

– SMB is supported by various third-party tools and utilities, such as Wireshark, nmap, and Metasploit.

– Microsoft recommends using SMBv3 for improved performance, security, and reliability.

– SMB has been criticized for its complexity and lack of interoperability with non-Windows systems.

– SMB is constantly evolving, with new features and improvements being added in each new version.

– SMB is used by millions of users and organizations worldwide, making it a critical component of many IT infrastructures.

– SMB is an important technology to understand for IT professionals working with Windows systems or involved in network security and administration.

Known banners

Windows 95/98/ME: SMB 1.0 [1]
Windows NT 4.0: SMB 1.0 [2]
Windows 2000: SMB 1.0 [2]
Windows XP: SMB 1.0 [3]
Windows Server 2003: SMB 1.0 [3]
Windows Vista: SMB 2.0 [4]
Windows Server 2008: SMB 2.0 [4]
Windows 7: SMB 2.1 [5]
Windows Server 2008 R2: SMB 2.1 [5]
Windows 8: SMB 3.0 [6]
Windows Server 2012: SMB 3.0 [6]
Windows 8.1: SMB 3.0 [6]
Windows Server 2012 R2: SMB 3.0 [6]
Windows 10: SMB 3.0 [6]
Windows Server 2016: SMB 3.0 [6]
Windows Server 2019: SMB 3.1.1 [7]

Books for studying SMB

Inside SMB Networking by Darril Gibson – This book provides a comprehensive overview of SMB networking and covers topics such as network architecture, protocols, and security. It also includes practical examples and exercises to help readers apply their knowledge.

Troubleshooting Windows Server with PowerShell by Derek Schauland – This book covers various troubleshooting techniques for Windows Server, including SMB troubleshooting using PowerShell. It provides practical examples and step-by-step instructions for resolving common SMB issues.

Windows Internals, Part 2: Covering Windows Server 2008 R2 and Windows 7 by Mark Russinovich – This book provides an in-depth look at the internal workings of Windows operating systems, including SMB protocols and services. It is intended for advanced users and IT professionals.

Windows Server 2016: Inside Out by Orin Thomas – This book provides a comprehensive guide to Windows Server 2016, including SMB networking and security. It covers topics such as file services, DFS, and network printing.

Windows Server 2019 Inside Out by Orin Thomas – This book provides a comprehensive guide to Windows Server 2019, including SMB networking and security. It covers topics such as file services, DFS, and network printing.

Mastering Windows Server 2016 by Jordan Krause – This book provides a detailed guide to Windows Server 2016, including SMB networking and security. It covers topics such as Active Directory, DNS, and DHCP, as well as file and print services.

The Accidental Administrator: Linux Server Step-by-Step Configuration Guide by Don R. Crawley – While not specifically focused on SMB, this book provides a comprehensive guide to Linux server administration, including file and print services that can be used to complement SMB services.

List of payloads for Server Message Block

  1. Malware payloads: Malware can be delivered through SMB, including Trojans, ransomware, viruses, and worms.

  2. Exploit payloads: Exploits can be used to target vulnerabilities in SMB, such as the EternalBlue vulnerability that was famously used in the WannaCry ransomware attack.

  3. Credential theft payloads: SMB can be used to steal credentials, including usernames and passwords, by intercepting authentication traffic.

  4. Denial-of-service payloads: SMB can be used to launch a denial-of-service attack by flooding the network with traffic or by sending malformed packets that crash the target system.

  5. File-based payloads: SMB can be used to transfer files between systems, including malicious files such as scripts, executables, and configuration files.

Mitigation

  1. Regularly update the operating system and any software that uses SMB. Patches are often released to address security vulnerabilities and it is important to stay current with these updates.

  2. Older versions of SMB, such as SMBv1, have known vulnerabilities and should be disabled. Consider using SMBv2.1 or higher for enhanced security features.

  3. Implement strong password policies to prevent unauthorized access to systems and data. Make sure to use complex passwords that are difficult to guess.

  4. Implement access controls and limit access to critical systems and data to only authorized users. This can help prevent unauthorized access and reduce the potential impact of a security breach.

  5. Use firewalls to restrict access to SMB ports from untrusted networks. Also, consider using network segmentation to isolate critical systems and data from the rest of the network.

  6. Consider using encryption for SMB traffic to protect against eavesdropping and other interception attacks.

  7. Use intrusion detection and prevention systems to monitor network traffic for suspicious activity and prevent attacks before they can do damage.

Conclusion

Server Message Block (SMB) protocol is an important networking protocol used for file sharing and other network services in Windows operating systems. Each version of Windows has a corresponding SMB server version, with the latest versions using SMB 3.0 or higher.
