Server Message Block (SMB) is a network file-sharing protocol that lets a client open, read, write and share files on a remote server and use shared resources such as printers and named pipes. As remote work and interconnected networks have expanded, the protocol has become a prime target for threat actors seeking unauthorized access to sensitive data and devices. In 2017, we introduced 5 general ways to protect your network from SMB risks. In this article, we examine some specific attacks and revisit the practices that protect your environment from this attack vector.
Notable SMB-related attacks
SMB operates on a client-server model. Modern implementations run directly over TCP port 445; older deployments also carry SMB over NetBIOS on TCP port 139. The protocol has several dialects, and the oldest, SMB1 (also called CIFS), lacks modern protections and has been the target of the most damaging exploits. The following attacks exploited SMB vulnerabilities, causing significant damage and widespread losses across global systems.
- WannaCry ransomware – In May 2017, this ransomware worm infected hundreds of thousands of Microsoft Windows systems worldwide within days. It spread using EternalBlue, an exploit for an SMB1 remote code execution flaw (CVE-2017-0144) that Microsoft had patched in March 2017 as MS17-010. EternalBlue was developed by the US National Security Agency and leaked in April 2017 by the group calling itself the Shadow Brokers; systems that had not applied the patch were hit a month later. By 2019, more than 12,000 variants of the ransomware had been observed in the wild.
- Emotet trojan – Emotet first appeared in 2014 as a banking trojan. In 2017 it became self-propagating malware by adding network-spreading modules; its lateral movement was widely reported to use EternalBlue, and it also spread by brute-forcing credentials against SMB shares. It arrives as malicious spam attachments and, once installed, acts as a loader that delivers other payloads, including banking trojans and ransomware. Law enforcement dismantled its infrastructure in January 2021, but the botnet resurfaced in November 2021.
- TrickBot trojan – First seen in 2016 and active for years afterward, TrickBot steals financial information and account credentials and serves as a loader for other malware. Its spreader modules used the EternalChampion exploit, another SMB1 exploit covered by MS17-010, to move laterally across networks; like EternalBlue, EternalChampion was an NSA tool leaked by the Shadow Brokers, not written by them.
How does SMB work?
SMB file sharing and resource access follow a fixed sequence of requests between a client and a server; in SMB2 and later, each step maps to specific commands.
- Negotiate – The client connects to TCP port 445 and sends a NEGOTIATE request listing the dialects it supports (2.0.2 through 3.1.1). The server picks the highest dialect both sides support and advertises its security settings, including whether it merely supports message signing or requires it. Because the connection's security properties are fixed here, this is the step that downgrade attacks target.
- Authentication – The client sends a SESSION_SETUP request carrying a Kerberos or NTLM token (wrapped in SPNEGO). The server validates it and returns a session ID; both sides derive the keys used for message signing and encryption from the authenticated session.
- Resource access – The client sends TREE_CONNECT to a share (a user share, or an administrative share such as C$ or IPC$) and then CREATE, READ, WRITE and IOCTL requests to open and operate on files, directories and named pipes. Access is checked against the share permissions and the file system ACLs for the authenticated identity. The named pipes exposed through IPC$ are also how remote administration tools create services and run commands on the server, which is why a session with an administrator's identity amounts to code execution.
- Session termination – The client sends CLOSE for its open handles, TREE_DISCONNECT for the share and LOGOFF to end the session, releasing resources on both client and server.
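As an added example (not code from the original article), here is the NEGOTIATE step of that sequence in Python: the client request with its dialect list, a constructed server reply, and a parser that pulls out the negotiated dialect and the SecurityMode bits. Those two bits, signing enabled versus signing required, are exactly what an attacker inspects when choosing relay targets. Message layouts follow MS-SMB2; the only part that touches the network is probe(), which sends a real request to a host you name and deliberately offers dialects only up to 3.0.2, because offering 3.1.1 obliges the client to attach negotiate contexts that this minimal example does not build. The constructed reply models a host with signing enabled but not required, which for years was the default for Windows workstations and member servers.

```python
"""Minimal SMB2 NEGOTIATE exchange over the direct-TCP transport (MS-SMB2 2.2.3 / 2.2.4)."""
import socket
import struct
import uuid

# SMB2 command codes for the steps in the walk-through above (MS-SMB2 2.2.1.2)
SMB2_NEGOTIATE, SMB2_SESSION_SETUP, SMB2_LOGOFF, SMB2_TREE_CONNECT = 0x0000, 0x0001, 0x0002, 0x0003
SMB2_TREE_DISCONNECT, SMB2_CREATE, SMB2_CLOSE, SMB2_READ, SMB2_WRITE = 0x0004, 0x0005, 0x0006, 0x0008, 0x0009

DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002   # SecurityMode bits
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001               # set on every server response

# 64-byte synchronous SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command,
# Credits, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")
NEG_REQ_FIXED = struct.Struct("<HHHHI16sQ")          # 36 bytes, then the dialect list
NEG_RESP_FIXED = struct.Struct("<HHHH16sIIIIQQHHI")  # 64 bytes, then the security blob


def smb2_header(command, message_id, status=0, flags=0, session_id=0, tree_id=0):
    return SMB2_HEADER.pack(b"\xfeSMB", 64, 0, status, command, 1, flags, 0,
                            message_id, 0, tree_id, session_id, b"\x00" * 16)


def frame(msg):
    """Direct-TCP framing: 4-byte big-endian length, top byte zero (no NetBIOS session)."""
    return struct.pack(">I", len(msg)) + msg


def unframe(data):
    (length,) = struct.unpack(">I", data[:4])
    return data[4:4 + length]


def build_negotiate_request(dialects, security_mode=SIGNING_ENABLED, client_guid=None):
    """Client side: offer a dialect list and state our own signing policy."""
    guid = (client_guid or uuid.uuid4()).bytes_le
    body = NEG_REQ_FIXED.pack(36, len(dialects), security_mode, 0, 0, guid, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return smb2_header(SMB2_NEGOTIATE, message_id=0) + body


def build_negotiate_response(dialect, security_mode):
    """Server side: a constructed reply with the chosen dialect and no GSS security blob."""
    body = NEG_RESP_FIXED.pack(65, security_mode, dialect, 0, b"\x00" * 16,
                               0, 0x800000, 0x800000, 0x800000, 0, 0, 64 + 64, 0, 0)
    return smb2_header(SMB2_NEGOTIATE, 0, flags=SMB2_FLAGS_SERVER_TO_REDIR) + body


def parse_negotiate_response(msg):
    """Return the negotiated dialect and what the server says about signing."""
    hdr = SMB2_HEADER.unpack_from(msg, 0)
    proto, status, command = hdr[0], hdr[3], hdr[4]
    if proto != b"\xfeSMB" or command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE response")
    if status != 0:
        raise ValueError(f"server returned NTSTATUS 0x{status:08x}")
    fields = NEG_RESP_FIXED.unpack_from(msg, 64)
    security_mode, dialect = fields[1], fields[2]
    return {
        "dialect": DIALECTS.get(dialect, f"0x{dialect:04x}"),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe(host, port=445, timeout=3.0):
    """Send a real NEGOTIATE to host. Offers 2.0.2 to 3.0.2 only; 3.1.1 would require
    negotiate contexts (pre-authentication integrity) that this example does not build."""
    request = build_negotiate_request([0x0202, 0x0210, 0x0300, 0x0302])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame(request))
        (length,) = struct.unpack(">I", _recv_exact(sock, 4))
        return parse_negotiate_response(_recv_exact(sock, length))


if __name__ == "__main__":
    # Offline demonstration with a constructed reply: signing enabled, not required.
    reply = build_negotiate_response(0x0302, SIGNING_ENABLED)
    print(parse_negotiate_response(unframe(frame(reply))))
```

Running probe() against a domain controller should report signing_required True; against a default workstation it typically reports signing_enabled True and signing_required False, which is the state the relay attack below depends on.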
SMB authentication methods
SMB does not authenticate users itself. The SESSION_SETUP exchange carries tokens from one of the following mechanisms, and the session keys used for signing and encryption are derived from the result.
- NT LAN Manager (NTLM) - NTLM is a legacy challenge-response protocol used whenever Kerberos is unavailable: workgroup machines, connections made by IP address rather than by hostname, and older systems. The server sends a random challenge and the client returns a response computed from that challenge and a hash of the user's password (in a domain, the server forwards the exchange to a domain controller for validation). NTLM gives the client no assurance of the server's identity, its responses can be relayed to other servers, and NTLMv1 responses and NTLMv2 responses for weak passwords can be cracked offline. Microsoft recommends auditing and restricting its use.
- Kerberos - Kerberos uses symmetric key cryptography and a Key Distribution Center (KDC) hosted on the domain controllers. Tickets are issued for a specific service principal, which makes them far harder to relay than NTLM responses, and the client authenticates the server as well. Kerberos is the recommended authentication protocol for SMB within Active Directory (AD) domains; note that Windows clients typically fall back to NTLM when a share is addressed by IP address rather than by a name that maps to a service principal.
- SMB3 protections for the negotiation and authentication steps - SMB 3.x adds no new authentication method; it protects the exchange that carries them:
- Pre-authentication integrity (SMB 3.1.1): Both sides keep a SHA-512 running hash of the NEGOTIATE and SESSION_SETUP messages and feed it into the derivation of the session's signing and encryption keys. Any tampering with the negotiation by a man in the middle therefore yields mismatched keys and a failed session.
- Secure dialect negotiation (SMB 3.0 and 3.0.2): After authenticating, the client sends a signed FSCTL_VALIDATE_NEGOTIATE_INFO request and the server answers with the dialect and capabilities it actually negotiated. A mismatch means the unauthenticated negotiation was tampered with (for example, downgraded to an older dialect) and the connection is torn down.
Prefer Kerberos over NTLM wherever possible, and deploy SMB 3.1.1 so that the negotiation itself is protected.
SMB relay attack
SMB relay attacks exploit NTLM authentication. An attacker who can make a victim's machine authenticate to a host they control forwards the NTLM challenge-response messages, unchanged, to a target server; the target accepts them and the attacker ends up holding a session as the victim without ever learning the password or its hash. The attack has three prerequisites: SMB signing must not be required on the target (the attacker never obtains the session key, so it cannot sign messages); the attacker needs a position on the local network from which to receive or coerce the victim's connection; and the victim account must have useful rights on the target, typically local administrator, which through the administrative shares and the service control pipe amounts to remote code execution.
The SMB relay attack sequence is as follows:
- Identifying targets on which signing is not required. The SecurityMode field of the server's NEGOTIATE response reveals this, which is what scanners such as nmap's smb2-security-mode script report.
- Starting a relay server that listens for incoming SMB (and often HTTP) authentication attempts and forwards them to the chosen targets.
- Coercing or intercepting a victim's authentication, most commonly by answering LLMNR and NBT-NS lookups for names that do not exist (poisoning) so that the victim's machine connects to the attacker and offers NTLM credentials.
- Using the relayed session on the target, for example to read local credential stores, write to administrative shares or execute commands.
To protect against SMB relay attacks, apply these defensive measures: require SMB signing on all servers and clients (merely enabling it, the long-standing workstation default, does not help, because an unsigned session is still accepted); disable or restrict NTLM through the "Network security: Restrict NTLM" policies and prefer Kerberos; disable LLMNR and NBT-NS so that name-resolution poisoning has nothing to answer; and limit local administrator rights, including unique local administrator passwords per machine so that one relayed session does not open every workstation. Removing SMB1 shrinks the attack surface but does not by itself stop relaying, which works against SMB2 and SMB3 as well.
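As an added example (not code from the original article), the Python block below shows what requiring signing actually does on the wire and why it defeats a relay. It implements the SMB2 signing scheme used by dialects 2.0.2 and 2.1 as specified in MS-SMB2 3.1.4.1: HMAC-SHA256 over the whole message with the Signature field zeroed, first 16 bytes stored in the header (dialects 3.x use AES-128-CMAC, and 3.1.1 may negotiate AES-128-GMAC, with keys from a KDF; that variant is not shown). The scenario is constructed: the victim and the server share a session key that came out of NTLM authentication, the relay attacker forwarded that authentication but never saw the key, and a server-policy function shows the difference between signing enabled and signing required.

```python
"""SMB2 message signing for dialects 2.0.2 / 2.1 (MS-SMB2 3.1.4.1) and a relay scenario."""
import hashlib
import hmac
import os
import struct

SMB2_WRITE = 0x0009
SMB2_FLAGS_SIGNED = 0x00000008
FLAGS_OFF = 16              # Flags field offset within the 64-byte header
SIG_OFF, SIG_LEN = 48, 16   # Signature field: bytes 48..63 of the header


def smb2_message(command, session_id, tree_id, message_id, body):
    """Synchronous SMB2 header (MS-SMB2 2.2.1.2) followed by an opaque stand-in body."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 1, 0, command, 1, 0, 0,
                         message_id, 0, tree_id, session_id, bytes(SIG_LEN))
    return header + body


def sign(signing_key, msg):
    """Set SMB2_FLAGS_SIGNED, zero the Signature field, HMAC-SHA256 the whole message
    and store the first 16 bytes of the MAC as the signature."""
    buf = bytearray(msg)
    (flags,) = struct.unpack_from("<I", buf, FLAGS_OFF)
    struct.pack_into("<I", buf, FLAGS_OFF, flags | SMB2_FLAGS_SIGNED)
    buf[SIG_OFF:SIG_OFF + SIG_LEN] = bytes(SIG_LEN)
    mac = hmac.new(signing_key, bytes(buf), hashlib.sha256).digest()[:SIG_LEN]
    buf[SIG_OFF:SIG_OFF + SIG_LEN] = mac
    return bytes(buf)


def verify(signing_key, msg):
    """Recompute the MAC over the message with its Signature field zeroed and compare in
    constant time. A real server fails a bad or missing signature with STATUS_ACCESS_DENIED."""
    (flags,) = struct.unpack_from("<I", msg, FLAGS_OFF)
    if not flags & SMB2_FLAGS_SIGNED:
        return False
    zeroed = msg[:SIG_OFF] + bytes(SIG_LEN) + msg[SIG_OFF + SIG_LEN:]
    expected = hmac.new(signing_key, zeroed, hashlib.sha256).digest()[:SIG_LEN]
    return hmac.compare_digest(msg[SIG_OFF:SIG_OFF + SIG_LEN], expected)


def server_accepts(require_signing, signing_key, msg):
    """Server policy. With signing merely enabled (require_signing False) an unsigned
    message is processed as-is; that gap is what a relayed session lives in."""
    (flags,) = struct.unpack_from("<I", msg, FLAGS_OFF)
    if not flags & SMB2_FLAGS_SIGNED:
        return not require_signing
    return verify(signing_key, msg)


def relay_scenario():
    """Constructed scenario: the victim and the server derived session_key from NTLM
    authentication; the attacker relayed that authentication but never obtained the key."""
    session_key = os.urandom(16)   # stand-in for the NTLM exported session key
    attacker_key = os.urandom(16)  # the attacker can only guess
    ids = dict(session_id=0x1000, tree_id=1)
    legit = sign(session_key, smb2_message(SMB2_WRITE, message_id=5, body=b"payroll.xlsx", **ids))
    unsigned = smb2_message(SMB2_WRITE, message_id=6, body=b"evil.exe", **ids)
    tampered = legit[:64] + b"evil.exe\x00\x00\x00\x00"   # body swapped, victim's signature kept
    forged = sign(attacker_key, smb2_message(SMB2_WRITE, message_id=7, body=b"evil.exe", **ids))
    return {
        "victim_signed_ok": verify(session_key, legit),
        "attacker_tampered_ok": verify(session_key, tampered),
        "attacker_wrong_key_ok": verify(session_key, forged),
        "unsigned_ok_when_signing_enabled": server_accepts(False, session_key, unsigned),
        "unsigned_ok_when_signing_required": server_accepts(True, session_key, unsigned),
    }


if __name__ == "__main__":
    for check, outcome in relay_scenario().items():
        print(f"{check}: {'accepted' if outcome else 'rejected'}")
```

The only message the server accepts under a "required" policy is the one signed with the real session key; every message the attacker can produce in the relayed session is rejected. Under an "enabled" policy the unsigned message sails through, which is why the defensive setting to audit is RequireSecuritySignature, not EnableSecuritySignature.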
Best practices for safeguarding against SMB attacks
- Use the latest SMB versions – Remove SMB1 entirely and run SMB 3.0 or higher. Windows 10 version 1709 and later no longer install SMB1 by default, but it is often still present on older servers and appliances. SMB 3.0 introduced per-share and server-wide encryption (AES-CCM, with AES-GCM added in 3.1.1) and secure dialect negotiation; SMB 3.1.1 added pre-authentication integrity. Encryption protects data in transit from eavesdropping and man-in-the-middle (MitM) tampering; signing alone authenticates messages but does not hide their contents.
- Apply regular updates - Keep operating systems and SMB implementations (including third-party servers such as Samba and NAS firmware) current with security patches. The worms described above spread through a vulnerability whose patch had been available for weeks; staying up to date closes known holes before they are used against you.
- Segment your network – Divide your network into subnetworks and restrict SMB (TCP 445 and 139) between segments. Workstations rarely need to reach each other's shares, so blocking east-west SMB at host and network firewalls blunts both worm propagation and relay attacks while limiting the impact of a breach.
- Block outbound SMB at the perimeter – Use a firewall to prevent internal hosts from reaching TCP 445 and 139 on the internet. This stops WannaCry-style spread to and from external hosts and prevents NTLM credential leakage when a lure (a UNC path embedded in a document or email) tricks a client into authenticating to an attacker-controlled server.
SMB is fundamental to resource sharing and offers real benefits for collaborative work and data access. Its history of vulnerabilities, from SMB1 remote code execution to NTLM relay, nonetheless makes it a prime target for malicious actors. Organizations can keep the protocol's benefits while defending against these threats by removing SMB1, requiring signing, preferring Kerberos and encrypted SMB 3.x, and containing SMB traffic with segmentation and firewall rules.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.