SMB Relay Attacks Explained: Why You MUST Enable SMB Signing Immediately

Captions
In today's video I'm going to show you a cyber attack that can happen in your network even if you've applied every patch to your operating system from Windows. Then I'm going to show you a way that you can stop that attack from happening in your own network. Hi, I'm William, and welcome to the SMB Secure YouTube channel, where we're focused on practical information security tips and strategies for small and mid-sized companies to help you improve your security defenses and reduce the risk of breaches.

The attack we're going to talk about today is SMB relay attacks. Then we're going to look at why you need SMB signing turned on to prevent this kind of attack. We use this attack constantly in penetration tests when we're hired to break into a company's computer system. When we are doing what's called an internal assessment, where we are on their network, we constantly find organizations vulnerable to SMB relay attacks. We also commonly find this vulnerability when we're doing a vulnerability assessment: that SMB signing is not enabled.

The SMB protocol was invented way back in the 1980s, and as you know, everything in cyber security has progressed at a very rapid pace. So if you're using technology developed back in the 80s, there's very likely some vulnerability that you need to be aware of. And yes, SMB has been revised and modified over the years, but overall it's riddled with weaknesses that you really have to be aware of if you're going to use it in your organization. You want to harden against those attacks. So let's look at how SMB relay attacks work.

So I have two computers here. I have a Windows computer which, as you can see if I do whoami, I am the local administrator. I also have a Kali computer, and what I'm going to do is, on the Kali computer, I'm going to start a tool called Responder. What Responder is going to do is, as users in this network... in this lab we're only targeting one computer, but if I was on a penetration test I would be targeting maybe a whole subnet of computers. I would run this attack in the morning as users are booting up and logging in. But the basics of what's going to happen here is Responder is going to look out for certain types of requests. This can be DNS requests, it could be HTTP requests, it could be SMB requests, and in this case I've turned off all of the other types of attacks, the intercept and relay attacks, and I'm only running the SMB attack. So we're gonna run Responder with sudo privileges on my Ethernet interface, and now Responder is listening for events, and when it sees an SMB request or a broadcast looking for an address on the network, it's going to reply back and say, hey, I'm that device. So we can see poison answers being sent for various locations to various machines.

Now I'm going to come over to my other device in this network. We're going to go to File Explorer, and I want to make sure I'm going to get a password hash, because that's what the intercept attack is doing: when a host goes to a system, they put in the address, and the attacker will say, I'm that address, give me your password. So I'm gonna go to a file share that I know doesn't exist so that I know Responder has a chance to reply. I'm going to go to "file server" and I'm going to try to go there. Go back to Kali and look what happened: Kali sent a poison answer to my computer saying, hey, I'm file server, give me your password. And look what it did: it gave us the password. See, we have the hash now. We have the NTLMv2 hash of that, and at this point I have a local administrator hash of a user that I can now use and begin relaying. Now in this example this hash wasn't a domain hash, it's just a local user hash, but the concept is still the same. I can take the hash and, using something like Metasploit, I can begin passing that around the network and using that local user to gain access to other systems. So as you saw, it is very easy for an attacker to go from no access in your network to an administrator with that simple SMB relay attack.

But you can prevent this type of attack by simply implementing SMB signing. What is SMB signing? SMB signing places a digital signature into every block or packet of SMB traffic. It does that to authenticate or verify that the sender is who they say they are, and it sends that to the servers to prevent what's called a man-in-the-middle attack, and it guarantees that SMB communications are not altered in transit. You remember the difference in TCP and UDP, right? TCP protocol streams: every packet that is sent, it gets a verification back. UDP doesn't do that. Well, with SMB on TCP we can do that signing that we just talked about, so that every packet is signed, so the receiver, the server, and the client can verify that the sender is who they say they are.

So in that SMB relay attack we just talked about, when the attacker sends that fake broadcast out and says I am whatever file share or SMB share you're looking for, they might get a hash. But when they take that hash to use it at the file server, the server is going to verify that the client wanting to connect is who they say they are, and that is done with that digital signature that we talked about with SMB signing. The server is going to look at the signature and say, hey, you are not that user, you don't get access to the files in the share.

As you go about implementing SMB signing or enabling it in your network, there's something to keep in mind. SMB signing can be set to enabled or enforced. Okay, when SMB signing is enabled, it's possible for clients that support SMB signing to connect, and it's also possible for clients that do not support SMB signing to connect. This also means a host could choose or request not to use SMB signing. However, when SMB signing is required, both computers in that SMB connection must support SMB signing. The SMB connection is not successful if one computer does not support SMB signing.

What happens when SMB relay is attempted when SMB signing is implemented? Like we mentioned a few minutes ago, when that server hosting that file share or that SMB share gets that fake connection request trying to act like another user, it looks at that digital signature and it knows you are not who you say you are, you don't have access. And you can tie this into other security components of your network: you could recognize this as an SMB relay attack, you could isolate that host until it can be investigated. There's lots of ways you can respond to that kind of an incident.

SMB signing can be deployed via GPO if you are in an Active Directory environment, or you can manually change the registry keys that enforce SMB signing. This can be done with registry keys or in the Local Security Policy.

So SMB signing, or the lack thereof, is a common vulnerability that we find in networks. We regularly use it to gain access to systems in Active Directory environments. In Windows environments it is a common way for an attacker to escalate privileges, to move laterally through a network, because a lot of times devices have the same local administrator account. That sets it up for ease of access, and we regularly find this as a simple way to get into systems. So if you want to harden your organization, go and implement SMB signing in your organization, and you can prevent SMB relay attacks and attackers from using those SMB hashes they are able to collect.
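The "enabled versus required" distinction and the registry/GPO deployment described in the captions, as an added PowerShell example that is not part of the video: it audits the server-side and client-side signing settings on a Windows host and, if either side only has signing enabled rather than required, enforces it. It assumes an elevated session on a Windows version that ships the SmbShare cmdlets (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the video): audit and enforce SMB signing.
# Run from an elevated PowerShell session.

function Get-SmbSigningState {
    # Collect both sides of the setting as one object.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerEnabled  = $srv.EnableSecuritySignature   # signing offered (negotiable)
        ServerRequired = $srv.RequireSecuritySignature  # signing enforced
        ClientEnabled  = $cli.EnableSecuritySignature
        ClientRequired = $cli.RequireSecuritySignature
    }
}

function Test-SmbSigningEnforced {
    # "Enabled" alone still lets an unsigned (relayable) session through;
    # only "required" on both sides closes the gap the video describes.
    $s = Get-SmbSigningState
    return ([bool]$s.ServerRequired -and [bool]$s.ClientRequired)
}

function Set-SmbSigningRequired {
    # Same effect as the GPO / Local Security Policy settings
    # "Microsoft network server/client: Digitally sign communications (always)",
    # which write RequireSecuritySignature = 1 under
    #   HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
    #   HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
}

Write-Output "Before:"
Get-SmbSigningState | Format-List

if (-not (Test-SmbSigningEnforced)) {
    Write-Warning "SMB signing is not required on both sides; enforcing now."
    Set-SmbSigningRequired
    Write-Output "After:"
    Get-SmbSigningState | Format-List
} else {
    Write-Output "SMB signing is already required for server and client."
}
```

Run the same audit across a fleet (for example through `Invoke-Command`) before turning enforcement on, since any host that cannot sign will fail to connect once the other side requires it.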
Info
Channel: The Infosec Academy
Views: 11,972
Keywords: information security, Windows Security, SMB Signing, SMB Relay Attacks, Network Security
Id: XtyDwOs2tKA
Length: 8min 32sec (512 seconds)
Published: Tue Feb 02 2021