
SMB Signing Disabled

Server Message Block (SMB) signing is a method to digitally sign SMB packets, allowing the recipient of the SMB packets to confirm their authenticity. Microsoft have a great write up here.

The Problem

SMB signing is either not enabled or not required by default. This default configuration is a security risk because an adversary can conduct a man-in-the-middle attack, intercepting the unsigned SMB packets and relaying them to the intended recipient, AKA an ‘SMB Relay Attack’, as shown below.

SMB relay attack

Leveraging the previously blogged vulnerability, ‘Disabling NetBIOS over TCP/IP and LLMNR’, Responder intercepts the Net-NTLM hashes and passes them to which performs the MiTM SMB relay attack.

If you’d like to read more on performing this attack @byt3bl33d3r has produced a nice write up here.

Are You Vulnerable?

If you’re reading this, it’s likely that the issue has been identified during a penetration test or a vulnerability scan. You can confirm the finding yourself using nmap with the following syntax:

nmap -sSVC -p 445 <IP ADDRESS HERE>

This should produce results similar to the screenshot below (the smb2-security-mode script output reports whether message signing is enabled and whether it is required).

Nmap results

The Solution

Enabling SMB Signing

Edit the domain Group Policy to enforce SMB signing by enabling the following settings:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
  • Microsoft network server: Digitally sign communications (always)
  • Microsoft network server: Digitally sign communications (if client agrees)
  • Microsoft network client: Digitally sign communications (always)
  • Microsoft network client: Digitally sign communications (if server agrees)

Changes to make to GP

Whilst you’re at it

  • Microsoft network client: Send unencrypted password to third-party SMB servers (disabled)
  • Microsoft network server: Server SPN target name validation level (Accept if provided by client)
  • Network security: LAN Manager authentication level (Send NTLMv2 response only. Refuse LM & NTLM)
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers (Audit all)

Finally, to apply the Group Policy changes, open cmd or PowerShell and run:

gpupdate /force
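The nmap check above only tells you whether the server side of a host will accept unsigned sessions; the client-side settings matter just as much, because a relay needs a victim client that is willing to talk without signing. As an added example (not code from the original post or from any of the tools it links), the following PowerShell audits the registry values behind each Group Policy setting listed above and can apply the local equivalents. The function names are my own; the cmdlets, registry paths and value names are the standard Windows ones. On a domain-joined host the GPO is authoritative and will overwrite local values at the next refresh, so use this to verify before and after the GPO change, or on standalone hosts; the GPO route in the post is still the real fix. Run it from an elevated prompt.

```powershell
# Added example: audit (and optionally apply) the local registry settings behind
# the Group Policy items recommended above. Function names are hypothetical;
# paths, value names and cmdlets are the standard Windows ones.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# One entry per Group Policy setting: the DWORD it writes and the value that
# corresponds to the recommendation in the post.
$Checks = @(
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Path = $Srv; Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Path = $Srv; Name = 'EnableSecuritySignature'; Expected = 1 }
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Path = $Wks; Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Path = $Wks; Name = 'EnableSecuritySignature'; Expected = 1 }
    @{ Policy = 'Microsoft network client: Send unencrypted password to third-party SMB servers'
       Path = $Wks; Name = 'EnablePlainTextPassword'; Expected = 0 }   # 0 = disabled
    @{ Policy = 'Microsoft network server: Server SPN target name validation level'
       Path = $Srv; Name = 'SmbServerNameHardeningLevel'; Expected = 1 } # 1 = accept if provided by client
    @{ Policy = 'Network security: LAN Manager authentication level'
       Path = $Lsa; Name = 'LmCompatibilityLevel'; Expected = 5 }        # 5 = NTLMv2 only, refuse LM & NTLM
    @{ Policy = 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Path = $Msv; Name = 'RestrictSendingNTLMTraffic'; Expected = 1 }  # 1 = audit all
)

function Get-SmbSigningSummary {
    # Effective state of the SMB stack: the server half is what a scanner sees
    # on 445, the client half is what decides whether this host can be relayed.
    $s = Get-SmbServerConfiguration
    $c = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerSigningEnabled  = $s.EnableSecuritySignature
        ServerSigningRequired = $s.RequireSecuritySignature
        ClientSigningEnabled  = $c.EnableSecuritySignature
        ClientSigningRequired = $c.RequireSecuritySignature
    }
}

function Get-SmbHardeningState {
    # Compare every registry value in $Checks against its expected setting.
    foreach ($chk in $Checks) {
        $actual = (Get-ItemProperty -Path $chk.Path -Name $chk.Name -ErrorAction SilentlyContinue).($chk.Name)
        [pscustomobject]@{
            Policy    = $chk.Policy
            Value     = "$($chk.Path)\$($chk.Name)"
            Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected  = $chk.Expected
            Compliant = ($actual -eq $chk.Expected)
        }
    }
}

function Set-SmbHardeningState {
    # Apply the local equivalents. Supports -WhatIf so you can preview first.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Signing goes through the SMB cmdlets, which write the LanmanServer /
    # LanmanWorkstation values above and take effect without a reboot.
    if ($PSCmdlet.ShouldProcess('SMB server and client', 'Enable and require signing')) {
        Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    }

    # The remaining "whilst you're at it" settings are plain DWORDs.
    $signing = 'RequireSecuritySignature', 'EnableSecuritySignature'
    foreach ($chk in ($Checks | Where-Object { $_.Name -notin $signing })) {
        if ($PSCmdlet.ShouldProcess("$($chk.Path)\$($chk.Name)", "Set to $($chk.Expected)")) {
            New-ItemProperty -Path $chk.Path -Name $chk.Name -PropertyType DWord `
                -Value $chk.Expected -Force | Out-Null
        }
    }
}

# Usage:
Get-SmbSigningSummary
Get-SmbHardeningState | Format-Table Policy, Actual, Expected, Compliant -AutoSize
# Set-SmbHardeningState -WhatIf   # preview the changes
# Set-SmbHardeningState           # apply, then re-run Get-SmbHardeningState
```

Run the two Get- functions first to capture the baseline, apply the GPO (or Set-SmbHardeningState on a standalone host), run gpupdate /force, and run them again; every row should now read Compliant = True and both RequireSecuritySignature columns should be True. If a row stays non-compliant on a domain member, a GPO with higher precedence is setting it, which gpresult /h will show.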

Auto Pwnage

True to his style, @rd_pentest has created an ntlmrelay wrapper. If you haven’t seen Rich’s work, his GitHub profile is really worth visiting here. Rich’s tools basically make life so much easier!

**Please remember to test these changes in a dev environment before pushing live**