“Going full ninja” is becoming a major nuisance for SMBs. Companies on the rise tend to put cybersecurity on hold – huge mistake! From ransomware to your run-of-the-mill phishing email, everything’s set out to get you. It’s not paranoia – just stating the obvious. So, what’s this about going, full ninja?
Well, it has something to do with today’s topic – the SMB relay attack. Sounds fancy, but truth be told, anyone with access to Kali and some basic Metasploit skills can orchestrate this type of cyberattack.
Is it an article-worthy subject do? I believe it is. You see, SMB relay attacks do work and they can be devastating. MITMs (Man-in-the-Middle attacks) are never good news. But that’s a story for another time. Let’s talk about SMB Relay attacks.
What is an SMB?
No, it’s not the acronym for Small to Medium-Sized Business or Super Mario Brothers. It stands for Server Message Block, a network file-sharing protocol that operates on the Application and Presentation Layers, but heavily reliant on lower-level protocols (i.e. TCP/IP and NetBIOS).
The SMB protocol allows a client (i.e. your machine) to communicate with a server and, by extension, with the other network-based resources. It’s also called a serverclient protocol. SMB governs everything from internetwork file-sharing to doc-editing on a remote machine.
Even the “out of paper” alert you receive on your computer when trying to print a document is the work of the SMB protocol.
The Server Message Block uses TCP port 445 for connection and, of course, data transmission. If the resource requested is located on the web, the address resolution is handled through the DNS.
For smaller networks, the address resolution mantled is passed to the LLMNR (Local Multicast Name Resolution). Now, how this works is that the client can only ‘talk’ with the server after completing a three-way ‘broshake’.
I won’t bother going into the technical details of this process, but I’ll give you a quick run-down of the process:
- NetBIOS session established between the client and the server,
- Server and client negotiation the SMB protocol dialect,
- Client logs on to the server with the proper credentials,
- Client will connect to a shared resource hosted on the server (i.e. wireless printer),
- Client opens a file on the share, and,
- Client reads or edits the requested resource. That would be a top-level overview of what happens during a regular SMB exchange.
How does an SMB Relay Attack Happen?
The SMB Relay attack abuses the NTLM challenge-response protocol. Commonly, all SMB sessions used the NTML protocol for encryption and authentication purposes (i.e. NTLM over SMB). However, most sysadmins switched to KILE over SMB after research proved that the first version of NTLM is susceptible to Man-in-the-Middle attacks, the SMB Relay attack counting among them.
Now, in normal client-server communication, there are a series of requests followed by responses. The idea behind an SMB Relay attack is to position yourself between the client and the server in order to capture the data packets transmitted between the two entities.
As to the purpose of this action, it’s easy to guess – capture password hashes, bit of conv from IMs, and other types of info that can be used to dupe the server – one goal to rule them all. Now, to understand what happens during an SMB relay, I’ve decided to take the highwayman’s high way and include a step-by-step example.
Obviously, I’ll leave out some of the details. After all, we’re not hackers, and we don’t intend on taking on the hacker’s hat (i.e. the black one, of course) anytime soon. Enjoy!
Step 1. Scanning the network. A tool like NMAP is used to scan out the network for shares and IP addresses. Alternatively, you can use Metasploit to quickly map out network shares.
Kind of useless if you don’t know the target’s credentials, but still a great go-to solution. Now, if you feel lucky, you can also use Windows’ Explorer to discover network shares. This only works only if the hosts have enabled the access-based enumeration features.
Step 2. Using Metasploit or a similar tool, to conduct the attack. Remember that the purpose of this endeavor is to capture and ‘listen’ to enough auth packets in order to trick the server into believing that the attacker is actually the user.
Step 3. If the server’s running NTLM version 2.0, you would need to approach this differently, and that way would be the Impacket (i.e. collection of network protocols).
Step 4. The payload’s created with msfvenom. After that, we can use Metasploit to commence the Meterpreter session. Be warned – your payload is doomed to fail if the target machine doesn’t have administrator rights to the duped server.
Step 5. Once the payload’s delivered, you would have gained access to the shell. That’s it! You’re in and can do whatever you want (or not).
Protecting your assets against SMB relay attacks
So, what can one do to protect your corporate assets from this type of MITM attack? Believe it or not, SMB relay attacks are a corporate nightmare since most servers run on legacy. Not to worry; everything can be fixed. On that note, here’s a couple of advice on how to keep your network and endpoints safe.
1. Remove the first version of SMB
Besides the fact that this protocol belongs in a museum, not a modern corporate network architecture, it’s very unreliable security-wise. The best way to go about this would be to ditch SMB1 and replace it with SMB 3.0 or higher.
Microsoft’s SMB 3.1.1 released a while back has tons of new security-centric features including integrity check and AES-128 encryption. Microsoft’s TechCommunity forum has a great and detailed tutorial on how to remove SMB1.
2. Regulate outbound SMB destinations
A firewall with advanced control is the best way to restrict the outbound SMB destination (i.e. ensuring that it doesn’t point to a hacker-controlled server).
Heimdal™ Security’s Thor Vigilance Enterprise (also part of Thor Premium Enterprise) packs advanced firewall features, that will not only give you granular control over what happens inside and outside your network but will also prevent MITM attacks, including SMB relays.
Simple Antivirus protection is no longer enough.
Thor Premium Enterprise
is the multi-layered Endpoint Detection and Response (EDR) approach
to organizational defense.
- Next-gen Antivirus which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Protection against data leakage, APTs, ransomware and exploits;
3. Implement UNC Hardening
Back in 2015, Microsoft introduced UNC Hardening in SMB comms to bolster security. What UMC does is to ‘force’ SMB to use client-defined security rather than relying on the server’s requirement.
To enforce UNC Hardening, please consult Microsoft’s MS15-011 article, under the “Configuring UNC Hardened Access through Group Policy.”
SMB relay attacks don’t have the same potency as ransomware such as Ryuk or RobbinHood, but they can provide the necessary ‘backdoor’ to those two and others. As always, play it safe, keep your apps and software up-to-date, and employ great cybersecurity.