Contents:
An SMB Relay attack or abuses the NTLM challenge-response protocol. All SMB sessions use the NTML protocol for encryption and authentication purposes (i.e. NTLM over SMB).
In this article, we’re going to talk about how SMB relay attacks work and how they can impact your business.
What you’ll find in this article.
- What is an SMB?
- SMB protocol.
- How does an SMB Relay Attack Happen?
- Protecting your assets against SMB relay attacks.
What is an SMB?
SMB stands for Server Message Block, a network file-sharing protocol that operates on the Application and Presentation Layers, but is heavily reliant on lower-level protocols (i.e., TCP/IP and NetBIOS).
The SMB protocol allows a client (i.e., your machine) to communicate with a server and, by extension, with the other network-based resources.
It belongs to the server-client family of network protocols. SMB governs everything from internetwork file-sharing to doc-editing on a remote machine.
Even the “out of paper” alert you receive on your computer when trying to print a document is the work of the SMB protocol.
The Server Message Block uses TCP port 445 for connection and, of course, data transmission.
The address resolution is handled through the DNS if the requested resource is located on the web.
For smaller networks, the address resolution mantled is passed to the LLMNR (Local Multicast Name Resolution).
SMB protocol
Now, how this works is that the client can only ‘talk’ with the server after completing a three-way handshake.
I won’t bother going into the technical details of this process, but I’ll give you a quick run-down of the process.
- NetBIOS session established between the client and the server,
- Server and client negotiation the SMB protocol dialect,
- Client logs on to the server with the proper credentials,
- Client will connect to a shared resource hosted on the server (i.e. wireless printer),
- Client opens a file on the share, and,
- Client reads or edits the requested resource. That would be a top-level overview of what happens during a regular SMB exchange.
How does an SMB Relay Attack Happen?
MITM SMB relay attacks abuse the NTLM challenge-response network protocol.
Commonly, all SMB sessions used the NTML protocol for encryption and authentication purposes (i.e. NTLM over SMB).
However, most sysadmins switched to KILE over SMB after research proved that the first version of NTLM is susceptible to Man-in-the-Middle attacks, the SMB Relay attack counting among them.
Now, in normal client-server communication, there are a series of requests followed by responses.
The idea behind an SMB Relay attack is to position yourself between the client and the server in order to capture the data packets transmitted between the two entities.
As to the purpose of this action, it’s easy to guess.
It’s used to capture password hashes, bit of conv from IMs, and other types of info that can be used to dupe the server – one goal to rule them all.
Now, to understand what happens during an SMB relay, I’ve decided to take the highwayman’s highway and include a step-by-step example.
Obviously, I’ll leave out some of the details. After all, we’re not hackers, and we don’t intend on taking on the hacker’s hat (i.e., the black one, of course) anytime soon. Here’s how the attacker relays info via SMB.
Successful SMB Relay Attack steps
Step 1. Scanning the network.
A tool like Nmap is used to scan out the network for shares and IP addresses. Read more about how to use Nmap to enhance network security.
Alternatively, you can use Metasploit to quickly map out network shares.
Kind of useless if you don’t know the target’s credentials, but still a great go-to solution.
Now, if you feel lucky, you can also use Windows’ Explorer to discover network shares.
This only works only if the hosts have enabled the access-based enumeration features.
Step 2. Using Metasploit or similar to conduct the relay attack.
Remember that the purpose of this endeavor is to capture and ‘listen’ to enough auth packets in order to trick the server into believing that the attacker is actually the user and finally to gain access into the target network.
Step 3. Using Impacket.
If the server’s running NTLM authentication version 2.0, you would need to approach this differently, and that way would be the Impacket (network communication protocol).
Step 4. Create payload with msfvenom.
After that, we can use Metasploit to commence the Meterpreter session. Be warned – your payload is doomed to fail if the target machine doesn’t have local administrator restrictions to the duped server.
Step 5. Deliver payload.
Once the payload’s delivered, you would have gained access to the interactive shell. That’s it! You’re in and can do whatever you want (relay credentials).
Protecting your assets against SMB relay attacks
So, what can one do to protect your corporate assets from this type of MITM attack?
Believe it or not, SMB relay attacks are a corporate nightmare since most servers run on legacy.
Here’s how you can safeguard your corporate assets and network traffic.
1. Remove the first version of SMB
Besides the fact that this protocol belongs in a museum, not a modern corporate network architecture, it’s very unreliable security-wise.
The best way to go about this would be to ditch SMB1 and replace it with SMB 3.0 or higher.
Microsoft’s SMB 3.1.1 released a while back has tons of new security-centric features including integrity check and AES-128 encryption.
Microsoft’s TechCommunity forum has a great and detailed tutorial on how to remove SMB1 and secure SMB traffic. Some other stuff you might learn from TechCommunity’s tutorial:
- Enable SMB signing.
- Manage SMB packets.
- Figure out – SMB signing disabled vs. SMB signing enabled.
2. Regulate outbound SMB destinations
A firewall with advanced control is the best way to restrict the outbound SMB destination (i.e., ensuring that it doesn’t point to a hacker-controlled server).
Heimdal® Next-Gen Antivirus, Firewall & MDM (also part of Endpoint Security Software) packs advanced firewall features, that will not only give you granular control over what happens inside and outside your network but will also bolster your network security.
3. Implement UNC Hardening
Back in 2015, Microsoft introduced UNC Hardening in SMB comms to bolster security.
What UMC does is to ‘force’ SMB to use client-defined security rather than relying on the server’s requirement.
To enforce UNC Hardening, please consult Microsoft’s MS15-011 article, under the “Configuring UNC Hardened Access through Group Policy.”
Conclusion
SMB relay attacks don’t have the same potency as ransomware such as Ryuk or RobbinHood, but they can provide the necessary ‘backdoor’ to those two and others. As always, play it safe, keep your apps and software up-to-date, and employ great cybersecurity.
