
Server Message Block underpins Windows file sharing and Active Directory communication. Understanding SMB security—both the protocol's vulnerabilities and common misconfigurations—enables attacks against enterprise networks where Windows dominates.
SMB enables file sharing, printer access, and inter-process communication across networks. Windows systems use SMB extensively for legitimate purposes: accessing network drives, applying group policy, authenticating to domain resources.
Multiple SMB versions exist with different security properties. SMBv1 suffered from vulnerabilities exploited by EternalBlue and related attacks. SMBv2 and SMBv3 improve security but retain compatibility with older authentication mechanisms that create opportunities for attackers.
SMB authentication commonly uses NTLM or Kerberos. NTLM's challenge-response mechanism has known weaknesses that enable relay attacks. Understanding these authentication flows reveals exploitation techniques.
Discovering accessible shares is fundamental to SMB assessment. Null sessions—connections without credentials—can sometimes enumerate shares and users. Authenticated enumeration reveals more but requires captured credentials.
Tools like smbclient, smbmap, and CrackMapExec streamline share enumeration. Beyond just finding shares, assess what permissions your access provides. Read access enables data exfiltration. Write access enables payload delivery.
Hidden shares ending in $ don't appear in normal browsing but are still accessible. Administrative shares like C$ and ADMIN$ provide powerful access when credentials permit.
NTLM relay captures authentication and forwards it to other systems. If a user authenticates to your attacker-controlled resource, you can relay that authentication to a different target. Successful relay grants the victim's privileges on the target system.
SMB signing prevents relay attacks by cryptographically binding authentication to specific sessions. When signing isn't required—still common—relay attacks succeed. Assessment includes verifying signing requirements across target networks.
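The signing check described above, as an added example that is not part of the course material: a parser for the SecurityMode field of an SMB2 NEGOTIATE response, which distinguishes a server that requires signing (relay to it fails) from one that merely enables it. The field layout follows MS-SMB2; the packets are constructed inline for offline use, not real captures, and the dialect and flag constants are the standard ones.

```python
import struct

# SMB2 NEGOTIATE SecurityMode flags (MS-SMB2 section 2.2.4)
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002
NEGOTIATE_CMD = 0x0000
SMB2_HEADER_LEN = 64
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def parse_negotiate_response(pkt: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response (header + fixed body) and extract the signing policy."""
    if len(pkt) < SMB2_HEADER_LEN + 64:
        raise ValueError("packet too short for an SMB2 NEGOTIATE response")
    if pkt[:4] != b"\xfeSMB":  # SMBv1 uses \xffSMB; anything else is not SMB2
        raise ValueError("not an SMB2 message")
    # Header: ProtocolId(4) StructureSize(2) CreditCharge(2) Status(4) Command(2) ...
    struct_size, _credit_charge, status, command = struct.unpack_from("<HHIH", pkt, 4)
    if struct_size != 64 or command != NEGOTIATE_CMD:
        raise ValueError("not a NEGOTIATE response")
    # Body: StructureSize(2) SecurityMode(2) DialectRevision(2) ...
    body_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, SMB2_HEADER_LEN)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {"status": status,
            "dialect": DIALECTS.get(dialect, f"unknown (0x{dialect:04x})"),
            "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}


def signing_verdict(info: dict) -> str:
    """Only SIGNING_REQUIRED defeats NTLM relay; 'enabled' alone is the common weak setting."""
    if info["signing_required"]:
        return "signing required: relay to this host fails"
    if info["signing_enabled"]:
        return "signing enabled but not required: relay possible, set RequireSecuritySignature"
    return "signing disabled: relay possible, enable and require SMB signing"


def build_sample_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample NEGOTIATE response for offline testing (not a real capture)."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, NEGOTIATE_CMD,
                                        1, 0x1, 0, 0, 0, 0, 0) + b"\x00" * 16  # Signature
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 16  # ServerGuid
    body += struct.pack("<IIIIQQHHI", 0, 8388608, 8388608, 8388608, 0, 0, 128, 0, 0)
    return header + body


if __name__ == "__main__":
    for mode in (0x0000, SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        print(signing_verdict(parse_negotiate_response(build_sample_response(mode))))
```

Pointed at a live host, the same parser would be fed the bytes that follow the 4-byte NetBIOS session header of the server's reply to an SMB2 NEGOTIATE request.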
Credential capture through tools like Responder poisons name resolution to redirect authentication attempts. Users seeking network resources connect to attacker systems, disclosing credential hashes for cracking or relay.
Legacy vulnerabilities like EternalBlue (MS17-010) provide unauthenticated remote code execution against vulnerable systems. While patching has reduced prevalence, unpatched systems still exist in isolated networks and legacy environments.
New SMB vulnerabilities continue to emerge periodically. SMBGhost (CVE-2020-0796) affected SMBv3 compression. Understanding the vulnerability space helps target assessment efforts effectively.
What protocol runs on port 139?
What port runs direct SMB?
What protocol shares files?
What flag lists shares anonymously?