SMB Protocol and Features
The Server Message Block (SMB) protocol is a network file-sharing protocol that enables applications and users to read, write, and request services from server programs on a network. Originally developed by IBM and later extended by Microsoft, SMB operates primarily over TCP port 445 (or via NetBIOS over TCP/IP on ports 137-139).

**Key Features:**

1. **File and Printer Sharing:** SMB allows clients to access shared files, directories, and printers on remote servers, making it fundamental to Windows networking environments.
2. **Authentication:** SMB supports multiple authentication mechanisms, including NTLM and Kerberos. Older versions used LM/NTLM hashes, which are vulnerable to pass-the-hash attacks and credential interception.
3. **Versions:** SMB has evolved through several versions: SMBv1 (legacy, highly vulnerable), SMBv2 (improved performance and security), and SMBv3 (encryption, improved integrity checks). SMBv1 is associated with major exploits like EternalBlue (MS17-010).
4. **Named Pipes and IPC$:** SMB uses named pipes for inter-process communication. The IPC$ share allows null sessions and can be exploited for enumeration of users, groups, shares, and policies.

**Reconnaissance & Enumeration Significance:** From a GCIH perspective, SMB is a critical target during the reconnaissance and enumeration phases.
Attackers use tools like **Nmap**, **enum4linux**, **smbclient**, **CrackMapExec**, and **rpcclient** to:
- Enumerate shared resources and permissions
- Discover usernames, groups, and SIDs
- Identify OS versions and domain information
- Attempt null session authentication
- Brute-force credentials

**Security Concerns:** SMB vulnerabilities have led to devastating attacks, including the WannaCry and NotPetya ransomware campaigns, both of which spread using EternalBlue. Common risks include null session enumeration, NTLM relay attacks, man-in-the-middle attacks, and unauthorized share access.

**Mitigations** include disabling SMBv1, enforcing SMB signing, requiring encryption with SMBv3, restricting anonymous access, implementing proper firewall rules, and applying patches regularly. Incident handlers must understand SMB thoroughly to detect and respond to network-based threats effectively.
SMB Protocol and Features: A Comprehensive Guide for GIAC GCIH
Introduction to SMB Protocol
The Server Message Block (SMB) protocol is one of the most critical protocols in network environments, particularly in Windows-based networks. Understanding SMB is essential for the GIAC GCIH (GIAC Certified Incident Handler) certification, as it plays a central role in reconnaissance, scanning, enumeration, and exploitation activities that incident handlers must detect and respond to.
Why is SMB Important?
SMB is important for several key reasons:
1. Ubiquity in Enterprise Networks: SMB is the backbone of file sharing, printer sharing, and inter-process communication in virtually every Windows environment. Its widespread use makes it a prime target for attackers.
2. Attack Surface: SMB has historically been associated with some of the most devastating attacks in cybersecurity history, including the WannaCry and NotPetya campaigns, both of which spread using the EternalBlue exploit for MS17-010. Understanding SMB is critical for incident handlers who must detect and respond to such threats.
3. Enumeration Goldmine: SMB exposes a wealth of information during the enumeration phase, including user accounts, shares, group memberships, password policies, and more. Attackers routinely leverage SMB for reconnaissance.
4. Lateral Movement: Once inside a network, attackers frequently use SMB for lateral movement, executing commands remotely, and exfiltrating data.
What is SMB?
SMB (Server Message Block) is a network file sharing protocol that allows applications and users on a network to read and write to files, request services from server programs, and communicate with other devices. It operates as an application-layer protocol, primarily over TCP port 445 (direct SMB over TCP) or historically over NetBIOS over TCP/IP (NBT), which uses UDP 137 for the name service, UDP 138 for the datagram service, and TCP 139 for the session service that actually carries SMB.
Key SMB Versions:
- SMB 1.0 (SMBv1/CIFS): The original dialect family. It predates Windows NT (it originated with IBM and LAN Manager) and remained the default through Windows XP and Server 2003. It is now deprecated and has not been installed by default since Windows 10 version 1709 and Windows Server 2019. SMBv1 is the version exploited by EternalBlue (MS17-010). It lacks encryption and has numerous security vulnerabilities.
- SMB 2.0: Introduced with Windows Vista and Server 2008. It reduced the chattiness of the protocol by combining multiple commands into a single request, improved performance, and added support for symbolic links.
- SMB 2.1: Introduced with Windows 7 and Server 2008 R2. Added oplock leasing mechanisms and large MTU support.
- SMB 3.0 (formerly SMB 2.2): Introduced with Windows 8 and Server 2012. Added SMB encryption (AES-CCM), SMB Direct (RDMA support), SMB Multichannel, and transparent failover for high availability.
- SMB 3.0.2: Introduced with Windows 8.1 and Server 2012 R2. Added the ability to disable SMBv1 completely.
- SMB 3.1.1: Introduced with Windows 10 and Server 2016. Added pre-authentication integrity (a SHA-512 hash chain over the negotiate and session-setup messages that lets both sides detect tampering with, or downgrade of, the negotiated dialect and capabilities), AES-128-GCM encryption as an alternative to AES-CCM, and negotiate contexts for cipher selection. This is the most secure version of SMB.
How SMB Works
Connection Establishment:
1. TCP Connection: The client establishes a TCP connection to the server on port 445 (or port 139 for legacy NetBIOS-based connections).
2. Protocol Negotiation: The client sends an SMB Negotiate Protocol Request, listing the SMB dialects it supports. The server responds with the highest mutually supported dialect. This is a critical step because attackers can force protocol downgrade attacks if SMBv1 is still enabled.
3. Authentication (Session Setup): The client authenticates in one or more Session Setup exchanges. In SMB2 and later the mechanism is negotiated with SPNEGO: Kerberos when the client is domain-joined and can obtain a ticket for the server's SPN, otherwise NTLM (ideally NTLMv2). LM and NTLMv1 responses, common in SMBv1-era deployments, are cryptographically weak and should be disabled by policy.
4. Tree Connect: The client connects to a specific share on the server (e.g., \\server\share).
5. File Operations: The client can now perform file operations such as open, read, write, close, and delete.
Key SMB Features Relevant to Security:
- Named Pipes: SMB supports inter-process communication (IPC) through named pipes over the IPC$ share. Named pipes are extensively used for remote administration, RPC calls, and are a common attack vector. Tools like PsExec use named pipes for remote command execution.
- IPC$ Share (Null Sessions): The IPC$ share is a special administrative share used for inter-process communication. Historically, null sessions (anonymous connections to IPC$) allowed attackers to enumerate extensive information including usernames, shares, groups, and password policies without any credentials. This was particularly problematic in SMBv1 and older Windows versions.
- Administrative Shares: Windows creates hidden administrative shares by default: C$, D$, ADMIN$, IPC$. These are accessible to administrators and are commonly used by attackers for lateral movement (e.g., copying malware to C$ and executing it via a service).
- SMB Signing: SMB signing provides integrity protection by cryptographically signing SMB messages, preventing man-in-the-middle tampering and SMB relay attacks. When SMB signing is not required (only enabled but not mandatory), an attacker can relay captured NTLM authentication to the server. Through Windows 11 23H2 and Windows Server 2022, signing is enabled but not required by default on workstations and member servers, and required by default on domain controllers. Beginning with Windows 11 24H2 and Windows Server 2025, Microsoft changed the default so that signing is required for all SMB connections; on older releases it must be enforced through Group Policy.
- SMB Encryption: Available in SMB 3.0 and later, SMB encryption uses AES to encrypt data in transit, protecting against eavesdropping. SMB 3.1.1 uses AES-128-GCM for improved performance and security.
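The negotiation step of the connection sequence above, together with the SMB signing flags, can be seen concretely by building an SMB2 NEGOTIATE request and parsing the reply. The following is an added example, not code from the page or from any SMB implementation it names; the layouts follow MS-SMB2 sections 2.2.1, 2.2.3 and 2.2.4, and the "server" reply is constructed locally so the script runs offline (the parser works just as well on a real reply read from TCP 445). The SPNEGO placeholder in the constructed reply and the 8 MiB size limits are assumptions.

```python
import struct
import uuid

# Added example (not the page's code): hand-built SMB2 NEGOTIATE exchange.
# The request offers dialects up to 3.0.2; offering 3.1.1 obliges the client to
# send negotiate contexts (pre-authentication integrity), which is deliberately
# left out here so the builder stays honest about what it implements.

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
HEADER_FMT = "<4sHHIHHIIQIIQ16s"   # the fixed 64-byte SMB2 header
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"  # fixed part of the NEGOTIATE response (64 bytes)


def smb2_header(command, flags=0, message_id=0):
    return struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, command, 0, flags,
                       0, message_id, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request(dialects, signing_required=False, client_guid=None):
    """Client -> server: offered dialects plus the client's own signing policy."""
    if 0x0311 in dialects:
        raise ValueError("SMB 3.1.1 requires negotiate contexts; not implemented here")
    sec_mode = SIGNING_ENABLED | (SIGNING_REQUIRED if signing_required else 0)
    guid = (client_guid or uuid.uuid4()).bytes_le
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), sec_mode, 0, 0, guid, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = smb2_header(SMB2_NEGOTIATE) + body
    # Direct-TCP transport header: one zero byte plus a 24-bit big-endian length.
    return struct.pack(">I", len(msg)) + msg


def build_negotiate_response(dialect, signing_required=False):
    """Constructed server reply (stand-in for a real host) so the parser can run offline."""
    sec_mode = SIGNING_ENABLED | (SIGNING_REQUIRED if signing_required else 0)
    blob = b"\x60\x00"  # placeholder where a real server puts its SPNEGO negTokenInit
    body = struct.pack(NEG_RESP_FMT, 65, sec_mode, dialect, 0, uuid.uuid4().bytes_le,
                       0, 8 << 20, 8 << 20, 8 << 20, 0, 0, 64 + 64, len(blob), 0) + blob
    msg = smb2_header(SMB2_NEGOTIATE, flags=SMB2_FLAGS_SERVER_TO_REDIR) + body
    return struct.pack(">I", len(msg)) + msg


def parse_negotiate_response(packet):
    """Extract the negotiated dialect and signing policy. relay_exposed is True
    whenever the server does not *require* signing, the precondition for NTLM relay."""
    (length,) = struct.unpack(">I", packet[:4])
    msg = packet[4:4 + length]
    hdr = struct.unpack(HEADER_FMT, msg[:64])
    if hdr[0] != SMB2_MAGIC or hdr[4] != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE message")
    if not hdr[6] & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("message is a request, not a response")
    if hdr[3] != 0:
        raise ValueError(f"server returned NTSTATUS 0x{hdr[3]:08x}")
    fields = struct.unpack_from(NEG_RESP_FMT, msg, 64)
    if fields[0] != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    sec_mode, dialect = fields[1], fields[2]
    sec_off, sec_len = fields[11], fields[12]
    return {
        "dialect": DIALECTS.get(dialect, f"unknown 0x{dialect:04x}"),
        "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
        "signing_required": bool(sec_mode & SIGNING_REQUIRED),
        "relay_exposed": not sec_mode & SIGNING_REQUIRED,
        "server_guid": str(uuid.UUID(bytes_le=fields[4])),
        "security_blob": msg[sec_off:sec_off + sec_len],
    }


if __name__ == "__main__":
    req = build_negotiate_request([0x0202, 0x0210, 0x0300, 0x0302])
    print(f"request: {len(req)} bytes on the wire")
    for required in (False, True):
        info = parse_negotiate_response(build_negotiate_response(0x0302, required))
        print(info["dialect"], "| signing required:", info["signing_required"],
              "| relay exposed:", info["relay_exposed"])
```

The same parser doubles as a hardening check: point it at a real reply from each server after enforcing signing and confirm `relay_exposed` is False everywhere, not just on the domain controllers.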
SMB in Reconnaissance and Enumeration
Attackers and penetration testers leverage SMB extensively during the enumeration phase:
- Share Enumeration: Tools like smbclient, CrackMapExec, and smbmap can list available shares, including hidden shares, and check for read/write access.
- User Enumeration: Using null sessions or authenticated sessions, tools like enum4linux, rpcclient, and Nmap's smb-enum-users script can enumerate domain users, groups, and SIDs.
- Password Policy Enumeration: Attackers can query the password policy (lockout threshold, minimum length, complexity) to plan password spraying attacks.
- OS and Version Detection: SMB negotiation reveals operating system version, SMB dialect, and other fingerprinting information.
- Vulnerability Scanning: Nmap scripts like smb-vuln-ms17-010 can detect if a system is vulnerable to EternalBlue and similar exploits.
Common SMB Attacks:
- EternalBlue (MS17-010): A critical remote code execution vulnerability in SMBv1 that was used by WannaCry and NotPetya. It exploits a kernel pool buffer overflow in srv.sys, in the code that converts OS/2-style extended attribute (FEA) lists while handling SMBv1 Transaction requests.
- SMB Relay Attacks: When SMB signing is not required, an attacker can intercept NTLM authentication and relay it to another server to gain unauthorized access. Tools like Responder and ntlmrelayx (from Impacket) are commonly used.
- Pass-the-Hash: The NTLM response is computed from the NT hash alone, so a stolen hash can be used to authenticate without cracking it. Impacket's psexec.py, smbexec.py and wmiexec.py accept a hash in place of a password (the -hashes option), as do CrackMapExec/NetExec and Mimikatz's sekurlsa::pth. Note that Sysinternals PsExec itself has no hash option; it is the Impacket reimplementation that does.
- Brute Force/Password Spraying: SMB authentication can be targeted for brute force or password spraying attacks, especially when account lockout policies are lenient.
- SMBGhost (CVE-2020-0796): An integer overflow in the SMB 3.1.1 compression feature (srv2.sys) that allows unauthenticated remote code execution. It affected Windows 10 versions 1903 and 1909 and the matching Windows Server semi-annual releases; Windows Server 2019 and earlier builds did not include SMB compression and were not affected.
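The relay, capture and pass-the-hash entries above all come down to one property of NTLMv2: the response is keyed by the NT hash, never by the password. The following is an added example, not code from the page or from any tool it names, that computes an NTLMv2 response the way MS-NLMP section 3.3.2 describes, first from a typed password and then from a stolen NT hash only, and then formats the same exchange the way Responder records it so that a captured response has to be cracked offline. MD4 is implemented inline because OpenSSL 3 builds of Python frequently omit it; every challenge, timestamp and name below is constructed.

```python
import hashlib
import hmac
import struct

# Added example (not the page's code): NTLMv2 keyed by the NT hash, which is why
# pass-the-hash works and why a Responder capture still needs cracking.
# All challenge values, names and the timestamp are constructed.


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. The NT hash is MD4 over the UTF-16LE password, with no salt."""
    def rotl(v, n):
        return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + f(b, c, d) + w[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(nthash: bytes, user: str, domain: str,
                 server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr. Note the inputs: the 16-byte NT hash, never the password."""
    ntlmv2_key = hmac.new(nthash, (user.upper() + domain).encode("utf-16le"),
                          hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()


def av_pair(av_id: int, value: str) -> bytes:
    v = value.encode("utf-16le")
    return struct.pack("<HH", av_id, len(v)) + v


def ntlmv2_blob(filetime: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure: RespType, HiRespType, reserved, timestamp,
    client nonce, reserved, AV pairs copied from the CHALLENGE message, reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def hashcat_5600(user, domain, server_challenge, proof, blob) -> str:
    """The line Responder logs for a capture; hashcat mode 5600 consumes it."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def check_candidate(capture_line: str, candidate: str) -> bool:
    """The offline cracking step: does a guessed password reproduce NTProofStr?"""
    user, _, domain, chal, proof, blob = capture_line.split(":")
    got = ntlmv2_proof(nt_hash(candidate), user, domain,
                       bytes.fromhex(chal), bytes.fromhex(blob))
    return hmac.compare_digest(got.hex(), proof)


def demo():
    """Legitimate client vs. attacker holding only the NT hash (constructed values)."""
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("ffeeddccbbaa9988")
    # MsvAvNbDomainName (2), MsvAvNbComputerName (1), MsvAvEOL (0)
    target_info = av_pair(2, "CORP") + av_pair(1, "FS1") + struct.pack("<HH", 0, 0)
    blob = ntlmv2_blob(0x01DA9F0000000000, client_challenge, target_info)
    legit = ntlmv2_proof(nt_hash("password"), "alice", "CORP", server_challenge, blob)
    stolen = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"
    pth = ntlmv2_proof(stolen, "alice", "CORP", server_challenge, blob)
    return legit, pth, hashcat_5600("alice", "CORP", server_challenge, legit, blob)


if __name__ == "__main__":
    legit, pth, capture = demo()
    print("same response from hash alone:", legit == pth)
    print("capture line:", capture)
    print("cracks with 'password':", check_candidate(capture, "password"))
```

The two halves of the example mark the difference between capture and relay: `check_candidate` is the work a Responder capture forces on the attacker, whereas a relay forwards `legit` to another server in real time and never touches the hash, which is why requiring signing (not just enabling it) is the mitigation for relay and a strong password policy is the mitigation for capture.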
Key SMB Ports to Remember:
- TCP 445: Direct SMB over TCP (modern, most common)
- TCP 139: SMB over NetBIOS Session Service
- UDP 137: NetBIOS Name Service
- UDP 138: NetBIOS Datagram Service
Important Tools for SMB Enumeration and Exploitation:
- enum4linux / enum4linux-ng: Comprehensive SMB enumeration tool
- smbclient: Linux SMB client for connecting to shares
- smbmap: SMB share enumeration and access checking
- CrackMapExec (CME) / NetExec (nxc): Swiss army knife for SMB/AD pentesting; NetExec is the actively maintained successor to CrackMapExec
- rpcclient: RPC client for querying SMB/RPC services
- Nmap NSE scripts: smb-enum-shares, smb-enum-users, smb-vuln-*, smb-os-discovery
- Impacket: Python library with tools like smbexec, psexec, ntlmrelayx
- Responder: LLMNR/NBT-NS/mDNS poisoner that answers name lookups with the attacker's address to capture NTLMv1/v2 challenge-responses, which must then be cracked or relayed
- Metasploit: Various SMB auxiliary and exploit modules
Defensive Measures:
- Disable SMBv1 on all systems
- Enforce SMB signing on all devices (not just domain controllers)
- Enable SMB encryption where possible (SMB 3.0+)
- Restrict access to administrative shares
- Block SMB ports (445, 139) at the network perimeter
- Implement network segmentation to limit lateral movement via SMB
- Monitor for anomalous SMB traffic patterns
- Apply patches promptly for SMB vulnerabilities
- Disable null sessions and restrict anonymous access
Exam Tips: Answering Questions on SMB Protocol and Features
1. Know Your Port Numbers: Be absolutely certain of SMB port numbers. TCP 445 is direct SMB, TCP 139 is SMB over NetBIOS, UDP 137 is NetBIOS Name Service, UDP 138 is NetBIOS Datagram Service. Exam questions frequently test port knowledge.
2. Understand SMB Versions and Their Security Implications: Know which version introduced which feature. SMBv1 = insecure, no encryption, EternalBlue target. SMB 3.0 = introduced encryption. SMB 3.1.1 = pre-authentication integrity, AES-GCM. Questions may ask which version should be disabled (SMBv1) or which supports encryption.
3. SMB Signing is a Favorite Exam Topic: Remember that SMB signing prevents relay attacks. Historically it is required by default on domain controllers but only enabled (not required) on workstations and member servers; Windows 11 24H2 and Windows Server 2025 made it required by default everywhere, but exam scenarios usually assume the older defaults. If a question mentions SMB relay attacks, the mitigation is enforcing SMB signing.
4. Null Sessions: Understand that null sessions connect to IPC$ anonymously and can enumerate users, shares, groups, and policies. Know that modern Windows versions restrict null session access significantly, but legacy systems may still be vulnerable.
5. EternalBlue (MS17-010): This is a high-priority exam topic. Know that it targets SMBv1, it was used by WannaCry and NotPetya, the mitigation is patching and disabling SMBv1, and the Nmap script to detect it is smb-vuln-ms17-010.
6. Tool Recognition: Be able to identify the purpose of tools from their command output. Recognize enum4linux output (user enumeration, share listing), smbclient syntax, Nmap SMB script output, and Responder's role in capturing hashes.
7. Administrative Shares: Know the default administrative shares (C$, ADMIN$, IPC$) and their purposes. ADMIN$ maps to the Windows directory and is used by PsExec-style tools.
8. Read Questions Carefully for Version Clues: If a question mentions a specific Windows version, map it to the highest SMB version it supports. Windows XP/2003 = SMBv1 only. Windows Vista/2008 = SMB 2.0. Windows 7/2008 R2 = SMB 2.1. Windows 8/2012 = SMB 3.0. Windows 8.1/2012 R2 = SMB 3.0.2. Windows 10/2016 and later = SMB 3.1.1.
9. SMB Relay vs. SMB Capture: Understand the difference. SMB capture (using Responder) captures NTLM hashes that need to be cracked. SMB relay (using ntlmrelayx) forwards authentication in real-time without cracking. Relay requires SMB signing to NOT be enforced on the target.
10. Elimination Strategy: When unsure, eliminate obviously wrong answers first. If an answer mentions SMB running on UDP 445 or SMBv3 being vulnerable to EternalBlue, eliminate it immediately. Use your knowledge of protocol fundamentals to narrow down choices.
11. Think Like an Incident Handler: The GCIH exam focuses on detection and response. When you see SMB-related scenarios, think about what artifacts would be left behind, what logs to check (Windows Security Event Log, IDS alerts), and what the appropriate response would be.
12. Practice with Scenarios: Many GCIH questions are scenario-based. Practice identifying attack types from network captures or tool output. If you see traffic on port 445 with multiple failed authentication attempts from one source to many destinations, think password spraying. If you see NTLM authentication being forwarded, think SMB relay.
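The spraying scenario in the last tip can be turned into a check an incident handler would actually run over the Windows Security log. The following is an added example, not code from the page: it takes constructed event 4625 (failed logon) records flattened the way an EVTX-to-JSON export looks, keeps only network logons (type 3, which is what SMB authentication produces), and for each source address finds the busiest window and labels it as spraying (many accounts, each tried fewer times than a typical lockout threshold) or brute force (one account hammered). The field names, the 30-minute window and both thresholds are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added example (not the page's code): separate password spraying from brute
# force in Windows Security 4625 records. Records, field names and thresholds
# are constructed/assumed for this illustration.


def _event(ts, src_ip, target_user, host):
    return {"EventID": 4625, "TimeCreated": ts, "IpAddress": src_ip,
            "TargetUserName": target_user, "Computer": host, "LogonType": 3}


def build_sample_events():
    """Constructed log: one spraying source, one brute-force source, one benign user."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    events = []
    # 10.0.0.50: one guess against each of 40 accounts, spread over three file servers
    for i in range(40):
        events.append(_event(base + timedelta(seconds=10 * i), "10.0.0.50",
                             f"user{i:02d}", f"FS{i % 3 + 1}"))
    # 10.0.0.77: thirty guesses against a single service account on the DC
    for i in range(30):
        events.append(_event(base + timedelta(seconds=5 * i), "10.0.0.77",
                             "svc_backup", "DC1"))
    # 10.0.0.12: a user mistyping a password twice
    for i in range(2):
        events.append(_event(base + timedelta(minutes=i), "10.0.0.12", "alice", "FS1"))
    # A console (type 2) failure is not SMB traffic and must be ignored by the filter
    events.append(dict(_event(base, "10.0.0.12", "alice", "FS1"), LogonType=2))
    return events


def classify_failed_logons(events, window=timedelta(minutes=30),
                           spray_min_accounts=10, brute_min_attempts=10):
    """Per source IP: busiest sliding window of type-3 failures, then a verdict.
    Brute force is tested first so a source doing both is not under-labelled."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] == 3:
            by_src[e["IpAddress"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        best = {"attempts": 0, "accounts": 0, "hosts": 0, "max_per_account": 0}
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["TimeCreated"] - evs[lo]["TimeCreated"] > window:
                lo += 1
            win = evs[lo:hi + 1]
            per_account = Counter(e["TargetUserName"] for e in win)
            if len(win) > best["attempts"]:
                best = {"attempts": len(win), "accounts": len(per_account),
                        "hosts": len({e["Computer"] for e in win}),
                        "max_per_account": max(per_account.values())}
        if best["max_per_account"] >= brute_min_attempts:
            verdict = "brute_force"
        elif best["accounts"] >= spray_min_accounts:
            verdict = "password_spray"
        else:
            verdict = "benign"
        verdicts[src] = dict(best, verdict=verdict)
    return verdicts


if __name__ == "__main__":
    for src, v in classify_failed_logons(build_sample_events()).items():
        print(f"{src}: {v['verdict']} ({v['accounts']} accounts, "
              f"{v['attempts']} attempts, {v['hosts']} hosts)")
```

Sprayers deliberately stay under the lockout threshold per account, so a detection keyed on failures per account misses them; counting distinct accounts per source inside a window is what surfaces the pattern, and the host count shows whether the source is also walking the network.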