Server Message Block (SMB) 101

TechKey
6 min read · Jan 23, 2023

Server Message Block (SMB) is a network communication protocol used by Windows-based computers to share files, printers, and other resources on a local area network (LAN) or wide area network (WAN). SMB allows applications on different devices to read and write files and to request services from server programs in a computer network. SMB is a request-response protocol: a client sends a request to a server, and the server responds to that request. For example, a client might request to read a file from a server, and the server would respond by sending the contents of the file to the client. SMB generally uses port numbers 139 and 445.

It is important to know about the Server Message Block (SMB) protocol because it is widely used in many organizations for file sharing and network printing. The SMB protocol has been in use for decades, but it has also been found vulnerable to a number of security threats, such as the WannaCry ransomware attack that exploited SMB v1 vulnerabilities in 2017. So let's talk about Server Message Block (SMB) and understand its basics.

SMB has evolved over time, with different versions (1.0, 2.0, 2.1 and 3.x), each with its own features and capabilities. SMB 3.x, also known as SMB 3.1.1 and SMB 3.1.2, is the most recent version of the protocol and introduced many new features, such as support for transparent failover, support for SMB Direct (SMB over Remote Direct Memory Access), and improved encryption.

There are several types of cyber attacks that can target the Server Message Block (SMB) protocol:

  • SMB Relay Attack: This is a type of man-in-the-middle attack where an attacker intercepts SMB traffic and forwards it to another machine, allowing the attacker to gain unauthorized access to the network.
  • SMB Replay Attack: This is a type of attack where an attacker intercepts and records valid SMB traffic, and then replays the traffic at a later time to gain unauthorized access to the network.
  • SMB Brute-force Attack: This is a type of attack where an attacker repeatedly tries different combinations of username and password in order to gain access to a network.
  • SMB Credential Dumping: This is a type of attack where an attacker is able to extract username and password information from a target system by exploiting vulnerabilities in the SMB protocol.
  • SMB Worm: This is a type of malware that spreads itself through networks by exploiting vulnerabilities in the SMB protocol.
  • EternalBlue: This is an exploit leaked by a hacking group called the Shadow Brokers. It targeted a vulnerability in SMBv1 and was used in the WannaCry ransomware attack in 2017.
  • SMBGhost: This is a vulnerability in the SMBv3 protocol, disclosed in 2020, that allows an attacker to execute arbitrary code on a target system.
  • SMB Signing Bypass Attack: This is a type of attack where an attacker is able to bypass the security measures in place to protect against SMB replay attacks by modifying the SMB signature.
  • SMB Anonymous Login Attack: This is a type of attack where an attacker is able to gain access to a network by logging in as an anonymous user.
  • SMB Null Session Attack: This is a type of attack where an attacker is able to gain access to a network by connecting to an SMB share without providing a username and password.
  • SMB File Share Enumeration Attack: This is a type of reconnaissance attack where an attacker is able to enumerate the files and folders on an SMB share.
  • SMB Share Access Attack: This is a type of attack where an attacker is able to gain access to an SMB share that they should not have access to.
  • SMB DLL Hijacking Attack: This is a type of attack where an attacker is able to execute arbitrary code on a target system by placing a malicious DLL in a directory that is searched by the SMB service.

There are several Windows event IDs that are related to the Server Message Block (SMB) protocol. These event IDs can be used to monitor and troubleshoot SMB-related issues, as well as to detect potential security threats. Some examples of event IDs related to SMB are:

  • Event ID 4656: This event ID is generated when a handle to an object is requested. It can be used to monitor for attempts to access sensitive files or folders on a network share.
  • Event ID 4663: This event ID is generated when an attempt is made to access a file or folder on a network share. It can be used to monitor for attempts to access sensitive files or folders on a network share.
  • Event ID 4624: This event ID is generated when a user logs on to a system. It can be used to monitor for unauthorized logon attempts.
  • Event ID 4625: This event ID is generated when a logon attempt fails. It can be used to monitor for failed logon attempts and to detect potential brute-force attacks.
  • Event ID 5142: This event ID is generated when a network share is accessed. It can be used to monitor for attempts to access sensitive files or folders on a network share.
  • Event ID 5145: This event ID is generated when a file is read from or written to a network share. It can be used to monitor for attempts to access sensitive files or folders on a network share.
  • Event ID 55: This event ID is generated when a user attempts to access a network share that they do not have permission to access. It can be used to detect attempts to access unauthorized files or folders on a network share.
  • Event ID 5038: This event ID is generated when a service is stopped or started. It can be used to monitor for changes to SMB-related services on a system.
  • Event ID 5140: This event ID is generated when a network share is accessed and it contains information about the access and the user who accessed it.
  • Event ID 4688: This event ID is generated when a new process is created on a system. It can be used to detect the creation of new processes that may be associated with SMB-based attacks.
  • Event ID 4689: This event ID is generated when a process exits. It can be used to detect the termination of processes that may be associated with SMB-based attacks.
  • Event ID 7045: This event ID is generated when a service is installed on a system. It can be used to detect the installation of new services that may be associated with SMB-based attacks.
  • Event ID 7040: This event ID is generated when a service is started. It can be used to detect the start of new services that may be associated with SMB-based attacks.
  • Event ID 7036: This event ID is generated when a service changes state. It can be used to detect changes to the status of SMB-related services on a system.
  • Event ID 642: This event ID is generated when a new user is added to a system. It can be used to detect the creation of new user accounts that may be associated with SMB-based attacks.
  • Event ID 4738: This event ID is generated when a user’s account information is changed. It can be used to detect changes to user accounts that may be associated with SMB-based attacks.
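The brute-force use of Event ID 4625 described above, turned into detection logic as an added example (not code from the original post): it counts failed network logons (4625, LogonType 3, which is what SMB authentication produces) per source inside a sliding window and notes whether a 4624 success from the same source followed. The event records are constructed samples with hypothetical field names, not raw Security-log XML.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, event_id, user, src, logon_type=3):
    return {"ts": ts, "id": event_id, "user": user, "src": src, "logon_type": logon_type}

# Constructed sample events, not a real capture: a burst of failed network logons
# (4625, LogonType 3) from 10.0.0.5, then one success (4624) from the same source;
# a second source stays below the threshold and a console logon is ignored.
SAMPLE_EVENTS = [
    _ev("2023-01-23T10:00:01", 4625, "alice", "10.0.0.5"),
    _ev("2023-01-23T10:00:03", 4625, "alice", "10.0.0.5"),
    _ev("2023-01-23T10:00:05", 4625, "bob", "10.0.0.5"),
    _ev("2023-01-23T10:00:08", 4625, "alice", "10.0.0.5"),
    _ev("2023-01-23T10:00:12", 4625, "admin", "10.0.0.5"),
    _ev("2023-01-23T10:00:15", 4625, "alice", "10.0.0.5"),
    _ev("2023-01-23T10:00:20", 4624, "alice", "10.0.0.5"),
    _ev("2023-01-23T10:00:30", 4625, "carol", "10.0.0.9"),
    _ev("2023-01-23T10:00:40", 4625, "carol", "10.0.0.9"),
    _ev("2023-01-23T10:05:00", 4625, "dave", "10.0.0.5", logon_type=2),  # console, ignored
]

def detect_smb_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Alert on any source with >= threshold failed network logons inside one sliding
    window; flag whether a 4624 from that source came after its last failure."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 3:          # only network logons (SMB), not console/RDP
            continue
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4625:
            fails[e["src"]].append(t)
        elif e["id"] == 4624:
            successes[e["src"]].append(t)
    alerts = []
    for src, times in fails.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):    # densest window of failures for this source
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            success_after = any(s >= times[-1] for s in successes[src])
            alerts.append({"src": src, "failures": best, "success_after": success_after})
    return alerts

def run_sample():
    return detect_smb_bruteforce(SAMPLE_EVENTS)
```

A source that trips the threshold and then produces a 4624 is the case to triage first, since one of the guessed passwords may have worked.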

There are several direct mitigations for securing SMB, many of which are low or no cost to an organization:

  • Disable the SMB v1 protocol, and update and patch against SMB vulnerabilities
  • Keep systems and software updated with the latest patches and security updates to protect against SMB vulnerabilities
  • Block SMB at the network level, or implement network-level security measures such as firewalls to block unauthorized access to the SMB protocol
  • Apply host-level restrictions and protections to limit the impact of any potential SMB-based attack
  • Use strong authentication methods such as multifactor authentication to protect SMB connections
  • Protect data and use encryption for SMB
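To tie the version history above to the first mitigation (retiring SMB v1) and to the relay and signing-bypass attacks listed earlier, here is an added example, not code from the original post: a small Python parser for a client's SMB2 NEGOTIATE request as carried on TCP/445, reporting whether the client is still speaking SMB1, which dialects it offers, and whether it requires message signing (the SecurityMode flag a defender checks when hardening against relay). The sample request is constructed, not captured.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}

def parse_negotiate(frame: bytes) -> dict:
    """Parse one length-framed SMB message (4-byte header used on TCP/445) and report
    protocol generation, offered dialects and the client's signing mode."""
    if len(frame) < 4 or frame[0] != 0:
        raise ValueError("not a direct-TCP SMB frame")
    length = int.from_bytes(frame[1:4], "big")
    msg = frame[4:4 + length]
    if len(msg) != length:
        raise ValueError("truncated frame")
    if msg[:4] == SMB1_MAGIC:           # \xffSMB: legacy SMB1, the generation to retire
        return {"generation": "SMB1", "legacy": True}
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB message")
    # 64-byte SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command, ...
    structure_size, _credit, _status, command = struct.unpack_from("<HHIH", msg, 4)
    if structure_size != 64:
        raise ValueError("bad SMB2 header")
    if command != SMB2_NEGOTIATE:
        return {"generation": "SMB2+", "command": command}
    body = msg[64:]
    # NEGOTIATE request: StructureSize(36), DialectCount, SecurityMode, Reserved,
    # Capabilities, ClientGuid(16), 8 bytes context offset/start time, then Dialects[]
    body_size, count, security_mode = struct.unpack_from("<HHH", body, 0)
    if body_size != 36 or len(body) < 36 + 2 * count:
        raise ValueError("bad NEGOTIATE body")
    dialects = struct.unpack_from("<%dH" % count, body, 36)
    return {"generation": "SMB2+", "command": command,
            "dialects": [DIALECTS.get(d, hex(d)) for d in dialects],
            "signing_required": bool(security_mode & SIGNING_REQUIRED),
            "offers_smb3": any(d >= 0x0300 for d in dialects)}

def build_negotiate(dialects, security_mode) -> bytes:
    """Constructed sample client NEGOTIATE request (not a capture) for exercising the parser."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE,
                                      1, 0, 0, 0, 0xFEFF, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHHI", 36, len(dialects), security_mode, 0, 0)
    body += b"\x11" * 16 + b"\x00" * 8 + struct.pack("<%dH" % len(dialects), *dialects)
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg
```

A client that only offers 2.x dialects or does not set SIGNING_REQUIRED is the one to chase down when enforcing the "disable SMB v1" and encryption items above.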

Mitre Mapping:


Thank you for reading! Now that you have a bit more information about SMB, I wish you good luck in your future endeavors. :)
