Category: Cyber Security

Home / Cyber Security
Jun172024

SMB Signing: Prevent network takeover attacks

SMB Signing: Prevent Network Takeover Attacks

The importance of SMB signing

When testing Windows environments, we regularly see the encrypted password of a user with high privileges being sent across the network. In combination with systems where SMB signing is disabled, an attacker or malicious person can, by performing an NTLM relay attack, increase the privileges within the network. Depending on the network environment an attacker may be able to increase privileges to the highest level. 

Understanding Net-NTLM

Windows uses many different protocols for authentication. One of those protocols is Net-NTLM. This protocol is used to authenticate users over the network. There are two versions: Net-NTLMv1 and Net-NTLMv2. Both versions compute a so-called Net-NTLM hash by processing a user’s encrypted password into a random string consisting of eight bytes. Net-NTLMv1 is obviously less secure than version 2 and has been disabled by default since Windows Vista and Windows Server 2008.

Intercepting Authentication Requests

Using the tool Responder, we can intercept authentication requests sent across the network. An example is shown below:

 

An attacker can try to do two things with this hash:

  1. Attempt to crack the password offline using tools like John the Ripper or Hashcat. However, the success rate depends on the strength of the password. A strong password will not be cracked easily.
  2. Perform an NTLM relay attack against all internal systems that do not enforce SMB signing.

NTLM Relay Attack

The NTLM relay attack exploits the Net-NTLM protocol. An attacker intercepts a legitimate authentication request, alters the contents, and forwards the request to a computer that does not enforce SMB signing. This authenticates the attacker on the target system using the context of the user that sent the original authentication request. In the worst case, the attacker can use this to perform remote code execution on the system. An attacker could also use this attack to access network shares that the attacker would not normally have access to.

Performing an NTLM Relay Attack

To perform the NTLM relay attack, three tools are used: NetExec, Responder, and ntlmrelayx. Since an NTLM relay attack only works on systems which have SMB signing disabled, a list of systems on which SMB signing is disabled is required. This list can be generated using NetExec with the following command:

netexec smb 192.168.126.0/24 --gen-relay-list targets.txt
 

This checks the address range for machines that have SMB enabled and SMB signing disabled. The IP addresses that match are written to the file.

Next, we use the tools Responder and ntlmrelayx utilities. Responder is responsible for capturing the Net-NTLM hash and forwarding it to ntlmrelayx, which then authenticates itself on the specified host(s) via SMB with the hash it has received. To accomplish this, the SMB and HTTP server must be disabled in Responder’s configuration. This can be done by opening the configuration file and changing the values behind SMB and HTTP to ‘Off’. The configuration file should look like this:

Next, Responder must be started on the active network interface, in this case eth0. This can be done by running the following command:

responder -I eth0 -d -w

 

Finally, we use the ntlmrelayx utility to extract the contents of the SAM database from the target systems. To do this, we start ntlmrelayx with the following command:

python3 ntlmrelayx.py -tf targets.txt
 

Once ntlmrelayx receives a Net-NTLM hash from Responder, it tries to authenticate to the systems in the file. If authentication is successful, ntlmrelayx then attempts to extract the contents of the SAM database. To do this, the user whose hash has been captured must have local administration rights on the target system. In addition to extracting the SAM database, it is also possible to execute other system commands.

Implications of an NTLM Relay Attack

The image below shows a successful NTLM relay, where the user had local administrator rights on the target system and thus the contents of the SAM database could be extracted.

An attacker would now be in possession of the encrypted password of the local administrator. This gives the attacker local administrator rights on this system. This allows the attacker to extract the encrypted passwords of users who have or recently had a session, from memory. In the event that this includes a domain administrator, an attacker can increase privileges to Domain Admin and thus take over the entire domain.

We regularly observe that the password for the local Administrator user is reused on multiple computers. This means that an attacker can use the same password to log on to multiple computers as a local administrator. This broadens the attack vector and increases the likelihood that the attacker can increase their privileges.

Recommendation: Enable SMB signing

Systems are susceptible to an NTLM relay attack because the recipient does not verify the content and origin of the message. The most effective way to remedy this vulnerability is to enable enterprise-wide SMB signing.

SMB signing is a security mechanism in the SMB protocol. When enabled, each SMB message is sent with a signature in the SMB header field. The signature consists of the contents of the SMB message, encrypted with the AES algorithm. This allows the recipient of the SMB message to verify that the content of the message has not been changed. It also verifies the identity of the sender. If the content of the message does not match the SMB header, the recipient knows that the message has been tampered with. The recipient then drops the message. This makes it impossible to successfully perform the NTLM relay attack.

How to enable SMB signing?

SMB signing can be enabled by setting the contents of the EnableSecuritySignature and RequireSecuritySignature registry values to 1. This must be applied to both the LanManServer and the LanManWorkstation. This can be done in two ways: via a system command or via the graphical application ‘Local Group Policy Editor’ (gpedit.msc).

  1. Command line: 

Run these commands to update registry values: 

  • reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v EnableSecuritySignature /t REG_DWORD /d 1
  • reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v RequireSecuritySignature /t REG_DWORD /d 1
  • reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v EnableSecuritySignature /t REG_DWORD /d 1
  • reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v RequireSecuritySignature /t REG_DWORD /d 1

Restart the system to apply changes. 

2. Group policy editor

Navigate to Computer Configuration > Windows Settings > Local Policies > Security Options.

Enable the following policies:

  • Microsoft network client: Digitally sign communication (always)
  • Microsoft network client: Digitally sign communication (if server agrees)
  • Microsoft network server: Digitally sign communication (always)
  • Microsoft network server: Digitally sign communication (if client agrees)

Restart the system to apply changes.

3. Linux Systems: 

Edit Samba configuration file to include: 

client signing = mandatory
server signing = mandatory

Restart the system to apply changes.

Conclusion

To protect your network from NTLM relay attacks, enabling SMB signing is crucial. It ensures the integrity and authenticity of SMB messages, thereby mitigating a significant security vulnerability. Implementing SMB signing across your network can safeguard against potential attackers escalating their privileges and taking over your network.

Relevant resources

Get started with Securance's Cybersecurity Services

Are you prepared to defend your organisation against cyber threats? Securance offers robust cybersecurity services to safeguard your digital assets. Our experts can perform comprehensive security assessments, implement cutting-edge security measures, and provide continuous monitoring to protect your network from potential attacks. Contact us today to enhance your cybersecurity posture and secure your organisation’s future.

Get Started
SMB Signing FAQ

Frequently Asked Questions about SMB Signing

What is SMB signing?

SMB signing is a security mechanism in the Server Message Block (SMB) protocol that helps ensure the authenticity and integrity of SMB communications. It adds a digital signature to each SMB message, allowing the recipient to verify that the message has not been tampered with and confirming the identity of the sender.

Why is SMB signing important?

SMB signing is important because it protects against NTLM relay attacks, which can allow attackers to intercept and alter SMB messages. By enabling SMB signing, organizations can prevent unauthorized access, data tampering, and privilege escalation within their network.

How can attackers exploit disabled SMB signing?

When SMB signing is disabled, attackers can perform NTLM relay attacks. They intercept legitimate authentication requests, modify them, and forward them to a target system. This can grant the attacker unauthorized access and allow them to execute commands or access restricted data.

How do I enable SMB signing on Windows?

SMB signing can be enabled on Windows by setting specific registry values or using the Local Group Policy Editor. The required registry keys include EnableSecuritySignature and RequireSecuritySignature for both LanManServer and LanManWorkstation. Alternatively, you can navigate to Computer Configuration > Windows Settings > Local Policies > Security Options in the Local Group Policy Editor and enable the relevant policies.

How do I enable SMB signing on Linux?

On Linux systems, SMB signing can be enabled by editing the Samba configuration file. Under the global settings, add the lines 'client signing = mandatory' and 'server signing = mandatory', then restart the SMB service to apply the changes.

What tools are used to perform an NTLM relay attack?

Common tools used to perform an NTLM relay attack include NetExec, Responder, and ntlmrelayx. These tools help attackers generate a list of targets, intercept authentication requests, and relay those requests to systems without SMB signing enabled.

What are the consequences of a successful NTLM relay attack?

A successful NTLM relay attack can grant an attacker local administrator rights on a target system. This allows the attacker to extract encrypted passwords, access network shares, and potentially escalate privileges to Domain Admin, thereby compromising the entire network.

Can enabling SMB signing protect against all attacks?

While enabling SMB signing is a crucial step in protecting against NTLM relay attacks, it is not a silver bullet. Organizations should implement a comprehensive security strategy that includes regular updates, strong password policies, and network monitoring to protect against a wide range of threats.

May282024

Securance & Kiwa: Cybersecurity Solutions

Securance and Kiwa join forces on Cybersecurity and Risk Management solutions

Securance, a leader in integrated risk management and cybersecurity solutions in Europe, is excited to announce a new partnership with Kiwa, an esteemed provider of certification and compliance services. This collaboration will focus on ISO certifications and Assurance services, enhancing our offerings while maintaining our distinct expertise in our respective fields.

At Securance, our approach combines comprehensive assurance and advisory services with advanced cybersecurity measures to protect and empower businesses. By aligning with Kiwa, we aim to leverage our joint capabilities to provide more robust, industry-leading solutions tailored to the specific needs of our clients. This partnership will enable us to enhance our service delivery, particularly in areas demanding rigorous standards compliance and operational excellence.

Together, Securance and Kiwa are committed to setting new benchmarks in security, compliance, and risk management. Our collaboration will deliver scalable solutions that ensure business continuity and resilience, fostering growth and innovation in an ever-evolving digital world.

Koen van der Aa, COO of Securance, said, “We are very pleased to announce our partnership with Kiwa. This collaboration marks an important step forward for both companies as we join forces to enhance our services in risk management and cybersecurity. Together, we are committed to delivering substantial value to our clients, leveraging our combined expertise to meet the evolving needs of the market. I look forward to the opportunities and successes that lie ahead for both Kiwa and Securance.”

Marjolein Veenstra, team leader cybersecurity at Kiwa, expressed her enthusiasm for the strategic partnership, saying, “With this step, we can better serve our clients with complex certification and assurance issues. We relieve our clients in the process, allowing for a greater focus on substantive assessment. We are keen to explore opportunities to strengthen both our market position and that of our clients.”

May282024

DORA: Making the Financial Sector Stronger

DORA: Making the Financial Sector Stronger

As financial institutions increasingly rely on digital systems, the need for robust operational resilience has never been more critical. The Digital Operational Resilience Act (DORA) is a pioneering regulation aimed at fortifying the financial sector against digital disruptions. This blog explores how DORA enhances the sector’s resilience.

Understanding DORA's role

DORA is a regulatory framework introduced by the European Union to ensure the financial sector can withstand, respond to, and recover from IT-related disruptions and threats. Recognising the interconnectivity and interdependencies within the financial system, DORA aims to standardise and strengthen the sector’s digital resilience across the EU.

DORA’s importance lies in its comprehensive approach. It mandates financial entities to implement robust IT risk management processes, conduct regular threat-led penetration testing, and ensure continuous monitoring and reporting of their IT systems. By establishing a unified regulatory environment, DORA helps mitigate the fragmented approach to cybersecurity previously seen across different EU member states.

Boosting Operational Strength with DORA

Operational resilience is the ability of an organisation to deliver critical operations through disruption. DORA significantly enhances operational resilience by enforcing comprehensive IT risk management frameworks. Financial institutions must identify, assess, and mitigate IT risks, ensuring they can continue operations even under adverse conditions. Additionally, DORA mandates timely incident reporting, facilitating rapid response and coordination at both national and EU levels.

Business continuity and disaster recovery plans are central to DORA’s requirements. These plans must be regularly tested to ensure their effectiveness in real-world scenarios. Moreover, DORA sets stringent requirements for managing third-party risks, ensuring that dependencies on external service providers do not compromise operational resilience. By enforcing these practices, DORA ensures financial institutions are prepared to handle IT-related disruptions while maintaining essential services.

Better Data Handling under DORA

Data governance is a critical aspect of DORA’s framework, emphasising the need for effective strategies to manage data securely and efficiently. DORA aligns with existing data protection regulations like GDPR, ensuring that financial institutions handle customer data with utmost care and confidentiality. This involves implementing strong encryption and data masking techniques to protect sensitive information.

Ensuring data integrity and availability is paramount under DORA. Financial institutions are required to adopt robust data backup and recovery solutions, with regular testing to guarantee quick and accurate data restoration in case of disruptions. Additionally, DORA advocates for comprehensive data governance frameworks, outlining policies, procedures, and responsibilities for data management. These frameworks help maintain data quality, ensure compliance, and support informed decision-making.

Effective data handling under DORA also involves a clear incident response and reporting mechanism. Financial institutions must have protocols in place to quickly identify, contain, and report data breaches, minimising potential damage.

DORA’s strategic advantages can position financial institutions for sustained success and resilience in the future.

DORA and other Financial Laws

DORA is designed to work in harmony with other financial regulations, creating a cohesive regulatory environment. It complements the General Data Protection Regulation (GDPR) by ensuring robust cybersecurity measures are in place, safeguarding data against breaches and cyber-attacks. DORA also enhances the Revised Payment Services Directive (PSD2) by reinforcing the security of ICT systems involved in payment services, ensuring uninterrupted and secure payment processing.

Furthermore, DORA supports the Markets in Financial Instruments Directive II (MiFID II) by ensuring the ICT infrastructure underpinning financial markets remains resilient and secure. It also builds on the Network and Information Systems Directive (NIS Directive) by focusing specifically on the financial sector, ensuring tailored and stringent measures for financial institutions. By aligning with these regulations, DORA ensures a comprehensive approach to cybersecurity and operational resilience, covering various aspects of financial operations and data management.

Planning for the future with DORA

DORA is not just about compliance; it is a strategic tool that offers long-term benefits. Financial institutions adhering to DORA’s stringent requirements can demonstrate their commitment to operational resilience and cybersecurity, building trust with customers and stakeholders. This enhances the institution’s reputation as a secure and reliable entity, attracting more customers and business partners.

Implementing DORA’s frameworks can also lead to improved operational efficiency. Streamlined processes, regular testing, and continuous monitoring help in identifying and addressing issues proactively, reducing downtime and operational costs. Moreover, DORA’s emphasis on continuous improvement and adaptation ensures that financial institutions are prepared for future challenges. By staying ahead of emerging threats and regulatory changes, institutions can maintain their resilience and relevance in a rapidly evolving landscape.

Conclusion: DORA represents a significant step forward

In conclusion, DORA represents a significant step forward in strengthening the financial sector’s operational resilience. By integrating comprehensive IT risk management, data governance, and alignment with other regulations, DORA provides a robust framework for financial institutions to thrive amidst digital challenges. Leveraging DORA’s strategic advantages can position financial institutions for sustained success and resilience in the future.

Get started with Securance's Advisory Services

Are you ready to enhance your organisation’s resilience under DORA? Securance offers comprehensive advisory services to help you navigate this regulatory landscape. We can conduct a thorough gap analysis to identify your current standing concerning DORA and assist you in implementing necessary measures. Contact us today to secure your future.

Get Started
Apr292024

Building Cyber Resilience with Assurance Services

Building a cyber resilient culture: The rol of Assurance and Advisory Services

In today’s high-stakes business environment, creating a robust cyber resilient culture is less about installing advanced firewalls and more about strategic foresight. For today’s business leaders, the challenge lies not just in responding to threats but in proactively embedding resilience into the organizational fabric. Assurance and advisory services are not just support mechanisms—they are strategic tools that transform cybersecurity from a necessary backend operation into a front-line business advantage. This blog post examines how these services integrate cyber resilience into business strategy, transforming potential vulnerabilities into competitive strengths.

The strategic imperative of cyber resilience

As the digital threat landscape expands, the nature and frequency of these threats evolve. Cyber resilience is becoming a critical element of strategic planning, ensuring that your organization can anticipate, respond to, and recover from cyber incidents. This capability is essential not only for maintaining operational continuity but also for protecting stakeholder interests and building trust in the market.

How Assurance and Advisory Services enhance a cyber resilient culture

Aligning Cybersecurity with business goals

Assurance services evaluate and refine your cybersecurity measures to ensure they align with your business objectives. This strategic alignment transforms cybersecurity from a cost center into a source of strategic value, embedding risk management into the fabric of your business development.

Developing a robust Governance Framework

Effective cybersecurity governance integrates risk management with everyday business processes. Advisory services are instrumental in creating frameworks that make cybersecurity a component of organizational governance, ensuring decisions at all levels safeguard your security posture without stifling innovation.

Ensuring compliance and adopting best practices

Navigating the maze of compliance and best practices is a formidable challenge. Assurance services not only help your organization comply with these regulations but also encourage the adoption of best practices that can set you ahead of industry standards. This proactive stance mitigates risks while enhancing operational efficiency and building trust with clients and regulators.

The challenge lies not just in responding to threats but in proactively embedding resilience into the organizational fabric.

Educating and empowering your workforce

Advisory services also focus on training staff across all levels of your organization to understand and manage cybersecurity risks effectively. This approach cultivates a shared sense of responsibility, turning every employee into a proactive participant in your cybersecurity framework.

Refining incident response and recovery

The true test of resilience is in responding to and recovering from cyber incidents. Advisory services help develop swift and effective strategies for incident management, minimizing downtime and potential damage, and leveraging these experiences to strengthen future defenses.

The business benefits of a cyber resilient culture

Incorporating assurance and advisory services into your cybersecurity strategy enhances your organizational security by:

✓ Promoting proactive Risk Management: Shifting focus from reactive security fixes to proactive risk identification and management.

✓ Creating a unified security vision: Ensuring consistency in security strategies across all business units and levels of your organization.

✓ Building stakeholder confidence: Demonstrating commitment to comprehensive security standards which strengthens stakeholder trust.

✓ Encouraging continual improvement: Fostering a culture of continuous evaluation and adjustment, which is vital for keeping pace with evolving cyber threats.

Conclusion

For today’s business leaders, cultivating a cyber resilient culture is essential. Assurance and advisory services are key to this process, providing the necessary expertise and oversight to weave cybersecurity into your corporate strategy effectively. These services don’t just protect—they enable your business to thrive in a digitally-driven marketplace, positioning your organization as a proactive, resilient market leader.