SMB Signing: Prevent Network Takeover Attacks

The importance of SMB signing

When testing Windows environments, we regularly see the Net-NTLM authentication of a highly privileged user being sent across the network. In combination with systems where SMB signing is not enforced, an attacker who can position themselves on the network can relay that authentication (an NTLM relay attack) to another host and increase their privileges within the network. Depending on the environment, this can go all the way to Domain Admin.

Understanding Net-NTLM

Windows supports several authentication protocols. One of them is NTLM, which in its network form (Net-NTLM) authenticates users over the network with a challenge-response exchange: the server sends a random eight-byte challenge, and the client answers with a response computed from that challenge and the NT hash of the user's password. The password itself is never sent. There are two versions, Net-NTLMv1 and Net-NTLMv2, and the captured challenge-response pair is what pentesters loosely call the "Net-NTLM hash". Net-NTLMv1 encrypts the challenge with DES keys cut from the NT hash and is considerably weaker than version 2, which uses HMAC-MD5 over the challenge plus a client-chosen nonce and timestamp; since Windows Vista and Windows Server 2008 clients send NTLMv2 only by default (LmCompatibilityLevel 3). Note that a captured Net-NTLM response is not the NT hash and cannot be passed directly (no pass-the-hash), which is why an attacker's options are to crack it offline or to relay it while the exchange is still in progress.

Intercepting Authentication Requests

Using the tool Responder, which answers LLMNR, NBT-NS and mDNS name lookups on the local subnet so that a victim machine connects to the attacker instead of the host it was looking for, we can capture the Net-NTLM responses that victims send when they try to authenticate. An example capture is shown below:

An attacker can try to do two things with a captured response:

  1. Attempt to crack the password offline using tools like John the Ripper or Hashcat. The success rate depends on the strength of the password; a strong password will not be cracked easily.
  2. Relay the authentication to internal systems that do not require SMB signing. Relaying has to happen live, while the victim's authentication is in flight; a response that has already been captured to disk cannot be replayed later.

NTLM Relay Attack

The NTLM relay attack exploits the fact that the Net-NTLM exchange does not bind the authentication to the host the user actually meant to talk to. The attacker sits in the middle: it accepts the victim's connection, forwards the victim's NTLM negotiate and authenticate messages, essentially unchanged, to a target that does not require SMB signing, and passes the target's challenge back to the victim. The target then grants a session to the attacker in the context of the user who sent the original authentication. In the worst case the attacker can use this to execute code on the target; more commonly it gives access to network shares the attacker would not normally be able to read.

Performing an NTLM Relay Attack

To perform the NTLM relay attack, three tools are used: NetExec, Responder, and ntlmrelayx. Since an NTLM relay attack against SMB only works on systems that do not require SMB signing, a list of such systems is needed first. This list can be generated using NetExec with the following command:

netexec smb 192.168.126.0/24 --gen-relay-list targets.txt

This sends an SMB negotiation to every host in the range and writes the IP addresses of those that answer on port 445 but do not require signing to the file. Note the distinction: a host that has signing "enabled" but not "required" still ends up in the list, because an attacker in the middle can simply negotiate signing away.

Next, Responder and ntlmrelayx are used together. Responder's job is now only to poison name resolution so that victims connect to the attacker's machine; the connections themselves must land on ntlmrelayx, which runs its own SMB and HTTP listeners and relays the NTLM messages to the hosts in the target list. Responder does not hand anything to ntlmrelayx; it just has to stop answering on ports 445 and 80 so that ntlmrelayx can. To accomplish this, the SMB and HTTP servers must be disabled in Responder's configuration file (Responder.conf) by changing the values behind SMB and HTTP in the [Responder Core] section to 'Off'. The configuration file should look like this:

Next, Responder must be started on the active network interface, in this case eth0 (-I selects the interface; -w starts the rogue WPAD proxy so that browsers looking for a proxy configuration also authenticate to the attacker; consult responder -h for the remaining options, whose meaning has changed between Responder versions). This can be done by running the following command:

responder -I eth0 -d -w

Finally, we use the ntlmrelayx utility (part of Impacket) to extract the contents of the SAM database from the target systems, which is its default action for SMB targets. To do this, we start ntlmrelayx with the following command:

python3 ntlmrelayx.py -tf targets.txt

Windows clients that have SMB1 disabled will only connect to ntlmrelayx's listener if it speaks SMB2, so in practice add -smb2support to the command.

Once ntlmrelayx receives an authentication from a poisoned victim, it relays it, while the exchange is still in progress, to the systems in the file. If authentication is successful, ntlmrelayx attempts to extract the contents of the SAM database. For this, the user whose authentication was relayed must have local administrator rights on the target system. Instead of the SAM dump, other actions are possible, such as executing a command (-c) or opening an interactive SMB shell (-i).

Implications of an NTLM Relay Attack

The image below shows a successful NTLM relay, where the user had local administrator rights on the target system and thus the contents of the SAM database could be extracted.

An attacker would now be in possession of the NT hash of the local administrator. Because NTLM accepts the hash itself as a credential (pass-the-hash), this gives the attacker local administrator rights on this system without cracking anything. That in turn allows the attacker to extract the credentials of users who have, or recently had, a session on the system from LSASS memory. If this includes a domain administrator, the attacker can escalate to Domain Admin and take over the entire domain.

We regularly observe that the password for the local Administrator user is reused on multiple computers. This means that an attacker can use the same password to log on to multiple computers as a local administrator. This broadens the attack vector and increases the likelihood that the attacker can increase their privileges.

Recommendation: Enable SMB signing

Systems are susceptible to an NTLM relay attack because the server accepts an NTLM authentication without any proof that the party it is talking to is the one that computed the response. SMB signing supplies that proof: every message after authentication must carry a message authentication code computed with a session key that both ends derive from the user's NT hash during the NTLM exchange. A relaying attacker forwards the challenge and the response but never learns the NT hash, so it cannot derive the key and cannot sign its requests; the target drops them. The most effective way to remedy this vulnerability is therefore to require (not merely enable) SMB signing enterprise-wide.

SMB signing is a security mechanism in the SMB protocol. When it is in use, each SMB message carries a signature in the 16-byte Signature field of the SMB2 header. The signature is a MAC over the entire message: HMAC-SHA256 for SMB 2.0.2 and 2.1, AES-128-CMAC for SMB 3.0 and 3.0.2, and AES-128-CMAC or AES-128-GMAC for SMB 3.1.1, keyed with a key derived from the session key that the authentication established. This allows the recipient to verify that the content of the message has not been changed and that it was sent by the party that actually authenticated. A message whose signature does not verify, or that arrives unsigned when signing is required, is dropped, which makes the NTLM relay attack against SMB impossible. Two caveats: signing must be required, not merely enabled, because an attacker in the middle can negotiate an optional feature away; and it protects SMB only. The same NTLM authentication can still be relayed to LDAP, HTTP, MSSQL or other services unless those are hardened separately (LDAP signing and channel binding, Extended Protection for Authentication, or disabling NTLM altogether).
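The signature check itself, as an added example that is not part of the original post: SMB 2.0.2/2.1 signing (HMAC-SHA256 over the message with the Signature field zeroed, truncated to 16 bytes) applied to a constructed TREE_CONNECT request, with a random session key standing in for the one NTLM derives from the NT hash. The scenario function plays the server and rejects the three things a relay attacker can try: send the message unsigned, alter a signed one, or sign with a key of its own.

```python
"""SMB2 signing as a MAC check, and why a relay cannot pass it.
Added example, not from the original post; keys and messages are constructed.
Implements SMB 2.0.2/2.1 signing (HMAC-SHA256 over the message with the
Signature field zeroed, truncated to 16 bytes, MS-SMB2 3.1.4.1). SMB 3.x swaps
the MAC for AES-CMAC/AES-GMAC under a derived SigningKey; the check is the same.
"""
import hashlib
import hmac
import os
import struct

SMB2_FLAGS_SIGNED = 0x00000008
FLAGS_OFF, SIG_OFF = 16, 48          # offsets inside the 64-byte SMB2 header
SMB2_TREE_CONNECT = 0x0003


def smb2_message(command: int, message_id: int, session_id: int, body: bytes) -> bytes:
    """Minimal SMB2 header (MS-SMB2 2.2.1.2) followed by the command body, unsigned."""
    return (b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 1, 0, command, 1, 0, 0,
                                     message_id, 0, 0, session_id) + b"\x00" * 16 + body)


def smb2_sign(message: bytes, session_key: bytes) -> bytes:
    """Set SMB2_FLAGS_SIGNED and MAC the whole message with the Signature field zeroed."""
    msg = bytearray(message)
    flags = struct.unpack_from("<I", msg, FLAGS_OFF)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", msg, FLAGS_OFF, flags)
    msg[SIG_OFF:SIG_OFF + 16] = bytes(16)
    mac = hmac.new(session_key, bytes(msg), hashlib.sha256).digest()[:16]
    msg[SIG_OFF:SIG_OFF + 16] = mac
    return bytes(msg)


def smb2_verify(message: bytes, session_key: bytes, signing_required: bool = True) -> bool:
    """Server-side check. With signing required an unsigned message is rejected
    outright; a signed one must carry the MAC only the key holder can compute."""
    flags = struct.unpack_from("<I", message, FLAGS_OFF)[0]
    if not flags & SMB2_FLAGS_SIGNED:
        return not signing_required
    expected = smb2_sign(message, session_key)[SIG_OFF:SIG_OFF + 16]
    return hmac.compare_digest(message[SIG_OFF:SIG_OFF + 16], expected)


def relay_scenario() -> dict:
    """Victim and server share a session key from a real NTLM authentication; the
    relay attacker forwarded the messages but never saw the NT hash, so it has
    no key. Returns the server's verdict for each thing the attacker can try."""
    session_key = os.urandom(16)      # constructed; normally derived from the NT hash
    attacker_guess = os.urandom(16)   # the best a relay can do: a key it made up
    path = "\\\\FS01\\C$".encode("utf-16-le")
    body = struct.pack("<HHHH", 9, 0, 64 + 8, len(path)) + path   # TREE_CONNECT request
    msg = smb2_message(SMB2_TREE_CONNECT, 1, 0x1234, body)

    legit = smb2_sign(msg, session_key)
    tampered = bytearray(legit)
    tampered[-2] ^= 0xFF                                   # attacker edits the share name
    forged = smb2_sign(msg, attacker_guess)                # attacker signs with its own key
    return {
        "legit_accepted": smb2_verify(legit, session_key),
        "tampered_accepted": smb2_verify(bytes(tampered), session_key),
        "forged_accepted": smb2_verify(forged, session_key),
        "unsigned_accepted_when_required": smb2_verify(msg, session_key, signing_required=True),
        "unsigned_accepted_when_optional": smb2_verify(msg, session_key, signing_required=False),
    }


if __name__ == "__main__":
    for outcome, accepted in relay_scenario().items():
        print(f"{outcome}: {'accepted' if accepted else 'rejected'}")
```

The last entry is the one that matters for configuration: with signing merely enabled rather than required, the server accepts the unsigned request, and the relayed session works exactly as if signing were off.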

How to enable SMB signing?

SMB signing is controlled by the registry values EnableSecuritySignature and RequireSecuritySignature under the Parameters key of both the LanManServer (inbound connections) and the LanManWorkstation (outbound connections) services, and is enabled by setting them to 1. RequireSecuritySignature is the value that matters: EnableSecuritySignature only advertises support, and an attacker in the middle can negotiate an optional feature away. Domain controllers already require signing for their server role by default; member servers and workstations do not, with Windows 11 24H2 and Windows Server 2025 being the first releases that require it out of the box. The values can be set in two ways: via a system command or via the graphical application 'Local Group Policy Editor' (gpedit.msc). In a domain, apply the same settings through a domain GPO so that every host receives them.

  1. Command line: 

Run these commands from an elevated prompt to update the registry values (the /f flag overwrites an existing value without prompting): 

  • reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v EnableSecuritySignature /t REG_DWORD /d 1 /f
  • reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v RequireSecuritySignature /t REG_DWORD /d 1 /f
  • reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v EnableSecuritySignature /t REG_DWORD /d 1 /f
  • reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v RequireSecuritySignature /t REG_DWORD /d 1 /f

Restart the system (or at least the Workstation and Server services) to apply the changes. 

2. Group policy editor

Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Enable the following policies:

  • Microsoft network client: Digitally sign communication (always)
  • Microsoft network client: Digitally sign communication (if server agrees)
  • Microsoft network server: Digitally sign communication (always)
  • Microsoft network server: Digitally sign communication (if client agrees)

The two '(always)' policies are the ones that enforce signing and stop the relay; the '(if ... agrees)' policies only allow signing when the other side asks for it and give no protection on their own.

Restart the system to apply changes.

3. Linux systems (Samba): 

Add the following to the [global] section of the Samba configuration file (smb.conf): 

client signing = mandatory
server signing = mandatory

Check the file with testparm and restart the smbd service (for example systemctl restart smbd) to apply the changes; a reboot is not needed.

Conclusion

To protect your network from NTLM relay attacks, requiring SMB signing is crucial. It ensures the integrity and authenticity of SMB messages and removes the relay attacker's ability to act in a victim's name, thereby closing a significant security vulnerability. Enforcing SMB signing across your network, together with the equivalent hardening of LDAP and HTTP services, safeguards against attackers escalating their privileges and taking over your network.

Get started with Securance's Cybersecurity Services

Are you prepared to defend your organisation against cyber threats? Securance offers robust cybersecurity services to safeguard your digital assets. Our experts can perform comprehensive security assessments, implement cutting-edge security measures, and provide continuous monitoring to protect your network from potential attacks. Contact us today to enhance your cybersecurity posture and secure your organisation’s future.

SMB Signing FAQ

Frequently Asked Questions about SMB Signing

What is SMB signing?

SMB signing is a security mechanism in the Server Message Block (SMB) protocol that ensures the authenticity and integrity of SMB communications. Each SMB message carries a message authentication code computed with the session key established during authentication, so the recipient can verify that the message has not been tampered with and that it was sent by the party that actually authenticated.

Why is SMB signing important?

SMB signing is important because it protects against NTLM relay attacks, in which an attacker forwards a victim's authentication to another SMB server and then issues requests in that user's name. With signing required, the relayed session is useless because the attacker cannot sign its requests, which prevents unauthorized access, data tampering, and privilege escalation within the network.

How can attackers exploit disabled SMB signing?

When SMB signing is not required, attackers can perform NTLM relay attacks. They intercept a legitimate authentication exchange and forward it, in real time, to a target system of their choosing. This grants the attacker unauthorized access as the intercepted user and, depending on that user's rights, allows them to execute commands or access restricted data.

How do I enable SMB signing on Windows?

SMB signing can be enabled on Windows by setting specific registry values or using the Local Group Policy Editor. The required registry values are EnableSecuritySignature and RequireSecuritySignature for both LanManServer and LanManWorkstation; RequireSecuritySignature is the one that actually blocks relaying. Alternatively, you can navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options in the Local Group Policy Editor and enable the relevant policies, or deploy them domain-wide through a Group Policy Object.

How do I enable SMB signing on Linux?

On Linux systems, SMB signing can be enabled by editing the Samba configuration file (smb.conf). Under the [global] section, add the lines 'client signing = mandatory' and 'server signing = mandatory', then restart the smbd service to apply the changes.

What tools are used to perform an NTLM relay attack?

Common tools used to perform an NTLM relay attack include NetExec, Responder, and ntlmrelayx. These tools help attackers generate a list of targets, intercept authentication requests, and relay those requests to systems without SMB signing enabled.

What are the consequences of a successful NTLM relay attack?

A successful NTLM relay attack can grant an attacker local administrator rights on a target system. This allows the attacker to dump password hashes (for example from the SAM database or from LSASS memory), access network shares, and potentially escalate privileges to Domain Admin, thereby compromising the entire network.

Can enabling SMB signing protect against all attacks?

While requiring SMB signing is a crucial step in protecting against NTLM relay attacks, it is not a silver bullet. It protects SMB only: the same authentication can be relayed to LDAP, HTTP or other services unless those are hardened as well (LDAP signing and channel binding, Extended Protection for Authentication, or disabling NTLM). Organizations should implement a comprehensive security strategy that includes regular updates, strong password policies, unique local administrator passwords, and network monitoring to protect against a wide range of threats.
