SMB Relay Attack
The SMB relay attack has been around for years, and publicly available tools make the attack easier to carry out. The attack can result in a full network compromise with relatively little effort or expertise on the part of the attacker, making this a very common technique. What’s worse, we’ve noticed many organizations are vulnerable to this attack and might not even know it. Here’s what you need to know.
SMB stands for Server Message Block, and it is a protocol that allows Windows machines to communicate with one another. For example, SMB allows administrators to connect to remote hosts for administrative tasks. It also facilitates access to resources, printing over a network, and file sharing.
SMB is an essential protocol in Windows (and thus most business) environments, but it’s had its fair share of issues. The WannaCry ransomware outbreak from May 2017 exploited a vulnerability in the SMB protocol (MS17-010). The SMB relay attack exploits a (different) weakness in the SMB protocol, but the impact can be just as damaging.
SMB Relay Attack
The SMB relay attack takes advantage of the very connectivity that the protocol provides so that attackers can gain access to a system that holds the data they seek.
In this attack, a threat actor on the internal network intercepts hashed credentials being transmitted by an authenticating host (often by conducting a man in the middle attack). These credentials are then “relayed” to a system the attacker desires to access. If these credentials are valid on that system, the attacker gains access.
In our experience, a typical attack happens like this:
- The attacker, either from his or her own system or a compromised host, starts a tool that listens for requests to network resources.
- When a legitimate host on the network makes a request, the attacker’s tool answers that request.
- The legitimate host then attempts to authenticate to the attacker’s tool, sending its hashed credentials to them instead of the intended target.
- The attacker then relays these credentials to a target of his or her choosing and attempts to compromise sensitive information.
The SMB MultiRelay utility for the Responder tool was released in 2016, which made this attack even faster and easier. The tool can help you determine whether systems in the environment are vulnerable to this attack, and helps attackers compromise the admin and privileged accounts that will have maximum impact. It does most of the hard work for you. Plus, it’s free.
Organizations need to be aware of their risk for this attack, especially since most business environments rely pretty heavily on the SMB protocol. But there are some mitigations.
Enable SMB Signing
The SMB relay attack only works on systems that have SMB signing disabled. During an SMB relay attack, the attacker must rewrite an intercepted packet to an IP address of the attacker’s choosing. Digitally signing the packet allows the receiving system to verify whether an attacker has tampered with the packet. If a portion of the packet has been altered, the signature will no longer correspond to the actual content.
Enabling SMB signing is the only way to prevent the attack altogether. This fix may impact performance, but the impact shouldn’t be significant on modern networks. There is also a chance that some non-Windows systems running SMB do not support signing. Usually though, enabling SMB signing is a relatively easy fix for most environments.
Disable LLMNR and NBNS
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBNS) are name resolution protocols that make the SMB relay attack easier. When LLMNR and NBNS broadcast requests for certain resources, the Responder tool can respond and intercept sensitive data in the process. Most modern networks no longer need these protocols, so disabling them can mitigate the SMB relay attack while having very little impact on performance.
Limit Domain/Local Admins
This will not prevent the attack itself, but it may mitigate the impact. SMB relay attacks aim to intercept privileged and admin account credentials since these accounts will provide the most access. Limiting admin activity will reduce the opportunities for an attacker to intercept these hashed credentials.
Conduct Device Configuration & Interrogation Review
Regular security reviews, such as a device configuration and interrogation review, will also help detect whether the environment/device has enabled SMB signing and is aligned with security best practices. This review analyzes the security policy and registry entries for the device to determine whether effective hardening has been conducted.
When issues like SMB vulnerabilities are identified by these reviews, take them seriously. Attacks like SMB relay may begin as obscure methods known only on the dark web, but they soon turn in to Python scripts and then automated tools that even novice hackers can use. A strong defensive posture and regular testing is the best way to address these risks before it’s too late.