Penetration Tester Interview Q&A…What is Server Message Block (SMB) Signing?
Good ole SMB signing. I love seeing it not required during a penetration test. Before we talk about specific attacks, let's look at what it really is.
SMB signing (also known as security signatures) is an integrity mechanism built into the SMB protocol. When signing is in use, every SMB message carries a signature computed with the session key established during authentication: the sender calculates a keyed hash (a MAC) over the entire message and places it in the Signature field of the SMB header, and the receiver recomputes it and discards any message whose signature does not match. It is a keyed hash, not a plain hash, so an attacker who can see or alter the traffic cannot produce a valid signature without the session key.
In other words, the feature digitally signs SMB traffic between devices at the packet level. When it is enabled, the recipient can verify who sent each packet and confirm that the data was not altered in transit. This safeguards against man-in-the-middle (MITM) attacks, including SMB relay, where an attacker forwards a victim's NTLM authentication to another host: the relayed session never gives the attacker the session key, so the attacker cannot sign the messages it wants to send, and a server that requires signing drops them.
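To make the mechanism concrete, here is an added example (not code from the original post) of how an SMB 2.0.2/2.1 message is signed and verified: the 16-byte Signature field at offset 48 of the 64-byte header is zeroed, HMAC-SHA256 over the whole message is computed with the session key, and the first 16 bytes of that MAC are written back while SMB2_FLAGS_SIGNED is set. SMB 3.x instead uses AES-128-CMAC (AES-128-GMAC from 3.1.1) with a key derived from the session key; that variant is not implemented here. The session key, message id, session id and request body are constructed values; in a real session the key comes from NTLM or Kerberos authentication.

```python
import hashlib
import hmac
import struct

# SMB2 header layout (MS-SMB2 2.2.1.2): 64 bytes, Signature occupies bytes 48..63.
SMB2_HEADER_SIZE = 64
SMB2_FLAGS_OFFSET = 16
SMB2_SIGNATURE_OFFSET = 48
SMB2_SIGNATURE_SIZE = 16
SMB2_FLAGS_SIGNED = 0x00000008
SMB2_CREATE = 0x0005


def build_smb2_header(command: int, message_id: int, session_id: int, flags: int = 0) -> bytes:
    """Pack a 64-byte SMB2 header with an all-zero Signature field."""
    return struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB",      # ProtocolId
        64,              # StructureSize
        0,               # CreditCharge
        0,               # Status
        command,         # Command
        1,               # CreditRequest
        flags,           # Flags
        0,               # NextCommand
        message_id,      # MessageId
        0,               # Reserved
        0,               # TreeId
        session_id,      # SessionId
        b"\x00" * 16,    # Signature (filled in by sign_smb2_message)
    )


def _mac(session_key: bytes, message: bytes) -> bytes:
    """SMB 2.0.2/2.1 signature: first 16 bytes of HMAC-SHA256 over the message
    with the Signature field zeroed."""
    buf = bytearray(message)
    buf[SMB2_SIGNATURE_OFFSET:SMB2_SIGNATURE_OFFSET + SMB2_SIGNATURE_SIZE] = bytes(16)
    return hmac.new(session_key, bytes(buf), hashlib.sha256).digest()[:SMB2_SIGNATURE_SIZE]


def sign_smb2_message(session_key: bytes, message: bytes) -> bytes:
    """Return a copy of message with SMB2_FLAGS_SIGNED set and the signature filled in."""
    if len(message) < SMB2_HEADER_SIZE or message[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    buf = bytearray(message)
    flags = struct.unpack_from("<I", buf, SMB2_FLAGS_OFFSET)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", buf, SMB2_FLAGS_OFFSET, flags)
    buf[SMB2_SIGNATURE_OFFSET:SMB2_SIGNATURE_OFFSET + SMB2_SIGNATURE_SIZE] = _mac(session_key, bytes(buf))
    return bytes(buf)


def verify_smb2_signature(session_key: bytes, message: bytes) -> bool:
    """What a receiver that requires signing does: reject unsigned messages and
    any signed message whose MAC does not match under the shared session key."""
    if len(message) < SMB2_HEADER_SIZE or message[:4] != b"\xfeSMB":
        return False
    flags = struct.unpack_from("<I", message, SMB2_FLAGS_OFFSET)[0]
    if not flags & SMB2_FLAGS_SIGNED:
        return False
    received = message[SMB2_SIGNATURE_OFFSET:SMB2_SIGNATURE_OFFSET + SMB2_SIGNATURE_SIZE]
    return hmac.compare_digest(received, _mac(session_key, message))


def demo() -> tuple:
    """Constructed values: a 16-byte session key and a stand-in CREATE request body."""
    session_key = bytes(range(16))
    header = build_smb2_header(SMB2_CREATE, message_id=7, session_id=0x1122334455667788)
    message = header + b"CREATE request body"
    signed = sign_smb2_message(session_key, message)
    genuine_ok = verify_smb2_signature(session_key, signed)          # True
    tampered = bytearray(signed)
    tampered[70] ^= 0xFF                                             # MITM flips one body byte
    tampered_ok = verify_smb2_signature(session_key, bytes(tampered))  # False
    forged = sign_smb2_message(b"attacker-guess", message)          # signer without the real key
    forged_ok = verify_smb2_signature(session_key, forged)           # False
    unsigned_ok = verify_smb2_signature(session_key, message)        # False: signing required
    return genuine_ok, tampered_ok, forged_ok, unsigned_ok


if __name__ == "__main__":
    print(demo())
```

The last check in `demo()` is the one that matters for the rest of this post: a receiver that only *supports* signing would accept the unsigned message, while one that *requires* it rejects it, which is exactly the difference between "signing enabled" and "signing required" that a scanner reports.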
SMB is a network file-sharing protocol used by Windows, Linux (through Samba) and many NAS and other storage devices. It lets devices share and store files and lets other devices and users access those files. SMB has been around for many years, and Microsoft has been working to retire the first version (SMBv1) because of its inherent security weaknesses and because the newer versions (SMB 2.x and 3.x) do far more; SMBv1 is no longer installed by default on Windows 10 version 1709 and later and on Windows Server 2019 and later.
There is one problem, however: although SMB signing is available on every version of Windows, by default it is only required on Domain Controllers. Workstations and member servers support it but will happily talk to peers that do not sign. If you want to enforce it you must enable it explicitly through Group Policy (or the Local Security Policy): the settings are "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)" under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, which set the RequireSecuritySignature value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters respectively. In larger organizations it is recommended to enable this on all devices, as it helps protect information and reduces the chances of information leakage or follow-on attacks. Note that newer releases change the default: Windows 11 24H2 and Windows Server 2025 require SMB signing for all connections out of the box.
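The way a tester (or a vulnerability scanner) finds out which hosts fall into the "supported but not required" bucket is by reading the server's NEGOTIATE response, which is how the "SMB signing not required" finding is produced. Below is an added example (not code from the original post) that decodes the SecurityMode field from both an SMB2/3 NEGOTIATE Response (MS-SMB2 2.2.4, flags 0x0001 enabled / 0x0002 required) and an SMB1 NEGOTIATE Response (MS-CIFS, bits 0x04 enabled / 0x08 required), going beyond the post's Windows-only framing so that legacy devices answering in SMB1 are classified too. The three sample packets are constructed inline and stand in for a domain controller, a default workstation and an old NAS; the byte layout is the on-wire one, but none of them were captured from a real host.

```python
import struct

# SMB2 NEGOTIATE Response SecurityMode flags (MS-SMB2 2.2.4)
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
# SMB1 NEGOTIATE Response SecurityMode bits (MS-CIFS 2.2.4.52.2)
NEGOTIATE_SECURITY_SIGNATURES_ENABLED = 0x04
NEGOTIATE_SECURITY_SIGNATURES_REQUIRED = 0x08


def parse_signing_mode(packet: bytes) -> dict:
    """Classify a server NEGOTIATE response (SMB1 or SMB2/3).
    'packet' is the SMB message without the 4-byte NetBIOS session header."""
    if packet[:4] == b"\xfeSMB":
        # 64-byte SMB2 header followed by the 64-byte fixed part of the response
        if len(packet) < 128:
            raise ValueError("truncated SMB2 NEGOTIATE response")
        if struct.unpack_from("<H", packet, 12)[0] != 0x0000:   # Command: NEGOTIATE
            raise ValueError("not an SMB2 NEGOTIATE response")
        structure_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 64)
        if structure_size != 65:   # 64 fixed bytes + first byte of the variable Buffer
            raise ValueError("unexpected SMB2 NEGOTIATE response StructureSize")
        enabled = bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED)
        required = bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
        dialect_name = "SMB %d.%d.%d" % (dialect >> 8, (dialect >> 4) & 0xF, dialect & 0xF)
    elif packet[:4] == b"\xffSMB":
        # 32-byte SMB1 header, then WordCount, DialectIndex (2) and SecurityMode (1)
        if len(packet) < 36 or packet[4] != 0x72:                 # Command: SMB_COM_NEGOTIATE
            raise ValueError("not an SMB1 NEGOTIATE response")
        security_mode = packet[35]
        enabled = bool(security_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)
        required = bool(security_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)
        dialect_name = "SMB 1 (NT LM 0.12)"
    else:
        raise ValueError("not an SMB message")

    if required:
        finding = "signing required (ok)"
    elif enabled:
        finding = "SMB signing enabled but not required: relayed sessions accepted"
    else:
        finding = "SMB signing disabled"
    return {"dialect": dialect_name, "signing_enabled": enabled,
            "signing_required": required, "finding": finding}


def _smb2_negotiate_response(security_mode: int, dialect: int) -> bytes:
    """Constructed sample: SMB2 header (Flags=SERVER_TO_REDIR) + fixed NEGOTIATE Response."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0x0000, 1,
                         0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


def _smb1_negotiate_response(security_mode: int) -> bytes:
    """Constructed sample: SMB1 header (command 0x72) + WordCount, DialectIndex, SecurityMode."""
    header = b"\xffSMB" + bytes([0x72]) + b"\x00" * 27
    return header + bytes([17]) + struct.pack("<HB", 0, security_mode)


# Constructed sample responses, not captures from real hosts.
SAMPLES = {
    "domain_controller": _smb2_negotiate_response(0x0003, 0x0311),    # enabled + required
    "default_workstation": _smb2_negotiate_response(0x0001, 0x0311),  # enabled, not required
    "legacy_nas": _smb1_negotiate_response(0x03),                      # user-level + encrypted pw only
}


def scan_samples() -> dict:
    """Run the classifier over every sample and return host -> result."""
    return {host: parse_signing_mode(pkt) for host, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for host, result in scan_samples().items():
        print(host, result["dialect"], result["finding"])
```

Anything that comes back as "enabled but not required" is a host where the signing code from earlier in this post is never enforced on inbound sessions, and that is the list the Blue team should be working from.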
We will discuss SMB attacks at a later date, but understand why SMB signing is critical: even though most vulnerability scanners and management platforms rate "SMB signing not required" as only a Low or Medium finding, on the Blue side you need to fix this issue.