
SMB Signing Disabled

VSR: 4
CVSS: 6.0 – 7.9
Risk: High
ID: OS-CFDB-1008

Finding Metadata

Finding Service(s)

Service
Internal Penetration Testing
External Penetration Testing

NIST 800-53 Control(s)

NIST
CM-2
CM-6
IA-2
IA-3


Technical Information

Description

The technical overview of a finding, not meant to be all-inclusive.

Server Message Block (SMB) is the file protocol most commonly used by Windows. It provides network file sharing and access to remote resources on a server. SMB signing is supported on all versions of SMB (1, 2, 3) but is enabled by default only on Domain Controllers. This security feature allows the protocol to ensure authenticity at the packet level.

Impact

How a finding result will affect an organization.

If an attacker gains access to the LAN (Local Area Network), the absence of SMB signing lets them send specially crafted packets using LLMNR (Link-Local Multicast Name Resolution) spoofing to direct network share access queries to the attacker. Using this MITM (Man-In-The-Middle) attack, an attacker can capture NTLM and NTLMv2 (Windows Challenge/Response Protocol) credentials and potentially brute force them to gain access to resources on the network.

Recommendation

Current plan of action recommended.

The assessment team recommends that SMB signing be enabled via GPO or registry for the in-scope network hosts. If this is not possible due to business constraints, core servers and resources should allow SMB signing to prevent GPO tampering or credential compromise of high-value accounts.
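
One way to confirm the recommendation took effect is to read the SecurityMode field a host returns in its SMB2 NEGOTIATE response. The following is an added example, not part of the OS-CFDB entry; the host names and sample responses are constructed, and treating "enabled, not required" as still affected is this example's assumption.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
HEADER_LEN = 64
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED

def classify_negotiate_response(msg: bytes) -> dict:
    """Classify signing from one SMB2 NEGOTIATE response (transport length prefix removed)."""
    if len(msg) < HEADER_LEN + 6:
        raise ValueError("truncated SMB2 message")
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not SMB2 (an SMB1 reply starts with \\xffSMB)")
    (hdr_size,) = struct.unpack_from("<H", msg, 4)
    status, command = struct.unpack_from("<IH", msg, 8)
    (flags,) = struct.unpack_from("<I", msg, 16)
    # Command 0 is NEGOTIATE; flag bit 0 marks a server-to-client message.
    if hdr_size != HEADER_LEN or command != 0 or not flags & 0x1:
        raise ValueError("not an SMB2 NEGOTIATE response")
    if status != 0:
        raise ValueError(f"negotiate failed with NTSTATUS 0x{status:08x}")
    body_size, mode, dialect = struct.unpack_from("<HHH", msg, HEADER_LEN)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response body size")
    if mode & SIGNING_REQUIRED:
        verdict = "required"
    elif mode & SIGNING_ENABLED:
        verdict = "enabled, not required"
    else:
        verdict = "disabled"
    # Only "required" closes the finding: otherwise a session can run unsigned.
    return {"dialect": f"0x{dialect:04x}", "signing": verdict,
            "finding": verdict != "required"}

def audit(responses: dict) -> list:
    """Return the hosts whose response still shows the finding, sorted."""
    return sorted(h for h, m in responses.items()
                  if classify_negotiate_response(m)["finding"])

def make_sample(mode: int, dialect: int = 0x0311) -> bytes:
    """Build a constructed NEGOTIATE response with the given SecurityMode."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1,
                                      0, 0, 0, 0, 0) + bytes(16)
    return header + struct.pack("<HHHH", 65, mode, dialect, 0) + bytes(56)

# Constructed sample data; host names are hypothetical.
SAMPLES = {"dc01": make_sample(0x0003), "fs01": make_sample(0x0001),
           "ws17": make_sample(0x0000, dialect=0x0210)}

if __name__ == "__main__":
    for host, msg in SAMPLES.items():
        print(host, classify_negotiate_response(msg))
    print("still affected:", audit(SAMPLES))
```

The parser expects the raw SMB2 message as captured from a packet trace, with the 4-byte transport length prefix already stripped.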