SMBetray—Backdooring and breaking signatures

Conference: Defcon 26

2018-08-01

Summary

The presentation discusses the weaknesses of the SMB protocol and the importance of enabling encryption and signing to protect against attacks.
  • The SMB protocol is vulnerable to attack if encryption and signing are not enabled
  • An attacker in the path can inject fake files and directories, replace legitimate files with links that execute attacker code, and steal copies of files passed over the network
  • SMB version 1 does not sign or encrypt traffic by default; SMB versions 2 and 3 support encryption, but it is not enabled by default
  • Enabling encryption and signing is important to protect against these attacks
  • Organizations should require encryption and signing to be enabled
The presenter demonstrated how an attacker injects fake files and directories and replaces legitimate files with links that execute attacker code, showed that SMB version 1 neither signs nor encrypts by default and is therefore exposed to these attacks, and emphasized enabling encryption and signing as the protection against them.
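Added here as an editor's example (not code from the talk or from the SMBetray tool): a small Python check that reads the signing flag in SMB1 and SMB2 headers, or recognises the SMB3 transform header that marks encrypted traffic, so a defender can audit a capture for messages that are neither signed nor encrypted and prioritise those hosts for hardening. The sample headers are constructed inline, and the framing assumed is the 4-byte NetBIOS session header used on TCP port 445.

```python
import struct

SMB1_MAGIC = b"\xffSMB"            # SMB1 header: Flags2 at offset 10
SMB2_MAGIC = b"\xfeSMB"            # SMB2/3 header: Flags at offset 16
SMB3_TRANSFORM_MAGIC = b"\xfdSMB"  # SMB3 transform header: payload is encrypted
SMB1_FLAGS2_SECURITY_SIGNATURE = 0x0004
SMB2_FLAGS_SIGNED = 0x00000008


def classify_smb(pkt: bytes) -> dict:
    """Classify one SMB message as carried on TCP 445 (4-byte NetBIOS session
    header, then the SMB header). 'protected' is True when the message is
    signed (SMB1/SMB2) or encrypted (SMB3 transform header)."""
    msg = pkt[4:]  # skip the NetBIOS session service header
    if msg.startswith(SMB1_MAGIC) and len(msg) >= 32:
        flags2 = struct.unpack_from("<H", msg, 10)[0]
        return {"family": "SMB1", "protected": bool(flags2 & SMB1_FLAGS2_SECURITY_SIGNATURE)}
    if msg.startswith(SMB2_MAGIC) and len(msg) >= 64:
        flags = struct.unpack_from("<I", msg, 16)[0]
        return {"family": "SMB2/3", "protected": bool(flags & SMB2_FLAGS_SIGNED)}
    if msg.startswith(SMB3_TRANSFORM_MAGIC) and len(msg) >= 52:
        return {"family": "SMB3", "protected": True}
    raise ValueError("not a complete SMB message")


def unprotected_messages(pkts) -> list:
    """(index, family) of every message carrying neither a signature nor
    encryption, i.e. the traffic an on-path party could alter undetected."""
    findings = []
    for i, pkt in enumerate(pkts):
        info = classify_smb(pkt)
        if not info["protected"]:
            findings.append((i, info["family"]))
    return findings


# Constructed sample headers (not captured traffic) for exercising the checks.
def build_smb1(flags2: int) -> bytes:
    hdr = SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", 0x72, 0, 0x18, flags2, 0, bytes(8), 0, 0, 0, 0, 0)
    return struct.pack(">I", len(hdr)) + hdr  # NetBIOS: type 0x00 + 24-bit length


def build_smb2(flags: int) -> bytes:
    hdr = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, flags, 0, 0, 0, 0, 0, bytes(16))
    return struct.pack(">I", len(hdr)) + hdr


if __name__ == "__main__":
    sample = [build_smb1(0), build_smb2(0), build_smb2(SMB2_FLAGS_SIGNED)]
    print(unprotected_messages(sample))  # [(0, 'SMB1'), (1, 'SMB2/3')]
```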

Abstract

When it comes to taking advantage of SMB connections, most tools available to penetration testers aim for system enumeration or for performing relay attacks to gain RCE. If signatures are required, or if the victims relayed are not local admins anywhere, that can put a real dent in leveraging SMB to gain any serious footholds in a network. Fortunately, the mentioned attacks are only the tip of the iceberg of the ways to gain RCE with insecure SMB connections – and there’s a new tool to help take full advantage of these opportunities.
