Winning the SMBRelay Race
Windows 2000 Server Message Block (SMB), Microsoft's Eric Schultze has clarified the fixes necessary to guard against it. To recap: SMB is a NetBIOS protocol widely used in Windows networking to share files, printers, and other services. A new hacker tool, SMBRelay, exploits several legacy security options embedded in the NetBIOS/SMB protocols that allow an attacker to interpose between the client and the host and "hijack" an authenticated session.
The exploit can be blocked by closing down NetBIOS ports at the firewall. The critical ports are UDP 137 and 138, TCP 139, and TCP and UDP 445. Inside the firewall, we recommended upgrading NT systems to NTLMv2 (NT LAN Manager version 2), a 128-bit encrypted version of NT LAN Manager (NTLM). However, according to Eric Schultze, NTLMv2 "won't prevent" an SMBRelay-type man-in-the-middle attack. Other than port filtering, the only way to secure exposed NetBIOS host-client communication is to enable SMB Server Signing. This prevents the remote host from establishing the necessary "back channel" with the target host.
SMB Server Signing supports both mutual authentication and message authentication by placing a digital signature in each SMB message of a session, which is then verified by both the client and the server. If SMB Signing is enabled WHEN POSSIBLE on the server, clients that are also enabled for SMB Signing will use it during subsequent sessions; other clients fall back to the legacy, unsigned behaviour. If SMB Signing is enabled ALWAYS on the server, a client will not be able to establish a session unless it is also enabled for SMB Signing.
To enable SMB Signing in Windows 2000, go to the Control Panel and select Administrative Tools > Local Security Settings > Local Policies > Security Options. Under Policy double-click on Digitally sign server communications (always) or Digitally sign server communications (when possible), and select Enabled. SMB Signing can be set up in Windows NT and Windows 98 by adding a pair of keys to the Registry.
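The two policy settings above are backed by a pair of registry values on NT-family systems. The following PowerShell script is an added example, not part of the original article: it audits those values for both the server and client side of SMB and, with `-Enforce`, sets the server to ALWAYS. It assumes the value names `EnableSecuritySignature` ("when possible") and `RequireSecuritySignature` ("always") under the LanmanServer and LanmanWorkstation `Parameters` keys, and an elevated session.

```powershell
# Added example (not from the original article): audit the registry values
# behind the "Digitally sign ... communications" policies and optionally
# enforce "always" on the server side.
# Assumption: EnableSecuritySignature = "(when possible)",
#             RequireSecuritySignature = "(always)", both REG_DWORD.
param([switch]$Enforce)

$targets = @{
    'Server (LanmanServer)'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'Client (LanmanWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

function Get-SigningState([string]$Path) {
    # Missing values read as $null, which [bool] treats as "not set".
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WhenPossible = [bool]($p.EnableSecuritySignature)   # policy "(when possible)"
        Always       = [bool]($p.RequireSecuritySignature)  # policy "(always)"
    }
}

foreach ($name in $targets.Keys) {
    $state = Get-SigningState $targets[$name]
    $verdict = if ($state.Always) { 'signing REQUIRED' }
               elseif ($state.WhenPossible) { 'signing negotiated only; unsigned sessions still accepted' }
               else { 'signing DISABLED; session interposition is not blocked' }
    Write-Output ("{0}: {1}" -f $name, $verdict)
}

if ($Enforce) {
    # ALWAYS on the server means clients that cannot sign will fail to
    # connect, so confirm every client supports signing before turning it on.
    $srv = $targets['Server (LanmanServer)']
    Set-ItemProperty -Path $srv -Name EnableSecuritySignature  -Value 1 -Type DWord
    Set-ItemProperty -Path $srv -Name RequireSecuritySignature -Value 1 -Type DWord
    Write-Output 'Server signing set to ALWAYS; restart the Server service (or reboot) to apply.'
}
```

Run without `-Enforce` first to see the current state of both sides; a client that reports DISABLED will not benefit from a server set to WHEN POSSIBLE.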
August 2nd, 2009