What is SMB
Server Message Block (SMB) is an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports, and for miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows.
SMB was originally designed to run on top of the NetBIOS API.
NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. Strictly speaking, NetBIOS is an API, not a networking protocol.
How SMB Authentication works
SMB uses the NTLM protocol for authentication. NTLM is a challenge-response authentication protocol. It uses an encrypted challenge/response exchange to authenticate a user without sending the user’s password over the wire. More theory is available on the AD page.
Problems with SMB and NTLM implementation
It was found that the generated challenges are not unique and repeat within a very short period of time (2 seconds while performing the attack). Thus, an attacker can predict the challenges or build a dictionary of challenge-response pairs.
NOTE - In all these attacks, we are not leaving any connection open; we just connect and disconnect over and over again. In SmbRelay attacks, by contrast, the sessions are kept open.
- Passive replay attack
If challenges are repeated, one can eavesdrop on the traffic and build a dictionary of challenge-response pairs to get unauthorized access to the server. An attacker can repeatedly make authentication requests to the server until it issues a challenge that is in the attacker’s dictionary. This attack is called a passive replay attack.
To mitigate this vulnerability, a new timestamp field was introduced in client responses. It invalidates previously generated responses as their timestamps age, so the server can differentiate between a recently generated response and one that is a month old. Thus, an attacker cannot use month-old responses.
- Active collection of duplicate challenges (mainly used)
In this attack, the attacker actively collects challenges that repeat within a short period of time by repeatedly sending the authentication packet to the server. The attacker then starts building up the dictionary.
The attacker gets the client to connect to them, and when a client connects, the attacker presents it with the challenges collected in the previous step and gathers the corresponding responses to complete the dictionary.
- Active prediction of challenges
When an attacker can predict the challenge, they can pretend to be the server to the client and send the client the challenge that the server will generate next. The attacker then gets the response from the client, which they can use to authenticate themselves to the real server.
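The timestamp mitigation described under the passive replay attack can be seen in a simplified server-side check. This is an added example, not code from the original page and not the NTLM wire format: HMAC-SHA256 stands in for the protocol's own response computation, and the key, challenge, `MAX_AGE` window and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAX_AGE = 300  # seconds; assumed freshness window (not a value from the page)

def legacy_response(key: bytes, challenge: bytes) -> bytes:
    """Response that depends only on the challenge: replayable when it repeats."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def legacy_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(response, legacy_response(key, challenge))

def client_response(key: bytes, challenge: bytes, timestamp: int) -> bytes:
    """Response that carries a timestamp and covers it with the MAC."""
    ts = struct.pack(">Q", timestamp)
    return ts + hmac.new(key, challenge + ts, hashlib.sha256).digest()

def server_verify(key: bytes, challenge: bytes, response: bytes, now: int) -> str:
    """Check the MAC first, then reject responses whose timestamp is too old."""
    if len(response) != 8 + hashlib.sha256().digest_size:
        return "malformed"
    ts, mac = response[:8], response[8:]
    expected = hmac.new(key, challenge + ts, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "bad-mac"
    (timestamp,) = struct.unpack(">Q", ts)
    if abs(now - timestamp) > MAX_AGE:
        return "stale"
    return "ok"

def demo() -> dict:
    key = b"constructed-shared-secret"             # constructed sample value
    challenge = bytes.fromhex("0123456789abcdef")  # constructed; server repeats it
    t0 = 1_700_000_000                             # time of the recorded login
    later = t0 + 30 * 24 * 3600                    # same challenge, a month on
    recorded = client_response(key, challenge, t0)
    redated = struct.pack(">Q", later) + recorded[8:]  # timestamp changed, MAC not
    return {
        "legacy_replay": legacy_verify(key, challenge, legacy_response(key, challenge)),
        "fresh": server_verify(key, challenge, recorded, t0 + 2),
        "replay_month_later": server_verify(key, challenge, recorded, later),
        "redated_replay": server_verify(key, challenge, redated, later),
    }

if __name__ == "__main__":
    print(demo())
```

The `redated_replay` case shows why the timestamp has to be covered by the MAC: a response whose timestamp is simply rewritten fails verification before the freshness check is reached.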