The Microsoft Server Message Block (SMB) protocol is mostly used for local network file sharing and access to remote services in many businesses who use Windows PCs in their environment. SMB is also a really good example of low-hanging fruit for attackers, because it’s a protocol used across many services and has a lengthy history of insecure configurations or implementation bugs. For threat actors, this means they can fairly easily gain access to a server using the SMB protocol and then pivot from that server into other services and applications across the company.
Since many organizations still rely on SMB, new exploits, threats, and breaches related to the protocol are published regularly. MalwareBytes Labs indicated that, at the end of last year, two well-known malware attacks, Emotet and Trickbot, were tied to SMB vulnerabilities. Remember WannaCry and its many EternalBlue and EternalX cohorts? They were also connected to an SMB vulnerability, according to our friends at MalwareBytes. As attackers gain access through SMB servers, they utilize worm-like functionality in both malware attacks to slowly propagate through the organization.
What’s new in Censys?
We’ve recently added massive amounts of new Internet scan data about SMB ports, including:
- This data helps you identify which mechanisms and version of Windows each SMB port is communicating with. Microsoft created a useful overview of SMB authentication that is worth exploring.
SMB capability flags:
- Distributed File System
- Multi-Credit Operations
- Multi-Channel Sessions
- Persistent Handles
- Leasing / Directory Leasing
Target name of the host found in SMB messages
For pentesting and threat hunting folks, this means you can now more easily track hosts vulnerable to Windows malware attacks like WannaCry and EternalBlue, and analyze this more in-depth data on each affected host.
Finding SMB Protocol in Censys
The easiest way to get started with our new SMB reporting in Censys is to search for the SMB tag:
All of the additional SMB data we’ve added in this update is now included in the existing SMB tag.
Acknowledging that we sound a bit like a broken record, the critical takeaway for our corporate security readers is to ensure that any SMB services you’re using are patched and up-to-date.
It’s also a good idea to take a look at who has access to these hosts and if there are some users with more access than they need.
Microsoft has a dizzying array of security options available that can provide you with a locked down system, but it’s complicated. This documentation may be a good place to start, as well as the Microsoft Security Baseline Tool. Ensure that these hosts are well configured and secure, especially when they’re Internet accessible.
Subscribe to get product updates, interesting research nuggets, and more straight to your inbox. Also, don’t forget to follow us on Twitter.