Nmap Development mailing list archives

SMB Encryption and SMB Signing


From: Jan Rude <Jan.Rude () mgm-sp com>
Date: Mon, 26 Nov 2018 11:07:29 +0000

Hey there,

I'm not sure, but I think that SMB Encryption is not checked in the SMB
scripts of nmap (e.g. 'smb2-security-mode.nse'). It only checks if SMB
Signing is enabled, does it?

Background:
With SMB3 (Windows 8, Windows Server 2012 and Windows 2016) Windows now
provides 'SMB Encryption'.
SMB Encryption provides end-to-end encryption of SMB data and protects data
from eavesdropping occurrences on untrusted networks.
It uses Advanced Encryption Standard (AES)-CCM algorithm to encrypt and
decrypt the data. AES-CCM provides data integrity validation (aka signing)
for encrypted file shares, regardless of the SMB Signing settings.
Therefore, if SMB Encryption is enabled, explicit setting of SMB Signing is
NOT required!

If SMB Encryption is enabled:
only SMB 3.0 clients are allowed to access the specified file shares
    => the client will receive an 'Access denied' error message if it does
       not support SMB3.
Downgrade attacks to SMBv2 (which would use unencrypted access) are
mitigated.
It is possible to explicitly allow clients to access unencrypted SMBv2
(for example if they don't support SMBv3). So in this case you have to enable
SMB Signing again to secure the connection.

Would it be possible to integrate a check for enabled SMB Encryption?

Greetings,
Jan

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
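
The check requested in the message above, sketched as an added example (not part of the original post and not Nmap's NSE code): it reads one SMB2 NEGOTIATE response and reports the signing bits next to encryption support. Field offsets and constants are taken from MS-SMB2; `parse_negotiate_response`, `build_sample` and the sample bytes are constructed for this illustration.

```python
import struct

# Field layout and constants follow the SMB2 NEGOTIATE response in MS-SMB2.
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002
GLOBAL_CAP_ENCRYPTION = 0x00000040    # Capabilities bit, dialects 3.0 and 3.0.2
ENCRYPTION_CAPABILITIES = 0x0002      # negotiate context type, dialect 3.1.1
CIPHERS = {1: "AES-128-CCM", 2: "AES-128-GCM", 3: "AES-256-CCM", 4: "AES-256-GCM"}

def parse_negotiate_response(msg):
    """Report signing and encryption support from one SMB2 NEGOTIATE response."""
    if len(msg) < 128 or msg[:4] != b"\xfeSMB":
        raise ValueError("not a complete SMB2 NEGOTIATE response")
    # The response body starts after the fixed 64-byte SMB2 header.
    size, mode, dialect, ctx_count = struct.unpack_from("<HHHH", msg, 64)
    if size != 65:
        raise ValueError("unexpected StructureSize")
    caps, = struct.unpack_from("<I", msg, 64 + 24)
    ctx_offset, = struct.unpack_from("<I", msg, 64 + 60)
    cipher = None
    if dialect == 0x0311:
        # For 3.1.1 the capability bit is not used; the cipher is in a negotiate context.
        pos = ctx_offset
        for _ in range(ctx_count):
            if pos + 8 > len(msg):
                raise ValueError("truncated negotiate context")
            ctype, dlen = struct.unpack_from("<HH", msg, pos)
            if pos + 8 + dlen > len(msg):
                raise ValueError("truncated negotiate context")
            if ctype == ENCRYPTION_CAPABILITIES and dlen >= 4:
                count, chosen = struct.unpack_from("<HH", msg, pos + 8)
                cipher = CIPHERS.get(chosen) if count else None
            pos = (pos + 8 + dlen + 7) & ~7   # contexts are 8-byte aligned
        encryption = cipher is not None
    else:
        encryption = dialect in (0x0300, 0x0302) and bool(caps & GLOBAL_CAP_ENCRYPTION)
    return {"dialect": hex(dialect),
            "signing_enabled": bool(mode & SIGNING_ENABLED),
            "signing_required": bool(mode & SIGNING_REQUIRED),
            "encryption_supported": encryption, "cipher": cipher}

def build_sample(dialect, mode, caps, contexts=b""):
    """Constructed sample message: every field not parsed above is zeroed."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, dialect, 1 if contexts else 0,
                       bytes(16), caps, 0, 0, 0, 0, 0, 128, 0, 128 if contexts else 0)
    return b"\xfeSMB" + bytes(60) + body + contexts

if __name__ == "__main__":
    gcm = struct.pack("<HHIHH", ENCRYPTION_CAPABILITIES, 4, 0, 1, 2)  # constructed context
    print(parse_negotiate_response(build_sample(0x0302, 0x01, 0x40)))
    print(parse_negotiate_response(build_sample(0x0311, 0x03, 0, gcm)))
```

The negotiate exchange only shows that the server supports encryption. Whether a session or a share actually requires it is signalled later, after authentication, in the SESSION_SETUP response (SessionFlags) and the TREE_CONNECT response (ShareFlags).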
