Nmap Development mailing list archives
SMB Encryption and SMB Signing
From: Jan Rude <Jan.Rude () mgm-sp com>
Date: Mon, 26 Nov 2018 11:07:29 +0000
Hey there, I´m not sure, but I think that SMB Encryption is not checked in the SMB scripts of nmap (e.g. 'smb2-security-mode.nse'). It only checks, if SMB Signing is enabled, does it? Background: With SMB3 (Windows 8, Windows Server 2012 and Windows 2016) Windows now provides 'SMB Encryption'. SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on untrusted networks. It uses Advanced Encryption Standard (AES)-CCM algorithm to encrypt and decrypt the data. AES-CCM provides data integrity validation (aka signing) for encrypted file shares, regardless of the SMB Signing settings. Therefore, if SMB Encryption is enabled, explicit setting of SMB Signing is NOT required! If SMB Encryption is enabled:
only SMB 3.0 clients are allowed to access the specified file shares
=> the client will receive an 'Access denied' error message, if it does not support SMB3.
Downgrade attacks to SMBv2 (which would use unencrypted access) are
mitigated.
It is possible to explicitly allow clients to access unencrypted SMBv2
(for example if they dont support SMBv3). So in this case you have to enable SMB Signing again to secure the connection. Would it be possible to integrate a check for enabled SMB Encryption? Greetings, Jan
Attachment:
smime.p7s
Description:
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- SMB Encryption and SMB Signing Jan Rude (Nov 26)
- Re: SMB Encryption and SMB Signing Paulino Calderon (Dec 17)