Nmap Development mailing list archives

Re: SMB Encryption and SMB Signing


From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 17 Dec 2018 18:28:44 -0500

Hello Jan,

The script smb2-security-mode only checks the message signing configuration but we have smb2-capabilities 
(https://nmap.org/nsedoc/scripts/smb2-capabilities.html) that does (or should) check if Encryption is enabled. 

Cheers.



On Nov 26, 2018, at 06:07, Jan Rude <Jan.Rude () mgm-sp com> wrote:

Hey there,

I'm not sure, but I think that SMB Encryption is not checked in the SMB
scripts of nmap (e.g. 'smb2-security-mode.nse'). It only checks, if SMB
Signing is enabled, does it?

Background:
With SMB3 (Windows 8, Windows Server 2012 and Windows 2016) Windows now
provides 'SMB Encryption'.
SMB Encryption provides end-to-end encryption of SMB data and protects data
from eavesdropping occurrences on untrusted networks.
It uses Advanced Encryption Standard (AES)-CCM algorithm to encrypt and
decrypt the data. AES-CCM provides data integrity validation (aka signing)
for encrypted file shares, regardless of the SMB Signing settings.
Therefore, if SMB Encryption is enabled, explicit setting of SMB Signing is
NOT required!

If SMB Encryption is enabled:
- Only SMB 3.0 clients are allowed to access the specified file shares
   => the client will receive an 'Access denied' error message if it does
not support SMB3.
- Downgrade attacks to SMBv2 (which would use unencrypted access) are
mitigated.
- It is possible to explicitly allow clients to access unencrypted SMBv2
(for example if they don't support SMBv3). So in this case you have to enable
SMB Signing again to secure the connection.

Would it be possible to integrate a check for enabled SMB Encryption?

Greetings,
Jan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
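
As an added example (not part of the original messages and not Nmap's NSE code), the following Python parser reads the two SMB2 NEGOTIATE response fields this thread is about: SecurityMode (signing) and the encryption bit in Capabilities. Field offsets and flag values follow MS-SMB2; the function names and the sample messages are constructed for this example.

```python
import struct

# Flag values as defined in MS-SMB2 for the NEGOTIATE response.
SIGNING_ENABLED = 0x0001     # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002    # SMB2_NEGOTIATE_SIGNING_REQUIRED
CAP_ENCRYPTION = 0x00000040  # SMB2_GLOBAL_CAP_ENCRYPTION (valid for 3.0 and 3.0.2)

def parse_negotiate_response(msg):
    """Extract signing and encryption posture from one SMB2 NEGOTIATE response."""
    if len(msg) < 64 + 28 or msg[:4] != b"\xfeSMB":
        raise ValueError("truncated or not an SMB2 message")
    status, command = struct.unpack_from("<IH", msg, 8)
    if status != 0 or command != 0:
        raise ValueError("not a successful NEGOTIATE response")
    # Body: StructureSize, SecurityMode, DialectRevision, context count,
    # ServerGuid, Capabilities.
    size, mode, dialect, _, _, caps = struct.unpack_from("<HHHH16sI", msg, 64)
    if size != 65:
        raise ValueError("unexpected StructureSize")
    if dialect in (0x0300, 0x0302):
        encryption = bool(caps & CAP_ENCRYPTION)
    elif dialect == 0x0311:
        encryption = None   # 3.1.1 advertises ciphers in negotiate contexts instead
    else:
        encryption = False  # SMB 2.x has no encryption
    return {"dialect": dialect,
            "signing_enabled": bool(mode & SIGNING_ENABLED),
            "signing_required": bool(mode & SIGNING_REQUIRED),
            "encryption_supported": encryption}

def assess(info):
    """Summarise the result the way the thread frames it: signing vs. encryption."""
    if info["signing_required"]:
        return "signing required"
    if info["encryption_supported"]:
        return "signing optional, encryption supported (verify it is enforced)"
    if info["encryption_supported"] is None:
        return "signing optional, encryption undetermined (inspect negotiate contexts)"
    return "signing optional, no encryption"

def build_sample(dialect, mode, caps):
    """Constructed NEGOTIATE response for offline testing (not captured traffic)."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1,
                                      0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, dialect, 0, b"\x11" * 16,
                       caps, 65536, 65536, 65536, 0, 0, 128, 0, 0)
    return header + body

if __name__ == "__main__":
    for d, m, c in [(0x0302, 0x1, 0x47), (0x0210, 0x1, 0x07), (0x0311, 0x3, 0x2f)]:
        print(hex(d), assess(parse_negotiate_response(build_sample(d, m, c))))
```

The capability bit only says the server supports encryption; whether a session or share enforces it is reported later, in the SESSION_SETUP and TREE_CONNECT responses.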
