8

Over the last couple of years, I've developed a fairly keen interest in Penetration Testing & Information Security. Throughout this time, I've acquired (and accumulated) a range of different devices with network capabilities, primarily in an effort to learn more about various security auditing techniques. Below is an excerpt of an nmap scan of one such device:


Host script results:
| smb-os-discovery: 
|   OS: Windows 10 Home 10240 (Windows 10 Home 6.3)
|   NetBIOS computer name: MARK
|   Workgroup: WORKGROUP
|_  System time: 2015-09-24T23:38:38-06:00
| smb-security-mode: 
|   Account that was used for smb scripts: <blank>
|   User-level authentication
|   SMB Security: Challenge/response passwords supported   
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

My question is specifically regarding the following statement:
Message signing disabled (dangerous, but default).
What is message signing; what is the danger?

Any examples of working exploits would be appreciated.

voices
  • 1
    Exploit engine here -- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/november/introducing-chuckle-and-the-importance-of-smb-signing/ – atdre Nov 23 '15 at 13:53

1 Answer

12

Message signing, in this context, refers to SMB (Server Message Block) signing.

Server Message Block (SMB) is a common Windows "application-layer" network protocol, and signing is a feature that allows SMB communications to be digitally "signed" at the "packet-level". The subsequent "signature" provides a mechanism by which a recipient can verify the authenticity of a source.

For example, it is important for Domain Controllers to have SMB signing enabled because SMB is the protocol used by clients to download Group Policy information, and SMB signing provides a way to certify that the client is receiving a genuine Group Policy.

SMB signing is supported on all versions of Windows, but is only enabled by default on Domain Controllers.

Nmap is letting you know that:

  1. SMB signing is disabled;
  2. This is the more dangerous — or less secure — option (as opposed to having SMB signing enabled);
  3. This is the default setting for the system you are scanning.
Michael
user83426
  • 1
    So basically, it's like a checksum? – voices Sep 26 '15 at 10:26
  • 3
    @tjt263 Better than a checksum. If you get 2 messages with the same digital signature, you know they were sent by the same person. Checksums are identical regardless of who added it to a message. – Navin Sep 26 '15 at 11:21
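
The checksum-versus-signature distinction discussed in the answer and comments above, as an added example that is not part of the original posts: a simplified model of SMB2 signing as done by the SMB 2.0.2/2.1 dialects (HMAC-SHA256 over the message with the 16-byte Signature field zeroed, truncated to 16 bytes; SMB 3.x uses AES-CMAC instead). The message is reduced to a bare 64-byte header plus payload, and the session key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct
import zlib

SIG_OFFSET, SIG_LEN = 48, 16   # Signature field inside the 64-byte SMB2 header
FLAGS_OFFSET = 16              # Flags field
SMB2_FLAGS_SIGNED = 0x00000008


def build_message(payload: bytes) -> bytes:
    """Constructed, simplified SMB2 message: 64-byte header + payload."""
    header = bytearray(64)
    header[0:4] = b"\xfeSMB"               # ProtocolId
    struct.pack_into("<H", header, 4, 64)  # StructureSize
    return bytes(header) + payload


def _mac(message: bytes, session_key: bytes) -> bytes:
    """HMAC-SHA256 over the message with the signature field zeroed."""
    msg = bytearray(message)
    msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = bytes(SIG_LEN)
    return hmac.new(session_key, bytes(msg), hashlib.sha256).digest()[:SIG_LEN]


def sign(message: bytes, session_key: bytes) -> bytes:
    """Set the SIGNED flag, then place the truncated HMAC in the header."""
    msg = bytearray(message)
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET)[0]
    struct.pack_into("<I", msg, FLAGS_OFFSET, flags | SMB2_FLAGS_SIGNED)
    msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = _mac(bytes(msg), session_key)
    return bytes(msg)


def verify(message: bytes, session_key: bytes) -> bool:
    """Receiver side: recompute the HMAC and compare in constant time."""
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, _mac(message, session_key))


if __name__ == "__main__":
    key = b"constructed-session-key"  # in SMB this comes from authentication
    signed = sign(build_message(b"policy: screen-lock=yes"), key)
    altered = signed.replace(b"=yes", b"=no!")  # changed in transit, key unknown
    print("signed verifies: ", verify(signed, key))    # True
    print("altered verifies:", verify(altered, key))   # False
    # A checksum needs no secret, so whoever alters the message can recompute it:
    print("altered passes recomputed CRC32:",
          zlib.crc32(altered) == zlib.crc32(altered))  # True
```

With signing disabled the receiver has nothing like `verify` to run, so an altered message is accepted as if it came from the real peer.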