SMB is a well-known network file sharing protocol, and I assume it's supposed to be used internally only. At my company I found someone connecting to a share on a server on the Internet over port 445 using SMB. Is there any risk in allowing such connections? I'm thinking if someone were able to MitM they be able to capture sensitive data.

expertsnipo
  • All the answers seem to be about allowing inbound internet access to smb services (which I thought was well established to be a bad idea but anyway), but the question looks like it's asking about outbound connections to unknown services? – StarWeaver Mar 29 '17 at 09:03
  • Simply having the port open and SMB services active allows two-way communications. In any case, I believe most of these answers are addressing the risks on both ends. Certainly at the server, with a shared drive. But also on the client side if there are any shared resources there. – SDsolar Mar 29 '17 at 17:18
  • If you can obtain a username and a hash, you're in: Microsoft gave us a publicly-available exploit for this back in the XP days: https://security.stackexchange.com/questions/168940/what-harm-is-there-in-obtaining-password-hashes-in-a-windows-environment and it still works just fine. – SDsolar Sep 07 '17 at 13:43

3 Answers

I'm not sure what operating system you are using, or if/what firewalls you have implemented, but exposing the SMB service with unfiltered access from the internet is asking to be compromised.

Also, a Man in the Middle attack would be the least of your worries. Someone could easily gain root access to your computer and consequently your entire network. Famously, the ms08_067_netapi exploits the SMB service on Windows XP on port 445 using a relative path stack corruption. I could easily execute this and gain root access in less than a minute assuming I know an IP address. For any random attacker, port scans are done across the internet continuously. Someone will find your open port.

I would recommend that you close that port and find a different solution for what you're trying to accomplish.

SuperAdmin
  • "That was fast: Thousands of computers now compromised with leaked tools, researchers say": https://www.cyberscoop.com/fast-thousands-computers-now-compromised-leaked-nsa-tools-researchers-say/ - USING PORT 445 (SMB) – SDsolar Apr 22 '17 at 03:27
  • @SDsolar I'm glad I was shutting down access to Internet-connected SMB shares before all that happened. – expertsnipo May 16 '17 at 13:06
  • Yeah, me, too. Sounds like you dodged the bullet. – SDsolar May 17 '17 at 18:51

There is a risk of exposing your credentials via broken SMB NTLMSSP_NEGOTIATE implementation, as described here: https://www.cybersecurity-help.cz/blog/167.html

Valery Marchuk
  • WannaCrypt does not need credentials. It is too risky to have those ports exposed, period. Reference: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ – SDsolar May 16 '17 at 20:57
  • Also, if you get hashes, here is how to use them: Microsoft gave us a publicly-available exploit for this back in the XP days: https://security.stackexchange.com/questions/168940/what-harm-is-there-in-obtaining-password-hashes-in-a-windows-environment and it still works just fine. – SDsolar Sep 07 '17 at 13:44

Yes it is risky.

While I don't know about any "exploits" that may be out there in the wild, what I do know is that anybody with the right username and password could get access to the disk drives that are exposed.

Presumably there is an administrator-level account on the computer that would allow full access.

I don't believe SMB limits the speed at which someone could run a dictionary of most-used passwords to try to get into Administrator, but it is possible to do it slowly, even if it does.

All in all, it seems like a bad idea to do it without first setting up an encrypted tunnel of some kind like a VPN. Or like SCP in Linux.

SDsolar
  • Turns out Microsoft gave us a publicly-available exploit for this back in the XP days: https://security.stackexchange.com/questions/168940/what-harm-is-there-in-obtaining-password-hashes-in-a-windows-environment and it still works just fine. – SDsolar Sep 07 '17 at 13:45
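As an added example (not part of the original question or any of the answers): a small Python script that scans firewall log lines for TCP SMB connections (ports 139 and 445) whose destination lies outside the internal address ranges, which is how a defender would spot the kind of outbound connection the question describes. The log format, the sample lines and the definition of "internal" (RFC 1918, loopback, link-local) are all assumptions made for this example.

```python
import ipaddress
# Constructed sample firewall log lines (not from the original page). The
# "ACTION proto src:port -> dst:port" layout is a hypothetical format.
SAMPLE_LOG = """\
ALLOW tcp 10.1.2.34:51022 -> 10.1.2.10:445
ALLOW tcp 10.1.2.35:51100 -> 203.0.113.7:445
DENY  tcp 10.1.2.36:51101 -> 198.51.100.9:445
ALLOW tcp 10.1.2.37:51200 -> 203.0.113.80:443
ALLOW udp 10.1.2.38:137 -> 192.168.5.255:137
ALLOW tcp 10.1.2.39:51300 -> 172.16.0.5:139
"""

# SMB over TCP: 445 (direct hosting) and 139 (NetBIOS session service).
SMB_PORTS = {139, 445}

# Assumed definition of "internal": RFC 1918, loopback and link-local.
# A site that owns public address space would add its own ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    src, sport = parts[2].rsplit(":", 1)
    dst, dport = parts[4].rsplit(":", 1)
    return {"action": parts[0], "proto": parts[1], "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_external_smb(log_text):
    """Return (src, dst, dport, action) for TCP SMB flows to non-internal hosts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if not is_internal(rec["dst"]):
            hits.append((rec["src"], rec["dst"], rec["dport"], rec["action"]))
    return hits

if __name__ == "__main__":
    for src, dst, port, action in find_external_smb(SAMPLE_LOG):
        print(f"{action}: SMB to non-internal host {src} -> {dst}:{port}")
```

Note that both allowed and denied flows are reported: a denied attempt still tells you which internal host is trying to reach an Internet SMB server.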