May 9, 2019

Take My Credentials Please – WST

Server Message Block (SMB) is the network sharing protocol that is commonly used in organizations to allow systems within the same network to share files. SMB requires ports 139 or 445 to be open, to communicate with other systems.

One way that an attacker can take advantage of this protocol, is if an organization’s outbound SMB traffic is not blocked at the firewall.  An attacker can send an email containing links to a resource such as an image on a remote server. If a user clicks the link, a Windows workstation will try to authenticate to the remote share and sends your encrypted credentials to the remote server. After this happens an attacker can attempt to crack the encryption using readily available tools on the internet and collect the credentials. At this point it’s simply a matter of time before a persistent attacker can find a place on your network to use these credentials for further attacks.

SMB security best practices would be to block all versions of SMB at the network boundary by blocking TCP port 139 and 445 plus all related UDP protocols (137,138), for boundary devices.

Link to CISA best practices:

Past Weekly Security Tips – WST