Server Message Block (SMB) shares are a critical component of most organizations, providing a central repository of files and other items that people need to access and share to do their jobs.
Often, organizations will have multiple file shares in use that are each maintained by the IT team. Typically, these file shares have specific permissions assigned to files and folders based on Active Directory groups, to ensure the proper permissions are set.
However, you’ll often see that users will create their own open file shares on their systems to share files between employees, guest virtual machines, and others. While it is normally fine to create a share on a system, the most critical aspect is ensuring the proper permissions are set.
Unfortunately, not many people actually establish who has access to read, write, and execute within these directories. Leaving these permissions open not only exposes the data within the share, but could also provide an attacker with remote access to your system.
As a security professional, it is critical that you identify these vulnerabilities within your environment and lock them down.
I was recently working with a customer on just this topic. Let’s look at how to identify these systems and then how to do a little forensic analysis to better understand the threat.
Detecting Unauthorized Shares with LogRhythm Network Monitor (NetMon)
SMB shares are easy to find passively using NetMon. All I have to do is look for the application traffic as it traverses the network, then eliminate known and authorized network shares from my search. I used the below query to uncover these network shares:
At the end of 30 days, the query turned up quite a few hits on the network.
Figure 1: Available SMB Shares on Laptops
Investigating Suspicious File Shares to Triage Threat
By digging into the data, I can see the systems hosting the shares, who is accessing them, what accounts are used (not shown in this screenshot, but present in other datasets), and the files being accessed.
Figure 2: Systems and Files
As you can see, a wealth of data is made available with NetMon to passively investigate the flows associated with the shares available on the network.
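The triage described above (find SMB traffic, drop the known and authorized file servers, then see who is touching what) can be sketched over exported flow records. This is an added example, not the query from the original post or NetMon's schema; the field names, hosts, accounts and addresses are constructed for illustration.

```python
# Added example: passive triage of SMB flows (all sample data is constructed).
from collections import defaultdict
from ipaddress import ip_address, ip_network

AUTHORIZED_SERVERS = {"10.0.10.5", "10.0.10.6"}   # IT-managed file servers (assumed)
WORKSTATION_NETS = [ip_network("10.0.50.0/24")]   # laptop/desktop range (assumed)
SMB_PORTS = {139, 445}
IGNORED_SHARES = {"IPC$"}                         # low-concern share, per the article

def flow(src, dst, port, app, share="", user="", file=""):
    return dict(src=src, dst=dst, port=port, app=app, share=share, user=user, file=file)

FLOWS = [  # constructed sample records
    flow("10.0.50.21", "10.0.10.5", 445, "smb", "dept", "alice", "plan.docx"),
    flow("10.0.50.22", "10.0.50.40", 445, "smb", "Shared", "bob", "Q3-invoices.xlsx"),
    flow("10.0.50.23", "10.0.50.40", 445, "smb", "Shared", "carol", "Q3-invoices.xlsx"),
    flow("10.0.50.22", "10.0.50.40", 445, "smb", "IPC$", "bob"),
    flow("10.0.50.30", "10.0.50.41", 445, "smb", "IPC$", "dave"),
    flow("10.0.50.24", "10.0.60.9", 445, "smb", "vmshare", "", "build.iso"),
    flow("10.0.50.24", "10.0.10.6", 443, "https"),
]

def is_smb(f):
    # Trust the classified application, fall back to the well-known ports.
    return f["app"].lower() == "smb" or f["port"] in SMB_PORTS

def unauthorized_share_hosts(flows, authorized=AUTHORIZED_SERVERS):
    """Group SMB flows by serving host, skipping authorized servers and IPC$."""
    hosts = defaultdict(lambda: {"shares": set(), "clients": set(), "users": set(), "files": set()})
    for f in flows:
        if not is_smb(f) or f["dst"] in authorized or f["share"].upper() in IGNORED_SHARES:
            continue
        seen = hosts[f["dst"]]
        seen["shares"].add(f["share"])
        seen["clients"].add(f["src"])
        for key in ("user", "file"):          # accounts and file names may be absent
            if f[key]:
                seen[key + "s"].add(f[key])
    return hosts

def report(flows):
    rows = []
    for host, seen in unauthorized_share_hosts(flows).items():
        row = {k: sorted(v) for k, v in seen.items()}
        row["host"] = host
        row["workstation_hosted"] = any(ip_address(host) in n for n in WORKSTATION_NETS)
        rows.append(row)
    return sorted(rows, key=lambda r: (-len(r["clients"]), r["host"]))
```

Hosts that only ever serve IPC$ drop out of the report, and shares hosted inside the workstation range are marked so they can be verified manually first.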
The next step is manual verification of the shares and validation of the data contained therein. A quick investigation revealed that most of the files are not sensitive in nature, but are set up for sharing between systems and within the same team.
Figure 3: File Share on Client Machine
At first glance, these don’t seem to be a big deal. But I did a little more digging into one of the shares hosted on a user’s laptop and found something a bit more concerning.
Figure 4: Customer Financial Data
My drill down revealed that the share left sensitive financial data exposed to everyone within the company. This type of data can be very damaging in the wrong hands. Fortunately, further auditing of this folder only showed legitimate access, and I was able to quickly eliminate the exposure.
SMB Shares as a Pivot Point
In the course of my investigation, I ran across another system (a laptop) that exhibited a more critical vulnerability. Just like the previous one, this system exposed sensitive data. But in this case, a peek into the current authorizations assigned to the share revealed that “everyone” has been granted “full control” over the defined share. This means that not only can everyone access the files contained therein, but anyone can also upload and execute arbitrary files on the remote host by way of this folder.
Figure 5: Open Laptop Share
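Once share permissions have been collected from the flagged hosts, the "everyone / full control" condition described above can be checked for in bulk. This is an added example, not part of the original post; the CSV layout (host, share, account, type, right), the host names and the list of broad principals are assumptions made for illustration.

```python
# Added example: flag shares whose ACL grants access to a broad principal.
# The CSV columns and every row below are constructed, not tool output.
import csv
import io

BROAD = {"everyone", "authenticated users", "domain users", "users", "anonymous logon"}
RANK = {"read": 1, "change": 2, "full": 3}
LABEL = {v: k for k, v in RANK.items()}
SKIP_SHARES = {"IPC$"}   # low-concern share, per the article

ACL_CSV = r"""host,share,account,type,right
LAPTOP-17,Shared,Everyone,Allow,Full
LAPTOP-17,IPC$,Everyone,Allow,Read
LAPTOP-22,Finance,CORP\Domain Users,Allow,Change
LAPTOP-22,Finance,CORP\jsmith,Allow,Full
LAPTOP-30,Scans,Everyone,Allow,Read
LAPTOP-30,Scans,Everyone,Deny,Full
FS01,Dept,CORP\Dept-RW,Allow,Change
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def principal(account):
    # Strip a DOMAIN\ prefix so "CORP\Domain Users" matches "domain users".
    return account.rsplit("\\", 1)[-1].strip().lower()

def audit(rows):
    allowed, denied = {}, set()
    for r in rows:
        who = principal(r["account"])
        if r["share"].upper() in SKIP_SHARES or who not in BROAD:
            continue
        key = (r["host"], r["share"], who)
        right = r["right"].lower()
        if r["type"].lower() == "deny":
            if right == "full":            # Deny overrides Allow for this principal
                denied.add(key)
        else:
            allowed[key] = max(allowed.get(key, 0), RANK.get(right, 0))
    findings = [
        {"host": h, "share": s, "account": w, "right": LABEL[rank]}
        for (h, s, w), rank in allowed.items()
        if rank and (h, s, w) not in denied
    ]
    # Full control first: it permits writing to the host, not only reading.
    return sorted(findings, key=lambda f: (-RANK[f["right"]], f["host"], f["share"]))
```

Partial Deny entries (anything other than Deny Full) are not evaluated here and still need a manual look.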
To make matters worse, SMB signing was not enabled within the organization, so man-in-the-middle attacks were an additional possibility. Compounding this risk is the fact that many companies do not have an adequate antivirus, so it would be easy to use PSExec to upload and execute malware on a target host.
Even with a solid antivirus and host intrusion prevention (HIPS) solution, there is an easy way around it. We can utilize the same PSExec attack without dropping a binary at all. Below is a screenshot of a successful PowerShell PSExec attack against the target system identified above, which bypasses a majority of endpoint security controls. The good news is that with a full suite of security tools, such as Carbon Black, I can detect the activity, and a HIPS will block the attack if it’s configured to deny communication between workstations.
Figure 6: Exploiting an open SMB Share and gaining a shell on a remote computer
This full control setting also means that whenever this laptop is taken off-premises and joined to a network using “home/work (with network sharing)” settings, these files and the system could be exposed to anyone else who happens to be scanning on that network.
Key Takeaways to Reduce Cyber Risk
As you can see, hosting local file shares significantly increases the risk to individuals and an organization.
SMB shares are one of the easiest ways for an attacker to pivot from system to system within an enterprise. This access allows attackers to steal files, migrate between systems, gather new and elevated credentials, and eventually gain access to whatever they came to take in the first place.
Traditionally, the process to detect open shares on a network can be quite cumbersome. You would need to touch each host, validate what shares are open, and remove ones that are of little concern (such as IPC$ shares).
By utilizing passive network monitoring, you can uncover these vulnerabilities within a matter of seconds, find out who is accessing the data, and what systems users are coming from—all without touching a single host. Once open and unauthorized shares are identified, permissions can be locked down to those with a particular business need to avoid exposing end-user systems to sensitive data leakage and potential compromise.
If you don’t have a network monitor solution, do yourself a favor and check out NetMon Freemium. Good news: It’s powerful and free.