Passive Discovery and Exploitation of Open SMB Shares

Server Message Block (SMB) shares are a critical component to most organizations—allowing for a central repository of files and other items that people need to access and share to do their jobs.

Often, organizations will have multiple file shares in use that are each maintained by the IT team. Typically, these files shares have specific permissions assigned to files and folders based on the Active Directory groups, to ensure the proper permissions are set.

However, you’ll often see that users will create their own open file shares on their systems to share files between employees, guest virtual machines, and others. While it is normally fine to create a share on a system, the most critical aspect is ensuring the proper permissions are set.

Unfortunately, not many people actually establish who has access to read, write, and execute within these directories. Leaving these permissions open allows for not only the exposure of the data within the share, but it could also provide an attacker with remote access to your system.

As a security professional, it is critical that you identify these vulnerabilities within your environment and lock them down.

I was recently working with a customer on just this topic. Let’s look at how to identify these systems and then how to do a little forensic analysis to better understand the threat.

Detecting Unauthorized Shares with Network Monitor

SMB shares are easy to find passively using LogRhythm Network Monitor. All I have to do is look for the application traffic as it traverses the network, then eliminate known and authorized network shares from my search. I used the below query to uncover these network shares:

Application:SMB AND _exists_:Path AND Path:(\\<laptop naming schema>*) AND -Path:(\\<whatever shares you want to ignore> OR *IPC$)

At the end of 30 days, the query turned up quite a few hits on the network.

Figure 1: Available SMB Shares on Laptops

Figure 1: Available SMB Shares on Laptops (Click on images to view larger.)

Investigating Suspicious File Shares to Triage Threat

By digging into the data, I can see the systems hosting the shares, who is accessing them, what accounts are used (not shown in this screenshot, but present in other datasets), and the files being accessed.

Figure 2: Systems and Files

Figure 2: Systems and Files (Click on images to view larger.)

As you can see, a wealth of data is made available with Network Monitor to passively investigate the flows associated with the shares available on the network.

The next step is manual verification of the shares and validation of the data contained therein. A quick investigation revealed that most of the files are not sensitive in nature, but are set up for sharing between systems and within the same team.

Figure 3: File Share on Client Machine

Figure 3: File Share on Client Machine (Click on images to view larger.)

At first glance, these don’t seem to be a big deal. But I did a little more digging into one of the shares hosted on a user’s laptop and found something a bit more concerning.

Figure 4: Customer Financial Data

Figure 4: Customer Financial Data (Click on images to view larger.)

My drill down revealed that the share left sensitive financial data exposed to everyone within the company. This type of data can be very damaging in the wrong hands. Fortunately, further auditing of this folder only showed legitimate access, and I was able to quickly eliminate the exposure.

SMB Shares as A Pivot Point

In the course of my investigation, I ran across another system (a laptop) that exhibited a more critical vulnerability. Just like the previous one, this system exposed sensitive data. But in this case, a peek into the current authorizations assigned to the share revealed that “everyone” has been granted “full control” over the defined share. This means that not only can everyone access the files contained therein, but anyone can also upload and execute arbitrary files on the remote host by way of this folder.

Figure 5: Open Laptop Share

Figure 5: Open Laptop Share (Click on images to view larger.)

To make matters worse, SMB signing was not enabled within the organization, so man-in-the-middle attacks were an additional possibility. Compounding this risk is the fact that many companies do not have an adequate antivirus, so it would be easy to use PSExec to upload and execute malware on a target host.

Even with a solid antivirus and host intrusion prevention (HIPS) solution, there is an easy way around it. We can utilize the same PSExec attack without dropping a binary at all. Below is a screenshot of a successful PowerShell PSExec attack against the target system identified above, which bypasses a majority of endpoint security controls. The good news is with a full suite of security tools, such as Carbon Black, I can detect the activity and a HIPS will block the attack if it’s configured to deny communication between workstations.

Figure 6: Exploiting an open SMB Share and gaining a shell on a remote computer

Figure 6: Exploiting an open SMB Share and gaining a shell on a remote computer (Click on images to view larger.)

This full control setting also means that whenever this laptop is taken off-premise and joined to a network using “home/work (with network sharing)” settings, these files and the system could be exposed to anyone else that happens to be scanning on that network.

Key Takeaways to Reduce Cyber Risk

As you can see, hosting local file shares significantly increases the risk to individuals and an organization.

SMB shares are one of the easiest ways for an attacker to pivot from system to system within an enterprise. This access allows attackers to steal files, migrate between systems, gather new and elevated credentials, and eventually gain access to whatever they came to take in the first place.

Traditionally, the process to detect open shares on a network can be quite cumbersome. You would need to touch each host, validate what shares are open, and remove ones that are of little concern (such as IPC$ shares).

By utilizing passive network monitoring, you can uncover these vulnerabilities within a matter of seconds, find out who is accessing the data, and what systems users are coming from—all without touching a single host. Once open and unauthorized shares are identified, permissions can be locked down to those with a particular business need to avoid exposing end-user systems to sensitive data leakage and potential compromise.

If you don’t have a Network Monitor solution, do yourself a favor and check out NetMon Freemium. Good news: It’s powerful and free.

Try NetMon Freemium

Detecting Home Network Issues with Network Monitor

How to Build a Miniature Network Monitor Device

Catching Beaconing Malware

Detecting the BlackNurse DDoS Attack with Network Monitor

The Top 8 Things to Analyze in Your Network to Detect a Compromised System

Detecting New Network Services with Behavioral Analytics