SMB Signing Not Required

Detects a 'Missing Authorization' vulnerability in SMB when signing is not required on the remote server. This check helps identify servers with insecure configurations that may allow unauthorized access.

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 18 days 22 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

Server Message Block (SMB) is a network file sharing protocol primarily used by Windows-based systems for providing shared access to files, printers, and serial ports. It is widely deployed in enterprise environments and critical infrastructure for inter-process communication and resource access. System administrators use SMB to enable file transfers and remote administrative tasks across corporate networks. The SMB protocol runs over TCP port 445 and often integrates with Active Directory for authentication. Due to its ubiquity, it becomes a high-value target for attackers seeking lateral movement within networks. Ensuring secure configuration of SMB services is vital for protecting internal assets from unauthorized access.

The vulnerability arises when SMB servers do not require signing, allowing unauthorized parties to interact with the service without integrity verification. SMB signing is a mechanism used to prevent man-in-the-middle attacks and ensure message authenticity. When signing is disabled or not required, malicious actors may tamper with SMB traffic or impersonate legitimate users. This opens the door for credential interception, unauthorized access to shared resources, and exploitation of further vulnerabilities. Systems with signing disabled are particularly vulnerable in environments lacking other strong access controls. The absence of signing creates a security gap that attackers can exploit during lateral movement or privilege escalation.

The vulnerability is identified by checking the SMBv2 metadata for the presence of flags indicating that signing is enabled but not required. The detection logic specifically looks for a response containing `"SigningEnabled": true` and `"SigningRequired": false`, which signifies that the server allows unsigned communication despite supporting signing. This check is performed over port 445 using test credentials. The presence of this insecure configuration means that clients can connect to the SMB service without message signing, reducing the integrity and security of SMB sessions. Exploiting this misconfiguration requires network access to the target but no authentication. The detection relies on enumerating SMBv2 capabilities through crafted protocol requests.
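The two flags described above come from the SecurityMode field of the SMB2 NEGOTIATE response. The following is an added example, not the scanner's own code: it decodes that field from a raw response and applies the rule quoted above. The function names and the sample messages are assumptions constructed for illustration; the dictionary keys mirror the metadata keys the page quotes.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def parse_negotiate_response(msg: bytes) -> dict:
    """Extract signing metadata from a raw SMB2 NEGOTIATE response
    (SMB2 header + body, without the 4-byte transport length prefix)."""
    if len(msg) < SMB2_HEADER_LEN + 6:
        raise ValueError("truncated SMB2 message")
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message (SMB1 or other protocol)")
    status, command = struct.unpack_from("<IH", msg, 8)  # Status @8, Command @12
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected reply: command={command:#x} status={status:#x}")
    struct_size, sec_mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError("malformed NEGOTIATE response body")
    return {
        "Dialect": f"{dialect:#06x}",
        "SigningEnabled": bool(sec_mode & SIGNING_ENABLED),
        "SigningRequired": bool(sec_mode & SIGNING_REQUIRED),
    }


def is_finding(meta: dict) -> bool:
    """Rule quoted on the page: signing is enabled but not required."""
    return meta["SigningEnabled"] and not meta["SigningRequired"]


def build_sample(sec_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed NEGOTIATE response for the demo (not captured traffic)."""
    header = SMB2_MAGIC + struct.pack("<HHIHH", 64, 0, 0, SMB2_NEGOTIATE, 1) + bytes(48)
    body = struct.pack("<HHH", 65, sec_mode, dialect) + bytes(58)
    return header + body


if __name__ == "__main__":
    for name, mode in (("enabled-only", 0x01), ("enabled+required", 0x03)):
        meta = parse_negotiate_response(build_sample(mode))
        print(name, meta, "FINDING" if is_finding(meta) else "ok")
```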

If this vulnerability is exploited, attackers can perform man-in-the-middle attacks, tamper with SMB data packets, or impersonate trusted systems. Sensitive files shared via SMB could be accessed, altered, or stolen. It also increases the likelihood of credential theft through NTLM relay attacks. Attackers may use this vector to pivot across systems in a network, gaining unauthorized access to broader resources. The compromised SMB configuration weakens the overall network security posture. In enterprise environments, this could lead to significant data breaches and service disruptions.
