SMB v1 Supported Detection Scanner

This scanner detects the use of SMB version 1.0 in digital assets. SMBv1 is an outdated and insecure file-sharing protocol that may expose systems to serious vulnerabilities if enabled.

Short Info

Level: Informational
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 17 days 19 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Server Message Block (SMB) is a protocol used by Windows systems for file and printer sharing across a network. SMB version 1 (SMBv1) is the earliest version and has been deprecated due to significant security vulnerabilities. Despite this, some legacy systems and applications may still rely on SMBv1. IT administrators in enterprise networks may encounter SMBv1 in environments with older Windows versions or embedded devices. Its continued support is typically for backward compatibility but presents a high security risk. Identifying systems with SMBv1 enabled is critical for network hardening and modernization efforts.

This detection identifies whether SMB version 1.0 is supported on the target system. The presence of SMBv1 is considered a security misconfiguration due to its known vulnerabilities and lack of modern encryption features. The protocol has been exploited in major attacks such as WannaCry and NotPetya. Detecting SMBv1 enables security teams to take action to disable it and migrate to safer alternatives. This helps reduce the risk of lateral movement and remote code execution within networks. SMBv1 support should be removed wherever possible to maintain a secure infrastructure.

The scanner uses a JavaScript-based SMB client to initiate a connection on the target system's SMB port (445). It performs an SMB handshake and queries protocol support information. The detection logic looks for the key "SupportV1": true in the response, which confirms SMBv1 capability. No authentication is needed, making this a passive and safe check. The result is parsed and evaluated for SMBv1 support before reporting detection. The technique is suitable for identifying legacy protocol usage across internal and external assets.
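The negotiate-level check described above can be sketched as follows. This is an added example, not the scanner's own code: it assumes SMBv1 support is inferred by offering only the "NT LM 0.12" dialect and checking that the server selects it. The function names are hypothetical and the sample replies are constructed.

```python
import socket
import struct

DIALECT = b"\x02NT LM 0.12\x00"  # the only dialect offered: SMB1

def build_negotiate() -> bytes:
    """SMB1 NEGOTIATE request (command 0x72) offering only NT LM 0.12."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", 0x72,      # protocol id, command = NEGOTIATE
        0,                     # status
        0x18, 0xC801,          # flags, flags2
        0, b"\x00" * 8, 0,     # PIDHigh, security features, reserved
        0xFFFF, 0xFEFF, 0, 0,  # TID, PIDLow, UID, MID
    )
    body = header + b"\x00" + struct.pack("<H", len(DIALECT)) + DIALECT
    return struct.pack(">I", len(body)) + body  # NetBIOS session header

def accepts_smbv1(response: bytes) -> bool:
    """True only if the reply is an SMB1 NEGOTIATE success selecting a dialect."""
    smb = response[4:]  # skip the 4-byte NetBIOS session header
    if len(smb) < 35 or smb[:4] != b"\xffSMB" or smb[4] != 0x72:
        return False  # reset, empty read, or an SMB2 (\xfeSMB) reply
    status, = struct.unpack_from("<I", smb, 5)
    word_count = smb[32]
    dialect_index, = struct.unpack_from("<H", smb, 33)
    return status == 0 and word_count >= 1 and dialect_index != 0xFFFF

def probe(host: str, port: int = 445, timeout: float = 5.0) -> bool:
    """Unauthenticated: sends one NEGOTIATE, reads the reply, sets up no session."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            return accepts_smbv1(s.recv(1024))
    except OSError:
        return False  # closed port or dropped connection: not supported

def sample_reply(dialect_index: int, magic: bytes = b"\xffSMB") -> bytes:
    """Constructed minimal reply for offline testing (not a real capture)."""
    smb = magic + b"\x72" + b"\x00" * 27 + b"\x01" + struct.pack("<H", dialect_index)
    return struct.pack(">I", len(smb)) + smb

if __name__ == "__main__":
    print(accepts_smbv1(sample_reply(0)))       # server selected NT LM 0.12
    print(accepts_smbv1(sample_reply(0xFFFF)))  # server refused every dialect
```

A dialect index of 0xFFFF means the server understood the request but refused every offered dialect, so it is reported as not supporting SMBv1, as is a connection that is closed without a reply.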

If SMBv1 is enabled, systems become vulnerable to a variety of exploits, including remote code execution and denial-of-service attacks. The lack of security controls like encryption and proper signing in SMBv1 makes it a weak point in modern networks. Attackers can exploit it to propagate malware or gain unauthorized access to files and devices. SMBv1 exposure also increases the attack surface of enterprise environments. Removing it is essential to prevent lateral movement during targeted attacks. Continued support for SMBv1 poses a significant security liability.
