Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.

##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

# Plugin registration. When the engine loads the script with `description`
# set, only this block runs: it records the plugin metadata and exits before
# any network activity takes place.
if (description)
{
  script_id(57608);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/10/05");

  script_name(english:"SMB Signing not required");

  script_set_attribute(attribute:"synopsis", value:
"Signing is not required on the remote SMB server.");
  script_set_attribute(attribute:"description", value:
"Signing is not required on the remote SMB server. An unauthenticated,
remote attacker can exploit this to conduct man-in-the-middle attacks
against the SMB server.");
  # The nessus.org short links below resolve to the vendor pages given in
  # the preceding comment lines.
  # https://support.microsoft.com/en-us/help/887429/overview-of-server-message-block-signing
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?df39b8b3");
  script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/library/cc731957.aspx");
  # http://technet.microsoft.com/en-us/library/cc786681%28WS.10%29.aspx
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?74b80723");
  script_set_attribute(attribute:"see_also", value:"https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html");
  # https://library.netapp.com/ecmdocs/ECMP1196993/html/GUID-084BBC00-EBD4-4899-AD85-9628368D3AF2.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a3cac4ea");
  script_set_attribute(attribute:"solution", value:
"Enforce message signing in the host's configuration. On Windows, this
is found in the policy setting 'Microsoft network server: Digitally
sign communications (always)'. On Samba, the setting is called 'server
signing'. See the 'see also' links for further details.");
  # Integrity-only impact (C:N/I:P/A:N): the finding is that traffic can be
  # tampered with in transit, not that data is disclosed or service denied.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"Based on analysis of vulnerability");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/19");

  script_set_attribute(attribute:"plugin_type", value: "remote");
  script_end_attributes();

  # Unauthenticated information-gathering check: it only inspects the
  # negotiate response and never logs in.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs after service detection so the SMB transport port is known.
  script_dependencies("find_service2.nasl");
  script_require_ports("Services/smb", 139, 445);
  exit(0);
}

include('byte_func.inc');
include('smb_func.inc');

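# Get the SMB transport port recorded by service detection, falling back
# to 139 (NetBIOS session service) when nothing was recorded.
port = kb_smb_transport();
if (!port) port = 139;

# Ensure the port is open.
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

# Open a socket
s = open_sock_tcp(port);
if (!s) audit(AUDIT_SOCK_FAIL, port);

# Send the SMB_COM_NEGOTIATE packet and keep the raw response. Only the
# negotiate exchange is needed for this check, so the socket is closed
# before the response is parsed (s is known to be valid here, no guard needed).
session_init(socket:s);
result = smb_negotiate_protocol(extended:TRUE);

close(s);
if (isnull(result)) audit(AUDIT_RESP_BAD, port);
# NOTE(review): a host that does not answer the negotiate at all (for
# instance SMBv1 disabled and no SMB2 dialect offered in the request) ends
# here with AUDIT_RESP_BAD rather than having its SMB2 signing mode tested;
# confirm which dialects smb_negotiate_protocol advertises.

# First byte of the response selects the protocol family:
# 0xFF ("\xFFSMB") is SMBv1, 0xFE ("\xFESMB") is SMBv2/3.
protocol = ord(result);

# SMBv1
if (protocol == 0xFF)
{
  # SecurityMode is read at SMB_HDR_SIZE + 3, so the response must carry at
  # least four bytes past the header; anything shorter is malformed.
  if (strlen(result) < SMB_HDR_SIZE + 4) audit(AUDIT_RESP_BAD, port);

  # If the negotiated dialect is NT LAN Manager, 
  # the structure of the SMB_COM_NEGOTIATE response is as follows.
  #
  #   SMB_Parameters
  #   {
  #     UCHAR  WordCount;          result[SMB_HDR_SIZE + 0x00]
  #     Words
  #     {
  #       USHORT   DialectIndex;   result[SMB_HDR_SIZE + 0x01]
  #       UCHAR    SecurityMode;   result[SMB_HDR_SIZE + 0x03]
  #       USHORT   MaxMpxCount;
  #       USHORT   MaxNumberVcs;
  #       ULONG    MaxBufferSize;
  #       ULONG    MaxRawSize;
  #       ULONG    SessionKey;
  #       ULONG    Capabilities;
  #       FILETIME SystemTime;
  #       SHORT    ServerTimeZone;
  #       UCHAR    ChallengeLength;
  #     }
  #   }
  #   SMB_Data
  #   {
  #     USHORT ByteCount;
  #     Bytes
  #   {
  #     UCHAR  Challenge[];
  #     SMB_STRING  DomainName[];
  #   }
  #
  # NOTE(review): WordCount and DialectIndex are not validated, so a response
  # that selected a pre-NT dialect (or none) is parsed with the NT layout above;
  # the byte at +0x03 then does not hold the NT SecurityMode. Worth confirming
  # whether a WordCount check is wanted before trusting the flag.

  security_flags = get_byte(blob:result, pos:SMB_HDR_SIZE + 0x03);
  if (isnull(security_flags)) audit(AUDIT_RESP_BAD, port);

  # Signing merely being *enabled* is not enough: a client that does not
  # sign is still accepted. Only the "required" bit closes the MitM window.
  if ((security_flags & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) == 0)
  {
    security_warning(port:port);
    exit(0);
  }
}
# SMBv2+
else if (protocol == 0xFE)
{
  # SecurityMode is a 16-bit field at SMB2_HDR_SIZE + 2 (after StructureSize),
  # so the response must carry at least four bytes past the header.
  if (strlen(result) < SMB2_HDR_SIZE + 4) audit(AUDIT_RESP_BAD, port);

  security_flags = get_word(blob:result, pos:SMB2_HDR_SIZE + 0x02);
  if (isnull(security_flags)) audit(AUDIT_RESP_BAD, port);
  # NOTE(review): an SMB2 ERROR response has a different body layout; whether
  # smb_negotiate_protocol can return one here as non-NULL is not visible in
  # this file — confirm, since the word at +0x02 would then not be SecurityMode.

  # As for SMBv1: only the "required" bit counts, "enabled" alone is reported.
  if ((security_flags & SMB2_NEGOTIATE_SIGNING_REQUIRED) == 0)
  {
    security_warning(port:port);
    exit(0);
  }
}
# Unknown Protocol
else audit(AUDIT_RESP_BAD, port);

audit(AUDIT_HOST_NOT, 'affected');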