Recently, a vulnerability in SMBv3.1.1 (CVE-2020-0796) was disclosed before any patch was available. SMB, also known as the Server Message Block protocol, is the network file-sharing protocol built into Microsoft Windows; the flaw lies in the way SMBv3.1.1 handles certain compressed requests.
Microsoft's security advisory describes it as follows:
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
Anyone who wants to know which SMB version a system or application negotiates can use the nmap script shown in this walkthrough.
Below are the affected Windows versions, which should be updated immediately:
The script is smb-protocols, which on Kali Linux is found under /usr/share/nmap/scripts, as in the screenshot below.
To use this script during the information-gathering phase, run: nmap --script smb-protocols -p 445 <ip address>. It lists the SMB dialects the target accepts (SMBv3.1.1 is shown as 3.1.1), which tells you whether the vulnerable dialect is exposed at all.
Another way to verify whether your SMBv3 server is exposed to the exploit is the SMBGhost scanner.
The screenshot above shows how to install SMBGhost on your machine with the command:
git clone https://github.com/ollypwn/SMBGhost.git
To run the SMBGhost scanner, execute the command shown in the screenshot. The scan takes a moment and then prints either "Vulnerable" or "Not Vulnerable" for the target. Note that the scanner only checks whether the server negotiates SMBv3.1.1 with compression enabled; it does not trigger the bug, so a "Vulnerable" result means the compression attack surface is reachable, and patch state should still be confirmed on the host.
Last Thursday, Microsoft released guidance on how to contain this vulnerability. While waiting for the patch, the workaround is to disable SMBv3 compression on the Windows server (the SMBv3 service itself stays enabled), which is what the SMBGhost-style scanners look for.
To disable SMBv3 compression, the administrator runs the PowerShell command below; it writes a registry value, so the same change can also be made manually in the Windows Registry.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
No reboot is required, and the change can be reverted by setting the same value back to 0. Two caveats: the workaround only protects the SMB server side and does not prevent exploitation of an SMB client that connects to a malicious server, and it is still advisable to block inbound TCP port 445 at the perimeter firewall until the patch is applied.