This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

SMB Signing False Positive #307

Closed
0xSeanG opened this issue May 1, 2019 · 7 comments

@0xSeanG

0xSeanG commented May 1, 2019

Steps to reproduce

  1. cme smb [target] (reports no signing)
  2. nmap --script smb2-security-mode.nse [target] (reports signing enabled and required)

Command string used

cme smb [target]

CME verbose output (using the --verbose flag)

n/a - cme error

CME Version (cme --version)

4.0.1dev

OS

Kali

Target OS

Windows 10

Detailed issue explanation

confirmed local sec pol matches the nmap results

@awsmhacks
Contributor

Hmm, wondering if this is due to out-of-date impacket submodule or what exactly.
Can you check what responder's runfinger shows for the smb_signing? https://github.com/lgandx/Responder/blob/master/tools/RunFinger.py

I see a commit in April in impacket changing how the signing flag was obtained in smb3.py (smb3 covers v2+v3), so that might be it? I'll try and test myself soon.

I'm guessing --gen-relay-list is showing the host as not requiring signing as well?

@0xSeanG
Author

0xSeanG commented May 1, 2019

Correct on gen-relay-list... I'll check on runfinger in the morning and report back

@awsmhacks
Contributor

Tested on win7 and it's working as it should, must be win10 specific. Testing that next.

@0xSeanG
Author

0xSeanG commented May 2, 2019

Having issues with RunFinger.py... which makes me think the issue may be on my end and not the tool... Some of the w10 machines fingerprinted accurately.

@awsmhacks
Contributor

starting to test on win10.
Trying to get a baseline and getting weird results though.

Using regedit to flip flags on and off, and just so we're on the same page:
hklm\system\currentcontrolset\services\lanmanserver\parameters

  • enablesecuritysignature
  • requiresecuritysignature
  • SMB1
  • SMB2

  1. With enabled and required turned off (set to 0), smb1 off, and smb2 on, verified with powershell via Get-SmbServerConfiguration:
    Nmap still shows message signing enabled, but not required, so something is broken with that.

  2. Now turning on requiresecuritysignature:
    Nmap shows enabled and required. (Even with messagesigning disabled, so maybe smb2 has signing always enabled and you only toggle required/not required?)
    I did confirm that CME isn't detecting that change though, still shows signing as false.
    Going to start digging around for what's up.
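
An added example, not part of the thread and not CME or impacket code: an SMB2 NEGOTIATE response carries the signing state as two bits of its SecurityMode field (0x0001 enabled, 0x0002 required), and this minimal parser reads them. The sample responses are constructed to mirror the two nmap results described above; `build_response` is a hypothetical helper.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def parse_signing(msg: bytes) -> dict:
    """Read the signing posture from an SMB2 NEGOTIATE response.

    `msg` starts at the SMB2 header (4-byte NetBIOS session prefix removed).
    """
    if len(msg) < SMB2_HEADER_LEN + 6 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Header: StructureSize, CreditCharge, Status, Command follow the magic.
    hdr_size, _credit, status, command = struct.unpack_from("<HHIH", msg, 4)
    if hdr_size != SMB2_HEADER_LEN or command != 0x0000:
        raise ValueError("not a NEGOTIATE response")
    if status != 0:
        raise ValueError(f"negotiate failed, NTSTATUS 0x{status:08x}")
    # Body: StructureSize (65), SecurityMode, DialectRevision.
    body_size, sec_mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response body")
    return {
        "dialect": f"0x{dialect:04x}",
        "enabled": bool(sec_mode & SIGNING_ENABLED),
        "required": bool(sec_mode & SIGNING_REQUIRED),
    }


def build_response(sec_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample response (hypothetical helper, zeroed GUID/times)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, 0x0000,
                         1, 0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, dialect, 0,
                       b"\x00" * 16, 0, 1 << 20, 1 << 20, 1 << 20,
                       0, 0, 128, 0, 0)
    return header + body + b"\x00"


if __name__ == "__main__":
    # Constructed inputs mirroring the two nmap results described above.
    for label, mode in (("requiresecuritysignature=0", 0x0001),
                        ("requiresecuritysignature=1", 0x0003)):
        print(label, parse_signing(build_response(mode)))
```

A host is only a relay candidate when `required` is false; the `enabled` bit alone does not enforce signing.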

@awsmhacks
Contributor

It's an issue in impacket, which cme uses for smb connection stuffs.
Fixed in the latest version though, so you need to update the submodule, then rebuild cme.
To manually do this:

from the root of where you have cme cloned i.e. /opt/CrackMapExec
# cd cme/thirdparty/impacket/
# git fetch
...stuff...
# git pull
...stuff...
# cd ../../../           (change back to root folder of cme)
# ./setup.py install


@mpgn
Contributor

mpgn commented Apr 20, 2020

Should be fixed so I'm closing, thank you @awsmhacks :)

@mpgn mpgn closed this as completed Apr 20, 2020