SMB Signing Not Enforced
Understand SMB signing vulnerabilities and relay attacks. Complete pentesting guide with CrackMapExec, Responder, ntlmrelayx, and remediation steps.
What is SMB Signing Not Enforced?
SMB (Server Message Block) signing is a security mechanism that adds a cryptographic signature to each SMB packet, ensuring message integrity and authenticity. When SMB signing is not required (i.e., set to "enabled" but not "required"), clients and servers may negotiate unsigned SMB sessions, leaving the communication channel vulnerable to man-in-the-middle attacks. By default, only Windows domain controllers require SMB signing; all other Windows systems merely enable it without requiring it, creating a significant attack surface across typical enterprise environments.
The vulnerability is particularly impactful because SMB is the primary file-sharing and inter-process communication protocol in Windows environments. It is used for accessing network shares, domain authentication, Group Policy distribution, remote administration, and numerous other critical functions. When SMB signing is not enforced, an attacker positioned on the network can intercept and relay NTLM authentication attempts without needing to crack the underlying credentials.
SMB relay attacks remain one of the most reliable and high-impact techniques in internal network penetration testing. The attack requires only network-level access (no credentials) and can result in immediate administrative access to servers and workstations. The combination of LLMNR/NBT-NS poisoning with SMB relay against hosts that do not require SMB signing is a textbook internal network compromise path.
How It Works
The attack chain begins with the adversary positioning themselves to intercept network authentication traffic. Using tools like Responder or Inveigh, the attacker poisons LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) responses on the local network segment. When a victim system attempts to resolve a hostname that DNS cannot resolve, it falls back to these multicast/broadcast protocols. The attacker responds to these queries, claiming to be the requested resource, causing the victim's system to initiate an NTLM authentication handshake with the attacker.
Instead of capturing and cracking the NTLM hash (which can be time-consuming for strong passwords), the attacker relays the authentication attempt in real-time to a different target system that does not require SMB signing. Using ntlmrelayx (from Impacket) or MultiRelay (from Responder), the attacker forwards the victim's NTLM authentication messages to the target, effectively authenticating as the victim on the target system. If the victim has administrative privileges on the target, the attacker gains administrative access without ever knowing the victim's password.
The practical execution involves running Responder to capture authentication attempts (responder -I eth0 -wrd) alongside ntlmrelayx targeting hosts without SMB signing (ntlmrelayx.py -tf nosigning.txt -smb2support). The relay tool can be configured to execute commands, dump SAM hashes, deploy implants, or establish interactive sessions on successfully relayed targets. This technique can be further enhanced by triggering authentication attempts through techniques like the PrinterBug (SpoolSample), PetitPotam, or DFSCoerce, which force specific high-value targets like domain controllers to authenticate to the attacker.
Impact
- Man-in-the-middle attacks allowing interception and modification of SMB traffic including file transfers and administrative commands
- NTLM relay attacks enabling administrative access to servers and workstations without credential cracking
- Lateral movement across the domain by relaying privileged user authentications to multiple target systems
- Credential harvesting through forced authentication combined with hash capturing tools
- Domain compromise when authentication from privileged accounts (Domain Admins) is relayed to domain controllers or other high-value targets
- Covert persistence establishment through relayed sessions used to deploy backdoors, create accounts, or modify system configurations
- Data exfiltration by intercepting or redirecting file share access through manipulated SMB sessions
Remediation Steps
- Enable and require SMB signing on ALL Windows systems (not just domain controllers) via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options; set "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)" to Enabled
- Deploy the GPO change in phases, starting with a pilot group, as requiring SMB signing can cause compatibility issues with legacy systems and may introduce a minor performance overhead (typically 5-10%)
- Disable LLMNR via Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution = Enabled
- Disable NBT-NS on all network interfaces via DHCP option or through network adapter configuration: Network Adapter > TCP/IP Properties > Advanced > WINS > Disable NetBIOS over TCP/IP
- Implement Extended Protection for Authentication (EPA) and require Channel Binding Tokens for NTLM authentication to mitigate relay attacks at the protocol level
- Migrate to Kerberos-only authentication where possible and consider disabling NTLM entirely through the GPO setting "Network security: Restrict NTLM: Incoming NTLM traffic" set to "Deny all"
- Deploy network-level monitoring for LLMNR/NBT-NS traffic and SMB relay indicators using IDS rules or EDR solutions
Testing Guidance
Start by identifying all hosts in the target environment that do not require SMB signing. CrackMapExec provides the most efficient method: crackmapexec smb target_range --gen-relay-list nosigning.txt. This command scans the specified IP range and outputs a list of hosts where SMB signing is not required. Alternatively, use Nmap with the smb2-security-mode script: nmap -p 445 --script smb2-security-mode -oA smb_signing target_range. Hosts reporting "Message signing enabled but not required" are vulnerable to relay attacks.
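As an added example (not code from the page or from the tools it names), here is the check those tools perform, written in Python: read the SecurityMode field of the server's SMB2 NEGOTIATE response, which is where the "enabled but not required" state described above is advertised, and list the hosts that do not require signing. The responses are constructed inline so the script runs offline; auditing real hosts would mean reading the response from a TCP/445 socket instead.

```python
import struct

# Field values from the SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4)
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED

def parse_negotiate_response(packet: bytes) -> dict:
    """Parse a NEGOTIATE response as read from TCP/445: 4-byte NetBIOS
    session header, 64-byte SMB2 header, then the response body."""
    if len(packet) < 4 + 64 + 6:
        raise ValueError("too short for an SMB2 NEGOTIATE response")
    smb = packet[4:4 + int.from_bytes(packet[1:4], "big")]
    if smb[:4] != SMB2_MAGIC:
        raise ValueError("not SMB2 (SMB1-only host, or not SMB at all)")
    hdr_size, = struct.unpack_from("<H", smb, 4)
    command, = struct.unpack_from("<H", smb, 12)
    flags, = struct.unpack_from("<I", smb, 16)
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", smb, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {"dialect": dialect,
            "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}

def classify(info: dict) -> str:
    """Same three states Nmap's smb2-security-mode script reports."""
    if info["signing_required"]:
        return "required"
    return "enabled-not-required" if info["signing_enabled"] else "disabled"

def relay_exposed(responses: dict) -> list:
    """Hosts that do not require signing: the set --gen-relay-list writes out."""
    return [host for host, pkt in responses.items()
            if classify(parse_negotiate_response(pkt)) != "required"]

def build_sample_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed response for the demo, not a capture: only the fields the
    parser reads are populated, everything else is zero."""
    hdr = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1,
                                   SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0)
    hdr += b"\x00" * 16                               # Signature field
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 56
    return b"\x00" + len(hdr + body).to_bytes(3, "big") + hdr + body
```

A member server with the Windows default advertises SIGNING_ENABLED only and lands in the relay_exposed list; a domain controller advertises both bits and is excluded.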
To demonstrate the impact, set up a relay attack chain (with explicit authorisation). First, start ntlmrelayx targeting the hosts without signing: ntlmrelayx.py -tf nosigning.txt -smb2support -i (the -i flag spawns interactive SMB shells on successful relay). Simultaneously, run Responder to poison LLMNR/NBT-NS: responder -I eth0 -wrd (ensure the SMB and HTTP servers in Responder are disabled to avoid conflicts with ntlmrelayx). Wait for authentication attempts to be captured and relayed, or actively trigger them using coercion techniques like PetitPotam: python3 PetitPotam.py listener_ip target_ip.
Document the percentage of systems in the environment that do not require SMB signing (typically 90%+ in environments without hardening). Report each successful relay with the source (victim) identity, target host, and access level obtained. For environments where active exploitation is out of scope, the mere identification of SMB signing not being required, combined with active LLMNR/NBT-NS responses, constitutes a reportable finding. Use crackmapexec smb target -u '' -p '' --shares to test for null session access as additional evidence of SMB misconfiguration.