SMB Enumeration and Exploitation: Null Sessions, Signing, EternalBlue Era Lessons
SMB is still the loudest single protocol on internal networks. A pentester reference covering null sessions, signing, share enumeration, and post-EternalBlue lessons.
By Arjun Raghavan, Security & Systems Lead, BIPI · December 3, 2024 · 9 min read
SMB is the workhorse of internal Windows networks. It carries file access, printer traffic, named pipes, and a remarkable amount of administrative tooling. Every internal engagement starts with an SMB sweep, because the protocol leaks more information per packet than almost anything else still in production.
The first sweep
NetExec (the successor to CrackMapExec) is the right starting tool. A network-wide sweep returns OS, domain, signing status, SMB version, and null session reachability in one pass.
- nxc smb 10.0.0.0/24 to map the estate
- nxc smb 10.0.0.0/24 -u '' -p '' --shares to find null-session accessible shares
- nxc smb 10.0.0.0/24 --gen-relay-list relay.txt to list signing-disabled relay targets
- rpcclient -U '' -N target to test for anonymous RPC and pull domain users via lookupsids
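The sweep output is only useful once it is turned into lists someone can act on. The following is an added example, not NetExec's own code: it parses the per-host banner lines that a recent nxc build prints (the exact column layout is an assumption; adjust the regex if your version differs), buckets hosts into relay-exposed, SMBv1-enabled and Samba, and reproduces the content of --gen-relay-list so the signing gap can be tracked as a remediation ticket. The sample sweep lines, addresses and hostnames are constructed.

```python
"""Triage a NetExec (nxc) SMB sweep into the lists a remediation ticket needs.

Added example, not NetExec's own code. It assumes the per-host banner format that recent
nxc builds print ("SMB <ip> <port> <host> [*] <os> (name:..) (domain:..) (signing:..) (SMBv1:..)");
adjust BANNER if your version lays the fields out differently.
"""
import re
from collections import defaultdict

BANNER = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.+?)\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

# Constructed sample sweep output; addresses, hostnames and the domain are made up.
SAMPLE_SWEEP = """\
SMB         10.0.0.5        445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.0.21       445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.0.0.40       445    WS-ACCT-07       [*] Windows 10 Build 19041 x64 (name:WS-ACCT-07) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.60       445    NAS01            [*] Unix - Samba (name:NAS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.0.0.21       445    FS01             [+] corp.local\\:  (Guest)
"""


def parse_sweep(text):
    """Return one dict per host banner; auth results and other non-banner lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = BANNER.match(line)
        if not m:
            continue
        h = m.groupdict()
        h["signing"] = h["signing"] == "True"
        h["smbv1"] = h["smbv1"] == "True"
        hosts.append(h)
    return hosts


def triage(hosts):
    """Bucket hosts by the misconfiguration each one exposes.

    relay_targets: signing not required, so an NTLM relay to this host would be accepted.
    smbv1: still negotiates SMBv1 and needs the protocol disabled, not just patched.
    samba: non-Windows SMB stacks, the usual place null sessions and SMBv1 survive.
    """
    buckets = defaultdict(list)
    for h in hosts:
        if not h["signing"]:
            buckets["relay_targets"].append(h["ip"])
        if h["smbv1"]:
            buckets["smbv1"].append(h["ip"])
        if "Samba" in h["os"]:
            buckets["samba"].append(h["ip"])
    return dict(buckets)


def relay_list(hosts):
    """Same content as nxc --gen-relay-list: one signing-not-required IP per line."""
    return "\n".join(h["ip"] for h in hosts if not h["signing"])


if __name__ == "__main__":
    found = parse_sweep(SAMPLE_SWEEP)
    for bucket, ips in sorted(triage(found).items()):
        print(f"{bucket}: {', '.join(ips)}")
```

Feed it the saved stdout of the sweep (nxc smb 10.0.0.0/24 | tee sweep.log) and hand the relay_targets bucket to whoever owns the signing GPO; the smbv1 and samba buckets go to the owners of the appliances, which are rarely in the same team.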
Null sessions in modern Windows
Windows defaults since Server 2003 SP1 restrict null-session shares and pipes, but misconfigured file servers, NAS appliances, and legacy Samba shares still allow anonymous access. When found, they often give up the password policy, user lists, and group membership without any authentication.
enum4linux-ng is still useful for legacy Samba targets. SMBMap, smbclient -L, and rpcclient cover the rest.
Signing and why it matters
Requiring SMB signing on the server side blocks NTLM relay to SMB, because a relayed session cannot sign its traffic without the session key it never receives. The default on workstations and member servers is signing enabled but not required, which is not enough. Signing required must be set via GPO across the estate.
Signing not required on a domain controller is not just a relay risk. It is a structural defect in the build pipeline that produced that DC.
Share enumeration
Authenticated share enumeration reveals more than most teams realise. We routinely find IT admin shares with cleartext credentials in PowerShell scripts, build server shares with unsigned binaries, and backup shares readable by Domain Users. The Snaffler tool indexes these at scale.
- nxc smb targets.txt -u user -p pass --shares to list reachable shares
- snaffler.exe -s -o snaffle.log to crawl shares for high-signal files
- Search for unattend.xml, sysprep.inf, GPP cpassword, .kdbx, .ovpn, and .ps1 files with plaintext credentials
The EternalBlue era lessons
MS17-010 is mostly gone, but its lessons are not. It spread to hundreds of thousands of hosts because of a combination of unpatched SMBv1, flat networks, and absent egress filtering. The successor risks are SMB over QUIC misconfiguration, SMB exposed to the internet on cloud VMs, and SMBv1 still enabled on legacy printers and OT devices.
Other notable SMB-era CVEs
- SMBGhost (CVE-2020-0796) in SMBv3 compression, mostly patched but still found
- PetitPotam coercion via MS-EFSRPC over SMB named pipes, see our NTLM relay article
- PrintNightmare (CVE-2021-1675 / CVE-2021-34527) via SMB-loaded spooler drivers
Remediation
- SMB signing required everywhere via GPO. Test before enforcing to catch legacy clients.
- Disable SMBv1 on every Windows host. Audit printers and storage appliances for SMBv1 fallback.
- Block SMB at the firewall between user VLANs and server VLANs. Most lateral movement dies here.
- Run Snaffler against the estate before an attacker does. Remediate cleartext credential shares.
- Disable null session shares via RestrictAnonymous and RestrictAnonymousSAM registry values.
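The signing, SMBv1 and null-session items in this list all resolve to a handful of registry values, which makes them easy to audit on a host before and after the GPO lands. The following is an added example, not Microsoft tooling: evaluate() compares a snapshot of those values against the hardened baseline and runs anywhere, and collect() reads the live values through winreg on the Windows host. The key paths and value names (RequireSecuritySignature under LanmanServer and LanmanWorkstation, SMB1 under LanmanServer, RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous under Lsa, NullSessionShares and NullSessionPipes under LanmanServer) are the documented ones; the two sample snapshots are constructed. One caveat: on builds where SMBv1 is an optional feature, the SMB1 registry value is only an override, so confirm with Get-SmbServerConfiguration or Get-WindowsOptionalFeature as well.

```python
"""Audit a Windows host's SMB hardening registry values against the remediation list.

Added example, not Microsoft tooling. evaluate() works on any dict of values;
collect() reads HKLM through winreg and therefore only runs on the Windows host.
"""
import sys

LANMAN_SERVER = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LANMAN_WS = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"

# (key, value name, value assumed when absent, hardened value, finding text)
# Absent values mean the Windows default: signing not required on non-DCs, SMB1 present
# where the feature is installed, RestrictAnonymous 0, RestrictAnonymousSAM 1,
# EveryoneIncludesAnonymous 0.
CHECKS = [
    (LANMAN_SERVER, "RequireSecuritySignature", 0, 1, "server does not require SMB signing (relay target)"),
    (LANMAN_WS, "RequireSecuritySignature", 0, 1, "client does not require SMB signing"),
    (LANMAN_SERVER, "SMB1", 1, 0, "SMBv1 server not disabled"),
    (LSA, "RestrictAnonymous", 0, 1, "anonymous enumeration of shares not restricted"),
    (LSA, "RestrictAnonymousSAM", 1, 1, "anonymous enumeration of SAM accounts not restricted"),
    (LSA, "EveryoneIncludesAnonymous", 0, 0, "Everyone group includes anonymous logons"),
]
NULL_SESSION_LISTS = ("NullSessionShares", "NullSessionPipes")


def evaluate(values):
    """values: {(key, name): value, or None when absent}. Returns a list of finding strings."""
    findings = []
    for key, name, default, expected, text in CHECKS:
        actual = values.get((key, name))
        if actual is None:
            actual = default
        if actual != expected:
            findings.append(f"{name}: {text} (is {actual}, want {expected})")
    # REG_MULTI_SZ lists that explicitly re-open null-session access; hardened hosts leave them empty.
    for name in NULL_SESSION_LISTS:
        extra = values.get((LANMAN_SERVER, name)) or []
        if extra:
            findings.append(f"{name}: null-session access explicitly granted to {', '.join(extra)}")
    return findings


def collect():
    """Read the checked values from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("collect() reads HKLM via winreg and must run on the Windows host")
    import winreg
    wanted = [(k, n) for k, n, _, _, _ in CHECKS] + [(LANMAN_SERVER, n) for n in NULL_SESSION_LISTS]
    values = {}
    for key, name in wanted:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                values[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            values[(key, name)] = None  # key or value absent: evaluate() applies the default
    return values


# Constructed snapshot of a member file server at defaults, plus a legacy backup share
# re-opened to null sessions. Not taken from a real host.
SAMPLE_UNHARDENED = {
    (LANMAN_SERVER, "RequireSecuritySignature"): 0,
    (LANMAN_WS, "RequireSecuritySignature"): 0,
    (LANMAN_SERVER, "SMB1"): None,
    (LSA, "RestrictAnonymous"): 0,
    (LSA, "RestrictAnonymousSAM"): 1,
    (LSA, "EveryoneIncludesAnonymous"): 0,
    (LANMAN_SERVER, "NullSessionShares"): ["Backup"],
}

# Constructed snapshot of the same host after the GPO and SMBv1 removal applied.
SAMPLE_HARDENED = {
    (LANMAN_SERVER, "RequireSecuritySignature"): 1,
    (LANMAN_WS, "RequireSecuritySignature"): 1,
    (LANMAN_SERVER, "SMB1"): 0,
    (LSA, "RestrictAnonymous"): 1,
    (LSA, "RestrictAnonymousSAM"): 1,
    (LSA, "EveryoneIncludesAnonymous"): 0,
}


if __name__ == "__main__":
    snapshot = collect() if sys.platform == "win32" else SAMPLE_UNHARDENED
    for finding in evaluate(snapshot) or ["no findings"]:
        print(finding)
```

Run it from an elevated prompt on a pilot host before the signing GPO is enforced and again after, and diff the two outputs; a host that still reports the server signing finding after the GPO refresh is the legacy client exception the first remediation item warns about.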
SMB is not going away. Treat it as a privileged protocol, restrict it like one, and the easiest internal lateral movement paths close immediately.