Access control to the information on file servers is enforced through SMB protocol authentication, usually integrated with a unified directory (such as Microsoft Active Directory).
While the authentication itself can be performed securely, the information flow between the server and the client is usually not encrypted, as is the case with the default SMB configuration. This leaves the information exposed to any sniffing activity carried out on the company's internal network.
In our effort to identify weak points of corporate networks, we wanted to demonstrate how easily this vulnerability can be exploited, so that organizations better understand the risk it poses for them and how to protect themselves from it.
For that purpose, we have developed a plugin for the popular network analyzer Wireshark. The plugin adds to Wireshark the ability to extract and save separately, from any network capture, either live or previously saved, the contents of any files transferred between a server and a client using the SMB protocol. We have successfully used this plugin in some real pentests, demonstrating the potential impact of this vulnerability.
Once installed, identifying SMB streams in a Wireshark capture is easy: click on Export -> Object -> SMB, and look at the window that pops up, which will look similar to this one:
(UPDATE) This functionality is included in the official version of Wireshark from release 1.5.1 on.
(UPDATE) We have released a patch that corrects some bugs in the export object SMB functionality of version 1.5.1. It has been included in the development trunk from SVN revision 36979 on. Linux users can download the source code and compile it. For Windows users, a Windows installer is available in our lab.
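To make the exposure concrete, here is an added example (our own illustration, not the Wireshark plugin's code) that walks a constructed SMB2 TCP stream and pulls the file bytes out of every server READ response, using the standard [MS-SMB2] header and READ response layout. The message builder, the sample stream and the file contents are constructed for the example; what the function returns is exactly what a sniffer on the internal network sees when SMB runs without IPsec or TLS.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"          # ProtocolId of every SMB2/3 header
SMB2_READ = 0x0008               # Command code for READ
FLAG_SERVER_TO_REDIR = 0x1       # Flags bit set on server responses


def smb2_read_payloads(stream: bytes) -> list:
    """Walk the NetBIOS-framed SMB2 messages of one TCP stream and return the
    data of every READ response: the file bytes travelling in clear."""
    payloads = []
    pos = 0
    while pos + 4 <= len(stream):
        # NetBIOS session service header: 1 byte type, 3 bytes big-endian length
        nb_len = int.from_bytes(stream[pos + 1:pos + 4], "big")
        msg = stream[pos + 4:pos + 4 + nb_len]
        pos += 4 + nb_len
        if len(msg) < 64 or msg[:4] != SMB2_MAGIC:
            continue                      # not SMB2 (SMB1, or a truncated frame)
        command = struct.unpack_from("<H", msg, 12)[0]   # Command at header offset 12
        flags = struct.unpack_from("<I", msg, 16)[0]     # Flags at header offset 16
        if command != SMB2_READ or not flags & FLAG_SERVER_TO_REDIR:
            continue                      # only server READ responses carry data
        # READ response: StructureSize(2)=17 DataOffset(1) Reserved(1) DataLength(4)
        struct_size, data_off, _, data_len = struct.unpack_from("<HBBI", msg, 64)
        if struct_size != 17 or data_off + data_len > len(msg):
            continue                      # malformed or truncated: skip, don't crash
        payloads.append(msg[data_off:data_off + data_len])
    return payloads


def _smb2_message(command: int, flags: int, body: bytes) -> bytes:
    """Build one constructed (unsigned) SMB2 message with its NetBIOS header."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, command, 1,
                                      flags, 0, 1, 0, 1, 0x1234) + b"\x00" * 16
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def sample_stream() -> bytes:
    """Constructed capture: a client READ request (no file data) followed by
    two server READ responses carrying consecutive chunks of one file."""
    request = _smb2_message(SMB2_READ, 0, b"\x00" * 49)
    chunks = [b"Project plan v3\n", b"Budget: 120000 EUR\n"]
    responses = [_smb2_message(SMB2_READ, FLAG_SERVER_TO_REDIR,
                               struct.pack("<HBBIII", 17, 80, 0, len(c), 0, 0) + c)
                 for c in chunks]
    return request + b"".join(responses)
```

Joining the returned chunks reconstructs the transferred file, which is what the plugin automates over a whole capture.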
9 comments:
I cannot compile wireshark with eo_smb_cb
My wireshark is wireshark-1.4.0rc1
Linux is Mandriva 2008.1 with custom openssl and zlib
I have an error
gtk/libui.a(menus.o):(.data+0x14b8): undefined reference to `eo_smb_cb'
collect2: ld returned 1 exit status
gmake[2]: *** [wireshark] Error 1
gmake[2]: *** Waiting for unfinished jobs....
Many thanks
ceres
Hi Ceres,
the last version of the patch has been compiled against version 1.5.0 (SVN Rev 33208 from /trunk) of Wireshark.
The process of including this functionality in a stable version of Wireshark is in progress. You may follow this process through the Wireshark bug database, bug id 4451: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4451
There you will find the history of updates of this patch and from now on, we will also be including the revision number that we use to compile the patch.
Regards,
Jose
The SMB export object functionality has been included in Wireshark development trunk, so there is no need to apply the patch anymore.
That means that if you download and compile in linux the latest Wireshark svn trunk you will have the SMB plugin included in it.
Additional note: the compilation for Windows has also been verified and fixed by the Wireshark team.
Is it included in the windows version as well?
The plug-in is very cool, I compiled wireshark with eo_smb_cb in BT4, and was able to capture the transferred files. It is really amazing. You guys are so great!
Just one question: how can we fix this vulnerability? thanks,
Andy
Andy,
thank you very much for your comment.
Most past and current SMB implementations don't support traffic encryption by themselves. As an alternative (if that is your case), you could use another layer to protect privacy of SMB messages:
- You can use a network layer protection, such as IPsec
- You can also use SSL or TLS at the transport layer to transport SMB protocol messages
- Or you could use an application that encrypts a file before sending it over the network
Depending on the environment, you should evaluate the best available option. One obvious thing to take care of is that the option you choose must be available for implementation at the client and the server side.
Regards,
Jose
Our functionality is included in the development version of Wireshark from revision 33229 on. Compilation has been tested by wireshark team, including windows compilation.
It is not included in a stable version of Wireshark yet, so no precompiled Windows version of Wireshark that includes the export-object-smb functionality is available to download from the Wireshark home page yet.
At the moment, you can have this functionality for windows environments, by building wireshark in windows from source code.
This post has been translated into Spanish here: http://www.webhostinghub.com/support/es/misc/de-archivos-smb