Quick Summary
SMB Signing Not Required is a network service misconfiguration where the SMB server does not enforce message signing. This allows attackers to perform SMB relay attacks, potentially leading to unauthorized access, credential relay, and lateral movement within the internal network.
Vulnerability Classification
| Field | Value |
|---|---|
| Vulnerability Type | SMB Misconfiguration |
| CWE ID | CWE-300 (Channel Accessible by Non-Endpoint) |
| CVE ID | N/A (Configuration Issue) |
| CVSS 4.0 Base Score | 7.5 (High) |
| CVSS Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N |
| OWASP Category | A05:2021 – Security Misconfiguration |
| Attack Surface | Internal Network |
Affected Asset / Environment
- Service: SMB (Port 445)
- Target IP: <Target IP>
- OS: Windows Server / File Server
- Testing Method: Black-box Internal Assessment
- Tool Used: Nmap, CrackMapExec
Description
The assessor observed that the SMB service running on the file server does not enforce SMB message signing. During enumeration, it was identified that the “Signing Required” configuration is set to False.
SMB signing ensures the integrity of SMB communication by digitally signing each message exchanged between client and server. When signing is not enforced, attackers within the network may intercept or relay SMB authentication requests.
Root Cause
The issue occurs due to improper configuration of Group Policy or local security policy settings where:
- “Microsoft network server: Digitally sign communications (always)” is disabled.
- SMB signing is set to “Not Required” instead of “Required”.
This misconfiguration weakens trust validation in SMB communications.
Business Impact
Exploitation of this vulnerability may allow an attacker to perform NTLM relay attacks within the network. This may result in unauthorized access to file shares, credential compromise, lateral movement, and potential domain escalation.
If exploited in enterprise environments, it might lead to data exposure, ransomware deployment, or broader domain compromise.
Technical Impact
An attacker can:
- Capture NTLM authentication hashes.
- Perform SMB relay attacks using tools like ntlmrelayx.
- Authenticate to other systems without cracking passwords.
- Access restricted shares if relayed credentials have privileges.
This significantly increases the attack surface in internal network environments.
Proof of Concept (PoC)
Step 1: Detection Using Nmap
nmap --script smb2-security-mode -p 445 <target-ip>
Expected Vulnerable Output:
Host script results:
| smb2-security-mode:
| 2:2:2:
|_ Message signing enabled but not required
If signing is “enabled but not required” → Vulnerable.
Step 2: Detection Using CrackMapExec
crackmapexec smb <target-ip>
Output:
SMB Signing: False
Step 3: Relay Attack Demonstration (Lab Only)
Start responder:
responder -I eth0
Run NTLM relay:
ntlmrelayx.py -tf targets.txt -smb2support
If successful, authentication will be relayed to another SMB server.
Exploitation Prerequisites
- Internal network access
- Attacker positioned in same subnet
- NTLM authentication in use
- No SMB signing enforcement
Remediation / Mitigation
It is recommended that SMB signing be enforced via Group Policy:
For Domain Controllers / File Servers:
Enable:
Microsoft network server: Digitally sign communications (always)
Group Policy Path:
Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
Additionally:
- Disable NTLM where possible
- Implement SMBv3 only
- Monitor NTLM relay attempts
- Segment internal network properly
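The following PowerShell script is an added example, not part of the original finding: it audits the server-side and client-side signing state on a Windows host with the built-in SmbShare cmdlets and the registry values behind the Group Policy settings named above, and enforces "Required" when run with the hypothetical -Enforce switch. Run it in an elevated session on the affected file server; cmdlet and registry names are real, the switch name is an assumption.

```powershell
# Added example: audit (and optionally enforce) SMB signing on a Windows host.
# -Enforce is a switch name chosen for this example, not a Microsoft parameter.
[CmdletBinding()]
param(
    [switch]$Enforce
)

# Registry values written by the Group Policy settings referenced in the finding.
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SigningState {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerSigningEnabled  = $srv.EnableSecuritySignature
        ServerSigningRequired = $srv.RequireSecuritySignature   # must be True
        ClientSigningRequired = $cli.RequireSecuritySignature
        # Policy view: a domain GPO will overwrite these on the next refresh
        ServerPolicyRequired  = [bool](Get-ItemProperty -Path $serverKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
        ClientPolicyRequired  = [bool](Get-ItemProperty -Path $clientKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    }
}

$before = Get-SigningState
$before | Format-List

if (-not $before.ServerSigningRequired) {
    # Same condition Nmap reports as "Message signing enabled but not required"
    Write-Warning 'SMB server signing is not required: host matches the finding.'
    if ($Enforce) {
        # Equivalent of "Microsoft network server: Digitally sign communications (always)" = Enabled
        Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
        # Require signing for outbound SMB as well, so this host's own sessions cannot be relayed
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Write-Output 'Signing enforced; state after change:'
        Get-SigningState | Format-List
    }
} else {
    Write-Output 'SMB server signing is required: not affected by this finding.'
}
```

Local changes made with Set-SmbServerConfiguration are reverted by the next Group Policy refresh if the domain GPO still sets the option to Disabled, so the permanent fix is the Group Policy change described above, with this script used to verify the result on each host.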
Detection & Monitoring Recommendation
- Enable event logging for SMB authentication
- Monitor unusual NTLM traffic
- Deploy IDS/IPS signatures for NTLM relay patterns
- Use Microsoft Defender for Identity
References
- MITRE CWE-300
- Microsoft SMB Security Guidance
- NTLM Relay Attack Documentation
- OWASP Security Misconfiguration
