Interpreting "Redirect SMB" Attacks
A few days ago, Cylance disclosed a vulnerability affecting Windows systems: an attacker can redirect a client to the SMB protocol and use a man-in-the-middle attack to steal the user's authentication information. What is this attack? What is "Redirect to SMB"? The Computer Manager vulnerability defense team has carried out a detailed technical analysis of these questions and shares its findings below.
0x01 SMB/SMB2 (Server Message Block)
The main character of this event is SMB.
SMB is an extension of the CIFS (Common Internet File System) protocol. It is mainly used to access shared files and print services over the network. The relationship between SMB and the other protocols involved is as follows:
SMB can be carried directly over TCP (port 445) or over NetBIOS (TCP port 139). Taking direct TCP transport as an example, each SMB message is preceded by a 4-byte header: the first byte is 0 (network byte order, the same below), and the following 3 bytes give the length of the SMB message; the message body then follows.
Starting with Windows Vista, the SMB2 protocol was introduced, which extends some of the fields of the original SMB protocol.
SMB/SMB2 supports several authentication protocols; the most widely used is NTLM.
NTLM uses challenge/response authentication. The message sequence of the security authentication is as follows:
0x02 Redirecting to the SMB protocol via HTTP
Take Win7 x86 + IE11 as an example to see how IE handles a redirect response returned over HTTP.
After obtaining the status code of the HTTP response, IE calls CINetHttp::RedirectRequest to process the redirect if the status code is 301, 302, 303 or 307.
Construct a web page that redirects to the file: protocol.
When IE opens this page, the packets sent to the SMB server can be captured.
It can be seen that the current user's logon credentials are sent to the server over SMB2 for authentication. If that server (10.4.75.32 here) is a malicious "man-in-the-middle" that has hijacked the connection, the user's logon credentials are leaked.
The possible attack vectors are not limited to web page access. As long as an ordinary HTTP request can be hijacked, the client can be redirected to the SMB protocol and the user's credentials sent to a malicious server.
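As an added example that is not part of the original analysis, the following Python check flags HTTP redirect responses that would send a Windows client to a remote SMB host; a forward proxy or a log-inspection job could apply it to outbound responses. The sample responses and host names are constructed; 10.4.75.32 is reused from the capture above.

```python
import re
from urllib.parse import urlsplit

# Status codes that IE hands to CINetHttp::RedirectRequest (per the article).
REDIRECT_CODES = {301, 302, 303, 307}
# A UNC path such as \\10.4.75.32\share ; group 1 is the remote host.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")

def remote_smb_host(location):
    """Host a Windows client would contact over SMB to follow `location`,
    or None. file:// with a host and UNC paths count; file:///C:/x does not."""
    loc = location.strip()
    m = UNC_RE.match(loc)
    if m:
        return m.group(1)
    parts = urlsplit(loc)
    if parts.scheme.lower() == "file" and parts.hostname:
        return parts.hostname
    return None

def parse_head(raw):
    """Return (status code, Location header or None) from a raw response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location

def check_response(raw):
    """Return the SMB host a redirect would leak credentials to, else None."""
    status, location = parse_head(raw)
    if status not in REDIRECT_CODES or not location:
        return None
    return remote_smb_host(location)

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "file_url": "HTTP/1.1 302 Found\r\nLocation: file://10.4.75.32/share/x.txt\r\n\r\n",
    "unc": "HTTP/1.1 301 Moved Permanently\r\nLocation: \\\\10.4.75.32\\share\r\n\r\n",
    "local": "HTTP/1.1 302 Found\r\nLocation: file:///C:/Windows/notepad.exe\r\n\r\n",
    "https": "HTTP/1.1 307 Temporary Redirect\r\nLocation: https://example.com/\r\n\r\n",
    "not_redirect": "HTTP/1.1 200 OK\r\nLocation: file://10.4.75.32/x\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} -> {check_response(raw)}")
```

Only the two redirects pointing at a remote host are reported; a redirect to a local drive path, to HTTPS, or a non-redirect status with a stray Location header is ignored, matching the status codes IE follows.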
0x03 Defense suggestions
As you can see, redirecting to the SMB protocol is a serious risk. SMB requests that are not initiated by the user should be blocked, and you should also be cautious when accessing shared servers on the internet over SMB.
As a precaution, you can block access to TCP ports 139 and 445. If you do need to access shared files or print services on the network, open TCP ports 139 and 445 temporarily, after confirming that the server is trusted.