SMB exploiter only works with SMBv1 #3577

@mssalvatore

Description

Describe the bug

A user has reported that the SMB exploiter only works if SMBv1 is enabled. If SMBv1 is disabled, propagation fails with the following event:

ExploitationEvent(
    source=UUID('35b9a0c6-4b32-47da-9f05-90e81c9dc4af'),
    target=IPv4Address(REDACTED),
    timestamp=1691594367.2392383,
    tags=frozenset({'smb-exploiter', 'attack-t1021', 'attack-t1110', 'attack-t1210'}),
    success=False,
    exploiter_name='SMB',
    error_message="Failed to authenticate over SMB with identity=Username(username='hacker') secret=Password(password=SecretStr('**********')): Error occurs while reading from remote(10054)"
)

Tasks

  • Disable SMBv1 on at least one of the SMB test machines. (0d) @ilija-lazoroski
    • Reproduce the issue
    • Update the packer/terraform scripts as necessary
  • Fix it! (0d) @ilija-lazoroski
    • Copy the fix to WMI and test

Hints

I haven't investigated this much, but my money is on the preferred_dialect parameter being the cause of the issue.

https://github.com/guardicore/monkey/blob/e587368339a9c23a9045f0ff9eeece15e7f03a7b/monkey/agent_plugins/exploiters/smb/src/smb_client.py#L77C5-L83C13
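For the first task above (disabling SMBv1 on a test machine so the failure can be reproduced), the following PowerShell is an added example, not part of the issue or of the Infection Monkey repository. It assumes an elevated PowerShell session on the Windows test host; the `$IsServerSku` check and the surrounding structure are this example's own, while the cmdlets (`Get-SmbServerConfiguration`, `Set-SmbServerConfiguration`, `Disable-WindowsOptionalFeature`, `Uninstall-WindowsFeature`) are standard Windows cmdlets.

```powershell
# Added example: turn off SMBv1 on a Windows test machine and verify the change.
# Run from an elevated (Administrator) PowerShell session.

# 1. Record the current state so the change can be reverted if needed.
$before = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Write-Host "EnableSMB1Protocol before: $($before.EnableSMB1Protocol)"

# 2. Stop the SMB server from offering the SMB1 dialect during negotiation.
#    -Force suppresses the confirmation prompt; the change takes effect immediately.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Remove the SMB1 component itself so it cannot be re-enabled by accident.
#    The feature name differs between client and server SKUs (assumption: the
#    ProductType check below is sufficient to tell them apart on the test host).
$IsServerSku = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
if ($IsServerSku) {
    Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue
}

# 4. Verify: the server configuration should now report SMB1 as disabled.
$after = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Write-Host "EnableSMB1Protocol after:  $($after.EnableSMB1Protocol)"
if ($after.EnableSMB1Protocol) {
    throw "SMB1 is still enabled; check that the session is elevated."
}
```

A reboot may be required before the feature removal in step 3 is fully applied, but step 2 alone is enough to make the server reject SMB1 negotiation, which is the condition the bug report describes. To confirm from a second machine, establish a share connection and inspect the negotiated dialect with `Get-SmbConnection`; it should report 2.x or 3.x.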
