Detecting Windows clients with SMB signing disabled
SMB, unarguably the most important protocol of Windows-based hosts, supports message signing to help hosts confirm the origin and authenticity of the data transmitted. Unfortunately, this is disabled by default for all systems except Domain Controllers (DCs). This makes Windows hosts susceptible to Man in the Middle (MitM) attacks, leading to remote code execution through SMB poisoning/relaying.
This recipe shows how to obtain the SMB signing configuration of Windows machines with Nmap.
How to do it...
Open your terminal and enter the following Nmap command:
$ nmap -p137,139,445 --script smb-security-mode <target>
If SMB message signing is disabled, you should see the message_signing: disabled message:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 9C:2A:70:10:84:BF (Hon Hai Precision Ind.)
Host script results:
| smb-security-mode:
| ...
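When the scan covers many hosts, the results can be saved with Nmap's -oX option and filtered for the message_signing: disabled line. The following Python script is an added example, not part of the original recipe: the sample XML is constructed, the addresses come from a documentation range, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -oX` output; addresses are documentation ranges.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><hostscript>
<script id="smb-security-mode" output="&#xa;  account_used: guest&#xa;  message_signing: disabled (dangerous, but default)"/>
</hostscript></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/><hostscript>
<script id="smb-security-mode" output="&#xa;  account_used: guest&#xa;  message_signing: required"/>
</hostscript></host>
<host><address addr="192.0.2.30" addrtype="ipv4"/></host>
</nmaprun>"""

# First word after the message_signing label in the script's text output.
SIGNING_RE = re.compile(r"message_signing:\s*(\w+)")


def signing_states(xml_text):
    """Map each host address to its reported message_signing value."""
    states = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        script = host.find("hostscript/script[@id='smb-security-mode']")
        if addr is None or script is None:
            continue  # no script result for this host (e.g. SMB ports closed)
        match = SIGNING_RE.search(script.get("output", ""))
        if match:
            states[addr.get("addr")] = match.group(1)
    return states


def hosts_with_signing_disabled(xml_text):
    """Return the sorted hosts whose result reads message_signing: disabled."""
    states = signing_states(xml_text)
    return sorted(h for h, s in states.items() if s == "disabled")


if __name__ == "__main__":
    for host in hosts_with_signing_disabled(SAMPLE_XML):
        print(f"{host}: SMB message signing disabled")
```

To use it on a real scan, read the file written by -oX and pass its contents to hosts_with_signing_disabled() in place of SAMPLE_XML.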