byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

SMB Signing False Positive #307

Closed 0xSeanG closed 4 years ago

0xSeanG commented 5 years ago

Steps to reproduce

  1. cme smb [target] (reports no signing)
  2. nmap --script smb2-security-mode.nse [target] (reports signing enabled and required)

Command string used

cme smb [target]

CME verbose output (using the --verbose flag)

n/a - cme error

CME Version (cme --version)

4.0.1dev

OS

Kali

Target OS

Windows 10

Detailed issue explanation

Confirmed local security policy matches the nmap results.

awsmhacks commented 5 years ago

Hmm, wondering if this is due to out-of-date impacket submodule or what exactly. Can you check what responder's runfinger shows for the smb_signing? https://github.com/lgandx/Responder/blob/master/tools/RunFinger.py

I see a commit in April in impacket changing how the signing flag was obtained in smb3.py (smb3 covers v2+v3), so that might be it? I'll try and test myself soon.

I'm guessing --gen-relay-list is showing the host as not requiring signing as well?

0xSeanG commented 5 years ago

Correct on gen-relay-list... I'll check on runfinger in the morning and report back

awsmhacks commented 5 years ago

Tested on win7 and it's working as it should, must be win10 specific. Testing that next.

0xSeanG commented 5 years ago

Having issues with RunFinger.py... which makes me think the issue may be on my end and not the tool... Some of the w10 machines fingerprinted accurately.

awsmhacks commented 5 years ago

Starting to test on win10. Trying to get a baseline and getting weird results though.

Using regedit to flip flags on and off, and just so we're on the same page: hklm\system\currentcontrolset\services\lanmanserver\parameters

  1. With enabled and required turned off (set to 0), smb1 off, and smb2 on, verified with powershell via Get-SmbServerConfiguration:
    • Nmap still shows message signing enabled, but not required, so something is broken with that.


  2. Now turning on requiresecuritysignature:
    Nmap shows enabled and required (even with messagesigning disabled, so maybe smb2 has signing always enabled and you only toggle required/not required?). I did confirm that CME isn't detecting that change though, still shows signing as false. Going to start digging around for what's up.

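
The question raised in this comment (whether SMB2 always advertises signing as enabled and only the "required" bit changes) comes down to which bits a scanner reads out of the NEGOTIATE response. The following is an added illustration for this thread, not CrackMapExec or impacket code: it decodes the SecurityMode field of both SMB1 (NT LM 0.12) and SMB2/SMB3 NEGOTIATE responses per MS-CIFS and MS-SMB2, and the two `build_*` helpers construct sample packets by hand (not captures from a real host) so it runs offline. Per MS-SMB2 a server must always set SMB2_NEGOTIATE_SIGNING_ENABLED in its response, so on SMB2+ the only bit that reflects the RequireSecuritySignature setting is SMB2_NEGOTIATE_SIGNING_REQUIRED, which is consistent with what nmap showed above.

```python
"""Decode SMB signing flags from SMB1 and SMB2/SMB3 NEGOTIATE responses.

Added example for this issue thread (not CME/impacket code). Packet layouts
follow MS-CIFS 2.2.4.52.2 and MS-SMB2 2.2.4; sample packets are constructed.
"""
import struct

# SMB2/SMB3 NEGOTIATE response SecurityMode bits (MS-SMB2 2.2.4)
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# SMB1 NT LM 0.12 NEGOTIATE response SecurityMode bits (MS-CIFS 2.2.4.52.2)
SMB1_SECURITY_SIGNATURES_ENABLED = 0x04
SMB1_SECURITY_SIGNATURES_REQUIRED = 0x08


def smb2_security_mode(packet: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response (64-byte header + body) into signing flags."""
    if len(packet) < 70 or packet[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    header_size, = struct.unpack_from("<H", packet, 4)
    command, = struct.unpack_from("<H", packet, 12)
    flags, = struct.unpack_from("<I", packet, 16)
    # Command 0 is NEGOTIATE; flags bit 0 marks a server-to-client response.
    if header_size != 64 or command != 0 or not flags & 0x1:
        raise ValueError("not an SMB2 NEGOTIATE response")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def smb1_security_mode(packet: bytes) -> dict:
    """Parse an SMB1 NEGOTIATE response (32-byte header + NT LM 0.12 body)."""
    if len(packet) < 36 or packet[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    command, flags = packet[4], packet[9]
    # 0x72 is SMB_COM_NEGOTIATE; flags bit 7 (SMB_FLAGS_REPLY) marks a response.
    if command != 0x72 or not flags & 0x80:
        raise ValueError("not an SMB1 NEGOTIATE response")
    word_count = packet[32]
    if word_count != 17:
        raise ValueError("not an NT LM 0.12 NEGOTIATE response")
    # Body: WordCount(1) DialectIndex(2) SecurityMode(1) ...
    security_mode = packet[35]
    return {
        "dialect": 1,  # SMB1; exact dialect string is not carried in the response
        "signing_enabled": bool(security_mode & SMB1_SECURITY_SIGNATURES_ENABLED),
        "signing_required": bool(security_mode & SMB1_SECURITY_SIGNATURES_REQUIRED),
    }


def signing_status(info: dict) -> str:
    """Summarise the flags the way an audit report would state them."""
    if info["signing_required"]:
        return "required"
    if info["signing_enabled"]:
        return "enabled but not required"
    return "disabled"


def build_smb2_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Construct a minimal SMB2 NEGOTIATE response carrying the given SecurityMode."""
    header = b"\xfeSMB" + struct.pack(
        "<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 0x1, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0)   # StructureSize..ContextCount
            + b"\x00" * 16                                        # ServerGuid
            + struct.pack("<IIII", 0, 8388608, 8388608, 8388608)  # Capabilities, Max* sizes
            + struct.pack("<QQ", 0, 0)                            # SystemTime, ServerStartTime
            + struct.pack("<HHI", 0, 0, 0)                        # SecurityBuffer*, ContextOffset
            + b"\x00")                                            # Buffer
    return header + body


def build_smb1_negotiate_response(security_mode: int) -> bytes:
    """Construct a minimal SMB1 NT LM 0.12 NEGOTIATE response."""
    header = b"\xffSMB" + bytes([0x72]) + struct.pack("<I", 0) + bytes([0x88]) + b"\x00" * 22
    body = bytes([17]) + struct.pack("<HB", 0, security_mode) + b"\x00" * 31 + struct.pack("<H", 0)
    return header + body


if __name__ == "__main__":
    for mode in (0x0001, 0x0003):
        print("SMB2 SecurityMode 0x%04x ->" % mode,
              signing_status(smb2_security_mode(build_smb2_negotiate_response(mode))))
    for mode in (0x03, 0x07, 0x0F):
        print("SMB1 SecurityMode 0x%02x ->" % mode,
              signing_status(smb1_security_mode(build_smb1_negotiate_response(mode))))
```

For SMB2+ hosts the distinction that matters in a report is therefore "required" versus "enabled but not required"; a scanner that keys its verdict on the ENABLED bit, or reads the field from the wrong offset, will report every SMB2 server the same way regardless of the registry setting.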
awsmhacks commented 5 years ago

It's an issue in impacket, which CME uses for SMB connection stuffs.
Fixed in the latest version though, so you need to update the submodule, then rebuild CME. To manually do this:

From the root of where you have CME cloned, i.e. /opt/CrackMapExec:
# cd cme/thirdparty/impacket/
# git fetch
...stuff...
# git pull
...stuff...
# cd ../../../           (change back to root folder of cme)
# ./setup.py install


mpgn commented 4 years ago

Should be fixed, so I'm closing. Thank you @awsmhacks :)