guardicore / monkey

Infection Monkey - An open-source adversary emulation platform
https://www.guardicore.com/infectionmonkey/
GNU General Public License v3.0

SMB exploiter only works with SMBv1 #3577

Closed mssalvatore closed 1 year ago

mssalvatore commented 1 year ago

Describe the bug

A user has reported that the SMB exploiter only works if SMBv1 is enabled. If SMBv1 is disabled, propagation fails with the following event:

ExploitationEvent(
    source=UUID('35b9a0c6-4b32-47da-9f05-90e81c9dc4af'),
    target=IPv4Address(REDACTED),
    timestamp=1691594367.2392383,
    tags=frozenset({'smb-exploiter', 'attack-t1021', 'attack-t1110', 'attack-t1210'}),
    success=False,
    exploiter_name='SMB',
    error_message="Failed to authenticate over SMB with identity=Username(username='hacker') secret=Password(password=SecretStr('**********')): Error occurs while reading from remote(10054)"
)

Tasks

Hints

I haven't investigated this much, but my money is on the preferred_dialect parameter being the cause of the issue.

https://github.com/guardicore/monkey/blob/e587368339a9c23a9045f0ff9eeece15e7f03a7b/monkey/agent_plugins/exploiters/smb/src/smb_client.py#L77C5-L83C13

ilija-lazoroski commented 1 year ago

It seems that the preferred dialect is SMBv1: https://github.com/fortra/impacket/blob/master/impacket/smb.py#L69

ilija-lazoroski commented 1 year ago

Initial test:

Enabled SMBv1: [screenshot]

Disabled SMBv1: I was able to reproduce the issue with the same message: error_message="Failed to authenticate over SMB with identity=Username(username='m0nk3y') secret=Password(password=SecretStr('**')): Error occurs while reading from remote(104)")]

ilija-lazoroski commented 1 year ago

Configured a machine to only use SMBv1 and a machine to use SMBv2/v3. Based on the fix, in which I have added a log statement to check the SMB dialect in use, we can see that one of the machines is using NT LM 0.12, which is SMBv1, and the other uses 768, which is SMBv2, or 0x300 in hexadecimal. [screenshot]
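The thread hinges on two things: SMBv1 negotiates its dialect by string ("NT LM 0.12") while SMB2/3 negotiates by 16-bit code (768 = 0x0300 = SMB 3.0), and a client that offers only one dialect cannot succeed against a server that has that dialect disabled. The following is an added example written for this page, not code from Infection Monkey or impacket. It builds an SMB2 NEGOTIATE request body, parses a NEGOTIATE response, and models the server's dialect choice so the "preferred dialect pinned to SMBv1" failure and the "let the server pick" success can be compared side by side. The response bytes, GUIDs and the `client_offer`/`server_choose` model are constructed here for illustration; they simplify the real impacket negotiate flow, which starts with an SMBv1-framed multi-protocol negotiate.

```python
"""SMB2 NEGOTIATE dialect handling (added example, not Monkey/impacket code).

Wire layout follows MS-SMB2 sections 2.2.3 (request) and 2.2.4 (response).
All sample bytes below are constructed, not captured from a real server.
"""
import struct

# SMBv1 identifies its dialect by string; impacket's smb.py calls this SMB_DIALECT.
SMB1_DIALECT = "NT LM 0.12"

# SMB2/3 dialects are 16-bit codes (MS-SMB2 2.2.3 "Dialects").
SMB2_DIALECTS = {
    0x0202: "SMB 2.0.2",
    0x0210: "SMB 2.1",
    0x0300: "SMB 3.0",      # 768 decimal, the value seen in the debug log above
    0x0302: "SMB 3.0.2",
    0x0311: "SMB 3.1.1",
}


def dialect_name(dialect):
    """Map a dialect (int code for SMB2/3, string for SMBv1) to a readable name."""
    if isinstance(dialect, str):
        if dialect == SMB1_DIALECT:
            return "SMBv1 (%s)" % dialect
        return "unknown SMBv1 dialect %r" % dialect
    return SMB2_DIALECTS.get(dialect, "unknown SMB2 dialect 0x%04x" % dialect)


def build_negotiate_request(dialects, client_guid=b"\x00" * 16):
    """SMB2 NEGOTIATE request body offering `dialects` (64-byte header not included)."""
    if not dialects:
        raise ValueError("must offer at least one dialect")
    fixed = struct.pack(
        "<HHHHI16s8s",
        36,                 # StructureSize: fixed value, counts the first Dialects entry
        len(dialects),      # DialectCount
        0x0001,             # SecurityMode: SMB2_NEGOTIATE_SIGNING_ENABLED
        0,                  # Reserved
        0,                  # Capabilities
        client_guid,        # ClientGuid
        b"\x00" * 8,        # ClientStartTime (no 3.1.1 negotiate contexts in this example)
    )
    return fixed + b"".join(struct.pack("<H", d) for d in dialects)


def parse_negotiate_response(body):
    """Return (DialectRevision, name) from an SMB2 NEGOTIATE response body."""
    if len(body) < 64:
        raise ValueError("short NEGOTIATE response (%d bytes)" % len(body))
    structure_size, _security_mode, dialect = struct.unpack_from("<HHH", body, 0)
    if structure_size != 65:
        raise ValueError("unexpected StructureSize %d" % structure_size)
    return dialect, dialect_name(dialect)


# Constructed response: a server that settled on SMB 3.0 (0x0300).
SAMPLE_RESPONSE = struct.pack(
    "<HHHH16sIIIIQQHHI",
    65,                     # StructureSize (64 fixed bytes + 1 byte of Buffer)
    0x0001,                 # SecurityMode
    0x0300,                 # DialectRevision
    0,                      # NegotiateContextCount / Reserved
    b"\x11" * 16,           # ServerGuid (made up)
    0,                      # Capabilities
    0x800000, 0x800000, 0x800000,   # MaxTransactSize, MaxReadSize, MaxWriteSize
    0, 0,                   # SystemTime, ServerStartTime
    128, 0,                 # SecurityBufferOffset, SecurityBufferLength
    0,                      # NegotiateContextOffset
) + b"\x00"                 # Buffer


def client_offer(preferred=None):
    """Simplified model of what the client offers. A pinned preferred dialect is
    offered alone (the behaviour the hint above suspects); None offers every
    SMB2/3 dialect, highest first, so the server can pick."""
    if preferred is not None:
        return [preferred]
    return sorted(SMB2_DIALECTS, reverse=True)


def server_choose(offered, server_supported):
    """Model of the server's pick: the highest dialect both sides support, or
    None when there is no overlap. In the log above the no-overlap case showed
    up as a connection reset (10054 on Windows, 104 on Linux)."""
    common = set(offered) & set(server_supported)
    return max(common) if common else None


if __name__ == "__main__":
    smb1_disabled = [0x0202, 0x0210, 0x0300]
    print("pinned to SMBv1:", server_choose(client_offer(SMB1_DIALECT), smb1_disabled))
    chosen = server_choose(client_offer(), smb1_disabled)
    print("negotiated:", chosen, dialect_name(chosen))
    print("sample response:", parse_negotiate_response(SAMPLE_RESPONSE))
```

With impacket itself the equivalent of `client_offer(None)` is constructing `SMBConnection(...)` with `preferredDialect=None` (the default) instead of `smb.SMB_DIALECT`, and `getDialect()` on the resulting connection reports what was actually negotiated, which is a cheap thing to log when debugging a propagation failure like the one in this issue.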