-
Notifications
You must be signed in to change notification settings - Fork 404
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check SMB signing required #55
Comments
Hey! Well, I have mixed feelings about this. On the one hand, I totally get your point as this is something I would report during a pentest. But on the other hand, I would like to avoid turning PrivescCheck into a "configuration audit tool" as far as possible. That being said, SMB signing enforcement is a big topic, that might be worth considering on its own. I'll have to think about it. :) |
@Acebond Your suggested method will currently work but not in the future. Microsoft decided to require SMB signing by default in future releases, which means the registry value "RequireSecuritySignature" does not necessarily have to be around to have SMB signing enabled. You can read it in this blog post: https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704 According to this, a future proof method will be using the Get-SmbServerConfiguration and Get-SmbClientConfiguration Cmdlet or the CIM classes MSFT_SmbClientConfiguration and MSFT_SmbServerConfiguration. |
Commit 099b4d3 prepares the ground for handling "configuration audit" checks. It adds a new check type - |
PrivescCheck covers the majority of the host checks I'd perform except SMB signing, which is often useful to know, especially as there are a bunch of different and whacky (like https://github.com/nccgroup/Change-Lockscreen) ways to coerce a SYSTEM/user account to authenticate to a capture/relay server.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
I've written a reference implementation below. I reckon it should probably be in the -Extended category?
The text was updated successfully, but these errors were encountered: