Security : SMBDie: Crashing Windows Servers with Easy

What is SMB ?

SMB (Server Message Block) is the protocol

Microsoft uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses in what described as a client server, request-response protocol. The problem is that is it a massive attack… this is a denial of service attack. If system administrators have turned off anonymous access, it would not be possible for a non-authenticated user to exploit this vulnerability. However, turning off anonymous access does not prevent authenticated users from this attack. In addition, an administrator can block access to SMB on TCP ports 445 and 139 at the network perimeter. This would block access from un-trusted networks. However, legitimate users could be blocked in a ‘file and print’ networking environment. Administrators could also shut down the lanman server service. However, in a ‘file and print’ networking environment this may not be a viable solution because it would block legitimate users from using file and print services on a particular server where the lanman service had been stopped.

You can get this Tool from ( HERE)

What is the attack ?
By sending a specially crafted packet request, an attacker can mount a denial of service attack on the target server machine and crash the system. The attacker could use both a user account and anonymous access to accomplish this. Though not confirmed, it may be possible to execute arbitrary code.

To run the attack you can do the following:

1.           Download the tool from a ‘trusted’ site. Remember, downloading these tools may cause you serious heartburn if you install a Trojan! Be careful

2.           Next, you need to run it so you can run the attack. Be careful, if you are running AntiVirus software (and actually update it), then the tool will be quarantined immediately. Make sure you run this (like I do) on test systems so you can learn to use them and protect against them. If you run it on your main machine, disable AntiVirus Auto protect.

3.           Open the tool as seen below. Enter the IP address / NetBIOS name and run the KILL button. Look over at your server (mine was a .NET test server although it flagged it as XP) and blammo — its toast.

How to use the tool   ?

4.           If you fix the problem, you wont be able to connect:

How to protect your systems ?

As mentioned earlier, there are services you can turn off, but if don’t want to, and then you can apply a patch. The patch eliminates the vulnerability by checking for correct inputs before responding to SMB requests, thereby eliminating the vulnerability.

Update you Windows Oprating Systems .Keep up to date !!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.