Pradeep Kulkarni & Sameer Patil, Quick Heal

Windows SMB protocol provides shared access to resources in a network. Since its development in the 1990’s, many exploits have been developed by taking advantage of the vulnerabilities present in the protocol. Unpatched versions of SMB are being exploited remotely without any user interaction which is a critical in nature. The Shadow Brokers leak in 2017 contained some high profile SMB exploits. Currently we see ransomware, cryptominer and banking trojans(like Trickbot) are using these exploits to spread across a network.

SMB allows two remote machines to connect using named pipes. Hence SMB is also a medium for exploiting vulnerabilities in other drivers, DLLs and other windows services (like netapi, ASN.1, nwapi32.dll, NetDDE service etc..)

In this talk, we will go through various famous SMB exploits seen in the wild like the NetAPI vulnerability exploited in Conficker worm,EternalBlue and other Shadow Brokers leaked exploits targeting SMB . To conclude we present an insight of how to safeguard the network from various SMB attacks.