Grab Files On The Fly: How To Protect Unencrypted Network Protocols

It’s your friendly neighborhood Microsoft Security Advisor, back with more tricks to keep your network safe. Despite your best efforts to protect your data, unencrypted network protocols might still be used. We show you how to use IPsec and SMB protection to create a web of protection around your information.

Unencrypted Network Protocols

Preparing the Environment

First of all, I will prepare my environment to have some files and some network shells. I’ll be using one of the servers, which is actually SQL, and all the server on the desktop. I will prepare a new folder which will be actually a network share for SMB, so let’s name it “Hacks Weekly” (HW).

Inside this folder, I will create a new file “VerySecret.txt“. Let’s type “CQURE” a couple of times here just to have contacts that I can recognize that is the file that I want to get.

Now let’s make advanced sharing and of course create a file with permission, allow full control for everyone. Now let’s switch to the second computer and let’s verify that I can actually get to that machine. Let’s ping SQL01. This is my server on which I will be using SQL01/HW, the share. We can open the file. This is a secret file. Yes, I have access to this file. Great. Now, what I want to show you is that I perform the man-in-the-middle attack using the ARP spoofing, and just to show you what is happening here. I will run as administrator, the ARP table. A website is quite long, so let’s delete it and I can “arp -a.” I should see in a moment after using “ping”, this is SQL01. Now there is access to, and actually, there is information about the physical address of this one.

Grab some tools from CQURE!


Using Kali Linux to Perform ARP Spoofing

To perform the ARP spoofing, I will be using the same technique as previously in one of the Hacks Weekly episodes. I will use ARP spoof from Kali Linux It’s actually designed Kali Linux as previously at the same network, so the command is quite simple. Arpspoof -i eth0 (it’s ethernet as an interface) -t (it’s a target and what is the spoofed IP address). For this one, I’m using the server to be spoofed and the IP address of the client. On another tab, I’m using the reverse order of those IP addresses, so I’m spoofing the connection in two different directions.

Unencrypted Network Protocols

Now I have the Wireshark. This Wireshark is already configured to bypass the ARP commands and packets, and of course to select the packets that have their IP address either as a source or as a destination of the SQL01. When I start this one … continue without saving, yes, of course, our previous attempt. When I start this sniffing, I will notice that there is some traffic already detected. What can be detected in this traffic, let’s see what is it actually. I already see some SMB2. It’s some protocol to actually exchange files. Let’s see why I have it right here. On the admin PC, you remember that I had the MAC address, physical address for as this one. Let’s see what has changed.

Right now, you see instead of this MAC address, this is the new MAC address in the cache because actually, my Kali Linux is sending all the time the ARP messages that he has this IP address. This is why I can see this traffic. Whenever I go to the file, and let’s try to copy just this file on the desktop, so I will minimize the window here and let’s see what will happen. Okay, I did it too much. Close > cancel > close > properties > configurations > ok. Now let’s copy the file. I’m copying the file. Of course, it was successful.
Now let’s go back to Kali Linux to see what is happening there. Let’s stop the trace and let’s go somewhere below. You can see here some of the SMB information, SMB packets. And, what is happening here?

Actually, these are all the messages that were sent to the second server. For example, I see a response to create the VerySecret file. What I’m looking right now for is Read Request and Read Response.

How To Protect Unencrypted Network Protocols

In the read response, I see the content, actually the content of the file. If I click on this one, this is the data. You can see below that it’s actually selected here that I can view the content of this file there that I was copying there actually. If I want, I can actually get the data from the packet. Let me just click on this one, and export packet bytes. Just save it, let’s say, on the desktop, and name it test.txt. Let’s see what is the content of this file. Cancel, I don’t want to close this session. Let’s see what will be in this file.

This is Leafpad, and as you can see, it’s exactly the same file that I was creating and copying. Basically, the SMB protocol is not encrypted. Whenever I’m going to copy these files or any files actually, I will not be able to protect those files. Of course, this can be enabled and when I want to do this with the newest version of Windows, and actually with SMB3 I can enable the encryption. But you must note that the clients that will not support SMB version 3 will not be able to access the shares. If you have still some Windows 7, which doesn’t support the SMB3, then you will not be able to enable the encryption on the share or you will not be able to actually access this share with Windows 7.

Does Encrypting The File Itself Work?

Let’s see what will happen if I just encrypt the file. I will just click here, properties, on this file. This is on SQL01, so on the source computer in the, sorry, it’s not in the security, of course, in the advanced. I want to encrypt the content of the, to secure the data. Ok > apply > encrypt the file only. Let’s see what will happen.

You might see here, this is the padlock, so the file is encrypted. Of course, I can open the file. Let’s change it to CQ2 to see the change. Let’s save this one. Now let’s try to do the same thing again. I have Wireshark running here. I will add the share information that I want to see SMB2. Okay. Let’s start > continue without saving. This time I will be limiting the results in the Wireshark only to SMB2. Again, I’m going to copy the file. Ok > replace the file > ok. The file is copied. It might take a little bit longer because I needed the certificate to copy the file. Again, if I do this right now, it will be much faster because I already have the certificate that was used for encryption the files. Remember that it must be decrypted before re-encrypting it on the second server. As you can see here, the file is no longer encrypted.

Remember one thing: when we are using EFS, it’s encrypting the files only on one server, when the data are addressed. Let’s see if I can see the response right now when it’s already encrypted on the second server. This is read as a response. And as you can see here, again, I can see the content of the file.

It’s actually showing you that when the data are on the move, even if they were encrypted on one server or even if they will be encrypted on the second server in the folder, because I can create a folder and make it encrypted, and the content of the file will be encrypted here. So if I even create a folder, encrypt it. I want to encrypt the folder. Just need to modify it. Okay. Encrypted. Security, of course, advanced, encrypt the content of the folder. Okay. The folder is encrypted. The advanced encrypted content of the data.

Even if I copy the file right now directly from one source to another one, which is encrypted, let’s go there. The file is encrypted on local. While I was copying the file, it was also encrypted at the same time. Basically, you will see the new information here about the response, read request, write a response. Here we are searching for the response, from the bottom. Yeah, here, this, the new response. Again, the file is visible. Even if the source destination folder is using EFS, on the move on the network the data are visible. And as you can see I’m doing this from the second machine, so it’s not on the machine from which I’m copying it to which I’m copying the file. So basically, it’s visible on the network.

Ensuring SMB Shares are Encrypted

Okay, so what we can do next? Now I will encrypt the SMB, but to do that I will actually enable the encryption on one of the shares.

unencrypted network protocols

Because we have possibilities to actually set the configuration servers, so all the network shares will be encrypted, and this can be done to SMB server configuration, and to verify that we are doing this just search for encrypted data. In most cases, it’s not encrypting all the SMB shares.

So I want to encrypt only single one, this is the share name. Yes, I want to modify this one. And to be sure that I’m using the new session which is using the encryption, I will close the old SMB sessions which I currently have here. So let’s go back to the folder or maybe I will even change the content of the file to see the difference there that it’s CQURE 3, so let’s modify it, CQURE 3, not 4. Okay, that’s enough. And let’s switch to the Kali Linux, let’s start it, continue without saving. So start it and let’s go again to the same share. This is SQ01 and then copying again the same file to replace. So after I copied it, let’s see it, stop. And now let’s see what we have here.

Already I can see that there is information about encrypted SMB3 So I have different messages here and as you can see it’s much more of those messages to come to the file. So actually I do not see information about the share, about the files, I do not see the name of the file here, and I can go further down till the end and try to see the responses. I do not see any response that can be visible. It was read data and it was written responses here, still searching for those and there is absolutely no possibility to see the content of the actual file that was sent. So I was right in creating the request and that’s all. I cannot see actually the content of the file anything there. This is encrypted content, so it’s blocking the possibility to see the file.

Okay, but how about this when cannot actually use SMB3 and the encryption on this share. So let me first disable this, so I will false. Okay, yes I want to disable this one, let’s close all of the searches so again this session without encryption.

Up here let’s verify it again on the Wireshark that this time I will see the content. File copy without saving and on the other PC let’s copy the file again, replace, let’s see if this is, again encrypted. But I see the name of the file, so probably soon I will see the content of the file as well.

Search request encrypted, still encrypted, see the session that was previous. Let’s try to see the content of the file. This is the content of the file, this time I see it, perfect. I’m at the first attempt so I stop it and this time I want to enable the IP circuit between those two computers. So I will be actually enabling already predefined rules which I have in the advanced file rules I have connection security rules and I will enable this rule, this rule is to point connection between my server and my client. And it’s using identification method for Kerberos version 5 when the endpoint one is using the 445 as a port number.

Using Kerberos for Authentication

Basically, I’m enabling this IPsec only for the connection for SMB. I need to enable the similar rule on the second server, server SQL1, and what I’m doing here, I’m requiring actually that always there’s authentication using Kerberos version five on those settings. So advanced settings, I also prepared the same rule. The same endpoints, the same rule, remember when you’re defining it that this is the rule for port 445 on the file server, not on the client computer. So this is the first rule, let’s try to do it. There is a security situation let’s see in the quick mode. Currently, I can see here that there is already an association between those two but without encryption.

I can ensure that I’m communicating with the correct server and that I cannot actually modify the content of the file on the fly, but I’m not using encryption yet. To do this I need to set up the rule for protecting the SMB. Right now this rule is disabled here, but it’s quite a simple solution when I’m protecting in general. Okay, allow the connection if it’s secure, so this is very important, in the customize I already set it that it’s required the connection to be encrypted and I can add dynamic negotiate the encryption for this. And what is the scope, this is quite important because if you forget about this one you can end up with no possibility to actually access network shares to this server. So I’m only choosing that from this client the connection must be encrypted.

unencrypted network protocols

And program and it’s actually ported. It’s 445 as local port.

Okay I enable this > enable this rule > let’s go to the second server > admin, and on this one this is outgoing rule and it’s very similar to the previous one, it’s properties, it’s using program and so of course port on remote host as 445 and in the scope I’m choosing that this is on for this computer. So if it’s for example dummy controller I’m not using that, enforcing that it must be encrypted. And the same settings here, require connection to be encrypted. Ok > apply > ok. And enable this rule as well. Let’s try to close this session, and let’s open it again, let’s see what will happen, let’s go back to the quick mode and now I have the second session here and as you can see right now I’m using as well an encryption. Let’s reset the Wireshark, let’s start it, continue without saving, and now I will try to copy the file again. So I can minimize this one, copy the file again, replace the file destination, and as you can see in Wireshark, I absolutely do not see any SMB protocol. So if I stop it and now I will remove the feeder for SMB. Unfortunately, my Wireshark just crashed. Sometimes that happens.

So let’s restart it again, it should be quite fast to do it. Yes > privileges > internet and IP > address (and not ARP). So let’s start it again, continue without saving. And again I will try to copy the file. Okay, copied. As you can see here if I stop it there is absolutely no information about SMB at all but I see a lot of ESP, encapsulating security payload, which is actually showing that I’m using here IP site between those two computers for sending the files and SMB of course.

How To Protect Unencrypted Network Protocols

There is only redirect of ECMP but it’s not from this host. So we have a couple of options for that one, and for protecting our files. The same is with other protocols which do not have encryption by default, for example, iSCSI or if we are talking about SQL server it may be seen already in one of the videos in which I or Paula are showing the vulnerabilities on such protocols.

Of course the newer version of those protocols already have the encryption in those, but usually what we see is that there is no encryption on SMB and this is because of the compatibility. Though it’s even worse that no one thinks that the files are really not encrypted when they are on the network and we can see the content of it. That’s all for today. Thank you!

Curious about the best ways to protect data? Take a Data Protection Techniques training from CQURE CybeBytes series.

Data Protection Training