Attack Technique

SMB Scanning

SMB scanning enumerates the hosts on a network that expose the Server Message Block service (TCP port 445, or 139 over NetBIOS) and, in more thorough scans, the shares and security settings they advertise. Administrators use it to inventory file servers and audit share exposure. The same sweep gives an attacker a target list: hosts with reachable shares and, in particular, hosts that do not require SMB signing, which are the servers an NTLM relay attack can be pointed at.

Definition

What is SMB scanning?

SMB stands for Server Message Block, a protocol for sharing files, printers and other network resources. It is the standard file-sharing protocol in Windows environments, where sessions are authenticated with NTLM or Kerberos. SMB scanning means probing a network for hosts listening on the SMB ports (TCP 445 and 139) and, optionally, enumerating the shares they expose and whether they require message signing. Administrators run such scans to audit exposure. Attackers run them to pick targets, most notably for SMB relay attacks, which need a server that accepts NTLM authentication without requiring signing.

How it works

How do SMB relay attacks work?

With this technique, attackers take advantage of the fact that NTLM challenge-response authentication is not, by default, bound to the connection it travels over. The attacker first uses scanning to find servers that accept NTLM and do not require SMB signing, then positions themselves where a client's authentication attempt will reach them. By forwarding each message of the NTLM exchange to the chosen server in real time, the attacker authenticates there as the victim without ever learning the password or its hash.

Here’s a common SMB relay attack progression:

  1. The attacker gets a victim to authenticate to the attacker's machine. On Windows LANs this is most often done by answering LLMNR/NBT-NS name lookups (name poisoning), so that a mistyped share name or a stale drive mapping resolves to the attacker; ARP spoofing or DNS poisoning can likewise reroute SMB traffic through the attacker's host, placing it as a "man-in-the-middle" between client and legitimate server.
  2. The attacker accepts the client's SMB session and receives its NTLM authentication messages. These carry a challenge-response value (for NTLMv2, an HMAC keyed with the user's NT hash over the server's challenge), not the plaintext password and not the hash itself. The response cannot be replayed later, but it can be forwarded while the exchange is in progress.
  3. The attacker relays the NEGOTIATE, CHALLENGE and AUTHENTICATE messages between the victim and a second server, acting as the server toward the victim and as the client toward the target, so the victim answers the target's challenge. Because NTLM on its own does not bind the exchange to the TCP connection or to the endpoints, the target accepts the victim's response and the attacker holds an authenticated session as that user. Required SMB signing defeats this: signing needs the session key derived from the user's hash, which the relay never obtains.
[Figure: SMB relay attack process]
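The scan that ties these steps together is the one that sorts hosts by signing posture. As an added example (not code from this page or from Vectra), the Python script below performs the SMB2 NEGOTIATE exchange against each host and reads the SecurityMode flags from the reply: a host that does not set SIGNING_REQUIRED is a candidate relay target, one that does is not. Constants and field offsets follow the public SMB2 specification (MS-SMB2). The response builder is a constructed stand-in for a real server so the parser can be exercised offline; the script name and any hosts passed on the command line are assumptions, and it should only be run against networks you are authorized to test.

```python
"""Probe a host's SMB2 NEGOTIATE response and report whether message signing
is required. Hosts that answer 'signing not required' are the ones an NTLM
relay can be pointed at; hosts that require it are not."""
import socket
import struct
import sys
import uuid

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
# SMB 2.0.2, 2.1, 3.0, 3.0.2. 3.1.1 is left out because it needs negotiate contexts.
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)

# 64-byte SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command,
# CreditRequest, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"


def _frame(msg):
    """Direct-TCP (port 445) framing: 0x00 type byte + 3-byte big-endian length."""
    return struct.pack(">I", len(msg)) + msg


def build_negotiate_request(client_guid=None):
    """SMB2 header + NEGOTIATE request body (StructureSize 36 + dialect array)."""
    header = struct.pack(SMB2_HEADER_FMT, SMB2_PROTOCOL_ID, 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    guid = (client_guid or uuid.uuid4()).bytes_le
    # StructureSize, DialectCount, SecurityMode, Reserved, Capabilities, ClientGuid, ClientStartTime
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0, guid, 0)
    body += b"".join(struct.pack("<H", d) for d in DIALECTS)
    return _frame(header + body)


def parse_negotiate_response(data):
    """Extract dialect and signing flags from a raw SMB2 NEGOTIATE response."""
    if data[:4] != SMB2_PROTOCOL_ID and data[4:8] == SMB2_PROTOCOL_ID:
        data = data[4:]                      # strip the NetBIOS session header
    if data[:4] != SMB2_PROTOCOL_ID:
        raise ValueError("not an SMB2 reply (SMB1-only host or non-SMB service?)")
    status, command = struct.unpack_from("<IH", data, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command {command:#x} / status {status:#010x}")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if struct_size != 65:
        raise ValueError(f"bad NEGOTIATE response StructureSize {struct_size}")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def build_negotiate_response(security_mode, dialect):
    """Constructed server reply (no real server involved) for offline testing only."""
    header = struct.pack(SMB2_HEADER_FMT, SMB2_PROTOCOL_ID, 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0x01, 0, 0, 0, 0, 0, b"\x00" * 16)   # Flags: SERVER_TO_REDIR
    # StructureSize, SecurityMode, DialectRevision, Reserved, ServerGuid, Capabilities,
    # MaxTransact/Read/WriteSize, SystemTime, ServerStartTime, SecurityBufferOffset/Length,
    # NegotiateContextOffset
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return _frame(header + body)


def scan_host(host, port=445, timeout=3.0):
    """Run one NEGOTIATE exchange against host:port and return its signing posture."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(build_negotiate_request())
        reply = s.recv(4096)
    return parse_negotiate_response(reply)


def classify(result):
    """Label a parsed result the way a relay-minded reviewer would."""
    return "signing required" if result["signing_required"] else "RELAY CANDIDATE (signing not required)"


if __name__ == "__main__":
    for target in sys.argv[1:]:     # hosts given on the command line (assumed input)
        try:
            res = scan_host(target)
            print(f"{target}: dialect {res['dialect']:#06x}, {classify(res)}")
        except (OSError, ValueError) as exc:
            print(f"{target}: {exc}")
```

Run it as `python3 smb_signing_scan.py 10.0.1.10 10.0.1.11` (file name and addresses assumed). The request advertises SIGNING_ENABLED, as a normal client does, so the server's answer reflects its own policy rather than a negotiation artefact.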
Why attackers use it

Why do attackers use SMB relay attacks?

SMB relay attacks let attackers authenticate as a legitimate user without cracking password hashes and without needing a software vulnerability on the target; a default configuration that accepts NTLM without requiring signing is enough. If the relayed account has administrative rights on the target, the attacker gains code execution there. From that foothold they can run SMB scanning again to locate further hosts that do not require signing and either progress the attack or gain deeper access.

Platform Detections

How to prevent and detect SMB relay attacks

To defend against SMB relay attacks, organizations should combine hardening, monitoring and employee education. Require SMB signing on both servers and clients: a relayed session cannot produce valid signatures because the attacker never obtains the session key. Disable LLMNR and NetBIOS name resolution, which are the usual way victims are lured into authenticating to the attacker's machine, and prefer Kerberos over NTLM, restricting or disabling NTLM where the environment allows it.

In addition, it’s crucial to monitor the network for suspicious SMB activity. 
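Two of the signals worth monitoring for are a single source touching TCP/445 on many hosts in a short window (the scan) and an NTLM network logon for an account from an address that is not that account's workstation (the footprint a relayed session leaves on the target). As an added example (not code from this page or from Vectra), the Python below implements both checks over constructed sample records: Zeek-style conn.log tuples and Windows event 4624 fields (TargetUserName, LogonType, AuthenticationPackageName, IpAddress). The records, the account-to-workstation baseline and the thresholds are all constructed for illustration.

```python
"""Two lightweight detections for SMB scanning and relay footprints, run over
constructed sample telemetry (no real logs involved)."""
from collections import defaultdict

BASE = 1700000000.0   # constructed epoch timestamp for the sample records

# Constructed Zeek-style conn.log rows: (ts, id.orig_h, id.resp_h, id.resp_p, proto)
CONN_LOG = (
    # a scanner sweeps 15 hosts on TCP/445 within 30 seconds
    [(BASE + 2 * i, "10.0.0.66", f"10.0.1.{i + 1}", 445, "tcp") for i in range(15)]
    # an admin's normal day: two file servers an hour apart, plus an RDP session
    + [(BASE + 100, "10.0.0.5", "10.0.1.10", 445, "tcp"),
       (BASE + 3700, "10.0.0.5", "10.0.1.11", 445, "tcp"),
       (BASE + 200, "10.0.0.5", "10.0.1.12", 3389, "tcp")]
    # UDP 445 noise must not count toward the fan-out
    + [(BASE + 5, "10.0.0.7", "10.0.1.3", 445, "udp")]
)

# Constructed account -> known workstation addresses (an assumed baseline)
KNOWN_WORKSTATIONS = {"jdoe": {"10.0.0.21"}, "svc_backup": {"10.0.0.30"}}

# Constructed Windows 4624 logon events as seen on the *target* servers
LOGON_EVENTS = [
    {"Computer": "FS01", "TargetUserName": "jdoe", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.21"},      # normal
    {"Computer": "FS02", "TargetUserName": "jdoe", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.66"},      # relay footprint
    {"Computer": "FS01", "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.99"},  # not NTLM: ignore
    {"Computer": "FS02", "TargetUserName": "contractor1", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.77"},      # no baseline: ignore
]


def detect_smb_scan(rows, window=60.0, threshold=10):
    """Return {source: peak distinct TCP/445 targets within `window` seconds} for
    every source whose peak fan-out reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in rows:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak, j = 0, 0
        for i in range(len(events)):
            j = max(j, i)
            # extend j to the last event still inside the window that starts at i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            peak = max(peak, len({dst for _, dst in events[i:j + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def detect_unexpected_ntlm_logons(events, baseline):
    """Flag NTLM network logons (LogonType 3) for an account from an address outside
    its known workstation set. Accounts with no baseline are skipped, not flagged."""
    hits = []
    for ev in events:
        if ev["LogonType"] != 3 or ev["AuthenticationPackageName"] != "NTLM":
            continue
        known = baseline.get(ev["TargetUserName"])
        if known is not None and ev["IpAddress"] not in known:
            hits.append((ev["TargetUserName"], ev["IpAddress"], ev["Computer"]))
    return hits


if __name__ == "__main__":
    for src, fanout in detect_smb_scan(CONN_LOG).items():
        print(f"SMB scan: {src} reached {fanout} distinct hosts on TCP/445 within 60s")
    for user, ip, host in detect_unexpected_ntlm_logons(LOGON_EVENTS, KNOWN_WORKSTATIONS):
        print(f"NTLM logon for {user} on {host} from unexpected address {ip}")
```

The scan rule flags 10.0.0.66 and ignores the admin whose two server visits are an hour apart; the logon rule singles out the jdoe session on FS02 that arrived from the scanner's address. In production the baseline comes from historical logon data rather than a hard-coded dictionary, and correlating the two rules (a flagged source that then appears as the IpAddress in a 4624) is what turns two weak signals into a strong one.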

The Vectra AI Platform includes powerful AI-driven detections to find network-based threats, including SMB scanning and SMB relay attacks. By leveraging machine learning and behavioral analysis, Vectra AI quickly identifies unusual patterns of SMB activity so SOC teams can stop attacks before they start.
