Saturday, October 20, 2018

Daily Blog #512: Forensic Lunch Test Kitchen 10/19/18

Hello Reader,
        Another test kitchen on the books! Tonight we took a break from ObjectIDs and looked at something I've been wanting to test for a while: SMB brute-forcing tools. We ran six SMB brute-forcing tools:

  • Hydra
  • Medusa
  • Ncrack
  • Nmap's SMB login script
  • Metasploit's smb_login module
  • Patator
And then went into the Windows event logs to determine what they left behind that would make it obvious this was a third-party SMB network client trying to brute force its way in, and not a native Windows SMB client.

We learned:
  • Windows 10 does not have logon failure auditing on by default
  • Hydra, Medusa, Nmap and Ncrack put the client's IP address in the Workstation Name field of the event logs instead of a workstation name, which isn't normal
  • Metasploit's smb_login module sets the workstation name to WORKSTATION in the event logs, which isn't normal
  • Patator, which uses Impacket's smbconnection code, passes a null workstation name, which again isn't normal
  • As of Windows 8 and Server 2012 there is a new event log source called SMBServer (Microsoft-Windows-SMBServer) that logs just SMB data, including SMB authentication failures. Very useful when the Security log rolls over, and it is on by default!
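As an added example (not part of the original post or of the test kitchen itself), the Python below runs the workstation-name checks from the list above over a few constructed Security event 4625 message bodies. The sample events, the field layout they follow, and the function names are mine; the indicators (an IP address in Workstation Name, the literal WORKSTATION, or a null name) are the ones observed above.

```python
"""Triage Security event 4625 (logon failure) text for SMB brute-force tools.

Added example, not from the original post. Assumptions: the message bodies
follow the 'Field:<tabs>value' layout 4625 uses, a null Workstation Name is
rendered as '-' or empty, and the three indicators are the ones observed in
the test kitchen (IP address as name, the literal WORKSTATION, null name).
The sample events below are constructed, not real captures.
"""
import ipaddress
import re
from collections import Counter

# Constructed 4625 message bodies. Real events carry many more fields; only
# those the checks need are included here.
SAMPLE_EVENTS = [
    # Hydra / Medusa / Ncrack / Nmap style: the client IP is used as the name
    "An account failed to log on.\n"
    "Logon Type:\t\t3\n"
    "Account Name:\t\tadministrator\n"
    "Workstation Name:\t10.0.0.25\n"
    "Source Network Address:\t10.0.0.25\n"
    "Logon Process:\t\tNtLmSsp\n"
    "Status:\t\t\t0xC000006D\n",
    # Metasploit smb_login style: hard-coded WORKSTATION
    "An account failed to log on.\n"
    "Logon Type:\t\t3\n"
    "Account Name:\t\tadministrator\n"
    "Workstation Name:\tWORKSTATION\n"
    "Source Network Address:\t10.0.0.25\n"
    "Logon Process:\t\tNtLmSsp\n"
    "Status:\t\t\t0xC000006D\n",
    # Patator / Impacket style: null workstation name, shown as '-'
    "An account failed to log on.\n"
    "Logon Type:\t\t3\n"
    "Account Name:\t\tbackup\n"
    "Workstation Name:\t-\n"
    "Source Network Address:\t10.0.0.30\n"
    "Logon Process:\t\tNtLmSsp\n"
    "Status:\t\t\t0xC000006D\n",
    # Native Windows client: NetBIOS name of the connecting machine
    "An account failed to log on.\n"
    "Logon Type:\t\t3\n"
    "Account Name:\t\tjdoe\n"
    "Workstation Name:\tDESKTOP-7G4K2\n"
    "Source Network Address:\t10.0.0.40\n"
    "Logon Process:\t\tNtLmSsp\n"
    "Status:\t\t\t0xC000006D\n",
]

# One 'Key:<whitespace>value' line of a 4625 message body.
FIELD_RE = re.compile(r"^[ \t]*(?P<key>[A-Za-z ]+):[ \t]*(?P<val>.*?)[ \t]*$", re.M)


def parse_event(text):
    """Return the 'Field: value' pairs of a 4625 message body as a dict.

    In a full 4625 message 'Account Name' appears twice (Subject first, then
    the account the logon failed for); last occurrence wins, which is the
    target account.
    """
    return {m.group("key").strip(): m.group("val") for m in FIELD_RE.finditer(text)}


def is_ip_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_workstation_name(name):
    """Map a Workstation Name value to one of the indicators from the test."""
    if name in ("", "-"):
        return "null_name"            # Patator / Impacket
    if is_ip_address(name):
        return "ip_as_name"           # Hydra, Medusa, Ncrack, Nmap
    if name.upper() == "WORKSTATION":
        return "metasploit_default"   # Metasploit smb_login
    return "hostname"                 # what a native Windows client sends


def flag_event(event):
    """Return a finding for a suspicious network logon failure, else None."""
    if event.get("Logon Type") != "3":        # SMB logons are type 3 (network)
        return None
    indicator = classify_workstation_name(event.get("Workstation Name", ""))
    if indicator == "hostname":
        return None
    return {
        "source": event.get("Source Network Address", "?"),
        "account": event.get("Account Name", "?"),
        "indicator": indicator,
    }


def triage(messages):
    """Flag suspicious 4625 bodies and count hits per source address."""
    findings = [f for f in (flag_event(parse_event(m)) for m in messages) if f]
    per_source = Counter(f["source"] for f in findings)
    return findings, per_source


if __name__ == "__main__":
    found, counts = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['source']:<12} {f['account']:<14} {f['indicator']}")
    print("failures per source:", dict(counts))
```

Two caveats when using this against a real Security log: the 4625 events only exist if logon failure auditing is enabled (the first finding above), and legitimate non-Windows SMB clients such as Samba or macOS can also send names that are not NetBIOS hostnames, so a hit is a triage lead to correlate with the per-source failure count and the SMBServer log, not proof of brute forcing on its own.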
You can watch the video here:
