Security research

How to detect the Microsoft SMBGhost vulnerability with

Updated at
Article tags

For the past couple of weeks, a critical RCE vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3) has kept both the Microsoft users and the security community on their toes.

To help our customers better detect if their Windows hosts were affected by the critical SMBGhost vulnerability, we developed and added a new, dedicated scanner on

As you may know by now, we don’t create new tools for every vulnerability that pops up. Here’s what drove us to build a new scanner and expand the platform.

This vulnerability is particularly serious because it is “wormable” and has the potential to spread quickly from a vulnerable system to another across the internal network. What’s more, the vulnerability reminds of the EternalBlue exploit that caused the WannaCry outbreak.

1. What we know about the SMBGhost vulnerability

On March 10, 2020, during its monthly Patch Tuesday, Microsoft leaked information about a serious SMB vulnerability, which was accidentally discovered by security researchers.

Tracked asCVE-2020-0796, the RCE vulnerability exists in the way Microsoft Server Message Block 3.0 (SMBv3) handles certain requests.

Microsoft SMB v3.1.1 is a protocol mostly used in new operating systems, which means it impacts machines that run: Windows 10(versions 1903 and 1909) and Windows Server (1903 and 1909).

The vulnerability doesn’t expose older versions like Windows 7, 8, or 8.1 because they don’t support SMBv3.1.1 compression.

To exploit this vulnerability, an unauthenticated attacker sends a specially crafted packet to the targeted SMBv3 server and “convinces users to connect to it”, Microsoft said in the security advisory update.

Successful exploitation could allow hackers to execute code on the target SMB Server or SMB Client. However, a working RCE exploit hasn’t been spotted until we published this article. It seems to be difficult to create one, considering the existing safeguards implemented in the Windows kernel.

An in-depth technical analysis of this vulnerability concluded that certain SMB packets could cause a buffer overflow and crash the Windows host by getting the BSOD (Blue Screen of Death) message.

Proof of concepts to create a denial of service attack (BSOD) are already available, including short demo videos from security researchers.

2. How does the SMBGhost scanner work?

Our goal with this tool is to make it easy to discover if your Windows machines run the risk of exposure to the SMBGhost vulnerability.

The SMBGhost scanner we developed checks the SMB version of the target host o identify if the SMB service has compression enabled. It starts by scanning the TCP 445 port, commonly used by the Windows file sharing service.

The scanner also allows you to detect Windows hosts that are not vulnerable(e.g. they don’t support SMBv3.1.1 or they have SMBv3 compression disabled).

To verify these settings, our tool tries to initiate an SMB negotiation with the target server, proposing the SMB version 3.1.1 Dialect: 0x0311and compression enabled NegotiateContextCount: 2.If the SMB response packet includes the proposed settings, our scanner declares that the target is potentially vulnerable to SMBGhost.

Here’s a sample report of a SMBGhost scan:

sample report of a SMBGhost scan

3. Secure your Windows hosts with this update

Microsoft already released a security patch for the vulnerability discovered in the SMBv3 protocol, known as KB4551762, in an update for Windows 10, version 1909, and Windows 10, version 1903. We recommend applying these software updates as soon as possible!

In a security advisory, the company also offers some workaround solutions to disable SMBv3 compression or block TCP port 445.

4. Discover vulnerable Windows hosts with the SMBGhost scanner

We created this scanner to help you easily scan Windows hosts and detect this RCE vulnerability. Whether you’re a sysadmin or a security consultant, you can use this scanner to perform easy security tests and detect if your Windows machines are impacted by the SMBGhost vulnerability.

Get vulnerability research & write-ups

In your inbox. (No fluff. Actionable stuff only.)

Related articles

Suggested articles

Discover our ethical hacking toolkit and all the free tools you can use!

Create free account


© 2013-2024 has a LinkedIn account it's very active on

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn! has a YouTube account where you can find tutorials and useful videos

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software. Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.