Legacy network services: SMBv1, SNMP, anonymous FTP, WebDAV and SMTP relay
Legacy network services are protocols or protocol versions whose official support has ended or whose security weaknesses are documented and uncorrectable. Their presence on a network typically results from compatibility with old (legacy) systems, never-modified default configuration, or unawareness of their existence. During a pentest, these services are among the first targets as they often offer direct exploitation paths.
SMBv1 and EternalBlue
SMBv1 is the protocol exploited by EternalBlue (MS17-010), the vulnerability used by WannaCry and NotPetya in 2017. Microsoft disabled SMBv1 by default in Windows 10 and Windows Server 2016. But systems upgraded from older versions may still have it enabled. SMB message signing (SMB Signing) is a complementary protection: without it, an attacker positioned on the network can perform NTLM relay attacks.
Disabling SMBv1 (PowerShell)
# Vérifier si SMBv1 est actif :
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Désactiver SMBv1 :
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Activer la signature SMB (obligatoire pour clients et serveurs) :
Set-SmbServerConfiguration -RequireSecuritySignature $true
Set-SmbClientConfiguration -RequireSecuritySignature $true
Default SNMP community strings
SNMP (Simple Network Management Protocol) uses "community strings" as a rudimentary authentication mechanism. The default values public (read) and private (write) are known to all attackers. With the public community, an attacker can extract the entire device configuration (network interfaces, routes, ARP, users). With private, they can modify the configuration. SNMPv1 and v2 transmit community strings in plaintext. Use SNMPv3 with authentication and encryption.
Anonymous FTP
Anonymous FTP access allows connecting to an FTP server without credentials (username "anonymous", any password). If the accessible directory contains configuration files, backups, or sensitive data, the attacker can download them without authentication. If write permissions are enabled, they can upload files (webshells if the directory is accessible via HTTP).
WebDAV enabled
WebDAV (Web Distributed Authoring and Versioning) is an HTTP extension that allows file manipulation on a web server. A WebDAV accessible without authentication or with default credentials allows an attacker to list, download, upload, and delete files. If WebDAV is enabled on a directory accessible by the web server, uploading a webshell leads to code execution.
Open SMTP relay
An open SMTP relay accepts sending emails for any domain, even those it doesn't manage. Historically normal (emails needed to transit through any server), this is now a prohibited configuration that allows sending spam and phishing using your infrastructure as a relay. SMTP servers must be configured to only accept sending to domains they manage (closed relay), or for authenticated hosts only.
IKE aggressive mode (IPsec VPN)
IKE aggressive mode (used in IPsec VPNs with PSK) is vulnerable to Pre-Shared Key hash capture. In aggressive mode, the server sends its hash before authentication is complete, allowing an attacker to intercept this hash and submit it to an offline attack (dictionary or brute force). Prefer IKE main mode (Main Mode) or migrate to IKEv2 which doesn't have this problem.
Further reading
A question after reading?
Want to identify active legacy services on your network? Send a message.
Or book a 30-minute scoping call directly
Book a call →