
SMB Vulnerabilities and How to Test for Them

NeoBit team · Jun 16, 2026 · 7 min read

An SMB pentest is a targeted security test of the Server Message Block protocol, a network service that shares files, printers and administrative resources in every Windows environment and that has for years been one of the most heavily abused entry points for attackers. If your port 445 is visible from the outside, if SMBv1 is still running somewhere in your network, or if you have not patched EternalBlue, an attacker does not need to guess a single password to take over a server. That is precisely why SMB vulnerabilities are tested separately and seriously, and in what follows we explain where the risks lie, what a proper test looks like and how the gaps are closed.

Our solution

Penetration testing - we find vulnerabilities before hackers do. You do not have to handle it yourself; we take care of it for your company. Request a free assessment.

Why SMB is still a favourite attack vector

SMB is older than most of the people who administer it today. It was created when the local network was treated as a safe space, so its design assumed trust between devices. That mindset has lingered in legacy systems: old protocol versions, poorly segmented networks and servers that are accidentally exposed to the internet.

The problem is that SMB is not just folder sharing. Authentication, remote administration and lateral movement all pass through it. Once an attacker gains access to a single SMB service, they use it as a springboard towards the entire domain. As a result, one forgotten server often means the compromise of the whole organisation, not just that one device.

Three classic gaps we still see

  • Port 445 exposed to the internet. A server that was meant to be internal only but, due to a misconfigured firewall rule or NAT mapping, is visible from the external network. Automated scanners find it within a matter of hours.
  • SMBv1 still active. A version of the protocol that Microsoft itself has declared insecure and that should be removed. It lacks modern integrity protection and is vulnerable to a whole range of attacks, including EternalBlue.
  • Missing SMB signing. Without mandatory signing, a relay attack becomes possible, in which an attacker intercepts authentication and passes it on to another server as if they were a legitimate user.

EternalBlue and the lesson many have not learned

EternalBlue is the name of a vulnerability in the SMBv1 protocol, publicly disclosed in 2017. It powered WannaCry and NotPetya, the two most expensive ransomware outbreaks in history, which brought hospitals, ports and manufacturing plants around the world to a standstill. Microsoft released the patch before the wave hit, but unpatched systems fell because no one had updated them.

The sad truth is that even today, years later, we regularly find systems vulnerable to EternalBlue. These are mostly older servers running legacy applications that no one dares to touch, industrial devices and manufacturing workstations that are rarely shut down. The attack requires no user interaction: no click on a phishing link, no opening of an attachment. It is enough for the vulnerable service to be reachable on the network.

The point of the SMB pentest approach is not to tell you that EternalBlue exists - you already know that. The point is to show you exactly where in your network it still lives and how an attacker would use it for a complete compromise.

What a serious SMB pentest looks like

Real testing is not about running a single scanner and printing out a report. A scanner will give you a list of suspicions, but only manual verification shows what is genuinely exploitable. Our process at NeoBit goes through several clear phases.

1. Mapping the exposure

First we determine where SMB is listening at all. We scan port 445 (and the legacy 139) both internally and towards the internet, log every device that responds and record the protocol version and dialect. This is often where a server the client did not even know was exposed comes to light.

2. Identifying vulnerabilities

For every service found, we check whether it is vulnerable to known exploits (EternalBlue and related ones), whether SMBv1 is enabled, whether signing is mandatory and which shares are accessible anonymously or with weak credentials.

3. Controlled exploitation

A vulnerability is confirmed, not assumed. Within an agreed scope and without disrupting production, we demonstrate the real impact: file access, code execution, authentication relay or lateral movement towards other systems.

4. A report you can actually use

You receive a concrete list: which device, which vulnerability, what severity and exactly which steps to remediate it. No generic text that could be pasted onto any company.

| Element | Secure state | Risky state |
|---|---|---|
| Port 445 facing the internet | Closed, accessible only internally or via VPN | Open and visible from the public network |
| Protocol version | SMBv2/v3, SMBv1 fully removed | SMBv1 still active |
| EternalBlue patch | Installed on all systems | Unpatched legacy servers |
| SMB signing | Mandatory (required) | Disabled or optional |
| Anonymous access to shares | Disabled | Guest or null session allowed |

How SMB gaps are closed

The good news is that most of these problems can be solved without major investment - all it takes is consistency and control. After testing, the recommendations usually follow this order:

  • Remove SMBv1 entirely. On modern Windows systems this is an option you can switch off, and for legacy applications you need to find a replacement or isolate them.
  • Close port 445 to the internet. SMB should never be publicly exposed. Remote access goes exclusively through a VPN.
  • Enable mandatory SMB signing to cut off relay attacks.
  • Segment the network. Even if an attacker breaks through a single device, segmentation makes lateral movement towards critical servers much harder.
  • Establish regular patching. EternalBlue was patched years ago, so the fact that we still find it shows that the problem is not the patch but the process.
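As an added example (not a NeoBit script), the following PowerShell audits a single Windows host against the secure-state column of the table above and, when run with -Fix, applies the SMBv1 and signing remediations from the list. It assumes an elevated session on Windows 8 / Server 2012 or later, that the SMB1Protocol optional-feature name applies (Windows Server uses the FS-SMB1 role feature instead), and that recent update activity is an acceptable stand-in for a specific EternalBlue patch check.

```powershell
# Added example, not NeoBit's own tooling. Audits this host's SMB server
# settings against the "secure state" column and optionally remediates.
# Assumes: elevated session, SmbShare module present (Win 8 / Server 2012+).
param([switch]$Fix)

$cfg = Get-SmbServerConfiguration
$findings = @()

# 1. SMBv1 must be switched off at the SMB server ...
if ($cfg.EnableSMB1Protocol) {
    $findings += "SMBv1 is enabled on the SMB server"
    if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# ... and the feature itself removed so it cannot quietly come back.
# (Assumption: client-OS feature name; on Windows Server use Get-WindowsFeature FS-SMB1.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += "SMB1Protocol feature is still installed"
    if ($Fix) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 2. Signing must be REQUIRED, not merely enabled/negotiable, to stop relay.
if (-not $cfg.RequireSecuritySignature) {
    $findings += "SMB signing is not mandatory (relay attacks possible)"
    if ($Fix) { Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force }
}

# 3. No share should be reachable over a null (anonymous) session.
if ($cfg.NullSessionShares -and $cfg.NullSessionShares.Count -gt 0) {
    $findings += "Null-session shares configured: $($cfg.NullSessionShares -join ', ')"
}

# 4. Patch process: a host with no update in 90 days is unlikely to carry the
#    EternalBlue fix either (proxy check, assumption stated in the lead-in).
$lastPatch = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $lastPatch -or $lastPatch -lt (Get-Date).AddDays(-90)) {
    $findings += "No update installed in the last 90 days (last: $lastPatch)"
}

if ($findings.Count -eq 0) { "Host matches the secure state for all SMB checks." }
else { $findings | ForEach-Object { "RISK: $_" } }
if ($Fix -and $findings.Count) { "Fixes applied; removing the SMB1 feature may require a reboot." }
```

Perimeter exposure of port 445 (the first table row) is a firewall and NAT question that cannot be answered from the host itself, so it is deliberately left to the external scan in phase 1.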

Closing the gaps is not a one-off job. New vulnerabilities appear, and the environment changes every time someone adds a server or modifies a firewall rule. That is why we recommend running an SMB pentest periodically, not just once.

Where NeoBit comes in

NeoBit is a security company based in Mostar that carries out penetration testing, SOC monitoring and EDR and SIEM protection for companies in Bosnia and Herzegovina, Croatia and the wider region. SMB vulnerabilities are a frequent topic for us precisely because clients underestimate them, while the consequences of a compromise through them can be total. We do not produce automated tick-box reports; instead, we genuinely verify what is exploitable in your network and provide clear remediation steps.

If you are not sure whether your port 445 is exposed, whether SMBv1 is still running somewhere, or whether you are truly patched against EternalBlue, get in touch for an assessment. It is better that we discover it than an attacker. Contact NeoBit and arrange an initial conversation about the security of your network.

Frequently asked questions

What is an SMB pentest and what is it for?

An SMB pentest is a targeted security test of the Server Message Block protocol that Windows networks use to share files and resources. The goal is to uncover exposed services, old protocol versions and known vulnerabilities such as EternalBlue before an attacker exploits them, and to provide concrete steps for closing them.

Is EternalBlue still dangerous?

Yes. Although the patch has been available for years, we still regularly find unpatched systems, most often older servers and industrial devices. The attack requires no user interaction, so it is enough for the vulnerable SMB service to be reachable on the network for a complete compromise to occur.

Do I need an SMB pentest if port 445 is closed to the internet?

Yes, because most compromises come from the inside. If an attacker gains access to a single device on the local network, a poorly protected SMB enables lateral movement towards servers and the domain. Internal exposure is just as important as external exposure.

How often should testing be repeated?

We recommend at least once a year, and always after major changes to the infrastructure, such as new servers, changes to firewall rules or migrations. The environment is constantly changing, so a one-off test quickly becomes outdated.
