Getting Around PIA Blocking Outbound SMB to the Internet

 

Browsing open SMB shares you find on Shodan while maintaining your privacy can be problematic.

Outbound SMB to the Internet is sometimes blocked on residential and commercial networks, and with good reason. Attacks that trigger a victim host to authenticate to a rogue SMB server are common, and can result in the victim's Net-NTLM hash being stolen. SMB can also be blocked by a third-party VPN client. The PIA VPN client, for instance, blocks SMB outbound to the Internet when the VPN connection is enabled, which is a valuable privacy feature.

All this outbound SMB blocking, however, can be a problem for Red Team operations and security research. If you're conducting a penetration test and discover that port 445 may be open on an external target, if you need to test Responder, or if you're just checking out open shares on Shodan, you may have a hard time connecting without disclosing your IP address.

In this post, I offer two solutions which allow a successful outbound connection to an SMB server on the Internet while connected to a PIA VPN. This post is *not* in reference to PIA blocking SMB connections to *LAN* IP addresses, which is a separate issue, often related to the "Allow LAN Traffic" setting within PIA.

 

TL;DR: Use PIA from your phone, or use a custom OpenVPN connection to PIA.


Option 1: Use Your Phone

If you just need to check something quickly, you could consider using your phone. I found that the PIA Android app does not block outbound SMB. As for SMB Android apps, I had poor luck getting the AndSMB app to work, but was able to use the Cx File Explorer app successfully. (I can't vouch for the security of either.)



 

Option 2: OpenVPN connection to PIA



On my Ubuntu 19.10 box, I found that I was able to get around this problem by connecting to PIA via the openvpn command line application instead of the standard PIA client application. First, I navigated to https://www.privateinternetaccess.com/, clicked "Download", and then "View OpenVPN Configurations". I downloaded the one marked "OpenVPN Configuration Files (Recommended Default)". Next, I used the following command to initiate a connection to PIA's OpenVPN server:

sudo openvpn --config [region].ovpn --auth-user-pass

You'll need to replace [region] with your desired region shown in the filenames you downloaded. Each file is a config for a different region.

Once you're connected via openvpn, you can use an SMB client to connect to the target. As an example, you can use Thunar to connect to an SMB share by typing in the path at the top of the window, like so:

smb://example.com

If an authentication window pops up, be sure to enter a custom username that can't be tied back to you.

 


When I performed a test in this way against Responder to see what identifying information would be shown to the SMB target, I found a satisfactory result:

 

[SMB] NTLMv2-SSP Client   : [PIA-IP-address]
[SMB] NTLMv2-SSP Username : WORKGROUP\TEST
 

However, if you are going to try a similar strategy on a Windows box, I recommend you use a sterile machine that doesn't have a computer name or username that can be tied back to you, etc. Also, I wasn't able to test Responder with Option 1 (from a phone), but I recommend you do testing if you need to protect your phone's hostname.
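The Responder check described above can be repeated after every configuration change. The following is an added example, not code from the original post: it parses the two [SMB] NTLMv2-SSP lines in the format shown above and flags any capture whose source IP is not your VPN exit address, or whose domain or username matches a name tied to you. The sample capture, IP addresses, names and function names are all constructed for illustration.

```python
import re

# Matches the two Responder console lines quoted in the post.
LINE_RE = re.compile(r"^\[SMB\]\s+NTLMv2-SSP\s+(Client|Username)\s*:\s*(.+?)\s*$")

def parse_responder(lines):
    """Group Client/Username lines into one record per captured authentication."""
    records, current = [], {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Client":
            if current:
                records.append(current)
            current = {"client": value}
        else:
            # Username is DOMAIN\user; the domain is often the client hostname.
            domain, _, user = value.rpartition("\\")
            current.update(domain=domain, user=user)
    if current:
        records.append(current)
    return records

def audit(records, vpn_ips, private_names):
    """Return (field, value) findings that expose something tied to the tester."""
    names = {n.lower() for n in private_names}
    findings = []
    for r in records:
        if r.get("client") not in vpn_ips:
            findings.append(("source-ip", r.get("client")))
        for field in ("domain", "user"):
            value = r.get(field, "")
            if value.lower() in names:
                findings.append((field, value))
    return findings

# Constructed sample capture (documentation IP ranges, made-up names).
SAMPLE = """\
[SMB] NTLMv2-SSP Client   : 203.0.113.10
[SMB] NTLMv2-SSP Username : WORKGROUP\\TEST
[SMB] NTLMv2-SSP Client   : 198.51.100.7
[SMB] NTLMv2-SSP Username : ALICE-LAPTOP\\alice
""".splitlines()

if __name__ == "__main__":
    hits = audit(parse_responder(SAMPLE), {"203.0.113.10"}, {"alice-laptop", "alice"})
    for kind, value in hits:
        print(f"LEAK {kind}: {value}")
```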
