by jabroni_salad 903 days ago
Yes. If you have LLMNR, NTLM enabled, unsigned SMB allowed, and non-encrypted LDAP bindings, then your domain controller can be popped with zero effort by Metasploit.

Legacy protocols can be very sticky, and on most repeat pentest engagements I am able to use the exact same method every time because they will never get addressed. Modern Windows (since around the Vista era) will use better stuff out of the box but will also allow downgrade attacks in the name of compatibility.

Hell, I still find SMBv1 in a lot of places.

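The four weaknesses listed in the comment above (LLMNR, NTLM downgrade, unsigned SMB, unsigned LDAP binds) plus SMBv1 each map to a documented Windows policy setting, so a defender can audit them directly. The script below is an added example and not code from the thread or from any commenter; it is read-only, reports each setting as OK or WEAK with the corresponding remediation, and assumes it is run in an elevated PowerShell on the host being checked (the LDAP checks only apply on a domain controller). The registry paths and cmdlets are the standard Windows ones; the hypothetical helper names `Get-RegValue` and `Add-Finding` are defined in the script itself.

```powershell
# Added example (not from the HN thread): read-only audit of the legacy-protocol
# settings discussed above. Run elevated on the host to check.
#Requires -RunAsAdministrator

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # A missing value means the Windows default applies; report it as $null.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, $Value, [bool]$Ok, [string]$Remediation) {
    $findings.Add([pscustomobject]@{
        Check       = $Check
        Value       = $Value
        Status      = $(if ($Ok) { 'OK' } else { 'WEAK' })
        Remediation = $Remediation
    })
}

# 1. LLMNR: policy value EnableMulticast = 0 turns multicast name resolution off,
#    which removes the poisoning/relay foothold the comment mentions.
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
Add-Finding 'LLMNR disabled' $llmnr ($llmnr -eq 0) `
    'Set EnableMulticast=0 (GPO: Turn off multicast name resolution)'

# 2. SMBv1: the server-side protocol switch (the optional feature can also be removed).
$smb = Get-SmbServerConfiguration
Add-Finding 'SMBv1 disabled' $smb.EnableSMB1Protocol (-not $smb.EnableSMB1Protocol) `
    'Set-SmbServerConfiguration -EnableSMB1Protocol $false'

# 3. SMB signing must be *required* (not just enabled) on both server and client
#    before unsigned-SMB relay is actually blocked.
Add-Finding 'SMB server signing required' $smb.RequireSecuritySignature $smb.RequireSecuritySignature `
    'Set-SmbServerConfiguration -RequireSecuritySignature $true'
$smbc = Get-SmbClientConfiguration
Add-Finding 'SMB client signing required' $smbc.RequireSecuritySignature $smbc.RequireSecuritySignature `
    'Set-SmbClientConfiguration -RequireSecuritySignature $true'

# 4. NTLM downgrade: LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1.
#    Anything lower still accepts the weaker hashes "in the name of compatibility".
$lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
Add-Finding 'LM/NTLMv1 refused (LmCompatibilityLevel=5)' $lm ($lm -eq 5) `
    'Set LmCompatibilityLevel=5 (GPO: LAN Manager authentication level)'

# 5. LDAP on domain controllers: require signing and enforce channel binding so
#    clear-text simple binds and relayed binds are rejected.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4   # 4 = backup DC, 5 = primary DC
if ($isDC) {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $sign = Get-RegValue $ntds 'LDAPServerIntegrity'
    Add-Finding 'LDAP signing required' $sign ($sign -eq 2) `
        'Set LDAPServerIntegrity=2 (GPO: Domain controller: LDAP server signing requirements)'
    $cb = Get-RegValue $ntds 'LdapEnforceChannelBinding'
    Add-Finding 'LDAP channel binding enforced' $cb ($cb -eq 2) `
        'Set LdapEnforceChannelBinding=2'
} else {
    Add-Finding 'LDAP signing/channel binding' 'n/a (not a DC)' $true 'Check on each domain controller'
}

$findings | Format-Table -AutoSize
```

A value of `$null` in the Value column means the setting is absent and the OS default is in force, which for every check here is the weaker state, so it is reported as WEAK. Running this across the estate before and after a hardening change is the cheapest way to confirm the "sticky" defaults really went away rather than trusting a contractor's word for it.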

>Hell, I still find SMBv1 in a lot of places.

It cost me thousands of dollars last year to get our MSP to disable SMBv1 and force correct policies. They "needed to audit for a week" to make sure this "didn't break older software". It was annoying that I even had to ask; they didn't come to me saying "We won't support you if you have SMBv1 enabled".

Why hasn't Microsoft at least sandboxed these protocols if they are so bad in regards to security?

It's not broken in terms of the implementation (e.g. buffer overflows). The protocol itself is fundamentally broken. Sandboxing HTTP isn't going to protect your credit card information, and sandboxing MD5 isn't going to prevent people from finding collisions.