Latest Entries »

SMB Troubleshooting

I’ve been doing a lot of SMB/CIFS troubleshooting over the past few months, and i thought it’s probably about time I wrote what i’ve learned. All packet captures used wireshark.

SMB is short for server message block also known as CIFS, Common Internet File System. It is mainly used for accessing files across the network using Microsoft Windows operating systems. It can be used with or without NetBIOS.

When a client request resources on a network server a SMB Negotiate Protocol Request packet is sent from the client to the server. This packet contains the dialects that the client can support

The server then responds with the highest dialect it supports with a SMB Negotiate Protocol Response packet

In this case we are using SMB version 1. The table below describes some SMB dialects

Dialect Name SMB Version
NT LM 0.12 NT LM 0.12 SMB version 1
2(0x2) SMB 2.002 SMB Version 2
2(0x2) SMB 2.??? SMB Version 2

The Server response also includes the SMB Signing requirements, that is listed under Security Mode. The possible values can be either 3, 7, or 15. The Security Mode has 4 bits, the first is for user mode, and the second is for password encryption. I’m not sure what these two bits are for, couldnt find any documentation. The next is for SMB signing (is it enabled?), and the last is SMB signing is required. GPO settings for these are located

Windows Settings -> Security Settings -> Local Policies -> Security Options

Microsoft network client/server: Digitally Sign communiction (always)
Microsoft network client/server: Digitally Sign communications (if client agrees)

If the client and server cant agree on SMB signing requirements then the session is terminated and the client receives this error message “System error 1240 has occurred. The account is not authorized to log in from this station.”

Now that the client and server agree on SMB requirements its time to authenticate. The SMB Negotiate Protocol Response also includes supported authentication protocols, and a 8 byte random string. It’s important to note that the supported authentication protocols does not negotiate the version of NTLM, it just says it supports NTLM. The version is selected by the client, and if it’s not supported by the server, authentication fails. There is a GPO setting that configures what version of NTLM to use, it is located
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options: Network Security: LAN Manager authentication Level

The client responds by trying to authenticate, in our case it tries kerberos and fails.

The reason it fails is because kerberos relies on SPN (Service Principal Names), it doesnt have listed in it’s database (it stores the FQDN and anything else you add). Another reason it could fail is if you are using a different DNS name than the actual hostname.

The client responds with a SMB Session Setup AndX Request packet, in our case the client has decided to go with NTLM, so this first packet contains a NTLM Negotiate Message packet, or NTLMSSP_Negotiate. This packet specifies the security features of NTLM

The server responds with an SMB Session Setup AndX Response NTMLSSP_Challange packet. This packet contains the agreed security settings and a nonce, or a random number. This nonce is used by the server to verify that the client knows the correct password.
The client responds with a Setup AndX Request, NTLMSSP_Auth packet. This packet contains the username and a response that indicates that it knows the password. As you can see it sent NTLMv2. Remember that you can control what it sends, LM, NTML, or NTLMv2 with a GPO.

If the user provided correct credentials the SMB connection will continue

Another setting that could affect SMB is “Microsoft network server: Server SPN target name validation level”. A client provides a SPN (Service Principal Name) when establishing a SMB session. The server can validate this and if it doesnt match it can drop the connection. The SPN will only be sent when using the DNS name, not the IP address.

Hope this helps you in your troubleshooting endeavours. Once you know how it works under the hood it makes it easier to troubleshoot.


You need to have samba installed to use these tools. Use nblookup to lookup services that are provided by the server

nmblookup -A IP Address

This machines NetBIOS name is “KIOPTRIX”, it has file sharing enabled (“”), messenger running (“03”) and is part of “MYGROUP” workgroup.

Now we use smbclient to get information on shares, domain/work groups, etc…

smbclient -L \\NetBIOS name -I IPaddress

This machine is actually a Linux machine running Samba 2.2.1a. It has 2 open shares, IPC$ and Admin$. It’s NetBIOS name is KIOPTRIX and it shows 2 other workgroups along with 3 other machines it sees. Note for the password i just hit enter.

Now you can try connecting to a share

smbclient //$


smbclient //KIOPTRIX/ADMIN$ -I

In this case it didnt work


NetBIOS provides several services for other programs (like SMB/CIFs) including session and transport services (based off the OSI model). It runs over TCP/IP

Each service that uses NetBIOS also has a name which is limited to 16 characters, except the last character is reserved for the resource type.When a machine joins a NetBIOS network it registers its name and service by sending a network broadcast and/or by using a WINs server. A WINs server allows you to translate a NetBIOS name into an IP address. The following is a list of common services

[00] Workstation Service
[03] Messenger Service
[06] RAS Server Service
[1F] NetDDE Service
[20] Server Service
[21] RAS Client Service
[BE] Network Monitor Agent
[BF] Network Monitor Application
[03] Messenger Service
[1D] Master Browser
[1B] Domain Master Browser

[00] Domain Name
[1C] Domain Controllers
[1E] Browser Service Elections
[01h][01h]__MSBROWSE__[01h][01h] Master Browser

nbtstat is a tool that you can use to view and register NetBIOS names. To view registered names type the following

nbtstat -n

To view netbois names and services for another computer type the following:

nbtstat -a IP Address

As we said earlier NetBIOS runs over TCP/IP, here are the steps that occur for a connection to take place.

The NetBIOS name is translated into an IP address
A TCP session is established on TCP port 139
A NetBIOS session request is sent and a session is established.
Then the rest of the traffic is sent, for example file sharing traffic is sent (IE SMB).

NetBIOS Datagram are sent over UDP and are used for non-session services

Port 137 UDP – Used for NetBIOS name service
Port 138 UDP – Used for NetBIOS Datagram Service
Port 139 TCP – Used for NetBIOS sessions

If the machine has Server Service listed then they have file sharing turned on. You then can use net view to list all shares.


This HTTP header will do:

Require all traffic to go through an SSL tunnel
Refuse connections with certificate isssues

By setting this http header you can force your website to use an SSL connection for all traffic and prevent users from clicking through a certificate issue on your website.

This header can help prevent man in the middle attacks, an attacker can remove the SSL tunnel (https to http) or use a custom signed certificate (most users would click through it anyway). By setting this http header your browser wouldn’t allow this connection because it requires SSL or because of the certificate issue. The attacker could just remove this header.

This header has a parameter, max-age, when set will instruct the browser to remember the settings for this header for x amount of seconds. If a user visits a website and the browser remembers the settings then they are not vulnerable to this attack.

HTTP Framesniffing

Framesniffing is a method an attacker can use to gather information from a website that you are visiting. The attack uses html anchors to identify pieces of information on the web page.
An anchor is a way for html to identify certain pieces of html code to allow the user to jump to that section of the page. For example if you wanted the user to jump to the login section of a webpage

The #Login is the anchor of the page, it is represented with the the ‘id’ attribute, so in our example it would be

… Modern websites have several anchors embedded within them.

An attacker could trick a user into loading a page he controls and using an IFRAME load another page using the anchor, and if the page ‘jumps’ the attacker has found what he is looking for.
By using a websites internal search functions and anchors an attacker can search for specific pieces of information. Most search functions allow the user to use wildcards, such as ‘*’.*#NoResults

If the above page ‘jumps’ the attacker knows that no results have been found, but if it doesn’t jump then they have found what they are looking for. They can use this method to narrow down what they are looking for.

Framesniffing can be disabled if the website sends the “X-Frame-Options” header. The possible values for X-Frame-Options are


Setting it to deny will deny loading the page in an IFRAME and SAMEORIGIN will only allow loading the page from the same domain.

. As the time of this writing, I was not able to find a method to prevent this via the web browser (except firefox has fixed this issue)