I’ve been doing a lot of SMB/CIFS troubleshooting over the past few months, and i thought it’s probably about time I wrote what i’ve learned. All packet captures used wireshark.

SMB is short for server message block also known as CIFS, Common Internet File System. It is mainly used for accessing files across the network using Microsoft Windows operating systems. It can be used with or without NetBIOS.

When a client request resources on a network server a SMB Negotiate Protocol Request packet is sent from the client to the server. This packet contains the dialects that the client can support

The server then responds with the highest dialect it supports with a SMB Negotiate Protocol Response packet

In this case we are using SMB version 1. The table below describes some SMB dialects

Dialect Name SMB Version
NT LM 0.12 NT LM 0.12 SMB version 1
2(0x2) SMB 2.002 SMB Version 2
2(0x2) SMB 2.??? SMB Version 2

The Server response also includes the SMB Signing requirements, that is listed under Security Mode. The possible values can be either 3, 7, or 15. The Security Mode has 4 bits, the first is for user mode, and the second is for password encryption. I’m not sure what these two bits are for, couldnt find any documentation. The next is for SMB signing (is it enabled?), and the last is SMB signing is required. GPO settings for these are located

Windows Settings -> Security Settings -> Local Policies -> Security Options

Microsoft network client/server: Digitally Sign communiction (always)
Microsoft network client/server: Digitally Sign communications (if client agrees)

If the client and server cant agree on SMB signing requirements then the session is terminated and the client receives this error message “System error 1240 has occurred. The account is not authorized to log in from this station.”

Now that the client and server agree on SMB requirements its time to authenticate. The SMB Negotiate Protocol Response also includes supported authentication protocols, and a 8 byte random string. It’s important to note that the supported authentication protocols does not negotiate the version of NTLM, it just says it supports NTLM. The version is selected by the client, and if it’s not supported by the server, authentication fails. There is a GPO setting that configures what version of NTLM to use, it is located
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options: Network Security: LAN Manager authentication Level

The client responds by trying to authenticate, in our case it tries kerberos and fails.

The reason it fails is because kerberos relies on SPN (Service Principal Names), it doesnt have listed in it’s database (it stores the FQDN and anything else you add). Another reason it could fail is if you are using a different DNS name than the actual hostname.

The client responds with a SMB Session Setup AndX Request packet, in our case the client has decided to go with NTLM, so this first packet contains a NTLM Negotiate Message packet, or NTLMSSP_Negotiate. This packet specifies the security features of NTLM

The server responds with an SMB Session Setup AndX Response NTMLSSP_Challange packet. This packet contains the agreed security settings and a nonce, or a random number. This nonce is used by the server to verify that the client knows the correct password.
The client responds with a Setup AndX Request, NTLMSSP_Auth packet. This packet contains the username and a response that indicates that it knows the password. As you can see it sent NTLMv2. Remember that you can control what it sends, LM, NTML, or NTLMv2 with a GPO.

If the user provided correct credentials the SMB connection will continue

Another setting that could affect SMB is “Microsoft network server: Server SPN target name validation level”. A client provides a SPN (Service Principal Name) when establishing a SMB session. The server can validate this and if it doesnt match it can drop the connection. The SPN will only be sent when using the DNS name, not the IP address.

Hope this helps you in your troubleshooting endeavours. Once you know how it works under the hood it makes it easier to troubleshoot.