Category: Technology


SMB Troubleshooting

I’ve been doing a lot of SMB/CIFS troubleshooting over the past few months, and I thought it’s probably about time I wrote up what I’ve learned. All packet captures were taken with Wireshark.

SMB is short for Server Message Block; its original (SMB1) dialect is also known as CIFS, the Common Internet File System. It is mainly used for accessing files across the network from Microsoft Windows operating systems, although Samba and other platforms speak it as well. It can run directly over TCP (port 445) or over NetBIOS (TCP port 139).

When a client requests resources on a network server, an SMB Negotiate Protocol Request packet is sent from the client to the server. This packet contains the list of dialects that the client supports.

The server then responds with an SMB Negotiate Protocol Response packet, choosing the highest dialect from the client’s list that it also supports.

In this case we are using SMB version 1. The table below describes some of the dialect strings you will see in the request (the 0x02 that precedes each string in the capture is the buffer-format byte, not part of the dialect name):

Dialect Name    SMB Version
NT LM 0.12      SMB version 1
SMB 2.002       SMB version 2 (2.0.2)
SMB 2.???       SMB version 2 or later (wildcard: the server answers with an SMB2 Negotiate Response and the client then negotiates the exact 2.x/3.x dialect)

The server response also includes the SMB signing requirements, listed under Security Mode. In practice the value is 3, 7 or 15. Security Mode is a 4-bit field: bit 0 (0x01) means user-level security (access is authenticated per user rather than per share), bit 1 (0x02) means the server supports challenge/response (“encrypted”) passwords, bit 2 (0x04) means SMB signing is enabled, and bit 3 (0x08) means SMB signing is required. So 3 = no signing, 7 = signing enabled but optional, 15 = signing required. The bits are documented in [MS-CIFS] under the Negotiate Protocol Response. The GPO settings for signing are located under

Windows Settings -> Security Settings -> Local Policies -> Security Options

Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)


If the client and server can’t agree on SMB signing (one side requires it and the other has it disabled), the session is terminated and the client receives this error message: “System error 1240 has occurred. The account is not authorized to log in from this station.”
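The Security Mode bits and the signing rules above can be checked offline. The following Python is an added example, not code from the original post: it pulls the SecurityMode byte out of a constructed SMB1 Negotiate Protocol Response (the packet bytes are built here for illustration, not taken from a capture) and predicts whether a session with a given client policy ends up signed, unsigned, or refused with error 1240. The outcome table follows the [MS-CIFS] signing rules, under which two sides that both have signing merely enabled still produce a signed session.

```python
# SMB1 SecurityMode decoding and signing-negotiation outcome.
# Added example; the packet below is constructed, not a real capture.

USER_SECURITY       = 0x01  # user-level (per-user) rather than share-level security
ENCRYPT_PASSWORDS   = 0x02  # challenge/response ("encrypted") passwords supported
SIGNATURES_ENABLED  = 0x04  # SMB signing available
SIGNATURES_REQUIRED = 0x08  # SMB signing mandatory

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72


def decode_security_mode(value: int) -> dict:
    """Split the SecurityMode byte into named flags."""
    return {
        "user_security": bool(value & USER_SECURITY),
        "encrypt_passwords": bool(value & ENCRYPT_PASSWORDS),
        "signing_enabled": bool(value & SIGNATURES_ENABLED),
        "signing_required": bool(value & SIGNATURES_REQUIRED),
    }


def signing_policy(value: int) -> str:
    """Collapse the two signing bits into 'disabled', 'enabled' or 'required'."""
    if value & SIGNATURES_REQUIRED:
        return "required"
    if value & SIGNATURES_ENABLED:
        return "enabled"
    return "disabled"


def parse_negotiate_response(pkt: bytes) -> int:
    """Return the SecurityMode byte of an SMB1 Negotiate Protocol Response.

    Layout: 32-byte SMB header, WordCount (1), DialectIndex (2), SecurityMode (1).
    """
    if len(pkt) < 36 or pkt[:4] != SMB1_MAGIC or pkt[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 Negotiate Protocol packet")
    if not pkt[9] & 0x80:            # Flags.SMB_FLAGS_REPLY must be set
        raise ValueError("packet is a request, not a response")
    if pkt[32] < 2:                  # WordCount must cover DialectIndex + SecurityMode
        raise ValueError("no SecurityMode field present")
    return pkt[35]


def sample_negotiate_response(security_mode: int) -> bytes:
    """Constructed NT LM 0.12 style Negotiate Response carrying the given SecurityMode."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE])
              + b"\x00" * 4            # Status
              + b"\x98"                # Flags: reply, canonical paths, case-insensitive
              + b"\x03\xc8"            # Flags2 (not interpreted here)
              + b"\x00" * 20)          # PIDHigh, SecurityFeatures, Reserved, TID, PID, UID, MID
    words = (bytes([17])               # WordCount of the NT LM 0.12 response
             + b"\x00\x00"             # DialectIndex 0 (the only dialect offered)
             + bytes([security_mode])
             + b"\x00" * 31)           # remaining parameter words, zeroed
    return header + words + b"\x00\x00"  # ByteCount 0


def signing_outcome(client_policy: str, server_security_mode: int) -> str:
    """'signed', 'unsigned' or 'refused' (the client then sees system error 1240)."""
    server = signing_policy(server_security_mode)
    if {client_policy, server} == {"required", "disabled"}:
        return "refused"
    if "required" in (client_policy, server):
        return "signed"
    if client_policy == "enabled" and server == "enabled":
        return "signed"
    return "unsigned"


if __name__ == "__main__":
    for mode in (3, 7, 15):
        print(mode, decode_security_mode(mode))
        for client in ("disabled", "enabled", "required"):
            print(f"  client={client:8s} server=0x{mode:02x} -> "
                  f"{signing_outcome(client, mode)}")
    print(parse_negotiate_response(sample_negotiate_response(7)))
```

When you are staring at error 1240, read the SecurityMode byte out of the server’s response in Wireshark, feed it to signing_outcome with the client’s effective GPO policy, and the mismatch is usually obvious.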

Now that the client and server agree on the SMB requirements it is time to authenticate. The SMB Negotiate Protocol Response also advertises the supported authentication protocols (the SPNEGO mechanism list in the security blob, typically Kerberos and NTLMSSP) and, when extended security is not negotiated, an 8-byte random challenge; with extended security the challenge is carried in the NTLMSSP CHALLENGE message described below instead. It’s important to note that the advertised protocols do not negotiate the version of NTLM; the server just says it supports NTLM. The version (LM, NTLMv1 or NTLMv2) is selected by the client’s policy, and if the server’s policy does not accept it, authentication fails. The GPO setting that controls which version is used is located at

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options: Network Security: LAN Manager authentication level


The client then tries to authenticate; in our case it tries Kerberos first and fails.

The reason it fails is that Kerberos relies on Service Principal Names (SPNs) registered in Active Directory (the FQDN, plus anything else you add), and nothing is registered for the IP address 192.168.1.63, so no service ticket can be issued and the client falls back to NTLM. Another reason it can fail is if you connect using a DNS alias that differs from the actual hostname and no SPN has been registered for that alias.

The client sends an SMB Session Setup AndX Request packet. In our case the client has decided on NTLM, so this first packet carries an NTLM Negotiate Message (NTLMSSP_NEGOTIATE), which lists the NTLM security features (flags) the client wants to use.

The server responds with an SMB Session Setup AndX Response carrying an NTLMSSP_CHALLENGE packet. This packet contains the agreed security settings and a nonce (an 8-byte random server challenge). The client must compute a response over this nonce using a key derived from the user’s password; because the nonce is fresh for every session a captured response cannot simply be replayed, and the server can verify the response without the password ever being sent over the wire.

The client responds with a Session Setup AndX Request carrying an NTLMSSP_AUTH packet. This packet contains the username, the domain and the challenge response that proves it knows the password. As you can see it sent NTLMv2. Remember that you can control what it sends, LM, NTLMv1 or NTLMv2, with the LAN Manager authentication level GPO.

If the user provided correct credentials the session is established and the SMB connection continues (the client goes on to Tree Connect to the share it wants).
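To make the NTLMSSP_CHALLENGE / NTLMSSP_AUTH exchange above concrete, here is an added example (not code from the original post) that computes an NTLMv2 response the way the client does and then verifies it the way the server does, from nothing but the stored NT hash and the challenge it issued. The user name, domain, password, challenges, timestamp and target-info blob are all constructed for illustration, not taken from a capture; the derivation follows [MS-NLMP] (NTOWFv2 and NTProofStr). MD4 is implemented inline because OpenSSL 3 builds of Python often refuse hashlib.new("md4").

```python
# NTLMv2 challenge/response as exchanged in NTLMSSP_CHALLENGE / NTLMSSP_AUTH,
# with the server-side check. Added example; credentials, challenges and
# target info below are constructed, not taken from a capture.
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                   # round 1
            a = rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash the server stores (SAM / AD): MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """ResponseKeyNT = HMAC-MD5(NT hash, UPPER(user) || domain), both UTF-16LE."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_auth_response(nt, user, domain, server_challenge, client_challenge,
                         timestamp, target_info):
    """NtChallengeResponse carried in NTLMSSP_AUTH: NTProofStr || temp blob."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntlmv2_key(nt, user, domain), server_challenge + temp,
                     hashlib.md5).digest()
    return proof + temp


def server_verify(stored_nt, user, domain, server_challenge, nt_challenge_response):
    """Recompute NTProofStr from the stored hash and the challenge the server issued."""
    proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(ntlmv2_key(stored_nt, user, domain), server_challenge + temp,
                        hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo(password="Winter2024!", typed="Winter2024!", replay_challenge=None):
    """Run one exchange; returns whether the server accepts the AUTH message."""
    user, domain = "alice", "CORP"                         # constructed account
    stored_nt = nt_hash(password)                          # server side (SAM / DC)
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed nonce
    client_challenge = bytes.fromhex("fedcba9876543210")   # constructed
    # target info: MsvAvNbDomainName "CORP" followed by MsvAvEOL
    target_info = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00" * 4
    auth = client_auth_response(nt_hash(typed), user, domain, server_challenge,
                                client_challenge, 0x01D9C6E2A3B4C5D6, target_info)
    # A server that issued a different nonce (replay of an old AUTH) must reject it.
    check_against = replay_challenge or server_challenge
    return server_verify(stored_nt, user, domain, check_against, auth)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("correct password accepted:", demo())
    print("wrong password accepted:  ", demo(typed="Summer2024!"))
    print("replayed AUTH accepted:   ", demo(replay_challenge=bytes(8)))
```

Note that the server never needs the cleartext password, only the NT hash, which is also why a stolen NT hash is as good as the password for NTLM (pass-the-hash) even though NTLMv2 defeats straightforward replay.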

Another setting that can affect SMB is “Microsoft network server: Server SPN target name validation level”. A client provides a Service Principal Name (SPN) when establishing an SMB session; the server can validate it against its own names and, depending on the level (Off, Accept if provided by client, or Required from client), drop the connection if it doesn’t match. This is a defence against the session being relayed to a different server than the one the client meant to talk to. The SPN is only sent when the client connects using the DNS name, not the IP address.

Hope this helps you in your troubleshooting endeavours. Once you know how it works under the hood it is easier to troubleshoot.

You need to have Samba installed to use these tools. Use nmblookup to look up the NetBIOS services that are provided by the server:

nmblookup -A <IP address>

This machine’s NetBIOS name is “KIOPTRIX”, it has file sharing enabled (the <20> File Server Service name), the messenger service running (<03>) and is part of the “MYGROUP” workgroup.

Now we use smbclient to list the shares and get information on the domain/workgroup, etc.:

smbclient -L <NetBIOS name> -I <IP address>

This machine is actually a Linux machine running Samba 2.2.1a. It has 2 shares listed, IPC$ and ADMIN$. Its NetBIOS name is KIOPTRIX and the listing shows 2 other workgroups along with 3 other machines it sees. For the password I just pressed Enter (passing -N skips the prompt).

Now you can try connecting to a share:

smbclient //192.168.1.104/ADMIN$

or

smbclient //KIOPTRIX/ADMIN$ -I 192.168.1.104

In this case it didn’t work.

Strict-Transport-Security

This HTTP response header tells the browser to:

Require all traffic to the site to go over an SSL/TLS connection
Refuse connections with certificate issues (no click-through)

By setting this header you force your website to use an SSL/TLS connection for all traffic and prevent users from clicking through a certificate warning on your website.

This header helps prevent man-in-the-middle attacks: an attacker in the path can strip the SSL tunnel (downgrade https to http) or present their own self-signed certificate (most users would click through it anyway). With this header cached, the browser will not allow either connection, because it insists on SSL/TLS and treats the certificate error as fatal. The weakness is that the header only ever arrives in a successful HTTPS response, so on a user’s very first visit an attacker who is already in the path can simply keep the connection on http and the browser never sees the header.

The header has a parameter, max-age, which instructs the browser to remember the policy for that many seconds (the timer is refreshed by every HTTPS response that carries the header). If a user has visited the website before and the browser still remembers the policy, they are not vulnerable to this attack. An includeSubDomains directive extends the policy to all subdomains, and browsers also ship a preload list of sites that are treated as HSTS from the very first visit.
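The browser-side behaviour described above (honour the header only over a clean HTTPS connection, remember it for max-age seconds, optionally cover subdomains) can be modelled in a few dozen lines. The following Python is an added example, not code from the original post or any browser: it implements a small HSTS policy cache along the lines of RFC 6797 and walks through the first-visit window, the protected state, and expiry. The host names, header values and clock are constructed for illustration.

```python
# Browser-side HSTS policy cache: what Strict-Transport-Security makes the browser
# remember, and the first-visit window the header cannot close on its own.
# Added example; hosts, header values and the clock below are constructed.
import time
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    expires: float            # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_hsts(header_value: str):
    """Return (max_age, include_subdomains), or None if the header is malformed."""
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None                      # max-age is mandatory (RFC 6797)
    return max_age, include_subdomains


class HstsCache:
    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}

    def observe(self, host: str, header_value: str, over_tls: bool,
                cert_ok: bool = True) -> bool:
        """Record a header seen in a response. Browsers ignore HSTS received over plain
        http or over a connection with certificate errors, which is exactly the gap an
        in-path attacker exploits on a user's first visit."""
        if not (over_tls and cert_ok):
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 tells the browser to forget
            return True
        self._policies[host] = HstsPolicy(self._now() + max_age, include_subdomains)
        return True

    def must_upgrade(self, host: str) -> bool:
        """Would the browser force https and treat cert errors as fatal for this host?"""
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):      # exact host first, then each parent domain
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


def first_visit_scenario():
    """Returns (stripped_on_first_visit, protected_after_tls_visit, protected_after_expiry)."""
    clock = [0.0]
    cache = HstsCache(now=lambda: clock[0])
    header = "max-age=31536000; includeSubDomains"
    # 1. First visit: the attacker keeps the connection on http and strips the header.
    cache.observe("bank.example", header, over_tls=False)
    stripped = not cache.must_upgrade("bank.example")
    # 2. Later, a clean https visit delivers the header and the policy is cached.
    cache.observe("bank.example", header, over_tls=True)
    protected = cache.must_upgrade("bank.example") and cache.must_upgrade("www.bank.example")
    # 3. A year later with no refreshing visit, the policy has lapsed.
    clock[0] = 31536000.0 + 1
    return stripped, protected, cache.must_upgrade("bank.example")


if __name__ == "__main__":
    print(first_visit_scenario())   # (True, True, False)
```

The third result is why a max-age of a few seconds (a common mistake when first testing the header) gives almost no protection, and why the preload list exists for the first-visit case.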

HTTP Framesniffing

Framesniffing is a method an attacker can use to gather information from a website that you are logged into, while you visit a page the attacker controls. The attack uses HTML anchors (fragment identifiers) to detect whether a piece of content exists on a page.
An anchor is a way for HTML to identify a piece of the page so that the browser can jump to that section. For example, if you wanted the user to jump to the login section of a web page:

http://www.someurl.com/login#Login

The #Login is the anchor (fragment identifier) of the URL; it refers to the element with that ‘id’ attribute, so in our example it would be

… Modern websites have several anchors embedded within them.

An attacker could trick a user into loading a page they control which, using an IFRAME, loads the target page with an anchor appended. If the framed page ‘jumps’ (scrolls to the anchor) the attacker knows the element exists; the attacker’s page can observe that scroll even though the same-origin policy stops it reading the framed content.
By combining a website’s internal search function with anchors, an attacker can search for specific pieces of information. Most search functions allow the user to use wildcards, such as ‘*’.

http://www.someurl.com/search.aspx?q=w*#NoResults

If the above page ‘jumps’ the attacker knows that no results have been found, but if it doesn’t jump then they have found what they are looking for. They can use this method to narrow down what they are looking for.

Framesniffing can be prevented if the website sends the “X-Frame-Options” response header. The possible values for X-Frame-Options are

DENY
SAMEORIGIN

Setting it to DENY prevents the page from being loaded in any frame, and SAMEORIGIN only allows it to be framed by pages from the same origin.

At the time of this writing, I was not able to find a method to prevent this on the web browser side (except that Firefox has fixed this issue).

Certificates

So I’ve never really understood how certificates/SSL really work. Don’t get me wrong, I understand how it works to a certain extent: public/private keys, shared keys, CAs, etc. So I thought it would be a good time to write something up. I’m going to start with the basics and get those out of the way first.

Terms:

Message: The data to be encoded.

Hash Function: A one-way function that takes data of any size and converts it to a fixed-size bit string, called a hash value, message digest, or a few other names. The slightest change to the message completely changes the hash value, and for a secure hash it is computationally infeasible to find two different messages with the same hash value. Algorithms include MD4, MD5, SHA-0, SHA-1, SHA-256 and SHA-512; the first four are broken and should not be used for new signatures.

Symmetric key: A single shared (secret) key is used both to encrypt and to decrypt the message.

Asymmetric keys: A public/private key pair is used to encrypt and decrypt the message. If a message is encrypted with the public key, only the corresponding private key can decrypt it, and vice versa. The two keys are mathematically tied together and no other private/public key can decrypt the message. Normally the private key is kept secret and the public key is given out to anyone who asks for it.

Digital Signature: A way to verify that a message has not been altered and to know who the message is from. The sender runs the message through the hash function to create a hash value, then encrypts (signs) the hash using their private key. The message and the digital signature are sent together to the recipient. The recipient decrypts the signature with the sender’s public key to recover the hash, computes their own hash of the message, and compares the two. If they match, the holder of the private key signed the message and it has not been altered since.

Digital Certificate: A document that uses a digital signature to bind a public key to a user or organization. It only contains the public key; the private key stays with the owner so only they can decrypt data or sign with it. The certificate can also contain the subject name, organization, validity period, etc. Digital certificates are normally issued by a CA, or Certificate Authority, which signs them with its own private key.

Ok, so that was a little more than just basic terms :). But if you understand that you should be able to follow along.

When you visit a website over an SSL connection the server presents its digital certificate during the TLS handshake, as shown in the following screenshot.

Now that you have the digital certificate, we need to perform some checks. Using the CA’s digital signature on the certificate we can confirm that it was not altered in transit. We also check that it is still valid (certificates are only valid for a certain date range), that its name matches the site we are visiting, and that it has not been revoked. Most browsers ship a list of revoked certificates with their updates, but they can also query the Certificate Revocation List (CRL) or an OCSP responder, which is not always done.

So how do you really know that you can trust this certificate? I can create my own certificate and present it to you, telling you ‘you can trust me’. A trusted third party, a Certificate Authority, issues certificates and validates that the requester is who they say they are. These certificate authorities have their root certificates installed in your browser or operating system trust store, and when you run across a certificate issued by (or chained to) one of them your browser trusts that certificate (given that it’s not revoked and it is still valid).

This is just one example of where digital certificates are used; there are many more, like smart cards or signed and encrypted email.