Tag Archive: windows

SMB Troubleshooting

I’ve been doing a lot of SMB/CIFS troubleshooting over the past few months, and i thought it’s probably about time I wrote what i’ve learned. All packet captures used wireshark.

SMB is short for server message block also known as CIFS, Common Internet File System. It is mainly used for accessing files across the network using Microsoft Windows operating systems. It can be used with or without NetBIOS.

When a client request resources on a network server a SMB Negotiate Protocol Request packet is sent from the client to the server. This packet contains the dialects that the client can support

The server then responds with the highest dialect it supports with a SMB Negotiate Protocol Response packet

In this case we are using SMB version 1. The table below describes some SMB dialects

Dialect Name SMB Version
NT LM 0.12 NT LM 0.12 SMB version 1
2(0x2) SMB 2.002 SMB Version 2
2(0x2) SMB 2.??? SMB Version 2

The Server response also includes the SMB Signing requirements, that is listed under Security Mode. The possible values can be either 3, 7, or 15. The Security Mode has 4 bits, the first is for user mode, and the second is for password encryption. I’m not sure what these two bits are for, couldnt find any documentation. The next is for SMB signing (is it enabled?), and the last is SMB signing is required. GPO settings for these are located

Windows Settings -> Security Settings -> Local Policies -> Security Options

Microsoft network client/server: Digitally Sign communiction (always)
Microsoft network client/server: Digitally Sign communications (if client agrees)

If the client and server cant agree on SMB signing requirements then the session is terminated and the client receives this error message “System error 1240 has occurred. The account is not authorized to log in from this station.”

Now that the client and server agree on SMB requirements its time to authenticate. The SMB Negotiate Protocol Response also includes supported authentication protocols, and a 8 byte random string. It’s important to note that the supported authentication protocols does not negotiate the version of NTLM, it just says it supports NTLM. The version is selected by the client, and if it’s not supported by the server, authentication fails. There is a GPO setting that configures what version of NTLM to use, it is located
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options: Network Security: LAN Manager authentication Level

The client responds by trying to authenticate, in our case it tries kerberos and fails.

The reason it fails is because kerberos relies on SPN (Service Principal Names), it doesnt have listed in it’s database (it stores the FQDN and anything else you add). Another reason it could fail is if you are using a different DNS name than the actual hostname.

The client responds with a SMB Session Setup AndX Request packet, in our case the client has decided to go with NTLM, so this first packet contains a NTLM Negotiate Message packet, or NTLMSSP_Negotiate. This packet specifies the security features of NTLM

The server responds with an SMB Session Setup AndX Response NTMLSSP_Challange packet. This packet contains the agreed security settings and a nonce, or a random number. This nonce is used by the server to verify that the client knows the correct password.
The client responds with a Setup AndX Request, NTLMSSP_Auth packet. This packet contains the username and a response that indicates that it knows the password. As you can see it sent NTLMv2. Remember that you can control what it sends, LM, NTML, or NTLMv2 with a GPO.

If the user provided correct credentials the SMB connection will continue

Another setting that could affect SMB is “Microsoft network server: Server SPN target name validation level”. A client provides a SPN (Service Principal Name) when establishing a SMB session. The server can validate this and if it doesnt match it can drop the connection. The SPN will only be sent when using the DNS name, not the IP address.

Hope this helps you in your troubleshooting endeavours. Once you know how it works under the hood it makes it easier to troubleshoot.

You need to have samba installed to use these tools. Use nblookup to lookup services that are provided by the server

nmblookup -A IP Address

This machines NetBIOS name is “KIOPTRIX”, it has file sharing enabled (“”), messenger running (“03”) and is part of “MYGROUP” workgroup.

Now we use smbclient to get information on shares, domain/work groups, etc…

smbclient -L \\NetBIOS name -I IPaddress

This machine is actually a Linux machine running Samba 2.2.1a. It has 2 open shares, IPC$ and Admin$. It’s NetBIOS name is KIOPTRIX and it shows 2 other workgroups along with 3 other machines it sees. Note for the password i just hit enter.

Now you can try connecting to a share

smbclient //$


smbclient //KIOPTRIX/ADMIN$ -I

In this case it didnt work


NetBIOS provides several services for other programs (like SMB/CIFs) including session and transport services (based off the OSI model). It runs over TCP/IP

Each service that uses NetBIOS also has a name which is limited to 16 characters, except the last character is reserved for the resource type.When a machine joins a NetBIOS network it registers its name and service by sending a network broadcast and/or by using a WINs server. A WINs server allows you to translate a NetBIOS name into an IP address. The following is a list of common services

[00] Workstation Service
[03] Messenger Service
[06] RAS Server Service
[1F] NetDDE Service
[20] Server Service
[21] RAS Client Service
[BE] Network Monitor Agent
[BF] Network Monitor Application
[03] Messenger Service
[1D] Master Browser
[1B] Domain Master Browser

[00] Domain Name
[1C] Domain Controllers
[1E] Browser Service Elections
[01h][01h]__MSBROWSE__[01h][01h] Master Browser

nbtstat is a tool that you can use to view and register NetBIOS names. To view registered names type the following

nbtstat -n

To view netbois names and services for another computer type the following:

nbtstat -a IP Address

As we said earlier NetBIOS runs over TCP/IP, here are the steps that occur for a connection to take place.

The NetBIOS name is translated into an IP address
A TCP session is established on TCP port 139
A NetBIOS session request is sent and a session is established.
Then the rest of the traffic is sent, for example file sharing traffic is sent (IE SMB).

NetBIOS Datagram are sent over UDP and are used for non-session services

Port 137 UDP – Used for NetBIOS name service
Port 138 UDP – Used for NetBIOS Datagram Service
Port 139 TCP – Used for NetBIOS sessions

If the machine has Server Service listed then they have file sharing turned on. You then can use net view to list all shares.


Windows Credentials Editor

Windows Credentials Editor (WCE) allows to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes and Kerberos tickets).
This can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used to perform further attacks, obtain Kerberos tickets and reuse them in other Windows or Unix systems.
Supports Windows XP, 2003, Vista, 7 and 2008.

Download it here