of file access over smb and trace analysis – part 2
4 26.359326 192.168.1.6 192.168.1.8 NTLMSSP NTLMSSP:NTLM NEGOTIATE MESSAGE
5 26.650751 192.168.1.8 192.168.1.6 NTLMSSP NTLMSSP:NTLM CHALLENGE MESSAGE
6 26.835188 192.168.1.6 192.168.1.8 NTLMSSP NTLMSSP:NTLM AUTHENTICATE MESSAGE, Domain: GTSC-B7A3A93C1A, User: administrator, Workstation: GTSC-B7A3A93C1A
7 28.531328 192.168.1.8 192.168.1.6 SMB SMB:R; Session Setup Andx
The next thing in the SMB communication with the file server will be the setting up of the user session. The SMB command used for this is Session Setup AndX. The 4 packets above show this to us. Windows clients will use NTLM or Kerberos, preferably Kerberos in most instances. This trace shows the use of NTLM as the authentication SSP (security support provider); it was chosen by the client because the file server's IP address was used rather than the server name. That's the default behaviour.
Frame:
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-03-FF-66-C3-39],SourceAddress:[00-03-FF-60-C3-39]
+ Ipv4: Src = 192.168.1.6, Dest = 192.168.1.8, Next Protocol = TCP, Packet ID = 3002, Total IP Length = 246
+ Tcp: Flags=...AP..., SrcPort=1240, DstPort=Microsoft-DS(445), Len=206, Seq=2987748740 - 2987748946, Ack=4142961914, Win=65446
+ Nbtss: SESSION MESSAGE, Length =202
- Smb: C; Session Setup Andx
AsciiString Protocol: SMB
UINT8 Command: Session Setup Andx 115(0x73)
+ UINT32 NTStatus: 0x0, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS, Code = (0) STATUS_SUCCESS
+ SMBHeader: Command, TID: 0x0000, PID: 0xFEFF, UID: 0x0000, MID: 0x0040
+ SMBRequestSessionSetupAndXNTLMESS CSessionSetupAndXNTLMESS:
- NtlmSSP: NTLM NEGOTIATE MESSAGE
AsciiStringTerm Signature: NTLMSSP
UINT32 MessageType: Negotiate Message (0x00000001)
- NtlmsspNegotiateMessage:
+ NtlmsspNegotiateFlags NegotiateFlags: 0xE2088297 (NTLM v2128-bit encryption, Always Sign)
- NtlmsspString WorkstationDomainHeader: Length: 0, Offset: 0
UINT16 Length: 0 (0x0)
UINT16 MaximumLength: 0 (0x0)
UINT32 BufferOffset: 0 (0x0)
- NtlmsspString WorkstationNameHeader: Length: 0, Offset: 0
UINT16 Length: 0 (0x0)
UINT16 MaximumLength: 0 (0x0)
UINT32 BufferOffset: 0 (0x0)
- NtlmsspVersion Version: Windows 5.1 Build 10250 NTLMSSPv15
UINT8 ProductMajorVersion: 5 (0x5)
UINT8 ProductMinorVersion: 1 (0x1)
UINT16 ProductBuild: 10250 (0x280A)
UINT24 Reserved: 0 (0x0)
UINT8 NTLMRevisionCurrent: 15 (0xF)
Netmon will show you the additional information provided in the first request from the client, as you see in this screenshot. The most important part of this message, in addition to the Session Setup SMB, will be the NTLM negotiate flags. These determine things such as the level of encryption supported and the methods that will be used for authentication. This is a 32-bit field and each bit is responsible for carrying another option.
The next thing the client does is connect to the "srvsvc" named pipe on the file server.
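To see what those 32 bits actually say, here is an added example (not from the original post or from Netmon) that parses the NTLMSSP NEGOTIATE message laid out above and expands NegotiateFlags into the MS-NLMP bit names, then lists what a defender would want to note about the options the client proposed. The sample bytes are constructed to match the decode shown on this page (flags 0xE2088297, empty domain and workstation headers, Version 5.1 build 10250, revision 15); the flag-name table is a subset and the check list is my own.

```python
import struct

# NegotiateFlags bit names from MS-NLMP 2.2.2.5 (subset; unlisted bits are reported by number).
NEGOTIATE_FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH",
    0x80000000: "56",
}

def flag_names(flags: int) -> list:
    """Expand the 32-bit NegotiateFlags field into the names of its set bits."""
    return [NEGOTIATE_FLAGS.get(1 << i, f"bit{i}") for i in range(32) if flags >> i & 1]

def parse_negotiate(msg: bytes) -> dict:
    """Parse an NTLMSSP NEGOTIATE_MESSAGE (all integers are little-endian)."""
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError(f"not a NEGOTIATE message (type {msg_type})")
    # DomainNameFields and WorkstationFields: Len, MaxLen, BufferOffset (from message start)
    dom_len, _, dom_off = struct.unpack_from("<HHI", msg, 16)
    ws_len, _, ws_off = struct.unpack_from("<HHI", msg, 24)
    info = {"flags": flags, "flag_names": flag_names(flags),
            "domain": msg[dom_off:dom_off + dom_len].decode("ascii"),
            "workstation": msg[ws_off:ws_off + ws_len].decode("ascii")}
    if flags & 0x02000000:  # Version field is present only when NEGOTIATE_VERSION is set
        major, minor, build, _, rev = struct.unpack_from("<BBH3sB", msg, 32)
        info["version"] = f"Windows {major}.{minor} Build {build} NTLMSSPv{rev}"
    return info

# (mask, should_be_set, note): checks a defender would run over the proposed flags
SECURITY_CHECKS = [
    (0x00000010, True, "SIGN not requested: no message integrity on the NTLM session"),
    (0x00000020, True, "SEAL not requested: NTLM will not encrypt the payload"),
    (0x00000080, False, "LM_KEY advertised: legacy LM session key still offered"),
    (0x00080000, True, "EXTENDED_SESSIONSECURITY absent: NTLM2 session security not offered"),
]

def session_security_notes(flags: int) -> list:
    """Return the note for every check that fails for this client's NegotiateFlags."""
    return [note for mask, want_set, note in SECURITY_CHECKS if bool(flags & mask) != want_set]

# Constructed sample matching the Netmon decode on this page.
SAMPLE_NEGOTIATE = (b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297)
                    + struct.pack("<HHI", 0, 0, 0) * 2
                    + struct.pack("<BBH3sB", 5, 1, 10250, b"\0\0\0", 15))
```

Running `parse_negotiate(SAMPLE_NEGOTIATE)` yields the twelve flags Netmon summarises as "NTLM v2, 128-bit encryption, Always Sign", and the checks point out that this client offers LM_KEY and does not ask for SEAL.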
8 28.531626 192.168.1.6 192.168.1.8 SMB SMB:C; Tree Connect Andx, Path = \\192.168.1.8\IPC$, Service = ?????
9 28.560590 192.168.1.8 192.168.1.6 SMB SMB:R; Tree Connect Andx, Service = IPC
10 52.876400 192.168.1.6 192.168.1.8 SMB SMB:C; Nt Create Andx, FileName = \srvsvc
11 54.153964 192.168.1.8 192.168.1.6 SMB SMB:R; Nt Create Andx, FID = 0x4000
12 54.182335 192.168.1.6 192.168.1.8 MSRPC MSRPC:Warning:
13 54.237065 192.168.1.8 192.168.1.6 SMB SMB:R; Write Andx, FID = 0x0000, 72 bytes
14 54.255979 192.168.1.6 192.168.1.8 SMB SMB:C; Read Andx, FID = 0x4000, 1024 bytes at Offset 0
15 54.320003 192.168.1.8 192.168.1.6 MSRPC MSRPC:Warning:
16 54.320226 192.168.1.6 192.168.1.8 MSRPC MSRPC:Warning:
17 54.701699 192.168.1.8 192.168.1.6 MSRPC MSRPC:Warning:
18 54.701932 192.168.1.6 192.168.1.8 SMB SMB:C; Close, FID = 0x4000
19 54.702385 192.168.1.8 192.168.1.6 SMB SMB:R; Close, FID = 0x0000
20 54.755524 192.168.1.6 192.168.1.8 SMB SMB:C; Nt Create Andx, FileName = \srvsvc
21 54.756530 192.168.1.8 192.168.1.6 SMB SMB:R; Nt Create Andx, FID = 0x4001
22 54.756704 192.168.1.6 192.168.1.8 MSRPC MSRPC:Warning:
23 54.757058 192.168.1.8 192.168.1.6 SMB SMB:R; Write Andx, FID = 0x0000, 72 bytes
24 54.757181 192.168.1.6 192.168.1.8 SMB SMB:C; Read Andx, FID = 0x4001, 1024 bytes at Offset 0
25 54.757448 192.168.1.8 192.168.1.6 MSRPC MSRPC:Warning:
26 54.757543 192.168.1.6 192.168.1.8 MSRPC MSRPC:Warning:
27 54.800388 192.168.1.8 192.168.1.6 MSRPC MSRPC:Warning:
28 54.800546 192.168.1.6 192.168.1.8 SMB SMB:C; Close, FID = 0x4001
29 54.801091 192.168.1.8 192.168.1.6 SMB SMB:R; Close, FID = 0x0000
This connection is required to send queries on the file share and get more information on the share.
Then the client checks to see if it's connecting to a DFS namespace:
34 68.715121 192.168.1.6 192.168.1.8 SMB SMB:C; Tree Connect Andx, Path = \\192.168.1.8\IPC$, Service = ?????
35 68.715612 192.168.1.8 192.168.1.6 SMB SMB:R; Tree Connect Andx, Service = IPC
36 68.715780 192.168.1.6 192.168.1.8 DFS DFS:Get DFS Referral Request, FileName: \192.168.1.8\c$, MaxReferralLevel: 3
37 68.812676 192.168.1.8 192.168.1.6 SMB SMB:R; Transact2, Open2 - NT Status: System - Error, Code = (14) STATUS_NO_SUCH_DEVICE
STATUS_NO_SUCH_DEVICE from the file server means that the share is not a DFS namespace and that the client should connect directly to this share.
After this has been done the communication will continue with the client doing the actual tree connect, to the share name directly this time. In the attached trace from the earlier post you will see that the client queries for the files with Trans2 requests and then at the end closes the tree connection with a Tree Disconnect, having first closed the file with a Close SMB. The last thing in the communication will be a Logoff SMB to log off the user from the file server.