Server Message Block



There is a fair amount of information in this post.

Back in 2002, Richard Sharpe of samba.org wrote a pretty good explanation of Server Message Block (SMB), a protocol originally specified by Microsoft, IBM and Intel. It is a good write-up and I'll be referencing it a lot.

Introduction

So, as defined by Richard Sharpe:

SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers.

At an extremely high level, SMB handles the following interactions:

  • Opening and closing files
  • Creating and deleting files
  • Reading and writing files
  • Searching for files
  • Queueing and dequeueing files in a print spool

All of the above functionality is encoded into SMB messages and transmitted between an SMB client and an SMB server.

With that in mind, SMB is a request/response protocol: the client sends a request and the server responds. The following image, courtesy of Richard Sharpe, is an example of this transaction:

The server's purpose is to make files, printers and pipes available on the network. For this reason, SMB is usually a central component of a Windows environment.

Connections

That's the general overview of what SMB is and what its purpose is. This section covers how SMB forms its connections.

Originally, SMB ran on top of NetBIOS over NetBEUI, which ran on top of IEEE 802.2. Today SMB most commonly runs either on top of NetBIOS over TCP (NBT, TCP/139) or directly over TCP on TCP/445.

SMB Packet Exchange

The following example is taken directly from the Microsoft Docs (SMB Protocol Packet Exchange Scenario), so make sure to give the article a read through.

To connect to an SMB server, authenticate, browse and read data from a share, the following exchange occurs (in this scenario SMB is carried over NBT, so a NetBIOS session is set up first):

  • Packet 1: The client establishes a NetBIOS session with the server
  • Packet 2: The client and server negotiate the Microsoft SMB Protocol dialect
  • Packet 3: The client authenticates to the server
  • Packet 4: The client connects to a share on the server
  • Packet 5: The client opens a file on the share
  • Packet 6: Finally, the client reads the file on the share

Each SMB step is a request/response pair. The packets below are numbered to match the steps above.

  • Packet 2: SMB_COM_NEGOTIATE: REQUEST

    - Direction: Client to server

    - Description: The client sends the list of SMB dialects it supports (for example NT LM 0.12). The server chooses the dialect to use from that list.

  • Packet 2: SMB_COM_NEGOTIATE: RESPONSE

    - Direction: Server to client

    - Description: The server responds to the client's request, identifying the Microsoft SMB Protocol dialect that is going to be used in the session. The returned packet also includes an 8-byte random challenge that is used in the next step to authenticate the client during the logon process (this is the server challenge of the NTLM challenge/response).

  • Packet 3: SMB_COM_SESSION_SETUP_ANDX: REQUEST

    - Direction: Client to server

    - Description: This packet includes information about the client's capabilities and the user's credentials (the response to the challenge). It must be sent even if the server has implemented only share-level security.

  • Packet 3: SMB_COM_SESSION_SETUP_ANDX: RESPONSE

    - Direction: Server to client

    - Description: If the challenge/response is successful, the server returns a valid user ID (UID) in this packet. If it is not accepted, the server returns an error code in this packet and denies access.

  • Packet 4: SMB_COM_TREE_CONNECT_ANDX: REQUEST

    - Direction: Client to server

    - Description: The client requests access to the share. The packet contains the fully specified path of the share in UNC format (\\server\share).

  • Packet 4: SMB_COM_TREE_CONNECT_ANDX: RESPONSE

    - Direction: Server to client

    - Description: If access to the share is granted, the server returns a 16-bit tree ID (TID) that corresponds to the share. If the share does not exist or the user has insufficient credentials to access it, the server returns an error code in this packet and denies access to the share. See appendix 6.1 for the error codes.

  • Packet 5: SMB_COM_OPEN_ANDX: REQUEST

    - Direction: Client to server

    - Description: The client asks the server to open a file on the connected share on the client's behalf. This packet contains the name of the file to be opened.

  • Packet 5: SMB_COM_OPEN_ANDX: RESPONSE

    - Direction: Server to client

    - Description: If access to the file is granted, the server returns the file ID (FID) of the requested file. If the file does not exist or the user has insufficient credentials to access it, the server returns an error code in this packet and denies access to the file. See appendix 6.2 for the error codes.

  • Packet 6: SMB_COM_READ_ANDX: REQUEST

    - Direction: Client to server

    - Description: The client asks the server to read data from the opened file and return it. The FID obtained when the file was opened is included in this packet so that the server knows which open file to read from.

  • Packet 6: SMB_COM_READ_ANDX: RESPONSE

    - Direction: Server to client

    - Description: The server returns the requested file data in this packet. An error here is unlikely given that access to the server, share and file has already been granted, but it can happen: for example, if access to the share is changed between the time the file is opened and the time it is read.

That is how SMB operates at a fairly simple level. It takes several interactions before the server grants access to a file on a remote share. The NetBIOS session in packet 1 is only needed when SMB is carried over NBT (TCP/139); connecting directly over TCP/445 removes it.

SMB over TCP

SMB supports connecting directly over TCP/445, bypassing NBT entirely. The NetBIOS session request in packet 1 above (which carries the called and calling NetBIOS names) is then never sent; the only thing kept from NBT is the 4-byte session message header (a zero type byte followed by a 3-byte length) that frames each SMB message on the wire. Windows has used direct hosting over TCP/445 by default since Windows 2000, with TCP/139 retained only for legacy clients.

SMB Security

To secure SMB, Microsoft have provided encryption. SMB Encryption is end-to-end encryption of SMB data and is easy to configure; it requires SMB 3.0 or later on both sides (Windows 8 / Windows Server 2012 and newer). It boosts the confidentiality of the data on the shares and is enabled in PowerShell, either per share: Set-SmbShare -Name sharename -EncryptData $true

Or for every share on the server: Set-SmbServerConfiguration -EncryptData $true

With that said, there are some considerations before doing that (for example, once a share is encrypted, clients that cannot do SMB 3 encryption are rejected unless RejectUnencryptedAccess is turned off on the server), and they can be found here.

In addition to encryption, Microsoft supports SMB Signing. SMB Signing signs communications at the packet layer with a key derived from the session key, so the recipient can confirm where a packet came from and that it was not modified in transit. This is what defends against relay attacks, in which a machine is coerced into performing an NTLMv1/v2 challenge/response with the attacker so that the exchange can be forwarded to another host: the relaying attacker never learns the victim's session key, so a server that requires signing rejects the relayed session. Note the "requires": a server that merely has signing enabled still accepts unsigned sessions, so that setting on its own is no protection against relay.

SMB Signing dates back to Windows 2000 and has been supported since. Every version of SMB supports it, with defaults that vary by version.

SMBv1

There are two ways to configure SMB Signing: Group Policy and the registry, Group Policy being the easiest. The registry values live under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters for the client and HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters for the server. Below are the client configurations, with the default marked:

Setting    Group Policy setting                                          Registry keys
Required   Digitally sign communications (always) – Enabled              RequireSecuritySignature = 1
Enabled    Digitally sign communications (if server agrees) – Enabled    EnableSecuritySignature = 1, RequireSecuritySignature = 0   (client default)
Disabled   Digitally sign communications (if server agrees) – Disabled   EnableSecuritySignature = 0, RequireSecuritySignature = 0

And here are the server configurations:

Setting    Group Policy setting                                          Registry keys
Required   Digitally sign communications (always) – Enabled              RequireSecuritySignature = 1                                (default on Domain Controllers)
Enabled    Digitally sign communications (if client agrees) – Enabled    EnableSecuritySignature = 1, RequireSecuritySignature = 0
Disabled   Digitally sign communications (if client agrees) – Disabled   EnableSecuritySignature = 0, RequireSecuritySignature = 0   (default on workstations and member servers)

NOTE: Required (Digitally sign communications (always) – Enabled, RequireSecuritySignature = 1) is the default for Domain Controllers.

SMBv2

For SMBv2 Microsoft simplified the configuration. Signing is always enabled (both sides are always capable of it), and the only choice is whether it is required:

Setting         Group Policy setting                                 Registry key
Required        Digitally sign communications (always) – Enabled     RequireSecuritySignature = 1
Not Required    Digitally sign communications (always) – Disabled    RequireSecuritySignature = 0

By default, Required is set on Domain Controllers, and the server and client configuration everywhere else is Not Required. Because signing is negotiated, a session is signed if either side requires it; if neither does, the session is unsigned, which is the "enabled but not required" state the nmap output below reports.

Enumerating SMB Signing

There are three good nmap scripts for this:

Firstly, smb-protocols: nmap --script smb-protocols -p139,445 192.168.50.53 -Pn -n

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-05 14:53 BST
Nmap scan report for 192.168.50.53
Host is up (0.00053s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:9B:05:0F (Oracle VirtualBox virtual NIC)

Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|     3.00
|_    3.02

Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds

Secondly, smb-security-mode: nmap --script smb-security-mode -p139,445 192.168.50.53 -Pn -n

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-05 14:54 BST
Nmap scan report for 192.168.50.53
Host is up (0.00047s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:9B:05:0F (Oracle VirtualBox virtual NIC)

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

Thirdly, smb2-security-mode: nmap --script smb2-security-mode -p139,445 192.168.50.53 -Pn -n

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-05 14:54 BST
Nmap scan report for 192.168.50.53
Host is up (0.00047s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:9B:05:0F (Oracle VirtualBox virtual NIC)

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

All three of these scripts are useful for identifying SMB security settings. Note that smb-security-mode talks SMB1, so on a host with SMB1 disabled it returns nothing and smb2-security-mode is the one to rely on; with SMB2 the interesting state is "enabled but not required", because a client (or a relaying attacker) can then simply negotiate an unsigned session. If a full list of machines without required signing is needed, here is a one-liner that walks normal nmap output, remembers each host's address and prints it when the signing line says disabled or not required:

awk '/^Nmap scan report for/ {host=$5} /message_signing: disabled|signing enabled but not required/ {print host}' file.nmap | sort -u

Adapted from a grep pipeline courtesy of @michaeljranaldo.

Or just use CrackMapExec, which writes the hosts that do not require signing to a file: cme smb 192.168.0.0/24 --gen-relay-list relay_targets.txt
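Putting the packet exchange and the signing enumeration together, the script below is an added example (not code from the original post, from nmap or from Microsoft). It builds the SMB_COM_NEGOTIATE request from packet 2, frames it in the 4-byte NetBIOS session service header used on TCP/445, and decodes the SecurityMode byte of the SMB1 reply (user- or share-level security, challenge/response, signing enabled/required, plus the 8-byte challenge) and the SecurityMode word of an SMB2 reply, i.e. the same fields smb-security-mode and smb2-security-mode print. Field offsets follow MS-CIFS 2.2.4.52 and MS-SMB2 2.2.4. The two sample responses are constructed bytes, not captures; probe() and its host/port arguments exist only for a live run and are not exercised offline.

```python
"""Build an SMB NEGOTIATE request and decode the security mode from the reply."""
import socket
import struct

# SMB1 NEGOTIATE response SecurityMode bits (MS-CIFS 2.2.4.52.2)
SMB1_USER_SECURITY     = 0x01   # user-level (not share-level) authentication
SMB1_ENCRYPT_PASSWORDS = 0x02   # challenge/response supported
SMB1_SIGNING_ENABLED   = 0x04
SMB1_SIGNING_REQUIRED  = 0x08
# SMB2 NEGOTIATE response SecurityMode bits (MS-SMB2 2.2.4)
SMB2_SIGNING_ENABLED   = 0x0001
SMB2_SIGNING_REQUIRED  = 0x0002

# SMB1 header: Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures,
# Reserved, TID, PIDLow, UID, MID = 32 bytes
SMB1_HDR = "<4sBIBHH8sHHHHH"


def nbss(smb_message: bytes) -> bytes:
    """Frame an SMB message for TCP/445 or NBT: session message type 0x00 + 3-byte big-endian length."""
    return b"\x00" + len(smb_message).to_bytes(3, "big") + smb_message


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)) -> bytes:
    """SMB_COM_NEGOTIATE (0x72) request listing the dialects the client speaks.

    Offering only NT LM 0.12 mirrors nmap's smb-security-mode; adding b"SMB 2.002"
    makes a server with SMB1 disabled answer with an SMB2 NEGOTIATE response instead.
    """
    header = struct.pack(SMB1_HDR, b"\xffSMB", 0x72, 0, 0x18, 0x4001, 0, b"\x00" * 8, 0, 0, 0, 0, 1)
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # each dialect: 0x02 + name + NUL
    # WordCount = 0, ByteCount, then the dialect list
    return nbss(header + b"\x00" + struct.pack("<H", len(data)) + data)


def parse_negotiate_response(msg: bytes) -> dict:
    """Decode the security mode of a raw SMB1 or SMB2 NEGOTIATE response (NBSS header already stripped)."""
    if msg[:4] == b"\xffSMB":
        if msg[4] != 0x72 or msg[32] != 17:          # Command, then WordCount (17 for NT LM 0.12)
            raise ValueError("not an NT LM 0.12 NEGOTIATE response")
        dialect_index, mode = struct.unpack_from("<HB", msg, 33)
        challenge_len = msg[66]                      # ChallengeLength is the last parameter byte
        return {
            "version": "SMB1",
            "dialect_index": dialect_index,
            "authentication_level": "user" if mode & SMB1_USER_SECURITY else "share",
            "challenge_response": bool(mode & SMB1_ENCRYPT_PASSWORDS),
            "signing_enabled": bool(mode & SMB1_SIGNING_ENABLED),
            "signing_required": bool(mode & SMB1_SIGNING_REQUIRED),
            "challenge": msg[69:69 + challenge_len],  # the 8-byte server challenge used by NTLM
        }
    if msg[:4] == b"\xfeSMB":
        if struct.unpack_from("<H", msg, 12)[0] != 0:   # SMB2 NEGOTIATE command is 0x0000
            raise ValueError("not an SMB2 NEGOTIATE response")
        _, mode, dialect = struct.unpack_from("<HHH", msg, 64)   # StructureSize, SecurityMode, DialectRevision
        return {
            "version": "SMB2",
            "dialect": f"{dialect >> 8}.{dialect & 0xFF:02x}",   # 0x0202 -> "2.02", 0x0311 -> "3.11"
            "signing_enabled": bool(mode & SMB2_SIGNING_ENABLED),
            "signing_required": bool(mode & SMB2_SIGNING_REQUIRED),
        }
    raise ValueError("not an SMB message")


def sample_smb1_response(security_mode: int) -> bytes:
    """Constructed NT LM 0.12 NEGOTIATE response (not a capture): 17 parameter words, then an 8-byte challenge."""
    header = struct.pack(SMB1_HDR, b"\xffSMB", 0x72, 0, 0x98, 0xC001, 0, b"\x00" * 8, 0, 0, 0, 0, 1)
    words = struct.pack("<HBHHIIIIqhB", 0, security_mode, 50, 1, 16644, 65536, 0, 0x8000E3FD, 0, 0, 8)
    return header + b"\x11" + words + struct.pack("<H", 8) + bytes(range(8))


def sample_smb2_response(security_mode: int, dialect: int) -> bytes:
    """Constructed SMB2 NEGOTIATE response (not a capture): 64-byte header, then the 65-byte response structure."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1, 0x1, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body + b"\x00"


def probe(host: str, port: int = 445, dialects=(b"NT LM 0.12",), timeout: float = 5.0) -> dict:
    """Send the NEGOTIATE over TCP and decode the reply. Only for a live run; host/port are your own targets."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_smb1_negotiate(dialects))
        head = sock.recv(4)
        if len(head) < 4 or head[0] != 0x00:
            raise ConnectionError("no NetBIOS session message in reply (SMB1 disabled?)")
        length, body = int.from_bytes(head[1:], "big"), b""
        while len(body) < length:
            chunk = sock.recv(length - len(body))
            if not chunk:
                raise ConnectionError("connection closed mid-message")
            body += chunk
    return parse_negotiate_response(body)


if __name__ == "__main__":
    # Offline demo over the constructed responses; these match the nmap output above.
    print(parse_negotiate_response(sample_smb1_response(0x03)))            # user, challenge/response, signing disabled
    print(parse_negotiate_response(sample_smb2_response(0x0001, 0x0202)))  # "enabled but not required"
```

A host with SMB1 disabled closes the connection when only NT LM 0.12 is offered, which is the same reason smb-security-mode reports nothing there; pass dialects=(b"NT LM 0.12", b"SMB 2.002") to probe() and the server answers with an SMB2 response that the same parser decodes.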

Conclusion

SMB is a hugely important protocol within the Windows environment, and the purpose of this post was to explore it in a way that I can understand it and learn from. I plan on expanding this over time, but for now, this will do.


References

What is SMB?

SMB Protocol Packet Exchange Scenario

SMB_COM_NEGOTIATE

SMB Protocol Dialects

SMB_COM_NEGOTIATE

SMB_COM_SESSION_SETUP_ANDX

SMB_COM_TREE_CONNECT_ANDX

Working With the Universal Naming Convention (UNC Path)

SMB_COM_TREE_CONNECT_ANDX

SMB_COM_OPEN_ANDX

SMB_COM_READ_ANDX

SMB over TCP

SMB Security

Introducing

Chuckle and the importance of SMB Signing

An Introduction to the SMB Protocol

SMB: Packet

The basics of SMB Signing for both SMBv1 and v2.


Appendices

6.1: SMB_COM_TREE_CONNECT_ANDX Error Codes

SMB error class   SMB error code            NT status code                               POSIX equivalent   Description
ERRDOS (0x01)     ERRbadpath (0x0003)       STATUS_OBJECT_PATH_NOT_FOUND (0xC000003A)    ENOENT             The share path does not reference a valid resource.
ERRDOS (0x01)     ERRnoaccess (0x0005)      STATUS_LOGON_FAILURE (0xC000006D)            EPERM              The server rejected the client logon attempt.
ERRDOS (0x01)     ERRnomem (0x0008)         STATUS_INSUFF_SERVER_RESOURCES (0xC0000205)  ENOMEM             The server is out of resources (out of memory or TIDs).
ERRDOS (0x01)     ERRpaused (0x0046)        STATUS_SHARING_PAUSED (0xC00000CF)           -                  The server is temporarily paused.
ERRDOS (0x01)     ERRreqnotaccep (0x0047)   STATUS_REQUEST_NOT_ACCEPTED (0xC00000D0)     -                  The server has no more connections available.
ERRSRV (0x02)     ERRerror (0x0001)         STATUS_INVALID_SMB (0x00010002)              -                  Invalid SMB: not enough parameter bytes were sent.
ERRSRV (0x02)     ERRbadpw (0x0002)         STATUS_LOGON_FAILURE (0xC000006D)            -                  Incorrect password during logon attempt.
ERRSRV (0x02)     ERRaccess (0x0004)        STATUS_ACCESS_DENIED (0xC0000022)            -                  The user is not authorized to access the resource.
ERRSRV (0x02)     ERRinvnetname (0x0006)    STATUS_BAD_NETWORK_NAME (0xC00000CC)         -                  The share path is not valid.
ERRSRV (0x02)     ERRinvdevice (0x0007)     STATUS_BAD_DEVICE_TYPE (0xC00000CB)          -                  Resource type invalid: the value of the Service field in the request was invalid.
ERRSRV (0x02)     ERRbaduid (0x005B)        STATUS_SMB_BAD_UID (0x005B0002)              -                  The UID supplied is not defined to the session.

6.2: SMB_COM_OPEN_ANDX Error Codes

SMB error class   SMB error code            NT status code                                                                      POSIX equivalent   Description
ERRDOS (0x01)     ERRbadfile (0x0002)       STATUS_NO_SUCH_FILE (0xC000000F)                                                    ENOENT             The named file was not found.
ERRDOS (0x01)     ERRbadpath (0x0003)       STATUS_OBJECT_PATH_SYNTAX_BAD (0xC000003B)                                          ENOENT             The file path syntax is invalid.
ERRDOS (0x01)     ERRbadpath (0x0003)       STATUS_OBJECT_PATH_INVALID (0xC0000039)                                             ENOTDIR            A component of the path prefix was not a directory.
ERRDOS (0x01)     ERRnofids (0x0004)        STATUS_OS2_TOO_MANY_OPEN_FILES (0x00040001) / STATUS_TOO_MANY_OPENED_FILES (0xC000011F)   ENFILE        Too many open files; no more FIDs available.
ERRDOS (0x01)     ERRnoaccess (0x0005)      STATUS_ACCESS_DENIED (0xC0000022)                                                   EACCES             A component of the path prefix denied search permission, the requested access is denied for the file, or the open mode failed.
ERRDOS (0x01)     ERRnoaccess (0x0005)      STATUS_FILE_IS_A_DIRECTORY (0xC00000BA)                                             EISDIR             The named file is an existing directory and the requested open mode is write or read/write.
ERRDOS (0x01)     ERRnomem (0x0008)         STATUS_INSUFF_SERVER_RESOURCES (0xC0000205)                                         ENOMEM             The server is out of resources.
ERRDOS (0x01)     ERRbadshare (0x0020)      STATUS_SHARING_VIOLATION (0xC0000043)                                               EAGAIN             The file exists, mandatory file/record locking is set, and there are outstanding record locks on the file.
ERRSRV (0x02)     ERRerror (0x0001)         STATUS_INVALID_SMB (0x00010002)                                                     -                  Invalid SMB: not enough parameter bytes were sent, or the ANDX command is invalid.
ERRSRV (0x02)     ERRerror (0x0001)         -                                                                                   EFAULT             The path points outside the allocated address space of the process.
ERRSRV (0x02)     ERRerror (0x0001)         -                                                                                   EINTR              A signal was caught during the open operation.
ERRSRV (0x02)     ERRerror (0x0001)         -                                                                                   ENXIO              Generic server open failure.
ERRSRV (0x02)     ERRerror (0x0001)         -                                                                                   EEXIST             The file could not be created because another file whose attributes do not match the SMB_Parameters.Words.FileAttrs field already exists with a conflicting name.
ERRSRV (0x02)     ERRerror (0x0001)         -                                                                                   EMFILE             The maximum number of file descriptors available on the server for this session are currently open.
ERRSRV (0x02)     ERRerror (0x0001)         -                                                                                   ENOSPC             No space left on device: the system is out of the resources required to create the file.
ERRSRV (0x02)     ERRerror (0x0001)         -                                                                                   EROFS              Read-only file system: write or read/write access was requested on a file in a read-only file system.
ERRSRV (0x02)     ERRerror (0x0001)         -                                                                                   ETXTBSY            Text file busy: write or read/write access was requested on a batch script that is currently being executed.
ERRSRV (0x02)     ERRerror (0x0001)         STATUS_ACCESS_DENIED (0xC0000022)                                                   EROFS              The named file resides on a read-only file system and the requested access is write or read/write.
ERRSRV (0x02)     ERRaccess (0x0004)        STATUS_NETWORK_ACCESS_DENIED (0xC00000CA)                                           -                  Permission conflict between the requested permission and the permissions of the shared resource; for example, opening a file for write in a read-only subtree.
ERRSRV (0x02)     ERRinvtid (0x0005)        STATUS_SMB_BAD_TID (0x00050002)                                                     -                  The TID is no longer valid.
ERRSRV (0x02)     ERRinvdevice (0x0007)     STATUS_BAD_DEVICE_TYPE (0xC00000CB)                                                 -                  The server does not support the requested device type.
ERRSRV (0x02)     ERRbaduid (0x005B)        STATUS_SMB_BAD_UID (0x005B0002)                                                     -                  The UID supplied is not defined to the session, or the user identified by the UID does not have sufficient privileges.
ERRHRD (0x03)     ERRnowrite (0x0013)       STATUS_MEDIA_WRITE_PROTECTED (0xC00000A2)                                           EROFS              Attempt to write to a read-only file system.
ERRHRD (0x03)     ERRdata (0x0017)          STATUS_DATA_ERROR (0xC000003E)                                                      EIO                Disk I/O error.