
Revision history

initial version

Do you have a trace file? That JSON file is not really helpful.

SMB (or, hopefully, SMB2/3) can be quite picky during the session setup phase.

Please check your GPO and the trace file:

  • In the Session Setup Request you will find a Security Blob
  • The security blob might contain a field called LAN Manager response or NTLM response
  • Both fields should be zero

Please note that SMB1/2/3 (or the underlying security layer) will reject the session if

  • You gave the right password
  • BUT the password comes in an outdated hash
  • AND the hashing algorithm is denied by GPO

Again, a trace file will help greatly to confirm or debunk this theory.

Best of luck

Eddi

Do you have a trace file? That JSON file is not really helpful.

SMB (or, hopefully, SMB2/3) can be quite picky during the session setup phase.

Please check your GPO and the trace file:

  • In the Session Setup Request you will find a Security Blob
  • The security blob might contain a field called LAN Manager response or NTLM response
  • Both fields should be zero
  • Expect a Kerberos ticket in a domain environment

Please note that SMB1/2/3 (or the underlying security layer) will reject the session if

  • You gave the right password
  • BUT the session setup response comes with an outdated hash (LM or NTLM Hash)
  • AND the hashing algorithm is denied by GPO

If the client sends a hash (LM or NTLM) that is "forbidden" (disabled) on the server side, the server will reject the session. Even if you gave a valid NTLM v2 hash. Or a valid Kerberos ticket.

Again, a trace file will greatly help to confirm or debunk this theory.

Best of luck

Eddi

Do you have a trace file? That JSON file is not really helpful.

Server 2003 only supports SMB v1. The newer Windows version will use SMB v3. To access shares hosted by Server 2003 you need the SMB v1 feature on the client side. This is installed as an optional Windows feature.


Even with the SMB v1 client installed you might run into trouble.

With respect to the Kerberos ticket: Please check if the Server 2003 and newer servers share at least one common encryption algorithm. This would be visible in the Kerberos requests. I would expect RC4 on both sides.


And then some: In case your Server 2003 needs to access an SMB share hosted by a newer server:

SMB (or, hopefully, SMB2/3) can be quite picky during the session setup phase.

Please check your GPO and the trace file:

  • In the Session Setup Request you will find a Security Blob
  • The security blob might contain a field called LAN Manager response or NTLM response
  • Both fields should be zero
  • Expect a Kerberos ticket in a domain environment

Please note that SMB1/2/3 (or the underlying security layer) will reject the session if

  • You gave the right password
  • BUT the session setup response comes with an outdated hash (LM or NTLM Hash)
  • AND the hashing algorithm is denied by GPO

If the client sends a hash (LM or NTLM) that is "forbidden" (disabled) on the server side, the server will reject the session. Even if you gave a valid NTLM v2 hash. Or a valid Kerberos ticket.

Again, a trace file will greatly help to confirm or debunk this theory.


A bit of background information might come from my blog post at packet-foo.com

Best of luck

Eddi
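
The check described in the answer above, done in Python on security blob bytes exported from a trace. This is an added example, not part of Eddi's post. It assumes the blob carries an NTLMSSP AUTHENTICATE message with the field layout from MS-NLMP; `build_sample` and `inspect_ntlm_auth` are hypothetical names, and the sample blobs are constructed.

```python
import struct

SIG = b"NTLMSSP\x00"

def build_sample(lm: bytes, nt: bytes) -> bytes:
    """Constructed AUTHENTICATE message: 64-byte header, then LM and NT responses."""
    hdr = SIG + struct.pack("<I", 3)                        # signature, MessageType = 3
    hdr += struct.pack("<HHI", len(lm), len(lm), 64)        # LmChallengeResponseFields
    hdr += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))  # NtChallengeResponseFields
    empty = struct.pack("<HHI", 0, 0, 64 + len(lm) + len(nt))
    hdr += empty * 4                                        # domain, user, workstation, session key
    hdr += struct.pack("<I", 0)                             # NegotiateFlags (unused here)
    return hdr + lm + nt

def inspect_ntlm_auth(blob: bytes) -> dict:
    """Report what the LM and NT response fields of a security blob contain."""
    start = blob.find(SIG)            # the token may sit inside a SPNEGO wrapper
    if start < 0:
        return {"ntlmssp": False}     # no NTLMSSP token, e.g. a Kerberos ticket
    msg = blob[start:]
    if len(msg) < 28:
        raise ValueError("truncated NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:                 # 1 = NEGOTIATE, 2 = CHALLENGE carry no responses
        return {"ntlmssp": True, "message_type": msg_type}

    def field(pos: int) -> bytes:
        length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
        data = msg[offset:offset + length]
        if len(data) != length:
            raise ValueError("response field points outside the message")
        return data

    lm, nt = field(12), field(20)
    if len(nt) > 24:
        kind = "NTLMv2"               # 16-byte proof plus variable-length client blob
    elif len(nt) == 24:
        kind = "NTLMv1"               # fixed 24-byte DES-based response
    else:
        kind = "none" if not nt else "unknown"
    return {"ntlmssp": True, "message_type": 3, "nt_kind": kind,
            "lm_len": len(lm), "lm_all_zero": not any(lm),
            "nt_len": len(nt), "nt_all_zero": not any(nt)}

if __name__ == "__main__":
    wrapper = b"\xa1\x00"             # constructed stand-in for SPNEGO framing bytes
    v2 = wrapper + build_sample(bytes(24), b"\x11" * 16 + b"\x01\x01" + bytes(26))
    v1 = wrapper + build_sample(b"\xaa" * 24, b"\xbb" * 24)
    for name, blob in (("v2 sample", v2), ("v1 sample", v1)):
        print(name, inspect_ntlm_auth(blob))
```

A non-zero LM response or a 24-byte NT response in the output is the "outdated hash" case the answer describes, and is the thing to compare against the server's GPO.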