Ask Your Question
0

How can I find clients that are using SMB1?

asked 2019-12-12 11:52:54 +0000

SP gravatar image

updated 2019-12-13 04:36:53 +0000

Guy Harris gravatar image

Hi,

I want to run network capture on domain controllers to identify the clients connected to them using SMB1.0, I also want to minimize the file size of the capture.

so how to capture network traffic with a string like "Tree Connect Request" and "Tree Connect Response"

Regards, SP

edit retag flag offensive close merge delete

3 Answers

Sort by » oldest newest most voted
0

answered 2019-12-12 20:08:11 +0000

Guy Harris gravatar image

updated 2019-12-12 21:12:36 +0000

Those strings don't appear in the packets; they come from Wireshark, which interprets the numerical value of the SMB request code.

But if all you want is to detect SMB1, and the auditing Graham Bloice mentions isn't possible, that's more than you need; you don't need to look for particular SMB messages, you just need to look for SMB1 messages of any type.

You could try looking for any TCP packets to or from port 139 or port 445 in which the first byte of the TCP payload is 0 (a NetBIOS-over-TCP "session message", or a regular SMB-over-TCP message) and bytes 5, 6, 7 and 8 are 0xff 0x5e 0x4d 0x42:

(tcp port 139 or 445) and tcp[((tcp[12:1] & 0xF0) >> 2):1] = 0x00 and tcp[((tcp[12:1] & 0xF0) >> 2) + 4:4] = 0xff534d42

(The filter fetches the data offset from the TCP header, multiplies it by 4, and adds it to the 20 and 24 in the TCP payload test, so that it works even with TCP segments that have TCP options.)

(This reminds me - I really need to add string comparison, byte-string comparison, and a direct way to access the UDP and TCP payload to the capture filter mechanism in libpcap....)

edit flag offensive delete link more

Comments

Thank you Guy for sharing the capture Filter, I have tested this in my LAB and gives me the result as expected, but need to check each captured packet to see which version of SMB it had negotiated, can I get that information in Info Column so that packet can be easily identify SMB version?

SP gravatar imageSP ( 2019-12-13 07:56:10 +0000 )edit

If the packet has 0xff 0x53 0x4d 0x42 in it, it's SMB1, and the capture filter will match it.

If the packet has 0xfe 0x53 0x4d 0x42 in it, it's SMB2 or SMB3, and the capture filter will not match it.

So the way to check which version of SMB is being used in a packet captured using that capture filter is "if it was captured, it's SMB1, otherwise it's SMB2/SMB3 or it's not SMB at all".

Guy Harris gravatar imageGuy Harris ( 2019-12-13 09:20:46 +0000 )edit

in that case the capture is only for Negotiate Protocol Response, in the captured packets, I can see the requested dialect SMB 2.002 and SMB 2.???, considering this dialect, I assume that the captured packet communication is for SMB 2.x and above.

SP gravatar imageSP ( 2019-12-13 10:48:36 +0000 )edit
0

answered 2019-12-12 12:29:58 +0000

grahamb gravatar image

Can't you use the built-in SMB1 auditing to discover this, or are your DC's too old?

edit flag offensive delete link more

Comments

See this article on SMB1, including the registry setting to allow audits on Server 2008 or later.

grahamb gravatar imagegrahamb ( 2019-12-12 20:22:50 +0000 )edit

That article doesn't seem to directly address SMB1; did you want to link to a different article?

Here's a PowerShell script to audit for systems with SMB1 installed, although I don't know if that'll catch older systems where it wasn't a feature that needed to be installed (or non-Windows systems using SMB1 - several UN*Xes also have SMB client VFSes, including the one on which I'm typing this).

This posting about SMB1 says:

We provide SMB1 usage auditing in Windows 10, Windows Server 2016, and Windows Server 2012 R2/Windows 8.1 via an update, just to be sure. That way you can configure your Windows Servers to see if disabling SMB1 would break someone:

Set-SmbServerConfiguration –AuditSmb1Access $true

Then just examine the SMBServer\Audit event log on the systems. If you have older servers than WS2012 R2, now is good time to talk upgrade ...

(more)
Guy Harris gravatar imageGuy Harris ( 2019-12-12 20:43:42 +0000 )edit

Yep, wrong link. It's been a long week in the day job, this is the link I'd meant to post.

grahamb gravatar imagegrahamb ( 2019-12-12 21:40:58 +0000 )edit

I am aware of Set-SmbServerConfiguration –AuditSmb1Access $true command, but this is only applicable to Windows 2012 R2, all my DC's are 2008 R2. I want to disable SMB1 on DC's, but would like to check what clients are communicating on SMB1 before disabling it.

SP gravatar imageSP ( 2019-12-13 09:04:02 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-12-12 11:52:54 +0000

Seen: 9,759 times

Last updated: Dec 13 '19