Ask Your Question

How to find a caller like an exe or script or user account who accessed an SMB share via wireshark?

asked 2018-04-18 14:16:04 +0000

SunMan gravatar image

Hello Team,

Is it possible to capture who accessed SMB share like an .exe or user ID or something like that. I am trying to figure out why a connection was made from source IP to destination ID on an SMB share.

thank you SunMan

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-04-19 18:40:13 +0000

Eddi gravatar image

Hello SunMan

Short answer

Your best bet is a program like ProcessMonitor from Sysinternals on the source system. Another helpful tool could be the Ressource Monitor, which is part of the Windows distribution. The destination system only looks at a user ID to allow or deny access to a network resource. Under rare circumstances a Kerberos ticket could identify the program.

Technical Background

SMB uses one or more TCP connections. If you the command netstat -ano you will notice, that these ports are (on a Windows system) linked to process ID 4. This is the Windows kernel itself. The TCP connection is established by a driver, which is part of the kernel.

Within the TCP connection SMB will establish it's own session, which is independent from TCP. In the most recent versions of Windows client and server can even use multiple interfaces to overcome certain limits imposed by TCP. If possible, a single logical SMB session can be split over two or more TCP connections.

To maximize confusion multiple SMB sessions for multiple users can share a single TCP connections. Each user would authenticate with a different username or Kerberos ticket, while client and server maintain a single TCP connection. This scenario can be observed on terminal servers.

SMB uses internally a "Tree ID" and a "File ID" to access a file on the remote server. The Tree ID refers to the share like firstshare in \myserver\firstshare. A new TreeID is used if the client connects to \myserver\secondshare on the same server.

Once the TreeID is defined you will see a "Create" command which specify the file name. Only then the real IO requests get started. These are visible as "Read" and "Write" commands, plus a few other commands to obtain information like file size or time stamps.

None of this allows you to track down a process ID on the client side.

Good luck.

edit flag offensive delete link more


Thanks Eddi.

SunMan gravatar imageSunMan ( 2018-04-22 19:44:38 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-04-18 14:16:04 +0000

Seen: 1,586 times

Last updated: Apr 19 '18