Tutorial: Server Message Block (SMB)
data carving layer 7 SMB WindowsContents
Introduction
SMB is a communication protocol for shared file or printer access of Windows crap. An infamous, ill-fated and troubled protocol which arose with so many vulnerabilities in history. Hence a lot of information could be extracted until v3 came to life. This tutorial presents the plugin smbDecode which dissects SMBv1,2 and performs data carving.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpStates smbDecode txtSink
...
BUILD SUCCESSFUL
If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: smb2-putty.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing SMB traffic!
smbDecode
Let’s look at the plugin configuration first:
smbDecode
vi src/smbDecode
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define SMB1_DECODE 1 // decode SMB1 (experimental)
#define SMB_SECBLOB 1 // decode security blob (experimental)
#define SMB2_NUM_DIALECT 3 // number of SMB2 dialects to store
#define SMB2_NUM_STAT 18 // number of unique SMB2 header status to store
#if SMB1_DECODE == 1
#define SMB1_NUM_DIALECT 20 // number of SMB1 dialects to store
#define SMB1_DIAL_MAXLEN 32 // maximum length for SMB1 dialects
#endif // SMB1_DECODE == 1
#define SMB_NUM_FNAME 5 // number of unique filenames to store in the flow file
#define SMB_NATIVE_NAME_LEN 64 // Max length for Native OS and LAN Manager
#define SMB2_SAVE_DATA 0 // whether or not to save files
#if SMB1_DECODE == 1
#define SMB1_SAVE_DATA 0 // whether or not to save files (SMB1, experimental)
#endif // SMB1_DECODE == 1
#define SMB_SAVE_AUTH 0 // save NTLM authentications
#define SMB_AUTH_FILE "smb_auth.txt" // stores NTLM authentications
#define SMB_SAVE_DIR "/tmp/TranSMB/" // folder for saved data
#if SMB2_SAVE_DATA == 1 || SMB1_SAVE_DATA == 1
#define SMB_MAP_FILE "smb_filenames.txt" // stores the mapping between file ID and filename
#define SMB_RM_DATADIR 1 // remove SMB_SAVE_DIR before starting
#endif // SMB2_SAVE_DATA == 1 || SMB1_SAVE_DATA == 1
//#define SMB_NUM_FILE 10
#define SMB_FNAME_LEN 512
#define SMB_STRCPY_BEHAVIOR T2_STRCPY_TRUNC
#define SMB_FILE_ID "File_Id_" // used to name saved files
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...SMB1_DECODEand SMB2_DECODEselect the type of SMB you want to decode. SMB2_NUM_DIALECT controls the number of SMB2 dialects to store. If you change that you get more of less in the flow file. SMB2_NUM_STAT and SMB_NUM_FNAME denote the number of header status and unique filenames in the flow file. We keep them as default.
SMB1_SAVE_DATA, SMB2_SAVE_DATA and SMB_SAVE_AUTH controls the extraction of SMB content and NTLM authentication string. The latter becomes obsolete, as we have a better plugin for that purpose: ntlmsspDecode. So let’s switch them on.
Recompile and run t2 on the supplied pcap including packet mode.
t2conf smbDecode -D SMB1_SAVE_DATA=1 -D SMB2_SAVE_DATA=1 -D SMB_SAVE_AUTH=1 && t2build smbDecode
t2 -r ~/data/smb2-putty.pcap -w ~/results -s================================================================================ Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 68530 ================================================================================ [INF] Creating flows for L2, IPv4, IPv6 Active plugins: 01: basicFlow, 0.8.14 02: tcpStates, 0.8.14 03: smbDecode, 0.8.14 04: txtSink, 0.8.14 [INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K) [INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K) Processing file: /home/wurst/data/smb2-putty.pcap Link layer type: Ethernet [EN10MB/1] Dump start: 1303158654.391729 sec (Mon 18 Apr 2011 20:30:54 GMT) Dump stop : 1303158655.743323 sec (Mon 18 Apr 2011 20:30:55 GMT) Total dump duration: 1.351594 sec Finished processing. Elapsed time: 0.023838 sec Finished unloading flow memory. Time: 0.023908 sec Percentage completed: 100.00% Number of processed packets: 161 Number of processed bytes: 554881 (554.88 K) Number of raw bytes: 554881 (554.88 K) Number of pad bytes: 138 Number of pcap bytes: 557481 (557.48 K) Number of IPv4 packets: 161 [100.00%] Number of A packets: 50 [31.06%] Number of B packets: 111 [68.94%] Number of A bytes: 462203 (462.20 K) [83.30%] Number of B bytes: 92678 (92.68 K) [16.70%] Average A packet load: 9244.06 (9.24 K) Average B packet load: 834.94 -------------------------------------------------------------------------------- tcpStates: Aggregated tcpStatesAFlags=0x03 smbDecode: Aggregated smbStat=0x4001 smbDecode: Number of SMB packets: 161 [100.00%] smbDecode: Number of SMBv2 records: 71 -------------------------------------------------------------------------------- Headers count: min: 3, max: 3, average: 3.00 Number of TCP packets: 161 [100.00%] Number of TCP bytes: 554881 (554.88 K) [100.00%] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of processed flows: 2 Number of processed A flows: 1 [50.00%] Number of processed B flows: 1 [50.00%] Number of request flows: 1 [50.00%] Number of reply flows: 1 [50.00%] Total A/B flow asymmetry: 0.00 Total req/rply flow asymmetry: 0.00 Number of processed packets/flows: 80.50 Number of processed A packets/flows: 50.00 Number of processed B packets/flows: 111.00 Number of processed total packets/s: 119.12 Number of processed A+B packets/s: 119.12 Number of processed A packets/s: 36.99 Number of processed B packets/s: 82.13 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of average processed flows/s: 1.48 Average full raw bandwidth: 3284306 b/s (3.28 Mb/s) Average full bandwidth : 3283489 b/s (3.28 Mb/s) Max number of flows in memory: 2 [0.00%] Memory usage: 0.01 GB [0.02%] Aggregated flowStat=0x0400000000004000 [INF] IPv4 flows
The aggregated smbStat confirms that there are SMBv2 flows and extracted files present. The packet count confirms that all packets are SMB.
The smbStat column with value 0x4001 is to be interpreted as follows:
bit | smbStat | Description
=============================================================================
0 | 0x0001 | Flow is SMB
14 | 0x4000 | SMB2 files present
Looking into the results directory, besides the flow and packet file, you see also the authentication file, which is empty, as there is no authentication NTLM hash present. Sorry.
ls ~/results
smb2-putty_flows.txt smb2-putty_headers.txt smb2-putty_packets.txt smb2-putty_smb_auth.txt
cat ~/results/smb2-putty_smb_auth.txt
The flow file shows all relevant information of the SMB header and content, including the names of the extracted files.
tcol ~/results/smb2-putty_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags smbStat smb1NDialects smb1Dialects smb2NDialects smb2Dialects smbNHdrStat smbHdrStat smbOpcodes smbNOpcodes smbPrevSessId smbNativeOS smbNativeLanMan smbPrimDom smbTargName smbDomName smbUserName smbHostName smbNTLMServChallenge smbNTProofStr smbSessionKey smbGUID smbSFlags_secM_caps smbBootT smbMaxSizeT_R_W smbPath smbShareT smbShareF_caps_acc smbNFiles smbFiles
A 1 0x0400000000004000 1303158654.391729 1303158655.743323 1.351594 1 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 "Private network" 49212 192.168.47.128 07 "Private network" 445 6 0x03 0x4001 0 0 0 0x0007d360 0_0_0_0_0_5_5_0_8_7_0_0_1_0_1_2_3_2_1 0x0000000000000000 "" "" "" "" "" "" "" "" "" "" "" 0x0000_0x00_0x00000000 0.000000 0_0_0 "" 0x00 0x00000000_0x00000000_0x00000000 2 "";"putty.exe"
B 1 0x0400000000004001 1303158654.392248 1303158655.528305 1.136057 1 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 "Private network" 445 192.168.47.129 07 "Private network" 49212 6 0x03 0x0001 0 0 4 0x00000000;0xc0000120;0x0000010c;0x00000103 0x0007c360 0_0_0_0_0_5_5_0_8_7_0_0_0_0_1_3_3_2_2 0x0000000000000000 "" "" "" "" "" "" "" "" "" "" "" 0x0000_0x00_0x00000000 0.000000 0_0_0 "" 0x00 0x00000000_0x00000000_0x00000000 0The packet file currently does not decode SMB specifics. If there is human readable text you can see it in l7Content. Look at the end, there is the beginning of the file download.
tcol ~/results/smb2-putty_packets.txt
%pktNo flowInd flowStat time pktIAT flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags l7Content
1 1 0x0400000000004000 1303158654.391729 0.000000 0.000000 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 .....SMB@...................$.......................................9....................................... ...x.......x.....u.t.t.(...............DHnQ....................................MxAc................ ...RqLs............X.......................
2 1 0x0400000000004001 1303158654.392248 0.000000 0.000000 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 .....SMB@...................$.......................................Y.......I#.........^.......^.......^............................]................... ...................MxAc............
3 1 0x0400000000004000 1303158654.392462 0.000733 0.000733 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 .....SMB@...............p...%.......................................)...X...................]..................$.CM .SMB@...................&.......................................)...P...................]................
4 1 0x0400000000004001 1303158654.392625 0.000377 0.000377 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 .....SMB@...............`...%.......................................\t.H......3Ic......eh.............SMB@...................&.......................................\t.H.................N.T.F.S.....
5 1 0x0400000000004000 1303158654.392669 0.000207 0.000940 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...h.SMB@...................'.......................................)... ...h...............]...............
6 1 0x0400000000004001 1303158654.392780 0.000155 0.000532 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...h.SMB@...................'.......................................\t.H. .............z.......z.............
7 1 0x0400000000004000 1303158654.392848 0.000179 0.001119 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...X.SMB@...................(...............................................]...............
8 1 0x0400000000004001 1303158654.393261 0.000481 0.001013 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...|.SMB@...................(.......................................<...........................................................
9 1 0x0400000000004000 1303158654.393818 0.000970 0.002089 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...D.SMB@...............................................................
10 1 0x0400000000004001 1303158654.394101 0.000840 0.001853 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...I.SMB@... ...............#.......................................\t........
11 1 0x0400000000004000 1303158654.395456 0.001638 0.003727 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...@.SMB@...................).......................................9........................... ...........D...x...........p.u.t.t.y...e.x.e.......(...............DHnQ.................... ...............AlSi............................MxAc....................QFid................ ...RqLs....8.[.............................
12 1 0x0400000000004000 1303158654.395566 0.000110 0.003837 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...X.SMB@...................*...............................................E...............
13 1 0x0400000000004001 1303158654.395869 0.001768 0.003621 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01
14 1 0x0400000000004001 1303158654.396389 0.000520 0.004141 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...H.SMB@...................).......................................Y....................................................... .......a....................... ...............MxAc............8........... ...RqLs....8.[............................. ...............DHnQ........................ ...QFid....2....... P......................
15 1 0x0400000000004001 1303158654.396473 0.000084 0.004225 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...|.SMB@...................*.......................................<...........................................................
16 1 0x0400000000004000 1303158654.396493 0.000927 0.004764 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01
17 1 0x0400000000004000 1303158654.397133 0.000640 0.005404 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...h.SMB@...................+.......................................).......h...............a...............
18 1 0x0400000000004001 1303158654.397332 0.000859 0.005084 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...`.SMB@...................+.......................................\t.H.............w.z.............
19 1 0x0400000000004000 1303158654.397416 0.000283 0.005687 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...h.SMB@...................,.......................................!.......`.......a.......................
20 1 0x0400000000004001 1303158654.397657 0.000325 0.005409 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...B.SMB@...................,.........................................
21 1 0x0400000000004000 1303158654.398668 0.001252 0.006939 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...p.SMB@.......\t...........-.......................................1.p.............a...............................MZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\r\n$.........B...,A..,A..,A..EA..,A..LA..,A..#A..,A..qA..,A..5A..,Aj.qA..,A..-A..,A..sAQ.,A..rA..,A..vA..,ARich..,A........................PE..L.....4F...............\n.....`.......w............@..........................`............
...The extracted download is stored under /tmp/TranSMB as configured in the header file. Here you see two executables of putty and a text file matching the file IDs with the actual file names.
ls /tmp/TranSMB
File_Id_00000161-0000-0000-b500-0000ffffffff_1 File_Id_0000016d-0000-0000-c100-0000ffffffff_1 smb_filenames.txt
cat /tmp/TranSMB/smb_filenames.txt
File_Id_00000161-0000-0000-b500-0000ffffffff_1 putty.exe
File_Id_0000016d-0000-0000-c100-0000ffffffff_1 putty.exeThe script smbrename, located in the smbDecode directory, converts all file IDs into nicely directories of different file types.
If you move to the BIN folder, you see the putty executables properly named. If you apply hexedit to one file the content will match with the download of the packet file.
$T2PLHOME/smbDecode/smbrename
ls
APP AUD BIN CHM CONF DB DLL DOC EMPTY ENC HTM IMG LNK LOG MAIL PDF PPT SPEC TMP TXT URL VID XLS XML ZIP
cd BIN
ls BIN
'putty_1(1).exe' putty_1.exe
hexedit putty_1.exe
00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 MZ......................@...........................
00000034 00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E ....................!..L.!This program cannot be run
00000068 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 AD 8A 42 12 E9 EB 2C 41 E9 EB 2C 41 E9 EB 2C 41 FA E3 45 41 EB EB 2C 41 EC E7 4C 41 in DOS mode....$.........B...,A..,A..,A..EA..,A..LA
0000009C EB EB 2C 41 EC E7 23 41 F2 EB 2C 41 FA E3 71 41 EB EB 2C 41 13 C8 35 41 ED EB 2C 41 6A E3 71 41 E6 EB 2C 41 E9 EB 2D 41 F6 EA 2C 41 EC E7 73 41 51 EB 2C 41 ..,A..#A..,A..qA..,A..5A..,Aj.qA..,A..-A..,A..sAQ.,A
...Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf smbDecode --reset && t2build smbDecode
Have fun analyzing.