Tutorial: Server Message Block (SMB)

smbDecode

SMB is a communication protocol for shared file or printer access in the Windows crap world. It is an infamous, ill-fated and troubled protocol with a long history of vulnerabilities; hence a lot of information could be extracted from it until v3 came to life. This tutorial presents the plugin smbDecode, which dissects SMBv1 and SMBv2 and performs data carving.

Preparation

Before we start we need to prepare T2. If you did not complete the earlier tutorials, just follow the procedure described below.

First I recommend setting T2 to a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins, just as a precaution in case you have some old plugins or files there. If you would like to keep them, please copy them away first.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins

$ t2build tranalyzer2 basicFlow tcpStates smbDecode txtSink
...
BUILD SUCCESSFUL

$

If you have not created separate data and results directories yet, please do it now in another cmd window; it facilitates your workflow:

$ mkdir ~/data ~/results
$

Download the sample pcap here: smb2-putty.pcap. Now you’re all set.

smbDecode

Let’s look at the plugin configuration first:

$ smbDecode
$ vi src/smbDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define SMB1_DECODE     1 // decode SMB1 (experimental)
#define SMB_SECBLOB     1 // decode security blob (experimental)

#define SMB2_NUM_DIALECT  3 // number of SMB2 dialects to store
#define SMB2_NUM_STAT    18 // number of unique SMB2 header status to store

#if SMB1_DECODE == 1
#define SMB1_NUM_DIALECT 20 // number of SMB1 dialects to store
#define SMB1_DIAL_MAXLEN 32 // maximum length for SMB1 dialects
#endif // SMB1_DECODE == 1

#define SMB_NUM_FNAME      5 // number of unique filenames to store in the flow file

#define SMB_NATIVE_NAME_LEN 64 // Max length for Native OS and LAN Manager

#define SMB2_SAVE_DATA    0 // whether or not to save files
#if SMB1_DECODE == 1
#define SMB1_SAVE_DATA    0 // whether or not to save files (SMB1, experimental)
#endif // SMB1_DECODE == 1

#define SMB_SAVE_AUTH     0 // save NTLM authentications
#define SMB_AUTH_FILE     "smb_auth.txt" // stores NTLM authentications

#define SMB_SAVE_DIR      "/tmp/TranSMB/"         // folder for saved data
#if SMB2_SAVE_DATA == 1 || SMB1_SAVE_DATA == 1
#define SMB_MAP_FILE   "smb_filenames.txt" // stores the mapping between file ID and filename
#define SMB_RM_DATADIR      1 // remove SMB_SAVE_DIR before starting
#endif //  SMB2_SAVE_DATA == 1 || SMB1_SAVE_DATA == 1

//#define SMB_NUM_FILE 10
#define SMB_FNAME_LEN 512

#define SMB_STRCPY_BEHAVIOR T2_STRCPY_TRUNC

#define SMB_FILE_ID "File_Id_" // used to name saved files

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

SMB1_DECODE and SMB2_DECODE select the type of SMB you want to decode. SMB2_NUM_DIALECT controls the number of SMB2 dialects to store; if you change it you get more or less in the flow file. SMB2_NUM_STAT and SMB_NUM_FNAME denote the number of header status values and unique filenames stored in the flow file. We leave them at their defaults.

SMB1_SAVE_DATA, SMB2_SAVE_DATA and SMB_SAVE_AUTH control the extraction of SMB content and of the NTLM authentication strings. The latter is becoming obsolete, as we have a better plugin for that purpose: ntlmssp. So let’s switch them all on.

Recompile and run t2 on the supplied pcap, including packet mode (-s).

$ t2conf smbDecode -D SMB1_SAVE_DATA=1 -D SMB2_SAVE_DATA=1 -D SMB_SAVE_AUTH=1  && t2build smbDecode
...
$ t2 -r ~/data/smb2-putty.pcap -w ~/results -s
================================================================================
Tranalyzer 0.8.10 (Anteater), Tarantula. PID: 7844
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.10
    02: tcpStates, 0.8.10
    03: smbDecode, 0.8.10
    04: txtSink, 0.8.10
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406077 (406.08 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51069 (51.07 K)
Processing file: /home/wurst/data/smb2-putty.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1303158654.391729 sec (Mon 18 Apr 2011 20:30:54 GMT)
Dump stop : 1303158655.743323 sec (Mon 18 Apr 2011 20:30:55 GMT)
Total dump duration: 1.351594 sec
Finished processing. Elapsed time: 0.001534 sec
Finished unloading flow memory. Time: 0.001576 sec
Percentage completed: 100.00%
Number of processed packets: 161
Number of processed bytes: 554881 (554.88 K)
Number of raw bytes: 554881 (554.88 K)
Number of pad bytes: 138
Number of pcap bytes: 557481 (557.48 K)
Number of IPv4 packets: 161 [100.00%]
Number of A packets: 50 [31.06%]
Number of B packets: 111 [68.94%]
Number of A bytes: 462203 (462.20 K) [83.30%]
Number of B bytes: 92678 (92.68 K) [16.70%]
Average A packet load: 9244.06 (9.24 K)
Average B packet load: 834.94
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x03
smbDecode: Aggregated smbStat=0x4001
smbDecode: Number of SMB packets: 161 [100.00%]
smbDecode: Number of SMBv2 records: 65
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 161 [100.00%]
Number of TCP bytes: 554881 (554.88 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 2
Number of processed A flows: 1 [50.00%]
Number of processed B flows: 1 [50.00%]
Number of request     flows: 1 [50.00%]
Number of reply       flows: 1 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 80.50
Number of processed A packets/flows: 50.00
Number of processed B packets/flows: 111.00
Number of processed total packets/s: 119.12
Number of processed A+B   packets/s: 119.12
Number of processed A     packets/s: 36.99
Number of processed   B   packets/s: 82.13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 1.48
Average full raw bandwidth: 3284306 b/s (3.28 Mb/s)
Average full bandwidth : 3283489 b/s (3.28 Mb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

The aggregated smbStat confirms that there are SMBv2 flows and extracted files present. The packet count confirms that all packets are SMB.

$ tawk -V smbStat=0x4001

The smbStat column with value 0x4001 is to be interpreted as follows:

   bit | smbStat | Description
   =============================================================================
     0 | 0x0001  | Flow is SMB
    14 | 0x4000  | SMB2 files present

Looking into the results directory, besides the flow and packet file, you also see the authentication file, which is empty, as there is no NTLM authentication present in this pcap. Sorry.

$ cd ~/results
$ ls
smb2-putty_flows.txt  smb2-putty_headers.txt  smb2-putty_packets.txt  smb2-putty_smb_auth.txt
$ cat smb2-putty_smb_auth.txt
$

The flow file shows all relevant information of the SMB header and content, including the names of the extracted files.

$ cd ~/results
$ tcol smb2-putty_flows.txt
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP           srcIPCC  srcIPOrg           srcPort  dstIP           dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  smbStat  smb1NDialects  smb1Dialects  smb2NDialects  smb2Dialects  smbNHdrStat  smbHdrStat                                   smbOpcodes  smbNOpcodes                            smbPrevSessId       smbNativeOS  smbNativeLanMan  smbPrimDom  smbTargName  smbDomName  smbUserName  smbHostName  smbNTLMServChallenge  smbNTProofStr  smbSessionKey  smbGUID  smbSFlags_secM_caps     smbBootT  smbMaxSizeT_R_W  smbPath  smbShareT  smbShareF_caps_acc                smbNFiles  smbFiles
A     1        0x0400000000004000  1303158654.391729  1303158655.743323  1.351594  1           3        eth:ipv4:tcp  00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800              192.168.47.129  07       "Private network"  49212    192.168.47.128  07       "Private network"  445      6        0x03             0x4001   0                            0                            0                                                         0x0007d360  0_0_0_0_0_5_5_0_8_7_0_0_1_0_1_2_3_2_1  0x0000000000000000  ""           ""               ""          ""           ""          ""           ""           ""                    ""             ""             ""       0x0000_0x00_0x00000000  0.000000  0_0_0            ""       0x00       0x00000000_0x00000000_0x00000000  2          "";"putty.exe"
B     1        0x0400000000004001  1303158654.392248  1303158655.528305  1.136057  1           3        eth:ipv4:tcp  00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800              192.168.47.128  07       "Private network"  445      192.168.47.129  07       "Private network"  49212    6        0x03             0x0001   0                            0                            4            0x00000000;0xc0000120;0x0000010c;0x00000103  0x0007c360  0_0_0_0_0_5_5_0_8_7_0_0_0_0_1_3_3_2_2  0x0000000000000000  ""           ""               ""          ""           ""          ""           ""           ""                    ""             ""             ""       0x0000_0x00_0x00000000  0.000000  0_0_0            ""       0x00       0x00000000_0x00000000_0x00000000  0

The packet file currently does not decode SMB specifics. If there is human readable text, you can see it in l7Content. Look at the end of the output: there you see the beginning of the file download.

$ tcol smb2-putty_packets.txt
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP           srcIPCC  srcIPOrg         srcPort  dstIP           dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  l7Content
1       1        0x0400000000004000  1303158654.391729  0.000000  0.000000      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01             .....SMB@...................$.......................................9....................................... ...x.......x.....u.t.t.(...............DHnQ....................................MxAc................ ...RqLs............X.......................
2       1        0x0400000000004001  1303158654.392248  0.000000  0.000000      3        eth:ipv4:tcp             00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800   192.168.47.128  07       Private network  445      192.168.47.129  07       Private network  49212    6        0x01             .....SMB@...................$.......................................Y.......I#.........^.......^.......^............................]................... ...................MxAc............
3       1        0x0400000000004000  1303158654.392462  0.000733  0.000733      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01             .....SMB@...............p...%.......................................)...X...................]..................$.CM .SMB@...................&.......................................)...P...................]................
4       1        0x0400000000004001  1303158654.392625  0.000377  0.000377      3        eth:ipv4:tcp             00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800   192.168.47.128  07       Private network  445      192.168.47.129  07       Private network  49212    6        0x01             .....SMB@...............`...%.......................................\t.H......3Ic......eh.............SMB@...................&.......................................\t.H.................N.T.F.S.....
5       1        0x0400000000004000  1303158654.392669  0.000207  0.000940      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01             ...h.SMB@...................'.......................................)... ...h...............]...............
6       1        0x0400000000004001  1303158654.392780  0.000155  0.000532      3        eth:ipv4:tcp             00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800   192.168.47.128  07       Private network  445      192.168.47.129  07       Private network  49212    6        0x01             ...h.SMB@...................'.......................................\t.H. .............z.......z.............
7       1        0x0400000000004000  1303158654.392848  0.000179  0.001119      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01             ...X.SMB@...................(...............................................]...............
8       1        0x0400000000004001  1303158654.393261  0.000481  0.001013      3        eth:ipv4:tcp             00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800   192.168.47.128  07       Private network  445      192.168.47.129  07       Private network  49212    6        0x01             ...|.SMB@...................(.......................................<...........................................................
9       1        0x0400000000004000  1303158654.393818  0.000970  0.002089      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01             ...D.SMB@...............................................................
10      1        0x0400000000004001  1303158654.394101  0.000840  0.001853      3        eth:ipv4:tcp             00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800   192.168.47.128  07       Private network  445      192.168.47.129  07       Private network  49212    6        0x01             ...I.SMB@... ...............#.......................................\t........
11      1        0x0400000000004000  1303158654.395456  0.001638  0.003727      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01             ...@.SMB@...................).......................................9........................... ...........D...x...........p.u.t.t.y...e.x.e.......(...............DHnQ.................... ...............AlSi............................MxAc....................QFid................ ...RqLs....8.[.............................
12      1        0x0400000000004000  1303158654.395566  0.000110  0.003837      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01             ...X.SMB@...................*...............................................E...............
13      1        0x0400000000004001  1303158654.395869  0.001768  0.003621      3        eth:ipv4:tcp             00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800   192.168.47.128  07       Private network  445      192.168.47.129  07       Private network  49212    6        0x01
14      1        0x0400000000004001  1303158654.396389  0.000520  0.004141      3        eth:ipv4:tcp             00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800   192.168.47.128  07       Private network  445      192.168.47.129  07       Private network  49212    6        0x01             ...H.SMB@...................).......................................Y....................................................... .......a....................... ...............MxAc............8........... ...RqLs....8.[............................. ...............DHnQ........................ ...QFid....2....... P......................
15      1        0x0400000000004001  1303158654.396473  0.000084  0.004225      3        eth:ipv4:tcp             00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800   192.168.47.128  07       Private network  445      192.168.47.129  07       Private network  49212    6        0x01             ...|.SMB@...................*.......................................<...........................................................
16      1        0x0400000000004000  1303158654.396493  0.000927  0.004764      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01
17      1        0x0400000000004000  1303158654.397133  0.000640  0.005404      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01             ...h.SMB@...................+.......................................).......h...............a...............
18      1        0x0400000000004001  1303158654.397332  0.000859  0.005084      3        eth:ipv4:tcp             00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800   192.168.47.128  07       Private network  445      192.168.47.129  07       Private network  49212    6        0x01             ...`.SMB@...................+.......................................\t.H.............w.z.............
19      1        0x0400000000004000  1303158654.397416  0.000283  0.005687      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01             ...h.SMB@...................,.......................................!.......`.......a.......................
20      1        0x0400000000004001  1303158654.397657  0.000325  0.005409      3        eth:ipv4:tcp             00:0c:29:90:2d:08  00:0c:29:d5:c1:e5  0x0800   192.168.47.128  07       Private network  445      192.168.47.129  07       Private network  49212    6        0x01             ...B.SMB@...................,.........................................
21      1        0x0400000000004000  1303158654.398668  0.001252  0.006939      3        eth:ipv4:tcp             00:0c:29:d5:c1:e5  00:0c:29:90:2d:08  0x0800   192.168.47.129  07       Private network  49212    192.168.47.128  07       Private network  445      6        0x01             ...p.SMB@.......\t...........-.......................................1.p.............a...............................MZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\r\n$.........B...,A..,A..,A..EA..,A..LA..,A..#A..,A..qA..,A..5A..,Aj.qA..,A..-A..,A..sAQ.,A..rA..,A..vA..,ARich..,A........................PE..L.....4F...............\n.....`.......w............@..........................`............
...

The extracted download is stored under /tmp/TranSMB, as configured by SMB_SAVE_DIR in the header file. Here you see two carved putty executables and a text file mapping the file IDs to the actual file names.

$ cd /tmp/TranSMB
$ ls
File_Id_00000161-0000-0000-b500-0000ffffffff_1  File_Id_0000016d-0000-0000-c100-0000ffffffff_1  smb_filenames.txt
$ cat smb_filenames.txt
File_Id_00000161-0000-0000-b500-0000ffffffff_1	putty.exe
File_Id_0000016d-0000-0000-c100-0000ffffffff_1	putty.exe
$

The script smbrename, located in the smbDecode directory, renames all file IDs to their real names and sorts the files into directories by file type.

If you move to BIN you see the putty executables properly named. If you open one of them with hexedit, the content matches the beginning of the download seen in the packet file.

$ ~/tranalyzer2/plugins/smbDecode/smbrename
$ ls
APP  AUD  BIN  CHM  CONF  DB  DLL  DOC  EMPTY  ENC  HTM  IMG  LNK  LOG  MAIL  PDF  PPT  SPEC  TMP  TXT  URL  VID  XLS  XML  ZIP
$ cd BIN
$ ls
'putty_1(1).exe'   putty_1.exe
$ hexedit putty_1.exe
00000000   4D 5A 90 00  03 00 00 00  04 00 00 00  FF FF 00 00  B8 00 00 00  00 00 00 00  40 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  MZ......................@...........................
00000034   00 00 00 00  00 00 00 00  00 01 00 00  0E 1F BA 0E  00 B4 09 CD  21 B8 01 4C  CD 21 54 68  69 73 20 70  72 6F 67 72  61 6D 20 63  61 6E 6E 6F  74 20 62 65  20 72 75 6E  ....................!..L.!This program cannot be run
00000068   20 69 6E 20  44 4F 53 20  6D 6F 64 65  2E 0D 0D 0A  24 00 00 00  00 00 00 00  AD 8A 42 12  E9 EB 2C 41  E9 EB 2C 41  E9 EB 2C 41  FA E3 45 41  EB EB 2C 41  EC E7 4C 41   in DOS mode....$.........B...,A..,A..,A..EA..,A..LA
0000009C   EB EB 2C 41  EC E7 23 41  F2 EB 2C 41  FA E3 71 41  EB EB 2C 41  13 C8 35 41  ED EB 2C 41  6A E3 71 41  E6 EB 2C 41  E9 EB 2D 41  F6 EA 2C 41  EC E7 73 41  51 EB 2C 41  ..,A..#A..,A..qA..,A..5A..,Aj.qA..,A..-A..,A..sAQ.,A
...
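As an added example (not part of the smbDecode plugin or the smbrename script), the Python below reads an smb_filenames.txt mapping like the one shown above, hashes each carved File_Id_* file and classifies it by its magic bytes, the way the hexedit output identifies the MZ header of putty.exe. The magic table, the "UNKNOWN" category and the temporary directory built in demo() are assumptions; the sample mapping line and file ID are the ones from this tutorial.

```python
import hashlib
import os
import re
import tempfile

# Carved files are named SMB_FILE_ID prefix + SMB2 FileId + sequence number,
# e.g. File_Id_00000161-0000-0000-b500-0000ffffffff_1 (as seen in /tmp/TranSMB).
FILE_ID_RE = re.compile(r"^File_Id_[0-9a-f\-]+_\d+$")

# Magic-byte classification modelled on a few of smbrename's directory names.
# This table is an assumption for the example, not smbrename's real rules.
MAGIC = [
    (b"MZ", "BIN"),          # DOS/PE executable, as in the hexedit dump above
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP"),
]


def parse_map_file(text):
    """Parse smb_filenames.txt: one '<File_Id_...>\\t<filename>' per line."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        file_id, _, name = line.partition("\t")
        if not FILE_ID_RE.match(file_id):
            raise ValueError(f"unexpected file id: {file_id!r}")
        # Keep only the basename so a server-supplied path cannot escape a directory.
        mapping[file_id] = os.path.basename(name.strip()) or "EMPTY"
    return mapping


def classify(data):
    """Classify carved content by magic bytes rather than by the claimed name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if not data:
        return "EMPTY"
    printable = all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512])
    return "TXT" if printable else "UNKNOWN"


def carve_report(save_dir):
    """Return [(file_id, mapped name, kind, sha256, size)] for every carved file."""
    with open(os.path.join(save_dir, "smb_filenames.txt")) as fh:
        mapping = parse_map_file(fh.read())
    report = []
    for file_id in sorted(os.listdir(save_dir)):
        if not FILE_ID_RE.match(file_id):
            continue
        with open(os.path.join(save_dir, file_id), "rb") as fh:
            data = fh.read()
        report.append((file_id, mapping.get(file_id, "EMPTY"), classify(data),
                       hashlib.sha256(data).hexdigest(), len(data)))
    return report


def demo():
    """Constructed stand-in for /tmp/TranSMB: a fake MZ stub plus the mapping file."""
    save_dir = tempfile.mkdtemp()
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\r\n$"
    with open(os.path.join(save_dir, "File_Id_00000161-0000-0000-b500-0000ffffffff_1"), "wb") as fh:
        fh.write(fake_exe)
    with open(os.path.join(save_dir, "smb_filenames.txt"), "w") as fh:
        fh.write("File_Id_00000161-0000-0000-b500-0000ffffffff_1\tputty.exe\n")
    return carve_report(save_dir)


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

Pointing carve_report() at the real /tmp/TranSMB gives a hash per carved file, which is what you want to record before the executables are handled further.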

Don’t forget to reset the plugin configuration for the next tutorial.

$ t2conf smbDecode --reset && t2build smbDecode
...
$

Have fun analyzing.