Tutorial: Server Message Block (SMB)
SMB is a communication protocol for shared file or printer access on Windows crap. An infamous, ill-fated and troubled protocol with a long history of vulnerabilities. Hence a lot of information could be extracted from it until v3 came to life. This tutorial presents the plugin smbDecode, which dissects SMBv1 and SMBv2 and performs data carving.
Preparation
Before we start we need to prepare T2. If you did not complete the tutorials before just follow the procedure described below.
First, I recommend putting T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins, just as a precaution in case you have some old plugins or files there. If you would like to keep them, please copy them elsewhere first.
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$
Then compile the following plugins:
$ t2build tranalyzer2 basicFlow tcpStates smbDecode txtSink
...
BUILD SUCCESSFUL
$
If you did not create a separate data and results directory yet, please do it now in another cmd window, it facilitates your workflow:
$ mkdir ~/data ~/results
$
Download the sample pcap here: smb2-putty.pcap. Now you’re all set.
smbDecode
Let’s look at the plugin configuration first:
$ smbDecode
$ vi src/smbDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define SMB1_DECODE 1 // decode SMB1 (experimental)
#define SMB_SECBLOB 1 // decode security blob (experimental)
#define SMB2_NUM_DIALECT 3 // number of SMB2 dialects to store
#define SMB2_NUM_STAT 18 // number of unique SMB2 header status to store
#if SMB1_DECODE == 1
#define SMB1_NUM_DIALECT 20 // number of SMB1 dialects to store
#define SMB1_DIAL_MAXLEN 32 // maximum length for SMB1 dialects
#endif // SMB1_DECODE == 1
#define SMB_NUM_FNAME 5 // number of unique filenames to store in the flow file
#define SMB_NATIVE_NAME_LEN 64 // Max length for Native OS and LAN Manager
#define SMB2_SAVE_DATA 0 // whether or not to save files
#if SMB1_DECODE == 1
#define SMB1_SAVE_DATA 0 // whether or not to save files (SMB1, experimental)
#endif // SMB1_DECODE == 1
#define SMB_SAVE_AUTH 0 // save NTLM authentications
#define SMB_AUTH_FILE "smb_auth.txt" // stores NTLM authentications
#define SMB_SAVE_DIR "/tmp/TranSMB/" // folder for saved data
#if SMB2_SAVE_DATA == 1 || SMB1_SAVE_DATA == 1
#define SMB_MAP_FILE "smb_filenames.txt" // stores the mapping between file ID and filename
#define SMB_RM_DATADIR 1 // remove SMB_SAVE_DIR before starting
#endif // SMB2_SAVE_DATA == 1 || SMB1_SAVE_DATA == 1
//#define SMB_NUM_FILE 10
#define SMB_FNAME_LEN 512
#define SMB_STRCPY_BEHAVIOR T2_STRCPY_TRUNC
#define SMB_FILE_ID "File_Id_" // used to name saved files
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
SMB1_DECODE and SMB2_DECODE select the type of SMB you want to decode. SMB2_NUM_DIALECT controls the number of SMB2 dialects to store; if you change it you get more or less in the flow file. SMB2_NUM_STAT and SMB_NUM_FNAME denote the number of header status values and unique filenames in the flow file. We leave them at their defaults.
SMB1_SAVE_DATA, SMB2_SAVE_DATA and SMB_SAVE_AUTH control the extraction of SMB content and the NTLM authentication string. The latter is becoming obsolete, as we have a better plugin for that purpose: ntlmssp. So let’s switch them on.
Recompile and run t2 on the supplied pcap, including packet mode.
$ t2conf smbDecode -D SMB1_SAVE_DATA=1 -D SMB2_SAVE_DATA=1 -D SMB_SAVE_AUTH=1 && t2build smbDecode
...
$ t2 -r ~/data/smb2-putty.pcap -w ~/results -s
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 68530
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: basicFlow, 0.8.14
02: tcpStates, 0.8.14
03: smbDecode, 0.8.14
04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/smb2-putty.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1303158654.391729 sec (Mon 18 Apr 2011 20:30:54 GMT)
Dump stop : 1303158655.743323 sec (Mon 18 Apr 2011 20:30:55 GMT)
Total dump duration: 1.351594 sec
Finished processing. Elapsed time: 0.023838 sec
Finished unloading flow memory. Time: 0.023908 sec
Percentage completed: 100.00%
Number of processed packets: 161
Number of processed bytes: 554881 (554.88 K)
Number of raw bytes: 554881 (554.88 K)
Number of pad bytes: 138
Number of pcap bytes: 557481 (557.48 K)
Number of IPv4 packets: 161 [100.00%]
Number of A packets: 50 [31.06%]
Number of B packets: 111 [68.94%]
Number of A bytes: 462203 (462.20 K) [83.30%]
Number of B bytes: 92678 (92.68 K) [16.70%]
Average A packet load: 9244.06 (9.24 K)
Average B packet load: 834.94
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x03
smbDecode: Aggregated smbStat=0x4001
smbDecode: Number of SMB packets: 161 [100.00%]
smbDecode: Number of SMBv2 records: 71
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 161 [100.00%]
Number of TCP bytes: 554881 (554.88 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 2
Number of processed A flows: 1 [50.00%]
Number of processed B flows: 1 [50.00%]
Number of request flows: 1 [50.00%]
Number of reply flows: 1 [50.00%]
Total A/B flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed packets/flows: 80.50
Number of processed A packets/flows: 50.00
Number of processed B packets/flows: 111.00
Number of processed total packets/s: 119.12
Number of processed A+B packets/s: 119.12
Number of processed A packets/s: 36.99
Number of processed B packets/s: 82.13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 1.48
Average full raw bandwidth: 3284306 b/s (3.28 Mb/s)
Average full bandwidth : 3283489 b/s (3.28 Mb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
$
The aggregated smbStat confirms that there are SMBv2 flows and extracted files present. The packet count confirms that all packets are SMB.
$ tawk -V smbStat=0x4001
The smbStat column with value 0x4001 is to be interpreted as follows:
bit | smbStat | Description
=============================================================================
0 | 0x0001 | Flow is SMB
14 | 0x4000 | SMB2 files present
Looking into the results directory, besides the flow and packet files you also see the authentication file, which is empty, as no NTLM authentication hash is present. Sorry.
$ cd ~/results
$ ls
smb2-putty_flows.txt smb2-putty_headers.txt smb2-putty_packets.txt smb2-putty_smb_auth.txt
$ cat smb2-putty_smb_auth.txt
$
The flow file shows all relevant information of the SMB header and content, including the names of the extracted files.
$ cd ~/results
$ tcol smb2-putty_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags smbStat smb1NDialects smb1Dialects smb2NDialects smb2Dialects smbNHdrStat smbHdrStat smbOpcodes smbNOpcodes smbPrevSessId smbNativeOS smbNativeLanMan smbPrimDom smbTargName smbDomName smbUserName smbHostName smbNTLMServChallenge smbNTProofStr smbSessionKey smbGUID smbSFlags_secM_caps smbBootT smbMaxSizeT_R_W smbPath smbShareT smbShareF_caps_acc smbNFiles smbFiles
A 1 0x0400000000004000 1303158654.391729 1303158655.743323 1.351594 1 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 "Private network" 49212 192.168.47.128 07 "Private network" 445 6 0x03 0x4001 0 0 0 0x0007d360 0_0_0_0_0_5_5_0_8_7_0_0_1_0_1_2_3_2_1 0x0000000000000000 "" "" "" "" "" "" "" "" "" "" "" 0x0000_0x00_0x00000000 0.000000 0_0_0 "" 0x00 0x00000000_0x00000000_0x00000000 2 "";"putty.exe"
B 1 0x0400000000004001 1303158654.392248 1303158655.528305 1.136057 1 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 "Private network" 445 192.168.47.129 07 "Private network" 49212 6 0x03 0x0001 0 0 4 0x00000000;0xc0000120;0x0000010c;0x00000103 0x0007c360 0_0_0_0_0_5_5_0_8_7_0_0_0_0_1_3_3_2_2 0x0000000000000000 "" "" "" "" "" "" "" "" "" "" "" 0x0000_0x00_0x00000000 0.000000 0_0_0 "" 0x00 0x00000000_0x00000000_0x00000000 0
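The smbStat bits from the tawk table and the smbFiles column of the flow file above can be read programmatically. The following is an added example (not Tranalyzer or smbDecode code); it parses a constructed, reduced tab-separated flow file carrying the values of the two flows shown, decodes the two smbStat bits documented on this page, and flags flows in which a carved file name looks like a Windows executable.

```python
"""Decode the smbStat column and list carved file names from a Tranalyzer
flow file. Added example, not part of Tranalyzer or the smbDecode plugin."""

# Bit meanings as printed by `tawk -V smbStat=0x4001` on this page
SMB_STAT_BITS = {
    0: "Flow is SMB",
    14: "SMB2 files present",
}

# Constructed, reduced flow file: tab-separated like the real one, but only
# the columns this example needs (values taken from the two flows above)
SAMPLE_FLOWS = (
    "%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\tsmbStat\tsmbNFiles\tsmbFiles\n"
    "A\t1\t192.168.47.129\t49212\t192.168.47.128\t445\t0x4001\t2\t\"\";\"putty.exe\"\n"
    "B\t1\t192.168.47.128\t445\t192.168.47.129\t49212\t0x0001\t0\t\n"
)

def decode_smb_stat(value):
    """Return the descriptions of every bit set in an smbStat hex value."""
    stat = int(value, 16)
    return [SMB_STAT_BITS.get(bit, f"unknown bit {bit}")
            for bit in range(stat.bit_length()) if stat >> bit & 1]

def split_smb_files(field):
    """smbFiles is a ';'-separated list of quoted names; drop empty names."""
    return [n for n in (s.strip().strip('"') for s in field.split(";")) if n]

def parse_flows(text):
    """Parse a tab-separated flow file (header starts with '%') into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]

def smb_file_report(text):
    """Per flow with SMB2 files present: (dir, flowInd, carved file names)."""
    report = []
    for row in parse_flows(text):
        if "SMB2 files present" in decode_smb_stat(row["smbStat"]):
            report.append((row["dir"], row["flowInd"],
                           split_smb_files(row["smbFiles"])))
    return report

def executables_over_smb(text, suffixes=(".exe", ".dll")):
    """Flag flows whose carved names look like Windows executables."""
    hits = []
    for d, i, names in smb_file_report(text):
        exe = [n for n in names if n.lower().endswith(suffixes)]
        if exe:
            hits.append((d, i, exe))
    return hits

if __name__ == "__main__":
    for d, i, exe in executables_over_smb(SAMPLE_FLOWS):
        print(f"flow {i}{d}: executable(s) transferred over SMB: {exe}")
```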
The packet file currently does not decode SMB specifics. If there is human readable text you can see it in l7Content. Look at the end, there is the beginning of the file download.
$ tcol smb2-putty_packets.txt
%pktNo flowInd flowStat time pktIAT flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags l7Content
1 1 0x0400000000004000 1303158654.391729 0.000000 0.000000 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 .....SMB@...................$.......................................9....................................... ...x.......x.....u.t.t.(...............DHnQ....................................MxAc................ ...RqLs............X.......................
2 1 0x0400000000004001 1303158654.392248 0.000000 0.000000 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 .....SMB@...................$.......................................Y.......I#.........^.......^.......^............................]................... ...................MxAc............
3 1 0x0400000000004000 1303158654.392462 0.000733 0.000733 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 .....SMB@...............p...%.......................................)...X...................]..................$.CM .SMB@...................&.......................................)...P...................]................
4 1 0x0400000000004001 1303158654.392625 0.000377 0.000377 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 .....SMB@...............`...%.......................................\t.H......3Ic......eh.............SMB@...................&.......................................\t.H.................N.T.F.S.....
5 1 0x0400000000004000 1303158654.392669 0.000207 0.000940 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...h.SMB@...................'.......................................)... ...h...............]...............
6 1 0x0400000000004001 1303158654.392780 0.000155 0.000532 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...h.SMB@...................'.......................................\t.H. .............z.......z.............
7 1 0x0400000000004000 1303158654.392848 0.000179 0.001119 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...X.SMB@...................(...............................................]...............
8 1 0x0400000000004001 1303158654.393261 0.000481 0.001013 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...|.SMB@...................(.......................................<...........................................................
9 1 0x0400000000004000 1303158654.393818 0.000970 0.002089 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...D.SMB@...............................................................
10 1 0x0400000000004001 1303158654.394101 0.000840 0.001853 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...I.SMB@... ...............#.......................................\t........
11 1 0x0400000000004000 1303158654.395456 0.001638 0.003727 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...@.SMB@...................).......................................9........................... ...........D...x...........p.u.t.t.y...e.x.e.......(...............DHnQ.................... ...............AlSi............................MxAc....................QFid................ ...RqLs....8.[.............................
12 1 0x0400000000004000 1303158654.395566 0.000110 0.003837 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...X.SMB@...................*...............................................E...............
13 1 0x0400000000004001 1303158654.395869 0.001768 0.003621 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01
14 1 0x0400000000004001 1303158654.396389 0.000520 0.004141 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...H.SMB@...................).......................................Y....................................................... .......a....................... ...............MxAc............8........... ...RqLs....8.[............................. ...............DHnQ........................ ...QFid....2....... P......................
15 1 0x0400000000004001 1303158654.396473 0.000084 0.004225 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...|.SMB@...................*.......................................<...........................................................
16 1 0x0400000000004000 1303158654.396493 0.000927 0.004764 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01
17 1 0x0400000000004000 1303158654.397133 0.000640 0.005404 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...h.SMB@...................+.......................................).......h...............a...............
18 1 0x0400000000004001 1303158654.397332 0.000859 0.005084 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...`.SMB@...................+.......................................\t.H.............w.z.............
19 1 0x0400000000004000 1303158654.397416 0.000283 0.005687 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...h.SMB@...................,.......................................!.......`.......a.......................
20 1 0x0400000000004001 1303158654.397657 0.000325 0.005409 3 eth:ipv4:tcp 00:0c:29:90:2d:08 00:0c:29:d5:c1:e5 0x0800 192.168.47.128 07 Private network 445 192.168.47.129 07 Private network 49212 6 0x01 ...B.SMB@...................,.........................................
21 1 0x0400000000004000 1303158654.398668 0.001252 0.006939 3 eth:ipv4:tcp 00:0c:29:d5:c1:e5 00:0c:29:90:2d:08 0x0800 192.168.47.129 07 Private network 49212 192.168.47.128 07 Private network 445 6 0x01 ...p.SMB@.......\t...........-.......................................1.p.............a...............................MZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\r\n$.........B...,A..,A..,A..EA..,A..LA..,A..#A..,A..qA..,A..5A..,Aj.qA..,A..-A..,A..sAQ.,A..rA..,A..vA..,ARich..,A........................PE..L.....4F...............\n.....`.......w............@..........................`............
...
The extracted download is stored under /tmp/TranSMB, as configured in the header file. There you see two putty executables and a text file matching the file IDs to the actual file names.
$ cd /tmp/TranSMB
$ ls
File_Id_00000161-0000-0000-b500-0000ffffffff_1 File_Id_0000016d-0000-0000-c100-0000ffffffff_1 smb_filenames.txt
$ cat smb_filenames.txt
File_Id_00000161-0000-0000-b500-0000ffffffff_1 putty.exe
File_Id_0000016d-0000-0000-c100-0000ffffffff_1 putty.exe
$
The script smbrename, located in the smbDecode directory, sorts all file IDs into nicely named directories by file type. If you move to BIN you see the putty executables properly named. If you open one file with hexedit, its content matches the download seen in the packet file.
$ ~/tranalyzer2/plugins/smbDecode/smbrename
$ ls
APP AUD BIN CHM CONF DB DLL DOC EMPTY ENC HTM IMG LNK LOG MAIL PDF PPT SPEC TMP TXT URL VID XLS XML ZIP
$ cd BIN
$ ls
'putty_1(1).exe' putty_1.exe
$ hexedit putty_1.exe
00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 MZ......................@...........................
00000034 00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E ....................!..L.!This program cannot be run
00000068 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 AD 8A 42 12 E9 EB 2C 41 E9 EB 2C 41 E9 EB 2C 41 FA E3 45 41 EB EB 2C 41 EC E7 4C 41 in DOS mode....$.........B...,A..,A..,A..EA..,A..LA
0000009C EB EB 2C 41 EC E7 23 41 F2 EB 2C 41 FA E3 71 41 EB EB 2C 41 13 C8 35 41 ED EB 2C 41 6A E3 71 41 E6 EB 2C 41 E9 EB 2D 41 F6 EA 2C 41 EC E7 73 41 51 EB 2C 41 ..,A..#A..,A..qA..,A..5A..,Aj.qA..,A..-A..,A..sAQ.,A
...
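The renaming step above can be reproduced and extended with a check a practitioner would want: does the carved file's magic really match the extension of the name the client asked for? The following added example (with constructed inputs and a hypothetical "name(n).ext" collision scheme, not the plugin's own smbrename script) reads a mapping in the smb_filenames.txt format, renames the File_Id_* files, and reports a mismatch such as a non-MZ file that was carried as putty.exe.

```python
"""Rename files carved by smbDecode using smb_filenames.txt and check magic bytes
against the claimed extension. Added example; not the plugin's smbrename script."""
import os
import tempfile

# Constructed mapping, same format as the smb_filenames.txt shown above
SAMPLE_MAP = (
    "File_Id_00000161-0000-0000-b500-0000ffffffff_1 putty.exe\n"
    "File_Id_0000016d-0000-0000-c100-0000ffffffff_1 putty.exe\n"
)
# Constructed carved contents: an MZ header, and plain text misnamed as .exe
SAMPLE_FILES = {
    "File_Id_00000161-0000-0000-b500-0000ffffffff_1": b"MZ\x90\x00" + b"\x00" * 60,
    "File_Id_0000016d-0000-0000-c100-0000ffffffff_1": b"not an executable\n",
}
MAGIC = {".exe": b"MZ", ".dll": b"MZ", ".pdf": b"%PDF", ".zip": b"PK\x03\x04"}

def parse_map(text):
    """Yield (file id, base name); basename() blocks '..' in carved names."""
    for line in text.splitlines():
        if line.strip():
            fid, name = line.split(None, 1)
            yield fid, os.path.basename(name.strip())

def unique_target(directory, name):
    """Avoid clobbering duplicates: putty.exe, putty(1).exe, ..."""
    base, ext = os.path.splitext(name)
    candidate, n = name, 1
    while os.path.exists(os.path.join(directory, candidate)):
        candidate, n = f"{base}({n}){ext}", n + 1
    return os.path.join(directory, candidate)

def rename_carved(directory, map_text):
    """Rename File_Id_* files to real names; return [(new name, magic ok)]."""
    results = []
    for fid, name in parse_map(map_text):
        src = os.path.join(directory, fid)
        if not os.path.isfile(src):
            continue  # mapping entry without a carved file
        # None when the extension has no known magic, else True/False
        expected = MAGIC.get(os.path.splitext(name)[1].lower())
        with open(src, "rb") as fh:
            ok = None if expected is None else fh.read(len(expected)) == expected
        dst = unique_target(directory, name)
        os.rename(src, dst)
        results.append((os.path.basename(dst), ok))
    return results

def demo():
    """Write the constructed files to a temp dir, then rename them."""
    d = tempfile.mkdtemp(prefix="TranSMB_")
    for fid, data in SAMPLE_FILES.items():
        with open(os.path.join(d, fid), "wb") as fh:
            fh.write(data)
    return rename_carved(d, SAMPLE_MAP)
```

A False in the result means the carved bytes do not start with the magic expected for that extension, which is worth a second look during triage.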
Don’t forget to reset the plugin configuration for the next tutorial.
$ t2conf smbDecode --reset && t2build smbDecode
...
$
Have fun analyzing.