uses the SMB_COM_NT_CREATE_ANDX command, while closing a file will use the SMB_COM_CLOSE command. The type of operation stipulates the command. Table 8-2 shows a complete list of commands in the SMB specification.

Table 8-2 SMB Command Codes

COMMAND                             CODE

SMB COMMAND CODES
SMB_COM_CREATE_DIRECTORY            0x00
SMB_COM_DELETE_DIRECTORY            0x01
SMB_COM_OPEN                        0x02
SMB_COM_CREATE                      0x03
SMB_COM_CLOSE                       0x04
SMB_COM_FLUSH                       0x05
SMB_COM_DELETE                      0x06
SMB_COM_RENAME                      0x07
SMB_COM_QUERY_INFORMATION           0x08
SMB_COM_SET_INFORMATION             0x09
SMB_COM_READ                        0x0A
SMB_COM_WRITE                       0x0B
SMB_COM_LOCK_BYTE_RANGE             0x0C
SMB_COM_UNLOCK_BYTE_RANGE           0x0D
SMB_COM_CREATE_TEMPORARY            0x0E
SMB_COM_CREATE_NEW                  0x0F
SMB_COM_CHECK_DIRECTORY             0x10
SMB_COM_PROCESS_EXIT                0x11
SMB_COM_SEEK                        0x12
SMB_COM_LOCK_AND_READ               0x13
SMB_COM_WRITE_AND_UNLOCK            0x14
SMB_COM_READ_RAW                    0x1A
SMB_COM_READ_MPX                    0x1B
SMB_COM_READ_MPX_SECONDARY          0x1C
SMB_COM_WRITE_RAW                   0x1D
SMB_COM_WRITE_MPX                   0x1E
SMB_COM_WRITE_COMPLETE              0x20
SMB_COM_SET_INFORMATION2            0x22
SMB_COM_QUERY_INFORMATION2          0x23
SMB_COM_LOCKING_ANDX                0x24
SMB_COM_TRANSACTION                 0x25
SMB_COM_TRANSACTION_SECONDARY       0x26
SMB_COM_IOCTL                       0x27
SMB_COM_IOCTL_SECONDARY             0x28
SMB_COM_COPY                        0x29
SMB_COM_MOVE                        0x2A
SMB_COM_ECHO                        0x2B
SMB_COM_WRITE_AND_CLOSE             0x2C
SMB_COM_OPEN_ANDX                   0x2D
SMB_COM_READ_ANDX                   0x2E
SMB_COM_WRITE_ANDX                  0x2F
SMB_COM_CLOSE_AND_TREE_DISC         0x31
SMB_COM_TRANSACTION2                0x32
SMB_COM_TRANSACTION2_SECONDARY      0x33
SMB_COM_FIND_CLOSE2                 0x34
SMB_COM_FIND_NOTIFY_CLOSE           0x35
SMB_COM_TREE_CONNECT                0x70
SMB_COM_TREE_DISCONNECT             0x71
SMB_COM_NEGOTIATE                   0x72
SMB_COM_SESSION_SETUP_ANDX          0x73
SMB_COM_LOGOFF_ANDX                 0x74
SMB_COM_TREE_CONNECT_ANDX           0x75
SMB_COM_QUERY_INFORMATION_DISK      0x80
SMB_COM_SEARCH                      0x81
SMB_COM_FIND                        0x82
SMB_COM_FIND_UNIQUE                 0x83
SMB_COM_NT_TRANSACT                 0xA0
SMB_COM_NT_TRANSACT_SECONDARY       0xA1
SMB_COM_NT_CREATE_ANDX              0xA2
SMB_COM_NT_CANCEL                   0xA4
SMB_COM_OPEN_PRINT_FILE             0xC0
SMB_COM_WRITE_PRINT_FILE            0xC1
SMB_COM_CLOSE_PRINT_FILE            0xC2
SMB_COM_GET_PRINT_QUEUE             0xC3
SMB_COM_READ_BULK                   0xD8
SMB_COM_WRITE_BULK                  0xD9
SMB_COM_WRITE_BULK_DATA             0xDA

SMB_COM_TRANSACTION2 SUBCOMMAND CODES
TRANS2_OPEN2                        0x00
TRANS2_FIND_FIRST2                  0x01
TRANS2_FIND_NEXT2                   0x02
TRANS2_QUERY_FS_INFORMATION         0x03
Reserved                            0x04
TRANS2_QUERY_PATH_INFORMATION       0x05
TRANS2_SET_PATH_INFORMATION         0x06
TRANS2_QUERY_FILE_INFORMATION       0x07
TRANS2_SET_FILE_INFORMATION         0x08
TRANS2_FSCTL                        0x09
TRANS2_IOCTL2                       0x0A
TRANS2_FIND_NOTIFY_FIRST            0x0B
TRANS2_FIND_NOTIFY_NEXT             0x0C
TRANS2_CREATE_DIRECTORY             0x0D
TRANS2_SESSION_SETUP                0x0E
TRANS2_GET_DFS_REFERRAL             0x10
TRANS2_REPORT_DFS_INCONSISTENCY     0x11

SMB_COM_NT_TRANSACTION SUBCOMMAND CODES
NT_TRANSACT_CREATE                  1
NT_TRANSACT_IOCTL                   2
NT_TRANSACT_SET_SECURITY_DESC       3
NT_TRANSACT_NOTIFY_CHANGE           4
NT_TRANSACT_RENAME                  5
NT_TRANSACT_QUERY_SECURITY_DESC     6

Microsoft-Related Protocols 333 12 429759 Ch08.qxd 6/26/03 8:59 AM Page 333

SMB Responses

SMB responses contain specific data, depending on the command. They also contain four classes of error codes that indicate the general success or failure of a command. Figure 8-17 shows the four classes of errors and their respective error codes. Error codes also show up as 32-bit status codes, of which there are too many to list in this chapter. I have included a listing of all 32-bit SMB codes in Appendix B. The following case study concerning directory access illustrates the use of SMB status codes.

Many times when I am unable to access a directory on a network server, I run a protocol trace to find out what the server's response is to my request. In this case, I was able to see a share on an NT server but was unable to access the directories within it.
Figure 8-18 shows how easily you can determine the nature of a problem by looking at the SMB status codes. Take a look at Frame 11. It contains a type of status code called a DOS Error. DOS Error codes were left over from the early days of Microsoft's LANMAN server product and are still sparsely used in NT servers. So in this case, rather than a 32-bit status code, I have received a DOS Error code, which, if you look into the detail of the packet, is Access Denied. No wonder I could not access the directories under the share. Armed with this information I was able to call the help desk and get a quick resolution to my access problem. Understanding these simple status codes, such as the Access Denied message, can save you hours of guesswork when attempting to resolve server communication problems.

Figure 8-17 SMB error codes.

SUCCESS Class

Class      Code   Comment
=======    =====  ========
SUCCESS    0      The request was successful.

Error                  Code   Description
======                 =====  ============
ERRerror               1      Non-specific error code
ERRbadpw               2      Bad password
ERRaccess              4      The client does not have the necessary access rights
ERRinvtid              5      The Tid specified in a command was invalid.
ERRinvnetname          6      Invalid network name in tree connect.
ERRinvdevice           7      Invalid device
ERRqfull               49     Print queue full
ERRqtoobig             50     Print queue full no space.
ERRqeof                51     EOF on print queue dump.
ERRinvpfid             52     Invalid print file FID.
ERRsmbcmd              64     The server did not recognize the command received.
ERRsrverror            65     The server encountered an internal error, e.g., system file unavailable.
ERRbadBID              66     (obsolete)
ERRfilespecs           67     The Fid and pathname parameters contained an invalid combination of values.
ERRbadLink             68     (obsolete)
ERRbadpermits          69     The access permissions specified for a file or directory are not a valid combination.
ERRbadPID              70
ERRsetattrmode         71     The attribute mode in the Set File Attribute request is invalid.
ERRpaused              81     Server is paused. (Reserved for messaging)
ERRmsgoff              82     Not receiving messages. (Reserved for messaging)
ERRnoroom              83     No room to buffer message. (Reserved for messaging)
ERRrmuns               87     Too many remote user names. (Reserved for messaging)
ERRtimeout             88     Operation timed out.
ERRnoresource          89     No resources currently available for request.
ERRtoomanyuids         90     Too many Uids active on this session.
ERRbaduid              91     The Uid is not known as a valid user identifier on this session.
ERRusempx              250    Temporarily unable to support Raw, use MPX mode.
ERRusestd              251    Temporarily unable to support Raw, use standard read/write.
ERRcontmpx             252    Continue in MPX mode.
ERRbadPassword         254    (obsolete)
ERR_NOTIFY_ENUM_DIR    1024   Too many files have changed since the last time a NT_TRANSACT_NOTIFY_CHANGE was issued
ERRaccountExpired      2239
ERRbadClient           2240   Cannot access the server from this workstation.
ERRbadLogonTime        2241   Cannot access the server at this time.
ERRpasswordExpired     2242
ERRnosupport           65535  Function not supported.

ERRDOS Class

Error                  Code   Description
======                 =====  ============
ERRbadfunc             1      Invalid function.
ERRbadfile             2      File not found
ERRbadpath             3      Directory invalid
ERRnofids              4      Too many open files
ERRnoaccess            5      Access denied.
ERRbadfid              6      Invalid file handle.
ERRbadmcb              7      Memory control blocks destroyed.
ERRnomem               8      Insufficient server memory to perform the requested function.
ERRbadmem              9      Invalid memory block address.
ERRbadenv              10     Invalid environment.
ERRbadformat           11     Invalid format.
ERRbadaccess           12     Invalid open mode.
ERRbaddata             13     Invalid data
ERRbaddrive            15     Invalid drive specified.
ERRremcd               16     A Delete Directory request attempted to remove the server's current directory.
ERRdiffdevice          17     Not same device (e.g., a cross volume rename was attempted)
ERRnofiles             18     A File Search command can find no more files matching the specified criteria.
ERRbadshare            32     The sharing mode specified for an Open conflicts with existing FIDs on the file.
ERRlock                33     A Lock request conflicted with an existing lock or specified an invalid mode, or an Unlock request attempted to remove a lock held by another process.
ERRfilexists           80     The file named in the request already exists.
ErrQuota               512    The operation would cause a quota limit to be exceeded.
ErrNotALink            513    A link operation was performed on a pathname that was not a link

Figure 8-18 SMB status code—Access Denied.

NOTE Microsoft SMB uses two levels of file security, share level and user level. Share level security applies only to a shared resource, such as a printer or directory. User level rights can override share level rights, which can make troubleshooting difficult because share rights and user level rights can differ.

CROSS-REFERENCE Please refer to Appendix B for a full listing of SMB status codes.

SMB Operations Analysis

SMB is probably one of the most complex protocols an analyst could wish (or not) to encounter. It would be impossible to cover every SMB command and response used in Microsoft environments, so I have chosen to explore the most common ones used in the majority of network operations. SMB is almost like a multilayered protocol unto itself, as it has multiple layers and command extensions. In the following examples, I examine these layers, which SMB calls subcommands. In my years of analysis, I have discovered few problems with the SMB protocol itself. Microsoft has done a fantastic job of weeding out small bugs and providing quick fixes. In this section, I intend to cover several examples that illustrate the inner workings of SMB.

Initial Connection

SMB is a command/response oriented protocol. In order to send an SMB command to a server, you must first connect with something called the IPC$ share. IPC stands for interprocess communication. It is a resource on all SMB servers that represents the SMB command/response system.
When you are sending commands using core SMB commands, such as the SMB Transaction command, you are actually communicating with the IPC$ share.

NOTE IPC$ is referred to with a dollar sign because it is a hidden share. All hidden shares have a dollar sign attached to the end of the share name.

Connecting to the IPC$ share enables interprocess communication. There are several types of interprocess communication, and I will further discuss them in the "Interprocess Communication" section later in this chapter. For now, take a look at Figure 8-19. It illustrates a client connection to the IPC$ of an SMB server.

NOTE It should be noted that when I refer to an SMB server, I am referring to any host that has the ability to provide SMB file services. In Microsoftland, this means just about any host, including Windows 98, NT, 2000, and XP. The versions of SMB on various versions of Windows differ slightly in the commands they use to perform certain tasks.

In Figure 8-19, you can see the following steps taking place:

1. TCP three-way handshake (Frames 1–3)
2. NetBIOS session establishment (Frames 4–5)
3. SMB version negotiation (Frames 6–7)
4. SMB authentication (Frames 8–11)
5. Connection to IPC$ share (Frames 12–13)

Figure 8-19 Packet analysis of Windows 2000 authentication.

Now, I want to examine the inner workings of Steps 3 through 5: version negotiation, authentication, and the IPC$ connection.

Version Negotiation

Having evolved throughout the years, SMB has many versions. Because these many versions exist, it is necessary for hosts to query SMB servers as to what version of SMB they can support.
The following is a decode of Frame 6 from Figure 8-19:

Packet #6
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response in: 7
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
        Flags2: 0xc853
        Reserved: 000000000000000000000000
        Tree ID: 0
        Process ID: 65279
        User ID: 0
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 98
        Requested Dialects
            Dialect: PC NETWORK PROGRAM 1.0
            Dialect: LANMAN1.0
            Dialect: Windows for Workgroups 3.1a
            Dialect: LM1.2X002
            Dialect: LANMAN2.1
            Dialect: NT LM 0.12

In the last lines of this decode example, the client is telling the SMB server which SMB versions (or dialects) it can support using the SMBNegotiate command. In its response, the server will choose the version that it wishes the client to use. As seen in the following example (a decode of Frame 7 in Figure 8-19), the server chooses dialect 5.

Packet #7
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 6
        Time from request: 0.000558000 seconds
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x98
        Flags2: 0xc853
        Reserved: 000000000000000000000000
        Tree ID: 0
        Process ID: 65279
        User ID: 0
        Multiplex ID: 0
    Negotiate Protocol Response (0x72)
        Word Count (WCT): 17
        Dialect Index: 5, greater than LANMAN2.1
        Security Mode: 0x03
        Max Mpx Count: 10
        Max VCs: 1
        Max Buffer Size: 4356
        Max Raw Buffer: 65536
        Session Key: 0x00000000
        Capabilities: 0x8000e3fd
        System Time: Jan 13, 2003 23:22:36.742609024
        Server Time Zone: 300 min from UTC
        Key Length: 0
        Byte Count (BCC): 16
        Server GUID: F8DAD40959CB2A4E99E8331C3FB6B416

SMB Authentication

After choosing a version of SMB to use, the client now must perform authentication with the SMB server. This authentication is accomplished by using the NT LanManager Secure Service Provider (abbreviated NTLMSSP).
NTLMSSP uses what is known as a challenge/response system, which enables the client to provide its server password in an encrypted format. The NTLMSSP process is performed using the SMB SessionSetupAndX command.

NOTE From a protocol standpoint, Windows NT and 2000 security features are very complex. Readers wishing to learn more about Microsoft's security implementation can refer to Luke Kenneth Casson Leighton's excellent book DCE/RPC over SMB: Samba and Windows NT Domain Internals from Macmillan Technical Publishing.

Referring back to Figure 8-19, Frames 8 through 11 contain the NTLMSSP challenge and response process. Normally, when the guest account is active on a server, the IPC$ is available for connection by any users. For this example, I disabled the guest account. Not having the guest account enabled forces clients to submit a valid username and password for the SMB server. Frame 9 (in the decode that follows) shows the response to the NTLMSSP negotiate command in Frame 8.

Packet #9
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 8
        Time from request: 0.000440000 seconds
        SMB Command: Session Setup AndX (0x73)
        NT Status: STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
        Flags: 0x98
        Flags2: 0xc807
        Reserved: 000000000000000000000000
        Tree ID: 0
        Process ID: 65279
        User ID: 2048
        Multiplex ID: 16
    Session Setup AndX Response (0x73)
        Word Count (WCT): 4
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 235
        Action: 0x0000
            0 = Guest: Not logged in as GUEST
        Security Blob Length: 118
        Byte Count (BCC): 192
        Security Blob: 4E544C4D53535000020000000A000A00
            NTLMSSP
        Native OS: Windows 5.0
        Native LAN Manager: Windows 2000 LAN Manager

This example shows your first SMB status code, indicating that more processing is required. You can also see in the Action section that the guest account is not enabled.
This forces the client to supply a valid login and password using the NTLMSSP challenge/response process.

IPC$ Connection

Once the authentication process is complete and the user is authorized, the client will make a connection to the IPC$ share as shown in the following decode of Frame 12 of Figure 8-19:

Packet #12
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response in: 13
        SMB Command: Tree Connect AndX (0x75)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
        Flags2: 0xc807
        Reserved: 000000000000000000000000
        Tree ID: 0
        Process ID: 65279
        User ID: 2048
        Multiplex ID: 48

[...]

... Transaction2 - Function, Byte In/Out Request
    Word count: 15 [90]
    Total Param Bytes: 36 [91-92]
    Total Data Bytes: 0 [93-94]
    Param Bytes To Recv: 2 [95-96]
    Data Bytes To Recv: 40 [97-98]
    Setup Bytes To Recv: 0 [99]
    Reserved: 0x00 [100]
    Flags: 0x0000 [101-102]
    Timeout (millisec.): 0 [103-106]
    Reserved: 0x0000 [107-108]
    Params This Buffer: 36 [109-110]
    Params Bytes Offset: 68 [111-112]
    Data This Buffer: ...

... SMB Header
    NT Create AndX Response (0xa2)
        Word Count (WCT): 42
        AndXCommand: No further commands
        Reserved: 00
        AndXOffset: 135
        Oplock level: Level II oplock granted (3)
        FID: 0x4003
        Create action: Open (if file exists open it, else fail) (1)
        Created: Dec 2, 2002 11:09:56.069999694
        Last Access: Jan 13, 2003 00:00:00.000000000
        Last Write: Jan 1, 2003 21:21:22.000000000
        Change: Jan 1, 1980 00:00:00.000000000 ...

... action: Open (if file exists open it, else fail) (1)
        Created: Dec 2, 2002 11:09:56.069999694
        Last Access: Jan 13, 2003 00:00:00.000000000
        Last Write: Jan 1, 2003 21:21:22.000000000
        Change: Jan 1, 1980 00:00:00.000000000
        File Attributes: 0x00000020
        Allocation Size: 8192
        End Of File: 458
        File Type: Disk file or directory (0)
        IPC State: 0x0007
        Is Directory: This is NOT a directory ...
... of the filename when referring to the opened file. The following is the decode of the CreateAndX response from the server:

Frame 8 (197 bytes on wire, 197 bytes captured)
SMB (Server Message Block Protocol)
    SMB Header
    NT Create AndX Response (0xa2)
        Word Count (WCT): 42
        AndXCommand: No further commands
        Reserved: 00
        AndXOffset: 135
        Oplock level: Batch oplock granted (2)
        FID: 0x4002
        Create action: Open (if ...

... Tree Connect AndX Request (0x75)
        Word Count (WCT): 4
        AndXCommand: No further commands
        Reserved: 00
        AndXOffset: 76
        Flags: 0x0008
        Password Length: 1
        Byte Count (BCC): 33
        Password: 00
        Path: \\Michelle\IPC$
        Service: ?????

SMB clients use the TreeConnectAndX command when making a connection to a resource share. Take particular note in the decode ...

... Trans2 command contains the subcommand Query Path Information. For the analyzer to be able to figure out what the subcommand is, there needs to be some indicator in the SMB packet of the subcommand code. There is. Look at the frame decode. The Setup Words field contains the SMB command code of the Trans2 subcommand. In the decode, you can see that it is 0x0500. But wait, didn't I just say that the subcommand specified ...

... bytes captured)
SMB (Server Message Block Protocol)
    SMB Header
    NT Create AndX Request (0xa2)
        Word Count (WCT): 24
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 57054
        Reserved: 00
        File Name Len: 28
        Create Flags: 0x00000016
        Root FID: 0x00000000
        Access Mask: 0x00020089
        Allocation Size: 0
        File Attributes: 0x00000000
        Share Access: 0x00000001
        Disposition: Open ...

... specified in the SMB standard. By reversing the nibbles in the decimal 10, you get 01, which when paired with the low order-byte 04, gives you 0x104. The response to the request for Information Level 0x104 is decoded as follows using Ethereal:

Packet #2
    QUERY_PATH_INFORMATION Parameters
        EA Error offset: 0
        Padding: 0001
    QUERY_PATH_INFORMATION Data
        Created: Dec 2, 2002 11:09:56.069999694
        Last Access: Jan 13, ...

... Figure 8-19, you can see the server response to the IPC$ share connection request.

Packet #13
    SMB Header
        Server Component: SMB
        Response to: 12
        Time from request: 0.000532000 seconds
        SMB Command: Tree Connect AndX (0x75)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x98
        Flags2: 0xc807
        Reserved: 000000000000000000000000
        Tree ID: 2048
        Process ID: 65279
        User ID: 2048
        Multiplex ID: 48
    Tree Connect AndX Response ...

... them. Batch and exclusive oplocks are used for Write mode access, while something called Level II oplocks are used for read access. Here is the decode for the Oplock Break request from the server:

Frame 13 (113 bytes on wire, 113 bytes captured)
SMB (Server Message Block Protocol)
    SMB Header
    Locking AndX Request (0x24)
        Word Count (WCT): 8
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: ...
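
The header fields, dialect list and Dialect Index shown in the Frame 6 and Frame 7 decodes, and the two status formats from the SMB Responses section (32-bit NT status versus DOS error class and code), can be read straight from the message bytes. The Python below is an added example, not code from the book: the frames are constructed from the decoded values (System Time is zeroed), the function names are hypothetical, and the Flags2 0x4000 bit, the ERRDOS class byte and the Security Mode bit meanings are taken from the CIFS specification rather than from this page.

```python
import struct

FLAGS2_NT_STATUS = 0x4000  # Flags2 bit: Status is a 32-bit NT status, not a DOS error
ERR_CLASSES = {0x00: "SUCCESS", 0x01: "ERRDOS"}  # class byte values per the CIFS spec
SECURITY_MODE_BITS = {0x01: "user-level security", 0x02: "challenge/response passwords",
                      0x04: "signing enabled", 0x08: "signing required"}  # per CIFS spec

def parse_header(msg):
    """Decode the fixed 32-byte SMB header, handling both status formats."""
    if len(msg) < 33 or msg[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    cmd, status, flags, flags2 = struct.unpack_from("<BIBH", msg, 4)
    tid, pid, uid, mid = struct.unpack_from("<4H", msg, 24)
    if flags2 & FLAGS2_NT_STATUS:
        decoded = ("NT", status)
    else:  # DOS form: ErrorClass byte, reserved byte, 16-bit ErrorCode
        decoded = (ERR_CLASSES.get(status & 0xFF, hex(status & 0xFF)), status >> 16)
    return {"command": cmd, "status": decoded, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}

def parse_dialects(msg):
    """Return the dialect names offered in a Negotiate Protocol request."""
    parse_header(msg)                          # validates magic and minimum length
    bcc_off = 33 + 2 * msg[32]                 # skip WordCount and parameter words
    if len(msg) < bcc_off + 2:
        raise ValueError("message truncated before Byte Count")
    (bcc,) = struct.unpack_from("<H", msg, bcc_off)
    data = msg[bcc_off + 2:bcc_off + 2 + bcc]
    if len(data) != bcc:
        raise ValueError("Byte Count exceeds captured data")
    items = [d for d in data.split(b"\x00") if d]
    if any(d[0] != 0x02 for d in items):       # each entry: 0x02, ASCII name, NUL
        raise ValueError("malformed dialect entry")
    return [d[1:].decode("ascii") for d in items]

def parse_negotiate_response(msg, offered):
    """Decode the leading fields of a 17-word Negotiate Protocol response."""
    parse_header(msg)
    if msg[32] != 17 or len(msg) < 33 + 34:
        raise ValueError("not a 17-word negotiate response")
    index, mode, max_mpx, max_vcs, max_buf = struct.unpack_from("<HBHHI", msg, 33)
    if index >= len(offered):
        raise ValueError("server chose a dialect the client did not offer")
    return {"dialect": offered[index], "security_mode": mode, "max_buffer": max_buf,
            "mode_flags": [n for bit, n in SECURITY_MODE_BITS.items() if mode & bit]}

def build_header(cmd, status, flags, flags2, tid, pid, uid, mid):  # sample-frame helper
    return (b"\xffSMB" + struct.pack("<BIBH", cmd, status, flags, flags2)
            + bytes(12) + struct.pack("<4H", tid, pid, uid, mid))

# Constructed frames: field values copied from the Frame 6 and Frame 7 decodes.
OFFERED = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
           "LM1.2X002", "LANMAN2.1", "NT LM 0.12"]
DIALECT_DATA = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in OFFERED)
FRAME6 = (build_header(0x72, 0, 0x18, 0xC853, 0, 65279, 0, 0) + b"\x00"
          + struct.pack("<H", len(DIALECT_DATA)) + DIALECT_DATA)
FRAME7 = (build_header(0x72, 0, 0x98, 0xC853, 0, 65279, 0, 0) + b"\x11"
          + struct.pack("<HBHHIIIIQhB", 5, 0x03, 10, 1, 4356, 65536, 0, 0x8000E3FD, 0, 300, 0)
          + struct.pack("<H", 16) + bytes.fromhex("F8DAD40959CB2A4E99E8331C3FB6B416"))
# Constructed response carrying a DOS error: class ERRDOS, code 5 (ERRnoaccess).
DOS_DENIED = build_header(0x75, 0x00050001, 0x98, 0x0001, 0, 65279, 2048, 0) + bytes(3)

if __name__ == "__main__":
    print(parse_negotiate_response(FRAME7, parse_dialects(FRAME6)))
    print(parse_header(DOS_DENIED)["status"])
```

Security Mode 0x03 decodes to user-level security with challenge/response passwords and neither signing bit set, which is the field to check when auditing a capture for servers that do not offer SMB signing.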