Wednesday 24 August 2011

What is behind file and printer sharing in Microsoft networks

Let's say our IP address is 192.168.0.1 and a folder named public is shared on the 192.168.0.2 machine.

What happens when we type \\192.168.0.2 in Windows Explorer on the local machine? Windows Explorer is a process and we are issuing the command "List all network shares on \\192.168.0.2". Explorer does some magic and a list of all shared folders appears in its right pane. But what is behind that magic? Under the bonnet a special file sharing protocol is engaged and a whole set of messages is exchanged between the workstation (the client: the machine that wants to access shared files on a remote host) and the server (the remote host that shares resources). We can monitor these packets in Wireshark:

client <-> server
-> TCP: syn
<- TCP: syn, ack
-> TCP: ack
-> SMB: Negotiate Protocol Request
<- TCP: ack
<- SMB: Negotiate Protocol Response
-> SMB: Session Setup AndX Request, NTLMSSP_NEGOTIATE
<- SMB: Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
-> SMB: Session Setup AndX Request, NTLMSSP_AUTH, User: TEST-PC\test_user
<- SMB: Session Setup AndX Response; accept-completed
...
-> SMB: Tree Connect AndX Request, Path: \\192.168.0.2\IPC$
<- SMB: Tree Connect AndX Response, NT Status: STATUS_SUCCESS
-> SMB: NT Create AndX Request, Path: \srvsvc
<- SMB: NT Create AndX Response, FID: 0xabc
-> SMB: Trans2 Request, QUERY_FILE_INFO, FID: 0xabc, Query File Standard Info
<- SMB: Trans2 Response, FID: 0xabc, QUERY_FILE_INFO
-> DCERPC: Bind: call_id:2, 2 context items, 1st SRVSVC v3.0
<- SMB: Write AndX Response, FID: 0x3ba7, 116 bytes
-> SMB: Read AndX Request, FID: 0x3ba7, 1024 bytes at offset 0
<- DCERPC: Bind_ack: call_id: 2 accept max_xmit: 4280 max_recv: 4280
-> SRVSVC: NetShareEnumAll request
<- SMB: Write AndX Response, FID: 0x3ba7, 100 bytes
-> SMB: Read AndX Request, FID: 0x3ba7, 1024 bytes at offset 0
<- SMB: Read AndX Response, FID: 0x3ba7, 1024 bytes
-> SMB: Read AndX Request, FID: 0x3ba7, 2228 bytes at offset 0
<- SRVSVC: NetShareEnumAll response
-> SMB: Close Request, FID: 0x3ba7
<- SMB: Close Response, FID: 0x3ba7
...
-> SMB: Trans2 Request, GET_DFS_REFERRAL, File: \\192.168.0.2\public
<- SMB: Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NOT_FOUND
-> SMB: Tree Connect AndX Request, Path: \\192.168.0.2\PUBLIC
<- SMB: Tree Connect AndX Response, Error: STATUS_LOGON_FAILURE
...
-> SMB: Trans2 Request, GET_DFS_REFERRAL, File: \\192.168.0.2\public2
<- SMB: Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NOT_FOUND
-> SMB: Tree Connect AndX Request, Path: \\192.168.0.2\PUBLIC2
<- SMB: Tree Connect AndX Response, Error: STATUS_LOGON_FAILURE
...
-> SMB: Tree Disconnect Request
<- SMB: Tree Disconnect Response
-> SMB: Logoff AndX Request
<- SMB: Logoff AndX Response
-> TCP: ack

We can see that the client establishes a TCP connection to the server's port microsoft-ds (445) and that further communication uses the SMB protocol. SMB stands for Server Message Block, an application layer protocol for accessing shared resources on a network. SMB lies on top of NetBIOS over TCP/IP. SMB is a client-server, request-response protocol based on sessions: the client establishes a connection to the server and then sends SMB requests to browse directories, open/read/write files etc. SMB uses NT Domain authentication to control access to shared resources.
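The capture above (and the NET USE capture later in the post) is a one-line-per-packet Wireshark summary, and the interesting facts are spread over several lines: who authenticated in the Session Setup, which trees were connected and with what NT status, which named pipe was opened and which RPC call ran over it. The following parser is an added example and not part of the original post; it replays such summary lines (the sample is the post's own capture, abridged) and rebuilds the session, pulling out the "enumerated via srvsvc but STATUS_LOGON_FAILURE on Tree Connect" pattern that the post goes on to explain.

```python
import re

# Constructed input: the Wireshark summary lines quoted in the post (abridged).
CAPTURE = r"""
-> SMB: Session Setup AndX Request, NTLMSSP_NEGOTIATE
<- SMB: Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
-> SMB: Session Setup AndX Request, NTLMSSP_AUTH, User: TEST-PC\test_user
<- SMB: Session Setup AndX Response; accept-completed
-> SMB: Tree Connect AndX Request, Path: \\192.168.0.2\IPC$
<- SMB: Tree Connect AndX Response, NT Status: STATUS_SUCCESS
-> SMB: NT Create AndX Request, Path: \srvsvc
-> SRVSVC: NetShareEnumAll request
<- SRVSVC: NetShareEnumAll response
-> SMB: Tree Connect AndX Request, Path: \\192.168.0.2\PUBLIC
<- SMB: Tree Connect AndX Response, Error: STATUS_LOGON_FAILURE
-> SMB: Tree Connect AndX Request, Path: \\192.168.0.2\PUBLIC2
<- SMB: Tree Connect AndX Response, Error: STATUS_LOGON_FAILURE
"""

USER_RE = re.compile(r"NTLMSSP_AUTH, User: (\S+)")
TREE_RE = re.compile(r"Tree Connect AndX Request, Path: (\S+)")
PIPE_RE = re.compile(r"NT Create AndX Request, Path: \\(\w+)")
RPC_RE = re.compile(r"^-> (\w+): (\w+) request$")
STATUS_RE = re.compile(r"STATUS_[A-Z_]+")

def summarise(capture):
    """Replay the summary lines in order and rebuild the SMB session:
    authenticated user, tree connects with NT status, pipes opened, RPC calls."""
    session = {"user": None, "trees": [], "pipes": [], "rpc": []}
    pending = None                      # tree path awaiting its response
    for line in capture.strip().splitlines():
        if m := USER_RE.search(line):
            session["user"] = m.group(1)
        elif m := TREE_RE.search(line):
            pending = m.group(1)
        elif "Tree Connect AndX Response" in line and pending:
            st = STATUS_RE.search(line)
            session["trees"].append((pending, st.group(0) if st else "UNKNOWN"))
            pending = None
        elif m := PIPE_RE.search(line):
            session["pipes"].append(m.group(1))
        elif m := RPC_RE.match(line):
            session["rpc"].append(f"{m.group(1)}:{m.group(2)}")
    return session

def denied_shares(session):
    """Shares the client could list through srvsvc but was refused on Tree Connect."""
    return [p for p, st in session["trees"] if st == "STATUS_LOGON_FAILURE"]
```

A run of many STATUS_LOGON_FAILURE tree connects right after a successful NetShareEnumAll from one client is also a useful thing to look for on the server side, since it shows an account that can see the share list but holds no valid credentials for the shares themselves.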

The "Session Setup" SMB message includes the user account, a hash computed from the password and the logon domain. A domain controller examines this information to determine whether the client has permission to complete the command.

For each shared resource a set of permissions can be defined (which user, group or domain member can open, read, write or browse it). SMB authentication has two levels: user and share.

If we type \\192.168.0.2\public in Windows Explorer, SMB authentication considers the credentials we used to log on to Windows and the permissions defined on the share. For example, if our host and 192.168.0.2 are in the same domain but we are logged on to our machine with local credentials, an authentication dialog will appear:

------------------------------------------------------------------
Windows Security [x]
------------------------------------------------------------------
Enter Network Password
Enter your password to connect to: 192.168.0.2
------------------------------------------------------------------
User name:
Password:
Domain:
------------------------------------------------------------------
[] Remember my credentials
------------------------------------------------------------------
OK | Cancel
------------------------------------------------------------------

We need to type the domain name, domain user name and password.

If both machines are workgroup machines, we need to type proper credentials defined on 192.168.0.2.

The article "SMB: The Server Message Block Protocol" explains SMB authentication in depth.

Let us go back to Windows Explorer. Does it implement BSD itself? Does it establish the connection between client and server machines itself? No. The connection is actually established between the network-related services (applications) running on the client and the server. Windows Explorer (and any other process which needs network share access) just uses these services, which in turn use BSD to communicate.

So which services are we talking about?

If you open Control Panel\Network and Internet\Network Connections and look at the properties of Local Area Connection, you will see it uses:

  • Client for Microsoft Networks - Allows your computer to access resources on a Microsoft Network. The Client for Microsoft Networks component is actually the Workstation service. If you remove this service, the Netlogon and RPC Locator services are also removed. Uninstalling Client for Microsoft Networks disables the Server Message Block (SMB) protocol.
  • File and Printer Sharing for Microsoft Networks - Allows other computers to access resources on your computer using a Microsoft Network. The File and Printer Sharing for Microsoft Networks component is the equivalent of the Server service.

Relevant services in Service Manager are:

Service Display Name: Workstation
Service Name: LanmanWorkstation
Path: C:\Windows\System32\svchost.exe -k NetworkService
Description: Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Dependants: Computer Browser, Netlogon,...
This service can be configured with NET CONFIG command.

Service Display Name: Server
Service Name: LanmanServer
Path: C:\Windows\system32\svchost.exe -k netsvcs
Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Dependants: Computer Browser,...
This service can be configured with NET CONFIG command.

Service Display Name: Netlogon
Service Name: Netlogon
Path: C:\Windows\system32\lsass.exe
Description: Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services and the domain controller cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start.
Dependants: None

The story about resource sharing is not simple. Windows uses various protocols on top of SMB. Some of them are:

Remote Administration Protocol (MS-RAP):
NetServerEnum2 obtains a list of all servers (that have put some resources on share) in a network.
NetShareEnum obtains a list of all shared resources on a specific server.

Common Internet File System (CIFS) Browser Protocol (Microsoft Browser Protocol). Through it the local host gets a list of all shared resources on neighbouring computers (filter BROWSER packets in Wireshark). It lies on top of the SMB Mailslot Protocol (Mailslot Name: \MAILSLOT\BROWSE). Hosts from the range 192.168.0.xxx send messages to the Browse Server (e.g. 192.168.0.255). Host Announcement, Domain/Workgroup Announcement, Local Master Announcement, Request Announcement, Browser Election Request, Become Backup Browser, Get Backup List Announcement... are some of its commands.

The SMB Mailslot Protocol (MS-MAIL) lies on top of SMB and is a unidirectional interprocess communication (IPC) protocol between a client and a server. A mailslot server creates a mailslot, and a mailslot client writes messages to the mailslot created by the server. The server then reads these messages, thus achieving communication between the client and the server. The Netlogon Remote Protocol uses it (\MAILSLOT\NET\NETLOGON) to locate domain controllers. The Common Internet File System (CIFS) Browser Protocol uses it (\MAILSLOT\LANMAN and \MAILSLOT\BROWSE) for inter-machine communication.

The following picture (source URL) displays all Microsoft networking protocols and their dependencies:


One more thing. We can use the NET USE command to establish an SMB session:

net use \\host_name password /USER:DOMAIN_NAME\user_name

The NET USE command sends a "Session Setup AndX Request":

client <-> server
-> TCP: syn
<- TCP: syn, ack
-> TCP: ack
-> SMB: Negotiate Protocol Request
<- TCP: ack
<- SMB: Negotiate Protocol Response
-> SMB: Session Setup AndX Request, NTLMSSP_NEGOTIATE
<- SMB: Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
-> SMB: Session Setup AndX Request, NTLMSSP_AUTH, User: TEST-PC\test_user
<- SMB: Session Setup AndX Response; accept-completed
-> SMB: Tree Connect AndX Request, Path: \\192.168.0.2\IPC$
<- SMB: Tree Connect AndX Response, STATUS_SUCCESS
-> TCP: ack
