This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMB response terminates comms

0

I'm having an issue with failed SMB communications and cannot determine the source of the response behavior from a Windows 7 PC. Was hoping that anyone might be able to help.

Here's the response packet:

No.   Time       Source        Destination   Protocol  Info
1425  34.647499  192.168.1.74  192.168.1.68  SMB       Negotiate Protocol Response

Frame 1425: 475 bytes on wire (3800 bits), 475 bytes captured (3800 bits)
Ethernet II, Src: Dell_24:7e:41 (00:21:9b:24:7e:41), Dst: Xerox_c3:73:c7 (00:00:aa:c3:73:c7)
Internet Protocol, Src: 192.168.1.74 (192.168.1.74), Dst: 192.168.1.68 (192.168.1.68)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 60933 (60933), Seq: 1, Ack: 195, Len: 409
NetBIOS Session Service
SMB (Server Message Block Protocol)

0000  00 00 aa c3 73 c7 00 21 9b 24 7e 41 08 00 45 00   ....s..!.$~A..E.
0010  01 cd 41 9e 40 00 80 06 00 00 c0 a8 01 4a c0 a8   ..A.@........J..
0020  01 44 01 bd ee 05 31 a6 d8 8b 95 e2 ce 1c 80 18   .D....1.........
0030  01 04 85 9e 00 00 01 01 08 0a 00 0d 45 17 00 03   ............E...
0040  f3 e9 00 00 01 95 ff 53 4d 42 72 00 00 00 00 88   .......SMBr.....
0050  01 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060  4e 03 00 00 01 00 11 09 00 03 32 00 01 00 04 11   N.........2.....
0070  00 00 00 00 01 00 00 00 00 00 fc e3 01 80 f1 99   ................
0080  ad 07 98 4f cb 01 2c 01 00 50 01 40 de 4e df 0e   ...O..,..P.@.N..
0090  59 3b 48 bd 5f 89 c6 ca bd 06 05 60 82 01 3c 06   Y;H._......`..<.
00a0  06 2b 06 01 05 05 02 a0 82 01 30 30 82 01 2c a0   .+........00..,.
00b0  1a 30 18 06 0a 2b 06 01 04 01 82 37 02 02 1e 06   .0...+.....7....
00c0  0a 2b 06 01 04 01 82 37 02 02 0a a2 82 01 0c 04   .+.....7........
00d0  82 01 08 4e 45 47 4f 45 58 54 53 01 00 00 00 00   ...NEGOEXTS.....
00e0  00 00 00 60 00 00 00 70 00 00 00 ec b9 81 d6 13   ...`...p........
00f0  c2 3c a6 38 35 7f e7 b4 f1 c5 93 6f 2d b0 e5 45   .<.85......o-..E
0100  88 52 cc b7 a0 eb 9a ea fa 9b 68 93 11 6c 1a fd   .R........h..l..
0110  8a ca 2b b7 d1 7a c6 14 df 0c 6e 00 00 00 00 00   ..+..z....n.....
0120  00 00 00 60 00 00 00 01 00 00 00 00 00 00 00 00   ...`............
0130  00 00 00 5c 33 53 0d ea f9 0d 4d b2 ec 4a e3 78   ...\3S....M..J.x
0140  6e c3 08 4e 45 47 4f 45 58 54 53 03 00 00 00 01   n..NEGOEXTS.....
0150  00 00 00 40 00 00 00 98 00 00 00 ec b9 81 d6 13   ...@............
0160  c2 3c a6 38 35 7f e7 b4 f1 c5 93 5c 33 53 0d ea   .<.85......\3S..
0170  f9 0d 4d b2 ec 4a e3 78 6e c3 08 40 00 00 00 58   ..M..J.xn..@...X
0180  00 00 00 30 56 a0 54 30 52 30 27 80 25 30 23 31   ...0V.T0R0'.%0#1
0190  21 30 1f 06 03 55 04 03 13 18 54 6f 6b 65 6e 20   !0...U....Token 
01a0  53 69 67 6e 69 6e 67 20 50 75 62 6c 69 63 20 4b   Signing Public K
01b0  65 79 30 27 80 25 30 23 31 21 30 1f 06 03 55 04   ey0'.%0#1!0...U.
01c0  03 13 18 54 6f 6b 65 6e 20 53 69 67 6e 69 6e 67   ...Token Signing
01d0  20 50 75 62 6c 69 63 20 4b 65 79                    Public Key

The Win 7 machine appears to be asking the client to begin signing but I've tried everything I can think of to simulate this behavior - Security Policies, Lanman registry edits, etc. to no avail. Successful communication does not include the mechToken in the security blob. When we see this, all comms stop.

Does anyone know what can cause this behavior? Any assistance will be greatly appreciated. Thanks!

asked 30 Nov '10, 10:15

MarkMcD


One Answer:

3

I converted your hex dump to a trace file to get this SMB decode of your packet:

[image: Wireshark SMB decode of the packet]

The interesting part is the server offering two authentication mechanisms to the client: the well-understood NTLMSSP or a less-known mechType, 1.3.6.1.4.1.311.2.2.30.

This mechType can be found in a patent filed by Microsoft. The text can be found here.

It looks like the "Microsoft live sign-on assistant" tampers with the SMB authentication. One report is found in a technet forum.

A post in the discussion reads:

For reference, please see the following samba bug report: https://bugzilla.samba.org/show_bug.cgi?id=7577

Alas, your post does not state the client OS. Given the postings I would not be surprised to hear that it's a samba client.

The obvious solution would be a) to uninstall the Live sign-on assistant or b) to apply the fix to the samba client.

answered 07 Dec '10, 13:54


packethunter

edited 07 Dec '10, 14:52

Wow..packethunter, talk about going the mile! (converting it to pcap, I mean)

(07 Dec '10, 17:22) hansangb
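The decode packethunter describes can be reproduced without the screenshot. The script below is an added example, not code from the question, the answer or the Wireshark project: it takes the frame bytes from the hex dump in the question, walks Ethernet/IPv4/TCP/NetBIOS Session Service to the SMB1 Negotiate response, and pulls the SPNEGO mechTypes out of the security blob so the two offered mechanisms can be listed in the order the server sends them. Field offsets follow MS-CIFS (SMB_COM_NEGOTIATE response with extended security) and RFC 4178 (SPNEGO). The OID names in KNOWN_MECHS are the public assignments, not something the page states; identifying 1.3.6.1.4.1.311.2.2.30 as NEGOEX (the MS-NEGOEX extended negotiation mechanism, whose token starts with the "NEGOEXTS" magic visible in the dump) is this example's reading, while the answer traces the OID to a Microsoft patent.

```python
"""Added example (not code from the question or the answer): parse the hex
dump of the Negotiate Protocol Response posted above, walk to the SMB1
security blob, and list the SPNEGO mechTypes it offers (MS-CIFS, RFC 4178)."""

# Frame bytes copied from the question's hex dump: offset, then hex byte columns
# (two 16-byte Wireshark rows joined per line, ASCII column dropped, for brevity).
HEX_DUMP = """
0000  00 00 aa c3 73 c7 00 21 9b 24 7e 41 08 00 45 00 01 cd 41 9e 40 00 80 06 00 00 c0 a8 01 4a c0 a8
0020  01 44 01 bd ee 05 31 a6 d8 8b 95 e2 ce 1c 80 18 01 04 85 9e 00 00 01 01 08 0a 00 0d 45 17 00 03
0040  f3 e9 00 00 01 95 ff 53 4d 42 72 00 00 00 00 88 01 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060  4e 03 00 00 01 00 11 09 00 03 32 00 01 00 04 11 00 00 00 00 01 00 00 00 00 00 fc e3 01 80 f1 99
0080  ad 07 98 4f cb 01 2c 01 00 50 01 40 de 4e df 0e 59 3b 48 bd 5f 89 c6 ca bd 06 05 60 82 01 3c 06
00a0  06 2b 06 01 05 05 02 a0 82 01 30 30 82 01 2c a0 1a 30 18 06 0a 2b 06 01 04 01 82 37 02 02 1e 06
00c0  0a 2b 06 01 04 01 82 37 02 02 0a a2 82 01 0c 04 82 01 08 4e 45 47 4f 45 58 54 53 01 00 00 00 00
00e0  00 00 00 60 00 00 00 70 00 00 00 ec b9 81 d6 13 c2 3c a6 38 35 7f e7 b4 f1 c5 93 6f 2d b0 e5 45
0100  88 52 cc b7 a0 eb 9a ea fa 9b 68 93 11 6c 1a fd 8a ca 2b b7 d1 7a c6 14 df 0c 6e 00 00 00 00 00
0120  00 00 00 60 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 5c 33 53 0d ea f9 0d 4d b2 ec 4a e3 78
0140  6e c3 08 4e 45 47 4f 45 58 54 53 03 00 00 00 01 00 00 00 40 00 00 00 98 00 00 00 ec b9 81 d6 13
0160  c2 3c a6 38 35 7f e7 b4 f1 c5 93 5c 33 53 0d ea f9 0d 4d b2 ec 4a e3 78 6e c3 08 40 00 00 00 58
0180  00 00 00 30 56 a0 54 30 52 30 27 80 25 30 23 31 21 30 1f 06 03 55 04 03 13 18 54 6f 6b 65 6e 20
01a0  53 69 67 6e 69 6e 67 20 50 75 62 6c 69 63 20 4b 65 79 30 27 80 25 30 23 31 21 30 1f 06 03 55 04
01c0  03 13 18 54 6f 6b 65 6e 20 53 69 67 6e 69 6e 67 20 50 75 62 6c 69 63 20 4b 65 79
"""
# Well-known mechanism OIDs (public assignments, not taken from the page).
KNOWN_MECHS = {"1.3.6.1.4.1.311.2.2.10": "NTLMSSP", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}

def hexdump_to_bytes(text):
    """Offset + hex byte columns per line (Wireshark layout minus ASCII) -> raw bytes."""
    return b"".join(bytes.fromhex("".join(l.split()[1:])) for l in text.splitlines() if l.strip())

def der_tlv(buf, pos=0):
    """One DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        yield tag, val

def decode_oid(value):
    """DER OBJECT IDENTIFIER contents -> dotted decimal (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def smb_negotiate_response(frame):
    """Walk to the SMB1 Negotiate response; return the authentication-relevant fields."""
    assert frame[12:14] == b"\x08\x00", "not IPv4"
    tcp = 14 + (frame[14] & 0x0F) * 4             # IHL -> start of TCP header
    assert frame[14 + 9] == 6, "not TCP"
    nbss = tcp + (frame[tcp + 12] >> 4) * 4       # TCP data offset -> NBSS header
    smb = nbss + 4                                # 4-byte NBSS session message header
    assert frame[smb:smb + 4] == b"\xffSMB" and frame[smb + 4] == 0x72, "not SMB_COM_NEGOTIATE"
    flags2 = int.from_bytes(frame[smb + 10:smb + 12], "little")
    params = smb + 33                             # 32-byte header + WordCount
    data = params + 2 * frame[smb + 32] + 2       # parameter words + ByteCount
    byte_count = int.from_bytes(frame[data - 2:data], "little")
    return {
        "dialect_index": int.from_bytes(frame[params:params + 2], "little"),
        "extended_security": bool(flags2 & 0x0800),  # SMB_FLAGS2_EXTENDED_SECURITY
        "security_mode": frame[params + 2],        # 0x04 signing enabled, 0x08 signing required
        "server_guid": frame[data:data + 16].hex(),  # extended security: GUID, then blob
        "security_blob": frame[data + 16:data + byte_count],
    }

def spnego_mech_types(blob):
    """InitialContextToken -> NegTokenInit -> (mechTypes in server order, mechToken)."""
    tag, body, _ = der_tlv(blob)
    assert tag == 0x60, "not a GSS-API initial context token"
    tag, oid, pos = der_tlv(body)
    assert tag == 0x06 and decode_oid(oid) == "1.3.6.1.5.5.2", "not SPNEGO"
    tag, neg_init, _ = der_tlv(body, pos)
    assert tag == 0xA0, "expected NegTokenInit [0]"
    mech_types, mech_token = [], None
    for tag, val in der_children(der_tlv(neg_init)[1]):   # fields of the SEQUENCE
        if tag == 0xA0:                           # [0] mechTypes: SEQUENCE OF OID
            mech_types = [decode_oid(v) for _, v in der_children(der_tlv(val)[1])]
        elif tag == 0xA2:                         # [2] mechToken: OCTET STRING
            mech_token = der_tlv(val)[1]
    return mech_types, mech_token

def analyse(hexdump=HEX_DUMP):
    info = smb_negotiate_response(hexdump_to_bytes(hexdump))
    mechs, token = spnego_mech_types(info["security_blob"])
    info["mech_types"] = [(o, KNOWN_MECHS.get(o, "unknown")) for o in mechs]
    info["mech_token_magic"] = token[:8] if token else None
    return info
```

`analyse()` returns mech_types as NEGOEX (1.3.6.1.4.1.311.2.2.30) first and NTLMSSP second, and a mechToken that begins with `NEGOEXTS`, which is the extra mechanism the answer is pointing at. Two details worth noting from the same decode: flags2 has SMB_FLAGS2_EXTENDED_SECURITY set, which is why the blob is SPNEGO at all, and the SecurityMode byte is 0x03, so neither the "signing enabled" (0x04) nor the "signing required" (0x08) bit is set in this response. For the conversion step the answer mentions, Wireshark's own `text2pcap dump.txt dump.pcap` reads the question's hex dump as posted (it already carries Ethernet framing) and `tshark -r dump.pcap -V` prints the same fields this script extracts.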