SMB

There are currently 3 major versions of SMB version 3 is quite new (2012) and has been implemented on the latest versions of Windows (8, 2012), Samba 4.1+ and macOS 10.10 Yosemite.

I say ‘quite new’ as it takes a while to phase in new protocols like this. At the time of writing I would expect most organisations to be running MS Server 2008 to Server 2016.

The above chart (from here) shows that as different OS’s communicate they drop to the lower version of SMB to enable transfer. From this we can extrapolate that MS Server 2016 will use v3+ with MS Server 2012 upwards.

SMB History

There is a lot out there about SMB History, but the basic takeaway is Micrsoft needed something that allowed the sharing of resources across a network. They were beaten to it by a couple of vendors, but as MS had pretty much cornered the market… well you can guess the rest 🙂

If you want an in-depth history, there are many sites on the ‘net that provide that, I would only be copy/pasting someone else’s work.

SMB v1 was released mid 90’s

SMB v2 was released with Vista (mid 2000’s) and provided a host of updates both security and operations

SMB v3  was released with Server 2012 and is sometimes referred to as SMB2.2. This is most relevant to us when looking at Wireshark filters. There is no filter ‘smb3’ only

smb || smb2

SMB !=CIFS

Well technically SMB2+ != CIFS.

CIFS was a term used for NT4 operating systems, it does not apply to later versions of SMB.

Why do I care?

SMB is the way a Windows environment would open files on a remote server. This means you can actually see the username that opened the file!

Imagine having full packet capture when you get a phone call explaining some sensitive information has just appeared on Pastebin. The management are losing their shit and you could potentially be the one to answer the big question; whodunnit?

Over the next post or so I will look at how to find that information.