SMB2 Protocol Negotiation

This is one of the few times when, looking at SMBv2 traffic, you will need an SMBv1 filter. The initial negotiation request will always be sent out as SMBv1. It makes sense when you think about it: SMB does not have ‘backwards compatibility’ as such; instead it relies on negotiating down to the lowest common denominator that both sides support.

To find the initial request, use the following SMBv1 display filter:

smb.cmd == 0x72

If the server responds using the SMB2 protocol, a second negotiation is sent, this time over SMB2.

To see all SMB2 negotiation requests and responses, use the following filter:

smb2.cmd == 0

During the negotiation you can see which capabilities the server has, which the client has, and the negotiated authentication/encryption technique. You can also see the time set on the server, as well as its timezone.
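To make the two filters concrete, here is an added example (my own code, not part of the original post) that classifies raw SMB messages the same way `smb.cmd == 0x72` and `smb2.cmd == 0` do, and decodes the negotiation fields the text mentions: the dialects offered, the signing mode, the capability bits, and the server clock from the SMB2 response. The sample messages are constructed inline, not captured traffic; the byte layouts follow the SMB1 and SMB2 (MS-SMB2) NEGOTIATE formats, and the input is assumed to be the SMB message that follows the 4-byte NetBIOS session header.

```python
"""Classify SMB messages the way the two display filters above do
(smb.cmd == 0x72 -> SMB1 NEGOTIATE, smb2.cmd == 0 -> SMB2 NEGOTIATE)
and pull out the negotiation details. Standard library only.
Input: the SMB message that follows the 4-byte NetBIOS session header."""
import struct
from datetime import datetime, timedelta, timezone

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72            # what smb.cmd == 0x72 matches
SMB2_NEGOTIATE = 0x0000              # what smb2.cmd == 0 matches
SMB1_FLAGS_REPLY = 0x80              # SMB1 header Flags bit: message is a response
SMB2_FLAGS_SERVER_TO_REDIR = 0x01    # SMB2 header Flags bit: message is a response

# SMB2 NEGOTIATE Capabilities and SecurityMode bits (MS-SMB2 2.2.3 / 2.2.4)
CAPS = {0x01: "DFS", 0x02: "LEASING", 0x04: "LARGE_MTU", 0x08: "MULTI_CHANNEL",
        0x10: "PERSISTENT_HANDLES", 0x20: "DIRECTORY_LEASING", 0x40: "ENCRYPTION"}
SEC_MODE = {0x01: "SIGNING_ENABLED", 0x02: "SIGNING_REQUIRED"}


def smb_cmd(data):
    """Return ("smb", cmd) or ("smb2", cmd), mirroring the Wireshark fields, else None."""
    if data[:4] == SMB1_MAGIC:
        return "smb", data[4]                                  # SMB1: 1-byte Command at offset 4
    if data[:4] == SMB2_MAGIC:
        return "smb2", struct.unpack_from("<H", data, 12)[0]   # SMB2: 2-byte Command at offset 12
    return None


def _flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def decode_negotiate(data):
    """Decode an SMB1 or SMB2 NEGOTIATE; return None for anything the two filters skip."""
    kind = smb_cmd(data)
    if kind == ("smb", SMB1_COM_NEGOTIATE):
        # 32-byte header, WordCount, 2*WordCount parameter bytes, ByteCount, then data
        wct = data[32]
        bcc = struct.unpack_from("<H", data, 33 + 2 * wct)[0]
        buf = data[35 + 2 * wct: 35 + 2 * wct + bcc]
        # each offered dialect is 0x02 followed by a NUL-terminated name
        dialects = [d.rstrip(b"\x00").decode("ascii", "replace") for d in buf.split(b"\x02") if d]
        return {"protocol": "SMB1", "response": bool(data[9] & SMB1_FLAGS_REPLY),
                "dialects": dialects}
    if kind == ("smb2", SMB2_NEGOTIATE):
        hdr_len = struct.unpack_from("<H", data, 4)[0]          # StructureSize, 64 for SMB2
        flags = struct.unpack_from("<I", data, 16)[0]
        body = data[hdr_len:]
        if not flags & SMB2_FLAGS_SERVER_TO_REDIR:               # client request
            count, sec, caps = struct.unpack_from("<HH2xI", body, 2)
            dialects = list(struct.unpack_from("<%dH" % count, body, 36))
            return {"protocol": "SMB2", "response": False, "dialects": dialects,
                    "security_mode": _flags(sec, SEC_MODE), "capabilities": _flags(caps, CAPS)}
        sec, dialect = struct.unpack_from("<HH", body, 2)         # server response
        caps = struct.unpack_from("<I", body, 24)[0]
        systime = struct.unpack_from("<Q", body, 40)[0]           # SystemTime, a FILETIME in UTC
        return {"protocol": "SMB2", "response": True, "dialect": dialect,
                "security_mode": _flags(sec, SEC_MODE), "capabilities": _flags(caps, CAPS),
                "server_time": filetime_to_utc(systime)}
    return None


# --- constructed sample messages (built here, not captured traffic) ----------
def _smb1_hdr(cmd, flags=0):
    return SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", cmd, 0, flags, 0xC801, 0, bytes(8), 0, 0, 0, 0, 0)


def _smb2_hdr(cmd, flags=0):
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, cmd, 1, flags, 0, 0, 0, 0, 0, bytes(16))


_names = b"".join(b"\x02" + n + b"\x00" for n in (b"NT LM 0.12", b"SMB 2.002", b"SMB 2.???"))
SAMPLE_SMB1_NEGOTIATE = _smb1_hdr(SMB1_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(_names)) + _names

SAMPLE_SMB2_NEGOTIATE_REQ = _smb2_hdr(SMB2_NEGOTIATE) + struct.pack(
    "<HHHHI16sQ", 36, 2, 0x01, 0, 0, bytes(16), 0) + struct.pack("<HH", 0x0202, 0x0210)

_FT_2015 = 130645440000000000   # FILETIME for 2015-01-01T00:00:00Z, used as the sample server clock
SAMPLE_SMB2_NEGOTIATE_RESP = _smb2_hdr(SMB2_NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR) + struct.pack(
    "<HHHH16sIIIIQQHHI", 65, 0x03, 0x0210, 0, bytes(16), 0x07, 65536, 65536, 65536,
    _FT_2015, _FT_2015, 128, 0, 0) + b"\x00"

SAMPLE_SMB2_TREE_CONNECT = _smb2_hdr(0x0003) + bytes(16)   # command 3: neither filter matches

if __name__ == "__main__":
    # Walk a tiny "capture" in order, as you would when building a timeline.
    for msg in (SAMPLE_SMB1_NEGOTIATE, SAMPLE_SMB2_NEGOTIATE_REQ,
                SAMPLE_SMB2_NEGOTIATE_RESP, SAMPLE_SMB2_TREE_CONNECT):
        print(smb_cmd(msg), decode_negotiate(msg))
```

The `smb_cmd` result is the direct counterpart of the two filters: `("smb", 0x72)` is the packet `smb.cmd == 0x72` finds, `("smb2", 0)` the packets `smb2.cmd == 0` finds. Note that the SMB2 response carries the server clock as a UTC FILETIME; the explicit timezone field the post refers to is part of the SMB1 negotiate response, so a server that answers only in SMB2 gives you the clock but not the offset from this message.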

Why do I care?

There is a lot of useful information in here to help with server identification and potentially geographical location. Looking at the capabilities of the server can help with OS identification: is it a Windows box, a NAS, etc.

Using the SMBv1 filter you are able to see the first communication between the two devices, aiding in timeline building.

This entry was posted in Network Analytics, SMB.
