TOPIC: Plugins for "modern" SMB

Plugins for "modern" SMB 14 years 8 months ago #79

Looks like the SMB plugin that comes with the Unsniff download only looks at the "old-fashioned" SMB on ports 137, 138, and 139 - i.e. the ones that are implemented on top of NetBIOS.

How about an SMB plugin that works with the current version on port 445 (SMB over TCP)? Anything like that floating around?

Re:Plugins for "modern" SMB 14 years 8 months ago #80

netscript
Hello Scott,

It works for the new SMB also. You have to do a small step to associate port 445 with the Netbios-Session service.

To make it work,

1. Select “Plugins” -> “Manage Access Points” from the main menu.

2. Click on the TCP item and press the “New TCP Access Point” button above the list.

3. Enter 445 for the TCP Port value, and select NB-SSN from the drop-down combo. (You can type NB-SSN to select)


See the comments section in this post for more details ( www.unleashnetworks.com/blog/?p=21#comments )


Regards,
Vivek Rajan
Unleash Networks

Re:Plugins for "modern" SMB 14 years 8 months ago #81

Yes, I saw this on the blog last night, after I had made my post.

This procedure is not working for me. I have "Enable User Objects" checked in the Application Settings\General menu, and in the Access Point Manager I added the new TCP access point (port 445 to NB-SSN) as you described. In the Customize Plugins window the SMB "Extract User Objects" setting is True. I opened a new capture window after performing/verifying the configuration.

My experiment consists of selecting a file on a remote network share, copying it, and pasting it to a local folder. I see lots of SMB packets, between port 445 on the server and port 4979 on my machine, and lots of them SMB data blocks. Several seconds after the file appears to have transferred successfully, I stop the capture. But the capture window lists no User Objects, PDUs, or Sessions.

Please let me know if there is something additional I need to do to enable a valid User Objects capture from SMB. Thanks-

S. O'Hare
AVI

Re:Plugins for "modern" SMB 14 years 8 months ago #82

netscript
Hi,

"But the capture window lists no User Objects, PDUs, or Sessions."

Thanks, this is a big clue. The absence of sessions indicates that Unsniff is not able to sync up to an existing "SMB share" TCP connection. Unsniff, by default, expects to catch the initial TCP handshake. This helps it track the PDUs accurately by accounting for lost packets/retransmissions etc.

Luckily, there is an advanced feature of Unsniff that allows you to butt into an existing TCP connection. We tried on our test setup and it works. Here is how you use it:

1. Go to Tools->Customize->Advanced
2. Scroll down to the "Miscellaneous" section
3. Locate the "Track TCP Session with missing SYN" option
4. Change it to "True"

Now try to capture or to import your already captured session. It ought to work.

Thanks a lot for your patience,

Regards,
Vivek Rajan
Unleash Networks
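As an added illustration of the two settings described in this thread (the port 445 -> NB-SSN access point from post #80 and "Track TCP Session with missing SYN" above), here is a toy tracker that is not code from the thread or from Unsniff: it carves SMB PDUs out of the 4-byte NBSS / direct-TCP framing shared by ports 139 and 445, and in strict mode ignores any flow whose SYN was not captured. The access-point table, addresses and packets are constructed stand-ins.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags payload")
# Access-point table, a hypothetical stand-in for Unsniff's Access Point Manager.
# Port 139 is NetBIOS Session Service; port 445 uses the same 4-byte framing
# (zero byte + 24-bit length), so the thread's fix is simply mapping it to NB-SSN.
ACCESS_POINTS = {139: "NB-SSN", 445: "NB-SSN"}

def frame(pdu):
    """Wrap an SMB PDU in the NBSS / direct-TCP session-message header."""
    return b"\x00" + len(pdu).to_bytes(3, "big") + pdu

def carve_pdus(stream):
    """Split one direction of a stream into complete PDUs; returns (pdus, leftover)."""
    pdus, off = [], 0
    while off + 4 <= len(stream) and stream[off] == 0x00:  # 0x00 = session message
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        if off + 4 + length > len(stream):
            break  # tail of this PDU has not arrived yet
        pdus.append(bytes(stream[off + 4:off + 4 + length]))
        off += 4 + length
    return pdus, bytes(stream[off:])

def track_sessions(packets, track_missing_syn=False, table=ACCESS_POINTS):
    """Return {flow: {"c2s": [pdus], "s2c": [pdus]}} for flows on a mapped port.
    Segments are assumed in order and loss-free; a real tracker needs the SYN's
    initial sequence number to place them, hence Unsniff's default behaviour."""
    sessions = {}
    for p in packets:
        if p.dport in table:
            flow, direction = (p.src, p.sport, p.dst, p.dport), "c2s"
        elif p.sport in table:
            flow, direction = (p.dst, p.dport, p.src, p.sport), "s2c"
        else:
            continue  # no plugin registered for this port
        if flow not in sessions:
            if "S" not in p.flags and not track_missing_syn:
                continue  # strict mode: never sync to a flow without its SYN
            sessions[flow] = {"c2s": bytearray(), "s2c": bytearray()}
        sessions[flow][direction] += p.payload
    return {f: {d: carve_pdus(b)[0] for d, b in s.items()} for f, s in sessions.items()}

# Constructed capture that starts after the handshake, like the copy-from-share
# test: one client request, then a server reply split across two TCP segments.
REPLY = frame(b"\xffSMB\x2e" + b"D" * 12)  # constructed SMB1-style PDU
MID_STREAM = [
    Packet("10.0.0.5", 4979, "10.0.0.9", 445, "PA", frame(b"\xffSMB\x2e" + b"R" * 4)),
    Packet("10.0.0.9", 445, "10.0.0.5", 4979, "PA", REPLY[:9]),
    Packet("10.0.0.9", 445, "10.0.0.5", 4979, "PA", REPLY[9:]),
]
```

With the default (strict) setting the mid-stream capture yields no sessions at all, which is exactly the empty Sessions list reported above; with the missing-SYN option the same packets yield one session whose split reply is reassembled into a single PDU.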

Re:Plugins for "modern" SMB 14 years 8 months ago #93

I tried this and now I am getting the SMB Sessions and PDUs (good!), but the User Objects mostly are being missed. The one time when it did work, all the files involved were very small - i.e. the sessions contained no "SMB Data Block" packets. I hope this is another clue. I shall try and test it some more.

Another funny thing was, when it worked (i.e. with the small files), each file appeared TWICE in the User Objects list.

Re:Plugins for "modern" SMB 14 years 8 months ago #94

Hi Vivek -

I have run a few more tests, using single file transfers of various sizes, and it is beginning to look like the filesize is a key factor in whether or not the SMB User Objects get picked up. Small files that do not require a new SMB Data Block packet are working, and files that are larger are not working.

Maybe it is just something in my own setup here that is making this happen, but I have not been able to figure it out so far. Also, that filename problem could be a significant issue.

Scott