Introduction to Network Trace Analysis 5: SMB



 Core Infrastructure and Security Blog:

Howdy everyone, it’s your favorite Software Engineer, Will, back again talking about the Server Message Block (SMB) protocol!

Why talk about SMB?

Let's start off with the question, what is this whole SMB thing anyway? SMB is a network file system protocol. This means that it can allow Machine A to read and write files on Machine B. This protocol serves as the backbone of much of the Enterprise Windows Ecosystem. For example, did you know that the group policy SYSVOL is an SMB share? Pretty cool right?

In recent history, there have been  tons  of improvements to SMB. For the sake of understanding the protocol we will not be talking about things like:
But, we may touch on these in a later blog post:
What I would like to hammer home is that there is a large amount of existing Microsoft content about SMB. Since those articles were written, there has been a ton of work done on the SMB PowerShell Cmdlets. If you ever need to make ANY changes to SMB, the recommendation is to use either policy or the SMB Cmdlets instead of directly interfacing with the Windows Registry.

Client Cmdlets: Set-SmbClientConfiguration (SmbShare) | Microsoft Learn

Server Cmdlets: Set-SmbServerConfiguration (SmbShare) | Microsoft Learn

Protocol Overview

The SMB protocol is a call and response protocol. It operates over TCP port 445, by default. Versions of Windows released in the Fall of 2024 and later allow alternative SMB ports.

The SMB client makes a request, and the server responds to that request. The start of every SMB connection follows an identical pattern.

The flow of a new SMB connection is as follows:
  • SMB Dialect Negotiation
    • What language do we speak?
    • SMB 1.0 (deprecated)
    • SMB 2.0
    • SMB 3.0
  • SMB Capability Negotiation
    • What can we both do?
    • SMB Signing
    • SMB Encryption
    • etc...
  • User Authentication (Session Setup)
    • Who are you?
    • NTLM
    • Kerberos
  • Tree Connect
    • What is the base of the point of connection (i.e. share name)?
Everything after this is up to the client to ask for. We will give some examples of what the client can do later.


 Read more:

techcommunity.microsoft.com

Introduction to Network Trace Analysis 5: SMB? Sounds good to me!

Let's start off with the question, what is this whole SMB thing anyway? SMB is a network file system protocol. This means that it can allow Machine A to..
techcommunity.microsoft.com
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
SMB security hardening in Windows Server 2025 and Windows 11
Replies
0
Views
571
Brink
Brink
  • Article Article
ChatGPT adds improvements to data analysis for OneDrive and Google Drive
Replies
0
Views
781
Brink
Brink

Latest Support Threads

Latest Tutorials

Back
Top Bottom