SMB with Activity Directory

Wireshark: Determining a SMB and NTLM
version in a Windows environment
The last few days I am playing around with wire shark and I must say I enjoy
working with this program. It has saved the day for me a couple of times by giving me
information that is only retrieved by looking at packet level. In this article I was looking
at SMB and NTLM traffic in a windows environment. I noticed that our XP based
network was running NTLMv1 that is considered unsecure. Let’s change this fast!

Intro
NTLM over a Server Message Block (SMB) transport is one of the most common
uses of NTLM authentication and encryption. Kerberos Protocol Extensions (KILE) is
the preferred authentication method of an SMB session in Windows Server operating
system and Windows Client operating systems. However, when a client attempts to
authenticate to an SMB server using the KILE protocol and fails, it can attempt to
authenticate with NTLM.
The NT LAN Manager (NTLM) Authentication Protocol is used in Microsoft
Windows Networks for authentication between clients and servers. NTLM is used by
application protocols to authenticate remote users and, optionally, to provide session
security when requested by the application. There are two major variants of the NTLM
authentication protocol: the connection-oriented variant and the connectionless variant.
Each of these variants has three versions: LM, NTLMv1, and NTLMv2. In addition to
authentication, the NTLM protocol optionally provides for session security—specifically
message integrity and confidentiality through signing and sealing functions in NTLM.
For more in depth information I urge you to read this Microsoft NTLM documentation.
The following picture will show a protocol flow of NTLM and Simple and Protected
Generic Security Service Application Program Interface Negotiation Mechanism
(SPNEGO) authentication of an SMB session.

1

SMB with Activity Directory

Step 1 and 2 – The SMB protocol negotiates protocol-specific options using the
SMB_COM_NEGOTIATE request and response messages. The client will send its
supported dialects and the server will respond with the highest possible dialect. The
following dialect values are possible (older dialects are excluded here):

Step 3 – The client sends an SMB_COM_SESSION_SETUP_ANDX request
message. Assuming that NTLM authentication is negotiated, within this message an
NTLM NEGOTIATE_MESSAGE is embedded.

2


SMB with Activity Directory

Step 4 – The server responds with an SMB_COM_SESSION_SETUP_ANDX
response message within which an NTLM CHALLENGE_MESSAGE is embedded. The
message includes an 8-byte random number, called a “challenge”, that the server
generates and sends in the ServerChallenge field of the message.
Step 5 – The client extracts the ServerChallenge field from the NTLM
CHALLENGE_MESSAGE and sends an NTLM AUTHENTICATE_MESSAGE to the
server (embedded in an SMB_COM_SESSION_SETUP_ANDX request message). If the
challenge and the response prove that the client knows the user’s password, the
authentication succeeds and the client’s security context is now established on the server.
Step 6 – The server sends a success message embedded in an
SMB_COM_SESSION_SETUP_ANDX response message.


Wiresharking
This article will only show how to find out which SMB and NTLM versions are
used on your windows servers and windows clients while using Wireshark. This is very
useful to know because it has a great impact on your security. There are many documents
on the internet that show that LM and NTLMv1 are insecure these days therefore we
need to ensure that these authentication methods are not allowed inside the windows
network. Thus we need to ensure that NTLMv2 only is allowed. This behavior can be
changed on windows servers and clients at the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
REG_DWORD Valuename: lmcompatibilitylevel
The following values can be used:

3


SMB with Activity Directory

So you’re actually configuring a minimum security level here. Now let’s take a
look which values are used by default per OS type:

We can conclude that if we have an XP client and a windows 2008 R2 server with
default settings it will always use NTLMv1. If we use an Windows 7 or Vista client and a
windows 2008 R2 server it will use NTLMv2. Lets fire up Wireshark and take a look
what’s happening “on the wire”.

4


SMB with Activity Directory


Windows XP client and Windows 2008 R2 server (default settings)
In this scenario a Windows XP client (10.0.0.2) tries to connect to a Windows
2008 R2 Server (10.0.0.1) share. Let’s take a look at the SMB negotiate protocol request:

The highest possible dialect that the Windows XP client can speak is NT LM 0.12.
Thus SMB v1.0. Let’s take a look how the Windows 2008 R2 server will respond:

5


SMB with Activity Directory

The Windows 2008 R2 server responds its capable of SMB v1.0 (NT LM 0.12)
and this is used to access the share. Let’s take a look which version of NTLM it uses by
looking at the Session setup andX request: NTLMSSP_AUTH packet.

6


SMB with Activity Directory

There is no NTMLv2 section here so it is using NTLMv1. Thus insecure !!

7


SMB with Activity Directory

Windows 7 client and Windows 2008 R2 server (default settings)
In this scenario a Windows 7 Client (10.0.0.3) tries to connect to a Windows 2008

R2 Server (10.0.0.1) share. Let’s take a look at the SMB negotiate protocol request:

The highest possible dialect that the Windows 7 client can speak is SMB 2.???.
Thus SMB v2.0 Wildcard. Let’s take a look how the Windows 2008 R2 server will
respond:

8


SMB with Activity Directory

The Windows 2008 R2 server responds its capable of 0x02ff (hexadecimal value
for SMBv2.0 wildcard). You can also see that the protocol column switches from SMB to
SMB2. Now the Windows 7 clients needs to know which SMB2 version will be used for
communication. . Let’s take a look at the new SMB2 negotiate protocol request:

9


SMB with Activity Directory

The highest possible SMB2 dialect that the Windows 7 client can speak is more
specific now. It can use 0x0202 or 0x0210. Thus SMB v2.002 or SMB v2.1. Let’s take a
look how the Windows 2008 R2 server will respond:

10


SMB with Activity Directory


The Windows 2008 R2 server responds its capable of 0x210 (hexadecimal value
for SMBv2.1) and this is used to access the share. Let’s take a look which version of
NTLM it uses by looking at the Session setupRequest, NTLMSSP_AUTH packet.

11


SMB with Activity Directory

The picture clearly shows that there is an NTLMv2 response.
Is there a quicker way to determine NTLMv1 or NTLMv2 authentication? Yes.
We can do this by entering ntlmssp.ntlmv2response into the filter field. Wireshark will
filter out ntlmv2 traffic only.

12


SMB with Activity Directory

Back to our little problem. We have a network running with XP clients and
windows 2008 R2 server with default settings on GPO level. We saw that NTLMv1 will
be used for authentication and thus insecure. We need to change this so the XP machines
will authenticate by using NTLMv2. We can achieve this by change the
Lmcompatibilitylevel value to 5. The best way to achieve this is by placing all Windows
XP clients into an OU and configure a computer GPO policy.

13


SMB with Activity Directory


Or

Note : You can choosen “Send LM & NTLM – user MTLMv2 session secureity if
negotiated”

14


SMB with Activity Directory

Before you change the server side to Lmcompatibilitylevel value 5 you must be
absolutely sure that every Windows XP Client uses NTLMv2 or your phone will start
ringing very often. You can achieve this by changing the default domain controllers
policy or by placing a GPO on an OU with servers. When the server and client side are
changed to NTLMv2 you have achieved the highest NTLM authentication possible. Thus
15


SMB with Activity Directory

the most secure NTLM form possible. This ends my article about Determining a SMB
and NTLM version in a windows environment. I hope it’s useful somehow and feel free
to comment.

Copy link : />
16