SMB
AUTHENTICATION METHODS
KERBEROS
-by Name
Krb5ApReq - Request
Krb5ApRep - Response
Note: before the Request-Response, the workstation will contact a DC to obtain a Kerberos ticket if the machine does not have any valid tickets.
Client process goes to the DC for the Kerberos ticket
The DC knows where the ticket goes based on the SPN (Service Principal Name)
- normally there are 2: one for the hostname and another for the FQDN
Host/server01
CIFS/server01
Errors
- Target principal name is incorrect: when trying to contact an SPN that is not related to the destination. It happens when the AD account is deleted but the SPNs still exist
- More processing data required: when downgrading to NTLM. It happens when the AD account and SPNs were deleted, therefore Kerberos authentication does not work.
When this behavior shows up, we can see 4 Negotiate Protocol packets, 2 for Kerberos and 2 for NTLM. Updated: first it makes an anonymous request, but if it cannot be anonymous it goes on to ask for credentials
- Correct path: remove the server AD account and add an SPN with the CNAME pointing to the server01 account
SMB v3
New Functionalities
SMB Multichannel
More than 1 NIC allows increasing bandwidth and supports fault tolerance
After establishing the connection it scans and finds the extra NICs
Evaluation process
- Client queries the SMB server for its NIC list and capabilities
- SMB client matches the server's SMB interfaces with its own
- If they match, the SMB client makes additional connections
SMB Direct
Goes from the normal flow NIC - CPU - memory to NIC - memory
NIC needs to be RDMA capable
Requirements and configuration (SMB v3)
NIC with RDMA support
INFINIBAND
- requires InfiniBand switches
- big data centers
- no external routing
- up to 40 Gbps
RDMA IWARP
- external routing
- signature is slower
RDMA RoCE
- allows remote direct memory access over an Ethernet network
- no external routing
- up to 10 Gbps
- any type of switch
Performance Counters
Provides statistics: throughput, latency, IO per second
Server Message Block
Port 445
Access shared resources
SMB: Microsoft's version
CIFS: the standard version
SAMBA: SMB for Linux
STRUCTURE
- Command Code: depending on the action: read open write close
- Command Specific Parameters: # of bytes
- User data
PROCESS
--> Negotiate Protocol Request
- SMB client supported versions
- Authentication methods supported
<-- Negotiate Protocol Response
- Versions and authentication methods supported by the server
- The server selects the newest version available
--> Session Setup Request
- Setup request with the authentication method and version supported
<-- Session Setup Response
--> Tree Connect Request
- Provides the path and waits for instructions on where to go
<-- Tree Connect Response
KEYS
- Virtual circuit VC
- User identifier UID
- Process Identifier PID
- Multiplex Identifier MID
- Tree identifier TID
- FileIdentifier FID
- Search Identifier SID
SMB SIGNATURE
SMB packet signing
- Status:
off
enabled
required
Used when required; the partner needs to be enabled/required
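As an added example (not part of the original notes), a small Python parser for the SMB2 header and the Negotiate Protocol request that pulls out the identifiers, the signing flag and the dialect list described above, and picks the newest common dialect the way the server does. Field layout and names follow MS-SMB2; the sample packet is constructed, not a real capture.

```python
import struct

# Command codes from MS-SMB2 (the ones the page names), dialect codes, and flag bits.
COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0003: "TREE_CONNECT",
            0x0005: "CREATE", 0x0006: "CLOSE", 0x0008: "READ", 0x0009: "WRITE"}
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
FLAG_SIGNED = 0x00000008                              # SMB2_FLAGS_SIGNED in the header Flags
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002    # SecurityMode bits in NEGOTIATE

def parse_header(pkt):
    """Split the fixed 64-byte SMB2 header into the identifiers the page lists.
    SMB2 carries MID/TID as MessageId/TreeId, replaces the UID with a 64-bit
    SessionId, and ends with the 16-byte packet-signing Signature field."""
    if len(pkt) < 64 or pkt[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    (size, _charge, status, cmd, _credits, flags, _next,
     mid, _reserved, tid, sid) = struct.unpack_from("<HHIHHIIQIIQ", pkt, 4)
    if size != 64:
        raise ValueError("bad SMB2 header StructureSize")
    return {"command": COMMANDS.get(cmd, hex(cmd)), "status": status,
            "signed": bool(flags & FLAG_SIGNED), "MID": mid, "TID": tid,
            "SID": sid, "signature": pkt[48:64]}

def parse_negotiate_request(pkt):
    """Return the dialects and signing mode a client offers in a NEGOTIATE request."""
    body = pkt[64:]
    size, count, secmode = struct.unpack_from("<HHH", body, 0)
    if size != 36:
        raise ValueError("bad NEGOTIATE request StructureSize")
    # The Dialects array follows the 36-byte fixed part of the request.
    dialects = list(struct.unpack_from("<%dH" % count, body, 36))
    return {"dialects": dialects, "names": [DIALECTS.get(d, hex(d)) for d in dialects],
            "signing_enabled": bool(secmode & SIGNING_ENABLED),
            "signing_required": bool(secmode & SIGNING_REQUIRED)}

def choose_dialect(client_dialects, server_dialects):
    """Pick the newest dialect both sides support, as the negotiate step describes."""
    common = set(client_dialects) & set(server_dialects)
    return max(common) if common else None

# Constructed sample: an unsigned NEGOTIATE request (MessageId 0) offering five
# dialects with signing enabled but not required. Header, then 36-byte body, then dialects.
SAMPLE_NEGOTIATE = (
    b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0x0000, 0, 0, 0, 0, 0, 0, 0) + bytes(16)
    + struct.pack("<HHHHI", 36, 5, SIGNING_ENABLED, 0, 0) + bytes(16) + bytes(8)
    + struct.pack("<5H", 0x0202, 0x0210, 0x0300, 0x0302, 0x0311)
)
```

Running `parse_header` and `parse_negotiate_request` over `SAMPLE_NEGOTIATE` and feeding the client's dialects to `choose_dialect` with a server list reproduces the "newest version available" selection from the process section.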
SMB Hardening Level
The SPN name needs to be provided and be the same; no downgrade available
Allows setting a security level
SMB Opportunistic Lock (oplock) - Batch: delayed closures, cancelled when trying a new file open
- Level 1: reserves read and write permissions for a single user and nobody else
- Level II: given to those who cannot have a batch; several users have read but not write
- Exclusive oplock: can read and write, but locally. Like a "save as"
SMB Lease: it shares the same purpose as an oplock, which allows clients to adjust their buffering policy to increase performance and reduce network use.
- Read-caching lease: allows caching reads and can be shared by multiple clients.
- Write-caching lease: allows caching writes and is exclusive to only one client.
- Handle-caching lease: allows caching handles and can be shared by multiple clients.