[cifs-protocol] [MS-SMB2] sign for 3.3.5.15.11 FSCTL_QUERY_NETWORK_INTERFACE_INFO
Jones Syue 薛懷宗
jonessyue at qnap.com
Wed Apr 17 03:52:54 UTC 2024
Hello Dochelp,
Per multichannel test[1] and wireshark packet[2], windows client would sign
request/response pair of SMB2 Ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO.
Both [MS-SMB2] 3.3.5.15.11 and 3.2.5.14.11 looks like not mention about it,
please help clarify:
1. sign for SMB2 Ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO is expected?
2. if expected, could we update [MS-SMB2] to document this behavior? a bit
like what Tree Connect[3] and Session Setup[4] did.
Thank you :)
[1] smb server is ws2022, account is 'administrator' with password.
| smb client | sign for SMB2 Ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO?
| ------------ + ---
| ws2022 | yes
| ws2016 | yes
| ws2016 | yes
| ws2012r2 | yes
| ws2012 | yes
[2] smb server is ws2022, smb client is ws2016, account is 'administrator'.
No. |Time |Prot|Signature |Info
-----+----------+----+--------------------------------+----
35467 16:47:09.9 SMB Negotiate Protocol Request
35468 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
35469 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Request
35470 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
35472 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_NEGOTIATE
35473 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
35474 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_AUTH, User: \administrator
35475 16:47:09.9 SMB2 73182d37759c7741ae0caced9ef04185 Session Setup Response
35476 16:47:09.9 SMB2 ec1d8a66ebea6120e5f8c44be2ba0dc4 Tree Connect Request Tree: \\${MY_IP}\IPC$
35477 16:47:09.9 SMB2 ad4572986b7fae36168ea18c87bb8a9b Tree Connect Response
35478 16:47:09.9 SMB2 d31c1cb4e3ca5df3766faf76a3b6da8a Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
35479 16:47:09.9 SMB2 790b171573367693323aa73ddf4de49f Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO
35480 16:47:09.9 SMB2 00000000000000000000000000000000 Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \${MY_IP}\ramdisk
35482 16:47:09.9 SMB2 00000000000000000000000000000000 Ioctl Response, Error: STATUS_FS_DRIVER_REQUIRED
[3] 3.3.5.7 Receiving an SMB2 TREE_CONNECT Request
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/652e0c14-5014-4470-999d-b174d7b2da87
If Connection.Dialect is "3.1.1" and Session.IsAnonymous and
Session.IsGuest are set to FALSE and the request is not signed or not
encrypted, then the server MUST disconnect the connection.
[4] 3.3.5.5.3 Handling GSS-API Authentication
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5ed93f06-a1d2-4837-8954-fa8b833c2654
12. If the SMB2_SESSION_FLAG_IS_GUEST bit is not set in the SessionFlags
field, and Session.IsAnonymous is FALSE, the server MUST sign the final
session setup response before sending it to the client, as follows:
--
Regards,
Jones Syue | 薛懷宗
QNAP Systems, Inc.
More information about the cifs-protocol
mailing list