[cifs-protocol] [MS-SMB2] Selective Signing of ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO requests - TrackingID#2406060040007612

Jones Syue 薛懷宗 jonessyue at qnap.com
Fri Jun 7 08:44:53 UTC 2024

> Thanks for digging in further and I can assure you that I appreciate 
> the bluntness. Just to clarify, is your concern that signing 
> conditions do not cover all conditions where Windows signs the 
> FSCTL_QUERY_NETWORK_INTERFACE_INFO request? If so, what condition is not 
> covered?
> Or, is the concern that " Windows-based clients do not selectively sign 
> requests" from behavior note 104 should be more specific to say
> " Windows-based clients do not selectively sign requests beyond what 
> is described in this document"?

Thank you Kristian for kind feedback! 
Let me take earilier thread with wireshark captures as an example, it is
Windows-based env (ws2022 oprerates as server, ws2016 operates as client),
through wireshark packet captures there are two ioctl requests with two 
Windows-base client seems to be biased to sign the former one, and the
latter one is not signed: 
1. No. 35478 signature is none zeros, means Windows-based client signs 
2. No. 35480 signature is all zeros, means Windows-based client does not 
   sign this Ioctl FSCTL_DFS_GET_REFERRALS request.
Per my test with different Windows-based clients, including
ws2012/ws2012r2/ws2016/ws2019/ws2022, it looks like Windows-based clients
always sign the Ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO request, this 
behavior looks good to me.
However my concern is this behavior is not explicitly mentioned in 
[MS-SMB2] so it is a not clear to me, and i am looking forward to having 
this behavior document in [MS-SMB2] :)

Consider the No. 35476, Windows-based client signs Tree Connect request,
this behavior is explicitly documented in [MS-SMB2] so this looks clear to
me[1][2], so i am expecting something like 'client MUST sign Ioctl 
FSCTL_QUERY_NETWORK_INTERFACE_INFO request' could be mentioned in [MS-SMB2]

No.  |Time      |Prot|Signature                       |Info
35467 16:47:09.9 SMB                                   Negotiate Protocol Request
35468 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
35469 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Request
35470 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
35472 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_NEGOTIATE
35473 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
35474 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_AUTH, User: \administrator
35475 16:47:09.9 SMB2 73182d37759c7741ae0caced9ef04185 Session Setup Response
35476 16:47:09.9 SMB2 ec1d8a66ebea6120e5f8c44be2ba0dc4 Tree Connect Request Tree: \\${MY_IP}\IPC$
35477 16:47:09.9 SMB2 ad4572986b7fae36168ea18c87bb8a9b Tree Connect Response
35478 16:47:09.9 SMB2 d31c1cb4e3ca5df3766faf76a3b6da8a Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
35479 16:47:09.9 SMB2 790b171573367693323aa73ddf4de49f Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO
35480 16:47:09.9 SMB2 00000000000000000000000000000000 Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \${MY_IP}\ramdisk
35482 16:47:09.9 SMB2 00000000000000000000000000000000 Ioctl Response, Error: STATUS_FS_DRIVER_REQUIRED

[1] Signing the Message

[2] Receiving an SMB2 TREE_CONNECT Request
If Connection.Dialect is "3.1.1" and Session.IsAnonymous and 
Session.IsGuest are set to FALSE and the request is not signed or not 
encrypted, then the server MUST disconnect the connection.


Jones Syue | 薛懷宗
QNAP Systems, Inc.

More information about the cifs-protocol mailing list