Thursday, May 27, 2010

Capturing SMB Files with Wireshark

Most corporate networks include one or more file servers where shared information is stored and made available across the network using the SMB protocol. These servers act as a repository for different departments, which share the same infrastructure but must have access to different, separate information sets, some of which will probably be very sensitive and confidential, like files belonging to top management, Human Resources or the Legal department, just to name a few examples.

Access control to the information on the file servers is enforced through SMB authentication, usually integrated with a unified directory (such as Microsoft Active Directory).

While the authentication itself can be performed securely, the information flow between the server and the client is usually not encrypted, which is the case with the default SMB configuration: SMB1 and SMB2 carry file data in the clear, and SMB signing, where it is enabled, protects message integrity but not confidentiality. This leaves the information exposed to any sniffing activity performed on the company's internal network.

As part of our effort to identify weak points in corporate networks, we wanted to demonstrate how easily this vulnerability can be exploited, so that organizations better understand the risk it poses for them and how to protect themselves against it.

For that purpose, we have developed a plugin for the popular network analyzer Wireshark. The plugin adds to Wireshark the ability to extract and save separately, from any network capture (live or previously saved), the contents of any files transferred between a server and a client over SMB. We have successfully used this plug-in in real pentests, demonstrating the potential impact of this vulnerability.

Once installed, identifying SMB file transfers in a Wireshark capture is easy: click File -> Export -> Objects -> SMB, and look at the window that pops up, which lists every file seen in the capture along with the packet number, hostname, content type, size and file name.

Then, just select the desired file and click "Save As" to write the captured file to disk and open it with the right program. (Later Wireshark releases expose the same extraction from the command line as tshark -r capture.pcap --export-objects smb,<output-dir>, which is handy for large captures.)

Please note that not all files will be 100% captured: the client may read only part of a file, and any packet the sniffer misses leaves a hole in the reconstruction. Also, the plugin reassembles file contents in memory, so very large files may not fit.
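To make concrete what the export has to do, here is an added example (not the plugin's code, nor anything from Wireshark) that reassembles files from SMB1 Read AndX traffic. The key point it shows is that a read reply carries neither the file handle (FID) nor the file offset: the sniffer must pair each reply with its request through the (PID, MID) header fields and map the FID to a path through the earlier NT Create AndX exchange. The capture is constructed inline; all PIDs, MIDs, FIDs and the file name are hypothetical, file names are ASCII for brevity (real traffic is mostly UTF-16LE), and the 4-byte NetBIOS session header is assumed to have been stripped already.

```python
"""Reassemble files from SMB1 Read AndX exchanges (constructed sample, not the Wireshark plugin)."""
import struct

SMB_MAGIC = b"\xffSMB"
CMD_NT_CREATE_ANDX = 0xA2
CMD_READ_ANDX = 0x2E
FLAG_REPLY = 0x80            # bit in the header Flags byte that marks a server reply
HDR_FMT = "<4sBIBHH8sHHHHH"  # magic, command, status, flags, flags2, PIDHigh, signature, reserved, TID, PID, UID, MID


def parse(msg):
    """Split an SMB1 PDU (NetBIOS session header already removed) into its parts."""
    magic, cmd, _st, flags, _f2, _ph, _sig, _rsv, _tid, pid, _uid, mid = struct.unpack_from(HDR_FMT, msg, 0)
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 PDU")
    wc = msg[32]                                         # WordCount
    words = msg[33:33 + 2 * wc]                          # parameter words
    bc = struct.unpack_from("<H", msg, 33 + 2 * wc)[0]   # ByteCount
    data = msg[35 + 2 * wc:35 + 2 * wc + bc]             # data block
    return cmd, bool(flags & FLAG_REPLY), (pid, mid), words, data


def reassemble(pdus):
    """Return {path: bytes} rebuilt from the Read AndX replies found in the PDUs (capture order)."""
    pending = {}    # (PID, MID) -> (command, request words, request data) awaiting its reply
    fid_path = {}   # FID handed out by the server -> path from the NT Create AndX request
    files = {}      # path -> bytearray being rebuilt
    for pdu in pdus:
        cmd, is_reply, key, words, data = parse(pdu)
        if not is_reply:
            pending[key] = (cmd, words, data)
            continue
        req = pending.pop(key, None)
        if req is None or req[0] != cmd:
            continue  # reply whose request the sniffer never saw: nothing to attribute it to
        _, rwords, rdata = req
        if cmd == CMD_NT_CREATE_ANDX:
            fid = struct.unpack_from("<H", words, 5)[0]          # FID follows the AndX fields and OpLockLevel
            fid_path[fid] = rdata.split(b"\0")[0].decode()       # ASCII name (constructed sample)
        elif cmd == CMD_READ_ANDX:
            fid, off_lo = struct.unpack_from("<HI", rwords, 4)   # request words: FID, Offset (low 32 bits)
            off_hi = struct.unpack_from("<I", rwords, 20)[0] if len(rwords) >= 24 else 0
            dlen, doff, dlen_hi = struct.unpack_from("<HHH", words, 10)  # reply: DataLength, DataOffset, DataLengthHigh
            chunk = pdu[doff:doff + (dlen | (dlen_hi << 16))]    # DataOffset counts from the SMB header, not the data block
            offset = off_lo | (off_hi << 32)
            buf = files.setdefault(fid_path.get(fid, f"fid-{fid:#06x}"), bytearray())
            if len(buf) < offset:
                buf.extend(bytes(offset - len(buf)))             # hole: a chunk the capture does not contain
            buf[offset:offset + len(chunk)] = chunk
    return {path: bytes(buf) for path, buf in files.items()}


# --- builders for the constructed sample capture (hypothetical PIDs, MIDs and FIDs) ---
def pdu(cmd, reply, pid, mid, words, data):
    hdr = struct.pack(HDR_FMT, SMB_MAGIC, cmd, 0, FLAG_REPLY if reply else 0, 0, 0, bytes(8), 0, 1, pid, 2, mid)
    return hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data

def create_request(pid, mid, path):   # NT Create AndX request, 24 words; only NameLength matters here
    words = struct.pack("<BBHBHIIIQIIIIIB", 0xFF, 0, 0, 0, len(path), 0, 0, 0x80, 0, 0, 1, 1, 0, 2, 0)
    return pdu(CMD_NT_CREATE_ANDX, False, pid, mid, words, path.encode() + b"\0")

def create_response(pid, mid, fid):   # 34 words; every field after the FID zeroed
    return pdu(CMD_NT_CREATE_ANDX, True, pid, mid, struct.pack("<BBHBH", 0xFF, 0, 0, 0, fid) + bytes(61), b"")

def read_request(pid, mid, fid, offset, count):   # 12 words, 64-bit offset split into low/high halves
    words = struct.pack("<BBHHIHHIHI", 0xFF, 0, 0, fid, offset & 0xFFFFFFFF, count, count, 0, 0, offset >> 32)
    return pdu(CMD_READ_ANDX, False, pid, mid, words, b"")

def read_response(pid, mid, chunk):   # 12 words; data sits behind one pad byte, i.e. at PDU offset 60
    words = struct.pack("<BBHHHHHHH8s", 0xFF, 0, 0, 0, 0, 0, len(chunk) & 0xFFFF, 60, len(chunk) >> 16, bytes(8))
    return pdu(CMD_READ_ANDX, True, pid, mid, words, b"\0" + chunk)


def sample_capture():
    """Constructed exchange: one open, two reads whose replies arrive out of order, plus an orphan reply."""
    content = b"name,salary\nalice,90000\nbob,85000\n"
    first, second = content[:16], content[16:]
    return [
        create_request(0x1000, 1, "\\payroll\\salaries.csv"),
        create_response(0x1000, 1, 0x4001),
        read_request(0x1000, 2, 0x4001, 0, len(first)),
        read_request(0x1000, 3, 0x4001, 16, len(second)),
        read_response(0x1000, 3, second),          # replies need not arrive in request order
        read_response(0x1000, 2, first),
        read_response(0x1000, 9, b"stray"),        # its request was never captured: drop, do not misfile
    ]


if __name__ == "__main__":
    for path, body in reassemble(sample_capture()).items():
        print(path, len(body), body)
```

Dropping a reply from the sample (say the one for MID 2) yields a file whose first 16 bytes are zero, which is the "not 100% captured" case described above; a real tool would record such holes rather than silently zero-fill them. Everything is kept in memory, the same limitation the post notes for large files.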

A white paper with further details, as well as the plug-in itself, is freely available in the Lab section of our web page.

(UPDATE) This functionality is included in the official version of Wireshark from release 1.5.1 on.
(UPDATE) We have released a patch that corrects some bugs in the export object SMB functionality of version 1.5.1. It has been included in the development trunk from SVN revision 36979 on. Linux users can download the source code and compile it. For Windows users, a Windows installer is available in our lab.


Anonymous said...

I cannot compile wireshark with eo_smb_cb

My wireshark is wireshark-1.4.0rc1

Linux is Mandriva 2008.1 with custom openssl and zlib

I have an error

gtk/libui.a(menus.o):(.data+0x14b8): undefined reference to `eo_smb_cb'
collect2: ld returned 1 exit status
gmake[2]: *** [wireshark] Error 1
gmake[2]: *** Waiting for unfinished jobs....

Many thanks


Jose Pico said...

Hi Ceres,

the latest version of the patch has been compiled against version 1.5.0 (SVN Rev 33208 from /trunk) of Wireshark.

The process of including this functionality in a stable version of Wireshark is in progress. You may follow this process through the Wireshark bug database, bug id 4451:

There you will find the history of updates to this patch, and from now on we will also include the revision number that we use to compile the patch.



Jose Pico said...

The SMB export object functionality has been included in Wireshark development trunk, so there is no need to apply the patch anymore.
That means that if you download and compile the latest Wireshark SVN trunk on Linux, you will have the SMB plugin included in it.

Jose Pico said...

Additional note: the compilation for Windows has also been verified and fixed by the Wireshark team.

Anonymous said...

Is it included in the windows version as well?

Andy said...

The plug-in is very cool. I compiled Wireshark with eo_smb_cb in BT4 and was able to capture the transferred files. It is really amazing; you guys are so great!
Just one question: how can we fix this vulnerability? Thanks.


Jose Pico said...


Thank you very much for your comment.

Most past and current SMB implementations don't support traffic encryption by themselves. As an alternative (if that is your case), you could use another layer to protect the privacy of SMB messages:
- You can use network layer protection, such as IPsec
- You can also use SSL or TLS at the transport layer to transport SMB protocol messages
- Or you could use an application that encrypts the traffic on a file before sending it over the network

Depending on the environment, you should evaluate the best available option. One obvious thing to take care of is that the option you choose must be available for implementation at the client and the server side.



Jose Pico said...

Our functionality is included in the development version of Wireshark from revision 33229 on. Compilation has been tested by the Wireshark team, including Windows compilation.
It is not included in a stable version of Wireshark yet, so no precompiled Windows version of Wireshark that includes the export-object-smb functionality is available to download from the Wireshark home page yet.

At the moment, you can get this functionality on Windows by building Wireshark from source code.

Jose Pico said...

This post has been translated into Spanish here:
