11.1 Our Very First Live SMBs

We need to capture a few SMBs to see what they look like up close. That means it's time to take a look at the wire and see what's there to be seen. Fire up your protocol analyzer, and then your SMB client. If you can configure your test server to allow anonymous connections (no username, no password) it will simplify things at this stage. If you can't, then things won't run quite as they are shown below. Don't worry, it will be close enough.

For this example, we will use the Exists.java program that comes with jCIFS. It is a very simple utility that does nothing more than verify the existence of the object specified by the given SMB URL string, like so:

[Figure (graphics/179fig01.gif): output of the jCIFS Exists utility confirming the HOME share on node SMEDLEY; image not reproduced]

The above shows that we were able to access the HOME share on node SMEDLEY. A similar test can be performed using Samba's smbclient, or with the NET USE command under Windows: [1]

[1] When working with the NET USE command, it is important to remember to close the connection to the server using the /d command-line option. Type NET HELP at the DOS prompt for more information.

[Figure (graphics/179fig02.gif): the same test performed with smbclient and with NET USE; image not reproduced]

These simple commands will generate the packets we want to capture and study. Stop your sniffer and take a look at the trace. You should see a chain of events similar to the following:

 No. Source   Destination      Protocol Info
 --- -------  ---------------  -------- -----------------------------
   1 Marika   255.255.255.255  NBNS     Name query
   2 Smedley  Marika           NBNS     Name query response
   3 Marika   Smedley          TCP      34102 > netbios-ssn [SYN]
   4 Smedley  Marika           TCP      netbios-ssn > 34102 [SYN, ACK]
   5 Marika   Smedley          TCP      34102 > netbios-ssn [ACK]
   6 Marika   Smedley          NBSS     Session request
   7 Smedley  Marika           NBSS     Positive session response
   8 Marika   Smedley          TCP      34102 > netbios-ssn [ACK]
   9 Marika   Smedley          SMB      Negotiate Protocol Request
  10 Smedley  Marika           SMB      Negotiate Protocol Response
  11 Marika   Smedley          SMB      Session Setup AndX Request
  12 Smedley  Marika           SMB      Session Setup AndX Response
  13 Marika   Smedley          TCP      34102 > netbios-ssn [FIN, ACK]
  14 Smedley  Marika           TCP      netbios-ssn > 34102 [FIN, ACK]
  15 Marika   Smedley          TCP      34102 > netbios-ssn [ACK]

The above is edited output from an Ethereal capture. [2] The packets were generated using the jCIFS Exists utility, as described above. In this case jCIFS was talking to an old Windows 95 system, but any SMB server should produce the same or similar results.

[2] The original was much more detailed and interesting. It had to be edited so that it would fit on the page, and because all those details can be distracting.

The trace is reasonably simple. The first thing that node MARIKA does is send a broadcast NBT Name query to find node SMEDLEY, and SMEDLEY responds. Packets 3, 4, and 5 show the TCP session being created. (Note that netbios-ssn is the descriptive name given to port 139.) Packets 6 and 7 are the NBT SESSION REQUEST/SESSION RESPONSE exchange, and packet 8 is an ACK message, which is just TCP taking care of its business.

Packets 9 and 10 are what we want. These are our first SMBs.
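To make packets 6 and 7 concrete, here is an added example (not code from the book or from jCIFS) that builds the NBT SESSION REQUEST the client sends to SMEDLEY, using the RFC 1001/1002 first-level name encoding that the NBNS query in packet 1 also relies on, and decodes the 4-byte NBSS header of the replies, including the session messages that wrap the SMBs in packets 9 onward. The node names SMEDLEY and MARIKA are taken from the trace; the length check in the header parser is the defensive step a receiver should always perform before trusting a declared length.

```python
import struct

NBT_SESSION_MESSAGE = 0x00            # wraps an SMB (packets 9-12)
NBT_SESSION_REQUEST = 0x81            # packet 6
NBT_POSITIVE_SESSION_RESPONSE = 0x82  # packet 7
NBT_NEGATIVE_SESSION_RESPONSE = 0x83

def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    one-byte suffix, then write each nibble as a letter 'A'..'P'.  The wire
    form is a 0x20 length byte, the 32 letters and a 0x00 terminator."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    letters = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + letters + b"\x00"

def decode_netbios_name(wire):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(wire) != 34 or wire[0] != 0x20 or wire[33] != 0x00:
        raise ValueError("malformed second-level NetBIOS name")
    raw = bytes(((wire[i] - 0x41) << 4) | (wire[i + 1] - 0x41)
                for i in range(1, 33, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_session_request(called, calling):
    """Packet 6: TYPE 0x81, FLAGS 0, big-endian LENGTH, then the CALLED
    (server, suffix 0x20) and CALLING (client, suffix 0x00) names."""
    body = encode_netbios_name(called, 0x20) + encode_netbios_name(calling, 0x00)
    return struct.pack(">BBH", NBT_SESSION_REQUEST, 0, len(body)) + body

def parse_nbss_header(pkt):
    """Decode a 4-byte NBSS header and return the message type, declared
    length, whether the payload is an SMB, and the payload itself.  For
    TYPE 0x00 the length is 17 bits: bit 0 of FLAGS is the high bit.  The
    declared length is checked against the bytes actually present."""
    if len(pkt) < 4:
        raise ValueError("short NBSS header")
    msg_type, flags, length = struct.unpack(">BBH", pkt[:4])
    length |= (flags & 0x01) << 16
    payload = pkt[4:4 + length]
    if len(payload) != length:
        raise ValueError("NBSS declares %d bytes, only %d present" % (length, len(payload)))
    return {"type": msg_type, "length": length,
            "is_smb": msg_type == NBT_SESSION_MESSAGE and payload[:4] == b"\xffSMB",
            "payload": payload}
```

The session request is 72 bytes: a 4-byte header plus two 34-byte encoded names, and a positive session response is just the header with TYPE 0x82 and a zero length.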


Implementing CIFS: The Common Internet File System
ISBN: 013047116X
Year: 2002
Pages: 210