Section 16.3. Exercises


16.3. Exercises

You are embarking on a course of discovery. The first part of the exercise requires two MS Windows 9x/Me systems. We called one machine WINEPRESSME and the other MILGATE98. Each needs an IP address; we used 10.1.1.10 and 10.1.1.11. The test machines need to be networked via a hub. A UNIX/Linux machine is required to run Ethereal to enable the network activity to be captured. It is important that the machine from which network activity is captured must not interfere with the operation of the Windows workstations. It is helpful for this machine to be passive (does not send broadcast information) to the network.

For these exercises, our test environment consisted of a SUSE 9.2 Professional Linux Workstation running VMWare 4.5. The following VMWare images were prepared:

  • Windows 98 name: MILGATE98

  • Windows Me name: WINEPRESSME

  • Windows XP Professional name: LightrayXP

  • Samba-3.0.20 running on a SUSE Enterprise Linux 9

Choose a workgroup name (MIDEARTH) for each exercise.

The network captures provided on the CD-ROM included with this book were captured using Ethereal version 0.10.6. A later version suffices without problems, but an earlier version may not expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all packets has also been included. This makes it possible for you to do all the studying you like without the need to perform the time-consuming equipment configuration and test work. This is a good time to point out that the value that can be derived from this book really does warrant your taking sufficient time to practice each exercise with care and attention to detail.

16.3.1. Single-Machine Broadcast Activity

In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes.

MONITORING WINDOWS 9X STEPS

1.

Start the machine from which network activity will be monitored (using ethereal). Launch ethereal, click Capture

  1. Update list of packets in real time

  2. Automatic scrolling in live capture

  3. Enable MAC name resolution

  4. Enable network name resolution

  5. Enable transport name resolution

Click OK.

2.

Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring, do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.

3.

At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you can go back to it later. Leave this machine running in preparation for the task in Section 16.3.2.

4.

Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol was used. Identify the timing between messages of identical types.

16.3.1.1 Findings

The summary of the first 10 minutes of the packet capture should look like Figure 16.1. A screenshot of a later stage of the same capture is shown in Figure 16.2.

Figure 16.1. Windows Me Broadcasts The First 10 Minutes


Figure 16.2. Windows Me Later Broadcast Sample


Broadcast messages observed are shown in Table 16.1. Actual observations vary a little, but not by much. Early in the startup process, the Windows Me machine broadcasts its name for two reasons: first to ensure that its name would not result in a name clash, and second to establish its presence with the Local Master Browser (LMB).

Table 16.1. Windows Me Startup Broadcast Capture Statistics

Message

Type

Num

Notes

WINEPRESSME<00>

Reg

8

4 lots of 2, 0.6 sec apart

WINEPRESSME<03>

Reg

8

4 lots of 2, 0.6 sec apart

WINEPRESSME<20>

Reg

8

4 lots of 2, 0.75 sec apart

MIDEARTH<00>

Reg

8

4 lots of 2, 0.75 sec apart

MIDEARTH<1d>

Reg

8

4 lots of 2, 0.75 sec apart

MIDEARTH<1e>

Reg

8

4 lots of 2, 0.75 sec apart

MIDEARTH<1b>

Qry

84

300 sec apart at stable operation

__MSBROWSE__

Reg

8

Registered after winning election to Browse Master

JHT<03>

Reg

8

4 x 2. This is the name of the user that logged onto Windows

Host Announcement WINE-PRESSME

Ann

2

Observed at 10 sec

Domain/Workgroup Announcement MIDEARTH

Ann

18

300 sec apart at stable operation

Local Master Announcement WINEPRESSME

Ann

18

300 sec apart at stable operation

Get Backup List Request

Qry

12

6 x 2 early in startup, 0.5 sec apart

Browser Election Request

Ann

10

5 x 2 early in startup

Request Announcement WINEPRESSME

Ann

4

Early in startup


From the packet trace, it should be noted that no messages were propagated over TCP/IP; all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle of various announcements, re-election of a browse master, and name queries. These create the symphony of announcements by which network browsing is made possible.

For detailed information regarding the precise behavior of the CIFS/SMB protocols, refer to the book "Implementing CIFS: The Common Internet File System," by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).

16.3.2. Second Machine Startup Broadcast Interaction

At this time, the machine you used to capture the single-system startup trace should still be running. The objective of this task is to identify the interaction of two machines in respect to broadcast activity.

MONITORING OF SECOND MACHINE ACTIVITY

1.

On the machine from which network activity will be monitored (using ethereal), launch ethereal and click Capture

  1. Update list of packets in real time

  2. Automatic scrolling in live capture

  3. Enable MAC name resolution

  4. Enable network name resolution

  5. Enable transport name resolution

Click OK.

2.

Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.

3.

At the conclusion of the capture time, stop the capture. Be sure to save the captured data so you can examine the network data capture again at a later date should that be necessary.

4.

Analyze the capture trace, taking note of the transport protocols used, the types of messages observed, and what interaction took place between the two machines. Leave both machines running for the next task.

16.3.2.1 Findings

Table 16.2 summarizes capture statistics observed. As in the previous case, all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash (i.e., the name is already registered by another machine) on the network segment. Those wishing to explore the inner details of the precise mechanism of how this functions should refer to "Implementing CIFS: The Common Internet File System."

Table 16.2. Second Machine (Windows 98) Capture Statistics

Message

Type

Num

Notes

MILGATE98<00>

Reg

8

4 lots of 2, 0.6 sec apart

MILGATE98<03>

Reg

8

4 lots of 2, 0.6 sec apart

MILGATE98<20>

Reg

8

4 lots of 2, 0.75 sec apart

MIDEARTH<00>

Reg

8

4 lots of 2, 0.75 sec apart

MIDEARTH<1d>

Reg

8

4 lots of 2, 0.75 sec apart

MIDEARTH<1e>

Reg

8

4 lots of 2, 0.75 sec apart

MIDEARTH<1b>

Qry

18

900 sec apart at stable operation

JHT<03>

Reg

2

This is the name of the user that logged onto Windows

Host Announcement MIL-GATE98

Ann

14

Every 120 sec

Domain/Workgroup Announcement MIDEARTH

Ann

6

900 sec apart at stable operation

Local Master Announcement WINEPRESSME

Ann

6

Insufficient detail to determine frequency


Observation of the contents of Host Announcements, Domain/Workgroup Announcements, and Local Master Announcements is instructive. These messages convey a significant level of detail regarding the nature of each machine that is on the network. An example dissection of a Host Announcement is given in Figure 16.3.

Figure 16.3. Typical Windows 9x/Me Host Announcement


16.3.3. Simple Windows Client Connection Characteristics

The purpose of this exercise is to discover how Microsoft Windows clients create (establish) connections with remote servers. The methodology involves analysis of a key aspect of how Windows clients access remote servers: the session setup protocol.

CLIENT CONNECTION EXPLORATION STEPS

1.

Configure a Windows 9x/Me machine (MILGATE98) with a share called Stuff. Create a Full Access control password on this share.

2.

Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make sure that it exports no shared resources.

3.

Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding.

4.

Start ethereal (or the network sniffer of your choice).

5.

From the WINEPRESSME machine, right-click Network Neighborhood, select Explore, select My Network Places

6.

When the share called Stuff is being displayed, stop the capture. Save the captured data in case it is needed for later analysis.

7.

From the top of the packets captured, scan down to locate the first packet that has interpreted as Session Setup AndX, User: anonymous; Tree Connect AndX, Path: \\MILGATE98\IPC$.

8.

In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request, and Tree Connect AndX Request. Examine both operations. Identify the name of the user Account and what password was used. The Account name should be empty. This is a NULL session setup packet.

9.

Return to the packet capture sequence. There will be a number of packets that have been decoded of the type Session Setup AndX. Locate the last such packet that was targeted at the \\MILGATE98\IPC$ service.

10.

Dissect this packet as per the previous one. This packet should have a password length of 24 (characters) and should have a password field, the contents of which is a long hexadecimal number. Observe the name in the Account field. This is a User Mode session setup packet.

16.3.3.1 Findings and Comments

The IPC$ share serves a vital purpose[3] in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of resources that are available on the server. The server responds with the shares and print queues that are available. In most but not all cases, the connection is made with a NULL username and a NULL password.

[3] TOSHARG2, Sect 4.5.1

The two packets examined are material evidence of how Windows clients may interoperate with Samba. Samba requires every connection setup to be authenticated using valid UNIX account credentials (UID/GID). This means that even a NULL session setup can be established only by automatically mapping it to a valid UNIX account.

Samba has a special name for the NULL, or empty, user account: it calls it the guest account. The default value of this parameter is nobody; however, this can be changed to map the function of the guest account to any other UNIX identity. Some UNIX administrators prefer to map this account to the system default anonymous FTP account. A sample NULL Session Setup AndX packet dissection is shown in Figure 16.4.

Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request


When a UNIX/Linux system does not have a nobody user account (/etc/passwd), the operation of the NULL account cannot validate and thus connections that utilize the guest account fail. This breaks all ability to browse the Samba server and is a common problem reported on the Samba mailing list. A sample User Mode session setup AndX is shown in Figure 16.5.

Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request


The User Mode connection packet contains the account name and the domain name. The password is provided in Microsoft encrypted form, and its length is shown as 24 characters. This is the length of Microsoft encrypted passwords.

16.3.4. Windows 200x/XP Client Interaction with Samba-3

By now you may be asking, "Why did you choose to work with Windows 9x/Me?"

First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise on the Windows networking protocols, but rather to provide prescriptive guidance for deployment of Samba. Second, by starting out with the simple protocol, it can be demonstrated that the more complex case mostly follows the same principles.

The following exercise demonstrates the case that even MS Windows XP Professional with up-to-date service updates also uses the NULL account, as well as user accounts. Simply follow the procedure to complete this exercise.

To complete this exercise, you need a Windows XP Professional client that has been configured as a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain. Here we do not provide details for how to configure this, as full coverage is provided earlier in this book.

STEPS TO EXPLORE WINDOWS XP PRO CONNECTION SET-UP

1.

Start your domain controller. Also, start the ethereal monitoring machine, launch ethereal, and then wait for the next step to complete.

2.

Start the Windows XP Client and wait 5 minutes before proceeding.

3.

On the machine from which network activity will be monitored (using ethereal), launch ethereal and click Capture

  1. Update list of packets in real time

  2. Automatic scrolling in live capture

  3. Enable MAC name resolution

  4. Enable network name resolution

  5. Enable transport name resolution

Click OK.

4.

On the Windows XP Professional client, press Ctrl-Alt-Delete to bring up the domain logon screen. Log in using valid credentials for a domain user account.

5.

Now proceed to connect to the domain controller as follows: Start {[+] Entire Network {[+] Microsoft Windows Network {[+] Midearth {[+] Frodo {[+] data. Close the explorer window. In this step, our domain name is Midearth, the domain controller is called Frodo, and we have connected to a share called data.

6.

Stop the capture on the ethereal monitoring machine. Be sure to save the captured data to a file so that you can refer to it again later.

7.

If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises in this chapter.

8.

From the top of the packets captured, scan down to locate the first packet that has interpreted as Session Setup AndX Request, NTLMSSP_AUTH.

9.

In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request. Expand the packet decode information, beginning at the Security Blob: entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP keys. This should reveal that this is a NULL session setup packet. The User name: NULL so indicates. An example decode is shown in Figure 16.6.

Figure 16.6. Typical Windows XP NULL Session Setup AndX Request


10.

Return to the packet capture sequence. There will be a number of packets that have been decoded of the type Session Setup AndX Request. Click the last such packet that has been decoded as Session Setup AndX Request, NTLMSSP_AUTH.

11.

In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request. Expand the packet decode information, beginning at the Security Blob: entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP keys. This should reveal that this is a User Mode session setup packet. The User name: jht so indicates. An example decode is shown in Figure 16.7. In this case the user name was jht. This packet decode includes the Lan Manager Response: and the NTLM Response:. The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan password and then the NT (case-preserving) password hash.

Figure 16.7. Typical Windows XP User Session Setup AndX Request


12.

The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode session setup packet.

16.3.4.1 Discussion

This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a NULL-Session connection to query and locate resources on an advanced network technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated connection must be made before resources can be used.

16.3.5. Conclusions to Exercises

In summary, the following points have been established in this chapter:

  • When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services.

  • Network browsing protocols query information stored on browse masters that manage information provided by NetBIOS Name Registrations and by way of ongoing host announcements and workgroup announcements.

  • All Samba servers must be configured with a mechanism for mapping the NULL-Session to a valid but nonprivileged UNIX system account.

  • The use of Microsoft encrypted passwords is built right into the fabric of Windows networking operations. Such passwords cannot be provided from the UNIX /etc/passwd database and thus must be stored elsewhere on the UNIX system in a manner that Samba can use. Samba-2.x permitted such encrypted passwords to be stored in the smbpasswd file or in an LDAP database. Samba-3 permits use of multiple passdb backend databases in concurrent deployment. Refer to TOSHARG2, Chapter 10, "Account Information Databases."



    Samba-3 by Example. Practical Exercises to Successful Deployment
    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    EAN: 2147483647
    Year: 2005
    Pages: 142

    Similar book on Amazon

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net