How to decrypt SMB version 3 encrypted traffic?

  • Question

  • Hi,

    Is there an option to decrypt traffic of SMB 3?

    Please advise.
    Thanks.


    • Edited by Itay-av17 Monday, January 25, 2016 5:13 PM change question
    Monday, January 25, 2016 8:53 AM

All replies

  • Hi Itay-av17,

    I see that you edited your original post and changed your original question. The response immediately below is based on your original text, followed by an answer for your edited question:

    The purpose of this forum is to support the Open Specifications documentation. You can read about the Microsoft Open Specifications program at https://msdn.microsoft.com/en-us/openspecifications/default

    The library of Open Specification documents is located at https://msdn.microsoft.com/library/dd208104.aspx.

    Primarily we work with third-party implementers of the on-the-wire protocols (i.e., non-Microsoft endpoints).

    While you cite the file sharing protocols, your question is closer to a platform support question and would be best addressed by one of the Technet forums, like the Server Platform Networking forum at https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverPN&filter=alltypes&sort=lastpostdesc.

    In general: The SMB 2 and SMB 3 protocols are discussed in the same document, [MS-SMB2] “Server Message Block (SMB) Protocol Versions 2 and 3”, which is available as a PDF download at https://technet.microsoft.com/en-us/evalcenter/cc246482.aspx?f=255&MSPPError=-2147217396. Both the client and server negotiate a protocol “dialect” via a [MS-SMB2] 2.2.3 SMB2_NEGOTIATE Request and a [MS-SMB2] 2.2.4 SMB2_NEGOTIATE Response. The “dialects” are more granular than just SMB 2 or 3, and even many features within a specific dialect are optional. See [MS-SMB2] 1.7 Versioning and Capability Negotiation. To determine what dialect is actually negotiated, you should be using tools such as Message Analyzer, Network Monitor or Wireshark to see the on-the-wire network traffic.

    How to engineer a specific negotiation between two Windows machines would be a great topic for a post to the Technet forum. If you have a specific question about on-the-wire SMB2/3 observations using [MS-SMB2], we might be able to help via this forum (as a new post) or by mail to “dochelp (at) Microsoft (dot) com”.

    As for your updated post, “[Is t]here is an option to decrypt traffic of SMB 3 ?”, it is possible. Please see the presentation “Decrypting SMB3 Protocol” at https://channel9.msdn.com/Events/Open-Specifications-Plugfests/Redmond-Interoperability-Protocols-Plugfest-2015/Decrypting-SMB3-Protocol


    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team

    Monday, January 25, 2016 5:54 PM
    Moderator
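The reply above recommends looking at the on-the-wire SMB2_NEGOTIATE exchange to learn which dialect was actually negotiated. As an added example (not from the original post or from Microsoft), this Python dissector reads a single SMB2 NEGOTIATE Response laid out per [MS-SMB2] 2.2.4 and reports the dialect, whether signing is required, the encryption capability bit and, for 3.1.1, the cipher the server chose in its SMB2_ENCRYPTION_CAPABILITIES negotiate context; the sample message is constructed, not a real capture.

```python
import struct

# Values from [MS-SMB2]: dialect codes (2.2.4), Capabilities bit (2.2.4),
# negotiate context type (2.2.3.1) and cipher ids (2.2.3.1.2).
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SMB2_GLOBAL_CAP_ENCRYPTION = 0x00000040
SMB2_ENCRYPTION_CAPABILITIES = 0x0002
CIPHERS = {1: "AES-128-CCM", 2: "AES-128-GCM", 3: "AES-256-CCM", 4: "AES-256-GCM"}


def parse_negotiate_response(msg: bytes) -> dict:
    """Dissect one SMB2 NEGOTIATE Response (64-byte header + body, no NetBIOS prefix)."""
    if msg[:4] != b"\xfeSMB" or len(msg) < 64 + 65:
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if command != 0x0000 or not flags & 0x00000001:   # NEGOTIATE, SERVER_TO_REDIR
        raise ValueError("not a NEGOTIATE response")
    body = msg[64:]
    sec_mode, dialect, ctx_count = struct.unpack_from("<HHH", body, 2)
    capabilities, = struct.unpack_from("<I", body, 24)
    ctx_offset, = struct.unpack_from("<I", body, 60)   # offset from start of header
    ciphers = []
    if dialect == 0x0311:            # only 3.1.1 carries negotiate contexts
        pos = ctx_offset
        for _ in range(ctx_count):
            ctype, dlen = struct.unpack_from("<HH", msg, pos)
            data = msg[pos + 8:pos + 8 + dlen]
            if ctype == SMB2_ENCRYPTION_CAPABILITIES:
                count, = struct.unpack_from("<H", data, 0)
                ids = struct.unpack_from("<%dH" % count, data, 2)
                ciphers = [CIPHERS.get(c, hex(c)) for c in ids]
            pos += 8 + dlen
            pos += (-pos) % 8        # each context starts on an 8-byte boundary
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_required": bool(sec_mode & 0x0002),
        "cap_encryption": bool(capabilities & SMB2_GLOBAL_CAP_ENCRYPTION),
        "ciphers": ciphers,
    }


# Constructed sample: a 3.1.1 response selecting AES-128-GCM (not a real capture).
SAMPLE = (b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"\0" * 16)
          + struct.pack("<HHHH16sIIIIQQHHI", 65, 1, 0x0311, 1, b"\0" * 16, 0x2f,
                        0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 128)
          + struct.pack("<HHIHH", 0x0002, 4, 0, 1, 0x0002))

if __name__ == "__main__":
    print(parse_negotiate_response(SAMPLE))
```

To run it on real traffic, feed it the SMB2 message bytes of the server's NEGOTIATE Response as exported from Wireshark or Message Analyzer, without the 4-byte NetBIOS session header.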