how to sign in smb2(tree connect request)

  • Question

  • I captured the packets I have sent, below:

        1. negotiate protocol request packet
        2. negotiate protocol response packet
        3. negotiate protocol request packet
        4. negotiate protocol response packet(dialect 0x0302)
        5. session setup request NTLMSSP NEGOTIATE packet
        6. session setup response NTLMSSP NEGOTIATE packet
        7. session setup request NTLMSSP AUTH packet
        8. session setup response NTLMSSP AUTH packet
        9. tree connect packet
        ...........

        The problem is in "9. tree connect packet", details below:

            when received "8. session setup response NTLMSSP AUTH packet", the keys are derived:

                signing key = SMB3KDF (SessionKey, "SMBSigningKey\0", "SmbRpc\0")

            In my test, the SessionKey (random data):

                536556E044667F63437C666F63184060

            then,

                signing key        : 0555A49AF579B439F92CC5A2517A1C0E

    when I construct the "tree connect request packet", I need to compute the signature, then

    1) Message with signature zeroed out(the signature of smb2 header):

        FE534D4240000100000000000300E01F
        08000000000000000400000000000000
        000000000000000001000000002C0100
        00000000000000000000000000000000
        09000000480028005C005C0031003200
        32002E00350031002E00340033002E00
        3200330039005C004900500043002400

    2) message length:

        112 bytes    = 64 bytes(header) + 48 bytes(data)

    3) use signing key:

        0555A49AF579B439F92CC5A2517A1C0E

    4) signing Algorithm:

        aes-128-cmac

    The signature I compute(incorrect)    : 357529A355F73EBAC4359E3D5273C45D

    However, the correct one is        : 1ad80d810f17db5099af8778b37ed7d4

    why?

    How to get the signature(0x1ad80d810f17db5099af8778b37ed7d4)?

                                



    • Edited by mckt ptu Thursday, October 31, 2019 12:33 PM
    Thursday, October 31, 2019 12:14 PM
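For reference, an added example (not code from the original post) of SMB 3.x signing-key derivation and of preparing the header for the MAC; the returned key and bytes are the inputs to AES-128-CMAC. The label and context strings per dialect are taken from MS-SMB2, not from the post, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

SMB2_FLAGS_SIGNED = 0x00000008
SIG = slice(48, 64)  # Signature field inside the 64-byte SMB2 header

def smb3_kdf(key: bytes, label: bytes, context: bytes, bits: int = 128) -> bytes:
    """SP 800-108 counter-mode KDF with HMAC-SHA256 as the PRF."""
    out = b""
    for i in range(1, -(-bits // 256) + 1):  # one 32-byte PRF block per counter
        block = (struct.pack(">I", i) + label + b"\x00" + context
                 + struct.pack(">I", bits))
        out += hmac.new(key, block, hashlib.sha256).digest()
    return out[: bits // 8]

def signing_key(session_key: bytes, dialect: int, preauth_hash: bytes = b"") -> bytes:
    """Choose label/context by negotiated dialect (strings per MS-SMB2)."""
    if dialect in (0x0300, 0x0302):
        return smb3_kdf(session_key, b"SMB2AESCMAC\x00", b"SmbSign\x00")
    if dialect == 0x0311:
        if len(preauth_hash) != 64:
            raise ValueError("3.1.1 needs the 64-byte preauth integrity hash")
        return smb3_kdf(session_key, b"SMBSigningKey\x00", preauth_hash)
    raise ValueError("dialects below 3.0 sign with HMAC-SHA256 and the session key")

def bytes_to_mac(message: bytes) -> bytes:
    """Return the message as fed to the MAC: signed flag set, Signature zeroed."""
    if len(message) < 64 or message[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    flags = struct.unpack_from("<I", message, 16)[0]  # Flags sits at offset 16
    if not flags & SMB2_FLAGS_SIGNED:
        raise ValueError("SMB2_FLAGS_SIGNED is not set")
    buf = bytearray(message)
    buf[SIG] = bytes(16)
    return bytes(buf)

if __name__ == "__main__":
    # Session key value as quoted in the post; dialect 0x0302 as negotiated there.
    sk = bytes.fromhex("536556E044667F63437C666F63184060")
    print("3.0.2 signing key:", signing_key(sk, 0x0302).hex())
    print("key from the post's label/context:",
          smb3_kdf(sk, b"SMBSigningKey\x00", b"SmbRpc\x00").hex())
```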

All replies