SMB Analysis OPSEC 2016

Transcription

1 SMB Analysis

2

3 If Malware crafts a packet to negotiate only using LanMan v1, then Unlocked server will use it Security game over

4 Goal SMB Analysis Attacker Actions Where have they been What have they looked at Patterns of activity or targeting Corroborate findings from other sources, eg IOC s

5 Common Attack APT Login to user workstation from remote Read the user s files Surf to internal sites and access the data Copy and paste from shares or NAS to attacker space Exfiltrate the data

6 PTH Client to Client shares over SMB Unusual hours File share access from same account but from different machines, LANS or countries Enumeration of large number of files or shares Large copy actions

7 Analysis Steps Filter full SMB captures Load into Wireshark Apply Display Filters Hide the crap GPO, SMB announcements etc Gpt.ini and sysvol Read attacker actions Note: cannot capture filter for smb2, but use port 445

8

9 One of the three NetBIOS services is a name service Over NBT operates on UDP 137 or (rarely) TCP 137 Other services include: Datagram service (like UDP) UDP 138 Session Service (like TCP) TCP 139 Note: direct host SMB uses TCP 445, no NetBIOS Microsoft wants to be rid of NetBIOS

10 Filter 137, 138, 139, 445 IF apply SMB or SMB2 you will miss remote registry access events SAMR, LSARPC, DERPC Test filters first Tshark tweak

11 SMB2 19 Commands (old ver 100 s) Protocol Negotiation File, Directory and Volume Access Other Echo, oplock_break

12 Typical SMB Session Negotiate Protocol Session Setup Tree Connect Trans2, query file info NT Create, open or create Locking andx lock Read andx Locking andx unlock Close Tree Disconnect Logoff andx Multiple per file

13 SMB Remains Active Sessions can be Stacked inside a single Transport Layer Session Remains active until Network connection times out User closes the session User De-authenticates Connection fails a server-side security check SMB2 works on a credit system Like TCP window

14 FIDS SMB refers to File Handles or FIDS 16 bit integer SMB2 transaction FID only occurs once in either request or response, but not both Normal filtering is useless Wireshark gets it, when you filter for FID it operates on all packets

15 File Name Request or Response = NO FILE NAME Wireshark to the rescue Artificial field is created Puts FID and Filename MORE it will add info about how and when FID was opened DEMO FID DEMO SMB response time stats

16 Conversations Easy way to get list of all TCP connections Quick overview of all CIFS clients

17 SMB in Action - Filters SMB OpCodes

18 Protocol Negotiation Look for reduced security eg lanman 1 Smb.cmd == 0x72 Smb2.cmd == 0

19 Security Mode Mode 1: User level access control Password 1: Server supports challenge/resp Signatures 0: Server does not support SMB sigs (HMAC 256) Sig Req 0:Server does not require SMB sigs

20 Session Establishment Session Setup AndX Request/Response Usually needs a few TCP packets to set up User authentication Contains PID from client (pivot for our IOCs, logs memory etc.) Contains OS build info Server assigns a User ID (2bytes) Smb.cmd == 0x73

21 Session Setup AndX Data Point Value User ID (UID) Authentication Mechanism Server OS type, version, service pack Active Directory Domain Name Active Directory Username

22 Stackable Many Many Concurrent sessions Identified by their Mulitplex ID values Random value set by client, allows for pairing of request and response packets Contains GSS-API generic security service auth SPNEGO simple protocol negotiation

23 SMB Action Services Tree Connect AndX Request/Response Server assigns a Tree ID (TID) Shows access to services Same UID already received Smb.cmd == 0x75 Smb2.cmd == 3

24 SMB Obtain Network Directory Metadata Trans2 Request/Response Forensic WIN Can see MAC Times Smb.cmd == 0x32 && smb.trans2.cmd == 0x0005 && smb.qpi_loi == 1004 Not in SMB2

25 Create Response in SMB2 Contains MAC times of File smb2.create.action == 1

26 SMB Opening a File NT Create AndX Request/Response Server performs ACL check before opening Server assigns FID, only for session So track with File Name Not FID Client sends smb.file field (useful) Smb.cmd == 0xa2

27 Better way to track Smb.cmd == 0xa2 &&!smb.fid and smb.file Quickly finds all smb traffic with a file name (smb2.cmd == 5) && (smb2.flags.response == 1)

28 NOTE: SMB command also creates a new resource. If a resource does not exist and client has permissions, a new file will be created. Could be an issue with tracking, eg file did not exist Contains file based commands Maximal access rights Maximal guest access rights

29 Create AndX Response Access Rights Access Right Authenticated Account Guest Account Delete File Write File Attributes Write Content

30 Create AndX Response Access Rights MetaData Item MACB Meaning Value (UTC if required) Last Write M Time content of file was last updated Last Access A Time file was last opened Change C Time metadata of file was last updated Created B Time file was created on disk End of File N/A Last byte of File (file size)

31 Locking and Unlocking a file Locking AndX Request/Response Prevents concurrent access to same resource Smb.cmd == 0x24 Smb2.cmd == 0x0a Contains session FID

32 SMB Reading from File Read AndX Request/Response Client supplies a FID, requested number of bytes, offset to start reading. Server responds. Uses byte offset for partial reads Large Files require MANY exchanges Packet is 1440 bytes Minus Overhead is 1000 bytes for file Inefficient

33 SMB2 Block is Larger 65,536 bytes combine with a 116 byte SMB2 header Forms the full block.

34 Each exchange has SMB headers mixed into file contents CAN T Follow the Stream SMB Aware Carving MUST be used (network miner) Smb.cmd == 0x2e Smb2.cmd == 8

35 SMB Closing a File Close AndX Request/Response DeAssigns the FID value Smb.cmd == 0x04 smb2.cmd == 6

36 SMB Tree Disconnection Signals end of SMB session for the resource De-Assigns TID value Any new connection will require full negotiation Once TID de-assigned Stop Tracking Smb.cmd == 0x71 Smb2.cmd ==4

37 SMB Logoff Logoff AndX Request May not happen for each file access as client can keep it open Signals De-Assignment of UID and PID Can See multiple as sessions can be Tree d Smb.cmd == 0x74 Smb2.cmd == 2

38 Other Filters Boot Time Smb2.boot_time File Name Client Requested to Access Smb.file File writing smb2.write_data

39 More Filters Process ID smb(2).pid == xx User ID smb.uid == xxx Tree ID smb(2).tid == xxx File ID smb(2).fid == xxx

40 More Filters Identify upload of exe (smb.create.action == 2) and (smb.file matches \. (?i)exe ) Identify exe being opened (smb.create.action == 1) and (smb.file matches \. (?i)exe ) Identify Host OS smb.native_os && smb.native_lanman

41 Persistence - AT Scheduling of Remote Jobs ATSVC scheduler Atsvc.opnum == 0 0 Add scheduled Job 1 Delete scheduled job 2 Enumerate lists of scheduled jobs 3 Get info about a scheduled job

42 Remove Clutter Lots of group policy, syn traffic, smb file update eg browser Use a filter to get rid of it ((smb2.filename) &&!(smb2.filename == browser )) &&!(smb2.filename contains {31B2F D-11D2-945F- 00C04FB984F9}\\gpt.ini ) Note if gpo number pukes just use \\gpt.ini

43 SMB IO Graphs Use those filters in IO Graphs Can display SMB activity over time Useful visual track DEMO

44 SMB Carving Wireshark DEMO File Export Objects SMB/SMB2 Network Miner DEMO