impacket icon indicating copy to clipboard operation
impacket copied to clipboard

Published 20 hours ago verified publisher icon fortra

Unable to access share using SMB 3.1.1

Open iptwLcP9 opened this issue 2 years ago • 3 comments

Configuration

impacket version: 0.10.0 Python version: 3.8.2 Target OS: Windows 10 21H1

Description

When trying to connect to the IPC$ share using SMB 3.1.1 I get an STATUS_ACCESS_DENIED error. However, it works using SMB 2 (without set the preferredDialect parameter).

Debug Output With Command String

Python script:

from impacket.smbconnection import SMBConnection, SMB2_DIALECT_311

REMOTE_HOST = '192.168.86.136'
REMOTE_PORT = 445
DOMAIN = '.'
PASSWORD = 'admin'
USERNAME = 'admin'

print('>>> Create SMB connection')
smb_connection = SMBConnection(remoteName=REMOTE_HOST, remoteHost=REMOTE_HOST, sess_port=REMOTE_PORT,
                               preferredDialect=SMB2_DIALECT_311)

print('>>> Login {}\\{}:{}'.format(DOMAIN, USERNAME, PASSWORD))
smb_connection.login(user=USERNAME, password=PASSWORD, domain=DOMAIN)

share = '\\\\{}\\IPC$'.format(smb_connection.getRemoteName())
print('>>> Connect to {}'.format(share))
tree_id = smb_connection.connectTree(share)

print('>>> Disconnect tree')
smb_connection.disconnectTree(tree_id)

print('>>> Close connection')
smb_connection.close()

Script output:

>>> Create SMB connection
>>> Login .\admin:admin
>>> Connect to \\DESKTOP-NN1GTPH\IPC$
Traceback (most recent call last):
  File "D:\Tools\impacket\impacket\smbconnection.py", line 358, in connectTree
    return self._SMBConnection.connect_tree(share)
  File "D:\Tools\impacket\impacket\smb3.py", line 1096, in connectTree
    if packet.isValidAnswer(STATUS_SUCCESS):
  File "D:\Tools\impacket\impacket\smb3structs.py", line 458, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:/Tools/impacket/examples/my_example.py", line 29, in <module>
    tree_id = smb_connection.connectTree(share)
  File "D:\Tools\impacket\impacket\smbconnection.py", line 360, in connectTree
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

PCAP

Packet capture using SMB 3.1.1: smb311.pcapng Packet capture using SMB 2: smb2.pcapng

Additional context

I've found the following event in the target OS: event1004

iptwLcP9 avatar Jul 20 '22 17:07 iptwLcP9

Hi @iptwLcP9!

Thanks for the detailed report. Here's something... I'll check it out.

0xdeaddood avatar Jul 22 '22 15:07 0xdeaddood

Hi @iptwLcP9!

We aren't detecting if the server supports encryption in SMB 3.1.1. In this version, the encryption capability is no longer included in the capabilities field (SMB2_GLOBAL_CAP_ENCRYPTION bit) of the SMB Negotiate response.

I opened a PR #1373, improving some things in SMB 3.1.1. It should fixes this issue. Please check it out and let me know.

0xdeaddood avatar Jul 25 '22 01:07 0xdeaddood

It works perfectly. Thanks @0xdeaddood!

iptwLcP9 avatar Jul 25 '22 16:07 iptwLcP9