Permanent Link For Entry #863

Am I Using SMBv2?

So I wanted to see if I was actually using the new and improved SMBv2 with my ReadyNAS and its newer version of Samba.

It turns out the dialect is chosen when the client sends a "Negotiate Protocol Request" (display filter smb.cmd == 0x72 in Wireshark or tshark). An SMB2-capable client uses that SMBv1 request to advertise SMB2 as well, so that one packet is the place to look; a client that has already settled on SMB2 sends a native SMB2 Negotiate instead, which shows up as smb2.cmd == 0.

According to some vulnerability research at g-laurent's site:
"The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to a SMB server, and it's used to identify the SMB dialect that will be used for further communication."

This explains why it was rather tricky to find a Negotiate Protocol Request (even after NET USE /d): the dialect is only negotiated once, when the TCP session to the server is set up, and Windows typically keeps that session open for a while after the drive mapping is gone, so an existing connection never produces a fresh negotiate. I discovered that restarting the Workstation service (together with Computer Browser, which depends on it and so has to be stopped as well) is enough to make Windows drop its SMB connections and let you capture the negotiation packets.

From there, the details on richardkok's site show how to read what was actually negotiated.

To put it simply: in the request, look under "Requested Dialects" for "SMB 2.002" and/or "SMB 2.???", which is how an SMB2-capable client advertises SMB2 inside an SMBv1 negotiate. Then look at the response. A server that supports SMB2 replies with an SMB2 Negotiate Response whose Dialect field is 0x0202 (SMB 2.002) or 0x02ff (the "SMB 2.???" wildcard, meaning the server speaks SMB 2.1 or later and the client should follow up with a native SMB2 Negotiate). A server that only speaks SMBv1 replies with an SMBv1 Negotiate Response whose Dialect Index points back into the client's list, normally at NT LM 0.12. In my case, even with the client asking for SMBv2, the Netgear ReadyNAS running RAIDiator-4.1.9-T15 with Samba 3.5.15 returned NT LM 0.12 (SMB v1): SMB2 support in Samba 3.5 was experimental and was not finished until Samba 3.6, where it still had to be switched on explicitly with max protocol = SMB2 in smb.conf.
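As an added illustration (not part of the original post, and not ReadyNAS or Samba code), here is a small Python parser that performs the same check on the raw bytes of a captured Negotiate Protocol Request and its reply instead of eyeballing Wireshark. The packets it runs on are constructed inline to mimic the exchange above: a Windows-style dialect list that includes "SMB 2.002" and "SMB 2.???", an SMB1 reply selecting "NT LM 0.12" as the Samba 3.5 NAS did, and an SMB2 reply carrying the 0x02ff wildcard. Field offsets follow MS-CIFS and MS-SMB2; everything outside the parsed fields is zero filler.

```python
import struct

# Added example, not code from the original post: decode an SMB1 Negotiate
# Protocol Request and the server's reply to see which dialect was chosen.
# Field layouts follow MS-CIFS / MS-SMB2; the sample packets are constructed.

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72       # Wireshark: smb.cmd == 0x72
SMB2_COM_NEGOTIATE = 0x0000     # Wireshark: smb2.cmd == 0
SMB2_WILDCARD_DIALECT = 0x02FF  # "SMB 2.???": server speaks 2.1+, expects a native SMB2 negotiate next

SMB2_DIALECT_NAMES = {0x0202: "SMB 2.002", 0x0210: "SMB 2.1", 0x02FF: "SMB 2.??? (wildcard)",
                      0x0300: "SMB 3.0", 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def strip_nbss(payload):
    """Drop the 4-byte NetBIOS Session Service header (type 0x00 + 24-bit big-endian length)."""
    if len(payload) < 4 or payload[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(payload[1:4], "big")
    msg = payload[4:4 + length]
    if len(msg) != length:
        raise ValueError("truncated SMB message")
    return msg


def _parse_dialects(data):
    """Each 'Requested Dialects' entry is 0x02 followed by a NUL-terminated ASCII string."""
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("malformed dialect entry at offset %d" % pos)
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects


def requested_dialects(request):
    """Return the client's dialect list from an SMB1 Negotiate Protocol Request."""
    msg = strip_nbss(request)
    if msg[:4] != SMB1_MAGIC or msg[4] != SMB1_COM_NEGOTIATE:
        raise ValueError("not an SMB1 Negotiate Protocol Request")
    word_count = msg[32]                 # SMB1 header is 32 bytes; WordCount follows it
    bc_off = 33 + 2 * word_count         # ByteCount sits after the parameter words
    byte_count = struct.unpack_from("<H", msg, bc_off)[0]
    return _parse_dialects(msg[bc_off + 2:bc_off + 2 + byte_count])


def negotiated_dialect(response, dialects):
    """Return (family, code, name) for the server's answer to the SMB1 negotiate.

    An SMB2-capable server answers with an SMB2 Negotiate Response (0xFE 'S' 'M' 'B');
    an SMB1-only server answers with an SMB1 response whose DialectIndex points into
    the client's list (0xFFFF means no dialect in common).
    """
    msg = strip_nbss(response)
    if msg[:4] == SMB2_MAGIC:
        if struct.unpack_from("<H", msg, 12)[0] != SMB2_COM_NEGOTIATE:   # Command field
            raise ValueError("SMB2 message is not a Negotiate Response")
        revision = struct.unpack_from("<H", msg, 64 + 4)[0]   # 64-byte header; DialectRevision at body +4
        return ("SMB2", revision, SMB2_DIALECT_NAMES.get(revision, "unknown 0x%04x" % revision))
    if msg[:4] == SMB1_MAGIC and msg[4] == SMB1_COM_NEGOTIATE:
        index = struct.unpack_from("<H", msg, 33)[0]          # first parameter word: DialectIndex
        return ("SMB1", index, "no common dialect" if index == 0xFFFF else dialects[index])
    raise ValueError("not a Negotiate Protocol Response")


def summarize(request, response):
    """Both directions at once: did the client offer SMB2, and what did the server pick?"""
    dialects = requested_dialects(request)
    family, code, name = negotiated_dialect(response, dialects)
    return {"offered_smb2": any(d.startswith("SMB 2.") for d in dialects),
            "family": family, "code": code, "dialect": name}


# --- constructed sample packets (zero filler outside the fields parsed above) ---

def _nbss(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def _smb1_header(command, reply=False):
    # Magic, Command, Status, Flags (0x80 = reply), Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PID, UID, MID
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0, 0x80 if reply else 0, 0, 0,
                       b"\x00" * 8, 0, 0, 0, 0, 0)


def build_negotiate_request(dialects):
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nbss(_smb1_header(SMB1_COM_NEGOTIATE) + bytes([0]) + struct.pack("<H", len(data)) + data)


def build_smb1_negotiate_response(dialect_index):
    # NT LM 0.12 reply has WordCount 17; DialectIndex is the first word, the other 16 are filler here
    return _nbss(_smb1_header(SMB1_COM_NEGOTIATE, reply=True) + bytes([17])
                 + struct.pack("<H", dialect_index) + b"\x00" * 32 + struct.pack("<H", 0))


def build_smb2_negotiate_response(dialect_revision):
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, SMB2_COM_NEGOTIATE, 1,
                         0x1, 0, 0, 0, 0, 0, b"\x00" * 16)     # Flags 0x1 = SERVER_TO_REDIR
    body = struct.pack("<HHH", 65, 1, dialect_revision) + b"\x00" * 59   # StructureSize, SecurityMode, DialectRevision
    return _nbss(header + body)


# Windows-style offer (constructed) and two answers: what the Samba 3.5 NAS in the post
# did (pick "NT LM 0.12") versus an SMB2-capable server replying with the 0x02ff wildcard.
CLIENT_DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12", "SMB 2.002", "SMB 2.???"]
SAMPLE_REQUEST = build_negotiate_request(CLIENT_DIALECTS)
SAMPLE_RESPONSE_SMB1 = build_smb1_negotiate_response(CLIENT_DIALECTS.index("NT LM 0.12"))
SAMPLE_RESPONSE_SMB2 = build_smb2_negotiate_response(SMB2_WILDCARD_DIALECT)

if __name__ == "__main__":
    print("Samba 3.5-style reply:", summarize(SAMPLE_REQUEST, SAMPLE_RESPONSE_SMB1))
    print("SMB2-capable reply:   ", summarize(SAMPLE_REQUEST, SAMPLE_RESPONSE_SMB2))
```

To use it on a real capture, feed strip_nbss-style TCP payloads from the first two packets after the handshake on port 445 (or port 139 after the NetBIOS session request); the "offered_smb2" flag combined with "family" == "SMB1" is exactly the ReadyNAS situation described above, where the client asked for SMBv2 and the server declined.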

Shame..