| Intro | Install | Configure | Troubleshoot | Optimize | PDC | Security |
David Lechnyr <david@lechnyr.com>
Wed, 14 May 2003 10:12:06 -0700
Samba is a file and print server for Windows-based clients using TCP/IP as the underlying transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.
Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only ran over UDP. When there was a need to run it over TCP so that it would be compatible with DECnet 3.0, it was redesigned, submitted to The Open Group, and officially became known as DCE/RPC. Microsoft came along and decided, rather than pay $20 per seat to license this technology, to reimplement DCE/RPC themselves as MSRPC. From this, the concept continued in the form of SMB (Server Message Block, or the "what") using the NetBIOS (Network Basic Input/Output System, or the "how") compatibility layer. You can run SMB (i.e., transport) over several different protocols; many different implementations arose as a result, including NBIPX (NetBIOS over IPX, NwLnkNb, or NWNBLink) and NBT (NetBIOS over TCP/IP, or NetBT). As the years passed, NBT became the most common form of implementation until the advance of "Direct-Hosted TCP" -- the Microsoft marketing term for eliminating NetBIOS entirely and running SMB by itself across TCP port 445 only. As of yet, direct-hosted TCP has yet to catch on.
Perhaps the best summary of the origins of SMB are voiced in the 1997 article titled, CIFS: Common Insecurities Fail Scrutiny:
Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have been dutifully waded through during the information-gathering stages of this project, and there are *still* many missing pieces... While often tedious, at least the way has been generously littered with occurrences of clapping hand to forehead and muttering "crikey, what are they thinking?"
SMB: Acronym for "Server Message Block". This is Microsoft's file and printer sharing protocol.
CIFS: Acronym for "Common Internet File System". Around 1996, Microsoft apparently decided that SMB needed the word "Internet" in it, so they changed it to CIFS.
Direct-Hosted: A method of providing file/printer sharing services over port 445/tcp only using DNS for name resolution instead of WINS.
IPC: Acronym for "Inter-Process Communication". A method to communicate specific information between programs.
Marshalling: - A method of serializing (i.e., sequential ordering of) variable data suitable for transmission via a network connection or storing in a file. The source data can be re-created using a similar process called unmarshalling.
NetBIOS: Acronym for "Network Basic Input/Output System". This is not a protocol; it is a method of communication across an existing protocol. This is a standard which was originally developed for IBM by Sytek in 1983. To exaggerate the analogy a bit, it can help to think of this in comparison your computer's BIOS -- it controls the essential functions of your input/output hardware -- whereas NetBIOS controls the essential functions of your input/output traffic via the network. Again, this is a bit of an exaggeration but it should help that paradigm shift. What is important to realize is that NetBIOS is a transport standard, not a protocol. Unfortunately, even technically brilliant people tend to interchange NetBIOS with terms like NetBEUI without a second thought; this will cause no end (and no doubt) of confusion.
NetBEUI: Acronym for the "NetBIOS Extended User Interface". Unlike NetBIOS, NetBEUI is a protocol, not a standard. It is also not routable, so traffic on one side of a router will be unable to communicate with the other side. Understanding NetBEUI is not essential to deciphering SMB; however it helps to point out that it is not the same as NetBIOS and to improve your score in trivia at parties. NetBEUI was originally referred to by Microsoft as "NBF", or "The Windows NT NetBEUI Frame protocol driver". It is not often heard from these days.
NBT: Acronym for "NetBIOS over TCP"; also known as "NetBT". Allows the continued use of NetBIOS traffic proxied over TCP/IP. As a result, NetBIOS names are made to IP addresses and NetBIOS name types are conceptually equivalent to TCP/IP ports. This is how file and printer sharing are accomplished in Windows 95/98/ME. They traditionally rely on three ports: NetBIOS Name Service (nbname) via UDP port 137, NetBIOS Datagram Service (nbdatagram) via UDP port 138, and NetBIOS Session Service (nbsession) via TCP port 139. All name resolution is done via WINS, NetBIOS broadcasts, and DNS. NetBIOS over TCP is documented in RFC 1001 (Concepts and methods) and RFC 1002 (Detailed specifications).
W2K: Acronym for Windows 2000 Professional or Server
W3K: Acronym for Windows 2003 Server
If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at http://www.samba.org). Optionally, you could just search mailing.unix.samba at http://groups.google.com
Currently, there are two projects that are directly related to Samba: SMBFS and CIFS network client file systems for Linux, both available in the Linux kernel itself.
SMBFS (Server Message Block File System) allows you to mount SMB shares (the protocol that Microsoft Windows and OS/2 Lan Manager use to share files and printers over local networks) and access them just like any other Unix directory. This is useful if you just want to mount such filesystems without being a SMBFS server.
CIFS (Common Internet File System) is the successor to SMB, and is actively being worked on in the upcoming version of the Linux kernel. The intent of this module is to provide advanced network file system functionality including support for dfs (heirarchical name space), secure per-user session establishment, safe distributed caching (oplock), optional packet signing, Unicode and other internationalization improvements, and optional Winbind (nsswitch) integration.
Again, it's important to note that these are implementations for client filesystems, and have nothing to do with acting as a file and print server for SMB/CIFS clients.
SMB, which stands for Server Message Block, is a generic protocol for sharing files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers. Microsoft implements their own form of the SMB Protocol, to provide file and printer sharing in all versions of Windows.
Traditionally, SMB uses the following:
| Protocol | Port | Service | Description |
|---|---|---|---|
| tcp/udp | 135 | RPC Endpoint Mapper (loc-srv) DCE Endpoint Resolution (epmap) NSC Local Location Broker (loc-srv) Location Service (loc-srv) | Remote Procedure Call (RPC) services are typically used by distributed applications such as SQL server and Exchange server. RPC services are assigned TCP and UDP ports dynamically. The RPC Endpoint Mapper service provides a mapping between RPC services and their currently assigned ports. Therefore, when a client requires access to a service using RPC, it must first request a port mapping from the RPC Endpoint Mapper, then it communicates directly with the service. |
| udp | 137 | NetBIOS Name Service (netbios-ns) | Translate NetBIOS names to IP addresses, much like DNS. There are several vulnerabilities for this service: Directory traversal vulnerability in the %m macro in the smb.conf configuration file in Samba before 2.2.0a allows remote attackers to overwrite certain files via a .. in a NETBIOS name, which is used as the name for a .log file (CVE-2001-1162); The NetBIOS Name Server (NBNS) protocol does not perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram, aka the "NetBIOS Name Server Protocol Spoofing" vulnerability (CVE-2000-0673); Denial of service in Samba NETBIOS name service daemon (CVE-1999-0810); Denial of service in WINS with malformed data to port 137 (CVE-1999-0288). Seval trojan virus' also use this port (both tcp/udp), including Chode, Qaz and Msinit. |
| udp | 138 | NetBIOS Datagram Service (netbios-dgm) | The trojan virus Chode also uses this port (tcp only). |
| tcp | 139 | NetBIOS Session Service (netbios-ssn) | File & Printer data transfer. There are several vulnerabilities for this service, most of which are specific to Windows (not Samba). Several trojan virus' use this port, including Chode, GodMessageworm, Msinit, Netlog, Network, Qaz, Sadmind and SMBRelay. |
| tcp | 445 | Direct Hosted Service (microsoft-ds) Win2k+ Server Message Block (microsoft-ds) | New method of File & Printer data transfer for W2K/WinXP/Win2003. There are several Denial-of-Service vulnerabilities for this service, most of which are specific to Windows (not Samba). |
When a logged-in user tries to connect to a remote machine network shares, for example \\server\myshare, the Windows client automatically sends the login information of the logged-in user to the SMB server before asking any username or password from the user. At this step, if the authentication fails, Windows pops up a window and asks for a username and password.
In general, SMB sessions are established in the following order:
"TCP Connection" - establish 3-way handshake (connection) to port 139/tcp or 445/tcp.
"NetBIOS Session Request" - using the following "Calling Names": The local machine's NetBIOS name plus the 16th character 0x00; The server's NetBIOS name plus the 16th character 0x20
"SMB Negotiate Protocol" - determine the protocol dialect to use, which will be one of the following: PC Network Program 1.0 (Core) - share level security mode only; Microsoft Networks 1.03 (Core Plus) - share level security mode only; Lanman1.0 (LAN Manager 1.0) - uses Challenge/Response Authentication; Lanman2.1 (LAN Manager 2.1) - uses Challenge/Response Authentication; NT LM 0.12 (NT LM 0.12) - uses Challenge/Response Authentication
SMB Session Startup. Passwords are encrypted (or not) according to one of the following methods: Null (no encryption); Cleartext (no encryption); LM and NTLM; NTLM; NTLMv2. The password is then hashed and sent to the computer requesting the session (ironically, before prompting for a password).
SMB Tree Connect: Connect to a share name (e.g., \\servername\share); Connect to a service type (e.g., IPC$ named pipe)
A good way to examine this process in depth is to try out SecurityFriday's SWB program at http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html. It allows you to walk through the establishment of a SMB/CIFS session step by step.
"What's fundamentally wrong is that nobody ever had any taste when they did it. Microsoft has been very much into making the user interface look good, but internally it's just a complete mess. And even people who program for Microsoft and who have had years of experience, just don't know how it works internally. Worse, nobody dares change it. Nobody dares to fix bugs because it's such a mess that fixing one bug might just break a hundred programs that depend on that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested in making money. They don't have anybody who takes pride in Windows 95 as an operating system.
People inside Microsoft know it's a bad operating system and they still continue obviously working on it because they want to get the next version out because they want to have all these new features to sell more copies of the system.
The problem with that is that over time, when you have this kind of approach, and because nobody understands it, because nobody REALLY fixes bugs (other than when they're really obvious), the end result is really messy. You can't trust it because under certain circumstances it just spontaneously reboots or just halts in the middle of something that shouldn't be strange. Normally it works fine and then once in a blue moon for some completely unknown reason, it's dead, and nobody knows why. Not Microsoft, not the experienced user and certainly not the completely clueless user who probably sits there shivering thinking "What did I do wrong?" when they didn't do anything wrong at all.
That's what's really irritating to me."
-- Linus Torvalds, from an interview with BOOT Magazine, Sept 1998
Copyright © 2003 David Lechnyr <david@lechnyr.com>
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free
Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.
| Intro | Install | Configure | Troubleshoot | Optimize | PDC | Security |