SF17EU - 10: SMB Handshake: The Devil Lies in the Detail (Eduard Blenkers)

Captions
My name is Eddie and I have the pleasure of presenting to you a few details on SMB. This talk will focus just on one very special phase, where the client is connecting to the server. We will look at certain flags which are exchanged during the handshake, and from there we will examine the behavior of the client and server system. Whatever we see here can be controlled in Windows through parameters: through properties of a share, through a group policy object, or through just a registry setting.

Now before we dive into that, there is one critical point that Betty has slightly covered in her presentation. When a client connects to a server, your Windows workstations and your Windows servers both have to observe a large and long history of SMB file sharing. Now SMB goes back to 1982, so that's 25 years of network protocol right there. That protocol has been expanded, features were added, until it is now in the shape that we use in Windows 10 and Server 2016. So the majority of trace files and details that are covered here will refer to Windows 7, Windows 10 and Server 2016.

And now just a quick question here: who of you is using Windows, or is more interested in Windows, in a domain environment, like an enterprise network, in domains? That's quite a number of people here. OK, who of you is more concerned with Windows in smaller networks that use workgroups or home networks? Just one, two, three. OK, now we focus on enterprise networks, and certain things are different in enterprise networks; we will get to that.

Now the first thing that happens when the client establishes this: after the client has established a TCP connection, it goes to the server and offers a selection of SMB dialects. So we call it an SMB dialect: a workstation supports SMB 1, like it was used in Windows XP for example, or SMB 2 in the variations from Windows Vista and Windows 7, and starting with Windows 8 an SMB 3 version was introduced. And each version brings with it certain capabilities, certain features. The very
old versions of SMB would only allow plaintext authentication, which is a big no-no in today's world. So later we had various encryption, various methods to exchange encrypted passwords; currently we hopefully all use Kerberos tickets to authenticate against the file server. And these capabilities were added over time, and the workstation and the server have to find a common set of parameters to identify how they can request certain functions or deliver certain results.

Now what we see here is, on a newer system, on a Windows 10 system, you would see a selection of available dialects, and you see here several numbers added. Now this one starts right away with SMB 2. Now SMB 2 has been introduced with Windows Vista; I've covered that in my talk at SharkFest last year, and it was with SMB 1 and SMB 2. Who of you would not know the fundamental differences between SMB 1 and 2? Would you feel more calm if I spent just two minutes talking about that? OK, who of you has still... no, I will not ask you, but please ask yourself, because it's embarrassing if you have to raise your hand, and I don't want to embarrass anybody here. But probably you will have in your network somewhere a computer running Windows XP, Server 2003 or anything older. The other day I have encountered somewhere a Windows 95 system, which was like, oh my god, we still have these.

Now these systems run with an older version of SMB. That version of SMB actually goes all the way back to a gentleman called Barry Feigenbaum, who at that time worked with IBM and had developed a protocol that would exchange files without using TCP/IP. So that very old protocol, which was in LAN Manager, NetBEUI, NetBIOS, all that, writes directly on an Ethernet frame or a token ring, if you still remember token rings, and later IP headers were added to that. And the protocol was found in Windows NT, in Windows 2000, in Windows XP, and like every player in the storage industry and a lot of companies working in the IT industry added
features to that open protocol. And if you look at an old handshake from NT 4, you might see things like a Xenix-related SMB dialect. So there is a lot of detail and a lot of old junk that was added more and more to that protocol, and it was very hard for Microsoft to maintain all these dialects. They brought with themselves a number of restrictions which definitely slowed down SMB and made file access, especially in a geographically dispersed network, very difficult. So if you have, say, one server here in Europe and you have a workstation sitting in the United States, you have several thousand kilometers or miles distance between these two workstations, and response times are greatly driven by the speed of light, or by the speed with which bits can travel over the cable, over the wire. Now we cannot change the speed of light, so the protocol has been changed to allow better performance over these wide area networks. That is one of the huge differences and one of the huge advantages in using SMB 2.

Now that was introduced with Windows Vista; now we are at Windows 10. We had several major updates in the Windows operating system, and most notably, at the beginning of the year a set of vulnerabilities became known in the old SMB protocol. They are known as EternalBlue. Who has heard about EternalBlue, WannaCry, that Petya thing? Now here hands go up. Actually this refers to a certain vulnerability in the SMB protocol, and I talked about the old SMB protocol as it is found up to and including Windows XP. This allows an attacker, by crafting special packets, to take control of the vulnerable workstation or the server, and by now we have seen various waves of malware that have exploited that vulnerability. So if you look at WannaCry, if you use WannaCry as a term, or Petya or NotPetya, which was a malware wave that hit mainly the Ukraine and a few systems in the neighboring countries, these malwares caused great damage; they basically left a computer unresponsive or unusable. So
you want to remove your old XP systems. And among the more popular or more well-known companies, or the more well-known victims of that vulnerability, are FedEx and the shipping company Maersk. Both of these companies have stated that this malware attack has caused financial losses in the area of approximately 300 million dollars. So get rid of SMB 1, because for most companies a loss of $300,000,000 is probably deadly; you have to be very big to be able to shoulder that type of loss, and certainly it is a lot cheaper to upgrade your infrastructure. No matter what it costs, it's probably cheaper than 300 million to upgrade to newer equipment.

Now still today your workstation can be enabled to go into that XP compatibility mode, but a modern Windows 10 system will tell you no, at least we want to have the functional level of a Server 2008. If you want to have communication between Windows 10 and XP, or Server 2016 and XP, you have to fiddle with your configuration. But the big message is: turn off that SMB 1 thing, and therefore we only look at SMB 2.

I'll show you one short trace file, how it looks when a Windows 7 system establishes a connection. You will notice that in the protocol column here, you'll notice the first line has SMB as a protocol and all other lines are labeled as SMB2. Now by the way, everything I'm looking at here only covers the application layer, so I'm looking at SMB or SMB 2; I'm not looking at TCP, at TCP handshakes, at window sizes, retransmissions etc. I'm not interested in that for the purpose of this talk. Now you see that the workstation sends one single SMB packet, and that SMB packet will be understood by other implementations of SMB, like Server 2003, and by the latest server, like a Server 2016. And here the server, sorry, the client presents a number of dialects that it would support, and see here the old PC Network Program, LAN Manager 1, Windows for Workgroups 3.1a. So you can here use literally 20-year-old
protocols to exchange data. Now note that we have here SMB 2.??? with three question marks, which indicates: hey, remote server, I could speak various variations of the SMB protocol, but let's see what we have here. Microsoft had ultimately decided that this list could grow forever and ever and become very long, so they decided, with SMB 2, we just send here one general wildcard character, and the server will then say, well, if you speak SMB 2 something, let's see what exactly you can do or what exact version we can find. And in the next step the client will present here the available dialect versions that they could use, and usually client and server choose the highest common protocol dialect. That is in general what we want to see; there are exceptions, which we leave out for the second. So the client offers a selection of available dialects and the server will choose the highest common version.

Starting with Windows 8, Microsoft pulled a very interesting marketing stunt: they added a version number, and they bumped the version number to SMB 3. This was a marketing decision; as far as I know, the internal packet structures, the signature which makes Wireshark decide "oh, that is SMB" or "SMB2", that signature has been left intact. So it's the same signature for SMB 2 and SMB 3, and therefore Wireshark will decode that whole thing as SMB2. Wireshark cannot at this time see SMB 3 and say "oh, that is version three"; we know that from the handshake, because we see 3.something in the handshake, but Wireshark will display versions 2 and 3 of SMB with the display filter smb2. SMB 3 is everything Windows 8 and later.

So when I analyze that type of traffic, there are two main filters which start my investigation. The first one is, I focus on the TCP ports, which can be 139 and 445; both are used more or less for the same purpose. 139 is just for compatibility reasons
and compatibility with NT 4, one extra exchange of information, but all major current traffic works on port 445. Now, I'm only interested, once the TCP handshake has been sorted out and we see that there's no packet loss, no retransmissions etc., I start my analysis, or focus my analysis, just on the protocol versions of the application layer, SMB or SMB2. Now remember, the display filter smb2 will also cover SMB 3.

The most important takeaway message that I want to give you is: turn off SMB 1. There are several articles on the Microsoft home page on how you can do that. Turn it off. There are several methods around: you can fiddle with the registry, you can write a number of PowerShell scripts, you can use your group policy option in a domain or network. So just turn it off.

One feature that I find very interesting is called SMB multipath. SMB multipath breaks a certain habit that is time-tested. So for the last 25 years we have seen that an SMB connection limits itself to one TCP connection, so there's a strict relationship: I access one share, which uses one TCP connection, that's it. That brings in itself certain limits. You've probably seen Jasper's talk about TCP; if you remember things like receive-side window, receive and transmit windows from using TCP, the detection of packet drops and the reaction to packet drops, that can cause TCP to throttle its whole send rate so that you will not saturate a link. In other terms, if you have one TCP connection and you have a 10 gigabit link between the client and the server, you're likely to have it running at probably 7.5 gigabit in the long run, in terms of use, depending on the recovery algorithms, how TCP reacts to the packet loss. Now to get around that, Microsoft has added SMB multipathing, which means the client can use multiple TCP sessions.

Now just for a second, what is happening when the client connects to the server? We had that negotiate protocol request, where the client
introduces its own available version numbers, the server selects one of these versions, and then the client would authenticate itself. That is done with that statement called session setup request and the response. Now the workstation usually knows which share I want to access, and we have to find out. In this file I've created a server called dc1 and I've added a share called trace files; now you can guess what you'll find on that share. And it is possible that the data is replicated between various servers. That process of replicating the same information, the same files over various servers, is done with a feature called the distributed file system. That is very common if you load login scripts, or if you load policies from a special volume called SYSVOL. So there's one share found on every domain controller, which is the sysvol share, where you'll find group policy files, where you find logon scripts and other information. Now that would be a typical DFS-enabled share, and the client can select each one of the available servers using a feature which I will not cover right now; the client can decide to choose a geographically close server to obtain the information.

Now to find out if that special share is accessible through DFS, the client makes a special connection to that thing called IPC$. IPC stands for inter-process communication and allows general exchange of information. And now the client is asking: hey, I need to know about that thing, trace files, would that share be available as a DFS share? And the response is no. First we got to say this is pending, I'm working on that, stay with me, and within the same millisecond we got a "no", status not found, which means it's not DFS enabled. It's not a decision if that share is available on that server or not; that will be determined in the next step. It's just the information that share trace files is not DFS enabled. Great, whatever. Dear server, I would like to access the trace file share
here directly on you, and that is what we get: the tree connect response, and now we can access files on that share. If now, probably a virtual drive letter, like S or X or whatever your share's folder, whatever you specify. Now this sequence of events has been used billions and billions of times in communications between client and server.

SMB multipath changed that, because right now everything is happening in one TCP connection. Starting with Windows 8 we got multipathing, and now, after the client makes the initial connection to the server, it asks the server: would you have more than one network interface? We see here that special query, the IO control query network interface info, and the server then responds and goes, say, hey, yes, look here, I got a bunch of IPv4 addresses, IPv6 addresses, go pick something, and I have a bunch of network interfaces that you can use to access data from me. And if you look here, the server reports these are all 10 gigabit interfaces. That's great, so we have here one, six, seven, eight different IP addresses, each of them with 10 gigabit bandwidth, so we can suck a lot of data from that server, let's go.

Now you all work in the networking area: how would your backbone respond to a client pulling down 40, 50, 60 gigabit with one get request from the server? I dare say that about every buffer between the server and the client will be full, you will have packet drops in unrelated sessions, you might, unless your quality of service is really well configured, you might lose telephone calls, but you will encounter all types of problems. Well, let's see also, if you have a firewall between your client and your server, we'll see what happens next: the number of states in the state table for the firewall will go up. What also will happen is the client needs extra round-trip times to use all these multipaths. So if you have a very long network with a lot of bandwidth, you have to decide if multipathing is really good for you.

Now as soon as the client
has learned, hey, great, I'm now aware of several IP addresses for the server, look what it is doing: it is adding, at this time it's just eleven, which is what I could roughly fit on that slide here, it is opening eleven or maybe even more TCP connections and SMB connections to that server. And note that all these IP version 4 addresses were found in the earlier statement that we've seen in the first screenshot. And I've added all these colorful lines here by using a Wireshark feature, which is right-click on the line and Colorize Conversation, TCP, and that allows me to visualize the behavior of the client, and I see, oh my, he's now opening a number of TCP sessions. Here's a slide so that you can find that out: just a right-click here on the side and then you'll find there, one step lower, the information Colorize Conversation.

Now since we now have a number of TCP sessions and they all refer to one SMB connection between client and server, I want to focus on all information that could be exchanged between client and server. I can write very, very long display filters which rely on the IP addresses and TCP ports, but these become very hard to manage; there's a high chance that I skip a TCP port, and I just forgot port number 50010 or 11 or 12 or whatever I have overlooked here in my long chain. So instead, as part of the handshake, the server will assign an SMB session ID to the client, and that session ID is this long number shown here in the SMB2 header. And I can right-click on that number, because it's so long that I cannot just type it up without a typo, and I use that function Prepare a Filter, Selected, and now I have the matching display filter up in my filter line here. That gives me all the packets related to just this individual connection between client and server, no matter which TCP connection is being used. Just excuse me
for one second. Angelo, am I giving you a hard time? Is it still OK with all your movie things? OK, good. Last year I was running around and he had a very hard time tracking with the camera, and it looked a bit bumpy, I guess. So OK, here we go.

Now, the handshake: for every single handshake, or every single TCP session, client and server will redo the negotiation of the SMB dialect. There are very few situations where the dialect can change depending on the resource which you access from a server. So it might be that you have a cluster of Windows servers running mixed versions, and in that situation the server might revert not to the highest available dialect number but the highest available common dialect number for all servers. So it might be that the server downgrades to something that a 2012 server can understand, even if your 2016 server could do more. And now please note that here the client repeats its authentication; it goes like, hey, here's my session setup request, so you know that it's really me, the client who has been authenticated earlier. And then we're asking for some information about a file, so there's no tree connect statement, no query for a distributed file system; all that has been done in a different TCP session, and now we just continue working with whatever the user wants us to do.

What I personally find very impressive, in both the implementation from Microsoft and how Wireshark detects that and handles it, is: it might be that one TCP session is used to open a file and a second TCP session is used to close the file. So within one SMB session it's just the stream of application, whatever the user is doing; the client is just transporting through the SMB protocol all the requests, and they are split over multiple TCP sessions, and Wireshark detects that. Please note that here I've chosen a display filter which focuses on one single TCP session, and let's say that a close statement is in frame 395 and the file handle
was opened in 394, and that frame number 394 is not visible; it's happening in a different TCP session. So if you are just focusing on one TCP session, just on a single server IP address, chances are that you are missing parts of the picture. You only get a fragment of the required traffic, and it would not make sense to just look at that close statement without the other information; it only makes sense in the context of the SMB session. So focus your analysis on the SMB2 session ID.

When we want to analyze that little part of the handshake, there again are the two takeaway messages that I want to give you. One is: focus on the session, on the SMB session ID. And the second one is just a brief look at the TCP session. It could be that your Windows server has multiple interfaces and one is just dedicated for backup purposes, or one interface is just dedicated for management purposes. So if the client tries to access that backup or management network, it might be isolated, and that can cause a bit of TCP trouble there, but it should be easy to spot that if the SYN request goes unanswered. So you have to make sure that the server would not offer this special IP address, that protected IP address, to the client.

Now the important part is that all these many TCP sessions running over multiple ten gigabit links, there are servers just pushing data into the network, that can overload your WAN, especially if client and server are geographically dispersed. Luckily we can get away with that overload situation: there is a concept in Windows where you can define all your subnets, so you can configure all available networks in your Active Directory. You can link these network addresses to a concept called a site in the Active Directory, which is usually like a building or a city, or just one entity where your company is present, one part of your network. And using again a GPO feature, policy-based quality of service, you can define, or you can limit,
the number of bits per second that a server would send into that network segment. So your server might have two ten gigabit interfaces, but you as network administrator are aware that the slowest link is 100 megabit; you can tell that information to the server, stored in the Active Directory, and the server itself will limit it and just not exceed the bandwidth that you have configured, even if multiple clients are sending requests at the same time, which means we avoid TCP packet loss in the first place. And of course the important message, it's a $300 million message for everybody who was encountering, who was threatened by old SMB systems: get rid of SMB 1.

Now before we just stop that and go on to caching, I'm doing a lot of talking here, I hope I'm not too fast, but I want to do something that has never been done at SharkFest before. Please look to your left, look to your right, and I would like to give you like 90 seconds to talk to your neighbor and explain to him the most important point that you just took away from the first couple of slides. OK, I give you 90 seconds, just go ahead, talk to each other: what was the most important thing that you took away here from this part?

OK, I hope you could explain, all of you got something from that. If you struggle with something right now, that would be a good idea, OK, maybe come back to me later, and we will save a few minutes for questions and answers. That means I didn't explain myself clearly enough and I have to go into that topic again, or we can clarify that up here for everybody else.

OK, next topic is caching. When a client is retrieving data from a server, the server may allow the client to cache the files, or cache certain information, either locally or even transmit the files to other systems on the same network and go like, hey, I have some information here if you're interested. So we can do client-side caching, and they call that: either you can cache it locally, depending on the configuration,
I show you how that looks in a second, or we have something called a branch cache, where you have a network segment where all your workstations reside and the client retrieves files from a central site and would store it, cache it locally, and make it available for other systems who are interested in just the same file, so it only crosses the network link once. That is called a branch cache. It can be stored either on all the workstations in one network segment or, depending on how you design your network, you might have one dedicated server which is used as a local cache, and that would be called a hosted cache.

Now that caching is part of the properties for a share. This screenshot here is taken from a Server 2016 where I've configured a share, and you're guided through a wizard, and that wizard will ask you at one setting here: do you allow the workstation to cache data from this share? And we can even make it more specific: OK, you enable the BranchCache for that file share, which means the data is not just available to this one client, but it would be available to all systems either in the same subnet or in the whole building, if you want to configure it like that. So: allow caching of share.

Now this is one of the points where we have to take a very good look at the trace file. Now first of all, when the server responds, in the tree connect response (remember, the tree connect statement happens when I access a certain share name; here it is called caching, you see it in brackets: caching with BranchCache is enabled), the server would indicate that here with this single bit, enable hash version 1 is true, which indicates: hey, you can cache that somewhere using the BranchCache feature. There are two different types available, enable hash version 1 and 2, which are different implementations of that branch caching feature, depending on what functional level you have. You can filter for that using the display filter smb2.share_flags.enable_hash_v
1. Luckily we don't have to remember these long topics here. Actually, let me show you a little trick in Wireshark; that should be visible, I hope you can read all that. When I start typing in Wireshark a filter name, for example like the one we've seen here on the slide, you see that smb2.share_flags, unfortunately I cannot make this big here, this is the filter line, so I'm typing it here. As soon as I type things here and start share_flags, Wireshark would offer an auto-completion feature and would show me all the available filters that fit here, or you can find it here in the status line at the end of your screen. This is completely unreadable on the large screen, that is why I've typed it in Notepad. Well, as soon as I start to type something here, a dot, you see out here a list of available filters comes up. Now the good part is, with my limited brain capacity I could never remember, is it share-flags or share_flags or share.flags? Now that auto-completion feature is very nice, because it shows me these are the available selections, and if I type it fast enough my boss will not notice that I'm just reading it off the list; he thinks I'm a god at packet analysis because I know all the filters by heart. I certainly do not, especially not for such a big protocol like SMB 2.

Now the server can also forbid the client to cache files. Now there might be good reason to do that, either because you know that this is highly volatile data, or you know for certain reasons you don't want to have it on your workstation's disk because you don't trust the workstation. So the server can forbid the client to cache data. Now note that here in the share flags we have the number 30, so the 3 would be two bits, correct? I would expect that two bits are set to one in this number. If you look at the Wireshark decode, you will notice that the lowest bit is decoded, the second lowest bit is decoded, and then there are six bits which are
not explained. But clearly Windows is using two of these flags here, so to spot that I have to take a really good look at the trace file, and I have to examine these share flags, and if I suspect that sharing or that local caching could help me, I really have to dive into that. Luckily the Wireshark developers who are in charge of the SMB2 decode, which is mostly Richard, was doing a lot of heavy lifting. Richard, are you here? Oh no, he's not here, it's a pity. So Richard Clara is doing a great job in maintaining that; there's already a bug request open that someone requests a decode for that flag. So once in a while, when Microsoft adds new features to the protocol, it takes some time until really the last details are covered in Wireshark, but over time they would certainly all come in.

Now caching can help you a lot. If you use that branch caching feature, the workstation will send a request: hey, I want to access that share. The server says, well, branch caching is enabled, you see here that the version 1 hash tag is being set, and then the workstation will retrieve a hash. Now branch caching works like this: the server splits a file up into, roughly speaking, 64 kilobyte blocks; it chops it up into tiny pieces, and the client will first ask for a hash code of that interesting 64 kilobyte block, and instead of sending that 64 kilobyte block over the line, we only transmit a short hash code. And then the workstation would ask all the neighbors, or the cache hosts, hey, is that piece of information available somewhere here in my site? And only if nobody has that piece of data, then we transfer the whole data block. And you configure that, as most things in a Windows network, by using group policies, so your policy editor goes like Policies, Administrative Templates, Network, BranchCache; congratulations, here is a whole set of things that you can configure. Now this caching only kicks in by default if the round-trip time between client and server is at 80 milliseconds.
You can set that to zero, which means the client will always try to cache. There might be situations when you feel like, well, I have my own bunch of fiber cables here for a cross-Atlantic cable and I'm not worried about bandwidth, but the number of TCP turns hurts me a lot in my application, and you probably want to turn off that caching. Now that depends on each and every individual share and on the way your users use the infrastructure. So the important part is: caching can be helpful, but check if it would be useful for you. It does not make sense to use the distributed branch cache for your data stored in a user profile. Anybody got an idea why that could be? I mean, if I download files from my user profile, with my personal documents, my pictures and whatever I have, I don't want that on my workstation; there is nobody else interested in that. But if you have a file share with a lot of, say, company policies or marketing documents that a lot of people have access to and a lot of people need, it makes sense that you copy it once, and only the changed files or changed portions will be replaced. So that might be a typical candidate that you put on a share, or on a BranchCache-enabled share, but for my files nobody else but me with my workstation will access these files.

One more part before we start with questions and answers, which is encryption. Starting with Windows 8, Microsoft has added encryption as an optional parameter to SMB 3. So the client, again, your server administrator, will maybe increase it a bit: the server administrator will define as a property of the share, this has to be encrypted. This does not relate to data on the disk, but this refers to data in transit. So when a client accesses this share using SMB 3, the data will be encrypted in transit. Unfortunately it is very hard for us to investigate that in Wireshark. Again, here's a screenshot: the tree connect statement is where a lot of important details are revealed about the configuration of the share,
and this time you see here's the number 8 is set which means one bit has been set and Wireshark decrypted and decodes it and goes again oh yes encrypted data required that is the where where the server orders the client you have to encrypt all your requests and I will encrypt all my responses note that here again the two bits ville 3 are defined which means something which is currently not decoded with Wireshark two point four point two once this bit has been detected by the client everything else will be encrypted and all you'll see is like encrypted smb3 and you cannot tell from the decode if that is a file open operation if data is being read if data is being written if some NOC management is happening or any other interesting things are happening on that wire so no look into that I'm sorry well wait a second encryption is clearly an SMB 3 feature it has been introduced with Windows 8 now you might be tempted to break out that Windows 7 box and go like hey let's go to that share and let's start the application and see what's happening no such luck here's the client sending at reconnect through the share code confidential and getting an access denied so even though we are giving the right username and password the server will reject access and will tell you access denied now that could also be a return code for sorry we are missing the ACL on the server you're missing the rights in the file system but unfortunately that access denied refers to a lack of protocol so the workstation does not support encryption the server notes remember the server knows from the handshake oh we've chosen SMB 2.1 here for that Windows 7 client and now we are requesting an SMB 3 feature and instead of sending data out in plain text Microsoft will not give you the Windows server will not give you access to that data you need something newer at least Windows 8 to access that share so that is a bit misleading personally I would have hoped for something more understandable which hint 
points me into the right direction like missing file system feature or encryption required but well that's what we get now again the important part is mb3 allows encryption of SMB traffic but that requires Server 2012 or later or Windows 8 Windows 10 or later anything older will get the slightly confusing message access denied sorry please say again yes that is certainly one thing that access denied is certainly available as an error code that can be translated into something for the user but it's probably one of the cases where you have a hard time in destroying that so it's they would not understand the return code yes definitely yes so axis T naught is probably not a bad choice because every smb2 implementation would understand as a access denied yes sir yes yes so if you see that excess tonight you have to go for the SMB version that has been requested and going ah it's that my problem yes and you have to dig a bit deeper definitely the most important part again I cannot emphasize this enough get rid of as be one even if you find that boring yes there's a whole bunch of systems I know turning off SMB one can be painful there are scanners out which would store the documents which have been scanned through SMB one on a file share so you'll suddenly have to replace that scanner so there are all types of devices around which still speak as a b-1 you might have Point of Sales terminals which are running with a special version of Windows XP no chance that you will get get them with SMB just start a project to replace all these old devices please please pretty please so that brings me to the end of my presentation not exactly an hour and 15 minutes but we certainly have time for whatever question you have as long as I can answer them Christian please you want to take a picture like this ah okay no more questions is that because I overwhelmed you or you don't dare asking questions yes sir I'm not sure if you can do that actually I did not deep too deep into the windows 
policies but as soon as the server administrator checks the box and girls like use encryption then this is what the windows 7 system does and I think it makes a lot of sense because you have confidential data you don't want to have any expose it just because you have one old device from from a policy making sense but there might be ways around that you can certainly downgrade it you can tell it like well you said trick with the distributed cluster thing okay yeah that is very well possible so the question is there might be or the commanders there might be a feature available in Windows that enables all the client to access the encrypted shares using unencrypted traffic basically so you lower your security requirements for all those systems if you decide to do that okay well and everybody has to decide that case by case yes yes so for a number of years I think starting with Windows 2000 Microsoft has added IPSec and you can force through a group policy encryption of traffic between two systems based on IPSec and in general you have to use IPSec right from the beginning and use it even for DNS and whatever other traffic you have here is Richard thank you very much so by the way this is Richard who is doing a great job in with the Avaya the SMB des sector and for those who did not hear it let me repeat that you try to put in a change that every SMB one packet will be flagged in read through the wire shark expert indicating a potential security problem yes just like a TCP like like a spanning two year college e change or something like that yes absolutely excellent I would love to see that in Wireshark [Applause] any more comments or questions yes please for the police vital for the BranchCache how that works actually file is the files are stored in an encrypted method on the cache holes so you have either the workstations that are all so the question was like how would data be stored for that BranchCache thing and no no no if a piece is here a piece is there so it's 
not like the full file it may be stored on one system if you'll have one hosted cache and define that one server to be your caching server but if you have a distributed cache data can be found anywhere there's not necessarily is it restricted to one system a bit like a torrent yes and it would be stored in an encrypted method and the master keeps all that is it's documented from Microsoft it is generated when you create your domain and the process is not exactly easy to follow but there is a distort and an encrypted and protected way and unless you know that key you will not be able to retrieve the data that fragment from the from the hard disk so to decode that you have to be a member of the domain and need access to that key any more questions well I hope you're not sorry that I'm adding 50 extra minutes to your break then thank you very much for attending the session and please enjoy the rest of shortest [Applause]
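As an added example, not from the talk or from Wireshark, here is a small Python decoder for the SMB2 TREE_CONNECT Response body that makes the share flags the talk points at explicit: the offline-caching policy, the BranchCache hash flag, the ENCRYPT_DATA bit, any bits the table does not know (the talk's point about flags the dissector has not caught up with), and the access-denied outcome a pre-SMB3 dialect gets from an encrypted share. Bit values and the 16-byte layout come from MS-SMB2; the two sample responses are constructed, not captured.

```python
import struct

# SMB2 TREE_CONNECT Response ShareFlags bit values (MS-SMB2 section 2.2.10).
SHARE_FLAGS = {
    0x00000001: "DFS",
    0x00000002: "DFS_ROOT",
    0x00000100: "RESTRICT_EXCLUSIVE_OPENS",
    0x00000200: "FORCE_SHARED_DELETE",
    0x00000400: "ALLOW_NAMESPACE_CACHING",
    0x00000800: "ACCESS_BASED_DIRECTORY_ENUM",
    0x00001000: "FORCE_LEVELII_OPLOCK",
    0x00002000: "ENABLE_HASH_V1",  # BranchCache hash generation, version 1
    0x00004000: "ENABLE_HASH_V2",
    0x00008000: "ENCRYPT_DATA",    # server demands SMB3 encryption on this tree
    0x00040000: "IDENTITY_REMOTING",
    0x00100000: "COMPRESS_DATA",
}
CACHING_MASK = 0x30  # two-bit offline-caching policy field
CACHING = {0x00: "MANUAL_CACHING", 0x10: "AUTO_CACHING",
           0x20: "VDO_CACHING", 0x30: "NO_CACHING"}
SHARE_TYPE = {0x01: "DISK", 0x02: "PIPE", 0x03: "PRINT"}
SMB3_0_0 = 0x0300  # first negotiated dialect that can carry encrypted traffic

def parse_tree_connect_response(body: bytes) -> dict:
    """Decode the 16-byte TREE_CONNECT Response body that follows the SMB2 header."""
    size, stype, _reserved, flags, _caps, _max_access = struct.unpack("<HBBIII", body[:16])
    if size != 16:
        raise ValueError(f"unexpected StructureSize {size}")
    known_mask = sum(SHARE_FLAGS) | CACHING_MASK  # keys are distinct bits, so sum == OR
    return {
        "share_type": SHARE_TYPE.get(stype, f"0x{stype:02x}"),
        "caching": CACHING[flags & CACHING_MASK],
        "flags": [name for bit, name in SHARE_FLAGS.items() if flags & bit],
        # Bits outside the table are reported, not dropped: the dissector can lag
        # behind flags Microsoft adds, and an auditor should still see them.
        "unknown_flag_bits": flags & ~known_mask & 0xFFFFFFFF,
        "branchcache": bool(flags & 0x6000),
        "encryption_required": bool(flags & 0x8000),
    }

def tree_connect_outcome(dialect: int, share: dict) -> str:
    """What a client on the negotiated dialect gets from this share."""
    if share["encryption_required"] and dialect < SMB3_0_0:
        return "ACCESS_DENIED: encryption required but dialect predates SMB3"
    return "encrypted" if share["encryption_required"] else "plaintext"

# Constructed sample responses (hypothetical shares, not captured from a real server).
CONFIDENTIAL = struct.pack("<HBBIII", 16, 1, 0, 0x00008000 | 0x00000800, 0, 0x001F01FF)
MARKETING = struct.pack("<HBBIII", 16, 1, 0, 0x00002000 | 0x00000010 | 0x00800000, 0, 0x001200A9)
```

Feeding the constructed `CONFIDENTIAL` share to `tree_connect_outcome(0x0210, ...)` reproduces the Windows 7 (SMB 2.1) access-denied case the talk walks through, while 0x0311 gets "encrypted".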
Info
Channel: SharkFest Wireshark Developer and User Conference
Views: 4,268
Keywords: SharkFest, Wireshark, Network Analysis
Id: L5U9dPR4UCY
Length: 56min 16sec (3376 seconds)
Published: Thu Nov 09 2017