search

fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com
Other
13.31k stars 3.54k forks source link

Unable to access share using SMB 3.1.1 #1370

Closed iptwLcP9 closed 1 year ago

iptwLcP9 commented 2 years ago

Configuration

impacket version: 0.10.0 Python version: 3.8.2 Target OS: Windows 10 21H1

Description

When trying to connect to the IPC$ share using SMB 3.1.1 I get an STATUS_ACCESS_DENIED error. However, it works using SMB 2 (without set the preferredDialect parameter).

Debug Output With Command String

Python script:

from impacket.smbconnection import SMBConnection, SMB2_DIALECT_311

REMOTE_HOST = '192.168.86.136'
REMOTE_PORT = 445
DOMAIN = '.'
PASSWORD = 'admin'
USERNAME = 'admin'

print('>>> Create SMB connection')
smb_connection = SMBConnection(remoteName=REMOTE_HOST, remoteHost=REMOTE_HOST, sess_port=REMOTE_PORT,
                               preferredDialect=SMB2_DIALECT_311)

print('>>> Login {}\\{}:{}'.format(DOMAIN, USERNAME, PASSWORD))
smb_connection.login(user=USERNAME, password=PASSWORD, domain=DOMAIN)

share = '\\\\{}\\IPC$'.format(smb_connection.getRemoteName())
print('>>> Connect to {}'.format(share))
tree_id = smb_connection.connectTree(share)

print('>>> Disconnect tree')
smb_connection.disconnectTree(tree_id)

print('>>> Close connection')
smb_connection.close()

Script output:

>>> Create SMB connection
>>> Login .\admin:admin
>>> Connect to \\DESKTOP-NN1GTPH\IPC$
Traceback (most recent call last):
  File "D:\Tools\impacket\impacket\smbconnection.py", line 358, in connectTree
    return self._SMBConnection.connect_tree(share)
  File "D:\Tools\impacket\impacket\smb3.py", line 1096, in connectTree
    if packet.isValidAnswer(STATUS_SUCCESS):
  File "D:\Tools\impacket\impacket\smb3structs.py", line 458, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:/Tools/impacket/examples/my_example.py", line 29, in <module>
    tree_id = smb_connection.connectTree(share)
  File "D:\Tools\impacket\impacket\smbconnection.py", line 360, in connectTree
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

PCAP

Packet capture using SMB 3.1.1: smb311.pcapng Packet capture using SMB 2: smb2.pcapng

Additional context

I've found the following event in the target OS: event1004

0xdeaddood commented 2 years ago

Hi @iptwLcP9!

Thanks for the detailed report. Here's something... I'll check it out.

0xdeaddood commented 2 years ago

Hi @iptwLcP9!

We aren't detecting if the server supports encryption in SMB 3.1.1. In this version, the encryption capability is no longer included in the capabilities field (SMB2_GLOBAL_CAP_ENCRYPTION bit) of the SMB Negotiate response.

I opened a PR #1373, improving some things in SMB 3.1.1. It should fixes this issue. Please check it out and let me know.

iptwLcP9 commented 2 years ago

It works perfectly. Thanks @0xdeaddood!