fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

[BUG] Bad format for SMB ShadowCopy access #1718

Open PeterGabaldon opened 3 months ago

PeterGabaldon commented 3 months ago

When accessing Shadow Copies via the SMB protocol, the following format is typically utilized: '@GMT-%Y.%d.%m-%H.%M.%S'.

Impacket incorrectly implements this format by using %Y.%m.%d instead of %Y.%d.%m (noting the day before the month).

Here's a simple example:

Take note of the date in this example Shadow Snapshot:

[image]

Now, access it via SMB using the correct format:

[image]

Reference: https://www.4n6k.com/2017/02/forensics-quickie-accessing-copying.html

enj5oy commented 3 months ago

@PeterGabaldon I'm attempting to replicate your example. When I accessed the 'shadow copy' through Explorer, it reflected my current system state. Within it, you can observe a file named 'test', which bears a timestamp indicating it was created after the shadow copy was generated (2024-03-24_13-42).

PeterGabaldon commented 2 months ago

Hi,

Just to clarify something after reviewing it.

As pointed out in https://github.com/fortra/impacket/pull/1719#issuecomment-2011223109, there is no problem accessing the Shadow Snapshot through Impacket. The format is not correct, but it is working fine. Snapshots are listed using the IOCTL FSCTL_SRV_ENUMERATE_SNAPSHOTS (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/5a43eb29-50c8-46b6-8319-e793a11f6226).

https://github.com/fortra/impacket/blob/37cc8f953311cf3a37eb39d47be2b14e4c5272f0/impacket/smbconnection.py#L796

I am pointing this out because maybe we could close the PR: changing the format in timestampForSnapshot may result in errors when validating timestamps at some points, because Impacket may use the "bad" format and then the validation with the format fails.

For example, when using smbconnection listSnapshots (https://github.com/fortra/impacket/blob/37cc8f953311cf3a37eb39d47be2b14e4c5272f0/impacket/smbconnection.py#L796). After retrieving snapshots using this method, a format error will be raised if listing/retrieving files from it using smb3.py methods, because the format returned by listSnapshots is the "bad" format, and after changing timestampForSnapshot to the "good" format a mismatch will occur.
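Added example (editor's code, not part of impacket and not from the issue author) covering the two points raised in this thread: how the output buffer of FSCTL_SRV_ENUMERATE_SNAPSHOTS (SRV_SNAPSHOT_ARRAY in MS-SMB2, which gives the token layout as @GMT-YYYY.MM.DD-HH.MM.SS, always UTC) is decoded into snapshot tokens, and what happens when a consumer parses those tokens with a fixed strptime format while a producer emits a different layout. The response bytes are constructed, and all helper names are the example's own, not impacket API.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Token layout from MS-SMB2 (SRV_SNAPSHOT_ARRAY): "@GMT-YYYY.MM.DD-HH.MM.SS", always UTC.
GMT_TOKEN_FORMAT = "@GMT-%Y.%m.%d-%H.%M.%S"
GMT_TOKEN_RE = re.compile(r"^@GMT-\d{4}\.\d{2}\.\d{2}-\d{2}\.\d{2}\.\d{2}$")


def parse_snapshot_array(blob: bytes) -> list:
    """Decode the FSCTL_SRV_ENUMERATE_SNAPSHOTS output buffer into @GMT tokens.

    Layout (all little-endian): NumberOfSnapShots (4), NumberOfSnapShotsReturned (4),
    SnapShotArraySize (4), then SnapShotArraySize bytes of UTF-16LE strings, each
    NUL-terminated, with one extra NUL closing the list.
    """
    if len(blob) < 12:
        raise ValueError("buffer shorter than the 12-byte SRV_SNAPSHOT_ARRAY header")
    total, returned, size = struct.unpack_from("<III", blob, 0)
    if len(blob) < 12 + size:
        raise ValueError("SnapShotArraySize exceeds buffer length")
    # A server handed a too-small buffer reports `total` but returns 0 tokens; the
    # client then re-issues the IOCTL with a larger MaxOutputResponse.
    if returned == 0:
        return []
    text = blob[12:12 + size].decode("utf-16-le")
    tokens = [t for t in text.split("\x00") if t]
    if len(tokens) != returned:
        raise ValueError(f"server announced {returned} snapshots but sent {len(tokens)}")
    for t in tokens:
        if not GMT_TOKEN_RE.match(t):
            raise ValueError(f"unexpected snapshot token {t!r}")
    return tokens


def build_snapshot_array(tokens: list) -> bytes:
    """Constructed server response, used here only so the example runs offline."""
    body = "".join(t + "\x00" for t in tokens) + "\x00"
    data = body.encode("utf-16-le")
    return struct.pack("<III", len(tokens), len(tokens), len(data)) + data


def parse_gmt_token(token: str) -> datetime:
    """Return the snapshot time as a UTC-aware datetime; ValueError on any other layout.

    A token written with day and month swapped (e.g. "@GMT-2024.24.03-...") fails here
    for every day after the 12th and is silently misread for days 1-12, which is the
    producer/consumer mismatch discussed above.
    """
    if not GMT_TOKEN_RE.match(token):
        raise ValueError(f"not an @GMT token: {token!r}")
    return datetime.strptime(token, GMT_TOKEN_FORMAT).replace(tzinfo=timezone.utc)


def is_valid_gmt_token(token: str) -> bool:
    try:
        parse_gmt_token(token)
        return True
    except ValueError:
        return False


def format_gmt_token(when: datetime) -> str:
    """Format a timezone-aware datetime as a token, converting to UTC first.

    Passing local wall-clock time straight through yields a token for a different
    instant, so naive datetimes are rejected.
    """
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; @GMT tokens are UTC")
    return when.astimezone(timezone.utc).strftime(GMT_TOKEN_FORMAT)


def snapshot_path(token: str, path: str) -> str:
    """Share-relative path that opens `path` inside the snapshot (first component = token)."""
    parse_gmt_token(token)  # refuse to build a path around a malformed token
    return token + "\\" + path.lstrip("\\")


# Constructed sample: two snapshots on 23 and 24 March 2024 (not captured from a real server).
SAMPLE_RESPONSE = build_snapshot_array(
    ["@GMT-2024.03.24-13.42.00", "@GMT-2024.03.23-09.00.00"]
)

if __name__ == "__main__":
    for tok in parse_snapshot_array(SAMPLE_RESPONSE):
        print(tok, parse_gmt_token(tok).isoformat(), snapshot_path(tok, "Users\\test.txt"))
    # Day/month swapped: strptime refuses month 24.
    print(is_valid_gmt_token("@GMT-2024.24.03-13.42.00"))  # False
    # Local time one hour ahead of UTC maps to 13:42 UTC, not 14:42.
    local = datetime(2024, 3, 24, 14, 42, tzinfo=timezone(timedelta(hours=1)))
    print(format_gmt_token(local))  # @GMT-2024.03.24-13.42.00
```

The design point for the thread: whichever layout a code base settles on, the function that emits tokens and the one that validates them must share a single format constant, otherwise a change on one side (as proposed in the PR) breaks the round trip for any day after the 12th of the month.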

PeterGabaldon commented 2 months ago

> @PeterGabaldon I'm attempting to replicate your example. When I accessed the 'shadow copy' through Explorer, it reflected my current system state. Within it, you can observe a file named 'test', which bears a timestamp indicating it was created after the shadow copy was generated (2024-03-24_13-42).

Hi @enj5oy,

This Shadow Snapshot is (among others) of Differential type.

[image]

So, this SS should be using COW or Redirect on Write. https://learn.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service#how-the-provider-creates-a-shadow-copy.

Have you compared the contents of the file after modification in the live volume with the SS?

enj5oy commented 2 months ago

@PeterGabaldon I encountered an issue on my end, but after testing everything, it works fine. I had made a mistake because of the wrong UTC time.