rapid7 / ruby_smb

A native Ruby implementation of the SMB Protocol Family

Add AES-256 support #204

Closed zeroSteiner closed 2 years ago

zeroSteiner commented 2 years ago

Closes #203.

This adds AES-256 support, which was recently added by Microsoft. Luckily the KDF remains the same. It also swaps the order of the algorithms; it looks like Windows expects them to be in order of priority. This will prefer the AES-256 variants and fall back to the AES-128 variants. Once landed, Metasploit's smb_version module will automatically identify when AES-256 can be negotiated.

You need to test this with a fully up-to-date Windows 11 system. I don't think AES-256 is available for Windows 10. I also double checked that AES-128 negotiation and encryption still work correctly.

Server 2019 uses AES-128, while Windows 11 negotiates AES-256. This can be confirmed using Wireshark and inspecting the negotiate response frame from the server.

  : ruby_smb:feat/aes-25610:29:08 ruby_smb ruby examples/read_file.rb --username smcintyre --password "$(getpass)" 192.168.159.70 SMBShare readme.txt
Password: SMB3 : (0x00000000) STATUS_SUCCESS: The operation completed successfully.
Connected to \\192.168.159.70\SMBShare successfully!
Hello from Windows 11!
  : ruby_smb:feat/aes-25610:29:13 ruby_smb ruby examples/read_file.rb --username smcintyre --password "$(getpass)" 192.168.159.96 SMBShare readme.txt
Password: SMB3 : (0x00000000) STATUS_SUCCESS: The operation completed successfully.
Connected to \\192.168.159.96\SMBShare successfully!
Hello from Server 2019!
  : ruby_smb:feat/aes-25610:29:21 rub

This may introduce conflicts with #197, which will also need to be updated so the server also supports AES-256.
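The negotiation and key-derivation steps the PR description touches on, as an added example (my own code, not ruby_smb's): it builds the SMB2_ENCRYPTION_CAPABILITIES negotiate context with the ciphers in the priority order the PR adopts (256-bit variants first), applies the server-side selection rule from MS-SMB2 3.3.5.4 (the first cipher in the client's list that the server supports, which is what makes the client's ordering a priority list), parses the single-cipher context the server answers with, and runs the SP800-108 counter-mode HMAC-SHA256 KDF with L set to the chosen cipher's key size, so the same KDF yields a 16-byte key for AES-128 and a 32-byte key for AES-256. Cipher IDs and the context layout follow MS-SMB2 2.2.3.1.2. The session key and preauth integrity hash are constructed stand-ins; `select_cipher`, `negotiate_and_derive` and the other function names are mine. One caveat from my reading of MS-SMB2 3.1.4.2: for the 256-bit ciphers the spec feeds the untruncated session key (FullSessionKey) to this KDF, so a real client has to pass that in where the sample uses a fixed 16-byte value.

```ruby
require 'openssl'

# Cipher IDs from MS-SMB2 2.2.3.1.2 (SMB2_ENCRYPTION_CAPABILITIES).
CIPHER_IDS = {
  'AES-128-CCM' => 0x0001,
  'AES-128-GCM' => 0x0002,
  'AES-256-CCM' => 0x0003,
  'AES-256-GCM' => 0x0004
}.freeze
CIPHER_NAMES = CIPHER_IDS.invert.freeze

# Key size in bits per cipher; this is the L input to the KDF.
CIPHER_KEY_BITS = { 0x0001 => 128, 0x0002 => 128, 0x0003 => 256, 0x0004 => 256 }.freeze

# Client preference, most preferred first: the 256-bit variants, then the 128-bit ones.
CLIENT_CIPHER_PREFERENCE = [0x0004, 0x0003, 0x0002, 0x0001].freeze

SMB2_ENCRYPTION_CAPABILITIES = 0x0002 # SMB2_NEGOTIATE_CONTEXT ContextType value

# Encode one SMB2_NEGOTIATE_CONTEXT with an encryption-capabilities body:
# ContextType(2) DataLength(2) Reserved(4) | CipherCount(2) Ciphers(2 * n), all little-endian.
def build_encryption_context(ciphers)
  data = [ciphers.length, *ciphers].pack('v*')
  [SMB2_ENCRYPTION_CAPABILITIES, data.bytesize, 0].pack('vvV') + data
end

# Decode the context back into a cipher list; nil if it is some other context type.
def parse_encryption_context(bytes)
  type, len, _reserved = bytes.unpack('vvV')
  return nil unless type == SMB2_ENCRYPTION_CAPABILITIES

  data = bytes.byteslice(8, len)
  count = data.unpack1('v')
  data.byteslice(2, count * 2).unpack('v*')
end

# Server-side selection (MS-SMB2 3.3.5.4): the first cipher in the client's list that the
# server supports, so the client's ordering is its priority. nil means no common cipher.
def select_cipher(client_ciphers, server_supported)
  client_ciphers.find { |c| server_supported.include?(c) }
end

# SP800-108 counter-mode KDF with HMAC-SHA256 as SMB 3.x uses it (MS-SMB2 3.1.4.2):
#   K(i) = HMAC-SHA256(key, [i]_4 || label || 0x00 || context || [L]_4), i and L big-endian.
# A 256-bit request still fits in one HMAC-SHA256 output, so the loop runs once either way.
def smb3_kdf(key, label, context, bits)
  out = ''.b
  (1..((bits + 255) / 256)).each do |i|
    msg = [i].pack('N') + label + "\x00".b + context + [bits].pack('N')
    out << OpenSSL::HMAC.digest('SHA256', key, msg)
  end
  out.byteslice(0, bits / 8)
end

# Client-to-server encryption key. The label's trailing NUL is part of the label itself;
# the KDF adds its own 0x00 separator after it. Only L differs between AES-128 and AES-256.
def derive_encryption_key(session_key, preauth_hash, cipher_id)
  smb3_kdf(session_key, "SMBC2SCipherKey\x00".b, preauth_hash, CIPHER_KEY_BITS.fetch(cipher_id))
end

# Whole flow against one server: build the client's context, let the server choose, parse
# the single-cipher response context, and derive a key of the matching size.
def negotiate_and_derive(server_supported, session_key, preauth_hash)
  request_ctx = build_encryption_context(CLIENT_CIPHER_PREFERENCE)
  chosen = select_cipher(parse_encryption_context(request_ctx), server_supported)
  return nil if chosen.nil?

  response_ctx = build_encryption_context([chosen]) # the server answers with exactly one cipher
  cipher_id = parse_encryption_context(response_ctx).first
  { cipher: cipher_id, name: CIPHER_NAMES[cipher_id],
    key: derive_encryption_key(session_key, preauth_hash, cipher_id) }
end

# Constructed stand-ins: a 16-byte session key and a 64-byte (SHA-512) preauth hash value.
SAMPLE_SESSION_KEY = ("\x11" * 16).b.freeze
SAMPLE_PREAUTH_HASH = ("\x22" * 64).b.freeze

if __FILE__ == $PROGRAM_NAME
  # A server offering all four ciphers (Windows 11 in the PR) versus one limited to the
  # 128-bit pair (Server 2019 in the PR).
  { 'Windows 11' => CIPHER_IDS.values, 'Server 2019' => [0x0001, 0x0002] }.each do |host, supported|
    r = negotiate_and_derive(supported, SAMPLE_SESSION_KEY, SAMPLE_PREAUTH_HASH)
    puts "#{host}: #{r[:name]} (0x#{'%04x' % r[:cipher]}), key #{r[:key].bytesize * 8} bits"
  end
end
```

Because L is bound into every HMAC input, the 32-byte AES-256 key is not simply the 16-byte AES-128 key with more output appended; a client that derived a 128-bit key and padded it would not interoperate, which is the practical reason the cipher choice has to be known before key derivation runs.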

cdelafuente-r7 commented 2 years ago

Thanks @zeroSteiner! It looks good to me. I tested against Windows 11 21H2 and verified it negotiated AES-256-GCM, AES-256-CCM, AES-128-GCM and AES-128-CCM. I also verified it still works with Windows 10 (both AES-128-GCM and AES-128-CCM).

However, the SMB Server seems to break when trying to parse a Negotiate request from Windows 11. It looks like two new Negotiate Context types have been added: SMB2_RDMA_TRANSFORM_CAPABILITIES and SMB2_SIGNING_CAPABILITIES. Since this is out of scope, I'll create a specific ticket to fix this.

That said, I'll go ahead and land it.