
#78 Winexe can't connect to Windows 7 with SMB1 disabled

Milestone: 1.1
Status: open
Owner: nobody
Labels: SMB1, SMB2
Priority: medium
Updated: 2017-09-28
Created: 2017-02-20
Private: No

With the furor over weaknesses in SMB1 and exploits in the wild, as well as Nessus now flagging any SMB1 support as a critical vulnerability, I have been looking into what will happen to our tools as our customers begin turning off SMB1 in their efforts to keep their vulnerability scans clean.

My testing is with the latest version of winexe-winexe-waf and samba reset back as recommended here

http://rand0m.org/2015/08/05/winexe-1-1-centos-6-and-windows-2012-r2/

I also had to add gnutls and gcrypt to wscript_build. This works great with Windows 8 and Windows 10, but it fails instantly when I disable SMB1 on a Windows 7 machine. I disable it like this:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /f /t REG_DWORD /d 0

When configured like this, PSEXEC still works just fine. But when I run winexe against it, tcpdump shows me the 3-way handshake, then winexe sends an SMB proposal, then Windows 7 sends a TCP reset.

Any help at all would be very welcome.

Karl

TCPDUMP output:

fileserver2 5005# tcpdump -i eth0 -n -vvv host 172.26.1.102
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:52:45.908060 IP (tos 0x0, ttl 64, id 42576, offset 0, flags [DF], proto TCP (6), length 60)
172.26.1.11.41188 > 172.26.1.102.445: Flags [S], cksum 0x5ad4 (incorrect -> 0x2fb8), seq 1341018616, win 29200, options [mss 1460,sackOK,TS val 258078632 ecr 0,nop,wscale 7], length 0
11:52:45.908273 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.26.1.11 tell 172.26.1.102, length 46
11:52:45.908291 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.26.1.11 is-at 00:0c:29:20:8e:df, length 28
11:52:45.908355 IP (tos 0x0, ttl 128, id 28000, offset 0, flags [DF], proto TCP (6), length 60)
172.26.1.102.445 > 172.26.1.11.41188: Flags [S.], cksum 0x51ab (correct), seq 634378719, ack 1341018617, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 102771260 ecr 258078632], length 0
11:52:45.908379 IP (tos 0x0, ttl 64, id 42577, offset 0, flags [DF], proto TCP (6), length 52)
172.26.1.11.41188 > 172.26.1.102.445: Flags [.], cksum 0x5acc (incorrect -> 0x9f93), seq 1, ack 1, win 229, options [nop,nop,TS val 258078632 ecr 102771260], length 0
11:52:45.908503 IP (tos 0x0, ttl 64, id 42578, offset 0, flags [DF], proto TCP (6), length 246)
172.26.1.11.41188 > 172.26.1.102.445: Flags [P.], cksum 0x5b8e (incorrect -> 0x42e6), seq 1:195, ack 1, win 229, options [nop,nop,TS val 258078632 ecr 102771260], length 194
SMB PACKET: SMBnegprot (REQUEST)
SMB Command = 0x72
Error class = 0x0
Error code = 0 (0x0)
Flags1 = 0x18
Flags2 = 0x43
Tree ID = 0 (0x0)
Proc ID = 65534 (0xfffe)
UID = 0 (0x0)
MID = 0 (0x0)
Word Count = 0 (0x0)
smb_bcc=155
Dialect=PC NETWORK PROGRAM 1.0
Dialect=MICROSOFT NETWORKS 1.03
Dialect=MICROSOFT NETWORKS 3.0
Dialect=LANMAN1.0
Dialect=LM1.2X002
Dialect=DOS LANMAN2.1
Dialect=LANMAN2.1
Dialect=Samba
Dialect=NT LANMAN 1.0
Dialect=NT LM 0.12

11:52:45.908619 IP (tos 0x0, ttl 128, id 28001, offset 0, flags [DF], proto TCP (6), length 40)
172.26.1.102.445 > 172.26.1.11.41188: Flags [R.], cksum 0x1030 (correct), seq 1, ack 195, win 0, length 0
11:52:46.046671 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.26.1.102 tell 172.26.1.29, length 46

Discussion

  • BorderlineADD - 2017-02-21

    By the way, smbclient built from the same code base works perfectly if I use the -mSMB2 or -mSMB3 option (set maximum protocol).

  • Mark Ridley - 2017-05-23

    Has anyone looked at this? winexe will soon stop working with most Windows systems.
    The reason why smbclient works is that it compiles against the source3 code of Samba, where SMB2/3 work. Source4, though, which winexe and winexe-static compile against, does not work with SMB2 until around 4.3.8.

  • Mark Ridley - 2017-06-13

    This is fixed now. I have made a fork that works with SMB2.

  • Mai - 2017-09-28

    Hi Mark, can you share the code fork? I need to recompile winexe for SMB2 as well.

    Thanks

  • Mai - 2017-09-28

    Never mind, I found your fork. Thanks.