SMB Server Message Block protocol

What is SMB?

Server Message Block (SMB) protocol is a client-server communications protocol that allows files, printers, serial ports, and other resources to be shared on a network. 

SMB was introduced in 1983 by Barry Feigenbaum at IBM. It evolved primarily as a protocol for connecting Windows computers, but over the years most other systems, such as Linux and macOS, have also received client components for accessing SMB resources.

The protocol has since spawned several variants to meet evolving network needs over the years. During this time, SMB was widely implemented and remains one of the most popular file-sharing solutions in the workplace.

How does SMB work?

Network communication via SMB takes place using the request-response method, one of the most commonly used methods for communication within a network. The SMB protocol is located on the seventh layer of the OSI model (Application Layer). To establish a connection, the client sends a Negotiate Protocol request to the server it wants to talk to, offering the list of dialects it supports.

The following dialects can be used: 

  • Core 
  • CorePlus
  • LAN Manager 1.0
  • LAN Manager 2.0
  • LAN Manager 2.1
  • NT LAN Manager 1.0
  • Samba's NT LM 0.12
  • Common Internet File System

To initiate an SMB session, the client sends an SMB request on TCP port 445 (from SMBv2). The server receives the request and replies with an SMB Negotiate Protocol response, in which the SMB dialect to be used is agreed. This is followed by client/server authentication, for which SMB uses the NTLM (NT LAN Manager) authentication protocol by default.

However, alternative protocols such as Kerberos can also be used here.

How does NTLM authentication work?

NTLM authentication is initiated with a "Session Setup Request" (NTLM Negotiate) to which the server responds with a "Session Setup Response" (NTLM Challenge). As soon as the client receives the NTLM challenge, it again sends a "Session Setup Request" (NTLM Authenticate) to confirm the connection between client and server.

Figure: graphic representation of NTLM authentication.
Figure: SMB session setup with NTLM authentication in Wireshark.

The Tree Connect request

If authentication is successful, the client can access the requested network resources. To do this, the client sends a "Tree-Connect-Request" which is answered by the server with a "Tree-Connect-Response".

In the Tree Connect exchange, the server also gives the client all information about the access permissions for the requested SMB share. If the share name ends in a $ (like IPC$ or C$), the share is hidden; hidden shares are usually created by the system, but users can create them too. Hidden means that the share is not listed when you browse the root of the resource. Connecting to the IPC$ share is also referred to here as a NULL session connection.

This session allows Windows users to perform certain activities, e.g. enumerating the names of domain accounts and network shares.

Figure: Tree Connect Response with Access Mask in Wireshark after successful NTLM authentication.

Client request

  1. The user application executes a system call (syscall) for the requested file, which resides on a share.
  2. The redirector accepts the syscall from the client and forwards it to the responsible server via the SMB protocol.
  3. On the target server, a server service receives and processes the incoming SMB requests.
Figure: SMB request (client side).

Response from the server

  1. The server service opens the incoming request and gets a handle back from the system. A handle is a unique reference value that the operating system assigns to a system resource, which can be a single file.
  2. This handle is then assigned to an FID (File ID) by the server. The handle itself is only used within one system.
  3. Each transmitted packet contains the assigned file ID for the corresponding file.
Figure: SMB reply (server side).

What are Protocol Identifiers?

So that the redirector and server can successfully identify objects for input/output requests, so-called SMB protocol identifiers are required.

SMB uses the following identifiers for this:

User Identifier (UID)

The UID is used to define user-level access rights. With the "Session Setup Request" (already described above), the client issues a so-called "Session Setup ANDX" command. This is used to authenticate the user and to request a UID. The redirector sends the user's UID to the server with each request. Several UIDs can also be assigned to a single client; these are mostly access rights for system processes.

Process Identifier (PID)

So that each request can be assigned to the correct process, it contains a PID.

Multiplex Identifier (MID)

The redirector can have multiple outstanding commands at the same time. With the help of the MID, which is generated by the redirector itself, it can match each response from the server to the request it belongs to.

Tree Identifier (TID)

The TID is generated by the server to uniquely identify the share. Each resource on the server is defined by a share. The redirector associates the share on the client with the server's tree ID.

File Identifier (FID)

The FID is generated by the server. It uniquely identifies an access to a file. A separate FID is generated for each individual file and open request, which is referred to as handle mapping. The FID is sent with every request for an existing object. Several FIDs can be in use simultaneously within one SMB session.

Search Identifier (SID)

The SID is generated by the server. It is responsible for a server-side lookup process. In addition, the SID can be used for caching, i.e. performance optimization. 
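As an added example, not part of the original article, the following Python code parses a constructed SMB1 Negotiate Protocol request: it pulls the TID, PID, UID and MID out of the 32-byte SMB header described in this section, decodes the dialect list the client offers during the negotiation described earlier, and applies a server-side policy that refuses clients offering only SMB 1.0 dialects. The dialect strings are the MS-CIFS wire names of the dialects listed above; the sample packets and the flag values in them are constructed for the demo.

```python
import struct
SMB1_MAGIC, SMB_COM_NEGOTIATE = b"\xffSMB", 0x72
HEADER_FMT = "<BIBHH8x2xHHHH"  # the 28 bytes that follow the 4-byte magic
# MS-CIFS wire names of the dialects listed above, oldest first; the two
# SMB2 strings are how an SMB1-framed Negotiate also advertises SMB2.
SMB1_DIALECTS = ["PC NETWORK PROGRAM 1.0", "MICROSOFT NETWORKS 1.03",
                 "LANMAN1.0", "LM1.2X002", "LANMAN2.1", "NT LM 0.12"]
SMB2_DIALECTS = ["SMB 2.002", "SMB 2.???"]

def parse_smb1_header(msg: bytes) -> dict:
    """Split the 32-byte SMB1 header into the identifiers described above."""
    if len(msg) < 32 or msg[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    cmd, status, flags, flags2, pid_hi, tid, pid_lo, uid, mid = \
        struct.unpack_from(HEADER_FMT, msg, 4)
    return {"command": cmd, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_hi << 16) | pid_lo, "uid": uid, "mid": mid}

def parse_negotiate_dialects(msg: bytes) -> list:
    """Negotiate body (after the header): WordCount 0, ByteCount, then dialect
    entries, each a 0x02 format byte plus a NUL-terminated ASCII string."""
    if parse_smb1_header(msg)["command"] != SMB_COM_NEGOTIATE or msg[32:33] != b"\x00":
        raise ValueError("not a well-formed Negotiate Protocol request")
    (byte_count,) = struct.unpack_from("<H", msg, 33)
    buf, pos, dialects = msg[35:35 + byte_count], 0, []
    while pos < len(buf):
        if buf[pos] != 0x02:
            raise ValueError("dialect entry missing its 0x02 format byte")
        end = buf.index(b"\x00", pos + 1)
        dialects.append(buf[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects

def choose_dialect(dialects: list, allow_smb1: bool = False):
    """Server-side choice: index (into the client's list) of the newest dialect
    the policy permits, or None, reported on the wire as DialectIndex 0xFFFF."""
    ranking = SMB1_DIALECTS + SMB2_DIALECTS
    allowed = ranking if allow_smb1 else SMB2_DIALECTS
    best = max((ranking.index(d) for d in dialects if d in allowed), default=-1)
    return None if best < 0 else dialects.index(ranking[best])

def build_negotiate_request(dialects: list, pid: int, mid: int) -> bytes:
    """Constructed sample request for the demo (not captured traffic)."""
    hdr = SMB1_MAGIC + struct.pack(HEADER_FMT, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                                   pid >> 16, 0, pid & 0xFFFF, 0, mid)
    blob = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return hdr + b"\x00" + struct.pack("<H", len(blob)) + blob

LEGACY_ONLY = build_negotiate_request(SMB1_DIALECTS, pid=0x1234, mid=1)
MODERN = build_negotiate_request(SMB1_DIALECTS + SMB2_DIALECTS, pid=0x1234, mid=2)
```

With the default policy `choose_dialect` returns None for the SMB1-only client, which a hardened server turns into a rejected negotiation, while the client that also offers SMB2 gets index 7 ("SMB 2.???").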

SMB versions

Various SMB dialects have been published since the introduction of the SMB protocol. These have evolved over time to improve functionality, scalability, security and efficiency.  

SMB 1.0 (1984)

SMB was developed in its first version by IBM in 1984. It introduced OpLocks as a client-side caching mechanism to reduce network traffic. As a transport, SMB 1.0 uses the Network Basic Input/Output System (NetBIOS) over TCP. Current Windows versions no longer support SMB v1 because it contains numerous vulnerabilities, which can give attackers remote code execution and denial-of-service opportunities. Systems with this outdated protocol enabled are a target for potential attacks and are highly susceptible to ransomware, since much malware uses SMB v1 to spread through the network after a successful infection.

SMB 2.0 (2006)

SMB 2.0 was released with Windows Vista and Windows Server 2008. Network communication improved in performance, scalability and reliability, and support for WAN acceleration was added. In later iterations, the classic OpLock system was replaced by the OpLock leasing model, again to improve performance. Other updates included support for large maximum transfer units and improved power efficiency, which allowed clients with an active session to an SMB server to go into sleep mode.

SMB 3.0 (2012)

SMB 3.0 was first introduced in Windows 8 and Windows Server 2012. It added several major upgrades to improve availability, performance, backup, security, and management. New features included SMB Multichannel, SMB Direct, Transparent Client Access Failover, Remote Volume Shadow Copy Service support, and SMB Encryption. Starting with version 3.02, it additionally included performance updates and the ability to disable support for CIFS/SMB 1.0. SMB 3.1.1 was subsequently released with Windows 10 in 2015 and Windows Server 2016. It added support for advanced encryption, integrity, and authentication to prevent Man-in-the-Middle (MitM) attacks, among other updates.

Samba

The name Samba is derived from the network protocol "SMB", and Samba serves as its Unix/Linux implementation. It was released in 1992 and, like SMB, has been continually updated and improved. Since SMBv3 became the standard in Samba, the outdated and insecure first version of SMB is no longer supported in the default configuration.
