how-to block ads
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
| Re: Windows File Sharing: Facing The Mystery said by Daniel  :Old vs. NewWhen connecting to a Windows 2000/XP machine that has both NetBIOS over TCP and direct hosting enabled (from a client machine that's also using them), both types of connectivity will be attempted. The service responding first will be accepted and continued, i.e. if NetBIOS responds first then an RST will be sent to TCP/445, and vice versa. Do you have a cite for this? I've seen this anecdotally, but whenever I've looked at this in a home (workgroup) environment, the CIFS client has always selected tcp/445 over tcp/139.
And again anecdotally, I can't recall seeing any of the infected systems spreading malware via Windows remote logins choosing tcp/139 over tcp/445.
(Note that in Microsoft's implementation -- NT 5.0 and up -- one can disable either 445 or 139; tcp/445 via the SMBDeviceEnabled Registry value in the NBT driver SCM parameters, and tcp/139 via the network adapter TCP/IP properties.)
It would also be interesting to see what the Samba SMB client does...
Also, the relationship between MSRPC and SMB/CIFS isn't precise -- but I think Dave is already addressing that.
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org | |
|  dave
Premium,MVM
join:2000-05-04
not in ohio
 ·Verizon Online DSL
 ·Verizon FIOS
| Re: Windows File Sharing: Facing The Mystery said by psloss :Do you have a cite for this? I just tried this with Ethereal running (Win2000 to Win2000).
If I connect to a machine I have never connected to ever before, then I see a SYN to TCP/445 immediately followed by a SYN to TCP/139. Eventually, the second connection gets reset.
If I connect to a machine that I connect to often, then only the 445 connection is sent, so there's some memory in the system.
I imagine the odds are that 445 will be chosen, since (a) the 445 connection request is fractionally ahead of the 139 connection request on the wire, (b) smb-over-native involves one less layer than smb-over-nbt, so maybe the turnaround time is a little less.
(I didn't pay close attention to looking at how far the 445 connection setup had to proceed -- there are several SMBs needed for complete connection setup after the TCP connection is ready -- before the 139 connection was abandoned). | |
| | psloss
Premium
join:2002-02-24
Alpharetta, GA
1 edit | Re: Windows File Sharing: Facing The Mystery said by dave :(I didn't pay close attention to looking at how far the 445 connection setup had to proceed -- there are several SMBs needed for complete connection setup after the TCP connection is ready -- before the 139 connection was abandoned). In the Microsoft server-side implementations I tested, my recollection (which is going on 18 months or thereabouts, so it's fuzzy) is that the 139 connection gets reset even before the negotiate protocol SMB appeared (chronologically) in the Ethereal logs.
But I'd have to go snag the old logs to see for sure what they show; for now, it's easy enough to fire up Ethereal to take a look at a current domain and/or workgroup setup.
And it should be fairly simple to hack something together to send a SYN on 139 before 445...I'll have to try that in some spare time...
(Edit: spelling)
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org
| |
| 
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs: 
| said by psloss :said by Daniel :Old vs. NewWhen connecting to a Windows 2000/XP machine that has both NetBIOS over TCP and direct hosting enabled (from a client machine that's also using them), both types of connectivity will be attempted. The service responding first will be accepted and continued, i.e. if NetBIOS responds first then an RST will be sent to TCP/445, and vice versa. Do you have a cite for this? I do.
said by Microsoft :If both the direct hosted and NBT interfaces are enabled, both methods are tried at the same time and the first to respond is used. This allows Windows to function properly with operating systems that do not support direct hosting of SMB traffic. » support.microsoft.com/default.as···;Q204279
--
dmiessler.com - grep understanding knowledge | |
| | psloss
Premium
join:2002-02-24
Alpharetta, GA
| Re: Windows File Sharing: Facing The Mystery said by Daniel :I do. said by Microsoft :If both the direct hosted and NBT interfaces are enabled, both methods are tried at the same time and the first to respond is used. This allows Windows to function properly with operating systems that do not support direct hosting of SMB traffic. » support.microsoft.com/default.as···;Q204279 Cool. Thanks. I think Dave's explanation about the sequencing of the SYNs, though, is worth noting.
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org | |
| | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
| Re: Windows File Sharing: Facing The Mystery said by psloss :I think Dave's explanation about the sequencing of the SYNs, though, is worth noting. Agreed.
Dave, can I include that in the piece?
--
dmiessler.com - grep understanding knowledge | |
| | | | dave
Premium,MVM
join:2000-05-04
not in ohio | Re: Windows File Sharing: Facing The Mystery Sure - it's hardly an innvoative piece of work! | |
| | | |
|
