
Using Wireshark to examine SMB Signing Requirements

April 13th, 2011

When a client connects to a server using SMB it sends a “Negotiate Protocol Request”.  In response to this, the server replies with a “Negotiate Protocol Response”.  This response reveals whether SMB signing is enabled and whether it is required at the client, the server, or both.

The “Security Mode” field in the response is a UCHAR whose low 4 bits are flags. Its value will be one of 3, 7 or 15 (hexadecimal 0x03, 0x07 or 0x0F), depending on which of the following bits are set:

bit 0: 0 = share
bit 0: 1 = user
bit 1: 1 = encrypt passwords
bit 2: 1 = Security Signatures (SMB sequence numbers) enabled
bit 3: 1 = Security Signatures (SMB sequence numbers) required

  • If SMB signing is disabled at the server, the value is 3.
  • If SMB signing is enabled and not required at the server, the value is 7.
  • If SMB signing is enabled and required at the server, the value is 15.

If SMB signing is enabled and required at both the client and the server, or if SMB signing is disabled at both the client and the server, the connection is successful.

If SMB signing is enabled and required at the client and disabled at the server, the TCP session is gracefully closed after the Dialect Negotiation, and the client receives the Windows error message “System error 1240 has occurred. The account is not authorized to log in from this station.”
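The same check can be made without the Wireshark GUI by reading the Security Mode byte straight out of the response bytes. The following is an added example, not code from the original post: the function names are hypothetical, the field offsets are assumptions taken from the SMB1 (NT LM 0.12) wire format, which the post does not spell out, and the sample frame is constructed.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
FLAGS_REPLY = 0x80  # set in the header Flags byte when the message is a response

# Bit layout of the Security Mode UCHAR, as listed in the post.
USER_LEVEL, ENCRYPT_PW, SIGN_ENABLED, SIGN_REQUIRED = 0x01, 0x02, 0x04, 0x08


def parse_security_mode(frame: bytes) -> int:
    """Return the Security Mode byte of an SMB1 Negotiate Protocol Response."""
    # Skip the 4-byte NetBIOS session header if the capture includes it.
    if frame[:1] == b"\x00" and frame[4:8] == SMB1_MAGIC:
        frame = frame[4:]
    if len(frame) < 36 or frame[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    if frame[4] != SMB_COM_NEGOTIATE or not frame[9] & FLAGS_REPLY:
        raise ValueError("not a Negotiate Protocol Response")
    if frame[32] != 17:  # WordCount of the NT LM 0.12 response (assumed layout)
        raise ValueError("response carries no Security Mode field")
    # Parameter words: DialectIndex (2 bytes), then SecurityMode (1 byte).
    return frame[35]


def describe(mode: int) -> dict:
    """Decode the four flag bits into named settings."""
    return {
        "access": "user" if mode & USER_LEVEL else "share",
        "encrypt_passwords": bool(mode & ENCRYPT_PW),
        "signing_enabled": bool(mode & SIGN_ENABLED),
        "signing_required": bool(mode & SIGN_REQUIRED),
    }


def build_sample_response(mode: int) -> bytes:
    """Constructed frame: NetBIOS header, SMB1 header, 17-word response body."""
    header = SMB1_MAGIC + struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, FLAGS_REPLY, 0)
    header += bytes(12) + struct.pack("<HHHH", 0, 0, 0, 0)  # PIDHigh..MID
    body = bytes([17]) + struct.pack("<HB", 0, mode) + bytes(31) + bytes(2)
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for value in (3, 7, 15):  # the three values the post describes
        print(value, describe(parse_security_mode(build_sample_response(value))))
```

`parse_security_mode` accepts the bytes with or without the NetBIOS session header and rejects requests and non-negotiate messages with `ValueError`.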

[Screenshot of Security Mode]
