{"id":1252,"date":"2011-04-13T17:26:36","date_gmt":"2011-04-13T16:26:36","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1252"},"modified":"2011-04-13T17:26:36","modified_gmt":"2011-04-13T16:26:36","slug":"using-wireshark-to-examine-smb-signing-requirements","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1252","title":{"rendered":"Using Wireshark to examine SMB Signing Requirements"},"content":{"rendered":"

When a client connects to a server using SMB it sends a “Negotiate Protocol Request”.\u00a0 In response to this, the server replies with a “Negotiate Protocol Response”.\u00a0 This response reveals whether SMB signing is enabled and whether it is required at the client, the server, or both.<\/p>\n

The “Security Mode” in the response will be one of: 3, 7 or 15 which correspond with the Hexadecimal equivalent of the 4 bits UCHAR:<\/p>\n

bit 0: 0 = share
\nbit 0: 1 = user
\nbit 1: 1 = encrypt passwords
\nbit 2: 1 = Security Signatures (SMB sequence numbers) enabled
\nbit 3: 1 = Security Signatures (SMB sequence numbers) required<\/p>\n