Wireshark mailing list archives

Decrypting SMB3 exchanges


From: David Turner <david.turner () zupa co uk>
Date: Fri, 16 Nov 2018 13:51:46 +0000

Hi there,

I'm looking for help using Wireshark to decrypt SMB3 exchanges, in order to observe the protocol traffic generated by an 
application I'm working on. I'm having trouble working out what keys Wireshark needs to do this, and how to derive them.

I have been looking at the sample capture file on the wiki - https://wiki.wireshark.org/SampleCaptures#SMB3_encryption. 
The wiki states the session ID and session key to use for this file, and entering these into the "Secret session 
key..." dialog (under Preferences for SMB2) does indeed decrypt the data in the sample capture. These values are:
 - session id 3d00009400480000
 - session key 28f2847263c83dc00621f742dd3f2e7b

Looking at the sample capture data, I can find the Session Id (frame 4, and each subsequent packet in the exchange) and 
can see the hex value does relate to the value provided.

My problem is I'm not sure how the session key from the wiki has been derived. I have found the NTLM session key (frame 
5 of the sample file), but this session key (b2e876559c9c58b0344bd5a99f8e9855) is a completely different value to the 
one on the wiki.

I've looked for information on SMB3 encryption, and found several Microsoft documents which include key derivation 
specifications (e.g. 
https://blogs.msdn.microsoft.com/openspecification/2017/05/26/smb-2-and-smb-3-security-in-windows-10-the-anatomy-of-signing-and-cryptographic-keys/).
 However I'm a cryptography novice and am finding them hard to follow.

Can anyone confirm whether the session key provided for the sample capture file can be derived from the file contents? 
If so can anyone explain how to do so, or at least which parts of the message are relevant?

Kind regards
David Turner
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
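Added example (not part of the original message, and not Wireshark's or Microsoft's code): the key derivation the linked Microsoft article describes, as specified in MS-SMB2 section 3.1.4.2. Once Wireshark has the Session.SessionKey typed into the "Secret session key" dialog, it runs this SP800-108 counter-mode KDF (PRF HMAC-SHA256, r = 32, L = 128) to obtain the signing key and the two direction-specific AES-CCM keys. The code takes the session key as given; per MS-NLMP, the Session.SessionKey is the NTLM ExportedSessionKey, which the NTLMSSP AUTHENTICATE message carries only RC4-encrypted under the KeyExchangeKey when key exchange is negotiated, so this KDF cannot be used to recover the session key from the bytes on the wire. The wiki session key is used only as sample input; the 3.1.1 preauth hash in the test is a constructed placeholder.

```python
"""SMB 3.x key derivation (MS-SMB2 3.1.4.2): SP800-108 counter-mode KDF with
HMAC-SHA256, r = 32, L = 128. Assumes the 16-byte Session.SessionKey is
already known (the value entered in Wireshark's SMB2 "Secret session key" dialog)."""
import hashlib
import hmac
import struct

KEY_BITS = 128  # L: every key derived here is 128 bits


def kdf_counter_input(label: bytes, context: bytes, counter: int = 1, bits: int = KEY_BITS) -> bytes:
    """Fixed input for one KDF iteration: [i]_2 || Label || 0x00 || Context || [L]_2.
    MS-SMB2 labels and string contexts already include their trailing NUL byte;
    the 0x00 added here is the separate SP800-108 separator."""
    return struct.pack(">I", counter) + label + b"\x00" + context + struct.pack(">I", bits)


def smb3_kdf(session_key: bytes, label: bytes, context: bytes, bits: int = KEY_BITS) -> bytes:
    """SP800-108 KDF in counter mode with PRF = HMAC-SHA256.
    Produces as many counter blocks as `bits` requires, then truncates."""
    out = b""
    counter = 1
    while len(out) * 8 < bits:
        block_input = kdf_counter_input(label, context, counter, bits)
        out += hmac.new(session_key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[: bits // 8]


def derive_smb30_keys(session_key: bytes) -> dict:
    """SMB 3.0 / 3.0.2 keys. Context 'ServerIn ' (note the space) yields the
    client-to-server AES-CCM key and 'ServerOut' the server-to-client key;
    a passive decryptor needs both."""
    return {
        "signing": smb3_kdf(session_key, b"SMB2AESCMAC\x00", b"SmbSign\x00"),
        "application": smb3_kdf(session_key, b"SMB2APP\x00", b"SmbRpc\x00"),
        "client_to_server": smb3_kdf(session_key, b"SMB2AESCCM\x00", b"ServerIn \x00"),
        "server_to_client": smb3_kdf(session_key, b"SMB2AESCCM\x00", b"ServerOut\x00"),
    }


def derive_smb311_keys(session_key: bytes, preauth_hash: bytes) -> dict:
    """SMB 3.1.1 keys. The context is the 64-byte PreauthIntegrityHashValue
    (SHA-512 chained over the NEGOTIATE and SESSION_SETUP messages), so the
    derived keys also bind the session to the negotiated parameters."""
    return {
        "signing": smb3_kdf(session_key, b"SMBSigningKey\x00", preauth_hash),
        "application": smb3_kdf(session_key, b"SMBAppKey\x00", preauth_hash),
        "client_to_server": smb3_kdf(session_key, b"SMBC2SCipherKey\x00", preauth_hash),
        "server_to_client": smb3_kdf(session_key, b"SMBS2CCipherKey\x00", preauth_hash),
    }


if __name__ == "__main__":
    # Session key quoted on the Wireshark wiki for the SMB3 encryption sample capture.
    wiki_session_key = bytes.fromhex("28f2847263c83dc00621f742dd3f2e7b")
    for name, key in derive_smb30_keys(wiki_session_key).items():
        print(f"SMB 3.0 {name:17s} {key.hex()}")
```

For a 3.1.1 session the dissector has to have seen the NEGOTIATE and SESSION_SETUP frames in the capture to rebuild the preauth hash before it can derive anything, which is one more reason to start the capture before the client connects.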