
How to decrypt SMB encrypted traffic between client and server

Question

Thursday, October 23, 2014 11:34 PM

Hi,

I have a Windows 2012 server and a Windows 8 client. I have enabled SMB encryption using the following PowerShell command.

Set-SmbServerConfiguration -EncryptData $true

I have a share on my Windows 2012 server and from my Windows 8 client I mapped the share. The SMB traffic is encrypted.

I used Microsoft Message Analyzer to capture the traffic. How can I decrypt the SMB traffic?

I tried using the Decryption feature of Message Analyzer. How can I get the Windows 2012 server certificate that I can add to Message Analyzer so that I would be able to decrypt the packets?

I have administrator privileges. Thanks for your help.
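A defender-side PowerShell example, added here and not part of the original thread, that wraps the command above together with its companion setting and audits which shares would still be served in cleartext; it assumes an elevated session on a Windows Server 2012 or later file server with the built-in SmbShare module.

```powershell
# Added example (not from the thread): audit and enforce SMB encryption on a
# Windows Server 2012+ file server using the built-in SmbShare cmdlets.
# Assumes an elevated PowerShell session on the server itself.

function Get-SmbEncryptionState {
    # Server-wide setting the original poster enabled, plus the companion
    # setting that decides what happens to clients that cannot encrypt.
    $cfg = Get-SmbServerConfiguration
    # Shares that are neither encrypted per-share nor covered server-wide
    # (admin shares such as C$ and IPC$ are skipped via the Special flag).
    $open = @(Get-SmbShare |
        Where-Object { -not $_.Special -and -not ($_.EncryptData -or $cfg.EncryptData) } |
        Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        ServerEncryptData       = $cfg.EncryptData
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
        UnencryptedShares       = $open
    }
}

function Enable-SmbEncryption {
    param(
        # Leave empty to encrypt every share server-wide; otherwise encrypt
        # only the named shares (e.g. 'Finance') and leave the rest as they are.
        [string[]]$ShareName = @(),
        # When $true (the Windows default) clients that cannot negotiate SMB 3.0
        # encryption, i.e. SMB 2.x and SMB 1 clients, are refused rather than
        # silently served in cleartext. Set $false only as a deliberate exception.
        [bool]$RejectUnencryptedAccess = $true
    )
    if ($ShareName.Count -eq 0) {
        # Same effect as the command in the question: everything is encrypted.
        Set-SmbServerConfiguration -EncryptData $true -Force
    } else {
        foreach ($name in $ShareName) {
            Set-SmbShare -Name $name -EncryptData $true -Force
        }
    }
    Set-SmbServerConfiguration -RejectUnencryptedAccess $RejectUnencryptedAccess -Force
    # Report the resulting state so the change can be verified, not assumed.
    Get-SmbEncryptionState
}

# Example run: encrypt every share server-wide and show the resulting state.
Enable-SmbEncryption | Format-List
```

None of this changes the point made later in the thread: encryption protects the data on the wire, and an administrator on either endpoint can still trace the plaintext.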

All replies (6)

Friday, October 24, 2014 1:41 PM ✅Answered | 1 vote

The Decryption tool is specifically for TLS/SSL.  While we don't have a way to decrypt the traffic after the fact, you can use the SMB File Sharing scenarios to capture the traffic unencrypted in the first place.  By default they don't show on the Quick Trace menu, but you can mark them as a favorite by clicking the star next to the scenario.  To do this:

  • File->New Session->Live Trace
  • Find the scenario in the list (you could search on SMB)
  • Click the star next to each entry you want to show up in the quick trace

You can also just run the scenario from here by selecting it and hitting start.  The advantage of this advanced configuration is that you can build your own scenarios, for instance to capture both wire and SMB unencrypted traffic at the same time, add filters, and even capture from multiple remote machines.

Paul


Friday, October 24, 2014 8:39 PM

Thanks for your response Paul.

Previously I used the "Local Network Interfaces" live trace scenario and I mapped a share marked with SMB encryption. I am able to capture the SMB traffic along with other TCP traffic.

As SMB encryption is enabled on the server, over the wire I do not get to see the request and response details. I can just see the "TransformMessage, Encrypted" message. This is expected. Even Network Monitor does the same by hiding the frame details.

I want to know, if by using Message Analyzer, can I decrypt this encrypted SMB traffic? i.e. is there a way to see the SMB header and other details using Message Analyzer for the packets that are encrypted?

As per your suggestion, I tried using "SMB2 Client Full Payloads" live trace scenario, but I am unable to capture the packets. Nothing gets captured over the wire.

- Prag


Tuesday, October 28, 2014 1:14 PM

If you capture SMB encrypted packets from the network adapter using "Local Network Interfaces" the data cannot be decrypted afterwards. You will see the TransformMessage, and this is expected.

You should be able to use the SMB Client (if you are capturing from the client), or SMB Server (if you are capturing on the server side), to see the captured data unencrypted.

Are you capturing from the server or client side?

Thanks,

Paul


Tuesday, October 28, 2014 1:51 PM

Thanks Paul. I thought there would be a way to decrypt the packets captured using "Local Network Interfaces".

By using SMB client trace scenario I am able to see the data unencrypted.

So anyone having a Message Analyzer tool would be able to see the unencrypted traffic by using the appropriate SMB trace scenario and can peep into the packets. Is this expected?


Tuesday, October 28, 2014 1:57 PM

Yes, anybody with admin privileges can see the data unencrypted.  It was always possible, even before we exposed it through ETW, but before that it would require a debugger to see the data in memory.

Paul


Tuesday, October 28, 2014 2:14 PM

Thanks for your help Paul.