Quoted from http://www.ubiqx.org/cifs/SMB.html
2.1.2 NBT or Not NBT
Before we actually start, there is one more thing to mention: The SMB protocol is supposed to be "transport independent". That is, SMB should work over any reliable transport that meets a few basic criteria. NBT is one such transport, but SMB does not really require the NetBIOS API. It can, for instance, be run directly over TCP/IP.
Just for fun, we will refer to SMB over TCP/IP without NBT as "naked" or "raw". When running naked, SMB defaults to using TCP port 445 instead of the NBT Session Service port (TCP/139). Windows 2000, Windows XP, and Samba all support raw transport, but the large number of "legacy" Windows clients still in use suggest that NBT will not go away any time soon.
Other than the new port number, there are only two notable changes between NBT and naked transport. The first is that naked transport does not make use of the NBT SESSION REQUEST and POSITIVE SESSION RESPONSE messages. The second is that the two transports interpret the SESSION MESSAGE header a bit differently.
Recall (from section 1.6) that the NBT Session Service prepends a four-byte header to each SESSION MESSAGE, like so:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    0 (zero)   | <reserved>  |        LENGTH (17 bits)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The LENGTH field, as shown, is 17 bits wide. Raw TCP transport also prepends a four-byte header, but the full 24 bits are available for the LENGTH:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    0 (zero)   |                LENGTH (24 bits)               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
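As an added example (not part of the ubiqx text or of this post), here is a small Python decoder for the four-byte header in both framings described above; it rejects headers that are only legal under the other framing, and the sample frames are constructed, not captured traffic:

```python
import struct
from dataclasses import dataclass
# NBT Session Service message types named in the section.
NBT_SESSION_MESSAGE = 0x00
NBT_SESSION_REQUEST = 0x81
NBT_POSITIVE_SESSION_RESPONSE = 0x82

@dataclass
class SessionHeader:
    msg_type: int   # first byte; always 0 on raw (port 445) transport
    length: int     # bytes of SMB data that follow the 4-byte header

def parse_session_header(hdr: bytes, raw: bool) -> SessionHeader:
    """Decode the 4-byte header at the start of hdr.
    raw=False: NBT framing (TCP/139): TYPE(8) | reserved(7) | LENGTH(17)
    raw=True:  naked SMB over TCP (TCP/445): TYPE(8, zero) | LENGTH(24)
    """
    if len(hdr) < 4:
        raise ValueError("need 4 header bytes")
    msg_type, hi, lo16 = struct.unpack(">BBH", hdr[:4])
    if raw:
        if msg_type != 0:
            raise ValueError("raw transport: first byte must be zero")
        length = (hi << 16) | lo16              # all 24 bits carry length
    else:
        if hi & 0xFE:
            raise ValueError("NBT: reserved bits 8-14 must be zero")
        length = ((hi & 0x01) << 16) | lo16     # bit 15 is length bit 16
    return SessionHeader(msg_type, length)

def is_valid_header(hdr: bytes, raw: bool) -> bool:
    try:
        parse_session_header(hdr, raw)
        return True
    except ValueError:
        return False

def smb_payload(frame: bytes, raw: bool) -> bytes:
    """Return the SMB message after the header, refusing truncated frames."""
    h = parse_session_header(frame, raw)
    body = frame[4:4 + h.length]
    if len(body) != h.length:
        raise ValueError(f"truncated: header says {h.length}, got {len(body)}")
    return body

# Constructed samples (not captured traffic): a 5-byte stand-in for an SMB
# message, which frames identically on both ports, plus two bare headers.
SAMPLE_FRAME = b"\x00\x00\x00\x05" + b"\xffSMB!"
HDR_128K = b"\x00\x02\x00\x00"      # length 0x20000: fits only in 24 bits
HDR_REQ = b"\x81\x00\x00\x44"       # NBT SESSION REQUEST carrying 68 bytes
```

A header with the second byte above 0x01 can only be a raw (port 445) frame, which is the 17-bit versus 24-bit difference the section describes.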
Indeed, in my own captures, the traffic on port 445 is SMB over TCP/IP, the so-called naked/raw transport, and the NetBIOS length field in those packets really is 24 bits, whereas on port 139 it is not.
Also, only the port 139 packets carry an NBT session request first.
[Figure: port 139 packets]
[Figure: port 445 packets]
Also, the way I forced port 139 was the registry-modification trick I found last time. This also confirmed that after the server side changes its port, the client has no way to learn the new port, so the client again defaults to connecting to the server on port 139.
[Figure: an older machine using port 139, with the client calling the NetServerEnum2 function]
[Figure: a NetServerEnum2 capture downloaded from the web (port 445)]
This one is odd: there is no preceding Create to open the lanman pipe and no bind to bind the interface. In fact, the lanman pipe is special; this is the RAP protocol in use.
There are generally two kinds of payload over SMB: one is RPC (MS-RPC), the other is RAP. So far the only way I can see to tell RAP from RPC is that the RAP pipe name is distinctive. There is more on RAP at the end of this article.
Also, according to the references I looked up, the lanman RAP pipe also provides a NetShareEnum() function for enumerating shared folders, the same as the srvsvc interface.
Also, from the analysis so far, it appears that on Windows a great deal of this functionality is implemented in the netbt.sys driver.
3.3.1 Meet the Plumbing: Named Pipes
As you are by now well aware, SMB is a protocol that implements a network filesystem and, of course, a network filesystem is the result of extrapolating the general concepts that lie behind a disk-based filesystem. The difference is that the network variety uses higher level protocols to stretch things out across a network.
Some disk-based filesystems (such as those used in Unix and its kin) can handle the inclusion of objects that aren't really files at all, but which--through the use of some clever abstraction layers--can be made to look and work like files. For those familiar with such things, common examples include device nodes, the contents of /proc, and Named Pipes.
We are interested in the latter.
A Named Pipe is, at its heart, an interprocess communications channel. It allows two programs running independently to exchange messages. The SMB protocol, as you have already guessed, provides support for Named Pipes, but it can stretch them out over the network so that programs on different machines can talk to one another.
[Figure 3.8]
A Named Pipe is "named" so that it can be identified by the programs that want to use it. It is a "pipe" because data is shoved in at one end and then falls gracefully out the other. CIFS Named Pipes have some additional qualities:
- They are transported over TCP. The use of SMB (over NBT) over TCP means that Named Pipe transactions are reliable.
- They are built on SMBtrans transactions. SMBtrans allows for data transfers up to 64K in size, per transaction.
- They are bi-directional. As with other protocols that we have studied, data may be sent and received over the same connection.
- They are filesystem abstractions. CIFS Named Pipes can be opened, closed, read from, and written to.
These features make CIFS Named Pipes ideal for transporting network function calls, which is one of the key ways (but not the only way) they are used. The Remote Administration Protocol (RAP) and Microsoft's Remote Procedure Call implementation (MS-RPC) are both built on top of Named Pipes.
Although they are filesystem abstractions, CIFS Named Pipes are kept separate from the real files and directories made available by the SMB Server Service. They are placed in a special share--the IPC$ share--which is "hidden". You won't be able to browse to it using the Windows Network Neighborhood tool. If you know it's there, however, you can access it just as you would any other SMB share. Specifically, by sending a SESSION SETUP followed by a TREE CONNECT.
So when calling RPC to open a pipe, the IPC$ share has to be opened first, because these pipes (and mailslots) all live in that share. Normally, when we open an ordinary share such as test1 and then open the file file1, we first see the directory test1 being opened (with the tree connect command), which returns a tree id; when file1 is opened later, the tree id in the SMB header tells where that file lives. Opening a pipe works the same way: when opening a pipe such as \srvsvc, the tree id identifies the previously opened IPC$ share.
Hidden Expense Alert: Share names that end with a dollar sign ('$') are considered "hidden" shares. It is expected that client software will not display hidden share names unless specifically asked to do so. Note that it is the client, not the server, that takes care of hiding the hidden shares. Samba's smbclient tool and the jCIFS List.java utility will both happily display hidden share names for you.
Named Pipes within the IPC$ share have names that match the following format:
\PIPE\pipename
...where pipename is determined by the service that created the pipe. Because they are filesystem abstractions, it would be logical to assume that the full name of a Named Pipe (in UNC format) would look something like this:
\\server\IPC$\PIPE\pipename
As it turns out, however, the DOS, OS/2, and Windows functions that manipulate Named Pipes abbreviate the name by removing "\IPC$" from the string, which gives:
\\server\PIPE\pipename
Named Pipes are created on the SMB server side by applications and tools that are willing to provide specialized services. The architecture is quite analogous to services that register NetBIOS names to make themselves available, it's just that there are more intervening protocol layers which provide additional features. For example, Named Pipes can take advantage of the SMB authentication and MAC signing mechanisms.
Microsoft has created several services that use Named Pipes, but the set of services that are actually available will vary depending upon the host OS and/or the CIFS implementation. Luke K. C. Leighton's book DCE/RPC over SMB: Samba and Windows NT Domain Internals (which we have referenced often) lists several known pipes that offer services based on MS-RPC.
Our particular interest, however, is with the specific Named Pipe that will connect us to the Remote Administration Protocol service. That pipe is:
\PIPE\LANMAN
We will be using it a little later on, when we dig into the one RAP function that is commonly used by the Browser Service: the NetServerEnum2 function.
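An added example, not from the ubiqx text or from any implementation it mentions: a Python helper that accepts the three pipe-name forms described above, splits them into server and pipename, and flags \PIPE\LANMAN as the RAP pipe. Telling RAP from MS-RPC by pipe name is this post's own heuristic, and treating every other pipe as an MS-RPC endpoint is an assumption made here for illustration:

```python
import re
from typing import NamedTuple, Optional

class PipeName(NamedTuple):
    server: Optional[str]   # None for the share-relative \PIPE\name form
    pipe: str               # pipename as written
    protocol: str           # "RAP" for \PIPE\LANMAN, else "MS-RPC" (assumed)

# Assumption for this example: \PIPE\LANMAN is the only RAP pipe and every
# other pipe name is treated as an MS-RPC endpoint (e.g. srvsvc).
_UNC = re.compile(r"^\\\\([^\\]+)\\(?:IPC\$\\)?PIPE\\([^\\]+)$", re.IGNORECASE)
_REL = re.compile(r"^\\PIPE\\([^\\]+)$", re.IGNORECASE)

def parse_pipe_name(name: str) -> PipeName:
    """Accept any of the three name forms and split it into its parts."""
    m = _UNC.match(name)
    if m:
        server, pipe = m.group(1), m.group(2)
    else:
        m = _REL.match(name)
        if not m:
            raise ValueError(f"not a CIFS Named Pipe name: {name!r}")
        server, pipe = None, m.group(1)
    protocol = "RAP" if pipe.upper() == "LANMAN" else "MS-RPC"
    return PipeName(server, pipe, protocol)

def full_unc(server: str, pipe: str) -> str:
    """Logical UNC name with the hidden IPC$ share spelled out."""
    return f"\\\\{server}\\IPC$\\PIPE\\{pipe}"

def api_unc(server: str, pipe: str) -> str:
    """Abbreviated form used by the DOS, OS/2 and Windows pipe functions."""
    return f"\\\\{server}\\PIPE\\{pipe}"

def is_hidden_share(share: str) -> bool:
    """Share names ending in '$' are hidden by convention (by the client)."""
    return share.endswith("$")
```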
...and that is really all we have to say about CIFS Named Pipes.
There is, of course, a lot more that could be said. Named Pipes can be used in a variety of ways to support a variety of different kinds of operations. Our goal, however, is to explore the Browse Service, so the scope of this discussion is purposefully limited.
Some supplementary material on RAP:
1.5 Prerequisites/Preconditions
The Remote Administration Protocol has the following preconditions:
- The SMB dialect negotiated between a Remote Administration Protocol client and a server has to be for Microsoft LAN Manager version 1.0 or later, as specified in [MS-SMB] section 3.2.4.2.2.
- The Remote Administration Protocol also relies on a client establishing a connection to an SMB server. Before a client can issue Remote Administration Protocol commands, it has to establish a connection to the server and successfully perform a TreeConnect SMB to the "IPC$" share on the server. For more details about TreeConnect SMB and IPC$ shares, see [MS-SMB] section 2.2.4.7.1, and [MS-CIFS] section 3.2.4.42.
The following is from ftp://ftp.microsoft.com/developr/drg/CIFS/cifsrap2.txt
RAP is layered on the CIFS Transact SMB, which provides reliable message
delivery, security, and messages larger than the underlying network
maximum packet size. When used for RAP, the name field in the Transact
SMB is always set to "\PIPE\LANMAN". The Transact SMB is sent on a
session/connection that is established to the remote server using a
SessionSetupAndX SMB, and using a TID obtained by doing a
TreeConnectAndX SMB to a share named "IPC$".
http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_ethereal.html