How to decrypt SMB3 traffic

Lilia 1 Reputation point
2023-05-17T12:34:41.5466667+00:00

The method of using

netsh trace start provider=Microsoft-Windows-SMBClient

and saving as pcap in NetMon doesn't produce decrypted traffic.

Described at Plugfest https://www.youtube.com/watch?v=aGG7cpLxdfQ


2 answers

  1. Gary Nebbett 5,721 Reputation points
    2023-05-17T13:08:03.2166667+00:00

    Hello Lilia,

    You need to use Message Analyzer to view the decrypted traffic; NetMon does not know how to interpret the ETW events containing the decrypted data. Among other things, the data in the ETW trace file is just the SMB data without any TCP/IP headers.

    It is possible to write a tool to extract the plaintext SMB data from an ETW trace and save it in a pcap/pcapng format (with faked TCP/IP headers); this allows Wireshark to be used to analyze the packets.

    Gary

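The second paragraph of the answer above describes wrapping the plaintext SMB data from an ETW trace in faked TCP/IP headers so Wireshark can dissect it. The following is an added example of that conversion step, not code from the poster or from Microsoft. It assumes the ETW-parsing step has already produced records of the form (timestamp, from_client, smb2_bytes); the records, MAC addresses, IP addresses and ports below are all constructed stand-ins, and the SMB2 message bodies are filler. Each record is prefixed with the 4-byte NetBIOS Session Service length header that SMB over TCP port 445 carries, given per-direction TCP sequence numbers so Wireshark's stream reassembly works, and written out in classic pcap format.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"


def smb2_header(command: int, message_id: int, flags: int = 0) -> bytes:
    """Build a 64-byte SMB2 packet header (MS-SMB2 2.2.1.2) for sample data."""
    return struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC,    # ProtocolId
        64,            # StructureSize
        0,             # CreditCharge
        0,             # Status
        command,       # Command (0 = NEGOTIATE)
        1,             # CreditRequest / CreditResponse
        flags,         # Flags (0x1 = SERVER_TO_REDIR marks a response)
        0,             # NextCommand
        message_id,    # MessageId
        0,             # Reserved
        0,             # TreeId
        0,             # SessionId
        b"\x00" * 16,  # Signature
    )


# Constructed records standing in for what an ETW extraction step would yield:
# (unix timestamp, True if sent by the client, decrypted SMB2 message bytes).
# The bytes after the header are filler, not a faithful NEGOTIATE body.
SAMPLE_RECORDS = [
    (1684327000.000, True, smb2_header(0x0000, 0) + b"\x24\x00" + b"\x00" * 34),
    (1684327000.001, False, smb2_header(0x0000, 0, flags=0x1) + b"\x41\x00" + b"\x00" * 62),
]

# Faked link/network/transport identities (constructed; any consistent values work).
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
CLIENT_IP = bytes([10, 0, 0, 1])
SERVER_IP = bytes([10, 0, 0, 2])
CLIENT_PORT = 49152
SMB_PORT = 445  # Wireshark picks the SMB2 dissector from this port

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement checksum over the IPv4 header (returns 0 for a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(smb: bytes, from_client: bool, seq: int, ack: int) -> bytes:
    """Wrap one SMB2 message in Ethernet + IPv4 + TCP + NBSS headers."""
    if from_client:
        src_mac, dst_mac, src_ip, dst_ip = CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP
        sport, dport = CLIENT_PORT, SMB_PORT
    else:
        src_mac, dst_mac, src_ip, dst_ip = SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP
        sport, dport = SMB_PORT, CLIENT_PORT
    # NetBIOS Session Service header: one zero byte plus a 3-byte big-endian length.
    nbss = b"\x00" + len(smb).to_bytes(3, "big")
    # TCP header: data offset 5 words, flags PSH|ACK, window 65535.
    # The TCP checksum is left at 0; Wireshark does not validate it by default.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(nbss) + len(smb)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = dst_mac + src_mac + b"\x08\x00"
    return eth + ip + tcp + nbss + smb


def pcap_bytes(records) -> bytes:
    """Serialise records as a classic pcap file with the faked framing above."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    seq = {True: 1000, False: 5000}  # per-direction sequence numbers (constructed starts)
    for ts, from_client, smb in records:
        frame = build_frame(smb, from_client, seq[from_client], seq[not from_client])
        seq[from_client] += 4 + len(smb)  # advance by NBSS header + payload
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(frame), len(frame))
        out += frame
    return bytes(out)


def write_pcap(records, path: str) -> None:
    with open(path, "wb") as f:
        f.write(pcap_bytes(records))


if __name__ == "__main__":
    write_pcap(SAMPLE_RECORDS, "smb_plaintext.pcap")
```

Opening the resulting file in Wireshark shows the messages as SMB2 on port 445 with TCP reassembly intact; only the IP checksum is computed, so if TCP checksum validation is enabled in Wireshark's preferences the segments will be flagged, which does not affect dissection.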

  2. Obaid Farooqi MSFT 511 Reputation points Microsoft Employee
    2023-05-20T02:51:46.21+00:00

    This issue is now resolved. The poster was provided with the latest copy of Message Analyzer.

    For the latest copy of Message Analyzer, please send an email to dochelp at Microsoft dot com.

    Regards,

    Obaid Farooqi - MSFT
