4.1 Connecting to a Share by Using a Multi-Protocol Negotiate

The following diagram shows the steps taken by a client that is negotiating SMB2 by using an SMB-style negotiate.

Client negotiating SMB2 with SMB-style negotiate

Figure 6: Client negotiating SMB2 with SMB-style negotiate

  1. The client sends an SMB negotiate packet with the string "SMB 2.002" in the dialect string list, along with the other SMB dialects the client implements.

     Smb: C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
     Protocol: SMB
     Command: Negotiate 114(0x72)
     SMBHeader: Command, TID: 0xFFFF, PID: 0xFEFF, UID: 0x0000, MID: 0x0000
     Flags: 24 (0x18)
     Bit0: (.......0) SMB_FLAGS_LOCK_AND_READ_OK: LOCK_AND_READ and WRITE_AND_CLOSE not supported (obsoleted)
     Bit1: (......0.) SMB_FLAGS_SEND_NO_ACK [not implemented]
     Bit2: (.....0..) Reserved (value is zero)
     Bit3: (....1...) SMB_FLAGS_CASE_INSENSITIVE: SMB paths are case-insensitive
     Bit4: (...1....) SMB_FLAGS_CANONICALIZED_PATHS: Canonicalized File and pathnames (obsoleted)
     Bit5: (..0.....) SMB_FLAGS_OPLOCK: No Oplocks supported for OPEN, CREATE & CREATE_NEW (obsoleted)
     Bit6: (.0......) SMB_FLAGS_OPLOCK_NOTIFY_ANY: No Notifications supported for OPEN, CREATE & CREATE_NEW (obsoleted)
     Bit7: (0.......) SMB_FLAGS_SERVER_TO_REDIR: Command - SMB is being sent from the client
     Flags2: 51283 (0xC853)
     Bit00: (...............1) SMB_FLAGS2_KNOWS_LONG_NAMES: May return long file names
     Bit01: (..............1.) SMB_FLAGS2_KNOWS_EAS: Understands extended attributes
     Bit02: (.............0..) SMB_FLAGS2_SMB_SECURITY_SIGNATURE: Not security signature-enabled
     Bit03: (............0...) Reserved
     Bit04: (...........1....) Reserved
     Bit05: (..........0.....) SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED: SMB packets are signed
     Bit06: (.........1......) SMB_FLAGS2_IS_LONG_NAME: Any path name in the request is a long name
     Bit07: (........0.......) Reserved
     Bit08: (.......0........) Reserved
     Bit09: (......0.........) Reserved
     Bit10: (.....0..........) SMB_FLAGS2_REPARSE_PATH: Not requesting Reparse path
     Bit11: (....1...........) SMB_FLAGS2_EXTENDED_SECURITY: Aware of extended security
     Bit12: (...0............) SMB_FLAGS2_DFS: No DFS namespace
     Bit13: (..0.............) SMB_FLAGS2_PAGING_IO: Read operation will NOT be permitted if has no read permission
     Bit14: (.1..............) SMB_FLAGS2_NT_STATUS: Using 32-bit NT status error codes
     Bit15: (1...............) SMB_FLAGS2_UNICODE: Using UNICODE strings
     PIDHigh: 0 (0x0)
     SecuritySignature: 0x0
     Reserved: 0 (0x0)
     TreeID: 65535 (0xFFFF)
     Reserved: 0 (0x0)
     UserID: 0 (0x0)
     MultiplexID: 0 (0x0)
     CNegotiate: 
     WordCount: 0 (0x0)
     ByteCount: 109 (0x6D)
     Dialect: PC NETWORK PROGRAM 1.0
     BufferFormat: Dialect 2(0x2)
     DialectName: PC NETWORK PROGRAM 1.0
     Dialect: LANMAN1.0
     BufferFormat: Dialect 2(0x2)
     DialectName: LANMAN1.0
     Dialect: Windows for Workgroups 3.1a
     BufferFormat: Dialect 2(0x2)
     DialectName: Windows for Workgroups 3.1a
     Dialect: LM1.2X002
     BufferFormat: Dialect 2(0x2)
     DialectName: LM1.2X002
     Dialect: LANMAN2.1
     BufferFormat: Dialect 2(0x2)
     DialectName: LANMAN2.1
     Dialect: NT LM 0.12
     BufferFormat: Dialect 2(0x2)
     DialectName: NT LM 0.12
     Dialect: SMB 2.002
     BufferFormat: Dialect 2(0x2)
     DialectName: SMB 2.002
      
      
      
    
  2. The server receives the SMB negotiate request and finds dialect "SMB 2.002". The server responds with an SMB2 negotiate.

     Smb2: R NEGOTIATE
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: NEGOTIATE
     Credits: 1 (0x1)
     Flags: 1 (0x1)
     ServerToRedir: ...............................1  Server to Client
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 0 (0x0)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 0 (0x0)
     RNegotiate: 
     Size: 65 (0x41)
     SecurityMode: Signing Enabled
     DialectRevision: 0x0202
     Reserved: 0 (0x0)
     Guid: {3F5CF209-A4E5-0049-A7D6-6A456D5CA5CF}
     Capabilities: 1 (0x1)
     DFS:           ...............................1  DFS available
     MaxTransactSize: 65536 (0x10000)
     MaxReadSize: 65536 (0x10000)
     MaxWriteSize: 65536 (0x10000)
     SystemTime: 127972992061679232 (0x1C6A6C21CAE2680)
     ServerStartTime: 127972985895467232 (0x1C6A6C0AD2538E0)
     SecurityBufferOffset: 128 (0x80)
     SecurityBufferLength: 30 (0x1E)
     Reserved2: 0 (0x0)
     Buffer:
      
      
    
  3. The client queries GSS for the authentication token and sends an SMB2 SESSION_SETUP Request with the output token received from GSS.

     Smb2: C SESSION SETUP
     Smb2: C SESSION SETUP
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: SESSION SETUP
     Credits: 126 (0x7E)
     Flags: 0 (0x0)
     ServerToRedir: ...............................0  Client to Server
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 1 (0x1)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 0 (0x0)
     CSessionSetup: 
     Size: 25 (0x19)
     VcNumber: 0 (0x0)
     SecurityMode: Signing Enabled
     Capabilities: 1 (0x1)
     DFS:            ...............................1 DFS available
     Channel: 0 (0x0)
     SecurityBufferOffset: 88 (0x58)
     SecurityBufferLength: 74 (0x4A)
     Buffer: (74 bytes)
      
      
    
  4. The server processes the token received with GSS and gets a return code indicating a subsequent round trip is required. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the output token from GSS.

     Smb2: R SESSION SETUP (Status=STATUS_MORE_PROCESSING_REQUIRED)
     Smb2: R SESSION SETUP (Status=STATUS_MORE_PROCESSING_REQUIRED)
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_MORE_PROCESSING_REQUIRED
     Command: SESSION SETUP
     Credits: 2 (0x2)
     Flags: 1 (0x1)
     ServerToRedir: ...............................1  Server to Client
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 1 (0x1)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 4398046511113 (0x40000000009)
     RSessionSetup: 
     Size: 9 (0x9)
     SessionFlags: Normal session
     SecurityBufferOffset: 72 (0x48)
     SecurityBufferLength: 219 (0xDB)
     Buffer: (219 bytes)
      
      
    
  5. The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request with the output token received from GSS and the SessionId received on the previous response.

     Smb2: C SESSION SETUP
     Smb2: C SESSION SETUP
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: SESSION SETUP
     Credits: 125 (0x7D)
     Flags: 0 (0x0)
     ServerToRedir: ...............................0  Client to Server
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 2 (0x2)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 4398046511113 (0x40000000009)
     CSessionSetup: 
     Size: 25 (0x19)
     VcNumber: 0 (0x0)
     SecurityMode: Signing Enabled
     Capabilities: 1 (0x1)
     DFS:            ...............................1 DFS available
     Channel: 0 (0x0)
     SecurityBufferOffset: 88 (0x58)
     SecurityBufferLength: 245 (0xF5)
     Buffer: (245 bytes)
      
      
    
  6. The server processes the token received with GSS and gets a successful return code. The server responds to client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_SUCCESS and the response containing the output token from GSS.

     Smb2: R SESSION SETUP
     Smb2: R SESSION SETUP
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: SESSION SETUP
     Credits: 3 (0x3)
     Flags: 9 (0x9)
     ServerToRedir: ...............................1  Server to Client
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................1...  Packet is signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 2 (0x2)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 4398046511113 (0x40000000009)
     RSessionSetup: 
     Size: 9 (0x9)
     SessionFlags: Normal session
     SecurityBufferOffset: 72 (0x48)
     SecurityBufferLength: 29 (0x1D)
     Buffer: (29 bytes)
      
      
    
  7. The client completes the authentication and sends an SMB2 TREE_CONNECT Request with the SessionId for the session, and a tree connect request containing the Unicode share name "\\smb2server\IPC$".

     Smb2: C TREE CONNECT \\smb2server\IPC$
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: TREE CONNECT
     Credits: 123 (0x7B)
     Flags: 0 (0x0)
     ServerToRedir: ...............................0  Client to Server
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS: 0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 3 (0x3)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 4398046511113 (0x40000000009)
     CTreeConnect: 
     Size: 9 (0x9)
     Reserved: 0 (0x0)
     PathOffset: 72 (0x48)
     PathLength: 34 (0x22)
     Share: \\smb2server\IPC$
      
      
    
  8. The server responds with an SMB2 TREE_CONNECT Response with MessageId of 3, CreditResponse of 5, Status equal to STATUS_SUCCESS, SessionId of 0x40000000009, and TreeId set to the locally generated identifier 0x1.

     Smb2: R TREE CONNECT TID=0x1
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: TREE CONNECT
     Credits: 5 (0x5)
     Flags: 1 (0x1)
     ServerToRedir: ...............................1  Server to Client
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 3 (0x3)
     Reserved: 0 (0x0)
     TreeId: 1 (0x1)
     SessionId: 4398046511113 (0x40000000009)
     RTreeConnect: 
     Size: 16 (0x10)
     ShareType: Pipe
     Reserved: 0 (0x0)
     Flags: No Caching
     Capabilities: 0 (0x0)
     MaximalAccess: 2032127 (0x1F01FF)
      
      
    

Further operations can now continue, using the SessionId and TreeId generated in the connection to this share.