Day 12: Wireshark – Inspecting SMB Traffic and NetBIOS Name Service
Objective: Analyze SMB/CIFS traffic to detect unauthorized share enumeration or NetBIOS name service queries. The goal is to use Wireshark to filter and inspect SMB-related packets and find indicators of suspicious file share access or enumeration.
Challenge Description: In this scenario, an internal host is scanning the network for SMB/CIFS (file sharing) servers. This may involve NetBIOS Name Service (NBNS) queries or SMB negotiation requests. Your task is to identify SMB-related traffic and uncover any embedded flags within the SMB communication.
Tools: Wireshark.
Steps to Solve:
- Filter for SMB and NetBIOS traffic: use smb (for older SMB1) and smb2 (for SMB2/3), or nbns for NetBIOS Name Service.
- Look for NetBIOS name queries (nbns) showing the host looking up names or domains.
- Examine SMB sessions: filter by tcp.port == 445 (SMB) if needed.
- In SMB traffic, inspect negotiation requests, session setup, and tree connect packets.
- Search for any ASCII text or unexpected values in SMB name fields. Right-click packets and choose “Show Packet Bytes” if needed to see raw text in SMB payloads.
- Check for any flags in share names or file names if file browsing or a file open is attempted.
- If needed, use “Export Objects” (File → Export Objects → SMB) to extract files transferred over the SMB shares.
Simulated Lab:
1. Filter for NetBIOS name service (NBNS). Apply the filter nbns. You see a few NBNS queries such as “Name query NB Internet: Host A”.
3. Switch to SMB/CIFS filtering. Use smb2 (if SMB2 is present) or smb. If the capture uses SMB2, it will show more fields. Otherwise use nbss or tcp.port==445.
4. Find SMB traffic. You see SMB2 negotiation and session setup messages between an internal host and a file server, for example an SMB2 Tree Connect Request for a share.
5. Examine share or file names. Open a tree connect request. In Packet Details under SMB2, you might see Tree Name: \\SERVER\. If a share name includes,
6. Check for hidden text. Maybe the share name is TSEC_SHARE or the file being accessed is named flag.txt with content. If needed, right-click on an SMB packet and view “Packet Bytes” to see the actual text.
7. Export file if needed. If the SMB session included reading a file, use File → Export Objects → SMB to see if a file like secret.txt was transferred. The list might show it; extract if present.
8. Flag discovery. Suppose you find the share name was .
9. Record the flag. The hidden flag uncovered in SMB traffic or NetBIOS queries is.
By filtering SMB and NetBIOS traffic, you identified an unusual SMB share name or NetBIOS name containing a TSEC flag.
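The NBNS queries in step 1 carry the looked-up name in NetBIOS first-level encoding (32 letters A–P, two per byte), which is why Wireshark shows names such as FILESRV<20>. The following script is an added example, not part of the original lab: it encodes and decodes that format, builds constructed NBNS query payloads as sample input, and applies a simple heuristic that flags a source querying many distinct <20> File Server names, the pattern a share-enumeration scan produces. The host names, IPs and threshold are assumptions for illustration.

```python
import struct

# NetBIOS suffix bytes (RFC 1001/1002 and Microsoft usage); <20> is the File Server service.
SUFFIXES = {0x00: "Workstation", 0x03: "Messenger", 0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
            0x1D: "Master Browser", 0x1E: "Browser Election", 0x20: "File Server"}

def encode_netbios_name(name, suffix):
    """First-level encoding: pad to 15 chars, append the suffix byte, then emit
    two letters per byte (each nibble + 'A'), which is the 32-char wire label."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return "".join(chr((b >> 4) + 0x41) + chr((b & 0x0F) + 0x41) for b in raw)

def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name: 32-char label -> (name, suffix byte)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" \x00"), raw[15]

def build_nbns_query(txid, name, suffix):
    """UDP/137 payload of an NBNS name query (used here to construct sample input).
    Flags 0x0110 = query, recursion desired, broadcast; QTYPE NB (0x20), QCLASS IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    label = encode_netbios_name(name, suffix).encode("ascii")
    return header + bytes([len(label)]) + label + b"\x00" + struct.pack("!HH", 0x20, 1)

def parse_nbns_query(payload):
    """Parse an NBNS query payload -> (txid, name, suffix, suffix description)."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question NBNS query")  # responses are rejected
    label = payload[13:13 + payload[12]].decode("ascii")
    name, suffix = decode_netbios_name(label)
    return txid, name, suffix, SUFFIXES.get(suffix, "unknown")

def find_enumerators(packets, threshold=3):
    """packets: iterable of (src_ip, nbns_payload). Return sources that looked up
    more than `threshold` distinct <20> names, a simple share-scan heuristic."""
    seen = {}
    for src, payload in packets:
        _, name, suffix, _ = parse_nbns_query(payload)
        if suffix == 0x20:
            seen.setdefault(src, set()).add(name)
    return sorted(src for src, names in seen.items() if len(names) > threshold)

# Constructed sample (assumed hosts): 10.0.0.5 looks up four file servers, 10.0.0.9 only one.
SAMPLE = [("10.0.0.5", build_nbns_query(0x8000 + i, n, 0x20))
          for i, n in enumerate(["FILESRV", "NAS01", "DC01", "PRINTSRV"])]
SAMPLE.append(("10.0.0.9", build_nbns_query(0x9000, "FILESRV", 0x20)))
print("possible enumerators:", find_enumerators(SAMPLE))  # ['10.0.0.5']
```

On a real capture, feed find_enumerators the UDP/137 payloads per source address; the same decoder also explains the letter strings seen when viewing an NBNS packet's bytes.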