SMB

Section [SMB]

SMB.Server: list

Each entry corresponds to an instance of smb.SMBServerConfig

Defines a list of SMB server configuration sections. For instructions on configuring section lists, refer to the general configuration guide Array Tables for TOML.

Attributes listed below can alternatively be specified in the global [SMB] section to serve as default values for all individual server entries.

Server.Port: int

Maps to smb.SMBServerConfig.smb_port

Specifies the port on which the SMB server instance listens. This setting is required and cannot be used in the [SMB] section.

Important

This attribute must be defined within a dedicated [[SMB.Server]] section.

Server.ServerOS: str

Map to smb.SMBServerConfig.smb_server_os. May also be set in [SMB]

Defines the operating system for the SMB server. These values are used when crafting responses.

Server.ServerName: str
Server.ServerDomain: str

Map to smb.SMBServerConfig.smb_server_XXX. May also be set in [SMB]

Defines identification metadata for the SMB server. These values are used when crafting responses.

Removed in version 1.0.0.dev8: ServerName and ServerDomain were merged into SMB.Server.FQDN

Server.FQDN: str = "DEMENTOR"

Linked to smb.SMBServerConfig.smb_fqdn. Can also be set in [SMB] or [Globals]

Specifies the Fully Qualified Domain Name (FQDN) hostname used by the SMB server. The hostname portion of the FQDN will be included in server responses. The domain part is optional and will point to WORKGROUP by default.

Added in version 1.0.0.dev8.

Server.ErrorCode: str | int = nt_errors.STATUS_SMB_BAD_UID

Maps to smb.SMBServerConfig.smb_error_code. May also be set in [SMB]

Specifies the NT status code returned when access is denied. Accepts either integer codes or their string representations (e.g., "STATUS_ACCESS_DENIED"). Example values:

  • 3221225506 or "STATUS_ACCESS_DENIED"

  • 5963778 or "STATUS_SMB_BAD_UID"

For a comprehensive list of status codes, refer to the impacket.nt_errors module.

See also

Use case: Tricking Windows SMB clients into falling back to WebDav.

Server.SMB2Support: bool = true

Maps to smb.SMBServerConfig.smb2_support. May also be set in [SMB]

Enables support for the SMB2 protocol. Recommended for improved client compatibility.

Server.Challenge: str = NTLM.Challenge

Maps to smb.SMBServerConfig.ntlm_challenge

The ServerChallenge nonce used during NTLM authentication. Inherited from NTLM.Challenge; set it there to apply a fixed challenge to all protocols including SMB. Set it here (in [SMB] or [[SMB.Server]]) to override the global value for SMB specifically.

See also

NTLM.Challenge for accepted formats and behaviour.

Server.ExtendedSessionSecurity: bool = true

Removed in version 1.0.0.dev19: Deprecated: renamed to DisableExtendedSessionSecurity

Server.DisableExtendedSessionSecurity: bool = false

Linked to smb.SMBServerConfig.ntlm_disable_ess. Can also be set in [SMB]

Changed in version 1.0.0.dev19: Renamed from ExtendedSessionSecurity to explicit DisableExtendedSessionSecurity

Per-SMB override for NTLM.DisableExtendedSessionSecurity. When set in [SMB] it applies to every [[SMB.Server]] instance; when set inside a single [[SMB.Server]] block it applies only to that port. Falls back to NTLM.DisableExtendedSessionSecurity when not set here.

See also

NTLM.DisableExtendedSessionSecurity for full behavioural details.

Server.DisableNTLMv2: bool = false

Linked to smb.SMBServerConfig.ntlm_disable_ntlmv2. Can also be set in [SMB]

Per-SMB override for NTLM.DisableNTLMv2. When set in [SMB] it applies to every [[SMB.Server]] instance; when set inside a single [[SMB.Server]] block it applies only to that port. Falls back to NTLM.DisableNTLMv2 when not set here.

Warning

Enabling this against modern Windows clients (LmCompatibilityLevel 3+) will produce zero captured hashes. See NTLM.DisableNTLMv2 for full details.

See also

NTLM.DisableNTLMv2 for full behavioural details.

class smb.SMBServerConfig

Configuration class for entries under SMB.Server

Represents the configuration for a single SMB server instance.

smb_port: int

Corresponds to SMB.Server.Port

smb_server_os: str = "Windows"

Corresponds to SMB.Server.ServerOS

smb_server_name: str = "DEMENTOR"

Corresponds to SMB.Server.ServerName

Removed in version 1.0.0.dev8: Merged into SMB.Server.FQDN

smb_server_domain: str = "WORKGROUP"

Corresponds to SMB.Server.ServerDomain

Removed in version 1.0.0.dev8: Merged into SMB.Server.FQDN

smb_fqdn: str = "DEMENTOR"

Corresponds to SMB.Server.FQDN

Added in version 1.0.0.dev8.

smb_error_code: str | int = nt_errors.STATUS_SMB_BAD_UID

Corresponds to SMB.Server.ErrorCode

You can use set_smb_error_code() to set this attribute using a string or an integer.

smb2_support: bool = True

Corresponds to SMB.Server.SMB2Support

ntlm_challenge: bytes

Corresponds to NTLM.Challenge

Populated at startup from the global [NTLM] section. A cryptographically random value is used if NTLM.Challenge is not configured.

ntlm_disable_ess: bool = False

Corresponds to NTLM.DisableExtendedSessionSecurity

When True, ESS is suppressed in the CHALLENGE_MESSAGE and clients produce plain NetNTLMv1 hashes instead of NetNTLMv1-ESS.

ntlm_disable_ntlmv2: bool = False

Corresponds to NTLM.DisableNTLMv2

When True, TargetInfoFields is omitted from the CHALLENGE_MESSAGE. Level 0–2 clients fall back to NTLMv1; level 3+ clients fail with no capture.

Protocol Behaviour

Authentication Flow

The SMB handler accepts NTLM tokens in two forms:

  • NTLM SSP — the security buffer begins with NTLMSSP\0 and is consumed directly by the three-message NTLM handshake (NEGOTIATE CHALLENGE AUTHENTICATE).

  • GSSAPI / SPNEGO — the buffer is wrapped in a negTokenInit (tag 0x60) or negTokenTarg (tag 0xA1) envelope. Dementor unwraps the SPNEGO layer, performs the NTLM handshake internally, and returns appropriately wrapped negTokenTarg responses.

In both cases the captured hash is passed to NTLM_report_auth() and stored in the session database.

Protocol Version Negotiation

All SMB connections start with an SMB_COM_NEGOTIATE / SMB2_NEGOTIATE exchange. When SMB.Server.SMB2Support is enabled (the default):

  • An SMB1 client that includes any SMB2 or SMB3 dialect string receives an SMB2_NEGOTIATE_RESPONSE and the connection is silently upgraded to SMB2/SMB3. If the client advertises the wildcard "SMB 2.???" dialect, Dementor selects the highest dialect it supports (3.1.1); otherwise it selects the last SMB2 dialect in the client’s list.

  • A native SMB2/SMB3 client (SMB2_NEGOTIATE) receives a response selecting the highest common dialect from the supported set (2.002, 2.1, 3.0, 3.0.2, 3.1.1).

  • A pure SMB1 client (no SMB2 dialect strings) receives the SMB1 extended-security negotiate response and continues over SMB1.

SMB 3.1.1 Negotiate Contexts

When the negotiated dialect is SMB 3.1.1, the SMB2_NEGOTIATE_RESPONSE includes the mandatory negotiate context list:

  • SMB2_PREAUTH_INTEGRITY_CAPABILITIES — SHA-512 integrity algorithm with a cryptographically random 32-byte salt.

  • SMB2_ENCRYPTION_CAPABILITIES — echoes the cipher the client advertised (falls back to AES-128-GCM if the context is absent or unparseable).

  • SMB2_SIGNING_CAPABILITIES — echoes the signing algorithm the client advertised (falls back to AES-CMAC).

Session Logoff

SMB2_LOGOFF requests are handled: Dementor clears the local authenticated flag, returns an SMB2_LOGOFF_RESPONSE with STATUS_SUCCESS, and logs the event via the protocol logger.

Note

Tree Connect (SMB_COM_TREE_CONNECT_ANDX / SMB2_TREE_CONNECT) is not currently implemented. Connections are terminated after authentication, which is sufficient for credential capture but may prevent some clients from retrying via alternative protocols.

Default Configuration

SMB configuration section (all options)
 1[SMB]
 2# FQDN = "DEMENTOR"                       # also settable in [Globals]
 3ServerOS = "Windows"
 4SMB2Support = true
 5ErrorCode = "STATUS_SMB_BAD_UID"
 6# Challenge = "1337LEET"                  # overrides [NTLM] for all SMB servers
 7# DisableExtendedSessionSecurity = false  # overrides [NTLM] for all SMB servers
 8# DisableNTLMv2 = false                   # overrides [NTLM] for all SMB servers
 9
10[[SMB.Server]]
11Port = 139
12
13[[SMB.Server]]
14Port = 445
15# Per-server overrides (highest priority):
16# FQDN = "other.corp.com"
17# ServerOS = "Windows Server 2022"
18# ErrorCode = "STATUS_ACCESS_DENIED"
19# SMB2Support = true
20# Challenge = "hex:aabbccddeeff0011"
21# DisableExtendedSessionSecurity = false
22# DisableNTLMv2 = false