Hi there,
I'm looking for help using Wireshark to decrypt SMB3 exchanges, in order observe the protocol traffic generated by an application I'm working on. I'm having trouble working out what keys Wireshark needs to do this, and how to derive them.
I have been looking at the sample capture file on the wiki - https://wiki.wireshark.org/SampleCaptures#SMB3_encryption. The wiki states the session ID and session key to use for this file, and entering these into the "Secret session key..." dialog (under Preferences for SMB2) does indeed decrypt the data in the sample capture. These values are:
- session id 3d00009400480000
- session key 28f2847263c83dc00621f742dd3f2e7b
Looking at the sample capture data, I can find the Session Id (frame 4, and each subsequent packet in the exchange) and can see the hex value does relate to the value provided.
My problem is I'm not sure how the session key from the wiki has been derived. I have found the NTLM session key (frame 5 of the sample file), but this session key (b2e876559c9c58b0344bd5a99f8e9855) is a completely different value to the one on the wiki.
I've looked for information on SMB3 encryption, and found several Microsoft documents which include key derivation specifications (e.g. https://blogs.msdn.microsoft.com/openspecification/2017/05/26/smb-2-and-smb-3-security-in-windows-10-the-anatomy-of-signing-and-cryptographic-keys/). However I'm a cryptography novice and am finding them hard to follow.
Can anyone confirm whether the session key provided for the sample capture file can be derived from the file contents? If so can anyone explain how to do so, or at least which parts of the message are relevant?
Kind regards
David Turner
