VLANs and subnets and SMB1 oh my

dlogan

@johnpoz

Ok, 1st capture, after a reboot, only 1 nic is enabled on the Server 2019 VM. I start a capture to host 10.10.10.12 and attempt opening the folder using \\10.10.10.12\002\ it fails: trackhound-to-002-nic1-vlan111-during-fail.pcapng

2nd capture on the same interface, after enabling a 2nd NIC with IP 10.10.10.2 in the same VLAN as the 10.10.10.12 machine. This time the connection to \\10.10.10.12\002\ is successful: trackhound-to-002-nic1-vlan111-during-success-after-enabling-nic2.pcapng

Another capture going on at the same time as the success but capturing all traffic on the 2nd NIC: trackhound-nic2-vlan110-during-success.pcapng

johnpoz

Your seeing error called name not present..

Yeah that is going to be problem..

https://osqa-ask.wireshark.org/questions/53776/what-does-called-name-not-present-mean

In the 2nd one your never doing a session request.. I just see NBNS in there - your trying to just get a browse list?

Your problem is the server doesn't know who you are, and says that - so the client says thanks and sends FIN.. Its just sending a generic name SMBSERV as its name..

edit: I haven't played with the limitation of windows 95 in years and years.. Its time for a martini - work call ran way longer than the 30 mins scheduled.. Customer going down the qos rabbit hole ;) If I find some time I might fire up a 95/8 vm.. But a google for that specific error will give you the details of the problem.

dlogan

@johnpoz
I thought you might be interested to hear that some computers work while others do not. As far as I can tell it's based on the NIC / NIC driver installed.

After your suggestion here, I started paying more attention to the Netbios messages in Wireshark for both connections that work and those that don't.

It seems they all fail with their initial attempt, always geting the "called name not present" message.

The ones that fail pretty much stop there.

The ones that successfully connect follow up the "called name not present" with an nbtstat.

So I pop open cmd prompt and run nbtstat -A 10.10.10.12. It's successful on machines where it connects.

On machines that won't connect, not only does it "fail" but not one single packet is sent out the network interface when the command is entered. It literally fails without trying.

So far:

• My MacBook running Windows 10 in Bootcamp with a Broadcom 802.11ac wifi card (2020 Broadcom driver) -- works

• My Dell laptop with docking station ethernet Realtek USB 2020 Realtek driver -- works

• Old Dell Precision workstation with onboard Broadcom NetExtreme -- fail

• Same old Dell Precision workstation with a PCI Intel Pro 1000 GT with 2010 Microsoft driver -- works

• Dell Optiplex with onboard Realtek - fail

• Same Dell Optiplex with Intel PCIe CT desktop adapter with 2018 Intel driver -- fail

• Intel NUC with onboard i219-v network card 2020 Intel drivers -- works

• HP Elitedesk 600 G1 with onboard Intel i217-LM and 2020 Intel drivers -- fail

I wish I could figure out what kind of PCIe network card I could buy that would work.

johnpoz

the network nic shouldn't matter at all..

What is the output of the command.. the command runs... What OS are you running that command on..

dlogan

@johnpoz But it does. Same machine, same IP address, same VLAN, different NIC and it starts working.

When it's not working, it says "Host not found"

When it is working it outputs:
Ethernet 2:
Node IpAddress: [10.10.101.101] Scope Id: []

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MAZATROL640M   <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
MAZATROL640M   <03>  UNIQUE      Registered
MAZATROL640M   <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered

MAC Address = 00-E0-98-83-33-26

johnpoz

Do you have netbios over tcp enabled... Here for example... Enabled works.. Disabled fails

dlogan

@johnpoz I understand you don't want to believe me but it's the NIC. Yes, Netbios settings have been default on all NICs involved in the process.

johnpoz

In the 30 years I have been in the biz.. Never seen a nic do such a thing.. Driver sure, setting sure.. NOT nic..

See how when don't have enabled it comes back with 0.0.0.0 for the nic IP.. Yours is showing the IP.

dlogan

@johnpoz Well the different NICs have different drivers, so there you go. In my small testing group, updating NIC drivers did not fix any of them.

johnpoz

I find it hard to believe a driver would disable netbios... Look in the driver settings.. Does the command come back with IP for the interface, or all zero's ??

What OSes? If command doesn't come back with IP listed for the interface, then no it wouldn't be able to send the traffic.

Load the netbios name via LMHOSTS

Are these virtual machines? And your looking at the settings in the virtual nic?

AKEGEC

@dlogan , there is also a possibility of some hardware probs that could make a change on the settings, eg if there is some power shortage or outage in the hardware components.
Was there a smb relay attack? If so try to enable smb signin on all devices, disable ntlm authentication on network.