smb2: support true anonymous (null session) NTLM bind#36
Merged
Allow NTLMInitiator with empty User/Password/Hash to establish an SMB anonymous (null) session instead of refusing at dial time.

- client.go: drop the dial-time guard that rejected empty-user NTLM initiators outright.
- internal/ntlm/client.go: add an anonymous AUTHENTICATE branch per [MS-NLMP] 3.1.5.1.2 -- empty NtChallengeResponse, a single 0x00 byte LmChallengeResponse, NTLMSSP_ANONYMOUS set, no MIC and no session key. DomainName/UserName/Workstation are forced empty and the signing, sealing and key-exchange flags are cleared (leaving KEY_EXCH set with a zero-length EncryptedRandomSessionKey makes strict servers such as Samba reject the bind with STATUS_INVALID_PARAMETER).
- initiator.go: nil-guard Sum/SessionKey/infoMap so the keyless anonymous path cannot panic.

Verified against Samba: a server permitting null sessions accepts the bind (logged as ANONYMOUS LOGON, S-1-5-7) and lists shares; a server with restrict anonymous=2 fails gracefully via os.ErrPermission; authenticated binds are unchanged.
Summary

Adds support for establishing a true SMB anonymous (null) session in the vendored go-smb2 engine (pkg/third_party/smb2). Previously an NTLMInitiator with an empty username was rejected at dial time with InternalError{"Anonymous account is not supported yet. Use guest account instead"}, before any packet was sent. This blocked smbclient -N-style null-session share enumeration, which is inherited by everything built on this engine.

A null session is NTLM anonymous authentication ([MS-NLMP] §3.1.5.1.2): the client sends an AUTHENTICATE_MESSAGE with the NTLMSSP_NEGOTIATE_ANONYMOUS flag set, an empty NtChallengeResponse, a single 0x00-byte LmChallengeResponse, no MIC, and no session key (null sessions are never signed). The scaffolding for this existed but was never finished.

Changes

- client.go: remove the dial-time guard that rejected empty-user NTLM initiators outright, so an anonymous bind proceeds to negotiate + session setup.
- internal/ntlm/client.go: add an anonymous branch to the AUTHENTICATE builder: NtChallengeResponse, single 0x00-byte LmChallengeResponse, no MIC, no session key; NTLMSSP_NEGOTIATE_ANONYMOUS set; DomainName/UserName/Workstation forced empty per spec; SIGN/SEAL/KEY_EXCH/ALWAYS_SIGN flags cleared — leaving KEY_EXCH set with a zero-length EncryptedRandomSessionKey causes strict servers (e.g. Samba) to reject the bind with STATUS_INVALID_PARAMETER.
- initiator.go: nil-guard Sum, SessionKey, and infoMap so the keyless anonymous path cannot panic.
- internal/ntlm/ntlm_test.go: add TestAnonymousAuthenticate asserting the on-wire AUTHENTICATE fields (anonymous flag set, empty NT response, 1-byte LM response, empty domain/user/workstation, no session key, zero MIC).

The authenticated NTLMv2 path and the existing IS_NULL/IS_GUEST handling in session.go are unchanged.

Wire compatibility

The resulting token matches what impacket and Windows clients send for an anonymous bind (empty NT response, 1-byte LM response, no key, no MIC), and additionally sets the explicit NTLMSSP_NEGOTIATE_ANONYMOUS flag that Windows clients set and [MS-NLMP] describes.

Testing

go build ./..., go vet ./pkg/third_party/smb2/..., and go test ./pkg/third_party/smb2/... all pass (including the new unit test).

ANONYMOUS LOGON (S-1-5-7) with empty client domain/account/workstation — a genuine null logon, not a guest mapping. Against a server with restrict anonymous = 2, the operation now fails gracefully with a server status (surfaced as os.ErrPermission) instead of the old client-side error, with no panic. An authenticated (user + password) bind against the same server is unaffected.
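As an added illustration (not code from this PR or from the go-smb2 engine), the stand-alone Go program below builds an anonymous AUTHENTICATE_MESSAGE with the field layout and flag handling the description above spells out, and pairs it with the check a server or sensor would apply before logging a bind as ANONYMOUS LOGON. Flag values and offsets follow [MS-NLMP]; the function names are my own.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	flagSign       = 0x00000010 // NTLMSSP_NEGOTIATE_SIGN
	flagSeal       = 0x00000020 // NTLMSSP_NEGOTIATE_SEAL
	flagAnonymous  = 0x00000800 // NTLMSSP_NEGOTIATE_ANONYMOUS
	flagAlwaysSign = 0x00008000 // NTLMSSP_NEGOTIATE_ALWAYS_SIGN
	flagKeyExch    = 0x40000000 // NTLMSSP_NEGOTIATE_KEY_EXCH
	headerLen      = 88         // fixed part of AUTHENTICATE_MESSAGE incl. Version and MIC
)

func putField(b []byte, n, off int) { // Len/MaxLen/Offset triple, [MS-NLMP] 2.2.1.3
	binary.LittleEndian.PutUint16(b[0:], uint16(n))
	binary.LittleEndian.PutUint16(b[2:], uint16(n))
	binary.LittleEndian.PutUint32(b[4:], uint32(off))
}

// BuildAnonymousAuthenticate emits the null-session token described in the PR: ANONYMOUS set,
// SIGN/SEAL/KEY_EXCH/ALWAYS_SIGN cleared, empty NT response and names, no key, zero MIC, one 0x00 LM byte.
func BuildAnonymousAuthenticate(negotiated uint32) []byte {
	flags := (negotiated &^ uint32(flagSign|flagSeal|flagKeyExch|flagAlwaysSign)) | flagAnonymous
	msg := make([]byte, headerLen+1)
	copy(msg, "NTLMSSP\x00")
	binary.LittleEndian.PutUint32(msg[8:], 3) // MessageType 3 = AUTHENTICATE
	putField(msg[12:], 1, headerLen)          // LmChallengeResponse -> the single 0x00 byte at msg[88]
	for _, off := range []int{20, 28, 36, 44, 52} { // NtChallengeResponse, Domain, User, Workstation, EncryptedRandomSessionKey
		putField(msg[off:], 0, headerLen)
	}
	binary.LittleEndian.PutUint32(msg[60:], flags)
	// msg[64:72] (Version) and msg[72:88] (MIC) stay zero: null sessions carry no MIC.
	return msg
}

// IsNullSessionAuthenticate classifies a captured AUTHENTICATE_MESSAGE the way a server or sensor would
// before logging ANONYMOUS LOGON: empty NT response and empty user. The flag is not required, since
// impacket omits it while Windows clients set it.
func IsNullSessionAuthenticate(msg []byte) bool {
	if len(msg) < headerLen || string(msg[:8]) != "NTLMSSP\x00" || binary.LittleEndian.Uint32(msg[8:]) != 3 {
		return false
	}
	return binary.LittleEndian.Uint16(msg[20:]) == 0 && binary.LittleEndian.Uint16(msg[36:]) == 0
}
func main() {
	fmt.Printf("% x\n", BuildAnonymousAuthenticate(0x40008235)) // constructed sample of negotiated flags
}
```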