Re: Clearpass V6.6.2 SMB version supported
09-22-2017 09:52 AM
I was able to validate with Wireshark captures the process on how DCERPC took place both before and after the SMBv2 / SMBv3 patch.
- DCERPC was used with NTLM wrapper inside mschap module by only connecting to 445/tcp.
- DCERPC was used with 135/tcp and 49152-65535/tcp. 445/tcp is no longer performing DCERPC for the user authentication, and I'm not sure if the NTLM wrapper is needed anymore.
- It seems as if DCERPC is still used with 445/tcp when the domain services are restarted, although it doesn't appear it's happening for user auth.
- It seems for both SMBv1 enabled / disabled, the same behavior is taking place and DCERPC no longer happens over 445/tcp for the user.
My baseline is only based on 4-5 Wireshark captures amongst 6.6.5 and 6.6.7 with the SMB patch. There could be some slight variances from what I listed above.
I would love to still see the documentation by Aruba that NTLMv2 is supported now, along with documentation on how the DCERPC ports changed.