
Re: Clearpass V6.6.2 SMB version supported

@coremon

 

I was able to validate with Wireshark captures the process on how DCERPC took place both before and after the SMBv2 / SMBv3 patch.

 

Before Patch

- DCERPC was used with NTLM wrapper inside mschap module by only connecting to 445/tcp.

 

After Patch

- DCERPC was used with 135/tcp and 49152-65535/tcp. 445/tcp is no longer performing DCERPC for the user authentication, and I'm not sure if the NTLM wrapper is needed anymore.

- It seems as if DCERPC is still used with 445/tcp when the domain services are restarted, although it doesn't appear it's happening for user auth.

- It seems for both SMBv1 enabled / disabled, the same behavior takes place and DCERPC no longer happens over 445/tcp for the user.

 

 

My baseline is only based on 4-5 Wireshark captures amongst 6.6.5 and 6.6.7 with the SMB patch. There could be some slight variances from what I listed above.

 

I would love to still see the documentation by Aruba that NTLMv2 is supported now, along with documentation on how the DCERPC ports changed.

Justin Kwasnik | ACMX# 598 | ACCX# 638
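
An added example, not part of the original post: a small classifier for checking the same thing in your own captures, labelling each TCP payload as SMB framing on 445/tcp or as DCE/RPC carried directly on TCP (135/tcp endpoint mapper or the 49152-65535 dynamic range). The function names and sample payloads are constructed for illustration, payload extraction from the capture is assumed to happen elsewhere, and DCE/RPC tunnelled inside an SMB named pipe shows up here only as SMB.

```python
import struct
from collections import Counter

# DCE/RPC connection-oriented PDU types (subset)
PTYPES = {0: "request", 2: "response", 11: "bind", 12: "bind_ack"}
SMB_MAGIC = {b"\xffSMB": "smb1", b"\xfeSMB": "smb2+", b"\xfdSMB": "smb3-encrypted"}

def classify(server_port, payload):
    """Label one TCP payload by the framing it starts with."""
    # SMB on 445/tcp: 4-byte session header (first byte 0), then the SMB magic.
    if len(payload) >= 8 and payload[0] == 0 and payload[4:8] in SMB_MAGIC:
        return SMB_MAGIC[payload[4:8]]
    # DCE/RPC directly on TCP: 16-byte common header, version 5.0.
    if len(payload) >= 16 and payload[0] == 5 and payload[1] == 0:
        order = "<" if payload[4] & 0x10 else ">"  # packed_drep integer byte order
        frag_len = struct.unpack(order + "H", payload[8:10])[0]
        if payload[2] in PTYPES and frag_len >= 16:
            if server_port == 135:
                where = "epmapper"
            elif 49152 <= server_port <= 65535:
                where = "dynamic"
            else:
                where = "other"
            return "dcerpc-tcp/%s/%s" % (where, PTYPES[payload[2]])
    return "unknown"

def summarize(packets):
    """Count labels over (server_port, payload) pairs."""
    return Counter(classify(port, data) for port, data in packets)

def rpc_pdu(ptype, body=b""):
    # Constructed little-endian PDU: vers 5.0, flags first|last, call_id 1
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + len(body), 0, 1) + body

def smb_frame(magic, body=b"\x00" * 60):
    # Constructed SMB message behind a 4-byte session header
    msg = magic + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

# Constructed sample flows: (server-side port, first payload bytes)
SAMPLE = [(445, smb_frame(b"\xfeSMB")), (135, rpc_pdu(11, b"\x00" * 56)),
          (135, rpc_pdu(12, b"\x00" * 44)), (49668, rpc_pdu(11, b"\x00" * 56)),
          (49668, rpc_pdu(0, b"\x00" * 120))]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE).items()):
        print(count, label)
```
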