@Mike-Crowley
Last active December 13, 2024 04:35
# Define parameters
$captureFile  = "C:\tmp\mycapture.pcap"
$tsharkPath   = "C:\Program Files\Wireshark\tshark.exe"
$RemoteIP     = "192.168.1.10"
$TestShare    = "\\server1.example.com\admin$"
$User         = "user1@example.org"
$Password     = "FAKE-Password"
$TestPassword = ConvertTo-SecureString -AsPlainText -String $Password -Force
$TestCred     = [Management.Automation.PSCredential]::new($User, $TestPassword)

# tshark emits boolean fields as "1"/"0" strings (some versions print "True"/"False");
# a bare "$true -eq $value" is true for any non-empty string, including "0", so test explicitly
function Test-FlagSet {
    param($Value)
    ($Value -eq '1') -or ($Value -eq 'True')
}

# Get network interfaces: "tshark -D" prints "N. <device path> (<friendly name>)";
# keep only the device path and build one "-i" argument per interface (etwdump is skipped)
$interfaces = & $tsharkPath -D | Where-Object {
    $_ -notmatch 'etwdump'
} | ForEach-Object {
    if ($_ -match '^\d+\.\s+(.+)') {
        $interfacePath = $Matches[1] -replace '^(.+?)\s+\(.*\)$', '$1'
        "-i `"$interfacePath`""
    }
}

# More specific capture filter for just the SMB traffic between hosts
$captureFilter = "(host $RemoteIP) and ((tcp port 445) or (tcp port 139))"
$interfaceArgs = $interfaces -join ' '
$tsharkArgs    = "$interfaceArgs -w `"$captureFile`" -f `"$captureFilter`""
$process = Start-Process -FilePath $tsharkPath -ArgumentList $tsharkArgs -NoNewWindow -PassThru
Start-Sleep -Seconds 2

# Trigger an SMB session setup while the capture runs; the mapping itself is allowed to fail
New-PSDrive -Name tmpDrive -PSProvider FileSystem -Root $TestShare -Credential $TestCred -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 5
Stop-Process -Id $process.Id
Start-Sleep -Seconds 2
if (Get-PSDrive tmpDrive -ErrorAction SilentlyContinue) {
    Remove-PSDrive tmpDrive
}

# Output JSON with more specific display filter
# & $tsharkPath -r "$captureFile" -Y "(ip.addr eq $RemoteIP) and (smb2 or smb)" -T json | Out-File C:\tmp\outFile.json
# Join the output lines before parsing: Windows PowerShell's ConvertFrom-Json parses each pipeline item on its own
$captureData = (& $tsharkPath -r "$captureFile" -Y "(ip.addr eq $RemoteIP) and (smb2 or smb)" -T json) -join "`n" | ConvertFrom-Json

# The server announces its security mode in its Negotiate Response, which is a different packet
# from the client's Session Setup Request, so look it up once across the capture (the tree label
# is matched loosely because tshark versions name it slightly differently)
$serverRequiresSign = $false
foreach ($packet in $captureData) {
    $smb2 = $packet._source.layers.smb2
    if ($null -eq $smb2 -or $packet._source.layers.ip."ip.src" -ne $RemoteIP) { continue }
    $negotiate = $smb2.PSObject.Properties | Where-Object { $_.Name -match 'Negotiate.*Response \(0x00\)' } | Select-Object -First 1
    if ($negotiate) {
        $serverRequiresSign = Test-FlagSet $negotiate.Value."smb2.sec_mode_tree"."smb2.sec_mode.sign_required"
        break
    }
}

# One row per client Session Setup Request that carries a security mode
$captureData | Where-Object { $null -ne $_._source.layers.smb2."Session Setup Request (0x01)"."smb2.sec_mode_tree"."smb2.sec_mode.sign_required" } | ForEach-Object {
    [pscustomobject]@{
        "Source"               = $_._source.layers.ip."ip.src"
        "Destination"          = $_._source.layers.ip."ip.dst"
        "Client_Requires_Sign" = Test-FlagSet $_._source.layers.smb2."Session Setup Request (0x01)"."smb2.sec_mode_tree"."smb2.sec_mode.sign_required"
        "Server_Requires_Sign" = $serverRequiresSign
        "Session_Id"           = $_._source.layers.smb2."SMB2 Header"."smb2.sesid"
    }
} | Format-Table
<# Sample Output:
Source      Destination  Client_Requires_Sign Server_Requires_Sign Session_Id
------      -----------  -------------------- -------------------- ----------
192.168.1.9 192.168.1.10                 True                False 0x0000000000000000
192.168.1.9 192.168.1.10                 True                False 0x00009028cc000c81
192.168.1.9 192.168.1.10                 True                False 0x0000000000000000
192.168.1.9 192.168.1.10                 True                False 0x00009008b8000d09
192.168.1.9 192.168.1.10                 True                False 0x00009008b8000d09
#>
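The gist reads the signing flags through tshark's dissector tree, so its output depends on the exact field labels tshark prints. The following added example (not part of the gist) decodes the same SMB2 SecurityMode bits directly from the raw bytes of an SMB2 message, using the field offsets from MS-SMB2 (the 64-byte header, the NEGOTIATE Response body and the SESSION_SETUP Request body). The two messages fed to it are constructed for the demonstration, not captured traffic, and the parser assumes a little-endian host because BitConverter reads in machine byte order.

```powershell
# Decode the SMB2 SecurityMode flags from a raw SMB2 message (added example, not from the gist).
# Offsets follow MS-SMB2: header 2.2.1.2, NEGOTIATE Response 2.2.4, SESSION_SETUP Request 2.2.5.
function Get-Smb2SecurityMode {
    param([Parameter(Mandatory)][byte[]]$Message)

    # A 64-byte header starting with 0xFE 'S' 'M' 'B', plus at least 4 bytes of body
    if ($Message.Length -lt 68 -or $Message[0] -ne 0xFE -or
        [System.Text.Encoding]::ASCII.GetString($Message, 1, 3) -ne 'SMB') {
        throw 'Not an SMB2 message'
    }
    $command    = [BitConverter]::ToUInt16($Message, 12)   # Command at header offset 12
    $flags      = [BitConverter]::ToUInt32($Message, 16)   # Flags at header offset 16
    $isResponse = ($flags -band 0x1) -ne 0                 # SMB2_FLAGS_SERVER_TO_REDIR
    $sessionId  = [BitConverter]::ToUInt64($Message, 40)   # SessionId at header offset 40

    switch ($command) {
        0x0000 {   # NEGOTIATE: 2-byte SecurityMode at body offset 2 (request and response)
            $secMode = [BitConverter]::ToUInt16($Message, 64 + 2)
            $name = if ($isResponse) { 'Negotiate Response' } else { 'Negotiate Request' }
        }
        0x0001 {   # SESSION_SETUP: 1-byte SecurityMode at body offset 3, request only
            if ($isResponse) { return $null }
            $secMode = [int]$Message[64 + 3]
            $name = 'Session Setup Request'
        }
        default { return $null }   # other commands carry no SecurityMode
    }

    [pscustomobject]@{
        Message          = $name
        Session_Id       = ('0x{0:x16}' -f $sessionId)
        Signing_Enabled  = ($secMode -band 0x01) -ne 0   # SMB2_NEGOTIATE_SIGNING_ENABLED
        Signing_Required = ($secMode -band 0x02) -ne 0   # SMB2_NEGOTIATE_SIGNING_REQUIRED
    }
}

# Helper to build a minimal SMB2 message for the demonstration (constructed, not captured)
function New-Smb2Message {
    param([uint16]$Command, [bool]$Response, [uint64]$SessionId, [byte[]]$Body)
    $hdr = New-Object byte[] 64
    $hdr[0] = 0xFE; $hdr[1] = 0x53; $hdr[2] = 0x4D; $hdr[3] = 0x42            # "\xFESMB"
    [BitConverter]::GetBytes([uint16]64).CopyTo($hdr, 4)                        # StructureSize
    [BitConverter]::GetBytes($Command).CopyTo($hdr, 12)                         # Command
    [BitConverter]::GetBytes([uint32]$(if ($Response) { 1 } else { 0 })).CopyTo($hdr, 16)  # Flags
    [BitConverter]::GetBytes($SessionId).CopyTo($hdr, 40)                       # SessionId
    return ,[byte[]]($hdr + $Body)   # unary comma keeps the array intact on output
}

# Constructed samples: a server Negotiate Response with signing enabled but not required
# (StructureSize=65, SecurityMode=0x0001, Dialect=0x0311) and a client Session Setup Request
# with signing required (StructureSize=25, Flags=0, SecurityMode=0x03)
$negotiateResponse = New-Smb2Message -Command 0x0000 -Response $true -SessionId 0 `
    -Body ([byte[]](0x41, 0x00, 0x01, 0x00, 0x11, 0x03))
$sessionSetupReq = New-Smb2Message -Command 0x0001 -Response $false -SessionId 0x00009028cc000c81 `
    -Body ([byte[]](0x19, 0x00, 0x00, 0x03))

$negotiateResponse, $sessionSetupReq | ForEach-Object { Get-Smb2SecurityMode -Message $_ } | Format-Table
```

Run against real traffic, the bytes would come from the TCP payload after the 4-byte NetBIOS session header (tshark can export them with `-T fields -e tcp.payload`). Reading the flags from the wire rather than from dissector labels makes the check independent of tshark's tree naming, and it is the same two bits that tell you whether a server will accept unsigned sessions: SIGNING_ENABLED without SIGNING_REQUIRED is the configuration to hunt for when auditing for relay exposure.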