Server Message Block/Samba (SMB) over SealedTunnel

Overview

Xiid's SealedTunnel can wrap and secure Server Message Block (SMB)/Samba connections, protecting data sent and received from the SMB server.

SealedTunnel also allows you to close the SMB server's SMB ports at the network layer and restrict access to the local SMB port on the SMB server via the server's operating system firewall.

Set up the SMB Server Profile

First you must set up a Profile to use when deploying the STLink. The Profile will contain the Mapping Route to allow access to the SMB service listening on the SMB server.

  • Sign in to the Commander Portal and navigate to the Profiles View.
  • Click the orange + New Profile button in the top left.
  • In the Description field enter SMB Server.
  • (Optional): We highly recommend you click the Allow only one STLink to deploy with this profile switch.
  • Click the Enable this Profile switch.
  • (Optional): Add any Tags you would like to the profile.
  • Click the green Create Profile button in the bottom right.

Create the Mapping Route for the Profile:

  • Select the Profile you created in the previous section
  • Click on the Routes tab in the modal
  • Click the orange Add Route button and select New Route
  • In the Name field, enter SMB Access
  • In the Description field, enter SMB File Share Access
  • (Optional): Add any Tags you would like to add to the Route
  • Click the orange Next button in the bottom right
  • On the next step, select Mapping (Exit) for the Map Type
  • Select TCP for the protocol
  • In the Map To IP:Port field, enter 127.0.0.1:445
  • Click the green Save button in the bottom right of the modal

Your profile is now ready to use on your SMB server.

Using the Profile you created above, you can now deploy the STLink on the SMB server. Follow the directions in the STLink Getting Started section to install the STLink on your SMB server.

Once the STLink is deployed using the Profile, it will have the SMB Mapping ready to use.

Windows Client-Side Setup

WARNING

You should set up client-side connections on loopback address 127.0.0.1. Windows may not recognize SMB connections on other loopback addresses.

The steps below are used to set up drive mappings and access to the SMB Server via Windows File Explorer. The Windows instructions are more involved than the Linux instructions due to the additional Windows services that need to be permanently stopped.

Stop the Lanman Service

On the Windows client machine, you must stop the Lanman Service and prevent it from starting up again. The Lanman Service exposes port 445 on the machine for SMB communications.

There are a number of security concerns and known exploits for the service, so disabling it is beneficial.

Keep in mind, when the Lanman Service is disabled, all other SMB/File Sharing communication will no longer work.

Run the following script in an Administrator PowerShell:

```powershell
$netBTParametersPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"

# Tell the NetBT driver not to expose the SMB device (port 445) on this machine.
if (Test-Path -Path $netBTParametersPath) {
    Set-ItemProperty -Path $netBTParametersPath -Name "SMBDeviceEnabled" -Value 0
}

# Prevent the Lanman Server service from starting again after a reboot.
Set-Service lanmanserver -StartupType Disabled

# Stop the running instance now.
Stop-Service lanmanserver -Force
```

Open Services, either through the Start menu or through Task Manager, and confirm that the Lanman Server service is Stopped.
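As an added check (not part of the Xiid documentation), the script below confirms the state the steps above should leave the client in, before you add the STLink binding on 127.0.0.1:445: the registry value is 0, the Lanman Server service is stopped and disabled, and nothing is still listening on TCP 445. It assumes Windows PowerShell 5.1 or later, where Get-Service exposes StartType and Get-NetTCPConnection is available.

```powershell
# Added verification script; assumes Windows PowerShell 5.1+ on the client.
$netBTParametersPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
$problems = @()

# 1. SMBDeviceEnabled must be 0 so NetBT does not re-expose SMB on port 445.
if (Test-Path -Path $netBTParametersPath) {
    $smbDev = (Get-ItemProperty -Path $netBTParametersPath -Name "SMBDeviceEnabled" `
        -ErrorAction SilentlyContinue).SMBDeviceEnabled
    if ($smbDev -ne 0) {
        $problems += "SMBDeviceEnabled is '$smbDev' (expected 0)"
    }
}

# 2. LanmanServer must be stopped now AND disabled, or it returns on the next boot.
$svc = Get-Service -Name lanmanserver
if ($svc.Status -ne 'Stopped') {
    $problems += "LanmanServer status is $($svc.Status) (expected Stopped)"
}
if ($svc.StartType -ne 'Disabled') {
    $problems += "LanmanServer start type is $($svc.StartType) (expected Disabled)"
}

# 3. TCP 445 must be free; otherwise the STLink binding on 127.0.0.1:445 cannot bind.
#    Run this before adding the Binding Route, or the STLink itself will be reported here.
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $problems += "Port 445 already bound on $($l.LocalAddress) by PID $($l.OwningProcess) ($($proc.ProcessName))"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: client is ready for the 127.0.0.1:445 binding route."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```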

Add the Client Binding

With the Lanman Server service stopped, we can now add the Binding Route to access the SMB server on the client machine. If you have not deployed an STLink on the client machine, follow the steps in the STLink Getting Started section to deploy the STLink first.

Find the deployed STLink in the STLinks table in the STLinks View and click on it.

  • Click the Routes tab in the modal
  • Click the orange Add Route button and click New Route
  • In the General step, enter SMB File Access in the Name field
  • In the Description field, enter SMB SealedTunnel File Access
  • Optionally select any Tags that you would like to assign to the Route
  • Click the orange Next button
  • In the Route Info step, enter Binding (Entry) for the Route Type
  • For the Bind To IP:Port field, enter 127.0.0.1:445
  • Optionally enter anything in the Helper Text field
  • Click the orange Next button
  • In the Mapping step, select the SMB File Server STLink in the STLink to Route to dropdown
  • In the STLink Mapping table below, select the SMB File Share Access route we set up previously
  • Click the green Save button

You will now have access to the SMB server on the client from 127.0.0.1. You can test access by opening Windows File Explorer and entering \\127.0.0.1 in the browse field. You will need to have a shared folder configured on the SMB server.

Map the Drive

To map the network drive for your new SMB Server, follow the below instructions.

  • Open Windows File Explorer on the client machine
  • Right click This PC and click Map network drive...
  • In the Drive Mapping dialog, select the drive letter you would like to map the SMB server to
  • In the Folder field, enter \\127.0.0.1 and any additional directories for the SMB server
  • Choose your authentication preferences and then click the Finish button

The SMB server will now be available at the chosen network drive through the SealedTunnel.

Linux Client-side Setup

After installing the Samba client on the Linux machine, you can set up a SealedTunnel connection on any SMB-enabled port.

Ensure that the binding interface for SMB is set to the lo (loopback) interface and that the /32 CIDR block is set on the interfaces flag of the /etc/samba/smb.conf file. This setting will ensure that SMB is available on all loopback addresses under the CIDR block.

If you intend to use loopback addresses in the 127.* or 127.0.* range, adjust the CIDR block to /8 or /16 respectively.

After your SMB interface has been set properly, set up a binding on port 445 on any of the authorized loopback addresses.

You will now be able to access the SMB server directly through the SealedTunnel.