Tunneling SMB over SSH: Secure file sharing


Suppose you’re at an open wireless hotspot and wish to connect to the Samba server from your Windows laptop, but you don’t want to send data (documents, authentication hashes etc.) over the air in plain text.

Using SSH tunnels, you can encrypt all your network traffic and redirect it through a trusted computer when you’re connected to an untrusted network. The goal of this hack is to enable Windows users to securely access shared files on any Samba server.

So, what are SSH Tunnels? In addition to providing remote shell access and command execution, SSH servers can forward ports to the other end of your connection. This can be extremely useful to protect any traffic that you need to keep private. In a nutshell, it is accomplished by binding to a local port, encrypting the traffic, sending the encrypted data to the remote machine, and then decrypting it and sending it to the remote host and port you specify.

Samba and Windows use port 139 for file sharing. At first glance, it seems that the easy solution is to tunnel connections from port 139 on your Windows computer to the Samba server. Then you can easily connect to the remote share by connecting to “localhost”. But since Windows always uses port 139 for file sharing, you must disable local file sharing to make the port forwarding work.

So, how do we tunnel SMB over SSH and keep local file sharing working? We’re going to use a virtual network adapter. Basically, a virtual network adapter is a software application that allows a computer to connect to a network. We’re going to add a virtual adapter to our Windows computer and create an SSH tunnel over the virtual interface.

To add a virtual network adapter in Windows, use the following steps:

  1. In the Control Panel click on Add Hardware.
  2. In the Add Hardware Wizard, select “Yes, I have already connected the hardware” and click Next. Scroll down the list and click on “Add a new hardware device”.
  3. Select “Install the hardware that I manually select from a list”. From the hardware types, select Network Adapters and choose Microsoft Loopback Adapter.
  4. Go through the installation procedure.

The next step is to configure the new virtual adapter.

  1. Go to the Network Connections configuration panel.
  2. Right click on the Microsoft Loopback Adapter and select Properties.
  3. Select Internet Protocol (TCP/IP) and click on the Properties button.
  4. Check “Use the following IP address” option and enter the chosen IP address (e.g. 10.0.0.1) and the subnet mask (255.255.255.0). If you have a gateway and DNS servers in your network, enter them too.
  5. Click on the Advanced button and in the WINS tab, select “Disable NetBIOS over TCP/IP”.

Set up the SSH Tunnel

Now that you have a properly configured virtual adapter, it’s time to set up the SSH tunnel between the Samba server and your computer. We assume that OpenSSH is already running on the Samba server. For the SSH client software we’re going to use PuTTY, a free SSH client that supports port forwarding.

Fire up PuTTY on your computer and enter the host name or IP address of your Samba server (e.g. 192.168.0.104). In the Tunnels options, in the “Source port” field type 10.0.0.1:139 (the IP we used in our example) and in the “Destination” field type 127.0.0.1:139. Click on “Add” and then “Open”. Once you authenticate, you’re ready to access the Samba server over the virtual adapter.

To test your SSH tunnel, just navigate from Windows Explorer to \\10.0.0.1. If everything goes well, you’ll be prompted to enter a username and password to access the shares. Enjoy!
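One way to confirm the forward is bound as intended, as an added example that is not part of the original post: the Python script below parses `netstat -an` output and checks that port 139 listens on the loopback adapter address (10.0.0.1) rather than on every interface, and that the SSH session to the Samba server is up. The sample output, the function names and the SSH port (22) are assumptions made for illustration.

```python
import re

# Constructed sample of `netstat -an` output from the Windows laptop (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.50:1067      192.168.0.104:22       ESTABLISHED
"""

# One TCP row: local ip:port, foreign ip:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\w+)\s*$")

def parse_tcp(netstat_text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples."""
    rows = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3), m.group(4), m.group(5)))
    return rows

def check_tunnel(netstat_text, tunnel_ip="10.0.0.1", port=139,
                 ssh_server="192.168.0.104", ssh_port="22"):  # port 22 is an assumption
    """Return a list of findings; an empty list means the forward looks as intended."""
    rows = parse_tcp(netstat_text)
    listeners = {ip for ip, p, _, _, st in rows if p == port and st == "LISTENING"}
    findings = []
    if "0.0.0.0" in listeners:
        # A wildcard bind exposes the forwarded port on the wireless interface too.
        findings.append(f"port {port} is bound to 0.0.0.0, not only to {tunnel_ip}")
    elif tunnel_ip not in listeners:
        findings.append(f"nothing is listening on {tunnel_ip}:{port}")
    if not any(rip == ssh_server and rp == ssh_port and st == "ESTABLISHED"
               for _, _, rip, rp, st in rows):
        findings.append(f"no established SSH session to {ssh_server}:{ssh_port}")
    return findings

if __name__ == "__main__":
    for finding in check_tunnel(SAMPLE_NETSTAT) or ["forward is bound as intended"]:
        print(finding)
```

To use it on a live system, pass the text of `netstat -an` captured on the laptop to `check_tunnel` in place of the constructed sample.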


When things go wrong

If things don’t work, make sure that both Samba and PuTTY are running and properly configured. If you’re running Windows XP SP2 in a closed environment (no access to the Internet for updates), make sure to install KB884020.