I am using Powershell and ADSI to enumerate users in local groups on remote computers. Well, to be honest, I also used Python and win32net, but result is the same, so I guess that choice of language doesn't matter here. What I do in Powershell, is
$groupname = 'Administrators'
$group = [ADSI]("WinNT://$computer/$groupname")
$group.invoke("Members") | foreach {
.......
and then follows the code which process results
where $computer
is IP address or hostname of remote machine. What happens underneath is that SMB2 session to target machine is opened and different SMB2 protocol operations are performed, e.g., Tree Connect, lsa_LookupSids2, etc. Finally, result is returned and there is no issue with result itself.
I've noticed that sometimes there is a side effect. If remote computer has several network interfaces (e.g., runs virtual machine with IP address under NAT), these network interfaces and their IP addresses are listed by using FSCTL_QUERY_NETWORK_INTERFACE_INFO
. After result (usernames) has been returned from the primary IP address (original target IP), source machine tries to connect to another IPs, which she got from that SMB2 query. Since these IPs are under NAT, TCP session is dropped.
What I also noticed is that such behaviour depends on source machine. Original test with such behaviour was performed on Windows 2012 server. I also tried to run same code from Windows 7 and there were no FSCTL_QUERY_NETWORK_INTERFACE_INFO
queries at all. Naturally, no additional tries to contact these private IPs under NAT. Could such behaviour (listing of all possible network interfaces) be configured in any way on source machine? Some SMB2 related settings in registry or maybe something else?
Ok, after some investigation I found an answer. It seems that Windows 2012 Server has some additional functionality, related to SMB3, called multichanneling. It tries to combine several network interfaces (if such are available) to increase throughput. In order to do it client first queries server about it's interfaces/IPs (response is sent in my case). Then it tries to establish another session with these IPs (which didn't work for me because of NAT). Disabling/enabling of functionality for the client can be done in a following manner:
One could also enable or disable this functionality on server side. More info on this subject can be found here https://blogs.technet.microsoft.com/josebda/2012/06/28/the-basics-of-smb-multichannel-a-feature-of-windows-server-2012-and-smb-3-0/