Ricoh SMB scanning with end-to-end encryption

  • tonerhead
    Senior Tech

    500+ Posts
    • Sep 2009
    • 580

    Ricoh SMB scanning with end-to-end encryption

    Ricoh scans to server fail. Kyocera scans succeed. The company's security IT says Ricoh scans are failing because the username/password is being sent in cleartext. I have tried about every setting known to man in the Ricoh box. The customer has lots of IM350 models; this is what we have been testing. IT Security says "end to end" encryption is needed.

    Any thoughts? Ricoh has finally asked us to get a Wireshark capture. In the shop, Wireshark to our SMB share showed the copier using SMB2 to our share. That is probably what the business is seeing.

    In the Ricoh, there is an SMB2/SMB3 selection. Any way to do SMB3 only?
    I've proved mathematics wrong. 1 + 1 doesn't always equal 2.........


    Especially when it comes to sex
  • dalewb74
    Service Manager

    Site Contributor
    1,000+ Posts
    • Feb 2018
    • 1064

    #2
    Re: Ricoh SMB scanning with end-to-end encryption

    Something I have tried in the past to see if it works or not: are you able to bypass the server and do the setup on just 1 PC? Just to see if that works or not.


    • tonerhead
      Senior Tech

      500+ Posts
      • Sep 2009
      • 580

      #3
      Re: Ricoh SMB scanning with end-to-end encryption

      Originally posted by dalewb74
      Something I have tried in the past to see if it works or not: are you able to bypass the server and do the setup on just 1 PC? Just to see if that works or not.
      Yes, it works to a PC. The problem is it needs to go to this server, and the server requires end-to-end encryption. It appears the Ricohs start at SMB2 then create the SMB3 channel if the endpoint requires it. That's why it's failing; it needs SMB3 end to end.

      Thanks for the reply.


      • rthonpm
        Field Supervisor

        2,500+ Posts
        • Aug 2007
        • 2837

        #4
        Re: Ricoh SMB scanning with end-to-end encryption

        Is SMB encryption turned on for the share in question? Unless set to negotiate via PowerShell, the server will only allow SMB3 clients to connect to the share once SMB encryption is turned on. Keep in mind, it would have to be enabled on just the share, not the entire server; otherwise sending will fail.


        • tonerhead
          Senior Tech

          500+ Posts
          • Sep 2009
          • 580

          #5
          Re: Ricoh SMB scanning with end-to-end encryption

          Originally posted by rthonpm
          Is SMB encryption turned on for the share in question? Unless set to negotiate via PowerShell, the server will only allow SMB3 clients to connect to the share once SMB encryption is turned on. Keep in mind, it would have to be enabled on just the share, not the entire server; otherwise sending will fail.
          That is unknown. The IT security won't let us know the particulars of the server. It is what I suspect, though. I don't think Ricohs can do pure SMB3. The customer has agreed to do a Wireshark capture with redactions, if needed, that we can send to Ricoh.

          Thanks for your reply


          • rthonpm
            Field Supervisor

            2,500+ Posts
            • Aug 2007
            • 2837

            #6
            Re: Ricoh SMB scanning with end-to-end encryption

            The logic in Ricoh devices seems to be to connect via whatever is the lowest version of SMB it can negotiate with another system. If the machine is connecting to the share, and SMB encryption is turned on, the only way it would be able to connect is via SMB3. Is all of the firmware up to date?


            • tonerhead
              Senior Tech

              500+ Posts
              • Sep 2009
              • 580

              #7
              Re: Ricoh SMB scanning with end-to-end encryption

              Got a Wireshark capture back from the business today. The handshake shows the Ricoh trying to negotiate SMB2 or SMB3. The server came back saying it wanted SMB3. The Ricoh sent the username across in cleartext (yes, it was plain as day). The server killed the session at that point.

              Firmware is current.

              It is in the hands of Ricoh now. I can't believe they are so far behind on security.


              • rthonpm
                Field Supervisor

                2,500+ Posts
                • Aug 2007
                • 2837

                #8
                Re: Ricoh SMB scanning with end-to-end encryption

                It sounds like encryption is turned on for the entire server, and not at the individual share level. This would prevent the MFP from connecting.

                Ricoh seems to have the issue of not wanting to rebuild and re-test the core OS of their machines once they have it set and working. They likely just use the same NetBSD build on all of their machines until it goes end of life, then move onto the next generation of it using the same configs they had working with the previous version.

                Sent from my BlackBerry using Tapatalk

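The share-level versus server-wide encryption distinction that rthonpm draws in #4 and #8 can be checked and corrected from the file server side. The following is an added example, not code from the thread, from Ricoh, or from Microsoft documentation; it assumes a Windows file server hosting a scan share named "Scans" (the share name is a placeholder).

```powershell
# Added example (not from the thread). Assumes a Windows file server with a
# scan share named "Scans"; the share name is a placeholder.
$ShareName = 'Scans'

# 1. Inspect the server-wide settings. EncryptData = $true at this level is
#    the "whole server" configuration discussed above: every share then
#    requires an SMB3 client that can encrypt, and RejectUnencryptedAccess
#    = $true drops anything else, including an MFP that stalls at SMB2.
Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol, EnableSMB2Protocol

# 2. Scope encryption to the scan share rather than the whole server.
#    Leave RejectUnencryptedAccess at its default ($true): setting it to
#    $false is the "negotiate" fallback mentioned in #4, which lets a
#    non-encrypting client reach the share in cleartext and so defeats
#    the end-to-end requirement the customer's IT security stated.
Set-SmbServerConfiguration -EncryptData $false -Force
Set-SmbShare -Name $ShareName -EncryptData $true -Force
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData

# 3. See which dialect each connected client actually negotiated. A client
#    shown with a 2.x dialect cannot open an encrypted share.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
    Sort-Object Dialect

# 4. Flag sessions from devices that never reached SMB3; these are the
#    candidates for the failure seen in the capture.
$legacy = Get-SmbSession | Where-Object { $_.Dialect -notlike '3.*' }
if ($legacy) {
    Write-Warning 'Clients below SMB3 (will fail on an encrypted share):'
    $legacy | Format-Table ClientComputerName, Dialect -AutoSize
}

# 5. Confirm direct-host SMB is listening on TCP 445, the port the MFP
#    should be pointed at rather than NetBIOS on 139.
Get-NetTCPConnection -LocalPort 445 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run steps 1, 3 and 5 on their own first as a read-only audit; step 2 changes server configuration and needs the share to exist and the caller to be a local administrator.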

                • tonerhead
                  Senior Tech

                  500+ Posts
                  • Sep 2009
                  • 580

                  #9
                  Re: Ricoh SMB scanning with end-to-end encryption

                  Originally posted by rthonpm
                  It sounds like encryption is turned on for the entire server, and not at the individual share level. This would prevent the MFP from connecting.

                  Ricoh seems to have the issue of not wanting to rebuild and re-test the core OS of their machines once they have it set and working. They likely just use the same NetBSD build on all of their machines until it goes end of life, then move onto the next generation of it using the same configs they had working with the previous version.


                  I have heard this from Ricoh also, that if encryption is turned on for the entire server, they cannot connect. The customer said this is not the case, however. They said if the copier does true SMB3 it would work. The security on the server, they say, will not accept username/password in cleartext (SMB2). The Wireshark capture definitely showed the username sent in cleartext, and the server cut the connection before the password was sent. Our theory is Ricoh has a hybrid SMB2/3. Ricoh is also playing: have the customer buy GlobalScan for $80k. They don't seem too rushed to come to a solution. They have told us that new firmware is expected July/August that is supposed to fix a lot of SMB issues.

                  Why should a customer spend $80k for a software solution when Kyoceras do it right straight out of the box?


                  • Brianneoe
                    Trusted Tech

                    250+ Posts
                    • May 2015
                    • 317

                    #10
                    Re: Ricoh SMB scanning with end-to-end encryption

                    I might be all wet on this, but you have nothing to lose at this point. Have you telnetted into the MFP and changed "smb client auth 3" and then logged out? I just ran a test on a C306 and it took.


                    • rthonpm
                      Field Supervisor

                      2,500+ Posts
                      • Aug 2007
                      • 2837

                      #11
                      Re: Ricoh SMB scanning with end-to-end encryption

                      Originally posted by Brianneoe
                      I might be all wet on this, but you have nothing to lose at this point. Have you telnetted into the MFP and changed "smb client auth 3" and then logged out? I just ran a test on a C306 and it took.
                      You may be on to something here. Between this and making sure that the machine is using port 445 for SMB this may resolve the issue. It's been years since I've seen an NTLM issue in the wild, but it's definitely worth checking.



                      • tonerhead
                        Senior Tech

                        500+ Posts
                        • Sep 2009
                        • 580

                        #12
                        Re: Ricoh SMB scanning with end-to-end encryption

                        Mother Ricoh help desk had me telnet in and set smb to "2". According to him there are 0, 1, 2 as options here. He did not mention a 3. I am going to try that first chance I get, which probably will be on Wed. Thanks all. Will post back any results.


                        • Reed
                          Senior Tech

                          Site Contributor
                          100+ Posts
                          • Feb 2011
                          • 241

                          #13
                          Re: Ricoh SMB scanning with end-to-end encryption

                          When I can't get SMB to work, I will use a little FTP file to scan to folder. You get the same results; you are just using a different vehicle to get there.


                          • rthonpm
                            Field Supervisor

                            2,500+ Posts
                            • Aug 2007
                            • 2837

                            #14
                            Re: Ricoh SMB scanning with end-to-end encryption

                            Originally posted by Reed
                            When I can't get SMB to work, I will use a little FTP file to scan to folder. You get the same results; you are just using a different vehicle to get there.
                            Which may require additional permission from the customer as well. Nothing like potentially adding an unauthorised server to the company's environment.



                            • tonerhead
                              Senior Tech

                              500+ Posts
                              • Sep 2009
                              • 580

                              #15
                              Re: Ricoh SMB scanning with end-to-end encryption

                              Originally posted by Reed
                              When I can't get SMB to work, I will use a little FTP file to scan to folder. You get the same results; you are just using a different vehicle to get there.

                              Thank you for your suggestion, but this is a no go. The whole purpose of the server is it being secured. On a side note, I have run an FTP server (FileZilla) on workstations and servers where the anti-virus has totally locked down SMB. It works the same in the customer's eyes. One case in particular was a financial planner. He has an older copier that will only do SMB1 scanning. Didn't want to upgrade (cheap bugger); FileZilla was the trick for him.
