Ricoh SMB scanning with end to end encryption

  • slimslob
    Retired

    Site Contributor
    25,000+ Posts
    • May 2013
    • 37365

    #16
    Re: Ricoh SMB scanning with end to end encryption

    Originally posted by tonerhead
    Thank you for your suggestion, but this is a no go. The whole purpose of the server is it being secured. On a side note, I have run an FTP server (FileZilla) on workstations and servers where the anti-virus has totally locked down SMB. It works the same in the customer's eyes. One case in particular was a financial planner. He has an older copier that will only do SMB1 scanning. Didn't want to upgrade (cheap bugger); FileZilla was the trick for him.
    FileZilla is one of the few providers that offers a secure SFTP option that won't get you banned from a customer location. FileZilla(R) Secure FTP on Windows Server 2019


    • spacemole
      Junior Member
      • Jun 2021
      • 5

      #17
      Re: Ricoh SMB scanning with end to end encryption

      Would changing the SMB authentication level from level 2 to level 3 or even level 4 in the web interface do anything for this? Admittedly I am looking at an IM C3000, where I saw this setting. I admit I'm a little out of my depth on this subject.
      I do recognize most of what you guys are saying are words.


      • rthonpm
        Field Supervisor

        2,500+ Posts
        • Aug 2007
        • 2849

        #18
        Re: Ricoh SMB scanning with end to end encryption

        Have you tried enabling Kerberos encryption?
        Kerberos Authentication Encryption Setting | User Guide | IM 350, IM 430

        That should at least enable the login ticket between the MFP and the server to be encrypted, which may get you working.

        Sent from my BlackBerry using Tapatalk


        • PrintWhisperer
          Trusted Tech

          250+ Posts
          • Feb 2018
          • 465

          #19
          Re: Ricoh SMB scanning with end to end encryption

          First thing, SMB is a challenge-response protocol which means the client (MFP) presents a challenge list of SMB version dialects (contained in the SMB negotiate protocol request packet). The server responds by either accepting a dialect or refusing the connection.

          Current gen Kyoceras going back to the 1 series present SMB NTLM 1.2 through SMB 3.0 to the server. The server decides to accept its minimum version. There is no need to restrict the versions on the outgoing SMB connections, as the endpoint server controls the version to be used.

          You will need to examine the SMB negotiate protocol request packet from a network capture on your Ricoh to see the SMB versions it presents to the server.
          Wireshark will give you the answer.

          If it is presenting a v3 dialect then it may be that the implementation of SMB v3 is not functioning. Kyocera had this problem where the SMBv3 API firmware would mangle the filepath and fail the transfer.

          This was also viewable in Wireshark as Invalid file path notifications within the protocol stream.
          "Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin


          • tonerhead
            Senior Tech

            500+ Posts
            • Sep 2009
            • 582

            #20
            Re: Ricoh SMB scanning with end to end encryption

            I am really an ignorant idiot when it comes to Wireshark. The business still hasn't gotten back to us about trying again. When I am running Wireshark in the office, no matter what I do, I can see the username in cleartext. It is at this point the customer's network shuts down the SMB scanning. The Wireshark capture they did for us showed the username sent in cleartext and the SMB session cancelled. I could see the negotiation; it seemed like it would try for SMB3 but never settle on it (I can't read Wireshark). Mother Ricoh is no help whatsoever, like they don't care.

            We are somewhat blackboxed on this. Business doesn't let us know anything about their network security and are not going out of their way to help us either.

            Hopefully we are going to try again soon. Ricoh is supposed to have smb patch out soon. Will post back any new news.
            I've proved mathematics wrong. 1 + 1 doesn't always equal 2.........


            Especially when it comes to sex


            • slimslob
              Retired

              Site Contributor
              25,000+ Posts
              • May 2013
              • 37365

              #21
              Re: Ricoh SMB scanning with end to end encryption

              Sounds like SSL/TLS communication is set to default to cleartext.

              Set network security to level 2.

              You may also need to specify the SSL/TLS encrypted communication mode
              1. Log in as the network administrator from the control panel.
              2. Press [System Settings].
              3. Press [Interface Settings].
              4. Press [ Next].
              5. Press [Permit SSL / TLS Communication].
              6. Select the encrypted communication mode.
              Select [Ciphertext Only], [Ciphertext Priority], or [Ciphertext / Cleartext] as the encrypted communication mode.
              7. Press [OK].
              8. Log out.
              The above is from the Cxx03 security guide. You may want to check the Security Guide for the IM350 for any differences.


              • PrintWhisperer
                Trusted Tech

                250+ Posts
                • Feb 2018
                • 465

                #22
                Re: Ricoh SMB scanning with end to end encryption


                Most people don't enjoy reading Wireshark captures, but I'm just weird that way. I've spent so much time going over this with people that I have these nice screenshots. I always find examples of something succeeding help to compare to ones that go wrong.

                The first one is the MFP's initial Negotiate Protocol Request packet (In Wireshark you double click on it and open the SMB portion). It shows a robust list of SMB versions presented to a server on connection.

                The second is an example of a session which succeeds to negotiate to SMB3. Notice the several negotiate protocol requests as they settle on a version.
                It shows the final Server Response packet where the version for the session is dictated.

                The example shows the version is listed as a dialect code. You can look them up online.

                This case fails on Active Directory authentication because of a config error (incorrect username, password, etc.), shown in Wireshark as a 'Logon failure'.

                [Attachments: MFP_SMB_Dialects.jpg, Version_Negotiation.jpg]

                SMB 3.0 is the minimum version with 'end-to-end' encryption. It is built in to the protocol, and you can see a reference to encryption in the second screenshot listed next to 'capabilities'.
                Last edited by PrintWhisperer; 06-19-2021, 05:41 PM. Reason: Add definition of end to end.
                "Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin
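The dialect list and the capability bits PrintWhisperer points to in the Negotiate Protocol Request and Response (posts #19 and #22) can be decoded from a capture without the screenshots. The following is an added Python example, not code from this thread or from Ricoh or Kyocera: it builds a constructed NEGOTIATE request and response with the MS-SMB2 field layout, then decodes them the way Wireshark's SMB2 dissector does. The dialect codes and capability names are the ones Wireshark displays; the GUIDs, buffer sizes and credit values are made-up sample values.

```python
"""Decode the SMB2 NEGOTIATE exchange (MS-SMB2 2.2.3 / 2.2.4) far enough to
answer two questions: which dialects does the client offer, and which dialect
and capabilities does the server dictate back. Sample packets are constructed
here, not taken from a real capture."""
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000            # Command field value
FLAG_SERVER_TO_REDIR = 0x00000001  # Flags bit set on responses
CAP_ENCRYPTION = 0x00000040        # SMB2_GLOBAL_CAP_ENCRYPTION

# Dialect codes, as Wireshark lists them in the Negotiate Protocol packets.
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

# Server capability bits from the NEGOTIATE response.
CAPABILITIES = {0x01: "DFS", 0x02: "LEASING", 0x04: "LARGE_MTU",
                0x08: "MULTI_CHANNEL", 0x10: "PERSISTENT_HANDLES",
                0x20: "DIRECTORY_LEASING", CAP_ENCRYPTION: "ENCRYPTION"}


def _header(command, flags, message_id=0):
    """64-byte SMB2 header with zeroed status, ids and signature."""
    return (SMB2_MAGIC
            + struct.pack("<HHIHHI", 64, 0, 0, command, 1, flags)
            + struct.pack("<IQIIQ", 0, message_id, 0, 0, 0)
            + b"\x00" * 16)


def _parse_header(pkt):
    if len(pkt) < 64 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    size, _charge, _status, command, _credits, flags = struct.unpack_from("<HHIHHI", pkt, 4)
    if size != 64:
        raise ValueError("bad SMB2 header StructureSize")
    return command, flags


def build_negotiate_request(dialects, signing_required=False):
    """Client side: StructureSize 36, then the dialect list (constructed GUID)."""
    security_mode = 0x0003 if signing_required else 0x0001  # signing enabled [+ required]
    body = struct.pack("<HHHHI", 36, len(dialects), security_mode, 0, CAP_ENCRYPTION)
    body += uuid.UUID(int=0x1234).bytes_le + b"\x00" * 8   # ClientGuid, ClientStartTime
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return _header(SMB2_NEGOTIATE, 0) + body


def build_negotiate_response(dialect, capabilities):
    """Server side: StructureSize 65; the one chosen dialect plus capability bits."""
    body = struct.pack("<HHHH", 65, 0x0001, dialect, 0) + uuid.UUID(int=0xABCD).bytes_le
    body += struct.pack("<IIIIQQHHI", capabilities, 8388608, 8388608, 8388608,
                        0, 0, 128, 0, 0)           # sizes, times, security buffer (empty)
    return _header(SMB2_NEGOTIATE, FLAG_SERVER_TO_REDIR) + body + b"\x00"


def parse_negotiate_request(pkt):
    """What the MFP offers: every dialect code it is willing to speak."""
    command, flags = _parse_header(pkt)
    if command != SMB2_NEGOTIATE or flags & FLAG_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE request")
    body = pkt[64:]
    size, count, security_mode, _r, _caps = struct.unpack_from("<HHHHI", body, 0)
    if size != 36:
        raise ValueError("bad NEGOTIATE request StructureSize")
    codes = struct.unpack_from("<%dH" % count, body, 36)
    return {"dialects": [DIALECTS.get(c, "unknown 0x%04x" % c) for c in codes],
            "offers_smb3": any(c >= 0x0300 for c in codes),
            "signing_required": bool(security_mode & 0x0002)}


def parse_negotiate_response(pkt):
    """What the server dictates: the session dialect and its capability bits."""
    command, flags = _parse_header(pkt)
    if command != SMB2_NEGOTIATE or not flags & FLAG_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body = pkt[64:]
    size, _mode, dialect, _ctx = struct.unpack_from("<HHHH", body, 0)
    if size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    caps, = struct.unpack_from("<I", body, 24)
    return {"dialect": DIALECTS.get(dialect, "unknown 0x%04x" % dialect),
            "capabilities": [n for bit, n in CAPABILITIES.items() if caps & bit],
            # SMB 3.0 / 3.0.2 advertise encryption with this bit; SMB 3.1.1 moves
            # it into a negotiate context that this decoder does not parse.
            "cap_encryption": bool(caps & CAP_ENCRYPTION)}


if __name__ == "__main__":
    req = build_negotiate_request([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])
    resp = build_negotiate_response(0x0300, 0x47)  # DFS, LEASING, LARGE_MTU, ENCRYPTION
    print(parse_negotiate_request(req))
    print(parse_negotiate_response(resp))
```

To run the decoders against a real capture, export the SMB2 message bytes from Wireshark (the payload after the 4-byte NetBIOS session header) and pass them to the two parse functions; a request that never lists 0x0300 or higher, or a response that picks SMB 2.1, rules out protocol-level encryption before anyone looks at authentication.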


                • tonerhead
                  Senior Tech

                  500+ Posts
                  • Sep 2009
                  • 582

                  #23
                  Re: Ricoh SMB scanning with end to end encryption

                  Thanks, it is similar to what we are seeing. The trouble is, for some stupid reason, you can see the username sent in cleartext; at that point security shuts the data stream down. The customer doesn't want even the username sent in cleartext. We cannot figure out why it does it. We have Ciphertext Only checked; it still does it. Firmware is current. I think Ricoh is aware of the problem but would rather sell their software, Streamline NX. They keep promising us a solution but are not delivering.
                  I've proved mathematics wrong. 1 + 1 doesn't always equal 2.........


                  Especially when it comes to sex


                  • slimslob
                    Retired

                    Site Contributor
                    25,000+ Posts
                    • May 2013
                    • 37365

                    #24
                    Re: Ricoh SMB scanning with end to end encryption

                    Originally posted by tonerhead
                    Thanks, it is similar to what we are seeing. The trouble is, for some stupid reason, you can see the username sent in cleartext; at that point security shuts the data stream down. The customer doesn't want even the username sent in cleartext. We cannot figure out why it does it. We have Ciphertext Only checked; it still does it. Firmware is current. I think Ricoh is aware of the problem but would rather sell their software, Streamline NX. They keep promising us a solution but are not delivering.
                    Hope this helps.

                    Sounds like Cleartext/Ciphertext as the SSL/TLS encrypted communication mode. You may need to change it to either Ciphertext Only or Ciphertext Priority. The following is from the Security section of the online IM 350/350F/4230F/430Fb User Guide (Full Version).

                    Enabling SSL/TLS

                    After installing the device certificate in the machine, enable the SSL/TLS setting using a web browser from networked computers. (We use Web Image Monitor installed on this machine.)
                    This procedure is used for a self-signed certificate or a certificate issued by a certificate authority.
                    1. Open a web browser from a networked computer, and then log in to Web Image Monitor as the network administrator.
                       For details on how to log in, see Administrator Login Method.
                    2. Point to [Device Management], and then click [Configuration].
                    3. Click [SSL/TLS] under "Security".
                    4. For IPv4 and IPv6, select "Active" if you want to enable SSL/TLS.
                    5. Select the encryption communication mode for "Permit SSL/TLS Communication".
                       Select [Ciphertext Only], [Ciphertext Priority], or [Ciphertext / Cleartext] as the encrypted communication mode.

                    When you set "Permit SSL/TLS Communication" to [Ciphertext Only], communication will not be possible if you select a protocol that does not support a web browser, or specify an encryption strength setting only. If this is the case, enable communication by setting [Permit SSL / TLS Communication] to [Ciphertext / Cleartext] using the machine's control panel, and then specify the correct protocol and encryption strength.
                    To avoid the "The page cannot be displayed" message when you access Web Image Monitor without encryption, we recommend you select [Ciphertext / Cleartext].


                    • tonerhead
                      Senior Tech

                      500+ Posts
                      • Sep 2009
                      • 582

                      #25
                      Re: Ricoh SMB scanning with end to end encryption

                      Thanks will check into it.
                      I've proved mathematics wrong. 1 + 1 doesn't always equal 2.........


                      Especially when it comes to sex


                      • PrintWhisperer
                        Trusted Tech

                        250+ Posts
                        • Feb 2018
                        • 465

                        #26
                        Re: Ricoh SMB scanning with end to end encryption

                        Originally posted by tonerhead
                        Thanks will check into it.
                        Do not bother it will not affect your problem.

                        SMB does not use SSL/TLS. That’s for email/web.

                        SMB does not behave like SSL/TLS.

                        As you saw in the Wireshark, SMB uses the NTLM protocol for authentication.
                        NTLM sends Domain and Username as a Unicode or OEM hex string. Wireshark decodes it to text. There is no option within the protocol to change this.

                        NTLM NEVER transmits a password, it uses a key encoded with the password.

                        NTLM has a few vulnerabilities but they have more to do with hijacking the session than getting credentials as username/password.

                        This protocol is typically used internally and not over the internet so ‘listening’ on the network to capture this would have to be inside the business.

                        I don’t know what ‘stopped by security’ means about when Domain/Username is sent (normally unencrypted): is that a person or some software? Hard to imagine software shutting down every NTLM auth on the network.

                        Logged-on domain clients already know the username when making SMB connections, so that may be the difference they are seeing, but unless you’re running a Windows client joined to the domain with a logged-on user on the MFP, I don’t think there is a way to change this.

                        It (MFP) will need to tell the server who it is authenticating and to what Domain and there is no encryption method for this by definition. There is a method to confirm password match on both ends with a sort of shared key, and encryption for the data sent, but this alarm over ‘clear’ text is because they are not used to seeing it, but it’s perfectly normal.
                        "Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin
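The NTLMSSP behaviour described in post #26 (domain and username carried as a Unicode or OEM string, no password on the wire, only a keyed response) can be checked directly on the AUTHENTICATE message that Wireshark labels NTLMSSP_AUTH. The following is an added Python example, not code from this thread or from any vendor: it builds a constructed AUTHENTICATE message with the MS-NLMP 2.2.1.3 field layout and decodes it back. The domain, user, workstation and password strings are made-up sample values, and the 24 NT-response bytes are a placeholder standing in for the keyed NTLMv2 response, which this example does not compute.

```python
"""Build and decode an NTLMSSP AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3) to see
which fields cross the wire readable and which do not. All values constructed."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001   # identity strings are UTF-16LE
NEGOTIATE_OEM = 0x00000002       # identity strings are OEM code page
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_SEAL = 0x00000020
NEGOTIATE_VERSION = 0x02000000
HEADER_LEN = 88                  # signature .. MIC; payload strings follow


def _encoding(flags):
    return "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"


def build_authenticate(domain, user, workstation, nt_response, flags):
    """Lay out the six length/maxlen/offset descriptors and the payload they point at."""
    enc = _encoding(flags)
    lm_response = b"\x00" * 24                       # LMv2 left empty (common for NTLMv2)
    blobs = [lm_response, nt_response, domain.encode(enc),
             user.encode(enc), workstation.encode(enc), b""]  # no session key exchange
    descriptors, payload = b"", b""
    for blob in blobs:
        descriptors += struct.pack("<HHI", len(blob), len(blob), HEADER_LEN + len(payload))
        payload += blob
    version = bytes([6, 1, 0, 0, 0, 0, 0, 15])     # constructed Version field
    mic = b"\x00" * 16                               # MIC omitted in this sample
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE) + descriptors
            + struct.pack("<I", flags) + version + mic + payload)


def parse_authenticate(msg):
    """Recover the identity fields exactly as a packet dissector would."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")

    def field(index):  # descriptor order: LM, NT, Domain, User, Workstation, SessionKey
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * index)
        return msg[offset:offset + length]

    flags, = struct.unpack_from("<I", msg, 60)
    enc = _encoding(flags)
    return {"domain": field(2).decode(enc),
            "user": field(3).decode(enc),
            "workstation": field(4).decode(enc),
            "nt_response_len": len(field(1)),
            "unicode": bool(flags & NEGOTIATE_UNICODE),
            "sign": bool(flags & NEGOTIATE_SIGN),
            "seal": bool(flags & NEGOTIATE_SEAL)}


def contains_cleartext(msg, text):
    """True if the string appears in the message in either encoding NTLM uses."""
    return text.encode("utf-16-le") in msg or text.encode("cp437") in msg


if __name__ == "__main__":
    SAMPLE_PASSWORD = "example-password"             # constructed; never placed in the message
    nt_placeholder = bytes(range(24))                # stands in for the keyed NTLMv2 response
    msg = build_authenticate("CORP", "scanner", "MFP-LOBBY", nt_placeholder,
                             NEGOTIATE_UNICODE | NEGOTIATE_SIGN | NEGOTIATE_VERSION)
    print(parse_authenticate(msg))
    print("username readable:", contains_cleartext(msg, "scanner"))
    print("password readable:", contains_cleartext(msg, SAMPLE_PASSWORD))
```

The decoder is what makes the post's point testable on a real capture: the domain and username come back as readable strings whichever encoding flag is set, while the only password-derived material is the fixed-length response field. Whether the whole exchange is then wrapped in SMB 3 encryption is decided at the NEGOTIATE stage, not here.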


                        • tonerhead
                          Senior Tech

                          500+ Posts
                          • Sep 2009
                          • 582

                          #27
                          Re: Ricoh SMB scanning with end to end encryption

                          You know, the more I listen to this thread, I am thinking the IT at this business is full of crap. I really don't think they know what they want. I'm sure their IT knowledge and security are eons beyond myself or the company I work for. They will not really help us to get this to work.

                          1. They have told me the Ricoh sends username in cleartext. Their security software on this server cuts the communication at that point.

                          2. The crazy thing is I can browse from the copier to the server and the share folder. As I browse to the server, it asks for username and password. I enter these and it lets me continue to browse the server to the share folder just fine. At this point I scan a document and it cacks. So it is accepting username and password just fine in browsing.

                          3. We are not allowed to know what, why, how they are doing in security.

                          4. Kyoceras work flawlessly.

                          What is Kyocera doing right? All of the same settings are in the Ricoh.
                          I've proved mathematics wrong. 1 + 1 doesn't always equal 2.........


                          Especially when it comes to sex


                          • slimslob
                            Retired

                            Site Contributor
                            25,000+ Posts
                            • May 2013
                            • 37365

                            #28
                            Re: Ricoh SMB scanning with end to end encryption

                            Originally posted by tonerhead
                            You know, the more I listen to this thread, I am thinking the IT at this business is full of crap. I really don't think they know what they want. I'm sure their IT knowledge and security are eons beyond myself or the company I work for. They will not really help us to get this to work.

                            1. They have told me the Ricoh sends username in cleartext. Their security software on this server cuts the communication at that point.

                            2. The crazy thing is I can browse from the copier to the server and the share folder. As I browse to the server, it asks for username and password. I enter these and it lets me continue to browse the server to the share folder just fine. At this point I scan a document and it cacks. So it is accepting username and password just fine in browsing.

                            3. We are not allowed to know what, why, how they are doing in security.

                            4. Kyoceras work flawlessly.

                            What is Kyocera doing right? All of the same settings are in the Ricoh.
                            Are they using a different type of authentication on the Kyoceras?


                            • tsbservice
                              Field tech

                              Site Contributor
                              5,000+ Posts
                              • May 2007
                              • 7981

                              #29
                              Re: Ricoh SMB scanning with end to end encryption

                              Is there a way on this Ricoh model to force SMB v3 client only?
                              A tree is known by its fruit, a man by his deeds. A good deed is never lost, he who sows courtesy, reaps friendship, and he who plants kindness gathers love.
                              Blessed are they who can laugh at themselves, for they shall never cease to be amused.


                              • PrintWhisperer
                                Trusted Tech

                                250+ Posts
                                • Feb 2018
                                • 465

                                #30
                                Re: Ricoh SMB scanning with end to end encryption

                                Originally posted by tonerhead
                                You know, the more I listen to this thread, I am thinking the IT at this business is full of crap. I really don't think they know what they want.
                                I tend to agree, most IT flunkies don’t really understand the technology.

                                Sadly it comes back to getting a Wireshark capture as the only way to see what’s going on.

                                It will show exactly where the conversation breaks due to the security.

                                As you have seen Kyocera transmits the Domain/username the same as Ricoh in Unicode probably rather than OEM code.

                                We can assume if they are forcing SMB 3 on the server that the Ricoh offers SMB 3 or it wouldn’t move on to the NTLMSSP_Auth stage, and perhaps there is a problem with Ricoh negotiation there…
                                …but it’s all guess work without a capture.

                                SharkTap 1G $189.00 on Amazon.

                                P.S. In case you didn’t know the Wireshark samples I provided are from a Kyocera.
                                "Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin
