librex 0.0.1

data/lib/rex/proto/smb/simpleclient.rb

@@ -0,0 +1,292 @@
+module Rex
+module Proto
+module SMB
+class SimpleClient
+
+require 'rex/text'
+require 'rex/struct2'
+require 'rex/proto/smb/constants'
+require 'rex/proto/smb/exceptions'
+require 'rex/proto/smb/evasions'
+require 'rex/proto/smb/crypt'
+require 'rex/proto/smb/utils'
+require 'rex/proto/smb/client'
+
+# Some short-hand class aliases
+CONST = Rex::Proto::SMB::Constants
+CRYPT = Rex::Proto::SMB::Crypt
+UTILS = Rex::Proto::SMB::Utils
+XCEPT = Rex::Proto::SMB::Exceptions
+EVADE = Rex::Proto::SMB::Evasions
+
+
+	class OpenFile
+		attr_accessor	:name, :tree_id, :file_id, :mode, :client, :chunk_size
+		
+		def initialize(client, name, tree_id, file_id)
+			self.client = client
+			self.name = name
+			self.tree_id = tree_id
+			self.file_id = file_id
+			self.chunk_size = 48000
+		end
+		
+		def delete
+			begin
+				self.close
+			rescue
+			end
+			self.client.delete(self.name, self.tree_id)
+		end
+		
+		# Close this open file
+		def close
+			self.client.close(self.file_id, self.tree_id)
+		end
+		
+		# Read data from the file
+		def read(length = nil, offset = 0)	
+			if (length == nil)
+				data = ''
+				fptr = offset
+				ok = self.client.read(self.file_id, fptr, self.chunk_size)
+				while (ok and ok['Payload'].v['DataLenLow'] > 0)
+					buff = ok.to_s.slice(
+						ok['Payload'].v['DataOffset'] + 4,
+						ok['Payload'].v['DataLenLow']
+					)
+					data << buff
+					if ok['Payload'].v['Remaining'] == 0
+						break
+					end
+					fptr += ok['Payload'].v['DataLenLow']
+					
+					begin
+						ok = self.client.read(self.file_id, fptr, self.chunk_size)
+					rescue XCEPT::ErrorCode => e
+						case e.error_code					
+						when 0x00050001
+							# Novell fires off an access denied error on EOF
+							ok = nil
+						else
+							raise e
+						end
+					end
+				end
+
+				return data
+			else
+				ok = self.client.read(self.file_id, offset, length)
+				data = ok.to_s.slice(
+					ok['Payload'].v['DataOffset'] + 4,
+					ok['Payload'].v['DataLenLow']
+				)
+				return data
+			end
+		end
+
+		def << (data)
+			self.write(data)
+		end
+
+		# Write data to the file
+		def write(data, offset = 0)	
+			# Track our offset into the remote file
+			fptr = offset
+			
+			# Duplicate the data so we can use slice!
+			data = data.dup
+			
+			# Take our first chunk of bytes
+			chunk = data.slice!(0, self.chunk_size)
+			
+			# Keep writing data until we run out
+			while (chunk.length > 0)
+				ok = self.client.write(self.file_id, fptr, chunk)
+				cl = ok['Payload'].v['CountLow']
+				
+				# Partial write, push the failed data back into the queue
+				if (cl != chunk.length)
+					data = chunk.slice(cl - 1, chunk.length - cl) + data
+				end
+				
+				# Increment our painter and grab the next chunk
+				fptr += cl
+				chunk = data.slice!(0, self.chunk_size)
+			end
+		end
+	end
+	
+	class OpenPipe < OpenFile
+		
+		# Valid modes are: 'trans' and 'rw'
+		attr_accessor :mode
+		
+		def initialize(*args)
+			super(*args)
+			self.mode = 'rw'
+			@buff = ''
+		end
+		
+		def read_buffer(length, offset=0)
+			length ||= @buff.length
+			@buff.slice!(0, length)
+		end
+		
+		def read(length = nil, offset = 0)
+			case self.mode
+			when 'trans'
+				read_buffer(length, offset)
+			when 'rw'
+				super(length, offset)
+			else
+				raise ArgumentError
+			end
+		end
+		
+		def write(data, offset = 0)
+			case self.mode
+			
+			when 'trans'
+				write_trans(data, offset)
+			when 'rw'
+				super(data, offset)
+			else
+				raise ArgumentError
+			end
+		end
+		
+		def write_trans(data, offset=0)
+			ack = self.client.trans_named_pipe(self.file_id, data)
+			doff = ack['Payload'].v['DataOffset']
+			dlen = ack['Payload'].v['DataCount']
+			@buff << ack.to_s[4+doff, dlen]
+		end
+	end
+	
+
+# Public accessors
+attr_accessor	:last_error
+
+# Private accessors
+attr_accessor	:socket, :client, :direct, :shares, :last_share
+
+	# Pass the socket object and a boolean indicating whether the socket is netbios or cifs
+	def initialize(socket, direct = false)
+		self.socket = socket
+		self.direct = direct
+		self.client = Rex::Proto::SMB::Client.new(socket)
+		self.shares = { }
+	end
+	
+	def login(name = '', user = '', pass = '', domain = '')
+
+		begin
+			
+			if (self.direct != true)
+				self.client.session_request(name)
+			end
+		
+			self.client.negotiate
+			ok = self.client.session_setup(user, pass, domain)
+		rescue ::Interrupt
+			raise $!
+		rescue ::Exception => e
+			n = XCEPT::LoginError.new
+			n.source = e
+			if(e.respond_to?('error_code'))
+				n.error_code   = e.error_code
+				n.error_reason = e.get_error(e.error_code)
+			end
+			raise n
+		end
+		
+		return true
+	end
+
+
+	def login_split_start_ntlm1(name = '')
+
+		begin
+			
+			if (self.direct != true)
+				self.client.session_request(name)
+			end
+			
+			# Disable extended security
+			self.client.negotiate(false)
+		rescue ::Interrupt
+			raise $!
+		rescue ::Exception => e
+			n = XCEPT::LoginError.new
+			n.source = e
+			if(e.respond_to?('error_code'))
+				n.error_code   = e.error_code
+				n.error_reason = e.get_error(e.error_code)
+			end
+			raise n
+		end
+		
+		return true
+	end
+	
+	
+	def login_split_next_ntlm1(user, domain, hash_lm, hash_nt)
+		begin
+			ok = self.client.session_setup_ntlmv1_prehash(user, domain, hash_lm, hash_nt)
+		rescue ::Interrupt
+			raise $!
+		rescue ::Exception => e
+			n = XCEPT::LoginError.new
+			n.source = e
+			if(e.respond_to?('error_code'))
+				n.error_code   = e.error_code
+				n.error_reason = e.get_error(e.error_code)
+			end
+			raise n
+		end
+		
+		return true			
+	end
+		
+	def connect(share)
+		ok = self.client.tree_connect(share)
+		tree_id = ok['Payload']['SMB'].v['TreeID']
+		self.shares[share] = tree_id
+		self.last_share = share
+	end
+	
+	def disconnect(share)
+		ok = self.client.tree_disconnect(self.shares[share])
+		self.shares.delete(share)
+	end	
+	
+	def open(path, perm)		
+		mode   = UTILS.open_mode_to_mode(perm)
+		access = UTILS.open_mode_to_access(perm)
+		
+		ok = self.client.open(path, mode, access)
+		file_id = ok['Payload'].v['FileID']
+		
+		fh = OpenFile.new(self.client, path, self.client.last_tree_id, file_id)
+	end
+	
+	def delete(*args)
+		self.client.delete(*args)
+	end
+
+	def create_pipe(path, perm = 'c')
+		disposition = UTILS.create_mode_to_disposition(perm)
+		ok = self.client.create_pipe(path, disposition)
+		file_id = ok['Payload'].v['FileID']	
+		fh = OpenPipe.new(self.client, path, self.client.last_tree_id, file_id)
+	end
+
+	def trans_pipe(fid, data, no_response = nil)
+		client.trans_named_pipe(fid, data, no_response)
+	end
+	
+end
+end
+end
+end

data/lib/rex/proto/smb/simpleclient.rb.ut.rb

@@ -0,0 +1,128 @@
+#!/usr/bin/env ruby
+
+$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..'))
+
+require 'rex/test'
+require 'rex/proto/smb'
+require 'rex/proto/dcerpc'
+require 'rex/socket'
+
+class Rex::Proto::SMB::SimpleClient::UnitTest < Test::Unit::TestCase
+
+	Klass = Rex::Proto::SMB::SimpleClient
+
+	# Alias over the Rex DCERPC protocol modules
+	DCERPCPacket   = Rex::Proto::DCERPC::Packet
+	DCERPCClient   = Rex::Proto::DCERPC::Client
+	DCERPCResponse = Rex::Proto::DCERPC::Response
+	DCERPCUUID     = Rex::Proto::DCERPC::UUID
+	XCEPT          = Rex::Proto::SMB::Exceptions
+
+	FILE_CREATE = 0x10
+	FILE_TRUNC  = 0x02
+	FILE_OPEN   = 0x01
+
+
+	def test_smb_open_share
+		user = 'SMBTest'
+		pass = 'SMBTest'
+		share = 'C$'
+
+		write_data = ('A' * (1024 * 8))
+		filename = 'smb_tester.txt'
+		begin
+		Timeout.timeout($_REX_TEST_TIMEOUT) {
+		s = Rex::Socket.create_tcp(
+			'PeerHost' => $_REX_TEST_SMB_HOST,
+			'PeerPort' => 445
+		)
+
+		c = Klass.new(s, true)
+
+		begin
+	        c.login('*SMBSERVER', user, pass)
+		rescue XCEPT::LoginError
+			flunk('login failure')
+		end
+
+		c.connect(share)
+
+		f = c.open(filename, 'rwct')
+	    f << write_data
+		f.close
+
+		f = c.open(filename, 'ro')
+	    d = f.read()
+	    f.close
+
+		c.delete(filename)
+		c.disconnect(share)
+
+		s.close
+		}
+		rescue Timeout::Error
+			flunk('timeout')
+		end
+	end
+
+	def test_smb_dcerpc
+		begin
+		Timeout.timeout($_REX_TEST_TIMEOUT) {
+		s = Rex::Socket.create_tcp(
+			'PeerHost' => $_REX_TEST_SMB_HOST,
+			'PeerPort' => 445
+		)
+
+		c = Klass.new(s, true)
+
+		user = ''
+		pass = ''
+
+		begin
+			c.login('*SMBSERVER', user, pass)
+		rescue XCEPT::LoginError
+			flunk('login failure')
+		end
+
+		c.connect('IPC$')
+		f = c.create_pipe('\BROWSER')
+
+		bind, ctx = DCERPCPacket.make_bind_fake_multi(
+			'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
+			10,
+			4
+		)
+
+		# Evasion techniques:
+		# 	1) Write the bind out a few bytes at a time with a random offset
+		#	2) Read the response back a few bytes at a time with a random offset
+
+		# Write the bind request out in random chunk sizes
+		while (bind.length > 0)
+		    f.write( bind.slice!(0, (rand(20)+5)), rand(1024)+1 )
+		end
+
+		d = ''
+		# Read the response back a few bytes a time
+		begin
+		    while(true)
+			    t = (f.read((rand(20)+5), rand(1024)+1))
+				last if ! t.length
+				d << t
+			end
+		rescue XCEPT::NoReply
+		end
+
+		r = DCERPCResponse.new(d)
+		assert_equal(r.type, 12)
+		assert_equal(r.ack_result[ctx-0], 0)
+		assert_equal(r.ack_result[ctx-1], 2)
+
+		s.close
+		}
+		rescue Timeout::Error
+			flunk('timeout')
+		end
+	end
+end
+

data/lib/rex/proto/smb/utils.rb

@@ -0,0 +1,514 @@
+require 'rex/text'
+require 'rex/proto/smb/constants'
+
+module Rex
+module Proto
+module SMB
+class Utils
+
+CONST = Rex::Proto::SMB::Constants
+
+	# Creates an access mask for use with the CLIENT.open() call based on a string
+	def self.open_mode_to_access(str)
+		access = CONST::OPEN_ACCESS_READ | CONST::OPEN_SHARE_DENY_NONE
+		str.each_byte { |c|
+			case [c].pack('C').downcase
+				when 'w'
+					access |= CONST::OPEN_ACCESS_READWRITE
+			end
+		}
+		return access
+	end
+	
+	# Creates a mode mask for use with the CLIENT.open() call based on a string
+	def self.open_mode_to_mode(str)
+		mode = 0
+		
+		str.each_byte { |c|
+			case [c].pack('C').downcase
+				when 'x' # Fail if the file already exists
+					mode |= CONST::OPEN_MODE_EXCL
+				when 't' # Truncate the file if it already exists
+					mode |= CONST::OPEN_MODE_TRUNC
+				when 'c' # Create the file if it does not exist
+					mode |= CONST::OPEN_MODE_CREAT	
+				when 'o' # Just open the file, clashes with x
+					mode |= CONST::OPEN_MODE_OPEN
+			end
+		}
+
+		return mode
+	end
+	
+	# Returns a disposition value for smb.create based on permission string
+	def self.create_mode_to_disposition(str)
+		str.each_byte { |c|
+			case [c].pack('C').downcase
+				when 'c' # Create the file if it does not exist
+					return CONST::CREATE_ACCESS_OPENCREATE
+				when 'o' # Just open the file and fail if it does not exist
+					return CONST::CREATE_ACCESS_EXIST
+			end
+		}
+
+		return CONST::CREATE_ACCESS_OPENCREATE
+	end
+
+	# Convert a 64-bit signed SMB time to a unix timestamp
+	def self.time_smb_to_unix(thi, tlo)
+		(((thi << 32) + tlo) / 10000000) - 11644473600
+	end
+
+	# Convert a unix timestamp to a 64-bit signed server time
+	def self.time_unix_to_smb(unix_time)
+		t64 = (unix_time + 11644473600) * 10000000
+		thi = (t64 & 0xffffffff00000000) >> 32
+		tlo = (t64 & 0x00000000ffffffff)
+		return [thi, tlo]
+	end
+
+	# Convert a name to its NetBIOS equivalent
+	def self.nbname_encode(str)
+		encoded = ''
+		for x in (0..15)
+			if (x >= str.length)
+				encoded << 'CA'
+			else
+				c = str[x, 1].upcase[0,1].unpack('C*')[0]
+				encoded << [ (c / 16) + 0x41, (c % 16) + 0x41 ].pack('CC')
+			end
+		end
+		return encoded
+	end
+	
+	# Convert a name from its NetBIOS equivalent
+	def self.nbname_decode(str)
+		decoded = ''
+		str << 'A' if str.length % 2 != 0
+		while (str.length > 0)
+			two = str.slice!(0, 2).unpack('C*')
+			if (two.length == 2)
+				decoded << [ ((two[0] - 0x41) * 16) + two[1] - 0x41 ].pack('C')
+			end
+		end
+		return decoded
+	end
+
+	#
+	# Prepends an ASN1 formatted length field to a piece of data
+	#
+	def self.asn1encode(str = '')
+		res = ''
+
+		# If the high bit of the first byte is 1, it contains the number of
+		# length bytes that follow
+
+		case str.length
+			when 0 .. 0x7F
+				res = [str.length].pack('C') + str
+			when 0x80 .. 0xFF
+				res = [0x81, str.length].pack('CC') + str
+			when 0x100 .. 0xFFFF
+				res = [0x82, str.length].pack('Cn') + str
+			when  0x10000 .. 0xffffff
+				res = [0x83, str.length >> 16, str.length & 0xFFFF].pack('CCn') + str
+			when  0x1000000 .. 0xffffffff
+				res = [0x84, str.length].pack('CN') + str
+			else
+				raise "ASN1 str too long"
+		end
+		return res
+	end
+	
+	def self.make_ntlmv2_secblob_init(domain = 'WORKGROUP', name = 'WORKSTATION', flags=0x80201)
+		blob = 
+		"\x60" + self.asn1encode(		
+			"\x06" + self.asn1encode(
+				"\x2b\x06\x01\x05\x05\x02"
+			) +	
+			"\xa0" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\x06" + self.asn1encode(
+								"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+							)
+						)
+					) +
+					"\xa2" + self.asn1encode(
+						"\x04" + self.asn1encode(
+							"NTLMSSP\x00" +
+							[1, flags].pack('VV') +
+
+							[
+								domain.length,  #length
+								domain.length,  #max length
+								32
+							].pack('vvV') +
+
+							[
+								name.length,	#length
+								name.length, 	#max length
+								domain.length + 32
+							].pack('vvV') +	
+
+							domain + name
+						)
+					)
+				)
+			)
+		)
+
+		return blob	
+	end
+
+	def self.make_ntlmv2_secblob_auth(domain, name, user, lmv2, ntlm, flags = 0x080201)
+		
+		lmv2 ||= "\x00" * 24
+		ntlm ||= "\x00" * 24		
+	
+		domain_uni = Rex::Text.to_unicode(domain)
+		user_uni   = Rex::Text.to_unicode(user)
+		name_uni   = Rex::Text.to_unicode(name)
+		session    = ''
+		
+		ptr  = 64 
+		blob =
+			"\xa1" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa2" + self.asn1encode(
+						"\x04" + self.asn1encode(
+					
+							"NTLMSSP\x00" +
+							[ 3 ].pack('V') +
+							
+							[	# Lan Manager Response
+								lmv2.length,
+								lmv2.length,
+								(ptr)
+							].pack('vvV') +
+							
+							[	# NTLM Manager Response
+								ntlm.length,
+								ntlm.length,
+								(ptr += lmv2.length)
+							].pack('vvV') +		
+									
+							[	# Domain Name
+								domain_uni.length,
+								domain_uni.length,
+								(ptr += ntlm.length)
+							].pack('vvV') +		
+			
+							[	# Username
+								user_uni.length,
+								user_uni.length,
+								(ptr += domain_uni.length)
+							].pack('vvV') +		
+			
+							[	# Hostname
+								name_uni.length,
+								name_uni.length,
+								(ptr += user_uni.length)
+							].pack('vvV') +		
+							
+							[	# Session Key (none)
+								session.length,
+								session.length,
+								(ptr += name_uni.length)
+							].pack('vvV') +		
+			
+							[ flags ].pack('V') +
+				
+							lmv2 +
+							ntlm +
+							domain_uni +
+							user_uni +
+							name_uni + 
+							session + "\x00"
+					)
+				)
+			)
+		)
+		return blob
+	end
+
+
+	def self.make_negotiate_secblob_resp(account, domain)
+		blob = 
+		"\x60" + self.asn1encode(		
+			"\x06" + self.asn1encode(
+				"\x2b\x06\x01\x05\x05\x02"
+			) +	
+			"\xa0" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\x06" + self.asn1encode(
+								"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"
+							) +
+							"\x06" + self.asn1encode(
+								"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
+							) +
+							"\x06" + self.asn1encode(
+								"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"
+							) +	
+							"\x06" + self.asn1encode(
+								"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+							)																						
+						)
+					) +
+					"\xa3" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\xa0" + self.asn1encode(
+								"\x1b" + self.asn1encode(
+									account + '@' + domain
+								)
+							)
+						)
+					)
+				)
+			)
+		)
+
+		return blob	
+	end	
+
+	def self.make_ntlmv2_secblob_chall(win_domain, dns_domain, win_name, dns_name, chall, flags)
+		
+		win_domain = Rex::Text.to_unicode(win_domain)
+		dns_domain = Rex::Text.to_unicode(dns_domain)
+		win_name = Rex::Text.to_unicode(win_name)
+		dns_name = Rex::Text.to_unicode(dns_name)
+		
+		addr_list  = ''
+		addr_list  << [2, win_domain.length].pack('vv') + win_domain
+		addr_list  << [1, win_name.length].pack('vv') + win_name
+		addr_list  << [4, dns_domain.length].pack('vv') + dns_domain
+		addr_list  << [3, dns_name.length].pack('vv') + dns_name
+		addr_list  << [5, dns_domain.length].pack('vv') + dns_domain
+		addr_list  << [0, 0].pack('vv')
+
+		ptr  = 0 
+		blob =
+			"\xa1" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x0a" + self.asn1encode(
+							"\x01"
+						)
+					) +
+					"\xa1" + self.asn1encode(
+						"\x06" + self.asn1encode(
+							"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+						)
+					) +
+					"\xa2" + self.asn1encode(
+						"\x04" + self.asn1encode(
+							"NTLMSSP\x00" +
+							[2].pack('V') +
+							[
+								win_domain.length,  # length
+								win_domain.length,  # max length
+								(ptr += 48)
+							].pack('vvV') +
+							[ flags ].pack('V') +
+							chall + 
+							"\x00\x00\x00\x00\x00\x00\x00\x00" +
+							[
+								addr_list.length,  # length
+								addr_list.length,  # max length
+								(ptr += win_domain.length) 
+							].pack('vvV') +
+							win_domain + 
+							addr_list
+						)
+					)
+				)	
+			)
+
+		return blob
+	end
+
+	def self.make_ntlmv2_secblob_success
+		blob =
+			"\xa1" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x0a" + self.asn1encode(
+							"\x00"
+						)
+					)
+				)	
+			)
+		return blob
+	end
+	
+	#
+	# Process Type 3 NTLM Message (in Base64)
+	#
+	def self.process_type3_message(message)
+		decode = Rex::Text.decode_base64(message.strip)
+		type = decode[8]
+		if (type == 3)
+			domoff = decode[32]	 # domain offset
+			domlen = decode[28]	 # domain length
+			useroff = decode[40] # username offset
+			userlen = decode[36] # username length
+			hostoff = decode[48] # hostname offset
+			hostlen = decode[44] # hostname length
+			lmoff = decode[16]	 # LM hash offset
+			lmlen = decode[12]	 # LM hash length
+			ntoff = decode[24]	 # NT hash offset
+			ntlen = decode[20]	 # NT hash length
+
+			domain = decode[domoff..domoff+domlen-1]
+			user = decode[useroff..useroff+userlen-1]
+			host = decode[hostoff..hostoff+hostlen-1]
+			lm = decode[lmoff..lmoff+lmlen-1].unpack("H*")
+			nt = decode[ntoff..ntoff+ntlen-1].unpack("H*")
+		
+			return domain, user, host, lm, nt
+		else
+			return "", "", "", "", ""
+		end
+	end
+	
+	#	 
+	# Process Type 1 NTLM Messages, return a Base64 Type 2 Message
+	#
+	def self.process_type1_message(message, nonce = "\x11\x22\x33\x44\x55\x66\x77\x88", win_domain = 'DOMAIN', 
+					win_name = 'SERVER', dns_name = 'server', dns_domain = 'example.com', downgrade = true)
+
+		dns_name = Rex::Text.to_unicode(dns_name + "." + dns_domain)
+		win_domain = Rex::Text.to_unicode(win_domain)
+		dns_domain = Rex::Text.to_unicode(dns_domain)
+		win_name = Rex::Text.to_unicode(win_name)
+		decode = Rex::Text.decode_base64(message.strip)
+
+		type = decode[8]
+
+		if (type == 1)
+			# A type 1 message has been received, lets build a type 2 message response
+
+			reqflags = decode[12..15]
+			reqflags = Integer("0x" + reqflags.unpack("h8").to_s.reverse)
+
+			if (reqflags & CONST::REQUEST_TARGET) == CONST::REQUEST_TARGET
+
+				if (downgrade)
+					# At this time NTLMv2 and signing requirements are not supported
+					if (reqflags & CONST::NEGOTIATE_NTLM2_KEY) == CONST::NEGOTIATE_NTLM2_KEY
+						reqflags = reqflags - CONST::NEGOTIATE_NTLM2_KEY
+					end
+					if (reqflags & CONST::NEGOTIATE_ALWAYS_SIGN) == CONST::NEGOTIATE_ALWAYS_SIGN
+						reqflags = reqflags - CONST::NEGOTIATE_ALWAYS_SIGN
+					end				
+				end
+
+				flags = reqflags + CONST::TARGET_TYPE_DOMAIN + CONST::TARGET_TYPE_SERVER				
+				tid = true
+
+				tidoffset = 48 + win_domain.length
+				tidbuff = 
+					[2].pack('v') +				# tid type, win domain
+					[win_domain.length].pack('v') +
+					win_domain +
+					[1].pack('v') +				# tid type, server name
+					[win_name.length].pack('v') +
+					win_name +
+					[4].pack('v')	+			 # tid type, domain name
+					[dns_domain.length].pack('v') +
+					dns_domain +
+					[3].pack('v')	+			# tid type, dns_name
+					[dns_name.length].pack('v') +
+					dns_name
+			else
+				flags = CONST::NEGOTIATE_UNICODE + CONST::NEGOTIATE_NTLM
+				tid = false
+			end
+
+			type2msg = "NTLMSSP\0" + # protocol, 8 bytes
+				   "\x02\x00\x00\x00"		# type, 4 bytes
+
+			if (tid)
+				type2msg +=	# Target security info, 8 bytes. Filled if REQUEST_TARGET
+				[win_domain.length].pack('v') +	 # Length, 2 bytes
+				[win_domain.length].pack('v')	 # Allocated space, 2 bytes
+			end
+
+			type2msg +="\x30\x00\x00\x00" + #		Offset, 4 bytes
+				 [flags].pack('V') +	# flags, 4 bytes
+				 nonce +		# the nonce, 8 bytes
+			 	 "\x00" * 8		# Context (all 0s), 8 bytes
+
+			if (tid)
+				type2msg +=		# Target information security buffer. Filled if REQUEST_TARGET
+					[tidbuff.length].pack('v') +	# Length, 2 bytes
+					[tidbuff.length].pack('v') +	# Allocated space, 2 bytes
+					[tidoffset].pack('V') +		# Offset, 4 bytes (usually \x48 + length of win_domain)
+					win_domain +			# Target name data (domain in unicode if REQUEST_UNICODE)
+									# Target information data
+					tidbuff +			#	Type, 2 bytes
+									#	Length, 2 bytes
+									#	Data (in unicode if REQUEST_UNICODE)
+					"\x00\x00\x00\x00"		# Terminator, 4 bytes, all \x00
+			end
+
+			type2msg = Rex::Text.encode_base64(type2msg).delete("\n") # base64 encode and remove the returns
+		else
+			# This is not a Type2 message
+			type2msg = ""
+		end
+
+		return type2msg
+	end
+	
+	#
+	# Downgrading Type messages to LMv1/NTLMv1 and removing signing
+	#
+	def self.downgrade_type_message(message)
+		decode = Rex::Text.decode_base64(message.strip)
+
+		type = decode[8]
+
+		if (type > 0 and type < 4)
+			reqflags = decode[12..15] if (type == 1 or type == 3)
+			reqflags = decode[20..23] if (type == 2)
+			reqflags = Integer("0x" + reqflags.unpack("h8").to_s.reverse)
+
+			# Remove NEGOTIATE_NTLMV2_KEY and NEGOTIATE_ALWAYS_SIGN, this lowers the negotiation
+			# down to LMv1/NTLMv1.
+			if (reqflags & CONST::NEGOTIATE_NTLM2_KEY) == CONST::NEGOTIATE_NTLM2_KEY
+				reqflags = reqflags - CONST::NEGOTIATE_NTLM2_KEY
+			end
+			if (reqflags & CONST::NEGOTIATE_ALWAYS_SIGN) == CONST::NEGOTIATE_ALWAYS_SIGN
+				reqflags = reqflags - CONST::NEGOTIATE_ALWAYS_SIGN
+			end				
+			
+			# Return the flags back to the decode so we can base64 it again
+			flags = reqflags.to_s(16)
+			0.upto(8) do |idx|
+				if (idx > flags.length)
+					flags.insert(0, "0")
+				end
+			end
+
+			idx = 0
+			0.upto(3) do |cnt|
+				if (type == 2)
+					decode[23-cnt] = Integer("0x" + flags[idx .. idx + 1])
+				else
+					decode[15-cnt] = Integer("0x" + flags[idx .. idx + 1])
+				end
+				idx += 2
+			end
+			
+		end
+		return Rex::Text.encode_base64(decode).delete("\n") # base64 encode and remove the returns 
+	end
+	
+end
+end
+end
+end