packetgen-plugin-smb 0.3.0 → 0.6.2

data/lib/packetgen-plugin-smb.rb

@@ -1,12 +1,15 @@
+# frozen_string_literal: true
+
 # This file is part of packetgen-plugin-smb.
 # See https://github.com/sdaubert/packetgen-plugin-smb for more informations
 # Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
 # This program is published under MIT license.
 
-# frozen_string_literal: true
-
 require 'packetgen'
 require_relative 'packetgen/plugin/smb_version'
 require_relative 'packetgen/plugin/gssapi'
+require_relative 'packetgen/plugin/netbios'
 require_relative 'packetgen/plugin/smb'
 require_relative 'packetgen/plugin/smb2'
+require_relative 'packetgen/plugin/llmnr'
+require_relative 'packetgen/plugin/ntlm'

data/lib/packetgen/plugin/gssapi.rb

@@ -1,10 +1,10 @@
+# frozen_string_literal: true
+
 # This file is part of packetgen-plugin-smb.
 # See https://github.com/sdaubert/packetgen-plugin-smb for more informations
 # Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
 # This program is published under MIT license.
 
-# frozen_string_literal: true
-
 require 'rasn1'
 
 module PacketGen::Plugin
@@ -75,7 +75,7 @@ module PacketGen::Plugin
                content: [sequence_of(:mech_types, RASN1::Types::ObjectId, explicit: 0, class: :context),
                          bit_string(:req_flags, explicit: 1, class: :context, constructed: true, optional: true),
                          octet_string(:mech_token, explicit: 2, class: :context, constructed: true, optional: true),
-                         octet_string(:mech_list_mic, explicit: 3, class: :context, constructed: true, optional: true)]
+                         any(:mech_list_mic, explicit: 3, class: :context, constructed: true, optional: true)]
     end
 
     # GSS API Negotiation Token Response
@@ -86,7 +86,7 @@ module PacketGen::Plugin
         'accept-incomplete' => 1,
         'reject' => 2,
         'request-mic' => 3
-      }
+      }.freeze
       sequence :token, explicit: 1, class: :context, constructed: true,
                content: [enumerated(:negstate, enum: NEG_STATES, explicit: 0, class: :context, constructed: true, optional: true),
                          objectid(:supported_mech, explicit: 1, class: :context, constructed: true, optional: true),
@@ -101,17 +101,20 @@ module PacketGen::Plugin
                      model(:token_resp, NegTokenResp)]
 
     # @param [Hash] args
-    # @param [Symbol] :type +:init+ or +:response+ to force selection of
+    # @option args [Symbol] :token +:init+ or +:response+ to force selection of
     #  token CHOICE.
     def initialize(args={})
       token = args.delete(:token)
       super
-      self[:gssapi].chosen = (token == :init) ? 0 : 1
+      self[:gssapi].chosen = token == :init ? 0 : 1
     end
+
     # Populate Object from +str+
     # @param [String] str
     # @return [self]
     def read(str)
+      return self if str.nil?
+
       parse!(str, ber: true)
       self
     end
@@ -121,5 +124,7 @@ module PacketGen::Plugin
     def sz
       to_der.size
     end
+
+    alias to_s to_der
   end
 end

data/lib/packetgen/plugin/llmnr.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+# This file is part of packetgen-plugin-smb.
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+module PacketGen::Plugin
+  # Link-Local Multicast Name Resolution (LLMNR) header ({https://tools.ietf.org/html/rfc4795 RFC 4795}).
+  # @author Sylvain Daubert
+  class LLMNR < PacketGen::Header::DNS
+    # UDP port number
+    UDP_PORT = 5355
+    # MAC address used with IPv4 multicast addresses
+    MAC_IPV4_MCAST = '01:00:5e:00:00:fc'
+
+    # @api private
+    # @note This method is used internally by PacketGen and should not be
+    #       directly called
+    def added_to_packet(packet)
+      packet.instance_eval <<-END_OF_DEFINITION
+      def llmnrize(**kwargs)
+        llmnr = headers.find { |hdr| hdr.is_a? PacketGen::Plugin::LLMNR }
+        llmnr.llmnrize(**kwargs)
+      end
+      END_OF_DEFINITION
+    end
+
+    # Fixup IP header according to RFC 4795:
+    # * optionally set destination address,
+    # * set TTL to 1 if destination is a mcast address,
+    # * set MAC destination address to {MAC_IPV4_MCAST} if destination address is a mcast one.
+    # This method may be called as:
+    #    # first way
+    #    pkt.llmnr.llmnrize
+    #    # second way
+    #    pkt.llmnrize
+    # @param [String,nil] dst destination address. May be a dotted IP
+    #   address (by example '224.0.0.252').
+    # @return [void]
+    def llmnrize(dst: nil)
+      ip = ip_header(self)
+      ip.dst = dst unless dst.nil?
+      ip.ttl = 1 if ip[:dst].mcast?
+
+      # rubocop:disable Lint/SuppressedException
+      begin
+        llh = ll_header(self)
+        llh.dst = MAC_IPV4_MCAST if ip[:dst].mcast?
+      rescue PacketGen::FormatError
+      end
+      # rubocop:enable Lint/SuppressedException
+    end
+  end
+  PacketGen::Header.add_class LLMNR
+  PacketGen::Header::UDP.bind LLMNR, sport: LLMNR::UDP_PORT
+  PacketGen::Header::UDP.bind LLMNR, dport: LLMNR::UDP_PORT
+end

data/lib/packetgen/plugin/netbios.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# This file is part of PacketGen
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2016 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+# frozen_string_literal: true
+
+module PacketGen::Plugin
+  # Module to group all NetBIOS headers
+  # @author Sylvain Daubert
+  module NetBIOS
+  end
+end
+
+require_relative 'netbios/name'
+require_relative 'netbios/session'
+require_relative 'netbios/datagram'

data/lib/packetgen/plugin/netbios/datagram.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+# This file is part of PacketGen
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2016 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+module PacketGen::Plugin
+  # Module to group all NetBIOS headers
+  # @author Sylvain Daubert
+  module NetBIOS
+    # NetBIOS Datagram Service messages.
+    # @author Sylvain Daubert
+    class Datagram < PacketGen::Header::Base
+      # Give protocol name
+      # @return [String]
+      def self.protocol_name
+        'NetBIOS::Datagram'
+      end
+
+      # Port number for NetBIOS Session Service over TCP
+      UDP_PORT = 138
+
+      # Datagram packet types
+      TYPES = {
+        'direct_unique' => 0x10,
+        'direct_group' => 0x11,
+        'broadcast' => 0x12,
+        'error' => 0x13,
+        'query_request' => 0x14,
+        'positive_query_resp' => 0x15,
+        'negative_query_resp' => 0x16,
+      }.freeze
+
+      # @!attribute type
+      #  8-bit session packet type
+      #  @return [Integer]
+      define_field :type, PacketGen::Types::Int8Enum, enum: TYPES
+      # @!attribute flags
+      #  8-bit flags
+      #  @return [Integer]
+      define_field :flags, PacketGen::Types::Int8
+      # @!attribute dgm_id
+      #  16-bit next transaction ID for datagrams
+      #  @return [Integer]
+      define_field :dgm_id, PacketGen::Types::Int16
+      # @!attribute src_ip
+      #  Source IP address
+      # @return [IP::Addr]
+      define_field :src_ip, PacketGen::Header::IP::Addr
+      # @!attribute src_port
+      #  Source port
+      # @return [IP::Addr]
+      define_field :src_port, PacketGen::Types::Int16
+      # @!attribute dgm_length
+      #  Length of data + second level of encoded names. Not present in error datagram.
+      # @return [Integer]
+      define_field :dgm_length, PacketGen::Types::Int16, optional: ->(h) { h.type != 0x13 }
+      # @!attribute packet_offset
+      # Not present in error datagram.
+      # @return [Integer]
+      define_field :packet_offset, PacketGen::Types::Int16, optional: ->(h) { h.type != 0x13 }
+      # @!attribute error_code
+      #  Error code. Only present in error datagrams.
+      #  @return [Integer]
+      define_field :error_code, PacketGen::Types::Int16, optional: ->(h) { h.type == 0x13 }
+      # @!attribute src_name
+      #  NetBIOS source name. Only present in direct_unique, direct_group and broadcast datagrams.
+      #  @return []
+      define_field :src_name, Name, default: '', optional: ->(h) { (h.type >= 0x10) && (h.type <= 0x12) }
+      # @!attribute dst_name
+      #  NetBIOS destination name. Present in all but error datagrams.
+      #  @return []
+      define_field :dst_name, Name, default: '', optional: ->(h) { h.type != 0x13 }
+      # @!attribute body
+      #  User data. Ony present in direct_unique, direct_group and broadcast datagrams.
+      #  @return [String]
+      define_field :body, PacketGen::Types::String, optional: ->(h) { (h.type >= 0x10) && (h.type <= 0x12) }
+
+      # @!attribute :rsv
+      #  4-bit rsv field. 4 upper bits of {#flags}
+      #  @return [Integer]
+      # @!attribute :snt
+      #  2-bit SNT (Source end-Node Type) field from {#flags}.
+      #  @return [Integer]
+      # @!attribute f
+      #  First packet flag. If set then this is first
+      #  (and possibly only) fragment of NetBIOS datagram.
+      #  @return [Boolean]
+      # @!attribute m
+      #  More flag. If set then more NetBIOS datagram
+      #  fragments follow.
+      #  @return [Boolean]
+      define_bit_fields_on :flags, :rsv, 4, :snt, 2, :f, :m
+
+      # Compute and set {#dgm_length} field
+      # @return [Integer] calculated length
+      def calc_length
+        length = self[:body].sz
+        length += self[:src_name].sz if present?(:src_name)
+        length += self[:dst_name].sz if present?(:dst_name)
+        self.dgm_length = length
+      end
+    end
+    PacketGen::Header.add_class Datagram
+    PacketGen::Header::UDP.bind Datagram, dport: Datagram::UDP_PORT, sport: Datagram::UDP_PORT
+  end
+end

data/lib/packetgen/plugin/netbios/name.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+# This file is part of PacketGen
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2016 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+module PacketGen::Plugin
+  # Module to group all NetBIOS headers
+  # @author Sylvain Daubert
+  module NetBIOS
+    # NetBIOS Name.
+    # @author Sylvain Daubert
+    class Name < PacketGen::Header::DNS::Name
+      # Size, in bytes, of an encoded NetBIOS name
+      ENCODED_NAME_SIZE = 32
+
+      # Read a NetBIOS name from a string
+      # @param [String] str
+      # @return [Name] self
+      def from_human(str)
+        clear
+        return self if str.nil?
+
+        encoded_name = encode_name(str)
+        super(encoded_name)
+      end
+
+      # Get a human readable string
+      # @return [String]
+      def to_human
+        encoded_name = super
+        decode_name(encoded_name)
+      end
+
+      private
+
+      def encode_name(name)
+        basename, *scope_id = name.split('.')
+        basename = '' if basename.nil?
+        scope_id = scope_id.join('.')
+        encoded_name = +''
+        basename.each_byte do |byte|
+          a = (byte >> 4) + 0x41
+          b = (byte & 0xf) + 0x41
+          encoded_name << [a, b].pack('C2')
+        end
+        encoded_name << 'CA' * ((ENCODED_NAME_SIZE - encoded_name.size) / 2) if encoded_name.size < ENCODED_NAME_SIZE
+        encoded_name << ".#{scope_id}" if scope_id
+        encoded_name
+      end
+
+      def decode_name(encoded_name)
+        name = +''
+        encoded_name.partition('.').first.scan(/../).map do |duo|
+          a = (duo[0].ord - 0x41) & 0xf
+          b = (duo[1].ord - 0x41) & 0xf
+          name << (a << 4 | b).chr
+        end
+        name.strip
+      end
+    end
+  end
+end

data/lib/packetgen/plugin/netbios/session.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+# This file is part of PacketGen
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2016 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+module PacketGen::Plugin
+  # Module to group all NetBIOS headers
+  # @author Sylvain Daubert
+  module NetBIOS
+    # NetBIOS Session Service messages.
+    # @author Sylvain Daubert
+    class Session < PacketGen::Header::Base
+      # Give protocol name
+      # @return [String]
+      def self.protocol_name
+        'NetBIOS::Session'
+      end
+
+      # Port number for NetBIOS Session Service over TCP
+      TCP_PORT = 139
+      # Port number for NetBIOS Session Service over TCP (mainly used yb {SMB2})
+      TCP_PORT2 = 445
+
+      # Session packet types
+      TYPES = {
+        'message' => 0,
+        'request' => 0x81,
+        'positive_response' => 0x82,
+        'negative_response' => 0x83,
+        'retarget_response' => 0x84,
+        'keep_alive' => 0x85,
+      }.freeze
+
+      # @!attribute type
+      #  8-bit session packet type
+      #  @return [Integer]
+      define_field :type, PacketGen::Types::Int8Enum, enum: TYPES
+      # @!attribute length
+      #  17-bit session packet length
+      #  @return [Integer]
+      define_field :length, PacketGen::Types::Int24
+      # @!attribute body
+      #  @return [String]
+      define_field :body, PacketGen::Types::String
+
+      # Compute and set {#length} field
+      # @return [Integer] calculated length
+      def calc_length
+        PacketGen::Header::Base.calculate_and_set_length(self, header_in_size: false)
+      end
+
+      # @api private
+      # @note This method is used internally by PacketGen and should not be
+      #       directly called
+      # @since 2.7.0 Set TCP sport according to bindings, only if sport is 0.
+      #  Needed by new bind API.
+      def added_to_packet(packet)
+        return unless packet.is? 'TCP'
+        return unless packet.tcp.sport.zero?
+
+        packet.tcp.sport = TCP_PORT
+      end
+    end
+    PacketGen::Header.add_class Session
+    PacketGen::Header::TCP.bind Session, dport: Session::TCP_PORT
+    PacketGen::Header::TCP.bind Session, sport: Session::TCP_PORT
+    PacketGen::Header::TCP.bind Session, dport: Session::TCP_PORT2
+    PacketGen::Header::TCP.bind Session, sport: Session::TCP_PORT2
+  end
+end

data/lib/packetgen/plugin/ntlm.rb

@@ -0,0 +1,211 @@
+# frozen_string_literal: true
+
+# This file is part of packetgen-plugin-smb.
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+module PacketGen::Plugin
+  # Base class for NTLM authentication protocol.
+  # @author Sylvain Daubert
+  class NTLM < PacketGen::Types::Fields
+    # NTLM message types
+    TYPES = {
+      'negotiate' => 1,
+      'challenge' => 2,
+      'authenticate' => 3
+    }.freeze
+
+    # NTLM signature
+    SIGNATURE = "NTLMSSP\0"
+
+    # void version
+    VOID_VERSION = [0].pack('q').freeze
+    VOID_CHALLENGE = VOID_VERSION
+
+    # @!attribute signature
+    #  8-byte NTLM signature
+    #  @return [String]
+    define_field :signature, PacketGen::Types::String, static_length: 8, default: SIGNATURE
+    # @!attribute type
+    #  4-byte message type
+    #  @return [Integer]
+    define_field :type, PacketGen::Types::Int32leEnum, enum: TYPES
+    # @!attribute payload
+    #  @return [String]
+    define_field :payload, PacketGen::Types::String
+
+    class <<self
+      # @api private
+      # Return fields defined in payload one.
+      # @return [Hash]
+      attr_accessor :payload_fields
+
+      # Create a NTLM object from a binary string
+      # @param [String] str
+      # @return [NTLM]
+      def read(str)
+        ntlm = self.new.read(str)
+        type = TYPES.key(ntlm.type)
+        return ntlm if type.nil?
+
+        klass = NTLM.const_get(type.capitalize)
+        klass.new.read(str)
+      end
+
+      # Define a flags field.
+      # @return [void]
+      def define_negotiate_flags
+        define_field_before :payload, :flags, PacketGen::Types::Int32le
+        define_bit_fields_on :flags, :flags_w, :flags_v, :flags_u, :flags_r13, 3,
+                             :flags_t, :flags_r4, :flags_s, :flags_r,
+                             :flags_r5, :flags_q, :flags_p, :flags_r6,
+                             :flags_o, :flags_n, :flags_m, :flags_r7,
+                             :flags_l, :flags_k, :flags_j, :flags_r8,
+                             :flags_h, :flags_r9, :flags_g, :flags_f,
+                             :flags_e, :flags_d, :flags_r10, :flags_c,
+                             :flags_b, :flags_a
+        alias_method :nego56?, :flags_w?
+        alias_method :key_exch?, :flags_v?
+        alias_method :nego128?, :flags_u?
+        alias_method :version?, :flags_t?
+        alias_method :target_info?, :flags_s?
+        alias_method :non_nt_session_key?, :flags_r?
+        alias_method :identify?, :flags_q?
+        alias_method :ext_session_security?, :flags_p?
+        alias_method :target_type_server?, :flags_o?
+        alias_method :target_type_domain?, :flags_n?
+        alias_method :always_sign?, :flags_m?
+        alias_method :oem_workstation_supplied?, :flags_l?
+        alias_method :oem_domain_supplied?, :flags_k?
+        alias_method :anonymous?, :flags_j?
+        alias_method :ntlm?, :flags_h?
+        alias_method :lm_key?, :flags_g?
+        alias_method :datagram?, :flags_f?
+        alias_method :seal?, :flags_e?
+        alias_method :sign?, :flags_d?
+        alias_method :request_target?, :flags_c?
+        alias_method :oem?, :flags_b?
+        alias_method :unicode?, :flags_a?
+        alias_method :old_flags_a=, :flags_a=
+        alias_method :old_flags=, :flags=
+
+        class_eval do
+          def flags_a=(value)
+            self.old_flags_a = value
+            self.class.payload_fields.each do |name, _|
+              attr = send(name)
+              attr.unicode = value if attr.respond_to?(:unicode=)
+            end
+
+            value
+          end
+
+          def flags=(value)
+            self.old_flags = value
+            self.flags_a = value & 1
+          end
+        end
+      end
+
+      # Define a field in payload. Also add +name_len+, +name_maxlen+ and
+      # +name_offset+ fields.
+      # @param [Symbol] name name of field.
+      # @param [Class,nil] type type of +name+ field.
+      # @param [Hash] options type's options needed at build time
+      # @return [void]
+      def define_in_payload(name, type=SMB::String, options={})
+        @payload_fields ||= {}
+        @payload_fields[name] = [type, options]
+
+        define_field_before :payload, :"#{name}_len", PacketGen::Types::Int16le
+        define_field_before :payload, :"#{name}_maxlen", PacketGen::Types::Int16le
+        define_field_before :payload, :"#{name}_offset", PacketGen::Types::Int32le
+
+        attr_accessor name
+      end
+    end
+
+    # @abstract This method is meaningful for {NTLM} subclasses only.
+    def initialize(options={})
+      super
+      return if self.class.payload_fields.nil?
+
+      self.class.payload_fields.each do |name, type_and_opt|
+        type, options = type_and_opt
+        content = if type.new.respond_to?(:unicode?)
+                    type.new(options.merge(unicode: unicode?))
+                  else
+                    type.new(options)
+                  end
+        send(:"#{name}=", content)
+      end
+    end
+
+    # @abstract This class is meaningful for {NTLM} subclasses only.
+    # Populate object from a binary string
+    # @param [String] str
+    # @return [self]
+    def read(str)
+      super
+      return self if self.class.payload_fields.nil?
+
+      self.class.payload_fields.each do |name, type_and_opt|
+        type, options = type_and_opt
+        offset_in_payload = send(:"#{name}_offset") - offset_of(:payload)
+        length = send(:"#{name}_len")
+        content = if type.new.respond_to?(:unicode?)
+                    type.new(options.merge(unicode: unicode?))
+                  else
+                    type.new(options)
+                  end
+        content.read(payload[offset_in_payload, length]) if length.positive?
+        send(:"#{name}=", content)
+      end
+
+      self
+    end
+
+    # @abstract This class is meaningful for {NTLM} subclasses only.
+    # Calculate and set +len+, +maxlen+ and +offset+ fields defined for
+    # fields in {#payload}.
+    # @return [void]
+    def calc_length
+      return self if self.class.payload_fields.nil?
+
+      previous_len = 0
+      self.class.payload_fields.each do |name, _type_and_opt|
+        send(:"#{name}_len=", 0)
+        send(:"#{name}_offset=", offset_of(:payload) + previous_len)
+
+        field = send(name)
+        next unless field && !field.empty?
+
+        length = field.respond_to?(:sz) ? field.sz : field.size
+        send(:"#{name}_len=", length)
+        send(:"#{name}_maxlen=", length)
+        previous_len = length
+      end
+    end
+
+    # @abstract This class is meaningful for {NTLM} subclasses only.
+    # @return [String]
+    def to_s
+      s = super
+      return s if self.class.payload_fields.nil?
+
+      self.class.payload_fields.each do |name, _type_and_opt|
+        attr = send(name)
+        attr.unicode = unicode? if attr.respond_to?(:unicode=)
+        s << attr.to_s unless attr.nil? || send("#{name}_len").zero?
+      end
+      s
+    end
+  end
+end
+
+require_relative 'ntlm/av_pair'
+require_relative 'ntlm/ntlmv2_response'
+require_relative 'ntlm/negotiate'
+require_relative 'ntlm/challenge'
+require_relative 'ntlm/authenticate'