RubyGems - packetgen-plugin-smb - Versions diffs - 0.5.0 → 0.6.0 - Mend

packetgen-plugin-smb 0.5.0 → 0.6.0

Files changed (22) hide show

checksums.yaml +4 -4
data/.travis.yml +3 -3
data/README.md +2 -1
data/examples/llmnr-responder +110 -0
data/examples/smb-responder +233 -0
data/lib/packetgen-plugin-smb.rb +1 -0
data/lib/packetgen/plugin/gssapi.rb +1 -1
data/lib/packetgen/plugin/ntlm.rb +211 -0
data/lib/packetgen/plugin/ntlm/authenticate.rb +197 -0
data/lib/packetgen/plugin/ntlm/av_pair.rb +117 -0
data/lib/packetgen/plugin/ntlm/challenge.rb +140 -0
data/lib/packetgen/plugin/ntlm/negotiate.rb +127 -0
data/lib/packetgen/plugin/ntlm/ntlmv2_response.rb +59 -0
data/lib/packetgen/plugin/smb/filetime.rb +6 -0
data/lib/packetgen/plugin/smb/negotiate/response.rb +1 -1
data/lib/packetgen/plugin/smb/string.rb +28 -3
data/lib/packetgen/plugin/smb2/negotiate/response.rb +5 -1
data/lib/packetgen/plugin/smb2/session_setup/request.rb +5 -1
data/lib/packetgen/plugin/smb2/session_setup/response.rb +5 -1
data/lib/packetgen/plugin/smb_version.rb +1 -1
data/packetgen-plugin-smb.gemspec +8 -3
metadata +17 -9

data/lib/packetgen/plugin/ntlm/authenticate.rb ADDED

@@ -0,0 +1,197 @@
+# This file is part of packetgen-plugin-smb.
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+# frozen_string_literal: true
+module PacketGen::Plugin
+  class NTLM
+    # NTLM Challenge message
+    # @author Sylvain Daubert
+    class Authenticate < NTLM
+      # void MIC
+      VOID_MIC = ([0] * 16).pack('C').freeze
+      update_field :type, default: NTLM::TYPES['authenticate']
+      # @!attribute lm_response
+      #   A LM_RESPONSE or LMV2_RESPONSE structure that contains the computed
+      #   LM response to the challenge.
+      #   @return [PacketGen::Types::String]
+      # @!attribute lm_response_len
+      #   16-bit unsigned integer that defines the size in bytes of
+      #   {#lm_response} in {#payload}.
+      #   @return [Integer]
+      # @!attribute lm_response_maxlen
+      #   16-bit unsigned integer that should be equal to {#lm_response_len}.
+      #   @return [Integer]
+      # @!attribute lm_response_offset
+      #   A 32-bit unsigned integer that defines the offset, in bytes, from
+      #   the beginning of the AUTHENTICATE MESSAGE to {#lm_response} in {#payload}.
+      #   @return [Integer]
+      define_in_payload :lm_response, PacketGen::Types::String
+      # @!attribute nt_response
+      #   A NTLM_RESPONSE or NTLMV2_RESPONSE structure that contains the computed
+      #   NT response to the challenge.
+      #   @return [Ntlmv2Response]
+      # @!attribute nt_response_len
+      #   16-bit unsigned integer that defines the size in bytes of
+      #   {#nt_response} in {#payload}.
+      #   @return [Integer]
+      # @!attribute nt_response_maxlen
+      #   16-bit unsigned integer that should be equal to {#nt_response_len}.
+      #   @return [Integer]
+      # @!attribute nt_response_offset
+      #   A 32-bit unsigned integer that defines the offset, in bytes, from
+      #   the beginning of the AUTHENTICATE MESSAGE to {#nt_response} in {#payload}.
+      #   @return [Integer]
+      define_in_payload :nt_response, Ntlmv2Response
+      # @!attribute domain_name
+      #  Name of the client authentication domain.
+      #  @return [SMB::String]
+      # @!attribute domain_name_len
+      #  2-byte {#domain_name} length
+      #  @return [Integer]
+      # @!attribute domain_name_maxlen
+      #  2-byte {#domain_name} max length. Should be equal to {#domain_name_len}.
+      #  @return [Integer]
+      # @!attribute domain_name_offset
+      #  4-byte {#domain_name} offset from  the beginning of the AUTHENTICATE
+      #  MESSAGE in {#payload}
+      #  @return [Integer]
+      define_in_payload :domain_name, SMB::String, null_terminated: false
+      # @!attribute user_name
+      #  Name of the user to be authenticated.
+      #  @return [SMB::String]
+      # @!attribute user_name_len
+      #  2-byte {#user_name} length
+      #  @return [Integer]
+      # @!attribute user_name_maxlen
+      #  2-byte {#user_name} max length. Should be equal to {#user_name_len}.
+      #  @return [Integer]
+      # @!attribute user_name_offset
+      #  4-byte {#user_name} offset from  the beginning of the AUTHENTICATE
+      #  MESSAGE in {#payload}
+      #  @return [Integer]
+      define_in_payload :user_name, SMB::String, null_terminated: false
+      # @!attribute workstation
+      #  Name of the client machine.
+      #  @return [SMB::String]
+      # @!attribute workstation_len
+      #  2-byte {#workstation} length
+      #  @return [Integer]
+      # @!attribute workstation_maxlen
+      #  2-byte {#workstation} max length. Should be equal to {#workstation_len}.
+      #  @return [Integer]
+      # @!attribute workstation_offset
+      #  4-byte {#workstation} offset from  the beginning of the AUTHENTICATE
+      #  MESSAGE in {#payload}
+      #  @return [Integer]
+      define_in_payload :workstation, SMB::String, null_terminated: false
+      # @!attribute session_key
+      #  The client's encrypted random session key. On
+      #  @return [PacketGen::Types::String]
+      # @!attribute session_key_len
+      #  2-byte {#session_key} length
+      #  @return [Integer]
+      # @!attribute session_key_maxlen
+      #  2-byte {#session_key} max length. Should be equal to {#session_key_len}.
+      #  @return [Integer]
+      # @!attribute session_key_offset
+      #  4-byte {#session_key} offset from  the beginning of the AUTHENTICATE
+      #  MESSAGE in {#payload}.
+      #  @return [Integer]
+      define_in_payload :session_key, PacketGen::Types::String
+      # @!attribute flags
+      #   Negotiate flags
+      #   @return [Integer]
+      # @!group Negotiate flags
+      # @!attribute nego56?
+      #   Also known as +flags_w?+.
+      #   @return [Boolean]
+      # @!attribute key_exch?
+      #   Also known as +flags_v?+
+      #   @return [Boolean]
+      # @!attribute nego128?
+      #   Also known as +flags_u?+
+      #   @return [Boolean]
+      # @!attribute version?
+      #   Also known as +flags_t+
+      #   @return [Integer]
+      # @!attribute target_info?
+      #   Also known as +flags_s?+
+      #   @return [Boolean]
+      # @!attribute non_nt_session_key?
+      #   Also known as +flags_r?+
+      #   @return [Boolean]
+      # @!attribute identify?
+      #   Also known as +flags_q+
+      #   @return [Boolean]
+      # @!attribute ext_session_security?
+      #   Also known as +flags_p?+
+      #   @return [Boolean]
+      # @!attribute target_type_server?
+      #   Also known as +flags_o?+
+      #   @return [Boolean]
+      # @!attribute target_type_domain?
+      #   Also known as +flags_n?+
+      #   @return [Boolean]
+      # @!attribute always_sign?
+      #   Also known as +flags_m?+
+      #   @return [Boolean]
+      # @!attribute oem_target_info_supplied?
+      #   Also known as +flags_l?+
+      #   @return [Boolean]
+      # @!attribute oem_domain_supplied?
+      #   Also known as +flags_k?+
+      #   @return [Boolean]
+      # @!attribute anonymous?
+      #   Also known as +flags_j?+
+      #   @return [Boolean]
+      # @!attribute ntlm?
+      #   Also known as +flags_h?+
+      #   @return [Boolean]
+      # @!attribute lm_key?
+      #   Also known as +flags_g?+
+      #   @return [Boolean]
+      # @!attribute datagram?
+      #   Also known as +flags_f?+
+      #   @return [Boolean]
+      # @!attribute seal?
+      #   Also known as +flags_e?+
+      #   @return [Boolean]
+      # @!attribute sign?
+      #   Also known as +flags_d?+
+      #   @return [Boolean]
+      # @!attribute request_target?
+      #   Also known as +flags_c?+
+      #   @return [Boolean]
+      # @!attribute oem?
+      #   Also known as +flags_b?+
+      #   @return [Boolean]
+      # @!attribute unicode?
+      #   Also known as +flags_a?+
+      #   @return [Boolean]
+      define_negotiate_flags
+      # @!endgroup Negotiate flags
+      # @!attribute version
+      #  8-byte version information
+      #  @return [String]
+      define_field_before :payload, :version, PacketGen::Types::String, static_length: 8, default: VOID_VERSION
+      # @!attribute mic
+      #  16-byte message integrity code
+      #  @return [String]
+      define_field_before :payload, :mic, PacketGen::Types::String, static_length: 16, default: VOID_MIC
+    end
+  end
+end

data/lib/packetgen/plugin/ntlm/av_pair.rb ADDED

@@ -0,0 +1,117 @@
+# This file is part of packetgen-plugin-smb.
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+# frozen_string_literal: true
+module PacketGen::Plugin
+  class NTLM
+    # Known AvPair IDs
+    AVPAIR_TYPES = {
+      'EOL' => 0,
+      'ComputerName' => 1,
+      'DomainName' => 2,
+      'DnsComputerName' => 3,
+      'DnsDomainName' => 4,
+      'DnsTreeName' => 5,
+      'Flags' => 6,
+      'Timestamp' => 7,
+      'SingleHost' => 8,
+      'TargetName' => 9,
+      'ChannelBindings' => 10
+    }.freeze
+    # AVPAIR structure, with value of type {SMB::String}.
+    AvPair = PacketGen::Types::AbstractTLV.create(type_class: PacketGen::Types::Int16leEnum,
+                                                  length_class: PacketGen::Types::Int16le,
+                                                  value_class: SMB::String)
+    AvPair.define_type_enum AVPAIR_TYPES
+    class AvPair
+      def initialize(options={})
+        super
+        self[:value] = self[:value].class.new(null_terminated: false).read(self.value)
+      end
+    end
+    # EOL AVPAIR structure, with no value
+    EOLAvPair = PacketGen::Types::AbstractTLV.create(type_class: PacketGen::Types::Int16leEnum,
+                                                     length_class: PacketGen::Types::Int16le)
+    EOLAvPair.define_type_enum AVPAIR_TYPES
+    # Timestamp AVPAIR structure, with value of type {SMB::Filetime}.
+    TimestampAvPair = PacketGen::Types::AbstractTLV.create(type_class: PacketGen::Types::Int16leEnum,
+                                                           length_class: PacketGen::Types::Int16le,
+                                                           value_class: SMB::Filetime)
+    TimestampAvPair.define_type_enum AVPAIR_TYPES
+    # Int32le AVPAIR structure, with value a {PacketGen::Types::Int32le}.
+    Int32leAvPair = PacketGen::Types::AbstractTLV.create(type_class: PacketGen::Types::Int16leEnum,
+                                                         length_class: PacketGen::Types::Int16le,
+                                                         value_class: PacketGen::Types::Int32le)
+    Int32leAvPair.define_type_enum AVPAIR_TYPES
+    # String AVPAIR structure, with value a {PacketGen::Types::String}.
+    StringAvPair = PacketGen::Types::AbstractTLV.create(type_class: PacketGen::Types::Int16leEnum,
+                                                        length_class: PacketGen::Types::Int16le,
+                                                        value_class: PacketGen::Types::String)
+    StringAvPair.define_type_enum AVPAIR_TYPES
+    # Specialized array containing {AvPair AvPairs}.
+    class ArrayOfAvPair < PacketGen::Types::Array
+      set_of AvPair
+      # Get unicode property
+      # @return [Boolean]
+      def unicode
+        @unicode
+      end
+      alias unicode? unicode
+      # Set unicode property
+      # @param [Boolean] unicode
+      # @return [Boolean]
+      def unicode=(unicode)
+        @unicode = unicode
+        each { |avpair| avpair.value.unicode = unicode if avpair.value.respond_to? :unicode= }
+        unicode
+      end
+      # @return [String]
+      def to_s
+        self.unicode = unicode
+        super
+      end
+      private
+      def record_from_hash(hsh)
+        obj = AvPair.new(type: hsh[:type])
+        klass = real_type(obj)
+        avpair = klass.new
+        avpair.type = hsh[:type]
+        avpair[:value].unicode = unicode? if avpair[:value].respond_to?(:unicode=)
+        avpair[:value].read(hsh[:value])
+        avpair.length = hsh[:length] || avpair[:value].sz
+        avpair
+      end
+      def real_type(obj)
+        case obj.type
+        when AVPAIR_TYPES['EOL']
+          EOLAvPair
+        when AVPAIR_TYPES['Timestamp']
+          TimestampAvPair
+        when AVPAIR_TYPES['Flags']
+          Int32leAvPair
+        when AVPAIR_TYPES['SingleHost'], AVPAIR_TYPES['ChannelBindings']
+          StringAvPair
+        else
+          AvPair
+        end
+      end
+    end
+  end
+end

data/lib/packetgen/plugin/ntlm/challenge.rb ADDED

@@ -0,0 +1,140 @@
+# This file is part of packetgen-plugin-smb.
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+# frozen_string_literal: true
+module PacketGen::Plugin
+  class NTLM
+    # NTLM Challenge message
+    # @author Sylvain Daubert
+    class Challenge < NTLM
+      update_field :type, default: NTLM::TYPES['challenge']
+      # @!attribute target_name
+      #   Name of the server authentication realm. Must be expressed in the
+      #   negotiated character set.
+      #   @return [SMB::String]
+      # @!attribute target_name_len
+      #   16-bit unsigned integer that defines the size in bytes of
+      #   {#target_name} in {#payload}. This field is set only if {#request_target?}
+      #   is set.
+      #   @return [Integer]
+      # @!attribute target_name_maxlen
+      #   16-bit unsigned integer that should be equal to {#target_name_len}.
+      #   @return [Integer]
+      # @!attribute target_name_offset
+      #   A 32-bit unsigned integer that defines the offset, in bytes, from
+      #   the beginning of the CHALLENGE MESSAGE to {#target_name} in {#payload}.
+      #   This field is set only if {#request_target?} is set.
+      #   @return [Integer]
+      define_in_payload :target_name, SMB::String, null_terminated: false
+      # @!attribute flags
+      #   Negotiate flags
+      #   @return [Integer]
+      # @!group Negotiate flags
+      # @!attribute nego56?
+      #   Also known as +flags_w?+.
+      #   @return [Boolean]
+      # @!attribute key_exch?
+      #   Also known as +flags_v?+
+      #   @return [Boolean]
+      # @!attribute nego128?
+      #   Also known as +flags_u?+
+      #   @return [Boolean]
+      # @!attribute version?
+      #   Also known as +flags_t+
+      #   @return [Integer]
+      # @!attribute target_info?
+      #   Also known as +flags_s?+
+      #   @return [Boolean]
+      # @!attribute non_nt_session_key?
+      #   Also known as +flags_r?+
+      #   @return [Boolean]
+      # @!attribute identify?
+      #   Also known as +flags_q+
+      #   @return [Boolean]
+      # @!attribute ext_session_security?
+      #   Also known as +flags_p?+
+      #   @return [Boolean]
+      # @!attribute target_type_server?
+      #   Also known as +flags_o?+
+      #   @return [Boolean]
+      # @!attribute target_type_domain?
+      #   Also known as +flags_n?+
+      #   @return [Boolean]
+      # @!attribute always_sign?
+      #   Also known as +flags_m?+
+      #   @return [Boolean]
+      # @!attribute oem_target_info_supplied?
+      #   Also known as +flags_l?+
+      #   @return [Boolean]
+      # @!attribute oem_domain_supplied?
+      #   Also known as +flags_k?+
+      #   @return [Boolean]
+      # @!attribute anonymous?
+      #   Also known as +flags_j?+
+      #   @return [Boolean]
+      # @!attribute ntlm?
+      #   Also known as +flags_h?+
+      #   @return [Boolean]
+      # @!attribute lm_key?
+      #   Also known as +flags_g?+
+      #   @return [Boolean]
+      # @!attribute datagram?
+      #   Also known as +flags_f?+
+      #   @return [Boolean]
+      # @!attribute seal?
+      #   Also known as +flags_e?+
+      #   @return [Boolean]
+      # @!attribute sign?
+      #   Also known as +flags_d?+
+      #   @return [Boolean]
+      # @!attribute request_target?
+      #   Also known as +flags_c?+
+      #   @return [Boolean]
+      # @!attribute oem?
+      #   Also known as +flags_b?+
+      #   @return [Boolean]
+      # @!attribute unicode?
+      #   Also known as +flags_a?+
+      #   @return [Boolean]
+      define_negotiate_flags
+      # @!endgroup Negotiate flags
+      # @!attribute challenge
+      #   64-bit value containing the NTLM challenge.
+      #   @return [String]
+      define_field_before :payload, :challenge, PacketGen::Types::String, static_length: 8, default: VOID_CHALLENGE
+      # @!attribute reserved
+      #   64-bit reserved field
+      #   @return [Integer]
+      define_field_before :payload, :reserved, PacketGen::Types::Int64le
+      # @!attribute target_info
+      #   @return [ArrayOfAvPair]
+      # @!attribute target_info_len
+      #   16-bit unsigned integer that defines the size in bytes of
+      #   {#target_info} in {#payload}. This field is set only if {#target_info?}
+      #   is set.
+      #   @return [Integer]
+      # @!attribute target_info_maxlen
+      #   16-bit unsigned integer that should be equal to {#target_info_len}.
+      #   @return [Integer]
+      # @!attribute target_info_offset
+      #   A 32-bit unsigned integer that defines the offset, in bytes, from
+      #   the beginning of the CHALLENGE MESSAGE to {#target_info} in {#payload}.
+      #   This field is set only if {#target_info?} is set.
+      #   @return [Integer]
+      define_in_payload :target_info, ArrayOfAvPair
+      # @!attribute version
+      #  8-byte version information
+      #  @return [String]
+      define_field_before :payload, :version, PacketGen::Types::String, static_length: 8, default: VOID_VERSION
+    end
+  end
+end