ruby_smb 0.0.18 → 0.0.19

data/examples/negotiate.rb

@@ -7,7 +7,6 @@
 require 'bundler/setup'
 require 'ruby_smb'
 
-
 def run_negotiation(address, smb1, smb2)
   # Create our socket and add it to the dispatcher
   sock = TCPSocket.new address, 445

data/examples/negotiate_with_netbios_service.rb

@@ -0,0 +1,36 @@
+#!/usr/bin/ruby
+
+# This script is for testing the NetBIOS Session Service Request on port 139/tcp.
+# Example usage: ruby negotiate.rb 192.168.172.138 NBNAME
+# This will connect to 192.168.172.138 (139/TCP) and request a NetBIOS session with NBNAME as the called name. 
+# If successful, a SMB negotiation is performed using this NetBIOS session.
+# The default *SMBSERVER name is used if the NetBIOS name is not provided.
+
+require 'bundler/setup'
+require 'ruby_smb'
+
+def run_negotiation(address, smb1, smb2, netbios_name)
+  sock = TCPSocket.new address, 139
+  dispatcher = RubySMB::Dispatcher::Socket.new(sock)
+
+  client = RubySMB::Client.new(dispatcher, smb1: smb1, smb2: smb2, username: 'msfadmin', password: 'msfadmin')
+  begin
+    client.session_request(netbios_name)
+  rescue RubySMB::Error::NetBiosSessionService => e
+    puts "NetBIOS Session refused with #{netbios_name}: #{e.message}"
+    return
+  end
+  puts "NetBIOS Session granted with #{netbios_name}, negotiating..."
+  smb_version = client.negotiate
+  puts "#{smb_version} successfully negotiated."
+end
+
+address      = ARGV[0]
+netbios_name = ARGV[1] || '*SMBSERVER'
+
+# Negotiate with both SMB1 and SMB2 enabled on the client
+run_negotiation(ARGV[0], true, true, netbios_name)
+# Negotiate with only SMB1 enabled
+run_negotiation(ARGV[0], true, false, netbios_name)
+# Negotiate with only SMB2 enabled
+run_negotiation(ARGV[0], false, true, netbios_name)

data/examples/net_share_enum_all.rb

@@ -0,0 +1,30 @@
+#!/usr/bin/ruby
+
+# This example script is used for testing NetShareEnumAll functionality
+# It will attempt to connect to a host and enumerate shares.
+# Example usage: ruby net_share_enum_all.rb 192.168.172.138 msfadmin msfadmin
+# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin credentials
+
+require 'bundler/setup'
+require 'ruby_smb'
+
+address  = ARGV[0]
+username = ARGV[1]
+password = ARGV[2]
+path     = "\\\\#{address}\\IPC$"
+
+sock = TCPSocket.new address, 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock, read_timeout: 60)
+
+client = RubySMB::Client.new(dispatcher, smb1: false, smb2: true, username: username, password: password)
+protocol = client.negotiate
+status = client.authenticate
+
+puts "#{protocol} : #{status}"
+
+begin
+  shares = client.net_share_enum_all(address)
+  puts shares
+rescue => e
+  puts "failed to enum shares: #{e.message}, #{e.backtrace_locations}"
+end

data/examples/read_file.rb

@@ -0,0 +1,39 @@
+#!/usr/bin/ruby
+
+# This example script is used for testing the reading of a file.
+# It will attempt to connect to a specific share and then read a specified file.
+# Example usage: ruby read_file.rb 192.168.172.138 msfadmin msfadmin TEST_SHARE short.txt
+# This will try to connect to \\192.168.172.138\TEST_SHARE with the msfadmin:msfadmin credentials
+# and read the file short.txt
+
+require 'bundler/setup'
+require 'ruby_smb'
+
+address  = ARGV[0]
+username = ARGV[1]
+password = ARGV[2]
+share    = ARGV[3]
+file     = ARGV[4]
+path     = "\\\\#{address}\\#{share}"
+
+sock = TCPSocket.new address, 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock)
+
+client = RubySMB::Client.new(dispatcher, smb1: true, smb2: true, username: username, password: password)
+protocol = client.negotiate
+status = client.authenticate
+
+puts "#{protocol} : #{status}"
+
+begin
+  tree = client.tree_connect(path)
+  puts "Connected to #{path} successfully!"
+rescue StandardError => e
+  puts "Failed to connect to #{path}: #{e.message}"
+end
+
+file = tree.open_file(filename: file)
+
+data = file.read
+puts data
+file.close

data/examples/rename_file.rb

@@ -0,0 +1,41 @@
+#!/usr/bin/ruby
+
+# This example script is used for testing the deleting of a file.
+# It will attempt to connect to a specific share and then rename a specified file.
+# Example usage: ruby rename_file.rb 192.168.172.138 msfadmin msfadmin TEST_SHARE short.txt shortrenamed.txt
+# This will try to connect to \\192.168.172.138\TEST_SHARE with the msfadmin:msfadmin credentials
+# and rename the file short.txt
+
+require 'bundler/setup'
+require 'ruby_smb'
+
+address  = ARGV[0]
+username = ARGV[1]
+password = ARGV[2]
+share    = ARGV[3]
+file     = ARGV[4]
+new_name = ARGV[5]
+path     = "\\\\#{address}\\#{share}"
+
+sock = TCPSocket.new address, 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock)
+
+client = RubySMB::Client.new(dispatcher, smb1: true, smb2: true, username: username, password: password)
+
+protocol = client.negotiate
+status = client.authenticate
+
+puts "#{protocol} : #{status}"
+
+begin
+  tree = client.tree_connect(path)
+  puts "Connected to #{path} successfully!"
+rescue StandardError => e
+  puts "Failed to connect to #{path}: #{e.message}"
+end
+
+file = tree.open_file(filename: file, write: true, delete: true)
+
+data = file.rename(new_name)
+puts data
+file.close

data/examples/tree_connect.rb

@@ -19,7 +19,7 @@ dispatcher = RubySMB::Dispatcher::Socket.new(sock)
 
 client = RubySMB::Client.new(dispatcher, smb1: true, smb2: true, username: username, password: password)
 protocol = client.negotiate
-status  = client.authenticate
+status = client.authenticate
 
 puts "#{protocol} : #{status}"
 
@@ -27,8 +27,6 @@ begin
   tree = client.tree_connect(path)
   puts "Connected to #{path} successfully!"
   tree.disconnect!
-rescue Exception => e
+rescue StandardError => e
   puts "Failed to connect to #{path}: #{e.message}"
 end
-
-

data/examples/write_file.rb

@@ -0,0 +1,40 @@
+#!/usr/bin/ruby
+
+# This example script is used for testing the writing to a file.
+# It will attempt to connect to a specific share and then write to a specified file.
+# Example usage: ruby write_file.rb 192.168.172.138 msfadmin msfadmin TEST_SHARE test.txt "data to write"
+# This will try to connect to \\192.168.172.138\TEST_SHARE with the msfadmin:msfadmin credentials
+# and write "data to write" the file test.txt
+
+require 'bundler/setup'
+require 'ruby_smb'
+
+address  = ARGV[0]
+username = ARGV[1]
+password = ARGV[2]
+share    = ARGV[3]
+file     = ARGV[4]
+data     = ARGV[5]
+path     = "\\\\#{address}\\#{share}"
+
+sock = TCPSocket.new address, 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock)
+
+client = RubySMB::Client.new(dispatcher, smb1: true, smb2: true, username: username, password: password)
+protocol = client.negotiate
+status = client.authenticate
+
+puts "#{protocol} : #{status}"
+
+begin
+  tree = client.tree_connect(path)
+  puts "Connected to #{path} successfully!"
+rescue StandardError => e
+  puts "Failed to connect to #{path}: #{e.message}"
+end
+
+file = tree.open_file(filename: file, write: true, disposition: RubySMB::Dispositions::FILE_OVERWRITE_IF)
+
+result = file.write(data: data)
+puts result.to_s
+file.close

data/lib/ruby_smb.rb

@@ -8,8 +8,13 @@ require 'windows_error/nt_status'
 # [[MS-SMB] Server Mesage Block (SMB) Protocol Version 1](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
 # [[MS-SMB2] Server Mesage Block (SMB) Protocol Versions 2 and 3](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
 module RubySMB
+  require 'ruby_smb/dispositions'
+  require 'ruby_smb/impersonation_levels'
   require 'ruby_smb/gss'
   require 'ruby_smb/field'
+  require 'ruby_smb/nbss'
+  require 'ruby_smb/fscc'
+  require 'ruby_smb/dcerpc'
   require 'ruby_smb/generic_packet'
   require 'ruby_smb/dispatcher'
   require 'ruby_smb/error'

data/lib/ruby_smb/client.rb

@@ -1,5 +1,4 @@
 module RubySMB
-
   # Represents an SMB client capable of talking to SMB1 or SMB2 servers and handling
   # all end-user client functionality.
   class Client
@@ -8,20 +7,23 @@ module RubySMB
     require 'ruby_smb/client/signing'
     require 'ruby_smb/client/tree_connect'
     require 'ruby_smb/client/echo'
+    require 'ruby_smb/client/utils'
 
     include RubySMB::Client::Negotiation
     include RubySMB::Client::Authentication
     include RubySMB::Client::Signing
     include RubySMB::Client::TreeConnect
     include RubySMB::Client::Echo
+    include RubySMB::Client::Utils
 
     # The Default SMB1 Dialect string used in an SMB1 Negotiate Request
-    SMB1_DIALECT_SMB1_DEFAULT = "NT LM 0.12"
+    SMB1_DIALECT_SMB1_DEFAULT = 'NT LM 0.12'.freeze
     # The Default SMB2 Dialect string used in an SMB1 Negotiate Request
-    SMB1_DIALECT_SMB2_DEFAULT = "SMB 2.002"
+    SMB1_DIALECT_SMB2_DEFAULT = 'SMB 2.002'.freeze
     # Dialect value for SMB2 Default (Version 2.02)
     SMB2_DIALECT_DEFAULT = 0x0202
-
+    # The default maximum size of a SMB message that the Client accepts (in bytes)
+    MAX_BUFFER_SIZE = 4356
 
     # The dispatcher responsible for sending packets
     # @!attribute [rw] dispatcher
@@ -54,6 +56,54 @@ module RubySMB
     #   @return [String]
     attr_accessor :peer_native_os
 
+    # The Native LAN Manager of the Peer/Server.
+    # Currently only available with SMB1.
+    # @!attribute [rw] peer_native_lm
+    #   @return [String]
+    attr_accessor :peer_native_lm
+
+    # The Primary Domain of the Peer/Server.
+    # Currently only available with SMB1 and only when authentiation
+    # without NTLMSSP is used.
+    # @!attribute [rw] primary_domain
+    #   @return [String]
+    attr_accessor :primary_domain
+
+    # The Netbios Name of the Peer/Server.
+    # @!attribute [rw] default_name
+    #   @return [String]
+    attr_accessor :default_name
+
+    # The Netbios Domain of the Peer/Server.
+    # @!attribute [rw] default_domain
+    #   @return [String]
+    attr_accessor :default_domain
+
+    # The Fully Qualified Domain Name (FQDN) of the computer.
+    # @!attribute [rw] dns_host_name
+    #   @return [String]
+    attr_accessor :dns_host_name
+
+    # The Fully Qualified Domain Name (FQDN) of the domain.
+    # @!attribute [rw] dns_domain_name
+    #   @return [String]
+    attr_accessor :dns_domain_name
+
+    # The Fully Qualified Domain Name (FQDN) of the forest.
+    # @!attribute [rw] dns_tree_name
+    #   @return [String]
+    attr_accessor :dns_tree_name
+
+    # The OS version number (<major>.<minor>.<build>) of the Peer/Server.
+    # @!attribute [rw] os_version
+    #   @return [String]
+    attr_accessor :os_version
+
+    # The negotiated dialect.
+    # @!attribute [rw] dialect
+    #   @return [Integer]
+    attr_accessor :dialect
+
     # The Sequence Counter used for SMB1 Signing.
     # It tracks the number of packets both sent and received
     # since the NTLM session was initialized with the Challenge.
@@ -96,32 +146,48 @@ module RubySMB
     #   @return [String]
     attr_accessor :user_id
 
+    # The maximum size of a SMB message that the Client accepts (in bytes)
+    # Its default value is equal to {MAX_BUFFER_SIZE}.
+    # @!attribute [rw] max_buffer_size
+    #   @return [Integer]
+    attr_accessor :max_buffer_size
+
     # @param dispatcher [RubySMB::Dispacther::Socket] the packet dispatcher to use
     # @param smb1 [Boolean] whether or not to enable SMB1 support
     # @param smb2 [Boolean] whether or not to enable SMB2 support
-    def initialize(dispatcher, smb1: true, smb2: true, username:,password:, domain:'.', local_workstation:'WORKSTATION')
-      raise ArgumentError, 'No Dispatcher provided' unless dispatcher.kind_of? RubySMB::Dispatcher::Base
+    def initialize(dispatcher, smb1: true, smb2: true, username:, password:, domain: '.', local_workstation: 'WORKSTATION')
+      raise ArgumentError, 'No Dispatcher provided' unless dispatcher.is_a? RubySMB::Dispatcher::Base
       if smb1 == false && smb2 == false
         raise ArgumentError, 'You must enable at least one Protocol'
       end
       @dispatcher        = dispatcher
       @domain            = domain
       @local_workstation = local_workstation
-      @password          = password.encode("utf-8") || ''.encode("utf-8")
+      @password          = password.encode('utf-8') || ''.encode('utf-8')
       @sequence_counter  = 0
       @session_id        = 0x00
       @session_key       = ''
       @signing_required  = false
       @smb1              = smb1
       @smb2              = smb2
-      @username          = username.encode("utf-8") || ''.encode("utf-8")
+      @username          = username.encode('utf-8') || ''.encode('utf-8')
+      @max_buffer_size   = MAX_BUFFER_SIZE
+
+      negotiate_version_flag = 0x02000000
+      flags = Net::NTLM::Client::DEFAULT_FLAGS |
+        Net::NTLM::FLAGS[:TARGET_INFO] |
+        negotiate_version_flag
 
       @ntlm_client = Net::NTLM::Client.new(
         @username,
         @password,
         workstation: @local_workstation,
-        domain: @domain
+        domain: @domain,
+        flags: flags
       )
+      
+      @tree_connects = []
+      @open_files = {}
 
       @smb2_message_id = 0
     end
@@ -145,12 +211,12 @@ module RubySMB
     # @param echo [Integer] the number of times the server should echo (ignored in SMB2)
     # @param data [String] the data the server should echo back (ignored in SMB2)
     # @return [WindowsError::ErrorCode] the NTStatus of the last response received
-    def echo(count: 1, data: '' )
-      if smb2
-        response = smb2_echo
-      else
-        response = smb1_echo(count:count, data:data)
-      end
+    def echo(count: 1, data: '')
+      response = if smb2
+                   smb2_echo
+                 else
+                   smb1_echo(count: count, data: data)
+                 end
       response.status_code
     end
 
@@ -161,8 +227,8 @@ module RubySMB
     # @param packet [RubySMB::GenericPacket] the packet to set the message id for
     # @return [RubySMB::GenericPacket] the modified packet
     def increment_smb_message_id(packet)
-      if packet.smb2_header.message_id == 0 && self.smb2_message_id != 0
-        packet.smb2_header.message_id = self.smb2_message_id
+      if packet.smb2_header.message_id.zero? && smb2_message_id != 0
+        packet.smb2_header.message_id = smb2_message_id
         self.smb2_message_id += 1
       end
       packet
@@ -170,20 +236,32 @@ module RubySMB
 
     # Performs protocol negotiation and session setup. It defaults to using
     # the credentials supplied during initialization, but can take a new set of credentials if needed.
-    def login(username: self.username, password: self.password, domain: self.domain, local_workstation: self.local_workstation )
+    def login(username: self.username, password: self.password, domain: self.domain, local_workstation: self.local_workstation)
+      negotiate
+      session_setup(username, password, domain, true,
+                    local_workstation: local_workstation)
+    end
+
+    def session_setup(user, pass, domain, do_recv=true,
+                      local_workstation: self.local_workstation)
       @domain            = domain
       @local_workstation = local_workstation
-      @password          = password.encode("utf-8") || ''.encode("utf-8")
-      @username          = username.encode("utf-8") || ''.encode("utf-8")
-
+      @password          = pass.encode('utf-8') || ''.encode('utf-8')
+      @username          = user.encode('utf-8') || ''.encode('utf-8')
+
+      negotiate_version_flag = 0x02000000
+      flags = Net::NTLM::Client::DEFAULT_FLAGS |
+        Net::NTLM::FLAGS[:TARGET_INFO] |
+        negotiate_version_flag
+      
       @ntlm_client = Net::NTLM::Client.new(
-        @username,
-        @password,
-        workstation: @local_workstation,
-        domain: @domain
+          @username,
+          @password,
+          workstation: @local_workstation,
+          domain: @domain,
+          flags: flags
       )
 
-      negotiate
       authenticate
     end
 
@@ -211,26 +289,22 @@ module RubySMB
     # @return [String] the raw response data received
     def send_recv(packet)
       case packet.packet_smb_version
-        when 'SMB1'
-          if self.user_id
-            packet.smb_header.uid = self.user_id
-          end
-          packet = smb1_sign(packet)
-        when 'SMB2'
-          packet = increment_smb_message_id(packet)
-          packet.smb2_header.session_id = self.session_id
-          unless packet.is_a?(RubySMB::SMB2::Packet::SessionSetupRequest)
-            packet = smb2_sign(packet)
-          end
-        else
-          packet = packet
+      when 'SMB1'
+        packet.smb_header.uid = user_id if user_id
+        packet = smb1_sign(packet)
+      when 'SMB2'
+        packet = increment_smb_message_id(packet)
+        packet.smb2_header.session_id = session_id
+        unless packet.is_a?(RubySMB::SMB2::Packet::SessionSetupRequest)
+          packet = smb2_sign(packet)
+        end
+      else
+        packet = packet
       end
       dispatcher.send_packet(packet)
       raw_response = dispatcher.recv_packet
 
-      if self.signing_required && !self.session_key.empty?
-        self.sequence_counter += 1
-      end
+      self.sequence_counter += 1 if signing_required && !session_key.empty?
       raw_response
     end
 
@@ -240,11 +314,55 @@ module RubySMB
     # @return [RubySMB::SMB1::Tree] if talking over SMB1
     # @return [RubySMB::SMB2::Tree] if talking over SMB2
     def tree_connect(share)
-      if smb2
+      connected_tree = if smb2
         smb2_tree_connect(share)
       else
         smb1_tree_connect(share)
       end
+      @tree_connects << connected_tree
+      connected_tree
+    end
+
+    # Returns array of shares
+    #
+    # @return [Array] of shares
+    # @param [String] host
+    def net_share_enum_all(host)
+      if smb2
+        smb2_net_share_enum_all(host)
+      else
+        smb1_net_share_enum_all(host)
+      end
+    end
+    
+    #
+    # SMB2 Methods
+    #
+
+    # Sends a request to connect to a remote host and returns the Array
+    # of shares
+    #
+    # @return [Array] List of shares
+    # @param [String] host
+    def smb2_net_share_enum_all(host)
+
+      tree = tree_connect("\\\\#{host}\\IPC$")
+
+      named_pipe = tree.open_file(filename: "srvsvc",
+                                  write: true,
+                                  read: true,
+                                  disposition: RubySMB::Dispositions::FILE_OPEN_IF)
+
+      handle = Dcerpc::Handle.new(named_pipe)
+
+      handle.bind(endpoint: Dcerpc::Srvsvc)
+      handle.request(
+          opnum: Dcerpc::Srvsvc::NetShareEnumAll::Opnum,
+          stub: Dcerpc::Srvsvc::NetShareEnumAll,
+          options:{host: host}
+      )
+      shares = Dcerpc::Srvsvc::NetShareEnumAll.parse_response(handle.response)
+      shares.map{|s|{name: s[0], type: s[1], comment: s[2]}}
     end
 
     # Resets all of the session state on the client, setting it
@@ -260,6 +378,41 @@ module RubySMB
       self.smb2_message_id  = 0
     end
 
+    # Requests a NetBIOS Session Service using the provided name.
+    #
+    # @param name [String] the NetBIOS name to request
+    # @return [TrueClass] if session request is granted
+    # @raise [RubySMB::Error::NetBiosSessionService] if session request is refused
+    def session_request(name = '*SMBSERVER')
+      encoded_called_name = nb_name_encode("#{name.upcase.ljust(15)}\x20")
+      encoded_calling_name = nb_name_encode("#{''.ljust(15)}\x00")
+
+      session_request = RubySMB::Nbss::SessionRequest.new
+      session_request.session_header.session_packet_type = RubySMB::Nbss::SESSION_REQUEST
+      session_request.called_name  = "\x20#{encoded_called_name}\x00"
+      session_request.calling_name = "\x20#{encoded_calling_name}\x00"
+      session_request.session_header.packet_length = session_request.do_num_bytes - session_request.session_header.do_num_bytes
+
+      dispatcher.send_packet(session_request, nbss_header: false)
+      raw_response = dispatcher.recv_packet(full_response: true)
+      session_header =  RubySMB::Nbss::SessionHeader.read(raw_response)
+      if session_header.session_packet_type == RubySMB::Nbss::NEGATIVE_SESSION_RESPONSE
+        negative_session_response =  RubySMB::Nbss::NegativeSessionResponse.read(raw_response)
+        raise RubySMB::Error::NetBiosSessionService, "Session Request failed: #{negative_session_response.error_msg}"
+      end
 
+      return true
+    end
+
+    def nb_name_encode(name)
+      encoded_name = ''
+      name.each_byte do |char|
+        first_half = (char >> 4) + 'A'.ord
+        second_half = (char & 0xF) + 'A'.ord
+        encoded_name << first_half.chr
+        encoded_name << second_half.chr
+      end
+      encoded_name
+    end
   end
 end