ruby_smb 0.0.8 → 0.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 203527ee7c807b85b3af96aea81bdc9f543b5f16
-  data.tar.gz: f80aa766405b6b813a5ac9a65aca3778d24f20a0
+  metadata.gz: 4447c748fa5ae3b4bade1f7da2f90b05e98f90e3
+  data.tar.gz: 0a077bd853a42f08210f527475965459347570a0
 SHA512:
-  metadata.gz: 79add85ae366057d7c77cafa684c6c3d6e842777bbf161d768dd8e206a344f712fc3cf5684a0d625c77162e1a07f8dcb7e43bf92292b9fedd0bfd8169a873375
-  data.tar.gz: 5866aa5f7aed28b0dfa8b3c147434ebefe6a6e4964618ba7d4762349f5090e826c1461950ec79a53fc52074f75eb99abc8b6a488d9901f2701b537c28aec5601
+  metadata.gz: 0284a70fde3ac94578b232fb30cfd0a2a579947104a700371cd04f78b9b29ff295ac4f90423fbb280848fc35f1095b42c9f3caa0c229dbee02a1f8480466b28e
+  data.tar.gz: 94ba89646185e15f2c2a945849948287fb01734523c092fbe410f0e8d42d31b518c53eb2689192d64358fda5493fbf791d12e3cd0e3ce2102828f0345910ad13

data/examples/tree_connect.rb

@@ -0,0 +1,27 @@
+#!/usr/bin/ruby
+
+# This example script is used for testing TreeConnect functionality
+# It will attempt to connect to a specific share and then disconnect.
+# Example usage: ruby tree_connect.rb 192.168.172.138 msfadmin msfadmin TEST_SHARE
+# This will try to connect to \\192.168.172.138\TEST_SHARE with the msfadmin:msfadmin credentials
+
+require 'bundler/setup'
+require 'ruby_smb'
+
+address  = ARGV[0]
+username = ARGV[1]
+password = ARGV[2]
+share    = ARGV[3]
+path     = "\\\\#{address}\\#{share}"
+
+sock = TCPSocket.new address, 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock)
+
+client = RubySMB::Client.new(dispatcher, smb1: true, smb2: true, username: username, password: password)
+protocol = client.negotiate
+status  = client.authenticate
+
+puts "#{protocol} : #{status}"
+
+tree = client.smb2_tree_connect(path)
+tree.disconnect!

data/lib/ruby_smb/client.rb

@@ -6,10 +6,12 @@ module RubySMB
     require 'ruby_smb/client/negotiation'
     require 'ruby_smb/client/authentication'
     require 'ruby_smb/client/signing'
+    require 'ruby_smb/client/tree_connect'
 
     include RubySMB::Client::Negotiation
     include RubySMB::Client::Authentication
     include RubySMB::Client::Signing
+    include RubySMB::Client::TreeConnect
 
     # The Default SMB1 Dialect string used in an SMB1 Negotiate Request
     SMB1_DIALECT_SMB1_DEFAULT = "NT LM 0.12"
@@ -116,6 +118,20 @@ module RubySMB
       @smb2_message_id = 0
     end
 
+    # Sets the message id field in an SMB2 packet's
+    # header to the one tracked by the client. It then increments
+    # the counter on the client.
+    #
+    # @param packet [RubySMB::GenericPacket] the packet to set the message id for
+    # @return [RubySMB::GenericPacket] the modified packet
+    def increment_smb_message_id(packet)
+      if packet.smb2_header.message_id == 0 && self.smb2_message_id != 0
+        packet.smb2_header.message_id = self.smb2_message_id
+        self.smb2_message_id += 1
+      end
+      packet
+    end
+
     def login(username: self.username, password: self.password, domain: self.domain, local_workstation: self.local_workstation )
       @domain            = domain
       @local_workstation = local_workstation
@@ -141,15 +157,22 @@ module RubySMB
     def send_recv(packet)
       case packet.packet_smb_version
         when 'SMB1'
+          if self.user_id
+            packet.smb_header.uid = self.user_id
+          end
           packet = smb1_sign(packet)
         when 'SMB2'
-          packet = smb2_sign(packet)
+          packet = increment_smb_message_id(packet)
+          packet.smb2_header.session_id = self.session_id
+          unless packet.is_a?(RubySMB::SMB2::Packet::SessionSetupRequest)
+            packet = smb2_sign(packet)
+          end
         else
           packet = packet
       end
       dispatcher.send_packet(packet)
       raw_response = dispatcher.recv_packet
-      if self.sequence_counter > 0
+      if self.signing_required && !self.session_key.empty?
         self.sequence_counter += 1
       end
       raw_response

data/lib/ruby_smb/client/authentication.rb

@@ -136,12 +136,11 @@ module RubySMB
         response = smb2_ntlmssp_negotiate
         challenge_packet = smb2_ntlmssp_challenge_packet(response)
         session_id = challenge_packet.smb2_header.session_id
+        self.session_id = session_id
         challenge_message = smb2_type2_message(challenge_packet)
         raw = smb2_ntlmssp_authenticate(challenge_message, session_id)
         response = smb2_ntlmssp_final_packet(raw)
-        response_code = response.status_code
-        self.session_id = response.smb2_header.session_id if response_code.name == "STATUS_SUCCESS"
-        response_code
+        response.status_code
       end
 
       # Takes the raw binary string and returns a {RubySMB::SMB2::Packet::SessionSetupResponse}
@@ -185,7 +184,9 @@ module RubySMB
         type1_message = ntlm_client.init_context
         packet = RubySMB::SMB2::Packet::SessionSetupRequest.new
         packet.set_type1_blob(type1_message.serialize)
-        packet.smb2_header.message_id = 1 #self.smb2_message_id
+        # This Message ID should always be 1, but thanks to Multi-Protocol Negotiation
+        # the Message ID can be out of sync at this point so we re-synch it here.
+        packet.smb2_header.message_id = 1
         self.smb2_message_id = 2
         packet
       end
@@ -225,8 +226,6 @@ module RubySMB
         packet = RubySMB::SMB2::Packet::SessionSetupRequest.new
         packet.smb2_header.session_id = session_id
         packet.set_type3_blob(type3_message.serialize)
-        packet.smb2_header.message_id = self.smb2_message_id
-        self.smb2_message_id += 1
         packet
       end
 

data/lib/ruby_smb/client/negotiation.rb

@@ -1,3 +1,4 @@
+require 'securerandom'
 module RubySMB
   class Client
     # This module holds all of the methods backing the {RubySMB::Client#negotiate} method
@@ -114,11 +115,9 @@ module RubySMB
       # @ return [RubySMB::SMB2::Packet::NegotiateRequest] a completed SMB2 Negotiate Request packet
       def smb2_negotiate_request
         packet = RubySMB::SMB2::Packet::NegotiateRequest.new
-        packet.smb2_header.message_id = self.smb2_message_id
-        # Increment the message id when doing SMB2
-        self.smb2_message_id += 1
         packet.security_mode.signing_enabled = 1
         packet.add_dialect(SMB2_DIALECT_DEFAULT)
+        packet.client_guid = SecureRandom.random_bytes(16)
         packet
       end
     end

data/lib/ruby_smb/client/signing.rb

@@ -17,7 +17,9 @@ module RubySMB
       # @return [RubySMB::GenericPacket] the packet, signed if needed
       def smb1_sign(packet)
         if self.signing_required && !self.session_key.empty?
-          packet.smb_header.security_features = self.sequence_counter
+          # Pack the Sequence counter into a int64le
+          packed_sequence_counter = [self.sequence_counter].pack('Q<')
+          packet.smb_header.security_features = packed_sequence_counter
           signature = OpenSSL::Digest::MD5.digest(self.session_key + packet.to_binary_s)[0,8]
           packet.smb_header.security_features = signature
           self.sequence_counter += 1
@@ -35,8 +37,10 @@ module RubySMB
       # @return [RubySMB::GenericPacket] the packet, signed if needed
       def smb2_sign(packet)
         if self.signing_required && !self.session_key.empty?
+          packet.smb2_header.flags.signed = 1
+          packet.smb2_header.signature = "\x00" * 16
           hmac = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, self.session_key, packet.to_binary_s)
-          packet.smb2_header.signature = hmac
+          packet.smb2_header.signature = hmac[0,16]
           packet
         else
           packet

data/lib/ruby_smb/client/tree_connect.rb

@@ -0,0 +1,86 @@
+module RubySMB
+  class Client
+
+    # This module contains all of the methods for a client to connect to a
+    # remote share or named pipe.
+    module TreeConnect
+
+      #
+      # SMB 1 Methods
+      #
+
+      # Sends a request to connect to a remote Tree and returns the
+      # {RubySMB::SMB1::Tree}
+      #
+      # @param share [String] the share path to connect to
+      # @return [RubySMB::SMB1::Tree] the connected Tree
+      def smb1_tree_connect(share)
+        request = RubySMB::SMB1::Packet::TreeConnectRequest.new
+        request.smb_header.tid = 65535
+        request.data_block.path = share
+        raw_response = send_recv(request)
+        begin
+          response = RubySMB::SMB1::Packet::TreeConnectResponse.read(raw_response)
+        rescue EOFError
+          response = RubySMB::SMB1::Packet::ErrorPacket.read(raw_response)
+        end
+        smb1_tree_from_response(share, response)
+      end
+
+      # Parses a Tree structure from a Tree Connect Response
+      #
+      # @param share [String] the share path to connect to
+      # @param response [RubySMB::SMB1::Packet::TreeConnectResponse] the response packet to parse into our Tree
+      # @return [RubySMB::SMB1::Tree]
+      def smb1_tree_from_response(share,response)
+        unless response.smb_header.command == RubySMB::SMB1::Commands::SMB_COM_TREE_CONNECT
+          raise RubySMB::Error::InvalidPacket, "Not a TreeConnectResponse"
+        end
+        unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code.name
+        end
+        RubySMB::SMB1::Tree.new(client: self, share: share, response: response)
+      end
+
+      #
+      # SMB2 Methods
+      #
+
+      # Sends a request to connect to a remote Tree and returns the
+      # {RubySMB::SMB2::Tree}
+      #
+      # @param share [String] the share path to connect to
+      # @return [RubySMB::SMB2::Tree] the connected Tree
+      def smb2_tree_connect(share)
+        request = RubySMB::SMB2::Packet::TreeConnectRequest.new
+        request.smb2_header.tree_id = 65535
+        request.encode_path(share)
+        raw_response = send_recv(request)
+        begin
+          response = RubySMB::SMB2::Packet::TreeConnectResponse.read(raw_response)
+        rescue EOFError
+          response = RubySMB::SMB2::Packet::ErrorPacket.read(raw_response)
+        end
+        smb2_tree_from_response(share, response)
+      end
+
+      # Parses a Tree structure from a Tree Connect Response
+      #
+      # @param share [String] the share path to connect to
+      # @param response [RubySMB::SMB2::Packet::TreeConnectResponse] the response packet to parse into our Tree
+      # @return [RubySMB::SMB2::Tree]
+      def smb2_tree_from_response(share,response)
+        unless response.smb2_header.command == RubySMB::SMB2::Commands::TREE_CONNECT
+          raise RubySMB::Error::InvalidPacket, "Not a TreeConnectResponse"
+        end
+        unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code.name
+        end
+        RubySMB::SMB2::Tree.new(client: self, share: share, response: response)
+      end
+
+    end
+
+
+  end
+end

data/lib/ruby_smb/generic_packet.rb

@@ -161,7 +161,7 @@ module RubySMB
     def process_array_field(array_field, depth)
       array_field_str = ''
       array_field.each do |sub_field|
-        fields = sub_field.class.fields.fields
+        fields = sub_field.class.fields.raw_fields
         sub_field_hashes = self.class.walk_fields(fields)
         sub_field_hashes.each do |sub_field_hash|
           name = sub_field_hash[:name]

data/lib/ruby_smb/smb1.rb

@@ -12,5 +12,5 @@ module RubySMB::SMB1
   require 'ruby_smb/smb1/data_block'
   require 'ruby_smb/smb1/dialect'
   require 'ruby_smb/smb1/packet'
-
+  require 'ruby_smb/smb1/tree'
 end

data/lib/ruby_smb/smb1/bit_field.rb

@@ -5,6 +5,10 @@ module RubySMB
       require 'ruby_smb/smb1/bit_field/header_flags2'
       require 'ruby_smb/smb1/bit_field/security_mode'
       require 'ruby_smb/smb1/bit_field/capabilities'
+      require 'ruby_smb/smb1/bit_field/tree_connect_flags'
+      require 'ruby_smb/smb1/bit_field/optional_support'
+      require 'ruby_smb/smb1/bit_field/directory_access_mask'
+      require 'ruby_smb/smb1/bit_field/file_access_mask'
     end
   end
 end

data/lib/ruby_smb/smb1/bit_field/directory_access_mask.rb

@@ -0,0 +1,38 @@
+module RubySMB
+  module SMB1
+    module BitField
+      # An Access Mask bit field used to describe the permissions on a Directory, as defined in
+      # [2.2.1.4.2 Directory_Access_Mask](https://msdn.microsoft.com/en-us/library/ff470234.aspx)
+      class DirectoryAccessMask < BinData::Record
+        endian  :little
+        bit1    :read_attr,       label: 'Read Attributes'
+        bit1    :delete_child,    label: 'Delete Child'
+        bit1    :traverse,        label: 'Traverse'
+        bit1    :write_ea,        label: 'Write Extended Attributes'
+        bit1    :read_ea,         label: 'Read Extended Attributes'
+        bit1    :add_subdir,      label: 'Add Subdirectory'
+        bit1    :add_file,        label: 'Add File'
+        bit1    :list,            label: 'List Directory'
+        # byte boundary
+        bit7    :reserved,        label: 'Reserved Space'
+        bit1    :write_attr,      label: 'Write Attributes'
+
+        # byte boundary
+        bit3    :reserved2,       label: 'Reserved Space'
+        bit1    :synchronize,     label: 'Synchronize'
+        bit1    :write_owner,     label: 'Write Owner'
+        bit1    :write_dac,       label: 'Write DAC'
+        bit1    :read_control,    label: 'Read Control'
+        bit1    :delete_access,   label: 'Delete'
+        # byte boundary
+        bit1    :generic_read,    label: 'Generic Read'
+        bit1    :generic_write,   label: 'Generic Write'
+        bit1    :generic_execute, label: 'Generic Execute'
+        bit1    :generic_all,     label: 'Generic All'
+        bit2    :reserved3
+        bit1    :maximum,         label: 'Maximum Allowed'
+        bit1    :system_security, label: 'System Security'
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/bit_field/file_access_mask.rb

@@ -0,0 +1,38 @@
+module RubySMB
+  module SMB1
+    module BitField
+      # An Access Mask bit field used to describe the permissions on a File, Printer, or named Pipe. As defined in
+      # [2.2.1.4.1 File_Pipe_Printer_Access_Mask](https://msdn.microsoft.com/en-us/library/ff469915.aspx)
+      class FileAccessMask < BinData::Record
+        endian  :little
+        bit1    :read_attr,       label: 'Read Attributes'
+        bit1    :delete_child,    label: 'Delete Child'
+        bit1    :execute,         label: 'Traverse'
+        bit1    :write_ea,        label: 'Write Extended Attributes'
+        bit1    :read_ea,         label: 'Read Extended Attributes'
+        bit1    :append_data,     label: 'Append Data'
+        bit1    :write_data,      label: 'Write Data'
+        bit1    :read_data,       label: 'Read Data'
+        # byte boundary
+        bit7    :reserved,        label: 'Reserved Space'
+        bit1    :write_attr,      label: 'Write Attributes'
+
+        # byte boundary
+        bit3    :reserved2,       label: 'Reserved Space'
+        bit1    :synchronize,     label: 'Synchronize'
+        bit1    :write_owner,     label: 'Write Owner'
+        bit1    :write_dac,       label: 'Write DAC'
+        bit1    :read_control,    label: 'Read Control'
+        bit1    :delete_access,   label: 'Delete'
+        # byte boundary
+        bit1    :generic_read,    label: 'Generic Read'
+        bit1    :generic_write,   label: 'Generic Write'
+        bit1    :generic_execute, label: 'Generic Execute'
+        bit1    :generic_all,     label: 'Generic All'
+        bit2    :reserved3
+        bit1    :maximum,         label: 'Maximum Allowed'
+        bit1    :system_security, label: 'System Security'
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/bit_field/optional_support.rb

@@ -0,0 +1,19 @@
+module RubySMB
+  module SMB1
+    module BitField
+      # The OptionalSupport bit-field for an SMB1 TreeConnect Response Packet
+      # [2.2.4.7.2 Server Response Extensions](https://msdn.microsoft.com/en-us/library/cc246331.aspx)
+      class OptionalSupport < BinData::Record
+        endian  :little
+        bit2    :reserved,              label: 'Reserved Space',             initial_value: 0
+        bit1    :extended_signature,    label: 'Extended Signature',         initial_value: 0
+        bit1    :unique_filename,       label: 'Unique Filename',            initial_value: 0
+        bit2    :csc_mask,              label: 'CSC Mask',                   initial_value: 0
+        bit1    :dfs,                   label: 'DFS Share',                  initial_value: 0
+        bit1    :search,                label: 'Exclusive Search Bits',      initial_value: 1
+        bit8    :reserved2,             label: 'Reserved Space',             initial_value: 0
+
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/bit_field/tree_connect_flags.rb

@@ -0,0 +1,18 @@
+module RubySMB
+  module SMB1
+    module BitField
+      # The Flags bit-field for an SMB1 TreeConnect Request Packet
+      # [2.2.4.7.1 Client Request Extensions](https://msdn.microsoft.com/en-us/library/cc246330.aspx)
+      class TreeConnectFlags < BinData::Record
+        endian  :little
+        bit4    :reserved,              label: 'Reserved Space',             initial_value: 0
+        bit1    :extended_response,     label: 'Extended Response',          initial_value: 1
+        bit1    :extended_signature,    label: 'Extended Signature',         initial_value: 0
+        bit1    :reserved2,             label: 'Reserved Space',             initial_value: 0
+        bit1    :disconnect,            label: 'Disconnect Tree',            initial_value: 0
+        bit4    :reserved3,             label: 'Reserved Space',             initial_value: 0
+        bit4    :reserved4,             label: 'Reserved Space',             initial_value: 0
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/commands.rb

@@ -1,8 +1,10 @@
 module RubySMB
   module SMB1
     module Commands
+      SMB_COM_TREE_DISCONNECT = 0x71
       SMB_COM_NEGOTIATE       = 0x72
       SMB_COM_SESSION_SETUP   = 0x73
+      SMB_COM_TREE_CONNECT    = 0x75
       SMB_COM_NO_ANDX_COMMAND = 0xFF
     end
   end

data/lib/ruby_smb/smb1/packet.rb

@@ -7,6 +7,10 @@ module RubySMB
       require 'ruby_smb/smb1/packet/negotiate_response_extended'
       require 'ruby_smb/smb1/packet/session_setup_request'
       require 'ruby_smb/smb1/packet/session_setup_response'
+      require 'ruby_smb/smb1/packet/tree_connect_request'
+      require 'ruby_smb/smb1/packet/tree_connect_response'
+      require 'ruby_smb/smb1/packet/tree_disconnect_request'
+      require 'ruby_smb/smb1/packet/tree_disconnect_response'
     end
   end
 end

data/lib/ruby_smb/smb1/packet/tree_connect_request.rb

@@ -0,0 +1,34 @@
+module RubySMB
+  module SMB1
+    module Packet
+
+      # This class represents an SMB1 TreeConnect Request Packet as defined in
+      # [2.2.4.7.1 Client Request Extensions](https://msdn.microsoft.com/en-us/library/cc246330.aspx)
+      class TreeConnectRequest < RubySMB::GenericPacket
+
+        # A SMB1 Parameter Block as defined by the {TreeConnectRequest}
+        class ParameterBlock < RubySMB::SMB1::ParameterBlock
+          and_x_block          :andx_block
+          tree_connect_flags   :flags
+          uint16               :password_length, label: 'Password Length', initial_value: 0x01
+        end
+
+        class DataBlock < RubySMB::SMB1::DataBlock
+          stringz  :password, label: 'Password Field', initial_value: '',    length: lambda { self.parent.parameter_block.password_length }
+          stringz  :path,     label: 'Resource Path'
+          stringz  :service,  label: 'Resource Type',  initial_value: '?????'
+        end
+
+        smb_header        :smb_header
+        parameter_block   :parameter_block
+        data_block        :data_block
+
+        def initialize_instance
+          super
+          smb_header.command = RubySMB::SMB1::Commands::SMB_COM_TREE_CONNECT
+        end
+
+      end
+    end
+  end
+end