ruby_smb 1.0.4 → 2.0.2

data/lib/ruby_smb/client/encryption.rb

@@ -0,0 +1,62 @@
+module RubySMB
+  class Client
+    # Contains the methods for handling encryption / decryption
+    module Encryption
+      def smb3_encrypt(data)
+        unless @client_encryption_key
+          case @dialect
+          when '0x0300', '0x0302'
+            @client_encryption_key = RubySMB::Crypto::KDF.counter_mode(
+              @session_key,
+              "SMB2AESCCM\x00",
+              "ServerIn \x00"
+            )
+          when '0x0311'
+            @client_encryption_key = RubySMB::Crypto::KDF.counter_mode(
+              @session_key,
+              "SMBC2SCipherKey\x00",
+              @preauth_integrity_hash_value
+            )
+          else
+            raise RubySMB::Error::EncryptionError.new('Dialect is incompatible with SMBv3 encryption')
+          end
+          ######
+          # DEBUG
+          #puts "Client encryption key = #{@client_encryption_key.each_byte.map {|e| '%02x' % e}.join}"
+          ######
+        end
+
+        th = RubySMB::SMB2::Packet::TransformHeader.new(flags: 1, session_id: @session_id)
+        th.encrypt(data, @client_encryption_key, algorithm: @encryption_algorithm)
+        th
+      end
+
+      def smb3_decrypt(th)
+        unless @server_encryption_key
+          case @dialect
+          when '0x0300', '0x0302'
+            @server_encryption_key = RubySMB::Crypto::KDF.counter_mode(
+              @session_key,
+              "SMB2AESCCM\x00",
+              "ServerOut\x00"
+            )
+          when '0x0311'
+            @server_encryption_key = RubySMB::Crypto::KDF.counter_mode(
+              @session_key,
+              "SMBS2CCipherKey\x00",
+              @preauth_integrity_hash_value
+            )
+          else
+            raise RubySMB::Error::EncryptionError.new('Dialect is incompatible with SMBv3 decryption')
+          end
+          ######
+          # DEBUG
+          #puts "Server encryption key = #{@server_encryption_key.each_byte.map {|e| '%02x' % e}.join}"
+          ######
+        end
+
+        th.decrypt(@server_encryption_key, algorithm: @encryption_algorithm)
+      end
+    end
+  end
+end

data/lib/ruby_smb/client/negotiation.rb

@@ -17,10 +17,28 @@ module RubySMB
         # internally to be able to retrieve the negotiated dialect later on.
         # This is only valid for SMB1.
         response_packet.dialects = request_packet.dialects if response_packet.respond_to? :dialects=
-        parse_negotiate_response(response_packet)
-      rescue RubySMB::Error::InvalidPacket, Errno::ECONNRESET
-        error = 'Unable to Negotiate with remote host'
-        error << ', SMB1 may be disabled' if smb1 && !smb2
+        version = parse_negotiate_response(response_packet)
+        if @dialect == '0x0311'
+          update_preauth_hash(request_packet)
+          update_preauth_hash(response_packet)
+        end
+
+        # If the response contains the SMB2 wildcard revision number dialect;
+        # it indicates that the server implements SMB 2.1 or future dialect
+        # revisions and expects the client to send a subsequent SMB2 Negotiate
+        # request to negotiate the actual SMB 2 Protocol revision to be used.
+        # The wildcard revision number is sent only in response to a
+        # multi-protocol negotiate request with the "SMB 2.???" dialect string.
+        if @dialect == '0x02ff'
+          self.smb2_message_id += 1
+          version = negotiate
+        end
+        version
+      rescue RubySMB::Error::InvalidPacket, Errno::ECONNRESET, RubySMB::Error::CommunicationError => e
+        version = request_packet.packet_smb_version
+        version = 'SMB3' if version == 'SMB2' && !@smb2 && @smb3
+        version = 'SMB2 or SMB3' if version == 'SMB2' && @smb2 && @smb3
+        error = "Unable to negotiate #{version} with the remote host: #{e.message}"
         raise RubySMB::Error::NegotiationFailure, error
       end
 
@@ -32,8 +50,8 @@ module RubySMB
       def negotiate_request
         if smb1
           smb1_negotiate_request
-        elsif smb2
-          smb2_negotiate_request
+        else
+          smb2_3_negotiate_request
         end
       end
 
@@ -50,7 +68,7 @@ module RubySMB
           packet = RubySMB::SMB1::Packet::NegotiateResponseExtended.read raw_data
           response = packet if packet.valid?
         end
-        if smb2 && response.nil?
+        if (smb2 || smb3) && response.nil?
           packet = RubySMB::SMB2::Packet::NegotiateResponse.read raw_data
           response = packet if packet.valid?
         end
@@ -95,26 +113,93 @@ module RubySMB
         when RubySMB::SMB1::Packet::NegotiateResponseExtended
           self.smb1 = true
           self.smb2 = false
+          self.smb3 = false
           self.signing_required = packet.parameter_block.security_mode.security_signatures_required == 1
           self.dialect = packet.negotiated_dialect.to_s
           # MaxBufferSize is largest message server will receive, measured from start of the SMB header. Subtract 260
           # for protocol overhead. Then this value can be used for max read/write size without having to factor in
           # protocol overhead every time.
           self.server_max_buffer_size = packet.parameter_block.max_buffer_size - 260
+          self.negotiated_smb_version = 1
+          self.session_encrypt_data = false
           'SMB1'
         when RubySMB::SMB2::Packet::NegotiateResponse
           self.smb1 = false
-          self.smb2 = true
-          self.signing_required = packet.security_mode.signing_required == 1
+          unless packet.dialect_revision.to_i == 0x02ff
+            self.smb2 = packet.dialect_revision.to_i >= 0x0200 && packet.dialect_revision.to_i < 0x0300
+            self.smb3 = packet.dialect_revision.to_i >= 0x0300 && packet.dialect_revision.to_i < 0x0400
+          end
+          self.signing_required = packet.security_mode.signing_required == 1 if self.smb2 || self.smb3
           self.dialect = "0x%04x" % packet.dialect_revision
           self.server_max_read_size = packet.max_read_size
           self.server_max_write_size = packet.max_write_size
           self.server_max_transact_size = packet.max_transact_size
           # This value is used in SMB1 only but calculate a valid value anyway
           self.server_max_buffer_size = [self.server_max_read_size, self.server_max_write_size, self.server_max_transact_size].min
-          'SMB2'
+          self.negotiated_smb_version = self.smb2 ? 2 : 3
+          self.server_guid = packet.server_guid
+          self.server_start_time = packet.server_start_time.to_time if packet.server_start_time != 0
+          self.server_system_time = packet.system_time.to_time if packet.system_time != 0
+          case self.dialect
+          when '0x02ff'
+          when '0x0300', '0x0302'
+            if packet&.capabilities&.encryption == 1
+              self.encryption_algorithm = RubySMB::SMB2::EncryptionCapabilities::ENCRYPTION_ALGORITHM_MAP[RubySMB::SMB2::EncryptionCapabilities::AES_128_CCM]
+            end
+            self.session_encrypt_data = self.session_encrypt_data && !self.encryption_algorithm.nil?
+          when '0x0311'
+            parse_smb3_capabilities(packet)
+            self.session_encrypt_data = self.session_encrypt_data && !self.encryption_algorithm.nil?
+          else
+            self.session_encrypt_data = false
+          end
+          return "SMB#{self.negotiated_smb_version}"
+        else
+          error = 'Unable to negotiate with remote host'
+          if packet.status_code == WindowsError::NTStatus::STATUS_NOT_SUPPORTED
+            error << ", SMB2" if @smb2
+            error << ", SMB3" if @smb3
+            error << ' not supported'
+          end
+          raise RubySMB::Error::NegotiationFailure, error
+        end
+      end
+
+      def parse_smb3_capabilities(response_packet)
+        nc = response_packet.find_negotiate_context(
+          RubySMB::SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES
+        )
+        @preauth_integrity_hash_algorithm = RubySMB::SMB2::PreauthIntegrityCapabilities::HASH_ALGORITM_MAP[nc&.data&.hash_algorithms&.first]
+        unless @preauth_integrity_hash_algorithm
+          raise RubySMB::Error::EncryptionError.new(
+            'Unable to retrieve the Preauth Integrity Hash Algorithm from the Negotiate response'
+          )
+        end
+        # Set the encryption the client will use, prioritizing AES_128_GCM over AES_128_CCM
+        nc = response_packet.find_negotiate_context(
+          RubySMB::SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES
+        )
+        @server_encryption_algorithms = nc&.data&.ciphers&.to_ary
+        if @server_encryption_algorithms.nil? || @server_encryption_algorithms.empty?
+          raise RubySMB::Error::EncryptionError.new(
+            'Unable to retrieve the encryption cipher list supported by the server from the Negotiate response'
+          )
+        end
+        if @server_encryption_algorithms.include?(RubySMB::SMB2::EncryptionCapabilities::AES_128_GCM)
+          @encryption_algorithm = RubySMB::SMB2::EncryptionCapabilities::ENCRYPTION_ALGORITHM_MAP[RubySMB::SMB2::EncryptionCapabilities::AES_128_GCM]
+        else
+          @encryption_algorithm = RubySMB::SMB2::EncryptionCapabilities::ENCRYPTION_ALGORITHM_MAP[@server_encryption_algorithms.first]
+        end
+        unless @encryption_algorithm
+          raise RubySMB::Error::EncryptionError.new(
+            'Unable to retrieve the encryption cipher list supported by the server from the Negotiate response'
+          )
         end
 
+        nc = response_packet.find_negotiate_context(
+          RubySMB::SMB2::NegotiateContext::SMB2_COMPRESSION_CAPABILITIES
+        )
+        @server_compression_algorithms = nc&.data&.compression_algorithms&.to_ary || []
       end
 
       # Create a {RubySMB::SMB1::Packet::NegotiateRequest} packet with the
@@ -127,10 +212,17 @@ module RubySMB
         # while being guaranteed to work with any modern Windows system. We can get more sophisticated
         # with switching this on and off at a later date if the need arises.
         packet.smb_header.flags2.extended_security = 1
+        # Recent Mac OS X requires the unicode flag to be set on the Negotiate
+        # SMB Header request, even if this packet does not contain string fields
+        # (see Flags2 SMB_FLAGS2_UNICODE definition in "2.2.3.1 The SMB Header"
+        # documentation:
+        # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/69a29f73-de0c-45a6-a1aa-8ceeea42217f
+        packet.smb_header.flags2.unicode = 1
         # There is no real good reason to ever send an SMB1 Negotiate packet
         # to Negotiate strictly SMB2, but the protocol WILL support it
         packet.add_dialect(SMB1_DIALECT_SMB1_DEFAULT) if smb1
         packet.add_dialect(SMB1_DIALECT_SMB2_DEFAULT) if smb2
+        packet.add_dialect(SMB1_DIALECT_SMB2_WILDCARD) if smb2 || smb3
         packet
       end
 
@@ -139,11 +231,60 @@ module RubySMB
       # may want to communicate over SMB1
       #
       # @ return [RubySMB::SMB2::Packet::NegotiateRequest] a completed SMB2 Negotiate Request packet
-      def smb2_negotiate_request
+      def smb2_3_negotiate_request
         packet = RubySMB::SMB2::Packet::NegotiateRequest.new
         packet.security_mode.signing_enabled = 1
-        packet.add_dialect(SMB2_DIALECT_DEFAULT)
         packet.client_guid = SecureRandom.random_bytes(16)
+        packet.set_dialects(SMB2_DIALECT_DEFAULT.map {|d| d.to_i(16)}) if smb2
+        packet = add_smb3_to_negotiate_request(packet) if smb3
+        packet
+      end
+
+      # This adds SMBv3 specific information: SMBv3 supported dialects,
+      # encryption capability, Negotiate Contexts if the dialect requires them
+      #
+      # @param packet [RubySMB::SMB2::Packet::NegotiateRequest] the NegotiateRequest
+      #   to add SMB3 specific info to
+      # @param dialects [Array<String>] the dialects to negotiate. This must be
+      #   an array of strings. Default is SMB3_DIALECT_DEFAULT
+      # @return [RubySMB::SMB2::Packet::NegotiateRequest] a completed SMB3 Negotiate Request packet
+      # @raise [ArgumentError] if dialects is not an array of strings
+      def add_smb3_to_negotiate_request(packet, dialects = SMB3_DIALECT_DEFAULT)
+        dialects.each do |dialect|
+          raise ArgumentError, 'Must be an array of strings' unless dialect.is_a? String
+          packet.add_dialect(dialect.to_i(16))
+        end
+        packet.capabilities.encryption = 1
+
+        if packet.dialects.include?(0x0311)
+          nc = RubySMB::SMB2::NegotiateContext.new(
+            context_type: RubySMB::SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES
+          )
+          nc.data.hash_algorithms << RubySMB::SMB2::PreauthIntegrityCapabilities::SHA_512
+          nc.data.salt = SecureRandom.random_bytes(32)
+          packet.add_negotiate_context(nc)
+
+          @preauth_integrity_hash_value = "\x00" * 64
+          nc = RubySMB::SMB2::NegotiateContext.new(
+            context_type: RubySMB::SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES
+          )
+          nc.data.ciphers << RubySMB::SMB2::EncryptionCapabilities::AES_128_CCM
+          nc.data.ciphers << RubySMB::SMB2::EncryptionCapabilities::AES_128_GCM
+          packet.add_negotiate_context(nc)
+
+          nc = RubySMB::SMB2::NegotiateContext.new(
+            context_type: RubySMB::SMB2::NegotiateContext::SMB2_COMPRESSION_CAPABILITIES
+          )
+          # Adding all possible compression algorithm even if we don't support
+          # them yet. This will force the server to disclose the support
+          # algorithms in the repsonse.
+          nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZNT1
+          nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZ77
+          nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZ77_Huffman
+          nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::Pattern_V1
+          packet.add_negotiate_context(nc)
+        end
+
         packet
       end
     end

data/lib/ruby_smb/client/signing.rb

@@ -40,6 +40,25 @@ module RubySMB
         end
         packet
       end
+
+      def smb3_sign(packet)
+        if !session_key.empty? && (signing_required || packet.is_a?(RubySMB::SMB2::Packet::TreeConnectRequest))
+          case @dialect
+          when '0x0300', '0x0302'
+            signing_key = RubySMB::Crypto::KDF.counter_mode(@session_key, "SMB2AESCMAC\x00", "SmbSign\x00")
+          when '0x0311'
+            signing_key = RubySMB::Crypto::KDF.counter_mode(@session_key, "SMBSigningKey\x00", @preauth_integrity_hash_value)
+          else
+            raise RubySMB::Error::SigningError.new('Dialect is incompatible with SMBv3 signing')
+          end
+
+          packet.smb2_header.flags.signed = 1
+          packet.smb2_header.signature = "\x00" * 16
+          hmac = OpenSSL::CMAC.digest('AES', signing_key, packet.to_binary_s)
+          packet.smb2_header.signature = hmac[0, 16]
+        end
+        packet
+      end
     end
   end
 end

data/lib/ruby_smb/client/tree_connect.rb

@@ -38,7 +38,7 @@ module RubySMB
           )
         end
         unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
-          raise RubySMB::Error::UnexpectedStatusCode, response.status_code.name
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
         end
         RubySMB::SMB1::Tree.new(client: self, share: share, response: response)
       end
@@ -55,7 +55,7 @@ module RubySMB
       def smb2_tree_connect(share)
         request = RubySMB::SMB2::Packet::TreeConnectRequest.new
         request.smb2_header.tree_id = 65_535
-        request.encode_path(share)
+        request.path = share
         raw_response = send_recv(request)
         response = RubySMB::SMB2::Packet::TreeConnectResponse.read(raw_response)
         smb2_tree_from_response(share, response)
@@ -78,9 +78,9 @@ module RubySMB
           )
         end
         unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
-          raise RubySMB::Error::UnexpectedStatusCode, response.status_code.name
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
         end
-        RubySMB::SMB2::Tree.new(client: self, share: share, response: response)
+        RubySMB::SMB2::Tree.new(client: self, share: share, response: response, encrypt: response.share_flags.encrypt == 1)
       end
     end
   end

data/lib/ruby_smb/client/utils.rb

@@ -40,27 +40,28 @@ module RubySMB
       end
 
       #Writes data to an open file handle
-      def write(file_id, offset = 0, data = '', do_recv = true)
+      def write(file_id = last_file_id, offset = 0, data = '', do_recv = true)
         @open_files[file_id].send_recv_write(data: data, offset: offset)
       end
 
-      def read(file_id, offset = 0, length = last_file.size)
+      def read(file_id = last_file_id, offset = 0, length = last_file.size, do_recv = true)
         data = @open_files[file_id].send_recv_read(read_length: length, offset: offset)
         data.bytes
       end
 
-      def delete(path)
-        file = last_tree.open_file(filename: path.sub(/^\\/, ''), delete: true)
+      def delete(path, tree_id = last_tree_id, do_recv = true)
+        tree = @tree_connects.detect{ |tree| tree.id == tree_id }
+        file = tree.open_file(filename: path.sub(/^\\/, ''), delete: true)
         file.delete
         file.close
       end
 
-      def close(file_id, tree_id)
+      def close(file_id = last_file_id, tree_id = last_tree_id, do_recv = true)
        @open_files[file_id].close
       end
 
-      def tree_disconnect(share)
-       @tree_connects.detect{|tree| tree.id == share }.disconnect!
+      def tree_disconnect(tree_id = last_tree_id, do_recv = true)
+       @tree_connects.detect{|tree| tree.id == tree_id }.disconnect!
       end
 
       def native_os

data/lib/ruby_smb/client/winreg.rb

@@ -0,0 +1,46 @@
+module RubySMB
+  class Client
+    module Winreg
+
+      def connect_to_winreg(host)
+        share = "\\\\#{host}\\IPC$"
+        tree = @tree_connects.find {|tree| tree.share == share}
+        tree = tree_connect(share) unless tree
+        named_pipe = tree.open_file(filename: "winreg", write: true, read: true)
+        if block_given?
+          res = yield named_pipe
+          named_pipe.close
+          res
+        else
+          named_pipe
+        end
+      end
+
+      def has_registry_key?(host, key)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.has_registry_key?(key)
+        end
+      end
+
+      def read_registry_key_value(host, key, value_name)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.read_registry_key_value(key, value_name)
+        end
+      end
+
+      def enum_registry_key(host, key)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.enum_registry_key(key)
+        end
+      end
+
+      def enum_registry_values(host, key)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.enum_registry_values(key)
+        end
+      end
+
+    end
+  end
+end
+

data/lib/ruby_smb/crypto.rb

@@ -0,0 +1,30 @@
+module RubySMB
+  module Crypto
+    module KDF
+      def self.counter_mode(ki, label, context, length: 128)
+        digest = OpenSSL::Digest.new('SHA256')
+        r = 32
+
+        n = length / 256
+        n = 1 if n == 0
+
+        raise ArgumentError if n > 2**r - 1
+        result = ""
+
+        n.times do |i|
+          input = [i + 1].pack('L>')
+          input << label
+          input << "\x00"
+          input << context
+          input << [length].pack('L>')
+          k = OpenSSL::HMAC.digest(digest, ki, input)
+          result << k
+        end
+
+        return result[0...(length / 8)]
+      rescue OpenSSL::OpenSSLError => e
+        raise RubySMB::Error::EncryptionError, "Crypto::KDF.counter_mode OpenSSL error: #{e.message}"
+      end
+    end
+  end
+end