ruby_smb 3.1.5 → 3.2.0

data/lib/ruby_smb/dcerpc/icpr/cert_server_request_response.rb

@@ -0,0 +1,28 @@
+require 'ruby_smb/dcerpc/ndr'
+
+module RubySMB
+  module Dcerpc
+    module Icpr
+
+      # [3.2.4.1.1 CertServerRequest (Opnum 0)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-icpr/0c6f150e-3ead-4006-b37f-ebbf9e2cf2e7)
+      class CertServerRequestResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32      :pdw_request_id
+        ndr_uint32      :pdw_disposition
+        cert_trans_blob :pctb_cert
+        cert_trans_blob :pctb_encoded_cert
+        cert_trans_blob :pctb_disposition_message
+        ndr_uint32      :error_status
+
+        def initialize_instance
+          super
+          @opnum = CERT_SERVER_REQUEST
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/icpr.rb

@@ -0,0 +1,84 @@
+module RubySMB
+  module Dcerpc
+    module Icpr
+
+      # [3.2.4.1 ICertPassage Interface](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-icpr/d98e6cfb-87ba-4915-b3ec-a1b7c6129a53)
+      UUID = '91ae6020-9e3c-11cf-8d7c-00aa00c091be'
+      VER_MAJOR = 0
+      VER_MINOR = 0
+
+      # Operation numbers
+      CERT_SERVER_REQUEST = 0x0000
+
+      # Disposition constants, see
+      # [3.2.1.4.2.1 ICertRequestD::Request (Opnum 3)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/dbb2e78f-7630-4615-92c4-6734fccfc5a6)
+      CR_DISP_ISSUED           = 0x0003
+      CR_DISP_UNDER_SUBMISSION = 0x0005
+
+      # [2.2.2.2 CERTTRANSBLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/d6bee093-d862-4122-8f2b-7b49102097dc)
+      # (actually defined in MS-WCCE)
+      class CertTransBlob < Ndr::NdrStruct
+        endian :little
+        default_parameter  byte_align: 4
+
+        ndr_uint32              :cb, initial_value: -> { pb.length }
+        ndr_byte_conf_array_ptr :pb
+
+        def buffer
+          pb.to_ary.pack('C*')
+        end
+      end
+
+      require 'ruby_smb/dcerpc/icpr/cert_server_request_request'
+      require 'ruby_smb/dcerpc/icpr/cert_server_request_response'
+
+      def cert_server_request(attributes:, authority:, csr:)
+        cert_server_request_request = CertServerRequestRequest.new(
+          pwsz_authority: authority,
+          pctb_attribs: { pb: (attributes.map { |k,v| "#{k}:#{v}" }.join("\n").encode('UTF-16le').force_encoding('ASCII-8bit') + "\x00\x00".b) },
+          pctb_request: { pb: csr.to_der }
+        )
+
+        response = dcerpc_request(
+          cert_server_request_request,
+          auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
+          auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+        )
+        begin
+          cert_server_request_response = CertServerRequestResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading CertServerRequestResponse'
+        end
+
+        ret = {
+          disposition: cert_server_request_response.pdw_disposition.value,
+          disposition_message: cert_server_request_response.pctb_disposition_message.buffer.chomp("\x00\x00").force_encoding('utf-16le').encode,
+          status: {
+            CR_DISP_ISSUED => :issued,
+            CR_DISP_UNDER_SUBMISSION => :submitted,
+          }.fetch(cert_server_request_response.pdw_disposition.value, :error)
+        }
+
+        # note: error_status == RPC_S_BINDING_HAS_NO_AUTH when not properly bound
+        if ret[:status] == :error
+          unless cert_server_request_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+            error_status = cert_server_request_response.error_status.value
+            status_code = WindowsError::Win32.find_by_retval(error_status).first
+            if status_code.nil? && (fault_name = RubySMB::Dcerpc::Fault::Status.name(error_status))
+              status_code = WindowsError::ErrorCode.new(fault_name.to_s, error_status, 'DCERPC fault')
+            end
+            raise RubySMB::Dcerpc::Error::IcprError.new(
+              "Error returned with cert_server_request: #{status_code || "0x#{error_status.to_s(16).rjust(8, '0')}"}",
+              status_code: status_code
+            )
+          end
+        else
+          ret[:certificate] = OpenSSL::X509::Certificate.new(cert_server_request_response.pctb_encoded_cert.buffer)
+        end
+
+        ret
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/ndr.rb

@@ -1208,14 +1208,50 @@ module RubySMB::Dcerpc::Ndr
     extend PointerClassPlugin
   end
 
+
+  # ArrayPtr definitions:
+  #   If the type is Ndr*ArrayPtr, it's a ConfVarArray (Uni-dimensional Conformant-varying Array)
+  #   If the type is Ndr*ConfArrayPtr, it's a ConfArray (Uni-dimensional Conformant Array)
   class NdrByteArrayPtr < NdrConfVarArray
     default_parameters type: :ndr_uint8
     extend PointerClassPlugin
+
+    def assign(val)
+      val = val.bytes if val.is_a?(String)
+      super(val.to_ary)
+    end
   end
 
-  class NdrUint16ArrayPtr < NdrConfVarArray
-    default_parameters type: :ndr_uint16
+  class NdrByteConfArrayPtr < NdrConfArray
+    default_parameters type: :ndr_uint8
     extend PointerClassPlugin
+
+    def assign(val)
+      val = val.bytes if val.is_a?(String)
+      super(val.to_ary)
+    end
+  end
+
+  %i[ Uint8 Uint16 Uint32 Uint64 ].each do |klass|
+    new_klass_name = "Ndr#{klass}ArrayPtr"
+    unless self.const_defined?(new_klass_name)
+      new_klass = Class.new(NdrConfVarArray) do
+        default_parameters type: "ndr_#{klass}".downcase.to_sym
+        extend PointerClassPlugin
+      end
+      self.const_set(new_klass_name, new_klass)
+      BinData::RegisteredClasses.register(new_klass_name, new_klass)
+    end
+
+    new_klass_name = "Ndr#{klass}ConfArrayPtr"
+    unless self.const_defined?(new_klass_name)
+      new_klass = Class.new(NdrConfArray) do
+        default_parameters type: "ndr_#{klass}".downcase.to_sym
+        extend PointerClassPlugin
+      end
+      self.const_set(new_klass_name, new_klass)
+      BinData::RegisteredClasses.register(new_klass_name, new_klass)
+    end
   end
 
   class NdrFileTimePtr < NdrFileTime

data/lib/ruby_smb/dcerpc/request.rb

@@ -90,7 +90,16 @@ module RubySMB
           drs_domain_controller_info_request Drsr::DRS_DOMAIN_CONTROLLER_INFO
           drs_crack_names_request            Drsr::DRS_CRACK_NAMES
           drs_get_nc_changes_request         Drsr::DRS_GET_NC_CHANGES
-          string                      :default
+          string                             :default
+        end
+        choice 'Dfsnm', selection: -> { opnum } do
+          netr_dfs_add_std_root_request    Dfsnm::NETR_DFS_ADD_STD_ROOT
+          netr_dfs_remove_std_root_request Dfsnm::NETR_DFS_REMOVE_STD_ROOT
+          string                           :default
+        end
+        choice 'Icpr', selection: -> { opnum } do
+          cert_server_request_request      Icpr::CERT_SERVER_REQUEST
+          string                           :default
         end
         string :default
       end

data/lib/ruby_smb/dcerpc.rb

@@ -46,6 +46,8 @@ module RubySMB
     require 'ruby_smb/dcerpc/epm'
     require 'ruby_smb/dcerpc/drsr'
     require 'ruby_smb/dcerpc/sec_trailer'
+    require 'ruby_smb/dcerpc/dfsnm'
+    require 'ruby_smb/dcerpc/icpr'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/rpc_auth3'
@@ -54,25 +56,50 @@ module RubySMB
     require 'ruby_smb/dcerpc/print_system'
     require 'ruby_smb/dcerpc/encrypting_file_system'
 
-    # Bind to the remote server interface endpoint.
+    # Bind to the remote server interface endpoint. It takes care of adding
+    # the necessary authentication verifier if `:auth_level` is set to
+    # anything different than RPC_C_AUTHN_LEVEL_NONE
     #
-    # @param options [Hash] the options to pass to the Bind request packet. At least, :endpoint must but provided with an existing Dcerpc class
+    # @param [Hash] options
+    # @option options [Module] :endpoint the endpoint to bind to. This must be a Dcerpc
+    #   class with UUID, VER_MAJOR and VER_MINOR constants defined.
+    # @option options [Integer] :auth_level the authentication level
+    # @option options [Integer] :auth_type the authentication type
     # @return [BindAck] the BindAck response packet
     # @raise [Error::InvalidPacket] if an invalid packet is received
     # @raise [Error::BindError] if the response is not a BindAck packet or if the Bind result code is not ACCEPTANCE
+    # @raise [ArgumentError] if `:auth_type` is unknown
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
     def bind(options={})
+      @call_id ||= 1
       bind_req = Bind.new(options)
-      write(data: bind_req.to_binary_s)
-      @size = 1024
-      dcerpc_raw_response = read()
-      begin
-        dcerpc_response = BindAck.read(dcerpc_raw_response)
-      rescue IOError
-        raise Error::InvalidPacket, "Error reading the DCERPC response"
+      bind_req.pdu_header.call_id = @call_id
+
+      if options[:auth_level] && options[:auth_level] != RPC_C_AUTHN_LEVEL_NONE
+        case options[:auth_type]
+        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+          @ctx_id            = 0
+          @auth_ctx_id_base  = rand(0xFFFFFFFF)
+          raise ArgumentError, "NTLM Client not initialized. Username and password must be provided" unless @ntlm_client
+          type1_message = @ntlm_client.init_context
+          auth = type1_message.serialize
+        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE
+        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL
+          # TODO
+          raise NotImplementedError
+        else
+          raise ArgumentError, "Unsupported Auth Type: #{options[:auth_type]}"
+        end
+        add_auth_verifier(bind_req, auth, options[:auth_type], options[:auth_level])
       end
-      unless dcerpc_response.pdu_header.ptype == PTypes::BIND_ACK
-        raise Error::BindError, "Not a BindAck packet"
+
+      send_packet(bind_req)
+      begin
+        dcerpc_response = recv_struct(BindAck)
+      rescue Error::InvalidPacket
+        raise Error::BindError # raise the more context-specific BindError
       end
+      # TODO: see if BindNack response should be handled too
 
       res_list = dcerpc_response.p_result_list
       if res_list.n_results == 0 ||
@@ -80,9 +107,216 @@ module RubySMB
         raise Error::BindError,
           "Bind Failed (Result: #{res_list.p_results[0].result}, Reason: #{res_list.p_results[0].reason})"
       end
-      @tree.client.max_buffer_size = dcerpc_response.max_xmit_frag
+      self.max_buffer_size = dcerpc_response.max_xmit_frag
+      @call_id = dcerpc_response.pdu_header.call_id
+
+      if options[:auth_level] && options[:auth_level] != RPC_C_AUTHN_LEVEL_NONE
+        # The number of legs needed to build the security context is defined
+        # by the security provider
+        # (see [2.2.1.1.7 Security Providers](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/d4097450-c62f-484b-872f-ddf59a7a0d36))
+        case options[:auth_type]
+        when RPC_C_AUTHN_WINNT
+          send_auth3(dcerpc_response, options[:auth_type], options[:auth_level])
+        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE
+          # TODO
+          raise NotImplementedError
+        end
+      end
+
       dcerpc_response
     end
 
+    def max_buffer_size=(value)
+      @tree.client.max_buffer_size = value
+    end
+
+    # Receive a packet from the remote host and parse it according to `struct`
+    #
+    # @param struct [Class] the structure class to parse the response with
+    def recv_struct(struct)
+      raw_response = read
+      begin
+        response = struct.read(raw_response)
+      rescue IOError
+        raise Error::InvalidPacket, "Error reading the #{struct} response"
+      end
+      unless response.pdu_header.ptype == struct::PTYPE
+        raise Error::InvalidPacket, "Not a #{struct} packet"
+      end
+
+      response
+    end
+
+    # Send a packet to the remote host
+    #
+    # @param packet [BinData::Record] the packet to send
+    # @raise [Error::CommunicationError] if socket-related error occurs
+    def send_packet(packet)
+      write(data: packet.to_binary_s)
+      nil
+    end
+
+    # Add the authentication verifier to a Request packet. This includes a
+    # sec trailer and the signature of the packet. This also encrypts the
+    # Request stub if privacy is required (`:auth_level` option is
+    # RPC_C_AUTHN_LEVEL_PKT_PRIVACY).
+    #
+    # @param dcerpc_req [Request] the Request packet to be updated
+    # @param opts [Hash] the authenticaiton options: `:auth_type` and `:auth_level`
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
+    # @raise [ArgumentError] if `:auth_type` is unknown
+    def set_integrity_privacy(dcerpc_req, auth_level:, auth_type:)
+      dcerpc_req.sec_trailer = {
+        auth_type: auth_type,
+        auth_level: auth_level,
+        auth_context_id: @ctx_id + @auth_ctx_id_base
+      }
+      dcerpc_req.auth_value = ' ' * 16
+      dcerpc_req.pdu_header.auth_length = 16
+
+      data_to_sign = plain_stub = dcerpc_req.stub.to_binary_s + dcerpc_req.auth_pad.to_binary_s
+      if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
+        data_to_sign = dcerpc_req.to_binary_s[0..-(dcerpc_req.pdu_header.auth_length + 1)]
+      end
+
+      encrypted_stub = ''
+      if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+        case auth_type
+        when RPC_C_AUTHN_NONE
+        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+          encrypted_stub = @ntlm_client.session.seal_message(plain_stub)
+        when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
+          # TODO
+          raise NotImplementedError
+        else
+          raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+        end
+      end
+
+      signature = @ntlm_client.session.sign_message(data_to_sign)
+
+      unless encrypted_stub.empty?
+        pad_length = dcerpc_req.sec_trailer.auth_pad_length.to_i
+        dcerpc_req.enable_encrypted_stub
+        dcerpc_req.stub = encrypted_stub[0..-(pad_length + 1)]
+        dcerpc_req.auth_pad = encrypted_stub[-(pad_length)..-1]
+      end
+      dcerpc_req.auth_value = signature
+      dcerpc_req.pdu_header.auth_length = signature.size
+    end
+
+    # Process the security context received in a response. It decrypts the
+    # encrypted stub if `:auth_level` is set to anything different than
+    # RPC_C_AUTHN_LEVEL_PKT_PRIVACY. It also checks the packet signature and
+    # raises an InvalidPacket error if it fails. Note that the exception is
+    # disabled by default and can be enabled with the
+    # `:raise_signature_error` option
+    #
+    # @param dcerpc_response [Response] the Response packet
+    #   containing the security context to process
+    # @param opts [Hash] the authenticaiton options: `:auth_type` and
+    #   `:auth_level`. To enable errors when signature check fails, set the
+    #   `:raise_signature_error` option to true
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
+    # @raise [Error::CommunicationError] if socket-related error occurs
+    def handle_integrity_privacy(dcerpc_response, auth_level:, auth_type:, raise_signature_error: false)
+      decrypted_stub = ''
+      if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+        encrypted_stub = dcerpc_response.stub.to_binary_s + dcerpc_response.auth_pad.to_binary_s
+        case auth_type
+        when RPC_C_AUTHN_NONE
+        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+          decrypted_stub = @ntlm_client.session.unseal_message(encrypted_stub)
+        when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
+          # TODO
+          raise NotImplementedError
+        else
+          raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+        end
+      end
+
+      unless decrypted_stub.empty?
+        pad_length = dcerpc_response.sec_trailer.auth_pad_length.to_i
+        dcerpc_response.stub = decrypted_stub[0..-(pad_length + 1)]
+        dcerpc_response.auth_pad = decrypted_stub[-(pad_length)..-1]
+      end
+
+      signature = dcerpc_response.auth_value
+      data_to_check = dcerpc_response.stub.to_binary_s
+      if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
+        data_to_check = dcerpc_response.to_binary_s[0..-(dcerpc_response.pdu_header.auth_length + 1)]
+      end
+      unless @ntlm_client.session.verify_signature(signature, data_to_check)
+        if raise_signature_error
+          raise Error::InvalidPacket.new(
+            "Wrong packet signature received (set `raise_signature_error` to false to ignore)"
+          )
+        end
+      end
+
+      @call_id += 1
+
+      nil
+    end
+
+    # Add the authentication verifier to the packet. This includes a sec
+    # trailer and the actual authentication data.
+    #
+    # @param req [BinData::Record] the request to be updated
+    # @param auth [String] the authentication data
+    # @param auth_type [Integer] the authentication type
+    # @param auth_level [Integer] the authentication level
+    def add_auth_verifier(req, auth, auth_type, auth_level)
+      req.sec_trailer = {
+        auth_type: auth_type,
+        auth_level: auth_level,
+        auth_context_id: @ctx_id + @auth_ctx_id_base
+      }
+      req.auth_value = auth
+      req.pdu_header.auth_length = auth.length
+
+      nil
+    end
+
+    def process_ntlm_type2(type2_message)
+      ntlmssp_offset = type2_message.index('NTLMSSP')
+      type2_blob = type2_message.slice(ntlmssp_offset..-1)
+      type2_b64_message = [type2_blob].pack('m')
+      type3_message = @ntlm_client.init_context(type2_b64_message)
+      auth3 = type3_message.serialize
+
+      @session_key = @ntlm_client.session_key
+      auth3
+    end
+
+    # Send a rpc_auth3 PDU that ends the authentication handshake.
+    #
+    # @param response [BindAck] the BindAck response packet
+    # @param auth_type [Integer] the authentication type
+    # @param auth_level [Integer] the authentication level
+    # @raise [ArgumentError] if `:auth_type` is unknown
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
+    def send_auth3(response, auth_type, auth_level)
+      case auth_type
+      when RPC_C_AUTHN_NONE
+      when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+        auth3 = process_ntlm_type2(response.auth_value)
+      when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
+        # TODO
+        raise NotImplementedError
+      else
+        raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+      end
+
+      rpc_auth3 = RpcAuth3.new
+      add_auth_verifier(rpc_auth3, auth3, auth_type, auth_level)
+      rpc_auth3.pdu_header.call_id = @call_id
+
+      # The server should not respond
+      send_packet(rpc_auth3)
+      @call_id += 1
+
+      nil
+    end
   end
 end

data/lib/ruby_smb/error.rb

@@ -70,20 +70,34 @@ module RubySMB
 
     # Raised when a response packet has a NTStatus code that was unexpected.
     class UnexpectedStatusCode < RubySMBError
-      attr_reader :status_code
+      module Mixin
+        attr_reader :status_code
 
-      def initialize(status_code)
-        case status_code
-        when WindowsError::ErrorCode
-          @status_code = status_code
-        when Integer
-          @status_code = WindowsError::NTStatus.find_by_retval(status_code).first
-          if @status_code.nil?
-            @status_code = WindowsError::ErrorCode.new("0x#{status_code.to_s(16)}", status_code, "Unknown 0x#{status_code.to_s(16)}")
+        def status_name
+          @status_code.name
+        end
+
+        private
+
+        def status_code=(status_code)
+          case status_code
+          when WindowsError::ErrorCode
+            @status_code = status_code
+          when Integer
+            @status_code = WindowsError::NTStatus.find_by_retval(status_code).first
+            if @status_code.nil?
+              @status_code = WindowsError::ErrorCode.new("0x#{status_code.to_s(16).rjust(8, '0')}", status_code, "Unknown status: 0x#{status_code.to_s(16).rjust(8, '0')}")
+            end
+          else
+            raise ArgumentError, "Status code must be a WindowsError::ErrorCode or an Integer, got #{status_code.class}"
           end
-        else
-          raise ArgumentError, "Status code must be a WindowsError::ErrorCode or an Integer, got #{status_code.class}"
         end
+      end
+
+      include Mixin
+
+      def initialize(status_code)
+        self.status_code = status_code
         super
       end
 

data/lib/ruby_smb/peer_info.rb

@@ -0,0 +1,39 @@
+module RubySMB
+  module PeerInfo
+    # Extract and store useful information about the peer/server from the
+    # NTLM Type 2 (challenge) TargetInfo fields.
+    #
+    # @param target_info_str [String] the Target Info string
+    def store_target_info(target_info_str)
+      target_info = Net::NTLM::TargetInfo.new(target_info_str)
+      {
+        Net::NTLM::TargetInfo::MSV_AV_NB_COMPUTER_NAME  => :@default_name,
+        Net::NTLM::TargetInfo::MSV_AV_NB_DOMAIN_NAME    => :@default_domain,
+        Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME => :@dns_host_name,
+        Net::NTLM::TargetInfo::MSV_AV_DNS_DOMAIN_NAME   => :@dns_domain_name,
+        Net::NTLM::TargetInfo::MSV_AV_DNS_TREE_NAME     => :@dns_tree_name
+      }.each do |constant, attribute|
+        if target_info.av_pairs[constant]
+          value = target_info.av_pairs[constant].dup
+          value.force_encoding('UTF-16LE')
+          instance_variable_set(attribute, value.encode('UTF-8'))
+        end
+      end
+    end
+
+    # Extract the peer/server version number from the NTLM Type 2 (challenge)
+    # Version field.
+    #
+    # @param version [String] the version number as a binary string
+    # @return [String] the formatted version number (<major>.<minor>.<build>)
+    def extract_os_version(version)
+      begin
+        os_version = RubySMB::NTLM::OSVersion.read(version)
+      rescue IOError
+        return ''
+      end
+
+      "#{os_version.major}.#{os_version.minor}.#{os_version.build}"
+    end
+  end
+end

data/lib/ruby_smb/signing.rb

@@ -53,6 +53,8 @@ module RubySMB
     def self.smb2_sign(packet, session_key)
       packet.smb2_header.flags.signed = 1
       packet.smb2_header.signature = "\x00" * 16
+      # OpenSSL 3 raises exceptions if the session key is an empty string
+      session_key = session_key == '' ? ("\x00" * 16).b : session_key
       hmac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), session_key, packet.to_binary_s)
       packet.smb2_header.signature = hmac[0, 16]
 

data/lib/ruby_smb/smb1/pipe.rb

@@ -28,10 +28,20 @@ module RubySMB
           extend RubySMB::Dcerpc::Samr
         when 'wkssvc', '\\wkssvc'
           extend RubySMB::Dcerpc::Wkssvc
+        when 'netdfs', '\\netdfs'
+          extend RubySMB::Dcerpc::Dfsnm
+        when 'cert', '\\cert'
+          extend RubySMB::Dcerpc::Icpr
         end
         super(tree: tree, response: response, name: name)
       end
 
+      def bind(options={})
+        @size = 1024
+        @ntlm_client = @tree.client.ntlm_client
+        super
+      end
+
       # Performs a peek operation on the named pipe
       #
       # @param peek_size [Integer] Amount of data to peek
@@ -96,6 +106,11 @@ module RubySMB
         options.merge!(endpoint: stub_packet.class.name.split('::').at(-2))
         dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: stub_packet.opnum }, options)
         dcerpc_request.stub.read(stub_packet.to_binary_s)
+        if options[:auth_level] &&
+           [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+          set_integrity_privacy(dcerpc_request, auth_level: options[:auth_level], auth_type: options[:auth_type])
+        end
+
         trans_nmpipe_request = RubySMB::SMB1::Packet::Trans::TransactNmpipeRequest.new(options)
         @tree.set_header_fields(trans_nmpipe_request)
         trans_nmpipe_request.set_fid(@fid)
@@ -122,6 +137,10 @@ module RubySMB
           unless dcerpc_response.pdu_header.pfc_flags.first_frag == 1
             raise RubySMB::Dcerpc::Error::InvalidPacket, "Not the first fragment"
           end
+          if options[:auth_level] &&
+             [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+            handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+          end
           stub_data = dcerpc_response.stub.to_s
 
           loop do
@@ -133,11 +152,14 @@ module RubySMB
           stub_data
         else
           dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          if options[:auth_level] &&
+             [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+            handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+          end
           dcerpc_response.stub.to_s
         end
       end
 
-
       private
 
       def dcerpc_response_from_raw_response(raw_data)

data/lib/ruby_smb/smb2/packet/tree_connect_response.rb

@@ -21,7 +21,11 @@ module RubySMB
         uint8                 :reserved,       label: 'Reserved Space', initial_value: 0x00
         share_flags           :share_flags
         share_capabilities    :capabilities
-        file_access_mask      :maximal_access, label: 'Maximal Access'
+        choice                :maximal_access, label: 'Maximal Access', selection: -> { share_type } do
+          file_access_mask      SMB2_SHARE_TYPE_PIPE
+          file_access_mask      SMB2_SHARE_TYPE_PRINT
+          directory_access_mask SMB2_SHARE_TYPE_DISK
+        end
 
         def initialize_instance
           super