ruby_smb 3.1.7 → 3.2.0

data/lib/ruby_smb/dcerpc.rb

@@ -47,6 +47,7 @@ module RubySMB
     require 'ruby_smb/dcerpc/drsr'
     require 'ruby_smb/dcerpc/sec_trailer'
     require 'ruby_smb/dcerpc/dfsnm'
+    require 'ruby_smb/dcerpc/icpr'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/rpc_auth3'
@@ -55,25 +56,50 @@ module RubySMB
     require 'ruby_smb/dcerpc/print_system'
     require 'ruby_smb/dcerpc/encrypting_file_system'
 
-    # Bind to the remote server interface endpoint.
+    # Bind to the remote server interface endpoint. It takes care of adding
+    # the necessary authentication verifier if `:auth_level` is set to
+    # anything different than RPC_C_AUTHN_LEVEL_NONE
     #
-    # @param options [Hash] the options to pass to the Bind request packet. At least, :endpoint must but provided with an existing Dcerpc class
+    # @param [Hash] options
+    # @option options [Module] :endpoint the endpoint to bind to. This must be a Dcerpc
+    #   class with UUID, VER_MAJOR and VER_MINOR constants defined.
+    # @option options [Integer] :auth_level the authentication level
+    # @option options [Integer] :auth_type the authentication type
     # @return [BindAck] the BindAck response packet
     # @raise [Error::InvalidPacket] if an invalid packet is received
     # @raise [Error::BindError] if the response is not a BindAck packet or if the Bind result code is not ACCEPTANCE
+    # @raise [ArgumentError] if `:auth_type` is unknown
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
     def bind(options={})
+      @call_id ||= 1
       bind_req = Bind.new(options)
-      write(data: bind_req.to_binary_s)
-      @size = 1024
-      dcerpc_raw_response = read()
-      begin
-        dcerpc_response = BindAck.read(dcerpc_raw_response)
-      rescue IOError
-        raise Error::InvalidPacket, "Error reading the DCERPC response"
+      bind_req.pdu_header.call_id = @call_id
+
+      if options[:auth_level] && options[:auth_level] != RPC_C_AUTHN_LEVEL_NONE
+        case options[:auth_type]
+        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+          @ctx_id            = 0
+          @auth_ctx_id_base  = rand(0xFFFFFFFF)
+          raise ArgumentError, "NTLM Client not initialized. Username and password must be provided" unless @ntlm_client
+          type1_message = @ntlm_client.init_context
+          auth = type1_message.serialize
+        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE
+        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL
+          # TODO
+          raise NotImplementedError
+        else
+          raise ArgumentError, "Unsupported Auth Type: #{options[:auth_type]}"
+        end
+        add_auth_verifier(bind_req, auth, options[:auth_type], options[:auth_level])
       end
-      unless dcerpc_response.pdu_header.ptype == PTypes::BIND_ACK
-        raise Error::BindError, "Not a BindAck packet"
+
+      send_packet(bind_req)
+      begin
+        dcerpc_response = recv_struct(BindAck)
+      rescue Error::InvalidPacket
+        raise Error::BindError # raise the more context-specific BindError
       end
+      # TODO: see if BindNack response should be handled too
 
       res_list = dcerpc_response.p_result_list
       if res_list.n_results == 0 ||
@@ -81,9 +107,216 @@ module RubySMB
         raise Error::BindError,
           "Bind Failed (Result: #{res_list.p_results[0].result}, Reason: #{res_list.p_results[0].reason})"
       end
-      @tree.client.max_buffer_size = dcerpc_response.max_xmit_frag
+      self.max_buffer_size = dcerpc_response.max_xmit_frag
+      @call_id = dcerpc_response.pdu_header.call_id
+
+      if options[:auth_level] && options[:auth_level] != RPC_C_AUTHN_LEVEL_NONE
+        # The number of legs needed to build the security context is defined
+        # by the security provider
+        # (see [2.2.1.1.7 Security Providers](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/d4097450-c62f-484b-872f-ddf59a7a0d36))
+        case options[:auth_type]
+        when RPC_C_AUTHN_WINNT
+          send_auth3(dcerpc_response, options[:auth_type], options[:auth_level])
+        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE
+          # TODO
+          raise NotImplementedError
+        end
+      end
+
       dcerpc_response
     end
 
+    def max_buffer_size=(value)
+      @tree.client.max_buffer_size = value
+    end
+
+    # Receive a packet from the remote host and parse it according to `struct`
+    #
+    # @param struct [Class] the structure class to parse the response with
+    def recv_struct(struct)
+      raw_response = read
+      begin
+        response = struct.read(raw_response)
+      rescue IOError
+        raise Error::InvalidPacket, "Error reading the #{struct} response"
+      end
+      unless response.pdu_header.ptype == struct::PTYPE
+        raise Error::InvalidPacket, "Not a #{struct} packet"
+      end
+
+      response
+    end
+
+    # Send a packet to the remote host
+    #
+    # @param packet [BinData::Record] the packet to send
+    # @raise [Error::CommunicationError] if socket-related error occurs
+    def send_packet(packet)
+      write(data: packet.to_binary_s)
+      nil
+    end
+
+    # Add the authentication verifier to a Request packet. This includes a
+    # sec trailer and the signature of the packet. This also encrypts the
+    # Request stub if privacy is required (`:auth_level` option is
+    # RPC_C_AUTHN_LEVEL_PKT_PRIVACY).
+    #
+    # @param dcerpc_req [Request] the Request packet to be updated
+    # @param opts [Hash] the authenticaiton options: `:auth_type` and `:auth_level`
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
+    # @raise [ArgumentError] if `:auth_type` is unknown
+    def set_integrity_privacy(dcerpc_req, auth_level:, auth_type:)
+      dcerpc_req.sec_trailer = {
+        auth_type: auth_type,
+        auth_level: auth_level,
+        auth_context_id: @ctx_id + @auth_ctx_id_base
+      }
+      dcerpc_req.auth_value = ' ' * 16
+      dcerpc_req.pdu_header.auth_length = 16
+
+      data_to_sign = plain_stub = dcerpc_req.stub.to_binary_s + dcerpc_req.auth_pad.to_binary_s
+      if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
+        data_to_sign = dcerpc_req.to_binary_s[0..-(dcerpc_req.pdu_header.auth_length + 1)]
+      end
+
+      encrypted_stub = ''
+      if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+        case auth_type
+        when RPC_C_AUTHN_NONE
+        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+          encrypted_stub = @ntlm_client.session.seal_message(plain_stub)
+        when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
+          # TODO
+          raise NotImplementedError
+        else
+          raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+        end
+      end
+
+      signature = @ntlm_client.session.sign_message(data_to_sign)
+
+      unless encrypted_stub.empty?
+        pad_length = dcerpc_req.sec_trailer.auth_pad_length.to_i
+        dcerpc_req.enable_encrypted_stub
+        dcerpc_req.stub = encrypted_stub[0..-(pad_length + 1)]
+        dcerpc_req.auth_pad = encrypted_stub[-(pad_length)..-1]
+      end
+      dcerpc_req.auth_value = signature
+      dcerpc_req.pdu_header.auth_length = signature.size
+    end
+
+    # Process the security context received in a response. It decrypts the
+    # encrypted stub if `:auth_level` is set to anything different than
+    # RPC_C_AUTHN_LEVEL_PKT_PRIVACY. It also checks the packet signature and
+    # raises an InvalidPacket error if it fails. Note that the exception is
+    # disabled by default and can be enabled with the
+    # `:raise_signature_error` option
+    #
+    # @param dcerpc_response [Response] the Response packet
+    #   containing the security context to process
+    # @param opts [Hash] the authenticaiton options: `:auth_type` and
+    #   `:auth_level`. To enable errors when signature check fails, set the
+    #   `:raise_signature_error` option to true
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
+    # @raise [Error::CommunicationError] if socket-related error occurs
+    def handle_integrity_privacy(dcerpc_response, auth_level:, auth_type:, raise_signature_error: false)
+      decrypted_stub = ''
+      if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+        encrypted_stub = dcerpc_response.stub.to_binary_s + dcerpc_response.auth_pad.to_binary_s
+        case auth_type
+        when RPC_C_AUTHN_NONE
+        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+          decrypted_stub = @ntlm_client.session.unseal_message(encrypted_stub)
+        when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
+          # TODO
+          raise NotImplementedError
+        else
+          raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+        end
+      end
+
+      unless decrypted_stub.empty?
+        pad_length = dcerpc_response.sec_trailer.auth_pad_length.to_i
+        dcerpc_response.stub = decrypted_stub[0..-(pad_length + 1)]
+        dcerpc_response.auth_pad = decrypted_stub[-(pad_length)..-1]
+      end
+
+      signature = dcerpc_response.auth_value
+      data_to_check = dcerpc_response.stub.to_binary_s
+      if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
+        data_to_check = dcerpc_response.to_binary_s[0..-(dcerpc_response.pdu_header.auth_length + 1)]
+      end
+      unless @ntlm_client.session.verify_signature(signature, data_to_check)
+        if raise_signature_error
+          raise Error::InvalidPacket.new(
+            "Wrong packet signature received (set `raise_signature_error` to false to ignore)"
+          )
+        end
+      end
+
+      @call_id += 1
+
+      nil
+    end
+
+    # Add the authentication verifier to the packet. This includes a sec
+    # trailer and the actual authentication data.
+    #
+    # @param req [BinData::Record] the request to be updated
+    # @param auth [String] the authentication data
+    # @param auth_type [Integer] the authentication type
+    # @param auth_level [Integer] the authentication level
+    def add_auth_verifier(req, auth, auth_type, auth_level)
+      req.sec_trailer = {
+        auth_type: auth_type,
+        auth_level: auth_level,
+        auth_context_id: @ctx_id + @auth_ctx_id_base
+      }
+      req.auth_value = auth
+      req.pdu_header.auth_length = auth.length
+
+      nil
+    end
+
+    def process_ntlm_type2(type2_message)
+      ntlmssp_offset = type2_message.index('NTLMSSP')
+      type2_blob = type2_message.slice(ntlmssp_offset..-1)
+      type2_b64_message = [type2_blob].pack('m')
+      type3_message = @ntlm_client.init_context(type2_b64_message)
+      auth3 = type3_message.serialize
+
+      @session_key = @ntlm_client.session_key
+      auth3
+    end
+
+    # Send a rpc_auth3 PDU that ends the authentication handshake.
+    #
+    # @param response [BindAck] the BindAck response packet
+    # @param auth_type [Integer] the authentication type
+    # @param auth_level [Integer] the authentication level
+    # @raise [ArgumentError] if `:auth_type` is unknown
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
+    def send_auth3(response, auth_type, auth_level)
+      case auth_type
+      when RPC_C_AUTHN_NONE
+      when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+        auth3 = process_ntlm_type2(response.auth_value)
+      when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
+        # TODO
+        raise NotImplementedError
+      else
+        raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+      end
+
+      rpc_auth3 = RpcAuth3.new
+      add_auth_verifier(rpc_auth3, auth3, auth_type, auth_level)
+      rpc_auth3.pdu_header.call_id = @call_id
+
+      # The server should not respond
+      send_packet(rpc_auth3)
+      @call_id += 1
+
+      nil
+    end
   end
 end

data/lib/ruby_smb/error.rb

@@ -73,6 +73,10 @@ module RubySMB
       module Mixin
         attr_reader :status_code
 
+        def status_name
+          @status_code.name
+        end
+
         private
 
         def status_code=(status_code)
@@ -82,7 +86,7 @@ module RubySMB
           when Integer
             @status_code = WindowsError::NTStatus.find_by_retval(status_code).first
             if @status_code.nil?
-              @status_code = WindowsError::ErrorCode.new("0x#{status_code.to_s(16).rjust(8, '0')}", status_code, "Unknown status: 0x#{status_code.to_s(16)}")
+              @status_code = WindowsError::ErrorCode.new("0x#{status_code.to_s(16).rjust(8, '0')}", status_code, "Unknown status: 0x#{status_code.to_s(16).rjust(8, '0')}")
             end
           else
             raise ArgumentError, "Status code must be a WindowsError::ErrorCode or an Integer, got #{status_code.class}"

data/lib/ruby_smb/peer_info.rb

@@ -0,0 +1,39 @@
+module RubySMB
+  module PeerInfo
+    # Extract and store useful information about the peer/server from the
+    # NTLM Type 2 (challenge) TargetInfo fields.
+    #
+    # @param target_info_str [String] the Target Info string
+    def store_target_info(target_info_str)
+      target_info = Net::NTLM::TargetInfo.new(target_info_str)
+      {
+        Net::NTLM::TargetInfo::MSV_AV_NB_COMPUTER_NAME  => :@default_name,
+        Net::NTLM::TargetInfo::MSV_AV_NB_DOMAIN_NAME    => :@default_domain,
+        Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME => :@dns_host_name,
+        Net::NTLM::TargetInfo::MSV_AV_DNS_DOMAIN_NAME   => :@dns_domain_name,
+        Net::NTLM::TargetInfo::MSV_AV_DNS_TREE_NAME     => :@dns_tree_name
+      }.each do |constant, attribute|
+        if target_info.av_pairs[constant]
+          value = target_info.av_pairs[constant].dup
+          value.force_encoding('UTF-16LE')
+          instance_variable_set(attribute, value.encode('UTF-8'))
+        end
+      end
+    end
+
+    # Extract the peer/server version number from the NTLM Type 2 (challenge)
+    # Version field.
+    #
+    # @param version [String] the version number as a binary string
+    # @return [String] the formatted version number (<major>.<minor>.<build>)
+    def extract_os_version(version)
+      begin
+        os_version = RubySMB::NTLM::OSVersion.read(version)
+      rescue IOError
+        return ''
+      end
+
+      "#{os_version.major}.#{os_version.minor}.#{os_version.build}"
+    end
+  end
+end

data/lib/ruby_smb/smb1/pipe.rb

@@ -30,10 +30,18 @@ module RubySMB
           extend RubySMB::Dcerpc::Wkssvc
         when 'netdfs', '\\netdfs'
           extend RubySMB::Dcerpc::Dfsnm
+        when 'cert', '\\cert'
+          extend RubySMB::Dcerpc::Icpr
         end
         super(tree: tree, response: response, name: name)
       end
 
+      def bind(options={})
+        @size = 1024
+        @ntlm_client = @tree.client.ntlm_client
+        super
+      end
+
       # Performs a peek operation on the named pipe
       #
       # @param peek_size [Integer] Amount of data to peek
@@ -98,6 +106,11 @@ module RubySMB
         options.merge!(endpoint: stub_packet.class.name.split('::').at(-2))
         dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: stub_packet.opnum }, options)
         dcerpc_request.stub.read(stub_packet.to_binary_s)
+        if options[:auth_level] &&
+           [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+          set_integrity_privacy(dcerpc_request, auth_level: options[:auth_level], auth_type: options[:auth_type])
+        end
+
         trans_nmpipe_request = RubySMB::SMB1::Packet::Trans::TransactNmpipeRequest.new(options)
         @tree.set_header_fields(trans_nmpipe_request)
         trans_nmpipe_request.set_fid(@fid)
@@ -124,6 +137,10 @@ module RubySMB
           unless dcerpc_response.pdu_header.pfc_flags.first_frag == 1
             raise RubySMB::Dcerpc::Error::InvalidPacket, "Not the first fragment"
           end
+          if options[:auth_level] &&
+             [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+            handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+          end
           stub_data = dcerpc_response.stub.to_s
 
           loop do
@@ -135,11 +152,14 @@ module RubySMB
           stub_data
         else
           dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          if options[:auth_level] &&
+             [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+            handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+          end
           dcerpc_response.stub.to_s
         end
       end
 
-
       private
 
       def dcerpc_response_from_raw_response(raw_data)

data/lib/ruby_smb/smb2/packet/tree_connect_response.rb

@@ -21,7 +21,11 @@ module RubySMB
         uint8                 :reserved,       label: 'Reserved Space', initial_value: 0x00
         share_flags           :share_flags
         share_capabilities    :capabilities
-        file_access_mask      :maximal_access, label: 'Maximal Access'
+        choice                :maximal_access, label: 'Maximal Access', selection: -> { share_type } do
+          file_access_mask      SMB2_SHARE_TYPE_PIPE
+          file_access_mask      SMB2_SHARE_TYPE_PRINT
+          directory_access_mask SMB2_SHARE_TYPE_DISK
+        end
 
         def initialize_instance
           super

data/lib/ruby_smb/smb2/pipe.rb

@@ -27,10 +27,18 @@ module RubySMB
           extend RubySMB::Dcerpc::Wkssvc
         when 'netdfs', '\\netdfs'
           extend RubySMB::Dcerpc::Dfsnm
+        when 'cert', '\\cert'
+          extend RubySMB::Dcerpc::Icpr
         end
         super(tree: tree, response: response, name: name)
       end
 
+      def bind(options={})
+        @size = 1024
+        @ntlm_client = @tree.client.ntlm_client
+        super
+      end
+
       # Performs a peek operation on the named pipe
       #
       # @param peek_size [Integer] Amount of data to peek
@@ -91,6 +99,11 @@ module RubySMB
         options.merge!(endpoint: stub_packet.class.name.split('::').at(-2))
         dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: stub_packet.opnum }, options)
         dcerpc_request.stub.read(stub_packet.to_binary_s)
+        if options[:auth_level] &&
+           [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+          set_integrity_privacy(dcerpc_request, auth_level: options[:auth_level], auth_type: options[:auth_type])
+        end
+
         ioctl_send_recv(dcerpc_request, options)
       end
 
@@ -122,6 +135,10 @@ module RubySMB
           unless dcerpc_response.pdu_header.pfc_flags.first_frag == 1
             raise RubySMB::Dcerpc::Error::InvalidPacket, "Not the first fragment"
           end
+          if options[:auth_level] &&
+             [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+            handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+          end
           stub_data = dcerpc_response.stub.to_s
 
           loop do
@@ -133,6 +150,10 @@ module RubySMB
           stub_data
         else
           dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          if options[:auth_level] &&
+             [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+            handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+          end
           dcerpc_response.stub.to_s
         end
       end

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.1.7'.freeze
+  VERSION = '3.2.0'.freeze
 end

data/spec/lib/ruby_smb/dcerpc/icpr/cert_server_request_request_spec.rb

@@ -0,0 +1,64 @@
+RSpec.describe RubySMB::Dcerpc::Icpr::CertServerRequestRequest do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :dw_flags }
+  it { is_expected.to respond_to :pwsz_authority }
+  it { is_expected.to respond_to :pdw_request_id }
+  it { is_expected.to respond_to :pctb_attribs }
+  it { is_expected.to respond_to :pctb_request }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#dw_flags' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.dw_flags).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#pwsz_authority' do
+    it 'is a NdrWideStringzPtr structure' do
+      expect(packet.pwsz_authority).to be_a RubySMB::Dcerpc::Ndr::NdrWideStringzPtr
+    end
+  end
+  describe '#pdw_request_id' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.pdw_request_id).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#pctb_attribs' do
+    it 'is a CertTransBlob structure' do
+      expect(packet.pctb_attribs).to be_a RubySMB::Dcerpc::Icpr::CertTransBlob
+    end
+  end
+  describe '#pctb_request' do
+    it 'is a CertTransBlob structure' do
+      expect(packet.pctb_request).to be_a RubySMB::Dcerpc::Icpr::CertTransBlob
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to CERT_SERVER_REQUEST constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Icpr::CERT_SERVER_REQUEST)
+    end
+  end
+  it 'reads itself' do
+    new_packet = described_class.new({
+      dw_flags: 0,
+      pwsz_authority: 'DC-CA',
+      pdw_request_id: 1,
+      pctb_attribs: { pb: 'ATTRIBUTES'.bytes },
+      pctb_request: { pb: 'REQUEST'.bytes }
+    })
+    expected_output = {
+      dw_flags: 0,
+      pwsz_authority: 'DC-CA'.encode('utf-16le'),
+      pdw_request_id: 1,
+      pctb_attribs: { cb: 10, pb: 'ATTRIBUTES'.bytes },
+      pctb_request: { cb: 7, pb: 'REQUEST'.bytes }
+    }
+    expect(packet.read(new_packet.to_binary_s)).to eq(expected_output)
+  end
+end

data/spec/lib/ruby_smb/dcerpc/icpr/cert_server_request_response_spec.rb

@@ -0,0 +1,71 @@
+RSpec.describe RubySMB::Dcerpc::Icpr::CertServerRequestResponse do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :pdw_request_id }
+  it { is_expected.to respond_to :pdw_disposition }
+  it { is_expected.to respond_to :pctb_cert }
+  it { is_expected.to respond_to :pctb_encoded_cert }
+  it { is_expected.to respond_to :pctb_disposition_message }
+  it { is_expected.to respond_to :error_status }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#pdw_request_id' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.pdw_request_id).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#pdw_disposition' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.pdw_disposition).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#pctb_cert' do
+    it 'is a CertTransBlob structure' do
+      expect(packet.pctb_cert).to be_a RubySMB::Dcerpc::Icpr::CertTransBlob
+    end
+  end
+  describe '#pctb_encoded_cert' do
+    it 'is a CertTransBlob structure' do
+      expect(packet.pctb_encoded_cert).to be_a RubySMB::Dcerpc::Icpr::CertTransBlob
+    end
+  end
+  describe '#pctb_disposition_message' do
+    it 'is a CertTransBlob structure' do
+      expect(packet.pctb_disposition_message).to be_a RubySMB::Dcerpc::Icpr::CertTransBlob
+    end
+  end
+  describe '#error_status' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.error_status).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to CERT_SERVER_REQUEST constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Icpr::CERT_SERVER_REQUEST)
+    end
+  end
+  it 'reads itself' do
+    new_packet = described_class.new({
+      pdw_request_id: 1,
+      pdw_disposition: 0,
+      pctb_cert: { pb: 'CERT'.bytes },
+      pctb_encoded_cert: { pb: 'ENCODED_CERT'.bytes },
+      pctb_disposition_message: { pb: 'DISPOSITION_MESSAGE'.bytes },
+      error_status: 0
+    })
+    expected_output = {
+      pdw_request_id: 1,
+      pdw_disposition: 0,
+      pctb_cert: { cb: 4, pb: 'CERT'.bytes },
+      pctb_encoded_cert: { cb: 12, pb: 'ENCODED_CERT'.bytes },
+      pctb_disposition_message: { cb: 19, pb: 'DISPOSITION_MESSAGE'.bytes },
+      error_status: 0
+    }
+    expect(packet.read(new_packet.to_binary_s)).to eq(expected_output)
+  end
+end

data/spec/lib/ruby_smb/dcerpc/icpr/cert_trans_blob_spec.rb

@@ -0,0 +1,33 @@
+RSpec.describe RubySMB::Dcerpc::Icpr::CertTransBlob do
+  subject(:struct) { described_class.new }
+
+  it { is_expected.to respond_to :cb }
+  it { is_expected.to respond_to :pb }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(struct).to be_a(BinData::Record)
+  end
+  describe '#cb' do
+    it 'is a NdrUint32 structure' do
+      expect(struct.cb).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#pb' do
+    it 'is a NdrByteConfArrayPtr structure' do
+      expect(struct.pb).to be_a RubySMB::Dcerpc::Ndr::NdrByteConfArrayPtr
+    end
+  end
+  describe '#buffer' do
+    it 'returns a string' do
+      expect(struct.buffer).to be_a String
+    end
+  end
+  it 'reads itself' do
+    new_struct = described_class.new({ pb: 'BUFFER' })
+    expected_output = { cb: 6, pb: 'BUFFER'.bytes }
+    expect(struct.read(new_struct.to_binary_s)).to eq(expected_output)
+  end
+end

data/spec/lib/ruby_smb/dcerpc_spec.rb

@@ -23,6 +23,7 @@ RSpec.describe RubySMB::Dcerpc do
       allow(RubySMB::Dcerpc::BindAck).to receive(:read).and_return(bind_ack_packet)
       allow(tree).to receive(:client).and_return(client)
       allow(client).to receive(:max_buffer_size=)
+      allow(client).to receive(:ntlm_client)
     end
 
     it 'creates a Bind packet' do
@@ -49,7 +50,7 @@ RSpec.describe RubySMB::Dcerpc do
 
     it 'raises the expected exception when an invalid packet is received' do
       allow(RubySMB::Dcerpc::BindAck).to receive(:read).and_raise(IOError)
-      expect { pipe.bind(options) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+      expect { pipe.bind(options) }.to raise_error(RubySMB::Dcerpc::Error::BindError)
     end
 
     it 'raises the expected exception when it is not a BindAck packet' do