ruby_smb 3.1.7 → 3.2.1

data/lib/ruby_smb/dcerpc/ndr.rb

@@ -247,12 +247,22 @@ module RubySMB::Dcerpc::Ndr
 
     def do_read(io)
       if is_a?(ConfPlugin) && should_process_max_count?
-        set_max_count(io.readbytes(4).unpack('L<').first)
+        max_count = io.readbytes(4).unpack1('L<')
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.max_count", max_count.to_s)
+        end
+        set_max_count(max_count)
       end
 
       if is_a?(VarPlugin)
         @offset = io.readbytes(4).unpack('L<').first
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.offset", @offset.to_s)
+        end
         @actual_count = @read_until_index = io.readbytes(4).unpack('L<').first
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.actual_count", @actual_count.to_s)
+        end
       end
 
       if has_elements_to_read?
@@ -523,7 +533,11 @@ module RubySMB::Dcerpc::Ndr
 
     def do_read(io)
       if should_process_max_count?
-        set_max_count(io.readbytes(4).unpack('L<').first)
+        max_count = io.readbytes(4).unpack1('L<')
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.max_count", max_count.to_s)
+        end
+        set_max_count(max_count)
       end
       super
     end
@@ -582,7 +596,13 @@ module RubySMB::Dcerpc::Ndr
 
     def do_read(io)
       @offset = io.readbytes(4).unpack('L<').first
+       BinData.trace_message do |tracer|
+        tracer.trace_obj("#{debug_name}.offset", @offset.to_s)
+      end
       @actual_count = io.readbytes(4).unpack('L<').first
+      BinData.trace_message do |tracer|
+        tracer.trace_obj("#{debug_name}.actual_count", @actual_count.to_s)
+      end
       super if @actual_count > 0
     end
 
@@ -702,7 +722,11 @@ module RubySMB::Dcerpc::Ndr
 
     def do_read(io)
       if should_process_max_count?
-        set_max_count(io.readbytes(4).unpack('L<').first)
+        max_count = io.readbytes(4).unpack1('L<')
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.max_count", max_count.to_s)
+        end
+        set_max_count(max_count)
 
         # Align the structure according to the alignment rules for the structure
         if respond_to?(:referent_bytes_align)
@@ -1034,6 +1058,9 @@ module RubySMB::Dcerpc::Ndr
         end
       else
         @ref_id = io.readbytes(4).unpack('L<').first
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.ref_id", @ref_id.to_s)
+        end
         parent_obj = nil
         if parent&.is_a?(ConstructedTypePlugin)
           parent_obj = parent.get_top_level_constructed_type
@@ -1208,14 +1235,50 @@ module RubySMB::Dcerpc::Ndr
     extend PointerClassPlugin
   end
 
+
+  # ArrayPtr definitions:
+  #   If the type is Ndr*ArrayPtr, it's a ConfVarArray (Uni-dimensional Conformant-varying Array)
+  #   If the type is Ndr*ConfArrayPtr, it's a ConfArray (Uni-dimensional Conformant Array)
   class NdrByteArrayPtr < NdrConfVarArray
     default_parameters type: :ndr_uint8
     extend PointerClassPlugin
+
+    def assign(val)
+      val = val.bytes if val.is_a?(String)
+      super(val.to_ary)
+    end
   end
 
-  class NdrUint16ArrayPtr < NdrConfVarArray
-    default_parameters type: :ndr_uint16
+  class NdrByteConfArrayPtr < NdrConfArray
+    default_parameters type: :ndr_uint8
     extend PointerClassPlugin
+
+    def assign(val)
+      val = val.bytes if val.is_a?(String)
+      super(val.to_ary)
+    end
+  end
+
+  %i[ Uint8 Uint16 Uint32 Uint64 ].each do |klass|
+    new_klass_name = "Ndr#{klass}ArrayPtr"
+    unless self.const_defined?(new_klass_name)
+      new_klass = Class.new(NdrConfVarArray) do
+        default_parameters type: "ndr_#{klass}".downcase.to_sym
+        extend PointerClassPlugin
+      end
+      self.const_set(new_klass_name, new_klass)
+      BinData::RegisteredClasses.register(new_klass_name, new_klass)
+    end
+
+    new_klass_name = "Ndr#{klass}ConfArrayPtr"
+    unless self.const_defined?(new_klass_name)
+      new_klass = Class.new(NdrConfArray) do
+        default_parameters type: "ndr_#{klass}".downcase.to_sym
+        extend PointerClassPlugin
+      end
+      self.const_set(new_klass_name, new_klass)
+      BinData::RegisteredClasses.register(new_klass_name, new_klass)
+    end
   end
 
   class NdrFileTimePtr < NdrFileTime

data/lib/ruby_smb/dcerpc/request.rb

@@ -97,6 +97,10 @@ module RubySMB
           netr_dfs_remove_std_root_request Dfsnm::NETR_DFS_REMOVE_STD_ROOT
           string                           :default
         end
+        choice 'Icpr', selection: -> { opnum } do
+          cert_server_request_request      Icpr::CERT_SERVER_REQUEST
+          string                           :default
+        end
         string :default
       end
       string      :auth_pad,

data/lib/ruby_smb/dcerpc/samr.rb

@@ -320,7 +320,7 @@ module RubySMB
 
         def self.encrypt_password(password, key)
           # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5fe3c4c4-e71b-440d-b2fd-8448bfaf6e04
-          password = password.encode('UTF-16LE').force_encoding('ASCII-8bit')
+          password = RubySMB::Utils.safe_encode(password, 'UTF-16LE').force_encoding('ASCII-8bit')
           buffer = password.rjust(512, "\x00") + [ password.length ].pack('V')
           salt = SecureRandom.random_bytes(16)
           key = OpenSSL::Digest::MD5.new(salt + key).digest

data/lib/ruby_smb/dcerpc.rb

@@ -47,6 +47,7 @@ module RubySMB
     require 'ruby_smb/dcerpc/drsr'
     require 'ruby_smb/dcerpc/sec_trailer'
     require 'ruby_smb/dcerpc/dfsnm'
+    require 'ruby_smb/dcerpc/icpr'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/rpc_auth3'
@@ -55,25 +56,50 @@ module RubySMB
     require 'ruby_smb/dcerpc/print_system'
     require 'ruby_smb/dcerpc/encrypting_file_system'
 
-    # Bind to the remote server interface endpoint.
+    # Bind to the remote server interface endpoint. It takes care of adding
+    # the necessary authentication verifier if `:auth_level` is set to
+    # anything different than RPC_C_AUTHN_LEVEL_NONE
     #
-    # @param options [Hash] the options to pass to the Bind request packet. At least, :endpoint must but provided with an existing Dcerpc class
+    # @param [Hash] options
+    # @option options [Module] :endpoint the endpoint to bind to. This must be a Dcerpc
+    #   class with UUID, VER_MAJOR and VER_MINOR constants defined.
+    # @option options [Integer] :auth_level the authentication level
+    # @option options [Integer] :auth_type the authentication type
     # @return [BindAck] the BindAck response packet
     # @raise [Error::InvalidPacket] if an invalid packet is received
     # @raise [Error::BindError] if the response is not a BindAck packet or if the Bind result code is not ACCEPTANCE
+    # @raise [ArgumentError] if `:auth_type` is unknown
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
     def bind(options={})
+      @call_id ||= 1
       bind_req = Bind.new(options)
-      write(data: bind_req.to_binary_s)
-      @size = 1024
-      dcerpc_raw_response = read()
-      begin
-        dcerpc_response = BindAck.read(dcerpc_raw_response)
-      rescue IOError
-        raise Error::InvalidPacket, "Error reading the DCERPC response"
+      bind_req.pdu_header.call_id = @call_id
+
+      if options[:auth_level] && options[:auth_level] != RPC_C_AUTHN_LEVEL_NONE
+        case options[:auth_type]
+        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+          @ctx_id            = 0
+          @auth_ctx_id_base  = rand(0xFFFFFFFF)
+          raise ArgumentError, "NTLM Client not initialized. Username and password must be provided" unless @ntlm_client
+          type1_message = @ntlm_client.init_context
+          auth = type1_message.serialize
+        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE
+        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL
+          # TODO
+          raise NotImplementedError
+        else
+          raise ArgumentError, "Unsupported Auth Type: #{options[:auth_type]}"
+        end
+        add_auth_verifier(bind_req, auth, options[:auth_type], options[:auth_level])
       end
-      unless dcerpc_response.pdu_header.ptype == PTypes::BIND_ACK
-        raise Error::BindError, "Not a BindAck packet"
+
+      send_packet(bind_req)
+      begin
+        dcerpc_response = recv_struct(BindAck)
+      rescue Error::InvalidPacket
+        raise Error::BindError # raise the more context-specific BindError
       end
+      # TODO: see if BindNack response should be handled too
 
       res_list = dcerpc_response.p_result_list
       if res_list.n_results == 0 ||
@@ -81,9 +107,216 @@ module RubySMB
         raise Error::BindError,
           "Bind Failed (Result: #{res_list.p_results[0].result}, Reason: #{res_list.p_results[0].reason})"
       end
-      @tree.client.max_buffer_size = dcerpc_response.max_xmit_frag
+      self.max_buffer_size = dcerpc_response.max_xmit_frag
+      @call_id = dcerpc_response.pdu_header.call_id
+
+      if options[:auth_level] && options[:auth_level] != RPC_C_AUTHN_LEVEL_NONE
+        # The number of legs needed to build the security context is defined
+        # by the security provider
+        # (see [2.2.1.1.7 Security Providers](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/d4097450-c62f-484b-872f-ddf59a7a0d36))
+        case options[:auth_type]
+        when RPC_C_AUTHN_WINNT
+          send_auth3(dcerpc_response, options[:auth_type], options[:auth_level])
+        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE
+          # TODO
+          raise NotImplementedError
+        end
+      end
+
       dcerpc_response
     end
 
+    def max_buffer_size=(value)
+      @tree.client.max_buffer_size = value
+    end
+
+    # Receive a packet from the remote host and parse it according to `struct`
+    #
+    # @param struct [Class] the structure class to parse the response with
+    def recv_struct(struct)
+      raw_response = read
+      begin
+        response = struct.read(raw_response)
+      rescue IOError
+        raise Error::InvalidPacket, "Error reading the #{struct} response"
+      end
+      unless response.pdu_header.ptype == struct::PTYPE
+        raise Error::InvalidPacket, "Not a #{struct} packet"
+      end
+
+      response
+    end
+
+    # Send a packet to the remote host
+    #
+    # @param packet [BinData::Record] the packet to send
+    # @raise [Error::CommunicationError] if socket-related error occurs
+    def send_packet(packet)
+      write(data: packet.to_binary_s)
+      nil
+    end
+
+    # Add the authentication verifier to a Request packet. This includes a
+    # sec trailer and the signature of the packet. This also encrypts the
+    # Request stub if privacy is required (`:auth_level` option is
+    # RPC_C_AUTHN_LEVEL_PKT_PRIVACY).
+    #
+    # @param dcerpc_req [Request] the Request packet to be updated
+    # @param opts [Hash] the authenticaiton options: `:auth_type` and `:auth_level`
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
+    # @raise [ArgumentError] if `:auth_type` is unknown
+    def set_integrity_privacy(dcerpc_req, auth_level:, auth_type:)
+      dcerpc_req.sec_trailer = {
+        auth_type: auth_type,
+        auth_level: auth_level,
+        auth_context_id: @ctx_id + @auth_ctx_id_base
+      }
+      dcerpc_req.auth_value = ' ' * 16
+      dcerpc_req.pdu_header.auth_length = 16
+
+      data_to_sign = plain_stub = dcerpc_req.stub.to_binary_s + dcerpc_req.auth_pad.to_binary_s
+      if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
+        data_to_sign = dcerpc_req.to_binary_s[0..-(dcerpc_req.pdu_header.auth_length + 1)]
+      end
+
+      encrypted_stub = ''
+      if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+        case auth_type
+        when RPC_C_AUTHN_NONE
+        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+          encrypted_stub = @ntlm_client.session.seal_message(plain_stub)
+        when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
+          # TODO
+          raise NotImplementedError
+        else
+          raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+        end
+      end
+
+      signature = @ntlm_client.session.sign_message(data_to_sign)
+
+      unless encrypted_stub.empty?
+        pad_length = dcerpc_req.sec_trailer.auth_pad_length.to_i
+        dcerpc_req.enable_encrypted_stub
+        dcerpc_req.stub = encrypted_stub[0..-(pad_length + 1)]
+        dcerpc_req.auth_pad = encrypted_stub[-(pad_length)..-1]
+      end
+      dcerpc_req.auth_value = signature
+      dcerpc_req.pdu_header.auth_length = signature.size
+    end
+
+    # Process the security context received in a response. It decrypts the
+    # encrypted stub if `:auth_level` is set to anything different than
+    # RPC_C_AUTHN_LEVEL_PKT_PRIVACY. It also checks the packet signature and
+    # raises an InvalidPacket error if it fails. Note that the exception is
+    # disabled by default and can be enabled with the
+    # `:raise_signature_error` option
+    #
+    # @param dcerpc_response [Response] the Response packet
+    #   containing the security context to process
+    # @param opts [Hash] the authenticaiton options: `:auth_type` and
+    #   `:auth_level`. To enable errors when signature check fails, set the
+    #   `:raise_signature_error` option to true
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
+    # @raise [Error::CommunicationError] if socket-related error occurs
+    def handle_integrity_privacy(dcerpc_response, auth_level:, auth_type:, raise_signature_error: false)
+      decrypted_stub = ''
+      if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+        encrypted_stub = dcerpc_response.stub.to_binary_s + dcerpc_response.auth_pad.to_binary_s
+        case auth_type
+        when RPC_C_AUTHN_NONE
+        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+          decrypted_stub = @ntlm_client.session.unseal_message(encrypted_stub)
+        when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
+          # TODO
+          raise NotImplementedError
+        else
+          raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+        end
+      end
+
+      unless decrypted_stub.empty?
+        pad_length = dcerpc_response.sec_trailer.auth_pad_length.to_i
+        dcerpc_response.stub = decrypted_stub[0..-(pad_length + 1)]
+        dcerpc_response.auth_pad = decrypted_stub[-(pad_length)..-1]
+      end
+
+      signature = dcerpc_response.auth_value
+      data_to_check = dcerpc_response.stub.to_binary_s
+      if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
+        data_to_check = dcerpc_response.to_binary_s[0..-(dcerpc_response.pdu_header.auth_length + 1)]
+      end
+      unless @ntlm_client.session.verify_signature(signature, data_to_check)
+        if raise_signature_error
+          raise Error::InvalidPacket.new(
+            "Wrong packet signature received (set `raise_signature_error` to false to ignore)"
+          )
+        end
+      end
+
+      @call_id += 1
+
+      nil
+    end
+
+    # Add the authentication verifier to the packet. This includes a sec
+    # trailer and the actual authentication data.
+    #
+    # @param req [BinData::Record] the request to be updated
+    # @param auth [String] the authentication data
+    # @param auth_type [Integer] the authentication type
+    # @param auth_level [Integer] the authentication level
+    def add_auth_verifier(req, auth, auth_type, auth_level)
+      req.sec_trailer = {
+        auth_type: auth_type,
+        auth_level: auth_level,
+        auth_context_id: @ctx_id + @auth_ctx_id_base
+      }
+      req.auth_value = auth
+      req.pdu_header.auth_length = auth.length
+
+      nil
+    end
+
+    def process_ntlm_type2(type2_message)
+      ntlmssp_offset = type2_message.index('NTLMSSP')
+      type2_blob = type2_message.slice(ntlmssp_offset..-1)
+      type2_b64_message = [type2_blob].pack('m')
+      type3_message = @ntlm_client.init_context(type2_b64_message)
+      auth3 = type3_message.serialize
+
+      @session_key = @ntlm_client.session_key
+      auth3
+    end
+
+    # Send a rpc_auth3 PDU that ends the authentication handshake.
+    #
+    # @param response [BindAck] the BindAck response packet
+    # @param auth_type [Integer] the authentication type
+    # @param auth_level [Integer] the authentication level
+    # @raise [ArgumentError] if `:auth_type` is unknown
+    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
+    def send_auth3(response, auth_type, auth_level)
+      case auth_type
+      when RPC_C_AUTHN_NONE
+      when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
+        auth3 = process_ntlm_type2(response.auth_value)
+      when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
+        # TODO
+        raise NotImplementedError
+      else
+        raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+      end
+
+      rpc_auth3 = RpcAuth3.new
+      add_auth_verifier(rpc_auth3, auth3, auth_type, auth_level)
+      rpc_auth3.pdu_header.call_id = @call_id
+
+      # The server should not respond
+      send_packet(rpc_auth3)
+      @call_id += 1
+
+      nil
+    end
   end
 end

data/lib/ruby_smb/error.rb

@@ -73,6 +73,10 @@ module RubySMB
       module Mixin
         attr_reader :status_code
 
+        def status_name
+          @status_code.name
+        end
+
         private
 
         def status_code=(status_code)
@@ -82,7 +86,7 @@ module RubySMB
           when Integer
             @status_code = WindowsError::NTStatus.find_by_retval(status_code).first
             if @status_code.nil?
-              @status_code = WindowsError::ErrorCode.new("0x#{status_code.to_s(16).rjust(8, '0')}", status_code, "Unknown status: 0x#{status_code.to_s(16)}")
+              @status_code = WindowsError::ErrorCode.new("0x#{status_code.to_s(16).rjust(8, '0')}", status_code, "Unknown status: 0x#{status_code.to_s(16).rjust(8, '0')}")
             end
           else
             raise ArgumentError, "Status code must be a WindowsError::ErrorCode or an Integer, got #{status_code.class}"

data/lib/ruby_smb/gss/provider/ntlm.rb

@@ -18,6 +18,7 @@ module RubySMB
         end
 
         class Authenticator < Authenticator::Base
+
           def reset!
             super
             @server_challenge = nil
@@ -141,7 +142,10 @@ module RubySMB
             case type3_msg.ntlm_version
             when :ntlmv1
               my_ntlm_response = Net::NTLM::ntlm_response(
-                ntlm_hash: Net::NTLM::ntlm_hash(account.password.encode('UTF-16LE'), unicode: true),
+                ntlm_hash: Net::NTLM::ntlm_hash(
+                  RubySMB::Utils.safe_encode(account.password, 'UTF-16LE'),
+                  unicode: true
+                ),
                 challenge: @server_challenge
               )
               matches = my_ntlm_response == type3_msg.ntlm_response
@@ -151,9 +155,9 @@ module RubySMB
               their_blob = type3_msg.ntlm_response[digest.digest_length..-1]
 
               ntlmv2_hash = Net::NTLM.ntlmv2_hash(
-                account.username.encode('UTF-16LE'),
-                account.password.encode('UTF-16LE'),
-                type3_msg.domain.encode('UTF-16LE'),  # don't use the account domain because of the special '.' value
+                RubySMB::Utils.safe_encode(account.username, 'UTF-16LE'),
+                RubySMB::Utils.safe_encode(account.password, 'UTF-16LE'),
+                RubySMB::Utils.safe_encode(type3_msg.domain, 'UTF-16LE'),  # don't use the account domain because of the special '.' value
                 {client_challenge: their_blob[16...24], unicode: true}
               )
 
@@ -305,7 +309,10 @@ module RubySMB
           username = username.downcase
           domain = @default_domain if domain.nil? || domain == '.'.encode(domain.encoding)
           domain = domain.downcase
-          @accounts.find { |account| account.username.encode(username.encoding).downcase == username && account.domain.encode(domain.encoding).downcase == domain }
+          @accounts.find do |account|
+            RubySMB::Utils.safe_encode(account.username, username.encoding).downcase == username &&
+              RubySMB::Utils.safe_encode(account.domain, domain.encoding).downcase == domain
+          end
         end
 
         #

data/lib/ruby_smb/ntlm/client.rb

@@ -51,6 +51,10 @@ module RubySMB::NTLM
         !challenge_message.has_flag?(:UNICODE) && challenge_message.has_flag?(:OEM)
       end
 
+      def ntlmv2_hash
+        @ntlmv2_hash ||= RubySMB::NTLM.ntlmv2_hash(username, password, domain, {:client_challenge => client_challenge, :unicode => !use_oem_strings?})
+      end
+
       def calculate_user_session_key!
         if is_anonymous?
           # see MS-NLMP section 3.4

data/lib/ruby_smb/ntlm/custom/ntlm.rb

@@ -0,0 +1,19 @@
+require 'net/ntlm'
+
+module Custom
+  module NTLM
+
+    def self.prepended(base)
+      base.singleton_class.send(:prepend, ClassMethods)
+    end
+
+    module ClassMethods
+      def encode_utf16le(str)
+        str.dup.force_encoding('UTF-8').encode(Encoding::UTF_16LE, Encoding::UTF_8).force_encoding('ASCII-8BIT')
+      end
+    end
+
+  end
+end
+
+Net::NTLM::EncodeUtil.send(:prepend, Custom::NTLM)

data/lib/ruby_smb/ntlm.rb

@@ -1,3 +1,5 @@
+require 'ruby_smb/ntlm/custom/ntlm'
+
 module RubySMB
   module NTLM
     # [[MS-NLMP] 2.2.2.5](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832)
@@ -56,6 +58,41 @@ module RubySMB
         "Version #{major}.#{minor} (Build #{build}); NTLM Current Revision #{ntlm_revision}"
       end
     end
+
+    class << self
+
+      # Generate a NTLMv2 Hash
+      # @param [String] user The username
+      # @param [String] password The password
+      # @param [String] target The domain or workstation to authenticate to
+      # @option opt :unicode (false) Unicode encode the domain
+      def ntlmv2_hash(user, password, target, opt={})
+        if Net::NTLM.is_ntlm_hash? password
+          decoded_password = Net::NTLM::EncodeUtil.decode_utf16le(password)
+          ntlmhash = [decoded_password.upcase[33,65]].pack('H32')
+        else
+          ntlmhash = Net::NTLM.ntlm_hash(password, opt)
+        end
+
+        if opt[:unicode]
+          # Uppercase operation on username containing non-ASCII characters
+          # after being unicode encoded with `EncodeUtil.encode_utf16le`
+          # doesn't play well. Upcase should be done before encoding.
+          user_upcase = Net::NTLM::EncodeUtil.decode_utf16le(user).upcase
+          user_upcase = Net::NTLM::EncodeUtil.encode_utf16le(user_upcase)
+        else
+          user_upcase = user.upcase
+        end
+        userdomain = user_upcase + target
+
+        unless opt[:unicode]
+          userdomain = Net::NTLM::EncodeUtil.encode_utf16le(userdomain)
+        end
+        OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmhash, userdomain)
+      end
+
+    end
+
   end
 end
 

data/lib/ruby_smb/peer_info.rb

@@ -0,0 +1,39 @@
+module RubySMB
+  module PeerInfo
+    # Extract and store useful information about the peer/server from the
+    # NTLM Type 2 (challenge) TargetInfo fields.
+    #
+    # @param target_info_str [String] the Target Info string
+    def store_target_info(target_info_str)
+      target_info = Net::NTLM::TargetInfo.new(target_info_str)
+      {
+        Net::NTLM::TargetInfo::MSV_AV_NB_COMPUTER_NAME  => :@default_name,
+        Net::NTLM::TargetInfo::MSV_AV_NB_DOMAIN_NAME    => :@default_domain,
+        Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME => :@dns_host_name,
+        Net::NTLM::TargetInfo::MSV_AV_DNS_DOMAIN_NAME   => :@dns_domain_name,
+        Net::NTLM::TargetInfo::MSV_AV_DNS_TREE_NAME     => :@dns_tree_name
+      }.each do |constant, attribute|
+        if target_info.av_pairs[constant]
+          value = target_info.av_pairs[constant].dup
+          value.force_encoding('UTF-16LE')
+          instance_variable_set(attribute, value.encode('UTF-8'))
+        end
+      end
+    end
+
+    # Extract the peer/server version number from the NTLM Type 2 (challenge)
+    # Version field.
+    #
+    # @param version [String] the version number as a binary string
+    # @return [String] the formatted version number (<major>.<minor>.<build>)
+    def extract_os_version(version)
+      begin
+        os_version = RubySMB::NTLM::OSVersion.read(version)
+      rescue IOError
+        return ''
+      end
+
+      "#{os_version.major}.#{os_version.minor}.#{os_version.build}"
+    end
+  end
+end

data/lib/ruby_smb/server/server_client/tree_connect.rb

@@ -7,7 +7,7 @@ module RubySMB
           # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/b062f3e3-1b65-4a9a-854a-0ee432499d8f
           response = RubySMB::SMB1::Packet::TreeConnectResponse.new
 
-          share_name = request.data_block.path.encode('UTF-8').split('\\', 4).last
+          share_name = RubySMB::Utils.safe_encode(request.data_block.path, 'UTF-8').split('\\', 4).last
           share_provider = @server.shares.transform_keys(&:downcase)[share_name.downcase]
           if share_provider.nil?
             logger.warn("Received TREE_CONNECT request for non-existent share: #{share_name}")
@@ -49,7 +49,7 @@ module RubySMB
             return response
           end
 
-          share_name = request.path.encode('UTF-8').split('\\', 4).last
+          share_name = RubySMB::Utils.safe_encode(request.path, 'UTF-8').split('\\', 4).last
           share_provider = @server.shares.transform_keys(&:downcase)[share_name.downcase]
 
           if share_provider.nil?