ruby_smb 3.2.4 → 3.2.6

data/lib/ruby_smb/dcerpc.rb

@@ -51,11 +51,128 @@ module RubySMB
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/rpc_auth3'
+    require 'ruby_smb/dcerpc/port_any_t'
+    require 'ruby_smb/dcerpc/p_cont_list_t'
+    require 'ruby_smb/dcerpc/p_result_t'
+    require 'ruby_smb/dcerpc/p_result_list_t'
+    require 'ruby_smb/dcerpc/alter_context'
     require 'ruby_smb/dcerpc/bind'
     require 'ruby_smb/dcerpc/bind_ack'
+    require 'ruby_smb/dcerpc/alter_context_resp'
     require 'ruby_smb/dcerpc/print_system'
     require 'ruby_smb/dcerpc/encrypting_file_system'
 
+    # Initialize the auth provider using NTLM. This function should be overriden for other providers (e.g. Kerberos, etc.)
+    # @raise ArgumentError If @ntlm_client isn't initialized with a username and password.
+    # @return Serialized message for initializing the auth provider (NTLM, unless this class is extended/overridden)
+    def auth_provider_init
+      raise ArgumentError, "NTLM Client not initialized. Username and password must be provided" unless @ntlm_client
+      type1_message = @ntlm_client.init_context
+
+      type1_message.serialize
+    end
+
+    # Encrypt the value in dcerpc_req.stub, and add a valid signature to the request.
+    # This function modifies the request object in-place, and does not return anything.
+    # This function should be overriden for other providers (e.g. Kerberos, etc.)
+    # @param dcerpc_req [Request] The Request object to be encrypted and signed in-place
+    def auth_provider_encrypt_and_sign(dcerpc_req)
+      auth_type = dcerpc_req.sec_trailer.auth_type
+      auth_level = dcerpc_req.sec_trailer.auth_level
+      unless [RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT].include?(auth_type)
+        raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+      end
+      plaintext = dcerpc_req.stub.to_binary_s
+      pad_length = get_auth_padding_length(plaintext.length)
+      dcerpc_req.auth_pad = "\x00" * pad_length
+      data_to_sign = plain_stub_with_padding = dcerpc_req.stub.to_binary_s + dcerpc_req.auth_pad.to_binary_s
+      dcerpc_req.sec_trailer.auth_pad_length = pad_length
+      if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
+        data_to_sign = dcerpc_req.to_binary_s[0..-(dcerpc_req.pdu_header.auth_length + 1)]
+      end
+
+      if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+        encrypted = @ntlm_client.session.seal_message(plain_stub_with_padding)
+        set_encrypted_packet(dcerpc_req, encrypted, pad_length)
+      end
+      signature = @ntlm_client.session.sign_message(data_to_sign)
+
+      set_signature_on_packet(dcerpc_req, signature)
+    end
+
+    # Get the response's full stub value (which will include the auth-pad)
+    # @param dcerpc_response [Response] The Response object to extract from
+    # @return [String] The full stub, including auth_pad
+    def get_response_full_stub(dcerpc_response)
+      dcerpc_response.stub.to_binary_s + dcerpc_response.auth_pad.to_binary_s
+    end
+
+    # Decrypt the value in dcerpc_req.stub, and validate its signature.
+    # This function modifies the request object in-place, and returns whether the signature was valid.
+    # This function should be overriden for other providers (e.g. Kerberos, etc.)
+    # @param dcerpc_response [Response] The Response packet to decrypt and verify in-place
+    # @raise ArgumentError If the auth type is not NTLM
+    # @return [Boolean] Is the packet's signature valid?
+    def auth_provider_decrypt_and_verify(dcerpc_response)
+      auth_type = dcerpc_response.sec_trailer.auth_type
+      auth_level = dcerpc_response.sec_trailer.auth_level
+      unless [RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT].include?(auth_type)
+        raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+      end
+      signature = dcerpc_response.auth_value
+      if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+        encrypted_stub = get_response_full_stub(dcerpc_response)
+        plaintext = @ntlm_client.session.unseal_message(encrypted_stub)
+        set_decrypted_packet(dcerpc_response, plaintext)
+      end
+      data_to_check = dcerpc_response.stub.to_binary_s
+      if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
+        data_to_check = dcerpc_response.to_binary_s[0..-(dcerpc_response.pdu_header.auth_length + 1)]
+      end
+
+      @ntlm_client.session.verify_signature(signature, data_to_check)
+    end
+
+    # Completes local initialisation of @ntlm_client using the server's response
+    #
+    # @param type2_message [String] NTLM type 2 message sent from server
+    # @return [String] Type 3 message to be sent to the server to complete the NTLM handshake
+    def process_ntlm_type2(type2_message)
+      ntlmssp_offset = type2_message.index('NTLMSSP')
+      type2_blob = type2_message.slice(ntlmssp_offset..-1)
+      type2_b64_message = [type2_blob].pack('m')
+      type3_message = @ntlm_client.init_context(type2_b64_message)
+      auth3 = type3_message.serialize
+
+      @session_key = @ntlm_client.session_key
+      auth3
+    end
+
+    # Send a rpc_auth3 PDU that ends the authentication handshake.
+    # This function should be overriden for other providers (e.g. Kerberos, etc.)
+    #
+    # @param response [BindAck] the BindAck response packet
+    # @param options [Hash] Unused by the NTLM auth provider
+    def auth_provider_complete_handshake(response, options)
+      auth3 = process_ntlm_type2(response.auth_value)
+
+      rpc_auth3 = RpcAuth3.new
+      add_auth_verifier(rpc_auth3, auth3)
+      rpc_auth3.pdu_header.call_id = @call_id
+
+      # The server should not respond
+      send_packet(rpc_auth3)
+      @call_id += 1
+
+      nil
+    end
+
+    def force_set_auth_params(auth_type, auth_level)
+      @auth_type = auth_type
+      @auth_level = auth_level
+    end
+
+
     # Bind to the remote server interface endpoint. It takes care of adding
     # the necessary authentication verifier if `:auth_level` is set to
     # anything different than RPC_C_AUTHN_LEVEL_NONE
@@ -74,23 +191,16 @@ module RubySMB
       @call_id ||= 1
       bind_req = Bind.new(options)
       bind_req.pdu_header.call_id = @call_id
+      auth_type = options.fetch(:auth_type) { RPC_C_AUTHN_WINNT }
+      auth_level = options.fetch(:auth_level) { RPC_C_AUTHN_LEVEL_NONE }
 
-      if options[:auth_level] && options[:auth_level] != RPC_C_AUTHN_LEVEL_NONE
-        case options[:auth_type]
-        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
-          @ctx_id            = 0
-          @auth_ctx_id_base  = rand(0xFFFFFFFF)
-          raise ArgumentError, "NTLM Client not initialized. Username and password must be provided" unless @ntlm_client
-          type1_message = @ntlm_client.init_context
-          auth = type1_message.serialize
-        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE
-        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL
-          # TODO
-          raise NotImplementedError
-        else
-          raise ArgumentError, "Unsupported Auth Type: #{options[:auth_type]}"
-        end
-        add_auth_verifier(bind_req, auth, options[:auth_type], options[:auth_level])
+      force_set_auth_params(auth_type, auth_level)
+
+      if @auth_level != RPC_C_AUTHN_LEVEL_NONE
+        @ctx_id            = 0
+        @auth_ctx_id_base  = rand(0xFFFFFFFF)
+        auth = auth_provider_init
+        add_auth_verifier(bind_req, auth)
       end
 
       send_packet(bind_req)
@@ -110,17 +220,11 @@ module RubySMB
       self.max_buffer_size = dcerpc_response.max_xmit_frag
       @call_id = dcerpc_response.pdu_header.call_id
 
-      if options[:auth_level] && options[:auth_level] != RPC_C_AUTHN_LEVEL_NONE
+      if auth_level != RPC_C_AUTHN_LEVEL_NONE
         # The number of legs needed to build the security context is defined
         # by the security provider
-        # (see [2.2.1.1.7 Security Providers](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/d4097450-c62f-484b-872f-ddf59a7a0d36))
-        case options[:auth_type]
-        when RPC_C_AUTHN_WINNT
-          send_auth3(dcerpc_response, options[:auth_type], options[:auth_level])
-        when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE
-          # TODO
-          raise NotImplementedError
-        end
+        # (see [2.2.1.1.7 Security Providers](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/d4097450-c62f-484b-872f-ddf59a7a0d36))
+        auth_provider_complete_handshake(dcerpc_response, options)
       end
 
       dcerpc_response
@@ -156,16 +260,24 @@ module RubySMB
       nil
     end
 
+    def get_auth_padding_length(plaintext_len)
+      (16 - (plaintext_len % 16)) % 16
+    end
+
     # Add the authentication verifier to a Request packet. This includes a
     # sec trailer and the signature of the packet. This also encrypts the
     # Request stub if privacy is required (`:auth_level` option is
     # RPC_C_AUTHN_LEVEL_PKT_PRIVACY).
     #
     # @param dcerpc_req [Request] the Request packet to be updated
-    # @param opts [Hash] the authenticaiton options: `:auth_type` and `:auth_level`
+    # @param opts [Hash] the authentication options: `:auth_type` and `:auth_level`
     # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
     # @raise [ArgumentError] if `:auth_type` is unknown
     def set_integrity_privacy(dcerpc_req, auth_level:, auth_type:)
+      unless [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(auth_level)
+        raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
+      end
+
       dcerpc_req.sec_trailer = {
         auth_type: auth_type,
         auth_level: auth_level,
@@ -174,35 +286,30 @@ module RubySMB
       dcerpc_req.auth_value = ' ' * 16
       dcerpc_req.pdu_header.auth_length = 16
 
-      data_to_sign = plain_stub = dcerpc_req.stub.to_binary_s + dcerpc_req.auth_pad.to_binary_s
-      if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
-        data_to_sign = dcerpc_req.to_binary_s[0..-(dcerpc_req.pdu_header.auth_length + 1)]
-      end
-
-      encrypted_stub = ''
-      if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
-        case auth_type
-        when RPC_C_AUTHN_NONE
-        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
-          encrypted_stub = @ntlm_client.session.seal_message(plain_stub)
-        when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
-          # TODO
-          raise NotImplementedError
-        else
-          raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
-        end
-      end
+      auth_provider_encrypt_and_sign(dcerpc_req)
+    end
 
-      signature = @ntlm_client.session.sign_message(data_to_sign)
+    def set_signature_on_packet(dcerpc_req, signature)
+      dcerpc_req.auth_value = signature
+      dcerpc_req.pdu_header.auth_length = signature.size
+    end
 
+    def set_encrypted_packet(dcerpc_req, encrypted_stub, pad_length)
       unless encrypted_stub.empty?
-        pad_length = dcerpc_req.sec_trailer.auth_pad_length.to_i
         dcerpc_req.enable_encrypted_stub
-        dcerpc_req.stub = encrypted_stub[0..-(pad_length + 1)]
-        dcerpc_req.auth_pad = encrypted_stub[-(pad_length)..-1]
+        dcerpc_req.stub = encrypted_stub[0..-(pad_length+1)]
+        if pad_length != 0
+          dcerpc_req.auth_pad = encrypted_stub[-(pad_length)..-1]
+        end
+      end
+    end
+
+    def set_decrypted_packet(dcerpc_response, decrypted_stub)
+      unless decrypted_stub.empty?
+        pad_length = dcerpc_response.sec_trailer.auth_pad_length.to_i
+        dcerpc_response.stub = decrypted_stub[0..-(pad_length + 1)]
+        dcerpc_response.auth_pad = decrypted_stub[-(pad_length + 1)..-1]
       end
-      dcerpc_req.auth_value = signature
-      dcerpc_req.pdu_header.auth_length = signature.size
     end
 
     # Process the security context received in a response. It decrypts the
@@ -214,39 +321,18 @@ module RubySMB
     #
     # @param dcerpc_response [Response] the Response packet
     #   containing the security context to process
-    # @param opts [Hash] the authenticaiton options: `:auth_type` and
+    # @param opts [Hash] the authentication options: `:auth_type` and
     #   `:auth_level`. To enable errors when signature check fails, set the
     #   `:raise_signature_error` option to true
     # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
     # @raise [Error::CommunicationError] if socket-related error occurs
     def handle_integrity_privacy(dcerpc_response, auth_level:, auth_type:, raise_signature_error: false)
-      decrypted_stub = ''
-      if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
-        encrypted_stub = dcerpc_response.stub.to_binary_s + dcerpc_response.auth_pad.to_binary_s
-        case auth_type
-        when RPC_C_AUTHN_NONE
-        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
-          decrypted_stub = @ntlm_client.session.unseal_message(encrypted_stub)
-        when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
-          # TODO
-          raise NotImplementedError
-        else
-          raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
-        end
-      end
-
-      unless decrypted_stub.empty?
-        pad_length = dcerpc_response.sec_trailer.auth_pad_length.to_i
-        dcerpc_response.stub = decrypted_stub[0..-(pad_length + 1)]
-        dcerpc_response.auth_pad = decrypted_stub[-(pad_length)..-1]
+      unless [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(auth_level)
+        raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
       end
+      signature_valid = auth_provider_decrypt_and_verify(dcerpc_response)
 
-      signature = dcerpc_response.auth_value
-      data_to_check = dcerpc_response.stub.to_binary_s
-      if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
-        data_to_check = dcerpc_response.to_binary_s[0..-(dcerpc_response.pdu_header.auth_length + 1)]
-      end
-      unless @ntlm_client.session.verify_signature(signature, data_to_check)
+      unless signature_valid
         if raise_signature_error
           raise Error::InvalidPacket.new(
             "Wrong packet signature received (set `raise_signature_error` to false to ignore)"
@@ -264,12 +350,10 @@ module RubySMB
     #
     # @param req [BinData::Record] the request to be updated
     # @param auth [String] the authentication data
-    # @param auth_type [Integer] the authentication type
-    # @param auth_level [Integer] the authentication level
-    def add_auth_verifier(req, auth, auth_type, auth_level)
+    def add_auth_verifier(req, auth)
       req.sec_trailer = {
-        auth_type: auth_type,
-        auth_level: auth_level,
+        auth_type: @auth_type,
+        auth_level: @auth_level,
         auth_context_id: @ctx_id + @auth_ctx_id_base
       }
       req.auth_value = auth
@@ -277,46 +361,5 @@ module RubySMB
 
       nil
     end
-
-    def process_ntlm_type2(type2_message)
-      ntlmssp_offset = type2_message.index('NTLMSSP')
-      type2_blob = type2_message.slice(ntlmssp_offset..-1)
-      type2_b64_message = [type2_blob].pack('m')
-      type3_message = @ntlm_client.init_context(type2_b64_message)
-      auth3 = type3_message.serialize
-
-      @session_key = @ntlm_client.session_key
-      auth3
-    end
-
-    # Send a rpc_auth3 PDU that ends the authentication handshake.
-    #
-    # @param response [BindAck] the BindAck response packet
-    # @param auth_type [Integer] the authentication type
-    # @param auth_level [Integer] the authentication level
-    # @raise [ArgumentError] if `:auth_type` is unknown
-    # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
-    def send_auth3(response, auth_type, auth_level)
-      case auth_type
-      when RPC_C_AUTHN_NONE
-      when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
-        auth3 = process_ntlm_type2(response.auth_value)
-      when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
-        # TODO
-        raise NotImplementedError
-      else
-        raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
-      end
-
-      rpc_auth3 = RpcAuth3.new
-      add_auth_verifier(rpc_auth3, auth3, auth_type, auth_level)
-      rpc_auth3.pdu_header.call_id = @call_id
-
-      # The server should not respond
-      send_packet(rpc_auth3)
-      @call_id += 1
-
-      nil
-    end
   end
 end

data/lib/ruby_smb/ntlm/custom/string_encoder.rb

@@ -0,0 +1,22 @@
+require 'net/ntlm'
+
+module RubySMB
+  module NTLM
+    module Custom
+      module StringEncoder
+
+        def self.prepended(base)
+          base.singleton_class.send(:prepend, ClassMethods)
+        end
+
+        module ClassMethods
+          def encode_utf16le(str)
+            str.dup.force_encoding('UTF-8').encode(Encoding::UTF_16LE, Encoding::UTF_8).force_encoding('ASCII-8BIT')
+          end
+        end
+      end
+    end
+  end
+end
+
+Net::NTLM::EncodeUtil.send(:prepend, RubySMB::NTLM::Custom::StringEncoder)

data/lib/ruby_smb/ntlm.rb

@@ -1,4 +1,4 @@
-require 'ruby_smb/ntlm/custom/ntlm'
+require 'ruby_smb/ntlm/custom/string_encoder'
 
 module RubySMB
   module NTLM

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.2.4'.freeze
+  VERSION = '3.2.6'.freeze
 end

data/lib/ruby_smb.rb

@@ -6,7 +6,7 @@ require 'openssl/ccm'
 require 'openssl/cmac'
 require 'windows_error'
 require 'windows_error/nt_status'
-require 'ruby_smb/ntlm/custom/ntlm'
+require 'ruby_smb/ntlm/custom/string_encoder'
 # A packet parsing and manipulation library for the SMB1 and SMB2 protocols
 #
 # [[MS-SMB] Server Message Block (SMB) Protocol Version 1](https://msdn.microsoft.com/en-us/library/cc246482.aspx)

data/spec/lib/ruby_smb/dcerpc/client_spec.rb

@@ -9,7 +9,12 @@ RSpec.describe RubySMB::Dcerpc::Client do
   let(:endpoint) { RubySMB::Dcerpc::Samr }
 
   subject(:client) { described_class.new(host, endpoint) }
-  subject(:auth_client) { described_class.new(host, endpoint, username: 'testuser', password: '1234') }
+  subject(:auth_client) do
+    result = described_class.new(host, endpoint, username: 'testuser', password: '1234')
+    result.force_set_auth_params(RubySMB::Dcerpc::RPC_C_AUTHN_WINNT, RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
+   
+    result
+  end
 
   it { is_expected.to respond_to :domain }
   it { is_expected.to respond_to :local_workstation }
@@ -135,21 +140,21 @@ RSpec.describe RubySMB::Dcerpc::Client do
     describe '#add_auth_verifier' do
       let(:req) { RubySMB::Dcerpc::Bind.new }
       let(:auth_type) { RubySMB::Dcerpc::RPC_C_AUTHN_WINNT }
-      let(:auth_level) { 0 }
+      let(:auth_level) { RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY }
       let(:auth) { 'serialized auth value' }
 
       it 'sets #auth_value field to the expected value' do
-        auth_client.add_auth_verifier(req, auth, auth_type, auth_level)
+        auth_client.add_auth_verifier(req, auth)
         expect(req.auth_value).to eq(auth)
       end
 
       it 'sets PDUHeader #auth_length field to the expected value' do
-        auth_client.add_auth_verifier(req, auth, auth_type, auth_level)
+        auth_client.add_auth_verifier(req, auth)
         expect(req.pdu_header.auth_length).to eq(auth.length)
       end
 
       it 'sets #sec_trailer field to the expected value' do
-        auth_client.add_auth_verifier(req, auth, auth_type, auth_level)
+        auth_client.add_auth_verifier(req, auth)
         expect(req.sec_trailer.auth_type).to eq(auth_type)
         expect(req.sec_trailer.auth_level).to eq(auth_level)
         expect(req.sec_trailer.auth_context_id).to eq(auth_client.instance_variable_get(:@auth_ctx_id_base))
@@ -202,29 +207,29 @@ RSpec.describe RubySMB::Dcerpc::Client do
       end
 
       it 'add an auth verifier to the RpcAuth3 packet' do
-        auth_client.send_auth3(bindack, auth_type, auth_level)
-        expect(auth_client).to have_received(:add_auth_verifier).with(rpc_auth3, auth3, auth_type, auth_level)
+        auth_client.auth_provider_complete_handshake(bindack, auth_type: auth_type, auth_level: auth_level)
+        expect(auth_client).to have_received(:add_auth_verifier).with(rpc_auth3, auth3)
       end
 
       it 'sets the PDUHeader #call_id to the expected value' do
         auth_client.instance_variable_set(:@call_id, 56)
-        auth_client.send_auth3(bindack, auth_type, auth_level)
+        auth_client.auth_provider_complete_handshake(bindack, auth_type: auth_type, auth_level: auth_level)
         expect(rpc_auth3.pdu_header.call_id).to eq(56)
       end
 
       it 'sends the RpcAuth3 packet' do
-        auth_client.send_auth3(bindack, auth_type, auth_level)
+        auth_client.auth_provider_complete_handshake(bindack, auth_type: auth_type, auth_level: auth_level)
         expect(auth_client).to have_received(:send_packet).with(rpc_auth3)
       end
 
       it 'increments #call_id' do
-        auth_client.send_auth3(bindack, auth_type, auth_level)
+        auth_client.auth_provider_complete_handshake(bindack, auth_type: auth_type, auth_level: auth_level)
         expect(auth_client.instance_variable_get(:@call_id)).to eq(2)
       end
 
       context 'with RPC_C_AUTHN_WINNT auth_type' do
         it 'processes NTLM type2 message' do
-          auth_client.send_auth3(bindack, auth_type, auth_level)
+          auth_client.auth_provider_complete_handshake(bindack, auth_type: auth_type, auth_level: auth_level)
           expect(auth_client).to have_received(:process_ntlm_type2).with(auth)
         end
       end
@@ -300,7 +305,7 @@ RSpec.describe RubySMB::Dcerpc::Client do
 
       context 'with RPC_C_AUTHN_WINNT auth_type' do
         let(:kwargs) do {
-            auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_DEFAULT,
+            auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
             auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
           }
         end
@@ -310,7 +315,7 @@ RSpec.describe RubySMB::Dcerpc::Client do
           allow(client.ntlm_client).to receive(:init_context).and_return(type1_message)
           allow(type1_message).to receive(:serialize).and_return(auth)
           allow(client).to receive(:add_auth_verifier)
-          allow(client).to receive(:send_auth3)
+          allow(client).to receive(:auth_provider_complete_handshake)
         end
 
         it 'raises an exception if the NTLM client is not initialized' do
@@ -320,12 +325,12 @@ RSpec.describe RubySMB::Dcerpc::Client do
 
         it 'adds the auth verifier with a NTLM type1 message' do
           client.bind(**kwargs)
-          expect(client).to have_received(:add_auth_verifier).with(bind_req, auth, kwargs[:auth_type], kwargs[:auth_level])
+          expect(client).to have_received(:add_auth_verifier).with(bind_req, auth)
         end
 
         it 'sends an auth3 request' do
           client.bind(**kwargs)
-          expect(client).to have_received(:send_auth3).with(bindack_response, kwargs[:auth_type], kwargs[:auth_level])
+          expect(client).to have_received(:auth_provider_complete_handshake).with(bindack_response, auth_type: kwargs[:auth_type], auth_level: kwargs[:auth_level])
         end
       end
     end
@@ -372,10 +377,14 @@ RSpec.describe RubySMB::Dcerpc::Client do
 
   describe '#set_integrity_privacy' do
     let(:dcerpc_req) do
-      RubySMB::Dcerpc::Request.new(
+      req = RubySMB::Dcerpc::Request.new(
         { opnum: RubySMB::Dcerpc::Winreg::REG_ENUM_KEY },
         { endpoint: 'Winreg' }
       )
+      req.sec_trailer.auth_pad_length = 8
+      req.auth_pad = "\x00" * 8
+
+      req
     end
     let(:auth_level) { RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY }
     let(:auth_type) { RubySMB::Dcerpc::RPC_C_AUTHN_WINNT }
@@ -656,6 +665,8 @@ RSpec.describe RubySMB::Dcerpc::Client do
       # Make sure the encrypted stub includes the correct pad to make sure sec_trailer is 16-bytes aligned
       allow(session).to receive(:unseal_message).and_return(decrypted_stub + auth_pad)
       allow(session).to receive(:verify_signature).and_return true
+      dcerpc_res.sec_trailer.auth_type = auth_type
+      dcerpc_res.sec_trailer.auth_level = auth_level
     end
 
     it 'verifies the signature' do
@@ -698,6 +709,8 @@ RSpec.describe RubySMB::Dcerpc::Client do
     context 'without RPC_C_AUTHN_LEVEL_PKT_PRIVACY auth_level' do
       it 'does not encrypt the stub' do
         plain_stub = dcerpc_res.stub.to_binary_s
+        dcerpc_res.sec_trailer.auth_level = RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
+        dcerpc_res.sec_trailer.auth_type = RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
         auth_client.handle_integrity_privacy(dcerpc_res, auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, auth_type: auth_type)
         expect(dcerpc_res.stub).to eq(plain_stub)
         expect(session).to_not have_received(:unseal_message)
@@ -706,6 +719,8 @@ RSpec.describe RubySMB::Dcerpc::Client do
 
     context 'with an unsupported auth_level' do
       it 'raises an Argument exception' do
+        dcerpc_res.sec_trailer.auth_level = RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
+        dcerpc_res.sec_trailer.auth_type = 88
         expect { auth_client.handle_integrity_privacy(dcerpc_res, auth_level: auth_level, auth_type: 88) }.to raise_error(ArgumentError)
       end
     end

data/spec/lib/ruby_smb/dcerpc/drsr_spec.rb

@@ -6,7 +6,10 @@ RSpec.describe RubySMB::Dcerpc::Drsr do
   end
 
   let(:drsr) do
-    RubySMB::Dcerpc::Client.new('1.2.3.4', RubySMB::Dcerpc::Drsr)
+    drsr = RubySMB::Dcerpc::Client.new('1.2.3.4', RubySMB::Dcerpc::Drsr)
+    drsr.force_set_auth_params(RubySMB::Dcerpc::RPC_C_AUTHN_WINNT, RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
+
+    drsr
   end
 
   describe described_class::DrsHandle do

data/spec/lib/ruby_smb/dcerpc/request_spec.rb

@@ -134,12 +134,6 @@ RSpec.describe RubySMB::Dcerpc::Request do
       packet.pdu_header.auth_length = 10
       expect(packet.auth_pad?).to be true
     end
-
-    it 'makes sure #sec_trailer is 16-bytes aligned with the begining of the PDU body (stub)' do
-      packet.pdu_header.auth_length = 6
-      packet.stub = 'A' * rand(0xFF)
-      expect((packet.sec_trailer.abs_offset - packet.stub.abs_offset) % 16).to eq(0)
-    end
   end
 
   describe '#sec_trailer' do

data/spec/lib/ruby_smb/dcerpc/response_spec.rb

@@ -77,12 +77,6 @@ RSpec.describe RubySMB::Dcerpc::Response do
       packet.pdu_header.auth_length = 10
       expect(packet.auth_pad?).to be true
     end
-
-    it 'makes sure #sec_trailer is 16-bytes aligned with the begining of the PDU body (stub)' do
-      packet.pdu_header.auth_length = 6
-      packet.stub = 'A' * rand(0xFF)
-      expect((packet.sec_trailer.abs_offset - packet.stub.abs_offset) % 16).to eq(0)
-    end
   end
 
   describe '#sec_trailer' do

data/spec/lib/ruby_smb/dcerpc/sec_trailer_spec.rb

@@ -36,20 +36,6 @@ RSpec.describe RubySMB::Dcerpc::SecTrailer do
       expect(packet.auth_pad_length).to eq(0)
     end
 
-    context 'when the parent structure has an #auth_pad field' do
-      let(:pad) { 'A' * rand(0xFF) }
-      let(:packet_with_parent) do
-        Class.new(BinData::Record) do
-          string      :auth_pad
-          sec_trailer :sec_trailer
-        end.new(auth_pad: pad)
-      end
-
-      it 'has a value equal to the size of the #auth_pad field' do
-        expect(packet_with_parent.sec_trailer.auth_pad_length).to eq(pad.size)
-      end
-    end
-
     context 'when the parent structure does not have an #auth_pad field' do
       let(:pad) { 'A' * rand(0xFF) }
       let(:packet_with_parent) do