ruby_smb 3.3.10 → 3.3.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 07f6abd7129c406c8b1c008c686eef226b8fa385fa06be6eec900b95b4f97a32
-  data.tar.gz: 4ddc7ee9c516a1649faa15ad4316e36149aa4304c4dc176dfd5234f46f9218be
+  metadata.gz: d9ee813b67da3f28bf15f24cd60e6ff6be3c931490f97fe95786537d191a171b
+  data.tar.gz: 0d36cfa0892d145bf40d1ad43ba8e0d35185357c50d35ce8e7bc64a586041bcf
 SHA512:
-  metadata.gz: e948d03583b517435a912b4ea07086ee0bff1fc07c0f65f0ea89e51ec10ee4ab2074d33a82c4f774656909c938331a7080fb521e5e65989bb301e10cd80d1bf5
-  data.tar.gz: 2f964acae7e74b25cb49e3d47ea125d4f4669f3f8868b9e895bb2f63be9e465e3fc1021e6695a1b837616a0f92419708ff4af6cb894b630d0b6292c95e3b4599
+  metadata.gz: b52b91a93e363be0ed1578a6b67c94409e831a848da346cf1e985e1686804bbf444e1ba15d3a6f350cb77bba9a8a035b06c4c066b96665399805da8bc0193011
+  data.tar.gz: 17d2c3bc2bb46204538a827aac81a9f46317518cbf24abdade18fd60460b57db131ed3d6d8db3cce8accadd752256c7fb8fc53b74a435a1226048166d93c0020

data/.github/workflows/metasploit-framework_acceptance.yml

@@ -0,0 +1,47 @@
+name: Metasploit Framework Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  workflow_dispatch:
+    inputs:
+      metasploitFrameworkCommit:
+        description: 'metasploit-framework branch would like to test'
+        required: true
+        default: 'master'
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  build:
+    uses: rapid7/metasploit-framework/.github/workflows/shared_smb_acceptance.yml@master
+    with:
+      metasploit_framework_commit: ${{ github.event.inputs.metasploitFrameworkCommit }}
+      build_smb: true

data/lib/ruby_smb/client.rb

@@ -4,7 +4,6 @@ module RubySMB
   class Client
     require 'ruby_smb/ntlm'
     require 'ruby_smb/signing'
-    require 'ruby_smb/utils'
     require 'ruby_smb/client/negotiation'
     require 'ruby_smb/client/authentication'
     require 'ruby_smb/client/tree_connect'
@@ -320,11 +319,12 @@ module RubySMB
       if smb1 == false && smb2 == false && smb3 == false
         raise ArgumentError, 'You must enable at least one Protocol'
       end
+
       @dispatcher        = dispatcher
       @pid               = rand(0xFFFF)
       @domain            = domain
       @local_workstation = local_workstation
-      @password          = RubySMB::Utils.safe_encode((password||''), 'utf-8')
+      @password          = (password || '')
       @sequence_counter  = 0
       @session_id        = 0x00
       @session_key       = ''
@@ -334,7 +334,7 @@ module RubySMB
       @smb1              = smb1
       @smb2              = smb2
       @smb3              = smb3
-      @username          = RubySMB::Utils.safe_encode((username||''), 'utf-8')
+      @username          = (username || '')
       @max_buffer_size   = MAX_BUFFER_SIZE
       # These sizes will be modified during negotiation
       @server_max_buffer_size = SERVER_MAX_BUFFER_SIZE
@@ -417,8 +417,8 @@ module RubySMB
                       local_workstation: self.local_workstation, ntlm_flags: NTLM::DEFAULT_CLIENT_FLAGS)
       @domain            = domain
       @local_workstation = local_workstation
-      @password          = RubySMB::Utils.safe_encode((pass||''), 'utf-8')
-      @username          = RubySMB::Utils.safe_encode((user||''), 'utf-8')
+      @password          = (pass || '')
+      @username          = (user || '')
 
       @ntlm_client = RubySMB::NTLM::Client.new(
           @username,

data/lib/ruby_smb/dcerpc/client.rb

@@ -9,12 +9,10 @@ module RubySMB
       require 'ruby_smb/dcerpc'
       require 'ruby_smb/gss'
       require 'ruby_smb/peer_info'
-      require 'ruby_smb/utils'
 
       include Dcerpc
       include Epm
       include PeerInfo
-      include Utils
 
       # The default maximum size of a RPC message that the Client accepts (in bytes)
       MAX_BUFFER_SIZE = 64512
@@ -120,8 +118,8 @@ module RubySMB
         @read_timeout      = read_timeout
         @domain            = domain
         @local_workstation = local_workstation
-        @username          = RubySMB::Utils.safe_encode(username, 'utf-8')
-        @password          = RubySMB::Utils.safe_encode(password, 'utf-8')
+        @username          = username
+        @password          = password
         @max_buffer_size   = MAX_BUFFER_SIZE
         @call_id           = 1
         @ctx_id            = 0

data/lib/ruby_smb/dcerpc/icpr.rb

@@ -35,7 +35,7 @@ module RubySMB
       def cert_server_request(attributes:, authority:, csr:)
         cert_server_request_request = CertServerRequestRequest.new(
           pwsz_authority: authority,
-          pctb_attribs: { pb: (RubySMB::Utils.safe_encode(attributes.map { |k,v| "#{k}:#{v}" }.join("\n"), 'UTF-16le').force_encoding('ASCII-8bit') + "\x00\x00".b) },
+          pctb_attribs: { pb: (attributes.map { |k,v| "#{k}:#{v}" }.join("\n").encode('UTF-16LE').force_encoding('ASCII-8BIT') + "\x00\x00".b) },
           pctb_request: { pb: csr.to_der }
         )
 
@@ -53,7 +53,7 @@ module RubySMB
         ret = {
           certificate: nil,
           disposition: cert_server_request_response.pdw_disposition.value,
-          disposition_message: cert_server_request_response.pctb_disposition_message.buffer.chomp("\x00\x00").force_encoding('utf-16le').encode,
+          disposition_message: cert_server_request_response.pctb_disposition_message.buffer.chomp("\x00\x00").force_encoding('UTF-16LE').encode,
           status: {
             CR_DISP_ISSUED => :issued,
             CR_DISP_UNDER_SUBMISSION => :submitted,

data/lib/ruby_smb/dcerpc/request.rb

@@ -70,6 +70,8 @@ module RubySMB
           samr_close_handle_request                    Samr::SAMR_CLOSE_HANDLE
           samr_get_alias_membership_request            Samr::SAMR_GET_ALIAS_MEMBERSHIP
           samr_open_user_request                       Samr::SAMR_OPEN_USER
+          samr_open_group_request                      Samr::SAMR_OPEN_GROUP
+          samr_get_members_in_group_request            Samr::SAMR_GET_MEMBERS_IN_GROUP
           samr_get_groups_for_user_request             Samr::SAMR_GET_GROUPS_FOR_USER
           samr_enumerate_domains_in_sam_server_request Samr::SAMR_ENUMERATE_DOMAINS_IN_SAM_SERVER
           samr_lookup_names_in_domain_request          Samr::SAMR_LOOKUP_NAMES_IN_DOMAIN

data/lib/ruby_smb/dcerpc/samr/samr_get_members_in_group_request.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.8.3 SamrGetMembersInGroup (Opnum 25)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/3ed5030d-88a3-42ca-a6e0-8c12aa2fdfbd)
+      class SamrGetMembersInGroupRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        sampr_handle :group_handle
+
+        def initialize_instance
+          super
+          @opnum = SAMR_GET_MEMBERS_IN_GROUP
+        end
+      end
+
+    end
+  end
+end
+
+

data/lib/ruby_smb/dcerpc/samr/samr_get_members_in_group_response.rb

@@ -0,0 +1,34 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+      # [2.2.7.14 SAMPR_GET_MEMBERS_BUFFER](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/225147b1-45b7-4fde-a5bf-bf420e18fa08)
+      class SamprGetMembersBuffer < Ndr::NdrStruct
+        default_parameter byte_align: 4
+
+        ndr_uint32                 :member_count
+        ndr_uint32_conf_array_ptr  :members,    type: :ndr_uint32
+        ndr_uint32_conf_array_ptr  :attributes, type: :ndr_uint32
+      end
+
+      class PsamprGetMembersBuffer < SamprGetMembersBuffer
+        extend Ndr::PointerClassPlugin
+      end
+
+      # [2.1.5.8.3 SamrGetMembersInGroup (Opnum 25)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/a4adbf20-040f-4416-a960-e5b7917fdae7)
+      class SamrGetMembersInGroupResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        psampr_get_members_buffer  :members
+        ndr_uint32                 :error_status
+
+        def initialize_instance
+          super
+          @opnum = SAMR_GET_MEMBERS_IN_GROUP
+        end
+      end
+    end
+  end
+end
+

data/lib/ruby_smb/dcerpc/samr/samr_open_group_request.rb

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.1.7 SamrOpenGroup (Opnum 19)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/d396e6c9-d04a-4729-b0d8-f50f2748f3c8)
+      class SamrOpenGroupRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        sampr_handle :domain_handle
+        # Access control on a server object: bitwise OR of common ACCESS_MASK
+        # and user ACCESS_MASK values (see lib/ruby_smb/dcerpc/samr.rb)
+        ndr_uint32   :desired_access
+        ndr_uint32   :group_id
+
+        def initialize_instance
+          super
+          @opnum = SAMR_OPEN_GROUP
+        end
+      end
+
+    end
+  end
+end
+

data/lib/ruby_smb/dcerpc/samr/samr_open_group_response.rb

@@ -0,0 +1,24 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.1.7 SamrOpenGroup (Opnum 19)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/d396e6c9-d04a-4729-b0d8-f50f2748f3c8)
+      class SamrOpenGroupResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        sampr_handle :group_handle
+        ndr_uint32   :error_status
+
+        def initialize_instance
+          super
+          @opnum = SAMR_OPEN_GROUP
+        end
+      end
+
+    end
+  end
+end
+
+

data/lib/ruby_smb/dcerpc/samr.rb

@@ -20,6 +20,8 @@ module RubySMB
       SAMR_ENUMERATE_USERS_IN_DOMAIN       = 0x000D
       SAMR_GET_ALIAS_MEMBERSHIP            = 0x0010
       SAMR_LOOKUP_NAMES_IN_DOMAIN          = 0x0011
+      SAMR_OPEN_GROUP                      = 0x0013
+      SAMR_GET_MEMBERS_IN_GROUP            = 0x0019
       SAMR_OPEN_USER                       = 0x0022
       SAMR_DELETE_USER                     = 0x0023
       SAMR_GET_GROUPS_FOR_USER             = 0x0027
@@ -337,7 +339,7 @@ module RubySMB
 
         def self.encrypt_password(password, key)
           # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5fe3c4c4-e71b-440d-b2fd-8448bfaf6e04
-          password = RubySMB::Utils.safe_encode(password, 'UTF-16LE').force_encoding('ASCII-8bit')
+          password = password.encode('UTF-16LE').force_encoding('ASCII-8BIT')
           buffer = password.rjust(512, "\x00") + [ password.length ].pack('V')
           salt = SecureRandom.random_bytes(16)
           key = OpenSSL::Digest::MD5.new(salt + key).digest
@@ -441,8 +443,8 @@ module RubySMB
         uint16 :reserved3
         string :reserved4, length: 96
         uint16 :property_signature, initial_value: 0x50
-        uint16 :property_count, initial_value: -> { user_properties.size }
-        array  :user_properties, type: :user_property, initial_length: :property_count
+        uint16 :property_count, initial_value: -> { user_properties.size }, onlyif: -> { struct_length > 111 }
+        array  :user_properties, type: :user_property, initial_length: :property_count, onlyif: :property_count?
         uint8  :reserved5
       end
 
@@ -509,8 +511,12 @@ module RubySMB
       require 'ruby_smb/dcerpc/samr/samr_rid_to_sid_response'
       require 'ruby_smb/dcerpc/samr/samr_close_handle_request'
       require 'ruby_smb/dcerpc/samr/samr_close_handle_response'
+      require 'ruby_smb/dcerpc/samr/samr_get_members_in_group_request'
+      require 'ruby_smb/dcerpc/samr/samr_get_members_in_group_response'
       require 'ruby_smb/dcerpc/samr/samr_get_alias_membership_request'
       require 'ruby_smb/dcerpc/samr/samr_get_alias_membership_response'
+      require 'ruby_smb/dcerpc/samr/samr_open_group_request'
+      require 'ruby_smb/dcerpc/samr/samr_open_group_response'
       require 'ruby_smb/dcerpc/samr/samr_open_user_request'
       require 'ruby_smb/dcerpc/samr/samr_open_user_response'
       require 'ruby_smb/dcerpc/samr/samr_get_groups_for_user_request'
@@ -935,6 +941,40 @@ module RubySMB
         samr_get_alias_membership_reponse.membership.elements.to_ary
       end
 
+      # Returns a handle to a group, given a RID
+      #
+      # @param domain_handle [RubySMB::Dcerpc::Samr::SamprHandle] An RPC context
+      #   representing a domain object
+      # @param access [Integer] An access control that indicates the requested
+      #   access for the returned handle. It is a bitwise OR of common
+      #   ACCESS_MASK and user ACCESS_MASK values (see
+      #   lib/ruby_smb/dcerpc/samr.rb)
+      # @param group_id [Integer] RID of a group
+      # @return [RubySMB::Dcerpc::Samr::SamprHandle] The group handle
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a
+      #   SamrOpenGroup packet
+      # @raise [RubySMB::Dcerpc::Error::SamrError] if the response error status
+      #   is not STATUS_SUCCESS
+      def samr_open_group(domain_handle:, access: MAXIMUM_ALLOWED, group_id:)
+        samr_open_group_request = SamrOpenGroupRequest.new(
+          domain_handle: domain_handle,
+          desired_access: access,
+          group_id: group_id
+        )
+        response = dcerpc_request(samr_open_group_request)
+        begin
+          samr_open_group_response = SamrOpenGroupResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading SamrOpenGroupResponse'
+        end
+        unless samr_open_group_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Dcerpc::Error::SamrError,
+            "Error returned when getting a handle to group #{group_id}: "\
+            "#{WindowsError::NTStatus.find_by_retval(samr_open_grou_response.error_status.value).join(',')}"
+        end
+        samr_open_group_response.group_handle
+      end
+
       # Returns a handle to a user, given a RID
       #
       # @param domain_handle [RubySMB::Dcerpc::Samr::SamprHandle] An RPC context
@@ -969,6 +1009,36 @@ module RubySMB
         samr_open_user_response.user_handle
       end
 
+      # Returns a listing of members of the given group
+      #
+      # @param group_handle [RubySMB::Dcerpc::Samr::SamprHandle] An RPC context
+      #   representing a group object.
+      # @return [Array<Array<String,String>>] Array of RID and Attributes
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a
+      #   SamrGetMembersInGroup packet
+      # @raise [RubySMB::Dcerpc::Error::SamrError] if the response error status
+      #   is not STATUS_SUCCESS
+      def samr_get_members_in_group(group_handle:)
+        samr_get_members_in_group_request = SamrGetMembersInGroupRequest.new(
+          group_handle: group_handle
+        )
+        response = dcerpc_request(samr_get_members_in_group_request)
+        begin
+          samr_get_members_in_group_response = SamrGetMembersInGroupResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading SamrGetMembersInGroupResponse'
+        end
+        unless samr_get_members_in_group_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Dcerpc::Error::SamrError,
+            "Error returned while getting group membership: "\
+            "#{WindowsError::NTStatus.find_by_retval(samr_get_members_in_group_response.error_status.value).join(',')}"
+        end
+        members = samr_get_members_in_group_response.members.members.to_ary
+        attributes = samr_get_members_in_group_response.members.attributes.to_ary
+
+        members.zip(attributes)
+      end
+
       # Returns a listing of groups that a user is a member of
       #
       # @param user_handle [RubySMB::Dcerpc::Samr::SamprHandle] An RPC context

data/lib/ruby_smb/gss/provider/ntlm.rb

@@ -142,10 +142,7 @@ module RubySMB
             case type3_msg.ntlm_version
             when :ntlmv1
               my_ntlm_response = Net::NTLM::ntlm_response(
-                ntlm_hash: Net::NTLM::ntlm_hash(
-                  RubySMB::Utils.safe_encode(account.password, 'UTF-16LE'),
-                  unicode: true
-                ),
+                ntlm_hash: Net::NTLM::ntlm_hash(account.password),
                 challenge: @server_challenge
               )
               matches = my_ntlm_response == type3_msg.ntlm_response
@@ -157,7 +154,7 @@ module RubySMB
               ntlmv2_hash = Net::NTLM.ntlmv2_hash(
                 Net::NTLM::EncodeUtil.encode_utf16le(account.username),
                 Net::NTLM::EncodeUtil.encode_utf16le(account.password),
-                type3_msg.domain.force_encoding('ASCII-8BIT'),  # don't use the account domain because of the special '.' value
+                type3_msg.domain.dup.force_encoding('ASCII-8BIT'),  # don't use the account domain because of the special '.' value
                 {client_challenge: their_blob[16...24], unicode: true}
               )
 
@@ -310,8 +307,7 @@ module RubySMB
           domain = @default_domain if domain.nil? || domain == '.'.encode(domain.encoding)
           domain = domain.downcase
           @accounts.find do |account|
-            RubySMB::Utils.safe_encode(account.username, username.encoding).downcase == username &&
-              RubySMB::Utils.safe_encode(account.domain, domain.encoding).downcase == domain
+            account.username.encode(username.encoding).downcase == username && account.domain.encode(domain.encoding).downcase == domain
           end
         end
 

data/lib/ruby_smb/ntlm/client.rb

@@ -1,78 +1,7 @@
 module RubySMB::NTLM
-  module Message
-    def deflag
-      security_buffers.inject(head_size) do |cur, a|
-        a[1].offset = cur
-        cur += a[1].data_size
-        has_flag?(:UNICODE) ? cur + cur % 2 : cur
-      end
-    end
-
-    def serialize
-      deflag
-      @alist.map { |n, f| f.serialize }.join + security_buffers.map { |n, f| f.value + (has_flag?(:UNICODE) ? "\x00".b * (f.value.length % 2) : '') }.join
-    end
-  end
-
   class Client < Net::NTLM::Client
-    class Session < Net::NTLM::Client::Session
-      def authenticate!
-        calculate_user_session_key!
-        type3_opts = {
-          :lm_response   => is_anonymous? ? "\x00".b : lmv2_resp,
-          :ntlm_response => is_anonymous? ? '' : ntlmv2_resp,
-          :domain        => domain,
-          :user          => username,
-          :workstation   => workstation,
-          :flag          => (challenge_message.flag & client.flags)
-        }
-        t3 = Net::NTLM::Message::Type3.create type3_opts
-        t3.extend(Message)
-        if negotiate_key_exchange?
-          t3.enable(:session_key)
-          rc4 = OpenSSL::Cipher.new("rc4")
-          rc4.encrypt
-          rc4.key = user_session_key
-          sk = rc4.update exported_session_key
-          sk << rc4.final
-          t3.session_key = sk
-        end
-        t3
-      end
-
-      def is_anonymous?
-        username == '' && password == ''
-      end
-
-      private
-
-      def use_oem_strings?
-        # @see https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832
-        !challenge_message.has_flag?(:UNICODE) && challenge_message.has_flag?(:OEM)
-      end
-
-      def ntlmv2_hash
-        @ntlmv2_hash ||= RubySMB::NTLM.ntlmv2_hash(username, password, domain, {:client_challenge => client_challenge, :unicode => !use_oem_strings?})
-      end
-
-      def calculate_user_session_key!
-        if is_anonymous?
-          # see MS-NLMP section 3.4
-          @user_session_key = "\x00".b * 16
-        else
-          @user_session_key = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmv2_hash, nt_proof_str)
-        end
-      end
-    end
-
-    def init_context(resp = nil, channel_binding = nil)
-      if resp.nil?
-        @session = nil
-        type1_message
-      else
-        @session = Client::Session.new(self, Net::NTLM::Message.decode64(resp), channel_binding)
-        @session.authenticate!
-      end
-    end
+    # There was a bunch of code in here that was necessary in versions up to and including rubyntlm version 0.6.3.
+    # The class is kept because there are references to it that should be kept in place in case future alterations to
+    # rubyntlm are required.
   end
 end

data/lib/ruby_smb/ntlm.rb

@@ -1,5 +1,3 @@
-require 'ruby_smb/ntlm/custom/string_encoder'
-
 module RubySMB
   module NTLM
     # [[MS-NLMP] 2.2.2.5](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832)
@@ -58,41 +56,6 @@ module RubySMB
         "Version #{major}.#{minor} (Build #{build}); NTLM Current Revision #{ntlm_revision}"
       end
     end
-
-    class << self
-
-      # Generate a NTLMv2 Hash
-      # @param [String] user The username
-      # @param [String] password The password
-      # @param [String] target The domain or workstation to authenticate to
-      # @option opt :unicode (false) Unicode encode the domain
-      def ntlmv2_hash(user, password, target, opt={})
-        if Net::NTLM.is_ntlm_hash? password
-          decoded_password = Net::NTLM::EncodeUtil.decode_utf16le(password)
-          ntlmhash = [decoded_password.upcase[33,65]].pack('H32')
-        else
-          ntlmhash = Net::NTLM.ntlm_hash(password, opt)
-        end
-
-        if opt[:unicode]
-          # Uppercase operation on username containing non-ASCII characters
-          # after being unicode encoded with `EncodeUtil.encode_utf16le`
-          # doesn't play well. Upcase should be done before encoding.
-          user_upcase = Net::NTLM::EncodeUtil.decode_utf16le(user).upcase
-          user_upcase = Net::NTLM::EncodeUtil.encode_utf16le(user_upcase)
-        else
-          user_upcase = user.upcase
-        end
-        userdomain = user_upcase + target
-
-        unless opt[:unicode]
-          userdomain = Net::NTLM::EncodeUtil.encode_utf16le(userdomain)
-        end
-        OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmhash, userdomain)
-      end
-
-    end
-
   end
 end
 

data/lib/ruby_smb/server/server_client/tree_connect.rb

@@ -7,7 +7,7 @@ module RubySMB
           # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/b062f3e3-1b65-4a9a-854a-0ee432499d8f
           response = RubySMB::SMB1::Packet::TreeConnectResponse.new
 
-          share_name = RubySMB::Utils.safe_encode(request.data_block.path, 'UTF-8').split('\\', 4).last
+          share_name = request.data_block.path.split('\\', 4).last
           share_provider = @server.shares.transform_keys(&:downcase)[share_name.downcase]
           if share_provider.nil?
             logger.warn("Received TREE_CONNECT request for non-existent share: #{share_name}")
@@ -51,7 +51,7 @@ module RubySMB
             return response
           end
 
-          share_name = RubySMB::Utils.safe_encode(request.path, 'UTF-8').split('\\', 4).last
+          share_name = request.path.encode.split('\\', 4).last
           share_provider = @server.shares.transform_keys(&:downcase)[share_name.downcase]
 
           if share_provider.nil?

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.3.10'.freeze
+  VERSION = '3.3.12'.freeze
 end

data/lib/ruby_smb.rb

@@ -6,13 +6,11 @@ require 'openssl/ccm'
 require 'openssl/cmac'
 require 'windows_error'
 require 'windows_error/nt_status'
-require 'ruby_smb/ntlm/custom/string_encoder'
 # A packet parsing and manipulation library for the SMB1 and SMB2 protocols
 #
 # [[MS-SMB] Server Message Block (SMB) Protocol Version 1](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
 # [[MS-SMB2] Server Message Block (SMB) Protocol Versions 2 and 3](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
 module RubySMB
-  require 'ruby_smb/utils'
   require 'ruby_smb/error'
   require 'ruby_smb/create_actions'
   require 'ruby_smb/dispositions'

data/ruby_smb.gemspec

@@ -6,7 +6,14 @@ require 'ruby_smb/version'
 Gem::Specification.new do |spec|
   spec.name          = 'ruby_smb'
   spec.version       = RubySMB::VERSION
-  spec.authors       = ['Metasploit Hackers', 'David Maloney', 'James Lee', 'Dev Mohanty', 'Christophe De La Fuente']
+  spec.authors       = [
+    'Metasploit Hackers',
+    'David Maloney',
+    'James Lee',
+    'Dev Mohanty',
+    'Christophe De La Fuente',
+    'Spencer McIntyre'
+  ]
   spec.email         = ['msfdev@metasploit.com']
   spec.summary       = 'A pure Ruby implementation of the SMB Protocol Family'
   spec.description   = ''
@@ -33,7 +40,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'yard'
 
-  spec.add_runtime_dependency 'rubyntlm'
+  spec.add_runtime_dependency 'rubyntlm', '>= 0.6.5'
   spec.add_runtime_dependency 'windows_error', '>= 0.1.4'
   spec.add_runtime_dependency 'bindata', '2.4.15'
   spec.add_runtime_dependency 'openssl-ccm'

data/spec/lib/ruby_smb/gss/provider/ntlm/authenticator_spec.rb

@@ -9,8 +9,11 @@ RSpec.describe RubySMB::Gss::Provider::NTLM::Authenticator do
       msg.domain = domain
     end
   end
+  let(:type2_msg) do
+    Net::NTLM::Message::Type2.new
+  end
   let(:type3_msg) do
-    Net::NTLM::Message::Type2.new.response(user: username, password: '', domain: domain)
+    type2_msg.response({user: username, password: password, domain: domain}, {ntlmv2: true})
   end
 
   before(:each) do
@@ -65,9 +68,121 @@ RSpec.describe RubySMB::Gss::Provider::NTLM::Authenticator do
   end
 
   describe '#process_ntlm_type3' do
-    it 'should process a NTLM type 3 message and return an error code' do
-      expect(authenticator.process_ntlm_type3(type3_msg)).to be_a WindowsError::ErrorCode
-      expect(authenticator.process_ntlm_type3(type3_msg)).to eq WindowsError::NTStatus::STATUS_LOGON_FAILURE
+    context 'when the message is anonymous' do
+      let(:type3_msg) do
+        type2_msg.response({user: '', password: ''}, {ntlmv2: true})
+      end
+
+      context 'when anonymous access is disabled' do
+        before(:each) do
+          expect(provider).to_not receive(:allow_guests)
+          expect(provider).to receive(:allow_anonymous).and_return(false)
+        end
+
+        it 'should process a NTLM type 3 message and return STATUS_LOGON_FAILURE' do
+          status = authenticator.process_ntlm_type3(type3_msg)
+          expect(status).to be_a WindowsError::ErrorCode
+          expect(status).to eq WindowsError::NTStatus::STATUS_LOGON_FAILURE
+        end
+
+        after(:each) do
+          expect(authenticator.session_key).to be_nil
+        end
+      end
+
+      context 'when anonymous access is enabled' do
+        before(:each) do
+          expect(provider).to_not receive(:allow_guests)
+          expect(provider).to receive(:allow_anonymous).and_return(true)
+        end
+
+        it 'should process a NTLM type 3 message and return STATUS_SUCCESS' do
+          status = authenticator.process_ntlm_type3(type3_msg)
+          expect(status).to be_a WindowsError::ErrorCode
+          expect(status).to eq WindowsError::NTStatus::STATUS_SUCCESS
+        end
+
+        after(:each) do
+          expect(authenticator.session_key).to eq "\x00".b * 16
+        end
+      end
+    end
+
+    context 'when the message is a guest' do
+      let(:type3_msg) do
+        type2_msg.response({user: 'Spencer', password: password}, {ntlmv2: true})
+      end
+
+      context 'when guest access is disabled' do
+        before(:each) do
+          expect(provider).to_not receive(:allow_anonymous)
+          expect(provider).to receive(:allow_guests).and_return(false)
+        end
+
+        it 'should process a NTLM type 3 message and return STATUS_LOGON_FAILURE' do
+          status = authenticator.process_ntlm_type3(type3_msg)
+          expect(status).to be_a WindowsError::ErrorCode
+          expect(status).to eq WindowsError::NTStatus::STATUS_LOGON_FAILURE
+        end
+
+        after(:each) do
+          expect(authenticator.session_key).to be_nil
+        end
+      end
+
+      context 'when guest access is enabled' do
+        before(:each) do
+          expect(provider).to_not receive(:allow_anonymous)
+          expect(provider).to receive(:allow_guests).and_return(true)
+        end
+
+        it 'should process a NTLM type 3 message and return STATUS_SUCCESS' do
+          status = authenticator.process_ntlm_type3(type3_msg)
+          expect(status).to be_a WindowsError::ErrorCode
+          expect(status).to eq WindowsError::NTStatus::STATUS_SUCCESS
+        end
+
+        after(:each) do
+          expect(authenticator.session_key).to eq "\x00".b * 16
+        end
+      end
+    end
+
+    context 'when the message is a known user' do
+      before(:each) do
+        authenticator.instance_variable_set(:@server_challenge, type2_msg[:challenge].serialize)
+      end
+
+      context 'when the password is correct' do
+        it 'should process a NTLM type 3 message and return STATUS_SUCCESS' do
+          type3_msg.user.force_encoding('UTF-16LE')
+          type3_msg.domain.force_encoding('UTF-16LE')
+          status = authenticator.process_ntlm_type3(type3_msg)
+          expect(status).to be_a WindowsError::ErrorCode
+          expect(status).to eq WindowsError::NTStatus::STATUS_SUCCESS
+        end
+
+        after(:each) do
+          expect(authenticator.session_key).to be_a String
+          expect(authenticator.session_key.length).to eq 16
+        end
+      end
+
+      context 'when the password is wrong' do
+        let(:type3_msg) do
+          type2_msg.response({user: username, password: 'Wrong' + password, domain: domain}, {ntlmv2: true})
+        end
+
+        it 'should process a NTLM type 3 message and return STATUS_LOGON_FAILURE' do
+          status = authenticator.process_ntlm_type3(type3_msg)
+          expect(status).to be_a WindowsError::ErrorCode
+          expect(status).to eq WindowsError::NTStatus::STATUS_LOGON_FAILURE
+        end
+
+        after(:each) do
+          expect(authenticator.session_key).to be nil
+        end
+      end
     end
   end
 

data/spec/lib/ruby_smb/ntlm/client/session_spec.rb

@@ -24,7 +24,7 @@ RSpec.describe RubySMB::NTLM::Client::Session do
 
     it 'returns a Type3 message' do
       expect(session.authenticate!).to be_a Net::NTLM::Message::Type3
-      expect(session.authenticate!).to be_a RubySMB::NTLM::Message
+      expect(session.authenticate!).to be_a Net::NTLM::Message
     end
 
     context 'when it is anonymous' do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby_smb
 version: !ruby/object:Gem::Version
-  version: 3.3.10
+  version: 3.3.12
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -9,6 +9,7 @@ authors:
 - James Lee
 - Dev Mohanty
 - Christophe De La Fuente
+- Spencer McIntyre
 autorequire: 
 bindir: bin
 cert_chain:
@@ -38,7 +39,7 @@ cert_chain:
   DgscAao7wB3xW2BWEp1KnaDWkf1x9ttgoBEYyuYwU7uatB67kBQG1PKvLt79wHvz
   Dxs+KOjGbBRfMnPgVGYkORKVrZIwlaboHbDKxcVW5xv+oZc7KYXWGg==
   -----END CERTIFICATE-----
-date: 2024-09-11 00:00:00.000000000 Z
+date: 2024-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: redcarpet
@@ -116,14 +117,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.5
 - !ruby/object:Gem::Dependency
   name: windows_error
   requirement: !ruby/object:Gem::Requirement
@@ -187,6 +188,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/metasploit-framework_acceptance.yml"
 - ".github/workflows/verify.yml"
 - ".gitignore"
 - ".rspec"
@@ -342,12 +344,16 @@ files:
 - lib/ruby_smb/dcerpc/samr/samr_get_alias_membership_response.rb
 - lib/ruby_smb/dcerpc/samr/samr_get_groups_for_user_request.rb
 - lib/ruby_smb/dcerpc/samr/samr_get_groups_for_user_response.rb
+- lib/ruby_smb/dcerpc/samr/samr_get_members_in_group_request.rb
+- lib/ruby_smb/dcerpc/samr/samr_get_members_in_group_response.rb
 - lib/ruby_smb/dcerpc/samr/samr_lookup_domain_in_sam_server_request.rb
 - lib/ruby_smb/dcerpc/samr/samr_lookup_domain_in_sam_server_response.rb
 - lib/ruby_smb/dcerpc/samr/samr_lookup_names_in_domain_request.rb
 - lib/ruby_smb/dcerpc/samr/samr_lookup_names_in_domain_response.rb
 - lib/ruby_smb/dcerpc/samr/samr_open_domain_request.rb
 - lib/ruby_smb/dcerpc/samr/samr_open_domain_response.rb
+- lib/ruby_smb/dcerpc/samr/samr_open_group_request.rb
+- lib/ruby_smb/dcerpc/samr/samr_open_group_response.rb
 - lib/ruby_smb/dcerpc/samr/samr_open_user_request.rb
 - lib/ruby_smb/dcerpc/samr/samr_open_user_response.rb
 - lib/ruby_smb/dcerpc/samr/samr_query_information_domain_request.rb
@@ -473,7 +479,6 @@ files:
 - lib/ruby_smb/nbss/session_request.rb
 - lib/ruby_smb/ntlm.rb
 - lib/ruby_smb/ntlm/client.rb
-- lib/ruby_smb/ntlm/custom/string_encoder.rb
 - lib/ruby_smb/peer_info.rb
 - lib/ruby_smb/server.rb
 - lib/ruby_smb/server/cli.rb
@@ -654,7 +659,6 @@ files:
 - lib/ruby_smb/smb2/smb2_header.rb
 - lib/ruby_smb/smb2/tree.rb
 - lib/ruby_smb/smb_error.rb
-- lib/ruby_smb/utils.rb
 - lib/ruby_smb/version.rb
 - ruby_smb.gemspec
 - spec/lib/ruby_smb/client_spec.rb
@@ -996,7 +1000,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.5.22
 signing_key: 
 specification_version: 4
 summary: A pure Ruby implementation of the SMB Protocol Family

data/lib/ruby_smb/ntlm/custom/string_encoder.rb

@@ -1,22 +0,0 @@
-require 'net/ntlm'
-
-module RubySMB
-  module NTLM
-    module Custom
-      module StringEncoder
-
-        def self.prepended(base)
-          base.singleton_class.send(:prepend, ClassMethods)
-        end
-
-        module ClassMethods
-          def encode_utf16le(str)
-            str.dup.force_encoding('UTF-8').encode(Encoding::UTF_16LE, Encoding::UTF_8).force_encoding('ASCII-8BIT')
-          end
-        end
-      end
-    end
-  end
-end
-
-Net::NTLM::EncodeUtil.send(:prepend, RubySMB::NTLM::Custom::StringEncoder)

data/lib/ruby_smb/utils.rb

@@ -1,15 +0,0 @@
-module RubySMB
-  module Utils
-
-    def self.safe_encode(str, encoding)
-      str.encode(encoding)
-    rescue EncodingError
-      if str.encoding == ::Encoding::ASCII_8BIT
-        str.dup.force_encoding(encoding)
-      else
-        raise
-      end
-    end
-
-  end
-end