ruby_smb 3.3.12 → 3.3.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d9ee813b67da3f28bf15f24cd60e6ff6be3c931490f97fe95786537d191a171b
-  data.tar.gz: 0d36cfa0892d145bf40d1ad43ba8e0d35185357c50d35ce8e7bc64a586041bcf
+  metadata.gz: c0e82037a7cede300c72e18aca227e16dd6f6c67c46e739aae546ff990562a20
+  data.tar.gz: ac24976008cf479989fbea0edc88ceafec163c998a7d5a87ea4b085ae1f6fcd6
 SHA512:
-  metadata.gz: b52b91a93e363be0ed1578a6b67c94409e831a848da346cf1e985e1686804bbf444e1ba15d3a6f350cb77bba9a8a035b06c4c066b96665399805da8bc0193011
-  data.tar.gz: 17d2c3bc2bb46204538a827aac81a9f46317518cbf24abdade18fd60460b57db131ed3d6d8db3cce8accadd752256c7fb8fc53b74a435a1226048166d93c0020
+  metadata.gz: c9f2bae08d955e0a977b5614a577ff1801f8b977a675f21a70ec7dac2b695d6215d91cd3f69b37b354022aba93494be64687b90e96c8a7b75390384eb7dd0b99
+  data.tar.gz: de80907d4e9d1d91de05ca1b363ba94da81f2f39fd089bad724d1b6c2b5fae8ed8048b66ac84238174f573dbb362e49d809734446e5381b1914bc5cd9b8286ce

data/cortex.yaml

@@ -10,6 +10,8 @@ info:
   x-cortex-type: service
   x-cortex-domain-parents:
   - tag: metasploit
+  x-cortex-groups:
+  - exposure:external-ship
 openapi: 3.0.1
 servers:
 - url: "/"

data/lib/ruby_smb/dcerpc/error.rb

@@ -70,6 +70,16 @@ module RubySMB
           super(msg)
         end
       end
+
+      class GkdiError < DcerpcError
+        include RubySMB::Error::UnexpectedStatusCode::Mixin
+
+        def initialize(msg, status_code: nil)
+          self.status_code = status_code unless status_code.nil?
+
+          super(msg)
+        end
+      end
     end
   end
 end

data/lib/ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_key.rb

@@ -0,0 +1,17 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [2.2.3.1 FFC DH Key](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/f8770f01-036d-4bf6-a4cf-1bd0e3913404)
+      class GkdiFfcDhKey < BinData::Record
+        endian :little
+
+        uint8_array :magic, initial_length: 4, initial_value: [ 0x44, 0x48, 0x50, 0x42 ]
+        uint32      :key_length
+        uint8_array :field_order, initial_length: :key_length
+        uint8_array :generator, initial_length: :key_length
+        uint8_array :public_key, initial_length: :key_length
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_parameters.rb

@@ -0,0 +1,17 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [2.2.2 FFC DH Parameters](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/e15ae269-ee21-446a-a480-de3ea243db5f)
+      class GkdiFfcDhParameters < BinData::Record
+        endian :little
+
+        uint32      :parameters_length, initial_value: -> { (key_length * 2) + offset_of(generator) }
+        uint8_array :magic, initial_length: 4, initial_value: [ 0x44, 0x48, 0x50, 0x4d ]
+        uint32      :key_length
+        uint8_array :field_order, initial_length: :key_length
+        uint8_array :generator, initial_length: :key_length
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/gkdi/gkdi_get_key_request.rb

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [3.1.4.1 GetKey (Opnum 0)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/4cac87a3-521e-4918-a272-240f8fabed39)
+      class GkdiGetKeyRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32     :cb_target_sd
+        ndr_conf_array :pb_target_sd, type: :ndr_uint8
+        uuid_ptr       :p_root_key_id
+        ndr_int32      :l0_key_id
+        ndr_int32      :l1_key_id
+        ndr_int32      :l2_key_id
+
+        def initialize_instance
+          super
+          @opnum = GKDI_GET_KEY
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/gkdi/gkdi_get_key_response.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [3.1.4.1 GetKey (Opnum 0)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/4cac87a3-521e-4918-a272-240f8fabed39)
+      class GkdiGetKeyResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32              :pcb_out
+        ndr_byte_conf_array_ptr :pbb_out
+        ndr_uint32              :error_status
+
+        def initialize_instance
+          super
+          @opnum = GKDI_GET_KEY
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/gkdi/gkdi_group_key_envelope.rb

@@ -0,0 +1,51 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [2.2.4 Group Key Envelope](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/192c061c-e740-4aa0-ab1d-6954fb3e58f7)
+      class GkdiGroupKeyEnvelope < BinData::Record
+        endian :little
+
+        uint32      :version
+        uint8_array :magic, initial_length: 4, initial_value: [ 0x4b, 0x44, 0x53, 0x5b ]
+        uint32      :dw_flags
+        uint32      :l0_index
+        uint32      :l1_index
+        uint32      :l2_index
+        uuid        :root_key_identifier
+        uint32      :cb_kdf_algorithm
+        uint32      :cb_kdf_parameters, initial_value: -> { kdf_parameters.length }
+        uint32      :cb_secret_agreement_algorithm
+        uint32      :cb_secret_agreement_parameters
+        uint32      :private_key_length
+        uint32      :public_key_length
+        uint32      :cb_l1_key
+        uint32      :cb_l2_key
+        uint32      :cb_domain_name
+        uint32      :cb_forest_name
+        stringz16   :kdf_algorithm
+        struct      :kdf_parameters, only_if: -> { cb_kdf_parameters > 0 } do
+          uint8_array :block0, initial_length: 8, initial_value: [ 0, 0, 0, 0, 1, 0, 0, 0 ]
+          uint32      :length_of_hash_name, initial_value: -> { hash_algorithm_name.length }
+          uint8_array :block1, initial_length: 4, initial_value: [ 0, 0, 0, 0 ]
+          stringz16   :hash_algorithm_name
+        end
+        stringz16   :secret_agreement_algorithm
+        uint8_array :secret_agreement_parameters, initial_length: :cb_secret_agreement_parameters
+        stringz16   :domain_name
+        stringz16   :forest_name
+        uint8_array :l1_key, initial_length: 64, only_if: -> { cb_l1_key != 0 }
+        uint8_array :l2_key, initial_length: :l2_key_length, only_if: -> { cb_l2_key != 0 }
+
+        private
+
+        def l2_key_length
+          return 0 if cb_l2_key == 0
+          return 64 if (dw_flags & (1 << 31)) == 0
+
+          public_key_length
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/gkdi.rb

@@ -0,0 +1,54 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [2.1 Transport](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/2ca63ad2-2464-4a41-ba84-2e0270e95e86)
+      UUID = 'b9785960-524f-11df-8b6d-83dcded72085'
+      VER_MAJOR = 1
+      VER_MINOR = 0
+
+      # Operation numbers
+      GKDI_GET_KEY = 0x0000
+
+      require 'ruby_smb/dcerpc/gkdi/gkdi_get_key_request'
+      require 'ruby_smb/dcerpc/gkdi/gkdi_get_key_response'
+      require 'ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_key'
+      require 'ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_parameters'
+      require 'ruby_smb/dcerpc/gkdi/gkdi_group_key_envelope'
+
+      def gkdi_get_key(target_sd, root_key_id, l0_key_id, l1_key_id, l2_key_id)
+        target_sd = target_sd.to_binary_s if target_sd.respond_to?(:to_binary_s)
+
+        gkdi_get_key_request = GkdiGetKeyRequest.new(
+          cb_target_sd: target_sd.length,
+          pb_target_sd: target_sd.unpack('C*'),
+          p_root_key_id: root_key_id,
+          l0_key_id: l0_key_id,
+          l1_key_id: l1_key_id,
+          l2_key_id: l2_key_id
+        )
+
+        response = dcerpc_request(
+          gkdi_get_key_request,
+          auth_level: @auth_level,
+          auth_type: @auth_type
+        )
+        begin
+          gkdi_get_key_response = GkdiGetKeyResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading CertServerRequestResponse'
+        end
+        unless gkdi_get_key_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+          status_code = WindowsError::Win32.find_by_retval(gkdi_get_key_response.error_status.value).first
+          raise RubySMB::Dcerpc::Error::GkdiError.new(
+            "Error returned with gkdi_get_key: #{status_code}",
+            status_code: status_code
+          )
+        end
+
+        GkdiGroupKeyEnvelope.read(gkdi_get_key_response.pbb_out.snapshot.pack('C*'))
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/request.rb

@@ -79,6 +79,8 @@ module RubySMB
           samr_set_information_user2_request           Samr::SAMR_SET_INFORMATION_USER2
           samr_delete_user_request                     Samr::SAMR_DELETE_USER
           samr_query_information_domain_request        Samr::SAMR_QUERY_INFORMATION_DOMAIN
+          samr_unicode_change_password_user2_request   Samr::SAMR_UNICODE_CHANGE_PASSWORD_USER2
+          samr_change_password_user_request            Samr::SAMR_CHANGE_PASSWORD_USER
           string                                       :default
         end
         choice 'Wkssvc', selection: -> { opnum } do
@@ -122,6 +124,9 @@ module RubySMB
           lsar_close_handle_request              Lsarpc::LSAR_CLOSE_HANDLE
           lsar_lookup_sids_request               Lsarpc::LSAR_LOOKUP_SIDS
         end
+        choice 'Gkdi', selection: -> { opnum } do
+          gkdi_get_key_request Gkdi::GKDI_GET_KEY
+        end
         string :default
       end
 

data/lib/ruby_smb/dcerpc/samr/samr_change_password_user_request.rb

@@ -0,0 +1,31 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.10.1 SamrChangePasswordUser (Opnum 38)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/9699d8ca-e1a4-433c-a8c3-d7bebeb01476)
+      class SamrChangePasswordUserRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        sampr_handle                      :user_handle
+        ndr_uint8                         :lm_present
+        pencrypted_nt_owf_password        :old_lm_encrypted_with_new_lm
+        pencrypted_nt_owf_password        :new_lm_encrypted_with_old_lm
+        ndr_uint8                         :nt_present
+        pencrypted_nt_owf_password        :old_nt_encrypted_with_new_nt
+        pencrypted_nt_owf_password        :new_nt_encrypted_with_old_nt
+        ndr_uint8                         :nt_cross_encryption_present
+        pencrypted_nt_owf_password        :new_nt_encrypted_with_new_nt
+        ndr_uint8                         :lm_cross_encryption_present
+        pencrypted_nt_owf_password        :new_lm_encrypted_with_new_nt
+
+        def initialize_instance
+          super
+          @opnum = SAMR_CHANGE_PASSWORD_USER
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/samr/samr_change_password_user_response.rb

@@ -0,0 +1,21 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.10.1 SamrChangePasswordUser (Opnum 38)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/9699d8ca-e1a4-433c-a8c3-d7bebeb01476)
+      class SamrChangePasswordUserResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32 :error_status
+
+        def initialize_instance
+          super
+          @opnum = SAMR_CHANGE_PASSWORD_USER
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/samr/samr_get_members_in_group_response.rb

@@ -14,7 +14,7 @@ module RubySMB
         extend Ndr::PointerClassPlugin
       end
 
-      # [2.1.5.8.3 SamrGetMembersInGroup (Opnum 25)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/a4adbf20-040f-4416-a960-e5b7917fdae7)
+      # [3.1.5.8.3 SamrGetMembersInGroup (Opnum 25)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/3ed5030d-88a3-42ca-a6e0-8c12aa2fdfbd)
       class SamrGetMembersInGroupResponse < BinData::Record
         attr_reader :opnum
 

data/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_request.rb

@@ -0,0 +1,27 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.10.3 SamrUnicodeChangePasswordUser2 (Opnum 55)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/acb3204a-da8b-478e-9139-1ea589edb880)
+      class SamrUnicodeChangePasswordUser2Request < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        prpc_unicode_string               :server_name
+        rpc_unicode_string                :user_name
+        psampr_encrypted_user_password    :new_password_encrypted_with_old_nt
+        pencrypted_nt_owf_password        :old_nt_owf_password_encrypted_with_new_nt
+        ndr_uint8                         :lm_present
+        psampr_encrypted_user_password    :new_password_encrypted_with_old_lm
+        pencrypted_nt_owf_password        :old_lm_owf_password_encrypted_with_new_nt
+
+        def initialize_instance
+          super
+          @opnum = SAMR_UNICODE_CHANGE_PASSWORD_USER2
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_response.rb

@@ -0,0 +1,21 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.10.3 SamrUnicodeChangePasswordUser2 (Opnum 55)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/acb3204a-da8b-478e-9139-1ea589edb880)
+      class SamrUnicodeChangePasswordUser2Response < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32 :error_status
+
+        def initialize_instance
+          super
+          @opnum = SAMR_UNICODE_CHANGE_PASSWORD_USER2
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/samr.rb

@@ -24,8 +24,10 @@ module RubySMB
       SAMR_GET_MEMBERS_IN_GROUP            = 0x0019
       SAMR_OPEN_USER                       = 0x0022
       SAMR_DELETE_USER                     = 0x0023
+      SAMR_CHANGE_PASSWORD_USER            = 0x0026
       SAMR_GET_GROUPS_FOR_USER             = 0x0027
       SAMR_CREATE_USER2_IN_DOMAIN          = 0x0032
+      SAMR_UNICODE_CHANGE_PASSWORD_USER2   = 0x0037
       SAMR_SET_INFORMATION_USER2           = 0x003a
       SAMR_CONNECT5                        = 0x0040
       SAMR_RID_TO_SID                      = 0x0041
@@ -318,6 +320,58 @@ module RubySMB
         extend Ndr::PointerClassPlugin
       end
 
+      # [2.2.7.3 ENCRYPTED_NT_OWF_PASSWORD](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/ce061fef-6d4f-4802-bd5d-26b11f14f4a6)
+      class EncryptedNtOwfPassword < Ndr::NdrStruct
+        default_parameter byte_align: 4
+        ndr_fixed_byte_array :buffer, initial_length: 16
+
+        # [2.2.11.1.2 Encrypting a 64-bit block with a 7-byte key](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/ebdb15df-8d0d-4347-9d62-082e6eccac40)
+        def self.to_output_key(input_key)
+          output_key = []
+          input_key = input_key.unpack('C'*7)
+          output_key.append(input_key[0] >> 0x01)
+          output_key.append(((input_key[0]&0x01)<<6) | (input_key[1]>>2))
+          output_key.append(((input_key[1]&0x03)<<5) | (input_key[2]>>3))
+          output_key.append(((input_key[2]&0x07)<<4) | (input_key[3]>>4))
+          output_key.append(((input_key[3]&0x0F)<<3) | (input_key[4]>>5))
+          output_key.append(((input_key[4]&0x1F)<<2) | (input_key[5]>>6))
+          output_key.append(((input_key[5]&0x3F)<<1) | (input_key[6]>>7))
+          output_key.append(input_key[6] & 0x7F)
+
+          output_key = output_key.map {|x| (x << 1) & 0xFE}
+
+          output_key.pack('C'*8)
+        end
+
+        # [2.2.11.1 DES-ECB-LM](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/3f5ec79d-b449-4ab2-9423-c4dccbe0b184)
+        def self.encrypt_hash(hash:, key:)
+          block1 = hash[0..7]
+          block2 = hash[8..]
+          key1 = to_output_key(key[0..6])
+          key2 = to_output_key(key[7..13]) # The last two bytes are ignored
+
+          cipher1 = OpenSSL::Cipher.new('des-ecb').tap do |cipher|
+            cipher.encrypt
+            cipher.key = key1
+          end
+
+          cipher2 = OpenSSL::Cipher.new('des-ecb').tap do |cipher|
+            cipher.encrypt
+            cipher.key = key2
+          end
+
+          cipher1.update(block1) + cipher2.update(block2)
+        end
+      end
+
+      EncryptedLmOwfPassword = EncryptedNtOwfPassword
+
+      class PencryptedNtOwfPassword < EncryptedNtOwfPassword
+        extend Ndr::PointerClassPlugin
+      end
+
+      PencryptedLmOwfPassword = PencryptedNtOwfPassword
+
       # [2.2.7.4 SAMPR_ULONG_ARRAY](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/2feb3806-4db2-45b7-90d2-86c8336a31ba)
       class SamprUlongArray < Ndr::NdrStruct
         default_parameter byte_align: 4
@@ -333,6 +387,28 @@ module RubySMB
         ndr_uint16_array_ptr :buffer
       end
 
+      # [2.2.6.21 SAMPR_ENCRYPTED_USER_PASSWORD](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/23f9ef4c-cf3e-4330-9287-ea4799b03201)
+      class SamprEncryptedUserPassword < Ndr::NdrStruct
+        default_parameter byte_align: 4
+        ndr_fixed_byte_array :buffer, initial_length: 516
+
+        def self.encrypt_password(password, old_password_nt)
+          # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5fe3c4c4-e71b-440d-b2fd-8448bfaf6e04
+          password = password.encode('UTF-16LE').force_encoding('ASCII-8BIT')
+          buffer = password.rjust(512, "\x00") + [ password.length ].pack('V')
+          cipher = OpenSSL::Cipher.new('RC4').tap do |cipher|
+            cipher.encrypt
+            cipher.key = old_password_nt
+          end
+          cipher.update(buffer)
+        end
+      end
+
+      class PsamprEncryptedUserPassword < SamprEncryptedUserPassword
+        extend Ndr::PointerClassPlugin
+      end
+
+
       # [2.2.6.22 SAMPR_ENCRYPTED_USER_PASSWORD_NEW](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/112ecc94-1cbe-41cd-b669-377402c20786)
       class SamprEncryptedUserPasswordNew < BinData::Record
         ndr_fixed_byte_array :buffer, initial_length: 532
@@ -413,12 +489,22 @@ module RubySMB
         ndr_uint32 :user_account_control
       end
 
+      # [2.2.6.25 SAMPR_USER_INTERNAL1_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/50d17755-c6b8-40bd-8cac-bd6cfa31adf2)
+      class SamprUserInternal1Information < BinData::Record
+        encrypted_nt_owf_password         :encrypted_nt_owf_password
+        encrypted_nt_owf_password         :encrypted_lm_owf_password
+        ndr_uint8                         :nt_password_present
+        ndr_uint8                         :lm_password_present
+        ndr_uint8                         :password_expired
+      end
+
       # [2.2.6.29 SAMPR_USER_INFO_BUFFER](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/9496c26e-490b-4e76-827f-2695fc216f35)
       class SamprUserInfoBuffer < BinData::Record
         ndr_uint16 :tag
         choice     :member, selection: :tag do
           user_control_information             USER_CONTROL_INFORMATION
           sampr_user_internal4_information_new USER_INTERNAL4_INFORMATION_NEW
+          sampr_user_internal1_information     USER_INTERNAL1_INFORMATION
         end
       end
 
@@ -436,16 +522,25 @@ module RubySMB
       # [2.2.10.1 USER_PROPERTIES](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/8263e7ab-aba9-43d2-8a36-3a9cb2dd3dad)
       class UserProperties < BinData::Record
         endian :little
+        hide   :bytes_remaining
 
         uint32 :reserved1
-        uint32 :struct_length, initial_value: -> { num_bytes - 12 }
+        # Length, in bytes, of the entire structure, starting from the :reserved4 field (offset 12):
+        uint32 :struct_length, value: -> { num_bytes - 12}
         uint16 :reserved2
         uint16 :reserved3
         string :reserved4, length: 96
         uint16 :property_signature, initial_value: 0x50
-        uint16 :property_count, initial_value: -> { user_properties.size }, onlyif: -> { struct_length > 111 }
-        array  :user_properties, type: :user_property, initial_length: :property_count, onlyif: :property_count?
+        count_bytes_remaining :bytes_remaining
+        # When there are zero `user_property` elements in the `:user_properties` field, this field MUST be omitted;
+        # the resultant `UserProperties` structure has a constant size of 0x6F bytes.
+        uint16 :property_count, value: -> { user_properties.size }, onlyif: :display_user_properties?
+        array  :user_properties, type: :user_property, read_until: -> { array.size == property_count }, onlyif: :display_user_properties?
         uint8  :reserved5
+
+        def display_user_properties?
+          (bytes_remaining > 1 && reading?) || user_properties.size > 0
+        end
       end
 
       # [2.2.10.7 KERB_KEY_DATA_NEW](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/447520a5-e1cc-48cc-8fdc-b90db57f7eac)
@@ -523,6 +618,10 @@ module RubySMB
       require 'ruby_smb/dcerpc/samr/samr_get_groups_for_user_response'
       require 'ruby_smb/dcerpc/samr/samr_set_information_user2_request'
       require 'ruby_smb/dcerpc/samr/samr_set_information_user2_response'
+      require 'ruby_smb/dcerpc/samr/samr_change_password_user_request'
+      require 'ruby_smb/dcerpc/samr/samr_change_password_user_response'
+      require 'ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_request'
+      require 'ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_response'
       require 'ruby_smb/dcerpc/samr/samr_delete_user_request'
       require 'ruby_smb/dcerpc/samr/samr_delete_user_response'
       require 'ruby_smb/dcerpc/samr/samr_query_information_domain_request'
@@ -882,6 +981,117 @@ module RubySMB
         nil
       end
 
+      # Change the password on a user object.
+      #
+      # @param user_handle [SamprHandle] Handle representing the user to change the password for
+      # @param old_password [String] The previous password (either this or old_nt_hash must be specified)
+      # @param new_password [String] The password to set on the account
+      # @param new_nt_hash [String] The new password's NT hash
+      # @param new_lm_hash [String] The new password's LM hash
+      # @param old_nt_hash [String] The previous password's NT hash (either this or old_password must be specified)
+      # @param old_lm_hash [String] The previous password's LM hash (currently ignored)
+      # @return nothing is returned on success
+      # @raise [RubySMB::Dcerpc::Error::SamrError] if the response error status
+      #   is not STATUS_SUCCESS
+      def samr_change_password_user(user_handle:, old_password:nil, new_password:nil, new_nt_hash:nil, new_lm_hash:nil, old_nt_hash:nil, old_lm_hash:nil)
+        if new_password.nil? == new_nt_hash.nil?
+          raise ArgumentError.new('Provide either new password or new password hashes, but not both')
+        end
+
+        if old_password.nil? == old_nt_hash.nil?
+          raise ArgumentError.new('Provide either old password or old password hashes, but not both')
+        end
+
+        if old_password
+          old_lm_hash = Net::NTLM.lm_hash(old_password[0..13])
+          old_nt_hash = Net::NTLM.ntlm_hash(old_password)
+        end
+
+        if new_nt_hash.nil?
+          new_nt_hash = Net::NTLM::ntlm_hash(new_password)
+          new_lm_hash = Net::NTLM.lm_hash(new_password[0..13])
+        elsif new_lm_hash.nil?
+          new_lm_hash = Net::NTLM.lm_hash('')
+        end
+        
+        samr_change_password_user_request = SamrChangePasswordUserRequest.new(
+          user_handle: user_handle,
+          lm_present: 0,
+          old_lm_encrypted_with_new_lm: nil,
+          new_lm_encrypted_with_old_lm: nil,
+          nt_present: 1,
+          old_nt_encrypted_with_new_nt: PencryptedNtOwfPassword.new(buffer: EncryptedNtOwfPassword.encrypt_hash(hash: old_nt_hash, key: new_nt_hash)),
+          new_nt_encrypted_with_old_nt: PencryptedNtOwfPassword.new(buffer: EncryptedNtOwfPassword.encrypt_hash(hash: new_nt_hash, key: old_nt_hash)),
+          nt_cross_encryption_present: 0,
+          new_nt_encrypted_with_new_lm: nil,
+          lm_cross_encryption_present: 1,
+          new_lm_encrypted_with_new_nt: PencryptedNtOwfPassword.new(buffer: EncryptedNtOwfPassword.encrypt_hash(hash: new_lm_hash, key: new_nt_hash)),
+        )
+        response = dcerpc_request(samr_change_password_user_request)
+        begin
+          samr_unicode_change_password_user2_response = SamrChangePasswordUserResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading SamrUnicodeChangePasswordUser2Response'
+        end
+        unless samr_unicode_change_password_user2_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Dcerpc::Error::SamrError,
+            "Error returned while changing user password: "\
+            "#{WindowsError::NTStatus.find_by_retval(samr_unicode_change_password_user2_response.error_status.value).join(',')}"
+        end
+
+        nil
+      end
+
+
+      # Change the password on a user.
+      #
+      # @param server_name [String] The server name; can be ignored by the server
+      # @param target_username [String] The user for which we're changing the password
+      # @param old_password [String] The previous password (either this or old_nt_hash must be specified)
+      # @param new_password [String] The password to set on the account
+      # @param old_nt_hash [String] The previous password's NT hash (either this or old_password must be specified)
+      # @param old_lm_hash [String] The previous password's LM hash (currently ignored)
+      # @return nothing is returned on success
+      # @raise [RubySMB::Dcerpc::Error::SamrError] if the response error status
+      #   is not STATUS_SUCCESS
+      def samr_unicode_change_password_user2(server_name: "", target_username:, old_password:nil, new_password:, old_nt_hash:nil, old_lm_hash:nil)
+        #if old_lm_hash.nil? != old_nt_hash.nil?
+        #  raise ArgumentError.new('If providing the previous NT/LM hash, must provide both')
+        #end
+        if old_password.nil? == old_nt_hash.nil?
+          raise ArgumentError.new('Provide either old password or old password hashes, but not both')
+        end
+
+        if old_password
+          old_lm_hash = Net::NTLM.lm_hash(old_password[0..13])
+          old_nt_hash = Net::NTLM.ntlm_hash(old_password)
+        end
+
+        new_nt_hash = Net::NTLM::ntlm_hash(new_password)
+
+        samr_unicode_change_password_user2_request = SamrUnicodeChangePasswordUser2Request.new(
+          server_name: server_name,
+          user_name: target_username,
+          new_password_encrypted_with_old_nt: SamprEncryptedUserPassword.new(buffer: SamprEncryptedUserPassword.encrypt_password(new_password, old_nt_hash)),
+          old_nt_owf_password_encrypted_with_new_nt: PencryptedNtOwfPassword.new(buffer: EncryptedNtOwfPassword.encrypt_hash(hash: old_nt_hash, key: new_nt_hash)),
+          lm_present: 0
+        )
+        samr_unicode_change_password_user2_request
+        response = dcerpc_request(samr_unicode_change_password_user2_request)
+        begin
+          samr_unicode_change_password_user2_response = SamrUnicodeChangePasswordUser2Response.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading SamrUnicodeChangePasswordUser2Response'
+        end
+        unless samr_unicode_change_password_user2_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Dcerpc::Error::SamrError,
+            "Error returned while changing user password: "\
+            "#{WindowsError::NTStatus.find_by_retval(samr_unicode_change_password_user2_response.error_status.value).join(',')}"
+        end
+
+        nil
+      end
+
       # Closes (that is, releases server-side resources used by) any context
       # handle obtained from this RPC interface
       #

data/lib/ruby_smb/dcerpc.rb

@@ -50,6 +50,7 @@ module RubySMB
     require 'ruby_smb/dcerpc/icpr'
     require 'ruby_smb/dcerpc/efsrpc'
     require 'ruby_smb/dcerpc/lsarpc'
+    require 'ruby_smb/dcerpc/gkdi'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/rpc_auth3'

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.3.12'.freeze
+  VERSION = '3.3.14'.freeze
 end

data/spec/lib/ruby_smb/dcerpc/samr/encrypted_nt_owf_password_spec.rb

@@ -0,0 +1,10 @@
+RSpec.describe RubySMB::Dcerpc::Samr::EncryptedNtOwfPassword do
+  it 'Creates output key' do
+    expect(described_class.to_output_key('ABCDEFG')).to eq ["40a09068442A188E"].pack('H*')
+    expect(described_class.to_output_key('AAAAAAA')).to eq ["40A05028140A0482"].pack('H*')
+  end
+
+  it 'Encrypts a hash' do
+    expect(described_class.encrypt_hash(hash: 'AAAAAAAAAAAAAAAA', key: 'BBBBBBBBBBBBBB')).to eq ["8cd90c3de08ecda28cd90c3de08ecda2"].pack('H*')
+  end
+end

data/spec/lib/ruby_smb/dcerpc/samr/sampr_encrypted_user_password_spec.rb

@@ -0,0 +1,9 @@
+RSpec.describe RubySMB::Dcerpc::Samr::SamprEncryptedUserPassword do
+
+  it 'Encrypts correctly' do
+    password = 'newPassword1!'
+    old_password_nt = 'AAAAAAAAAAAAAAAA'
+    expected = ['c2cbe63dc0a3cda1baab695ce4f0352b774592b214a905796a6ba9fd30e0ffc56d60812bfd7f45420f5332922b50cfdcde3133e3e45c5eb6c16023006cb4ff7d41f54fa009a64fa66b00fa41094d7db6c4cc9a430a7ad43122047b696d934645974fee7551dcafac28c0869106417fd3fbfc34a87a56d6141aac2b6d134723f2224791b39749bc93f4405f78ba09dcd9b4d29e72ae0c873a8d468323793fffccc2a9d8dc4d975c42064208d898df71ef0889b2e5a9cfa6c8c2758eb15b6fdd332d6d7d2829f3a3bc2a7ecd7f87d1fd4aed25d93de6a7baf8e0247e2f5b831ca7646eef7a11e2f9410574707ef85c9db8cc125fb6254fe1e111a662006343299fcb8f8fb641cb1d188ff6e5c50334ca199603a93907093e6d35d80b2dade79360bc672870d29cdf5f80120ac53e9ce3c3718d0f8097cdae2318b8e27108fc1066491e5b034f55c1e8ff00a53d2eb7b0e0ffc10236a5a530795b84f33d66eb51388d6da112886c8ea482af0ec7e9c0a549a561244ee9185b5387b05d3c5e74d88e355aef22dab1d5039d0a0caa22437f6e520121ef5d21da729bb0cdee5cbb3b450bf1d0fcafad5ac518b0535628e2a96a2d0d2f8acd3e42147e700c2889cbc92c5533f1889b49d41c0ae9a05fc0a754060c0680296de5c712a3299cdd5c646582348fc2e32a68ae4fc2a3b91fb423adc617a20b28c1d6297f14a870329e6aa802d22ba97c'].pack('H*')
+    expect(described_class.encrypt_password(password, old_password_nt)).to eq expected
+  end
+end

data/spec/lib/ruby_smb/dcerpc/samr/samr_change_password_user_request_spec.rb

@@ -0,0 +1,28 @@
+RSpec.describe RubySMB::Dcerpc::Samr::SamrChangePasswordUserRequest do
+  subject(:packet) { described_class.new }
+
+  describe '#initialize_instance' do
+    it 'sets #opnum to SAMR_CHANGE_PASSWORD_USER constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Samr::SAMR_CHANGE_PASSWORD_USER)
+    end
+  end
+
+  it 'reads itself' do
+    uuid = RubySMB::Dcerpc::Uuid.new
+    uuid.set(SecureRandom.uuid)
+    new_packet = described_class.new({
+      user_handle: RubySMB::Dcerpc::Samr::SamprHandle.new(context_handle_attributes: 42, :context_handle_uuid => uuid),
+      lm_present: 1,
+      old_lm_encrypted_with_new_lm: RubySMB::Dcerpc::Samr::PencryptedNtOwfPassword.new(buffer: SecureRandom::bytes(16)),
+      new_lm_encrypted_with_old_lm: RubySMB::Dcerpc::Samr::PencryptedNtOwfPassword.new(buffer: SecureRandom::bytes(16)),
+      nt_present: 1,
+      old_nt_encrypted_with_new_nt: RubySMB::Dcerpc::Samr::PencryptedNtOwfPassword.new(buffer: SecureRandom::bytes(16)),
+      new_nt_encrypted_with_old_nt: RubySMB::Dcerpc::Samr::PencryptedNtOwfPassword.new(buffer: SecureRandom::bytes(16)),
+      nt_cross_encryption_present: 1,
+      new_nt_encrypted_with_new_nt: RubySMB::Dcerpc::Samr::PencryptedNtOwfPassword.new(buffer: SecureRandom::bytes(16)),
+      lm_cross_encryption_present: 1,
+      new_lm_encrypted_with_new_nt: RubySMB::Dcerpc::Samr::PencryptedNtOwfPassword.new(buffer: SecureRandom::bytes(16))
+    })
+    expect(packet.read(new_packet.to_binary_s)).to eq(new_packet)
+  end
+end

data/spec/lib/ruby_smb/dcerpc/samr/samr_change_password_user_response_spec.rb

@@ -0,0 +1,16 @@
+RSpec.describe RubySMB::Dcerpc::Samr::SamrChangePasswordUserResponse do
+  subject(:packet) { described_class.new }
+
+  describe '#initialize_instance' do
+    it 'sets #opnum to SAMR_CHANGE_PASSWORD_USER constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Samr::SAMR_CHANGE_PASSWORD_USER)
+    end
+  end
+
+  it 'reads itself' do
+    new_packet = described_class.new({
+      error_status: 4
+    })
+    expect(packet.read(new_packet.to_binary_s)).to eq(new_packet)
+  end
+end

data/spec/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_request_spec.rb

@@ -0,0 +1,22 @@
+RSpec.describe RubySMB::Dcerpc::Samr::SamrUnicodeChangePasswordUser2Request do
+  subject(:packet) { described_class.new }
+
+  describe '#initialize_instance' do
+    it 'sets #opnum to SAMR_UNICODE_CHANGE_PASSWORD_USER2 constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Samr::SAMR_UNICODE_CHANGE_PASSWORD_USER2)
+    end
+  end
+
+  it 'reads itself' do
+    new_packet = described_class.new({
+      server_name: 'my-server',
+      user_name: 'user.person',
+      new_password_encrypted_with_old_nt: RubySMB::Dcerpc::Samr::PsamprEncryptedUserPassword.new(buffer: SecureRandom::bytes(516)),
+      pencrypted_nt_owf_password: RubySMB::Dcerpc::Samr::PencryptedNtOwfPassword.new(buffer: SecureRandom::bytes(16)),
+      lm_present: 1,
+      new_password_encrypted_with_old_lm: RubySMB::Dcerpc::Samr::PsamprEncryptedUserPassword.new(buffer: SecureRandom::bytes(516)),
+      old_lm_owf_password_encrypted_with_new_nt: RubySMB::Dcerpc::Samr::PencryptedNtOwfPassword.new(buffer: SecureRandom::bytes(16)),
+    })
+    expect(packet.read(new_packet.to_binary_s)).to eq(new_packet)
+  end
+end

data/spec/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_response_spec.rb

@@ -0,0 +1,16 @@
+RSpec.describe RubySMB::Dcerpc::Samr::SamrUnicodeChangePasswordUser2Response do
+  subject(:packet) { described_class.new }
+
+  describe '#initialize_instance' do
+    it 'sets #opnum to SAMR_UNICODE_CHANGE_PASSWORD_USER2 constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Samr::SAMR_UNICODE_CHANGE_PASSWORD_USER2)
+    end
+  end
+
+  it 'reads itself' do
+    new_packet = described_class.new({
+      error_status: 4
+    })
+    expect(packet.read(new_packet.to_binary_s)).to eq(new_packet)
+  end
+end

data/spec/lib/ruby_smb/dcerpc/samr/user_properties_spec.rb

@@ -0,0 +1,76 @@
+RSpec.describe RubySMB::Dcerpc::Samr::UserProperties do
+  describe '#read' do
+    context 'when reading a structure with no user properties' do
+      let(:binary) { [ 0, 0x63, 0, 0, 0x50, 0].pack('L<L<S<S<x96<SC') }
+      let(:subject) { described_class.read(binary) }
+
+      it 'does not include the property_count' do
+        expect(subject.property_count?).to be_falsey
+        expect(subject.snapshot).to_not include(:property_count)
+      end
+
+      it 'does not include the user_properties' do
+        expect(subject.user_properties?).to be_falsey
+        expect(subject.snapshot).to_not include(:user_properties)
+      end
+
+      it 'serializes to the value that was read' do
+        expect(subject.to_binary_s).to eq(binary)
+      end
+    end
+
+    context 'when reading a structure with two user properties' do
+      let(:user_property1) { RubySMB::Dcerpc::Samr::UserProperty.new(property_name: 'key1', property_value: 'value1') }
+      let(:user_property2) { RubySMB::Dcerpc::Samr::UserProperty.new(property_name: 'key2', property_value: 'value2') }
+      let(:user_properties) { user_property1.to_binary_s + user_property2.to_binary_s }
+      let(:binary) { [ 0, 0x63 + 2 + user_properties.length, 0, 0, 0x50, 2].pack('L<L<S<S<x96<S<S') + user_properties + "\x00".b }
+      let(:subject) { described_class.read(binary) }
+
+      it 'includes the property_count' do
+        expect(subject.property_count?).to be_truthy
+        expect(subject.property_count).to eq(2)
+        expect(subject.snapshot).to include(:property_count)
+      end
+
+      it 'includes the user_properties' do
+        expect(subject.user_properties?).to be_truthy
+        expect(subject.user_properties).to eq([user_property1, user_property2])
+        expect(subject.snapshot).to include(:user_properties)
+      end
+
+      it 'serializes to the value that was read' do
+        expect(subject.to_binary_s).to eq(binary)
+      end
+
+      context 'when #user_properties is cleared' do
+        before(:each) { subject.user_properties.clear }
+
+        it 'does not include the property_count' do
+          expect(subject.property_count?).to be_falsey
+          expect(subject.snapshot).to_not include(:property_count)
+        end
+
+        it 'does not include the user_properties' do
+          expect(subject.user_properties?).to be_falsey
+          expect(subject.snapshot).to_not include(:user_properties)
+        end
+      end
+    end
+  end
+
+  describe '#initialize' do
+    let(:subject) { described_class.new }
+
+    it 'initializes #struct_length to 0x63' do
+      expect(subject.struct_length).to eq(0x63)
+    end
+
+    it 'initializes #property_signature to 0x50' do
+      expect(subject.property_signature).to eq(0x50)
+    end
+
+    it 'does not include user_properties' do
+      expect(subject.user_properties).to be_empty
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby_smb
 version: !ruby/object:Gem::Version
-  version: 3.3.12
+  version: 3.3.14
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -10,36 +10,10 @@ authors:
 - Dev Mohanty
 - Christophe De La Fuente
 - Spencer McIntyre
-autorequire: 
+autorequire:
 bindir: bin
-cert_chain:
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIERDCCAqygAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBttc2Zk
-  ZXYvREM9bWV0YXNwbG9pdC9EQz1jb20wHhcNMjMxMDMwMTYwNDI1WhcNMjUxMDI5
-  MTYwNDI1WjAmMSQwIgYDVQQDDBttc2ZkZXYvREM9bWV0YXNwbG9pdC9EQz1jb20w
-  ggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDZN/EKv+yVjwiKWvjAVhjF
-  aWNYI0E9bJ5d1qKd29omRYX9a+OOKBCu5+394fyF5RjwU4mYGr2iopX9ixRJrWXH
-  ojs70tEvV1CmvP9rhz7JKzQQoJOkinrz4d+StIylxVxVdgm7DeiB3ruTwvl7qKUv
-  piWzhrBFiVU6XIEAwq6wNEmnv2D+Omyf4h0Tf99hc6G0QmBnU3XydqvnZ+AzUbBV
-  24RH3+NQoigLbvK4M5aOeYhk19di58hznebOw6twHzNczshrBeMFQp985ScNgsvF
-  rL+7HNNwpcpngERwZfzDNn7iYN5X3cyvTcykShtsuPMa5zXsYo42LZrsTF87DW38
-  D8sxL6Dgdqu25Mltdw9m+iD4rHSfb1KJYEoNO+WwBJLO2Y4d6G1CR66tVeWsZspb
-  zneOVC+sDuil7hOm+6a7Y2yrrRyT6IfL/07DywjPAIRUp5+Jn8ZrkWRNo2AOwWBG
-  k5gz7SfJPHuyVnPlxoMA0MTFCUnnnbyHu882TGoJGgMCAwEAAaN9MHswCQYDVR0T
-  BAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFIQfNa4E889ZE334cwU7eNu2hScH
-  MCAGA1UdEQQZMBeBFW1zZmRldkBtZXRhc3Bsb2l0LmNvbTAgBgNVHRIEGTAXgRVt
-  c2ZkZXZAbWV0YXNwbG9pdC5jb20wDQYJKoZIhvcNAQELBQADggGBAMfzvKcV27p7
-  pctmpW2JmIXLMrjNLyGJAxELH/t9pJueXdga7uj2fJkYQDbwGw5x4MGyFqhqJLH4
-  l/qsUF3PyAXDTSWLVaqXQVWO+IIHxecG0XjPXTNudzMU0hzqbqiBKvsW7/a3V5BP
-  SWlFzrFkoXWlPouFpoakyYMJjpW4SGdPzRv7pM4OhXtkXpHiRvx5985FrHgHlI89
-  NSIuIUbp8zqk4hP1i9MV0Lc/vTf2gOmo+RHnjqG1NiYfMCYyY/Mcd4W36kGOl468
-  I8VDTwgCufkAzFu7BJ5yCOueqtDcuq+d3YhAyU7NI4+Ja8EwazOnB+07sWhKpg7z
-  yuQ1mWYPmZfVQpoSVv1CvXsoqJYXVPBBLOacKKSj8ArVG6pPn9Bej7IOQdblaFjl
-  DgscAao7wB3xW2BWEp1KnaDWkf1x9ttgoBEYyuYwU7uatB67kBQG1PKvLt79wHvz
-  Dxs+KOjGbBRfMnPgVGYkORKVrZIwlaboHbDKxcVW5xv+oZc7KYXWGg==
-  -----END CERTIFICATE-----
-date: 2024-11-22 00:00:00.000000000 Z
+cert_chain: []
+date: 2025-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: redcarpet
@@ -279,6 +253,12 @@ files:
 - lib/ruby_smb/dcerpc/epm/epm_twrt.rb
 - lib/ruby_smb/dcerpc/error.rb
 - lib/ruby_smb/dcerpc/fault.rb
+- lib/ruby_smb/dcerpc/gkdi.rb
+- lib/ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_key.rb
+- lib/ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_parameters.rb
+- lib/ruby_smb/dcerpc/gkdi/gkdi_get_key_request.rb
+- lib/ruby_smb/dcerpc/gkdi/gkdi_get_key_response.rb
+- lib/ruby_smb/dcerpc/gkdi/gkdi_group_key_envelope.rb
 - lib/ruby_smb/dcerpc/icpr.rb
 - lib/ruby_smb/dcerpc/icpr/cert_server_request_request.rb
 - lib/ruby_smb/dcerpc/icpr/cert_server_request_response.rb
@@ -328,6 +308,8 @@ files:
 - lib/ruby_smb/dcerpc/samr.rb
 - lib/ruby_smb/dcerpc/samr/rpc_sid.rb
 - lib/ruby_smb/dcerpc/samr/sampr_domain_info_buffer.rb
+- lib/ruby_smb/dcerpc/samr/samr_change_password_user_request.rb
+- lib/ruby_smb/dcerpc/samr/samr_change_password_user_response.rb
 - lib/ruby_smb/dcerpc/samr/samr_close_handle_request.rb
 - lib/ruby_smb/dcerpc/samr/samr_close_handle_response.rb
 - lib/ruby_smb/dcerpc/samr/samr_connect_request.rb
@@ -362,6 +344,8 @@ files:
 - lib/ruby_smb/dcerpc/samr/samr_rid_to_sid_response.rb
 - lib/ruby_smb/dcerpc/samr/samr_set_information_user2_request.rb
 - lib/ruby_smb/dcerpc/samr/samr_set_information_user2_response.rb
+- lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_request.rb
+- lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_response.rb
 - lib/ruby_smb/dcerpc/sec_trailer.rb
 - lib/ruby_smb/dcerpc/srvsvc.rb
 - lib/ruby_smb/dcerpc/srvsvc/net_share_enum_all.rb
@@ -713,7 +697,11 @@ files:
 - spec/lib/ruby_smb/dcerpc/rpc_auth3_spec.rb
 - spec/lib/ruby_smb/dcerpc/rpc_security_attributes_spec.rb
 - spec/lib/ruby_smb/dcerpc/rrp_rpc_unicode_string_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/encrypted_nt_owf_password_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/rpc_sid_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/sampr_encrypted_user_password_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/samr_change_password_user_request_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/samr_change_password_user_response_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_close_handle_request_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_close_handle_response_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_connect_request_spec.rb
@@ -736,6 +724,9 @@ files:
 - spec/lib/ruby_smb/dcerpc/samr/samr_rid_to_sid_response_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_set_information_user2_request_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_set_information_user2_response_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_request_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_response_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/user_properties_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr_spec.rb
 - spec/lib/ruby_smb/dcerpc/sec_trailer_spec.rb
 - spec/lib/ruby_smb/dcerpc/srvsvc/net_share_enum_all_spec.rb
@@ -985,7 +976,7 @@ homepage: https://github.com/rapid7/ruby_smb
 licenses:
 - BSD-3-clause
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -1000,8 +991,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key: 
+rubygems_version: 3.4.19
+signing_key:
 specification_version: 4
 summary: A pure Ruby implementation of the SMB Protocol Family
 test_files:
@@ -1057,7 +1048,11 @@ test_files:
 - spec/lib/ruby_smb/dcerpc/rpc_auth3_spec.rb
 - spec/lib/ruby_smb/dcerpc/rpc_security_attributes_spec.rb
 - spec/lib/ruby_smb/dcerpc/rrp_rpc_unicode_string_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/encrypted_nt_owf_password_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/rpc_sid_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/sampr_encrypted_user_password_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/samr_change_password_user_request_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/samr_change_password_user_response_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_close_handle_request_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_close_handle_response_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_connect_request_spec.rb
@@ -1080,6 +1075,9 @@ test_files:
 - spec/lib/ruby_smb/dcerpc/samr/samr_rid_to_sid_response_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_set_information_user2_request_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_set_information_user2_response_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_request_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_response_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/user_properties_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr_spec.rb
 - spec/lib/ruby_smb/dcerpc/sec_trailer_spec.rb
 - spec/lib/ruby_smb/dcerpc/srvsvc/net_share_enum_all_spec.rb