ruby_smb 3.3.5 → 3.3.7
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/examples/registry_key_security_descriptor.rb +109 -0
- data/lib/ruby_smb/client/winreg.rb +12 -0
- data/lib/ruby_smb/dcerpc/ndr.rb +16 -6
- data/lib/ruby_smb/dcerpc/request.rb +19 -16
- data/lib/ruby_smb/dcerpc/rrp_rpc_unicode_string.rb +1 -1
- data/lib/ruby_smb/dcerpc/samr/sampr_domain_info_buffer.rb +151 -0
- data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_request.rb +22 -0
- data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_response.rb +23 -0
- data/lib/ruby_smb/dcerpc/samr.rb +42 -1
- data/lib/ruby_smb/dcerpc/winreg/get_key_security_request.rb +26 -0
- data/lib/ruby_smb/dcerpc/winreg/get_key_security_response.rb +26 -0
- data/lib/ruby_smb/dcerpc/winreg/query_value_response.rb +2 -0
- data/lib/ruby_smb/dcerpc/winreg/set_key_security_request.rb +26 -0
- data/lib/ruby_smb/dcerpc/winreg/set_key_security_response.rb +25 -0
- data/lib/ruby_smb/dcerpc/winreg.rb +121 -9
- data/lib/ruby_smb/field/security_descriptor.rb +17 -0
- data/lib/ruby_smb/version.rb +1 -1
- data/spec/lib/ruby_smb/dcerpc/ndr_spec.rb +80 -0
- data/spec/lib/ruby_smb/dcerpc/winreg_spec.rb +267 -18
- data.tar.gz.sig +0 -0
- metadata +10 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 228afeef84601354373c132ceaa48341ed9f5f4bbab4e625c37d2f2d71864146
|
4
|
+
data.tar.gz: 71512d0529ba352d0cc0ee7c27a27e03116d50f31801beed3fd04cb19e73f4ff
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3c7dede328c8d637b9088da518649deba6d758a1093e3591bb0cd9e2f4c458a5c5a82a37640aa14523586aa6e83b61d59d4fab21d3fa33739c47d687367cede3
|
7
|
+
data.tar.gz: 6c72f0673379264f71a55935dec05f13f195614c9cd8d6f44935687ab028545e233496ad04f4157a07d1f5f74092fac8dd43f69713d2ac1aeeb7006a12c47e21
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
@@ -0,0 +1,109 @@
|
|
1
|
+
#!/usr/bin/ruby
|
2
|
+
|
3
|
+
# This example script is used for testing the Winreg registry key security descriptor functionalities.
|
4
|
+
# It will attempt to connect to a host and reads (or writes) the security descriptor of a specified registry key.
|
5
|
+
#
|
6
|
+
# Example usage:
|
7
|
+
# - read:
|
8
|
+
# ruby examples/read_registry_key_security.rb --username msfadmin --password msfadmin -i 7 -o r 192.168.172.138 'HKLM\SECURITY\Policy\PolEKList'
|
9
|
+
# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
|
10
|
+
# credentialas and read the security descriptor of the
|
11
|
+
# `HKLM\SECURITY\Policy\PolEKList` registry key with the security information 7
|
12
|
+
# (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
|
13
|
+
# DACL_SECURITY_INFORMATION).
|
14
|
+
#
|
15
|
+
# - write:
|
16
|
+
# ruby examples/read_registry_key_security.rb --username msfadmin --password msfadmin -i 4 --sd 01000480000000000000000000000000140000000200340002000000000214003f000f00010100000000000512000000000218000000060001020000000000052000000020020000 -o w 192.168.172.138 'HKLM\SECURITY\Policy\PolEKList'
|
17
|
+
# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
|
18
|
+
# credentialas and write the given security descriptor to the
|
19
|
+
# `HKLM\SECURITY\Policy\PolEKList` registry key with the security information 4
|
20
|
+
# (DACL_SECURITY_INFORMATION).
|
21
|
+
|
22
|
+
require 'bundler/setup'
|
23
|
+
require 'optparse'
|
24
|
+
require 'ruby_smb'
|
25
|
+
|
26
|
+
OPERATIONS = %w{read write}
|
27
|
+
OPERATION_ALIASES = { "r" => "read", "w" => "write" }
|
28
|
+
|
29
|
+
args = ARGV.dup
|
30
|
+
options = {
|
31
|
+
domain: '.',
|
32
|
+
username: '',
|
33
|
+
password: '',
|
34
|
+
smbv1: true,
|
35
|
+
smbv2: true,
|
36
|
+
smbv3: true,
|
37
|
+
target: nil,
|
38
|
+
key: nil,
|
39
|
+
operation: 'read',
|
40
|
+
info: RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION | RubySMB::Field::SecurityDescriptor::GROUP_SECURITY_INFORMATION | RubySMB::Field::SecurityDescriptor::DACL_SECURITY_INFORMATION,
|
41
|
+
sd: nil
|
42
|
+
}
|
43
|
+
options[:key] = args.pop
|
44
|
+
options[:target ] = args.pop
|
45
|
+
optparser = OptionParser.new do |opts|
|
46
|
+
opts.banner = "Usage: #{File.basename(__FILE__)} [options] target reg_key"
|
47
|
+
opts.on('--[no-]smbv1', "Enable or disable SMBv1 (default: #{options[:smbv1] ? 'Enabled' : 'Disabled'})") do |smbv1|
|
48
|
+
options[:smbv1] = smbv1
|
49
|
+
end
|
50
|
+
opts.on('--[no-]smbv2', "Enable or disable SMBv2 (default: #{options[:smbv2] ? 'Enabled' : 'Disabled'})") do |smbv2|
|
51
|
+
options[:smbv2] = smbv2
|
52
|
+
end
|
53
|
+
opts.on('--[no-]smbv3', "Enable or disable SMBv3 (default: #{options[:smbv3] ? 'Enabled' : 'Disabled'})") do |smbv3|
|
54
|
+
options[:smbv3] = smbv3
|
55
|
+
end
|
56
|
+
opts.on('-u', '--username [USERNAME]', "The account's username (default: #{options[:username]})") do |username|
|
57
|
+
if username.include?('\\')
|
58
|
+
options[:domain], options[:username] = username.split('\\', 2)
|
59
|
+
else
|
60
|
+
options[:username] = username
|
61
|
+
end
|
62
|
+
end
|
63
|
+
opts.on('-p', '--password [PASSWORD]', "The account's password (default: #{options[:password]})") do |password|
|
64
|
+
options[:password] = password
|
65
|
+
end
|
66
|
+
operation_list = (OPERATION_ALIASES.keys + OPERATIONS).join(', ')
|
67
|
+
opts.on('-o', '--operation OPERATION', OPERATIONS, OPERATION_ALIASES, "The operation to perform on the registry key (default: #{options[:operation]})", "(#{operation_list})") do |operation|
|
68
|
+
options[:operation] = operation
|
69
|
+
end
|
70
|
+
opts.on('-i', '--info [SECURITY INFORMATION]', Integer, "The security information value (default: #{options[:info]})") do |password|
|
71
|
+
options[:info] = password
|
72
|
+
end
|
73
|
+
opts.on('-s', '--sd [SECURITY DESCRIPTOR]', "The security descriptor to write as an hex string") do |sd|
|
74
|
+
options[:sd] = sd
|
75
|
+
end
|
76
|
+
end
|
77
|
+
optparser.parse!(args)
|
78
|
+
|
79
|
+
if options[:target].nil? || options[:key].nil?
|
80
|
+
abort(optparser.help)
|
81
|
+
end
|
82
|
+
|
83
|
+
sock = TCPSocket.new options[:target], 445
|
84
|
+
dispatcher = RubySMB::Dispatcher::Socket.new(sock)
|
85
|
+
|
86
|
+
client = RubySMB::Client.new(dispatcher, smb1: options[:smbv1], smb2: options[:smbv2], smb3: options[:smbv3], username: options[:username], password: options[:password], domain: options[:domain])
|
87
|
+
protocol = client.negotiate
|
88
|
+
status = client.authenticate
|
89
|
+
|
90
|
+
puts "#{protocol}: #{status}"
|
91
|
+
|
92
|
+
case options[:operation]
|
93
|
+
when 'read', 'r'
|
94
|
+
puts "Read registry key #{options[:key]} security descriptor with security information #{options[:info]}"
|
95
|
+
security_descriptor = client.get_key_security_descriptor(options[:target], options[:key], options[:info])
|
96
|
+
puts "Security descriptor: #{security_descriptor.b.bytes.map {|c| "%02x" % c.ord}.join}"
|
97
|
+
when 'write', 'w'
|
98
|
+
unless options[:sd] && !options[:sd].empty?
|
99
|
+
puts "Security descriptor missing"
|
100
|
+
abort(optparser.help)
|
101
|
+
end
|
102
|
+
puts "Write security descriptor #{options[:sd]} to registry key #{options[:key]} with security information #{options[:info]}"
|
103
|
+
sd = options[:sd].chars.each_slice(2).map {|c| c.join.to_i(16).chr}.join
|
104
|
+
status = client.set_key_security_descriptor(options[:target], options[:key], sd, options[:info])
|
105
|
+
puts "Success!"
|
106
|
+
end
|
107
|
+
|
108
|
+
client.disconnect!
|
109
|
+
|
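Review bot: The hex decode at line 103, `sd = options[:sd].chars.each_slice(2).map {|c| c.join.to_i(16).chr}.join`, accepts odd-length input and maps any non-hex pair to a zero byte via `to_i(16)`, so a mistyped `--sd` value is written to the key as a silently corrupted descriptor instead of being rejected; `abort('--sd must be an even-length hex string') unless options[:sd].match?(/\A(?:\h\h)+\z/)` followed by `sd = [options[:sd]].pack('H*')` (and `security_descriptor.b.unpack1('H*')` for the read path at line 96) would both validate and simplify. The `status` from `client.authenticate` at line 88 is printed but never checked, and at line 104 the value returned by `set_key_security_descriptor` is assigned and "Success!" printed unconditionally — if that method reports failure through its return value rather than by raising (not visible here), a failed write is announced as a success. The usage lines at 8 and 16 invoke `examples/read_registry_key_security.rb` while the file added is `registry_key_security_descriptor.rb`, and "credentialas" at lines 10 and 18 is a typo. The `-i/--info` option block at lines 70–71 names its parameter `password`; `info` would read as intended.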
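--- a/data/lib/ruby_smb/client/winreg.rb
+++ b/data/lib/ruby_smb/client/winreg.rb
@@ -40,6 +40,18 @@ module RubySMB
         end
       end
 
+      def get_key_security_descriptor(host, key, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.get_key_security_descriptor(key, security_information)
+        end
+      end
+
+      def set_key_security_descriptor(host, key, security_descriptor, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.set_key_security_descriptor(key, security_descriptor, security_information)
+        end
+      end
+
     end
   end
 end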
data/lib/ruby_smb/dcerpc/ndr.rb
CHANGED
@@ -66,12 +66,16 @@ module RubySMB::Dcerpc::Ndr
|
|
66
66
|
end
|
67
67
|
|
68
68
|
# [Integers](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_02_05)
|
69
|
-
# This will define the
|
69
|
+
# This will define the eight Integers accepted by the NDR protocol:
|
70
|
+
# - NdrInt8
|
70
71
|
# - NdrUint8
|
72
|
+
# - NdrInt16
|
71
73
|
# - NdrUint16
|
74
|
+
# - NdrInt32
|
72
75
|
# - NdrUint32
|
76
|
+
# - NdrInt64
|
73
77
|
# - NdrUint64
|
74
|
-
{Uint8: 1, Uint16le: 2, Uint32le: 4, Uint64le: 8}.each do |klass, nb_bytes|
|
78
|
+
{Int8: 1, Uint8: 1, Int16le: 2, Uint16le: 2, Int32le: 4, Uint32le: 4, Int64le: 8, Uint64le: 8}.each do |klass, nb_bytes|
|
75
79
|
new_klass_name = "Ndr#{klass.to_s.chomp('le')}"
|
76
80
|
unless self.const_defined?(new_klass_name)
|
77
81
|
new_klass = Class.new(BinData.const_get(klass)) do
|
@@ -563,8 +567,11 @@ module RubySMB::Dcerpc::Ndr
|
|
563
567
|
def get_max_count(val)
|
564
568
|
if is_a?(BinData::Stringz)
|
565
569
|
max_count = val.to_s.strip.length
|
566
|
-
#
|
567
|
-
|
570
|
+
# Add one to count the terminator. According to
|
571
|
+
# https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02,
|
572
|
+
# the NDR String must contain at least one element, the terminator. So,
|
573
|
+
# add one even if it is an empty string.
|
574
|
+
max_count += 1
|
568
575
|
return max_count
|
569
576
|
else
|
570
577
|
return val.to_s.length
|
@@ -618,8 +625,11 @@ module RubySMB::Dcerpc::Ndr
|
|
618
625
|
def update_actual_count(val)
|
619
626
|
if is_a?(BinData::Stringz)
|
620
627
|
@actual_count = val.to_s.strip.length
|
621
|
-
#
|
622
|
-
|
628
|
+
# Add one to count the terminator. According to
|
629
|
+
# https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04,
|
630
|
+
# the NDR String must contain at least one element, the terminator. So,
|
631
|
+
# add one even if it is an empty string.
|
632
|
+
@actual_count += 1
|
623
633
|
else
|
624
634
|
@actual_count = val.to_s.length
|
625
635
|
end
|
@@ -18,22 +18,24 @@ module RubySMB
|
|
18
18
|
choice :stub, label: 'Stub', selection: -> { @obj.parent.get_parameter(:endpoint) || '' } do
|
19
19
|
string 'Encrypted'
|
20
20
|
choice 'Winreg', selection: -> { opnum } do
|
21
|
-
open_root_key_request
|
22
|
-
open_root_key_request
|
23
|
-
open_root_key_request
|
24
|
-
open_root_key_request
|
25
|
-
open_root_key_request
|
26
|
-
open_root_key_request
|
27
|
-
open_root_key_request
|
28
|
-
open_root_key_request
|
29
|
-
close_key_request
|
30
|
-
enum_key_request
|
31
|
-
enum_value_request
|
32
|
-
open_key_request
|
33
|
-
query_info_key_request
|
34
|
-
query_value_request
|
35
|
-
create_key_request
|
36
|
-
save_key_request
|
21
|
+
open_root_key_request Winreg::OPEN_HKCR, opnum: Winreg::OPEN_HKCR
|
22
|
+
open_root_key_request Winreg::OPEN_HKCU, opnum: Winreg::OPEN_HKCU
|
23
|
+
open_root_key_request Winreg::OPEN_HKLM, opnum: Winreg::OPEN_HKLM
|
24
|
+
open_root_key_request Winreg::OPEN_HKPD, opnum: Winreg::OPEN_HKPD
|
25
|
+
open_root_key_request Winreg::OPEN_HKU, opnum: Winreg::OPEN_HKU
|
26
|
+
open_root_key_request Winreg::OPEN_HKCC, opnum: Winreg::OPEN_HKCC
|
27
|
+
open_root_key_request Winreg::OPEN_HKPT, opnum: Winreg::OPEN_HKPT
|
28
|
+
open_root_key_request Winreg::OPEN_HKPN, opnum: Winreg::OPEN_HKPN
|
29
|
+
close_key_request Winreg::REG_CLOSE_KEY
|
30
|
+
enum_key_request Winreg::REG_ENUM_KEY
|
31
|
+
enum_value_request Winreg::REG_ENUM_VALUE
|
32
|
+
open_key_request Winreg::REG_OPEN_KEY
|
33
|
+
query_info_key_request Winreg::REG_QUERY_INFO_KEY
|
34
|
+
query_value_request Winreg::REG_QUERY_VALUE
|
35
|
+
create_key_request Winreg::REG_CREATE_KEY
|
36
|
+
save_key_request Winreg::REG_SAVE_KEY
|
37
|
+
get_key_security_request Winreg::REG_GET_KEY_SECURITY
|
38
|
+
set_key_security_request Winreg::REG_SET_KEY_SECURITY
|
37
39
|
string :default
|
38
40
|
end
|
39
41
|
choice 'Netlogon', selection: -> { opnum } do
|
@@ -74,6 +76,7 @@ module RubySMB
|
|
74
76
|
samr_create_user2_in_domain_request Samr::SAMR_CREATE_USER2_IN_DOMAIN
|
75
77
|
samr_set_information_user2_request Samr::SAMR_SET_INFORMATION_USER2
|
76
78
|
samr_delete_user_request Samr::SAMR_DELETE_USER
|
79
|
+
samr_query_information_domain_request Samr::SAMR_QUERY_INFORMATION_DOMAIN
|
77
80
|
string :default
|
78
81
|
end
|
79
82
|
choice 'Wkssvc', selection: -> { opnum } do
|
@@ -20,7 +20,7 @@ module RubySMB
|
|
20
20
|
when BinData::Stringz, BinData::String, String
|
21
21
|
self.buffer = val.to_s
|
22
22
|
val_length = val.strip.length
|
23
|
-
val_length += 1
|
23
|
+
val_length += 1
|
24
24
|
self.buffer_length = val_length * 2
|
25
25
|
self.maximum_length = val_length * 2
|
26
26
|
else
|
@@ -0,0 +1,151 @@
|
|
1
|
+
module RubySMB
|
2
|
+
module Dcerpc
|
3
|
+
module Samr
|
4
|
+
# [2.2.3.5 DOMAIN_PASSWORD_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/0ae356d8-c220-4706-846e-ebbdc6fabdcb)
|
5
|
+
class SamprDomainPasswordInformation < Ndr::NdrStruct
|
6
|
+
default_parameters byte_align: 4
|
7
|
+
endian :little
|
8
|
+
|
9
|
+
ndr_uint16 :min_password_length
|
10
|
+
ndr_uint16 :password_history_length
|
11
|
+
ndr_uint32 :password_properties
|
12
|
+
ndr_int64 :max_password_age
|
13
|
+
ndr_int64 :min_password_age
|
14
|
+
end
|
15
|
+
|
16
|
+
# [2.2.3.12 SAMPR_DOMAIN_OEM_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/7cbb7ff0-e593-440d-8341-a3435195cdf1)
|
17
|
+
class SamprDomainOemInformation < Ndr::NdrStruct
|
18
|
+
default_parameters byte_align: 4
|
19
|
+
endian :little
|
20
|
+
|
21
|
+
rpc_unicode_string :oem_information
|
22
|
+
end
|
23
|
+
|
24
|
+
# [2.2.3.7 DOMAIN_SERVER_ROLE_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/cb0e586a-29c8-49b2-8ced-c273a7476c22)
|
25
|
+
class SamprDomainServerRoleInformation < Ndr::NdrStruct
|
26
|
+
default_parameters byte_align: 4
|
27
|
+
endian :little
|
28
|
+
|
29
|
+
ndr_uint16 :domain_server_role
|
30
|
+
end
|
31
|
+
|
32
|
+
# [2.2.3.15 SAMPR_DOMAIN_LOCKOUT_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/c9d789ed-c54a-4450-be56-251e627e1f52)
|
33
|
+
class SamprDomainLockoutInformation < Ndr::NdrStruct
|
34
|
+
default_parameters byte_align: 4
|
35
|
+
endian :little
|
36
|
+
|
37
|
+
ndr_uint64 :lockout_duration
|
38
|
+
ndr_uint64 :lockout_observation_window
|
39
|
+
ndr_uint16 :lockout_threshold
|
40
|
+
end
|
41
|
+
|
42
|
+
# [2.2.3.10 SAMPR_DOMAIN_GENERAL_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/85973e1c-96f2-4c80-8135-b24d74ad7794)
|
43
|
+
class SamprDomainGeneralInformation < Ndr::NdrStruct
|
44
|
+
default_parameters byte_align: 4
|
45
|
+
endian :little
|
46
|
+
|
47
|
+
ndr_int64 :force_logoff
|
48
|
+
rpc_unicode_string :oem_information
|
49
|
+
rpc_unicode_string :domain_name
|
50
|
+
rpc_unicode_string :replica_source_node_name
|
51
|
+
ndr_int64 :domain_modified_count
|
52
|
+
ndr_uint32 :domain_server_state
|
53
|
+
ndr_uint32 :domain_server_role
|
54
|
+
ndr_uint8 :uas_compatibility_required
|
55
|
+
ndr_uint32 :user_count
|
56
|
+
ndr_uint32 :group_count
|
57
|
+
ndr_uint32 :alias_count
|
58
|
+
end
|
59
|
+
|
60
|
+
# [2.2.3.6 DOMAIN_LOGOFF_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6fb0bbea-888c-4353-b5f8-75e7862344be)
|
61
|
+
class SamprDomainLogoffInformation < Ndr::NdrStruct
|
62
|
+
default_parameters byte_align: 4
|
63
|
+
endian :little
|
64
|
+
|
65
|
+
ndr_int64 :force_logoff
|
66
|
+
end
|
67
|
+
|
68
|
+
# [2.2.3.13 SAMPR_DOMAIN_NAME_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5131d2c0-04c7-4c1b-8fd5-0b0b6cfa6c24)
|
69
|
+
class SamprDomainNameInformation < Ndr::NdrStruct
|
70
|
+
default_parameters byte_align: 4
|
71
|
+
endian :little
|
72
|
+
|
73
|
+
rpc_unicode_string :domain_name
|
74
|
+
end
|
75
|
+
|
76
|
+
# [2.2.3.8 DOMAIN_MODIFIED_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e1da9680-8968-423b-98c0-fbdcf1535ef9)
|
77
|
+
class SamprDomainModifiedInformation < Ndr::NdrStruct
|
78
|
+
default_parameters byte_align: 4
|
79
|
+
endian :little
|
80
|
+
|
81
|
+
ndr_int64 :domain_modified_count
|
82
|
+
ndr_int64 :creation_time
|
83
|
+
end
|
84
|
+
|
85
|
+
# [2.2.3.9 DOMAIN_MODIFIED_INFORMATION2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/47eea81b-5fee-4925-b5c1-fc594dcc8dff)
|
86
|
+
class SamprDomainModifiedInformation2 < Ndr::NdrStruct
|
87
|
+
default_parameters byte_align: 4
|
88
|
+
endian :little
|
89
|
+
|
90
|
+
ndr_int64 :domain_modified_count
|
91
|
+
ndr_int64 :creation_time
|
92
|
+
ndr_int64 :modified_count_at_last_promotion
|
93
|
+
end
|
94
|
+
|
95
|
+
# [2.2.3.3 DOMAIN_STATE_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/f224edcf-8d4e-4294-b0c3-b0eda384c402)
|
96
|
+
class SamprDomainStateInformation < Ndr::NdrStruct
|
97
|
+
default_parameters byte_align: 4
|
98
|
+
endian :little
|
99
|
+
|
100
|
+
ndr_uint16 :domain_server_state
|
101
|
+
end
|
102
|
+
|
103
|
+
# [2.2.3.11 SAMPR_DOMAIN_GENERAL_INFORMATION2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/9a663cf2-0923-4959-b2c5-2e25c19735ff)
|
104
|
+
class SamprDomainGeneralInformation2 < Ndr::NdrStruct
|
105
|
+
default_parameters byte_align: 4
|
106
|
+
endian :little
|
107
|
+
|
108
|
+
sampr_domain_general_information :i1
|
109
|
+
ndr_uint64 :lockout_duration
|
110
|
+
ndr_uint64 :lockout_observation_window
|
111
|
+
ndr_uint16 :lockout_threshold
|
112
|
+
end
|
113
|
+
|
114
|
+
# [2.2.3.14 SAMPR_DOMAIN_REPLICATION_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/c9293797-e11d-4098-be12-bf9e1de91f20)
|
115
|
+
class SamprDomainReplicationInformation < Ndr::NdrStruct
|
116
|
+
default_parameters byte_align: 4
|
117
|
+
endian :little
|
118
|
+
|
119
|
+
rpc_unicode_string :replica_node_name
|
120
|
+
end
|
121
|
+
|
122
|
+
# [2.2.3.17 SAMPR_DOMAIN_INFO_BUFFER](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/1adc2142-dbb8-4554-aa24-010c713698bf)
|
123
|
+
class SamprDomainInfoBuffer < BinData::Record
|
124
|
+
default_parameters byte_align: 4
|
125
|
+
endian :little
|
126
|
+
|
127
|
+
uint16 :info_class
|
128
|
+
skip length: 2
|
129
|
+
|
130
|
+
choice :buffer, selection: :info_class do
|
131
|
+
sampr_domain_password_information DOMAIN_PASSWORD_INFORMATION
|
132
|
+
sampr_domain_oem_information DOMAIN_OEM_INFORMATION
|
133
|
+
sampr_domain_server_role_information DOMAIN_SERVER_ROLE_INFORMATION
|
134
|
+
sampr_domain_lockout_information DOMAIN_LOCKOUT_INFORMATION
|
135
|
+
sampr_domain_logoff_information DOMAIN_LOGOFF_INFORMATION
|
136
|
+
sampr_domain_general_information DOMAIN_GENERAL_INFORMATION
|
137
|
+
sampr_domain_name_information DOMAIN_NAME_INFORMATION
|
138
|
+
sampr_domain_modified_information DOMAIN_MODIFIED_INFORMATION
|
139
|
+
sampr_domain_modified_information2 DOMAIN_MODIFIED_INFORMATION2
|
140
|
+
sampr_domain_state_information DOMAIN_STATE_INFORMATION
|
141
|
+
sampr_domain_general_information2 DOMAIN_GENERAL_INFORMATION2
|
142
|
+
sampr_domain_replication_information DOMAIN_REPLICATION_INFORMATION
|
143
|
+
end
|
144
|
+
end
|
145
|
+
|
146
|
+
class PsamprDomainInfoBuffer < SamprDomainInfoBuffer
|
147
|
+
extend Ndr::PointerClassPlugin
|
148
|
+
end
|
149
|
+
end
|
150
|
+
end
|
151
|
+
end
|
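--- a/data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_request.rb
+++ b/data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_request.rb
@@ -0,0 +1,22 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.5.2 SamrQueryInformationDomain (Opnum 8)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5d6a2817-caa9-41ca-a269-fd13ecbb4fa8)
+      class SamrQueryInformationDomainRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        sampr_handle :domain_handle
+        ndr_uint16 :domain_information_class
+
+        def initialize_instance
+          super
+          @opnum = SAMR_QUERY_INFORMATION_DOMAIN
+        end
+      end
+
+    end
+  end
+end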
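--- a/data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_response.rb
+++ b/data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_response.rb
@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.5.2 SamrQueryInformationDomain (Opnum 8)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5d6a2817-caa9-41ca-a269-fd13ecbb4fa8)
+      class SamrQueryInformationDomainResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        psampr_domain_info_buffer :buffer
+        ndr_uint32 :error_status
+
+        def initialize_instance
+          super
+          @opnum = SAMR_QUERY_INFORMATION_DOMAIN
+        end
+      end
+
+    end
+  end
+end
+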
data/lib/ruby_smb/dcerpc/samr.rb
CHANGED
@@ -16,6 +16,7 @@ module RubySMB
|
|
16
16
|
SAMR_LOOKUP_DOMAIN_IN_SAM_SERVER = 0x0005
|
17
17
|
SAMR_ENUMERATE_DOMAINS_IN_SAM_SERVER = 0x0006
|
18
18
|
SAMR_OPEN_DOMAIN = 0x0007
|
19
|
+
SAMR_QUERY_INFORMATION_DOMAIN = 0x0008
|
19
20
|
SAMR_ENUMERATE_USERS_IN_DOMAIN = 0x000D
|
20
21
|
SAMR_GET_ALIAS_MEMBERSHIP = 0x0010
|
21
22
|
SAMR_LOOKUP_NAMES_IN_DOMAIN = 0x0011
|
@@ -139,6 +140,20 @@ module RubySMB
|
|
139
140
|
USER_ALL_SECURITYDESCRIPTOR = 0x10000000
|
140
141
|
USER_ALL_UNDEFINED_MASK = 0xC0000000
|
141
142
|
|
143
|
+
# [2.2.3.16 DOMAIN_INFORMATION_CLASS Values](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6)
|
144
|
+
DOMAIN_PASSWORD_INFORMATION = 1
|
145
|
+
DOMAIN_GENERAL_INFORMATION = 2
|
146
|
+
DOMAIN_LOGOFF_INFORMATION = 3
|
147
|
+
DOMAIN_OEM_INFORMATION = 4
|
148
|
+
DOMAIN_NAME_INFORMATION = 5
|
149
|
+
DOMAIN_REPLICATION_INFORMATION = 6
|
150
|
+
DOMAIN_SERVER_ROLE_INFORMATION = 7
|
151
|
+
DOMAIN_MODIFIED_INFORMATION = 8
|
152
|
+
DOMAIN_STATE_INFORMATION = 9
|
153
|
+
DOMAIN_GENERAL_INFORMATION2 = 11
|
154
|
+
DOMAIN_LOCKOUT_INFORMATION = 12
|
155
|
+
DOMAIN_MODIFIED_INFORMATION2 = 13
|
156
|
+
|
142
157
|
# [2.2.6.28 USER_INFORMATION_CLASS Values](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6)
|
143
158
|
USER_GENERAL_INFORMATION = 1
|
144
159
|
USER_PREFERENCES_INFORMATION = 2
|
@@ -474,6 +489,7 @@ module RubySMB
|
|
474
489
|
end
|
475
490
|
|
476
491
|
require 'ruby_smb/dcerpc/samr/rpc_sid'
|
492
|
+
require 'ruby_smb/dcerpc/samr/sampr_domain_info_buffer'
|
477
493
|
|
478
494
|
require 'ruby_smb/dcerpc/samr/samr_connect_request'
|
479
495
|
require 'ruby_smb/dcerpc/samr/samr_connect_response'
|
@@ -503,6 +519,8 @@ module RubySMB
|
|
503
519
|
require 'ruby_smb/dcerpc/samr/samr_set_information_user2_response'
|
504
520
|
require 'ruby_smb/dcerpc/samr/samr_delete_user_request'
|
505
521
|
require 'ruby_smb/dcerpc/samr/samr_delete_user_response'
|
522
|
+
require 'ruby_smb/dcerpc/samr/samr_query_information_domain_request'
|
523
|
+
require 'ruby_smb/dcerpc/samr/samr_query_information_domain_response'
|
506
524
|
|
507
525
|
# Returns a handle to a server object.
|
508
526
|
#
|
@@ -979,7 +997,30 @@ module RubySMB
|
|
979
997
|
samr_get_groups_for_user_reponse.groups.groups.to_ary
|
980
998
|
end
|
981
999
|
|
1000
|
+
# Returns domain information.
|
1001
|
+
#
|
1002
|
+
# @param domain_handle [RubySMB::Dcerpc::Samr::SamprHandle] An RPC context
|
1003
|
+
# representing a domain object
|
1004
|
+
# @param info_class [Integer] The class of information to retrieve
|
1005
|
+
# @return [BinData::Choice] The requested information.
|
1006
|
+
def samr_query_information_domain(domain_handle:, info_class:)
|
1007
|
+
samr_request = SamrQueryInformationDomainRequest.new(
|
1008
|
+
domain_handle: domain_handle,
|
1009
|
+
domain_information_class: info_class
|
1010
|
+
)
|
1011
|
+
response = dcerpc_request(samr_request)
|
1012
|
+
begin
|
1013
|
+
samr_response = SamrQueryInformationDomainResponse.read(response)
|
1014
|
+
rescue IOError
|
1015
|
+
raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading SamrQueryInformationDomainResponse'
|
1016
|
+
end
|
1017
|
+
unless samr_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
|
1018
|
+
raise RubySMB::Dcerpc::Error::SamrError,
|
1019
|
+
"Error returned while querying domain information: "\
|
1020
|
+
"#{WindowsError::NTStatus.find_by_retval(samr_response.error_status.value).join(',')}"
|
1021
|
+
end
|
1022
|
+
samr_response.buffer.buffer
|
1023
|
+
end
|
982
1024
|
end
|
983
1025
|
end
|
984
1026
|
end
|
985
|
-
|
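Review bot: `samr_query_information_domain` rescues only `IOError` around `SamrQueryInformationDomainResponse.read` (lines 1012–1016), but the `choice :buffer` in `SamprDomainInfoBuffer` has no default arm and covers only the twelve `DOMAIN_*_INFORMATION` values defined at lines 144–155, so a reply whose `info_class` is anything else (10 is absent from the list, and a server may echo something unexpected) presumably escapes as a raw BinData selection error rather than `InvalidPacket`; either rescue that failure alongside `IOError` or validate `info_class` against those constants before sending, and say so in the `@param info_class` tag (`one of the DOMAIN_*_INFORMATION constants`). Separately, the `2.2.3.16 DOMAIN_INFORMATION_CLASS Values` comment at line 143 links to the same `6b0dff90-…` page as the `2.2.6.28 USER_INFORMATION_CLASS Values` comment at line 157, which looks copy-pasted; it should point at the 2.2.3.16 section. The enclosing module opens outside the hunk.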
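--- a/data/lib/ruby_smb/dcerpc/winreg/get_key_security_request.rb
+++ b/data/lib/ruby_smb/dcerpc/winreg/get_key_security_request.rb
@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a GetKeySecurity Request Packet as defined in
+      # [3.1.5.13 BaseRegGetKeySecurity (Opnum 12)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/b0e1868c-f4fd-4b43-959f-c0f0cac3ee26)
+      class GetKeySecurityRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        rpc_hkey :hkey
+        uint32 :security_information
+        rpc_security_descriptor :prpc_security_descriptor_in
+
+        def initialize_instance
+          super
+          @opnum = REG_GET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+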
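Review bot: `uint32 :security_information` at line 13 is a plain BinData integer while the other scalars in these packets are NDR types (`ndr_uint32 :error_status` in the matching response), so it gets no NDR alignment; it presumably lands on a 4-byte boundary after the context handle in `rpc_hkey`, but `ndr_uint32 :security_information` would make that explicit and consistent, and the same applies to line 13 of `SetKeySecurityRequest`. The field is the SECURITY_INFORMATION bit mask selecting which parts of the descriptor are read or written, so a field comment such as `# SECURITY_INFORMATION bit mask (see RubySMB::Field::SecurityDescriptor::*_SECURITY_INFORMATION)` would document the contract the client layer relies on. `prpc_security_descriptor_in` carries a `p` prefix but is declared as an `rpc_security_descriptor`; if that type already embeds the pointer semantics, a one-line comment saying so would avoid the double-take.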
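--- a/data/lib/ruby_smb/dcerpc/winreg/get_key_security_response.rb
+++ b/data/lib/ruby_smb/dcerpc/winreg/get_key_security_response.rb
@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a GetKeySecurity Response Packet as defined in
+      # [3.1.5.13 BaseRegGetKeySecurity (Opnum 12)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/b0e1868c-f4fd-4b43-959f-c0f0cac3ee26)
+      class GetKeySecurityResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        rpc_security_descriptor :prpc_security_descriptor_out
+        ndr_uint32 :error_status
+
+        def initialize_instance
+          super
+          @opnum = REG_GET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+
+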
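--- a/data/lib/ruby_smb/dcerpc/winreg/set_key_security_request.rb
+++ b/data/lib/ruby_smb/dcerpc/winreg/set_key_security_request.rb
@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a SetKeySecurity Request Packet as defined in
+      # [3.1.5.21 BaseRegSetKeySecurity (Opnum 21)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/da18856c-8a6d-4217-8e93-3625865e562c)
+      class SetKeySecurityRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        rpc_hkey :hkey
+        uint32 :security_information
+        rpc_security_descriptor :prpc_security_descriptor
+
+        def initialize_instance
+          super
+          @opnum = REG_SET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+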
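--- a/data/lib/ruby_smb/dcerpc/winreg/set_key_security_response.rb
+++ b/data/lib/ruby_smb/dcerpc/winreg/set_key_security_response.rb
@@ -0,0 +1,25 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a SetKeySecurity Response Packet as defined in
+      # [3.1.5.21 BaseRegSetKeySecurity (Opnum 21)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/da18856c-8a6d-4217-8e93-3625865e562c)
+      class SetKeySecurityResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32 :error_status
+
+        def initialize_instance
+          super
+          @opnum = REG_SET_KEY_SECURITY
+        end
+      end
+
+    end
+  end
+end
+
+
+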