ruby_smb 3.3.5 → 3.3.7
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/examples/registry_key_security_descriptor.rb +109 -0
- data/lib/ruby_smb/client/winreg.rb +12 -0
- data/lib/ruby_smb/dcerpc/ndr.rb +16 -6
- data/lib/ruby_smb/dcerpc/request.rb +19 -16
- data/lib/ruby_smb/dcerpc/rrp_rpc_unicode_string.rb +1 -1
- data/lib/ruby_smb/dcerpc/samr/sampr_domain_info_buffer.rb +151 -0
- data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_request.rb +22 -0
- data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_response.rb +23 -0
- data/lib/ruby_smb/dcerpc/samr.rb +42 -1
- data/lib/ruby_smb/dcerpc/winreg/get_key_security_request.rb +26 -0
- data/lib/ruby_smb/dcerpc/winreg/get_key_security_response.rb +26 -0
- data/lib/ruby_smb/dcerpc/winreg/query_value_response.rb +2 -0
- data/lib/ruby_smb/dcerpc/winreg/set_key_security_request.rb +26 -0
- data/lib/ruby_smb/dcerpc/winreg/set_key_security_response.rb +25 -0
- data/lib/ruby_smb/dcerpc/winreg.rb +121 -9
- data/lib/ruby_smb/field/security_descriptor.rb +17 -0
- data/lib/ruby_smb/version.rb +1 -1
- data/spec/lib/ruby_smb/dcerpc/ndr_spec.rb +80 -0
- data/spec/lib/ruby_smb/dcerpc/winreg_spec.rb +267 -18
- data.tar.gz.sig +0 -0
- metadata +10 -2
- metadata.gz.sig +0 -0
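--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 228afeef84601354373c132ceaa48341ed9f5f4bbab4e625c37d2f2d71864146
+data.tar.gz: 71512d0529ba352d0cc0ee7c27a27e03116d50f31801beed3fd04cb19e73f4ff
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3c7dede328c8d637b9088da518649deba6d758a1093e3591bb0cd9e2f4c458a5c5a82a37640aa14523586aa6e83b61d59d4fab21d3fa33739c47d687367cede3
+data.tar.gz: 6c72f0673379264f71a55935dec05f13f195614c9cd8d6f44935687ab028545e233496ad04f4157a07d1f5f74092fac8dd43f69713d2ac1aeeb7006a12c47e21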
checksums.yaml.gz.sig
CHANGED
Binary file
|
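--- a/data/examples/registry_key_security_descriptor.rb
+++ b/data/examples/registry_key_security_descriptor.rb
@@ -0,0 +1,109 @@
+#!/usr/bin/ruby
+
+# This example script is used for testing the Winreg registry key security descriptor functionalities.
+# It will attempt to connect to a host and reads (or writes) the security descriptor of a specified registry key.
+#
+# Example usage:
+# - read:
+# ruby examples/read_registry_key_security.rb --username msfadmin --password msfadmin -i 7 -o r 192.168.172.138 'HKLM\SECURITY\Policy\PolEKList'
+# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
+# credentialas and read the security descriptor of the
+# `HKLM\SECURITY\Policy\PolEKList` registry key with the security information 7
+# (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
+# DACL_SECURITY_INFORMATION).
+#
+# - write:
+# ruby examples/read_registry_key_security.rb --username msfadmin --password msfadmin -i 4 --sd 01000480000000000000000000000000140000000200340002000000000214003f000f00010100000000000512000000000218000000060001020000000000052000000020020000 -o w 192.168.172.138 'HKLM\SECURITY\Policy\PolEKList'
+# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
+# credentialas and write the given security descriptor to the
+# `HKLM\SECURITY\Policy\PolEKList` registry key with the security information 4
+# (DACL_SECURITY_INFORMATION).
+
+require 'bundler/setup'
+require 'optparse'
+require 'ruby_smb'
+
+OPERATIONS = %w{read write}
+OPERATION_ALIASES = { "r" => "read", "w" => "write" }
+
+args = ARGV.dup
+options = {
+domain: '.',
+username: '',
+password: '',
+smbv1: true,
+smbv2: true,
+smbv3: true,
+target: nil,
+key: nil,
+operation: 'read',
+info: RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION | RubySMB::Field::SecurityDescriptor::GROUP_SECURITY_INFORMATION | RubySMB::Field::SecurityDescriptor::DACL_SECURITY_INFORMATION,
+sd: nil
+}
+options[:key] = args.pop
+options[:target ] = args.pop
+optparser = OptionParser.new do |opts|
+opts.banner = "Usage: #{File.basename(__FILE__)} [options] target reg_key"
+opts.on('--[no-]smbv1', "Enable or disable SMBv1 (default: #{options[:smbv1] ? 'Enabled' : 'Disabled'})") do |smbv1|
+options[:smbv1] = smbv1
+end
+opts.on('--[no-]smbv2', "Enable or disable SMBv2 (default: #{options[:smbv2] ? 'Enabled' : 'Disabled'})") do |smbv2|
+options[:smbv2] = smbv2
+end
+opts.on('--[no-]smbv3', "Enable or disable SMBv3 (default: #{options[:smbv3] ? 'Enabled' : 'Disabled'})") do |smbv3|
+options[:smbv3] = smbv3
+end
+opts.on('-u', '--username [USERNAME]', "The account's username (default: #{options[:username]})") do |username|
+if username.include?('\\')
+options[:domain], options[:username] = username.split('\\', 2)
+else
+options[:username] = username
+end
+end
+opts.on('-p', '--password [PASSWORD]', "The account's password (default: #{options[:password]})") do |password|
+options[:password] = password
+end
+operation_list = (OPERATION_ALIASES.keys + OPERATIONS).join(', ')
+opts.on('-o', '--operation OPERATION', OPERATIONS, OPERATION_ALIASES, "The operation to perform on the registry key (default: #{options[:operation]})", "(#{operation_list})") do |operation|
+options[:operation] = operation
+end
+opts.on('-i', '--info [SECURITY INFORMATION]', Integer, "The security information value (default: #{options[:info]})") do |password|
+options[:info] = password
+end
+opts.on('-s', '--sd [SECURITY DESCRIPTOR]', "The security descriptor to write as an hex string") do |sd|
+options[:sd] = sd
+end
+end
+optparser.parse!(args)
+
+if options[:target].nil? || options[:key].nil?
+abort(optparser.help)
+end
+
+sock = TCPSocket.new options[:target], 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock)
+
+client = RubySMB::Client.new(dispatcher, smb1: options[:smbv1], smb2: options[:smbv2], smb3: options[:smbv3], username: options[:username], password: options[:password], domain: options[:domain])
+protocol = client.negotiate
+status = client.authenticate
+
+puts "#{protocol}: #{status}"
+
+case options[:operation]
+when 'read', 'r'
+puts "Read registry key #{options[:key]} security descriptor with security information #{options[:info]}"
+security_descriptor = client.get_key_security_descriptor(options[:target], options[:key], options[:info])
+puts "Security descriptor: #{security_descriptor.b.bytes.map {|c| "%02x" % c.ord}.join}"
+when 'write', 'w'
+unless options[:sd] && !options[:sd].empty?
+puts "Security descriptor missing"
+abort(optparser.help)
+end
+puts "Write security descriptor #{options[:sd]} to registry key #{options[:key]} with security information #{options[:info]}"
+sd = options[:sd].chars.each_slice(2).map {|c| c.join.to_i(16).chr}.join
+status = client.set_key_security_descriptor(options[:target], options[:key], sd, options[:info])
+puts "Success!"
+end
+
+client.disconnect!
+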
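Review bot: The `--sd` value is decoded at line 103 with `c.join.to_i(16).chr`, which accepts anything: `String#to_i(16)` maps a non-hex pair to 0 and an odd-length string silently drops its last nibble, so a typo sends a corrupt descriptor to a key as sensitive as `HKLM\SECURITY\Policy\PolEKList`. Validate first and use the standard decoder: `abort('--sd must be an even-length hex string') unless options[:sd].match?(/\A(?:\h\h)+\z/)` followed by `sd = [options[:sd]].pack('H*')`. The `authenticate` result at line 88 is only printed, so a failed logon still proceeds to the winreg call; aborting unless the status is success (presumably compared against `WindowsError::NTStatus::STATUS_SUCCESS`, as `samr.rb` does) would fail early with a clear message. Smaller points: the `-i` block parameter at line 70 is named `password`, and the usage comments at lines 8 and 16 reference `examples/read_registry_key_security.rb` rather than this file's name.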
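--- a/data/lib/ruby_smb/client/winreg.rb
+++ b/data/lib/ruby_smb/client/winreg.rb
@@ -40,6 +40,18 @@ module RubySMB
 end
 end
 
+def get_key_security_descriptor(host, key, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+connect_to_winreg(host) do |named_pipe|
+named_pipe.get_key_security_descriptor(key, security_information)
+end
+end
+
+def set_key_security_descriptor(host, key, security_descriptor, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+connect_to_winreg(host) do |named_pipe|
+named_pipe.set_key_security_descriptor(key, security_descriptor, security_information)
+end
+end
+
 end
 end
 end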
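Review bot: Both new public methods lack YARD documentation, and `security_information` — a bitmask of `RubySMB::Field::SecurityDescriptor::*_SECURITY_INFORMATION` flags — is not self-explanatory; above `get_key_security_descriptor` I would add `# Retrieve the security descriptor of a registry key on the remote host.` and `# @param security_information [Integer] bitmask of OWNER/GROUP/DACL/SACL_SECURITY_INFORMATION flags selecting which parts to fetch`, and mirror it for the setter. The OWNER-only default on `set_key_security_descriptor` at line 49 also deserves a sentence: a caller who passes a DACL-only descriptor (the case the bundled example exercises with `-i 4`) but omits the flag would presumably be asking the server to replace the owner, so the docstring should state that the flags must match the parts present in `security_descriptor`. Both methods defer to `named_pipe.get_key_security_descriptor`/`set_key_security_descriptor` in `dcerpc/winreg.rb`, outside this section, so the wire-level handling cannot be checked here.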
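--- a/data/lib/ruby_smb/dcerpc/ndr.rb
+++ b/data/lib/ruby_smb/dcerpc/ndr.rb
@@ -66,12 +66,16 @@ module RubySMB::Dcerpc::Ndr
 end
 
 # [Integers](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_02_05)
-# This will define the
+# This will define the eight Integers accepted by the NDR protocol:
+# - NdrInt8
 # - NdrUint8
+# - NdrInt16
 # - NdrUint16
+# - NdrInt32
 # - NdrUint32
+# - NdrInt64
 # - NdrUint64
-{Uint8: 1, Uint16le: 2, Uint32le: 4, Uint64le: 8}.each do |klass, nb_bytes|
+{Int8: 1, Uint8: 1, Int16le: 2, Uint16le: 2, Int32le: 4, Uint32le: 4, Int64le: 8, Uint64le: 8}.each do |klass, nb_bytes|
 new_klass_name = "Ndr#{klass.to_s.chomp('le')}"
 unless self.const_defined?(new_klass_name)
 new_klass = Class.new(BinData.const_get(klass)) do
@@ -563,8 +567,11 @@ module RubySMB::Dcerpc::Ndr
 def get_max_count(val)
 if is_a?(BinData::Stringz)
 max_count = val.to_s.strip.length
-#
-
+# Add one to count the terminator. According to
+# https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02,
+# the NDR String must contain at least one element, the terminator. So,
+# add one even if it is an empty string.
+max_count += 1
 return max_count
 else
 return val.to_s.length
@@ -618,8 +625,11 @@ module RubySMB::Dcerpc::Ndr
 def update_actual_count(val)
 if is_a?(BinData::Stringz)
 @actual_count = val.to_s.strip.length
-#
-
+# Add one to count the terminator. According to
+# https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04,
+# the NDR String must contain at least one element, the terminator. So,
+# add one even if it is an empty string.
+@actual_count += 1
 else
 @actual_count = val.to_s.length
 end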
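Review bot: The terminator fix at lines 574 and 632 is built on `val.to_s.strip.length` (lines 569 and 627), and `String#strip` removes spaces, tabs and newlines as well as the trailing NUL it is presumably there to drop, so a Stringz whose value begins or ends with whitespace gets a max/actual count smaller than the characters actually serialized. If the intent is only to exclude the terminator, `val.to_s.delete_suffix("\0").length + 1` does that without touching other characters; the `strip` predates this commit, but the new `+ 1` makes the count load-bearing. The two methods now carry an identical five-line comment and computation, and the two copies already cite different anchors (`tagcjh_19_03_04_02` versus `tagcjh_19_03_04`); a small private helper such as `def stringz_element_count(val); val.to_s.strip.length + 1; end` called from both would keep them from drifting. The bodies of `get_max_count` and `update_actual_count` continue past the hunks.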
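--- a/data/lib/ruby_smb/dcerpc/request.rb
+++ b/data/lib/ruby_smb/dcerpc/request.rb
@@ -18,22 +18,24 @@ module RubySMB
 choice :stub, label: 'Stub', selection: -> { @obj.parent.get_parameter(:endpoint) || '' } do
 string 'Encrypted'
 choice 'Winreg', selection: -> { opnum } do
-open_root_key_request
-open_root_key_request
-open_root_key_request
-open_root_key_request
-open_root_key_request
-open_root_key_request
-open_root_key_request
-open_root_key_request
-close_key_request
-enum_key_request
-enum_value_request
-open_key_request
-query_info_key_request
-query_value_request
-create_key_request
-save_key_request
+open_root_key_request Winreg::OPEN_HKCR, opnum: Winreg::OPEN_HKCR
+open_root_key_request Winreg::OPEN_HKCU, opnum: Winreg::OPEN_HKCU
+open_root_key_request Winreg::OPEN_HKLM, opnum: Winreg::OPEN_HKLM
+open_root_key_request Winreg::OPEN_HKPD, opnum: Winreg::OPEN_HKPD
+open_root_key_request Winreg::OPEN_HKU, opnum: Winreg::OPEN_HKU
+open_root_key_request Winreg::OPEN_HKCC, opnum: Winreg::OPEN_HKCC
+open_root_key_request Winreg::OPEN_HKPT, opnum: Winreg::OPEN_HKPT
+open_root_key_request Winreg::OPEN_HKPN, opnum: Winreg::OPEN_HKPN
+close_key_request Winreg::REG_CLOSE_KEY
+enum_key_request Winreg::REG_ENUM_KEY
+enum_value_request Winreg::REG_ENUM_VALUE
+open_key_request Winreg::REG_OPEN_KEY
+query_info_key_request Winreg::REG_QUERY_INFO_KEY
+query_value_request Winreg::REG_QUERY_VALUE
+create_key_request Winreg::REG_CREATE_KEY
+save_key_request Winreg::REG_SAVE_KEY
+get_key_security_request Winreg::REG_GET_KEY_SECURITY
+set_key_security_request Winreg::REG_SET_KEY_SECURITY
 string :default
 end
 choice 'Netlogon', selection: -> { opnum } do
@@ -74,6 +76,7 @@ module RubySMB
 samr_create_user2_in_domain_request Samr::SAMR_CREATE_USER2_IN_DOMAIN
 samr_set_information_user2_request Samr::SAMR_SET_INFORMATION_USER2
 samr_delete_user_request Samr::SAMR_DELETE_USER
+samr_query_information_domain_request Samr::SAMR_QUERY_INFORMATION_DOMAIN
 string :default
 end
 choice 'Wkssvc', selection: -> { opnum } do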
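--- a/data/lib/ruby_smb/dcerpc/rrp_rpc_unicode_string.rb
+++ b/data/lib/ruby_smb/dcerpc/rrp_rpc_unicode_string.rb
@@ -20,7 +20,7 @@ module RubySMB
 when BinData::Stringz, BinData::String, String
 self.buffer = val.to_s
 val_length = val.strip.length
-val_length += 1
+val_length += 1
 self.buffer_length = val_length * 2
 self.maximum_length = val_length * 2
 else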
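--- a/data/lib/ruby_smb/dcerpc/samr/sampr_domain_info_buffer.rb
+++ b/data/lib/ruby_smb/dcerpc/samr/sampr_domain_info_buffer.rb
@@ -0,0 +1,151 @@
+module RubySMB
+module Dcerpc
+module Samr
+# [2.2.3.5 DOMAIN_PASSWORD_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/0ae356d8-c220-4706-846e-ebbdc6fabdcb)
+class SamprDomainPasswordInformation < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+ndr_uint16 :min_password_length
+ndr_uint16 :password_history_length
+ndr_uint32 :password_properties
+ndr_int64 :max_password_age
+ndr_int64 :min_password_age
+end
+
+# [2.2.3.12 SAMPR_DOMAIN_OEM_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/7cbb7ff0-e593-440d-8341-a3435195cdf1)
+class SamprDomainOemInformation < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+rpc_unicode_string :oem_information
+end
+
+# [2.2.3.7 DOMAIN_SERVER_ROLE_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/cb0e586a-29c8-49b2-8ced-c273a7476c22)
+class SamprDomainServerRoleInformation < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+ndr_uint16 :domain_server_role
+end
+
+# [2.2.3.15 SAMPR_DOMAIN_LOCKOUT_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/c9d789ed-c54a-4450-be56-251e627e1f52)
+class SamprDomainLockoutInformation < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+ndr_uint64 :lockout_duration
+ndr_uint64 :lockout_observation_window
+ndr_uint16 :lockout_threshold
+end
+
+# [2.2.3.10 SAMPR_DOMAIN_GENERAL_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/85973e1c-96f2-4c80-8135-b24d74ad7794)
+class SamprDomainGeneralInformation < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+ndr_int64 :force_logoff
+rpc_unicode_string :oem_information
+rpc_unicode_string :domain_name
+rpc_unicode_string :replica_source_node_name
+ndr_int64 :domain_modified_count
+ndr_uint32 :domain_server_state
+ndr_uint32 :domain_server_role
+ndr_uint8 :uas_compatibility_required
+ndr_uint32 :user_count
+ndr_uint32 :group_count
+ndr_uint32 :alias_count
+end
+
+# [2.2.3.6 DOMAIN_LOGOFF_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6fb0bbea-888c-4353-b5f8-75e7862344be)
+class SamprDomainLogoffInformation < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+ndr_int64 :force_logoff
+end
+
+# [2.2.3.13 SAMPR_DOMAIN_NAME_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5131d2c0-04c7-4c1b-8fd5-0b0b6cfa6c24)
+class SamprDomainNameInformation < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+rpc_unicode_string :domain_name
+end
+
+# [2.2.3.8 DOMAIN_MODIFIED_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e1da9680-8968-423b-98c0-fbdcf1535ef9)
+class SamprDomainModifiedInformation < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+ndr_int64 :domain_modified_count
+ndr_int64 :creation_time
+end
+
+# [2.2.3.9 DOMAIN_MODIFIED_INFORMATION2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/47eea81b-5fee-4925-b5c1-fc594dcc8dff)
+class SamprDomainModifiedInformation2 < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+ndr_int64 :domain_modified_count
+ndr_int64 :creation_time
+ndr_int64 :modified_count_at_last_promotion
+end
+
+# [2.2.3.3 DOMAIN_STATE_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/f224edcf-8d4e-4294-b0c3-b0eda384c402)
+class SamprDomainStateInformation < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+ndr_uint16 :domain_server_state
+end
+
+# [2.2.3.11 SAMPR_DOMAIN_GENERAL_INFORMATION2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/9a663cf2-0923-4959-b2c5-2e25c19735ff)
+class SamprDomainGeneralInformation2 < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+sampr_domain_general_information :i1
+ndr_uint64 :lockout_duration
+ndr_uint64 :lockout_observation_window
+ndr_uint16 :lockout_threshold
+end
+
+# [2.2.3.14 SAMPR_DOMAIN_REPLICATION_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/c9293797-e11d-4098-be12-bf9e1de91f20)
+class SamprDomainReplicationInformation < Ndr::NdrStruct
+default_parameters byte_align: 4
+endian :little
+
+rpc_unicode_string :replica_node_name
+end
+
+# [2.2.3.17 SAMPR_DOMAIN_INFO_BUFFER](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/1adc2142-dbb8-4554-aa24-010c713698bf)
+class SamprDomainInfoBuffer < BinData::Record
+default_parameters byte_align: 4
+endian :little
+
+uint16 :info_class
+skip length: 2
+
+choice :buffer, selection: :info_class do
+sampr_domain_password_information DOMAIN_PASSWORD_INFORMATION
+sampr_domain_oem_information DOMAIN_OEM_INFORMATION
+sampr_domain_server_role_information DOMAIN_SERVER_ROLE_INFORMATION
+sampr_domain_lockout_information DOMAIN_LOCKOUT_INFORMATION
+sampr_domain_logoff_information DOMAIN_LOGOFF_INFORMATION
+sampr_domain_general_information DOMAIN_GENERAL_INFORMATION
+sampr_domain_name_information DOMAIN_NAME_INFORMATION
+sampr_domain_modified_information DOMAIN_MODIFIED_INFORMATION
+sampr_domain_modified_information2 DOMAIN_MODIFIED_INFORMATION2
+sampr_domain_state_information DOMAIN_STATE_INFORMATION
+sampr_domain_general_information2 DOMAIN_GENERAL_INFORMATION2
+sampr_domain_replication_information DOMAIN_REPLICATION_INFORMATION
+end
+end
+
+class PsamprDomainInfoBuffer < SamprDomainInfoBuffer
+extend Ndr::PointerClassPlugin
+end
+end
+end
+end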
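Review bot: `SamprDomainLockoutInformation` maps `lockout_duration` and `lockout_observation_window` (lines 37–38, repeated at lines 109–110 in `SamprDomainGeneralInformation2`) to `ndr_uint64`, while `SamprDomainPasswordInformation` maps `max_password_age`/`min_password_age` (lines 12–13) to `ndr_int64`; as far as I read MS-SAMR 2.2.3.15 and 2.2.3.5 (to be confirmed against the spec), all four are the same `OLD_LARGE_INTEGER` delta-time type, which Windows stores as a negative count of 100 ns ticks, so a 30-minute lockout would read back as a value near 2^64 rather than -18000000000. If that is right, lines 37–38 and 109–110 should become `ndr_int64 :lockout_duration` / `ndr_int64 :lockout_observation_window` for consistency with the password struct. The diffstat lists new specs for ndr and winreg only; a round-trip spec for `SamprDomainInfoBuffer` with a negative duration would pin the sign and the `skip length: 2` padding at line 128.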
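--- a/data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_request.rb
+++ b/data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_request.rb
@@ -0,0 +1,22 @@
+module RubySMB
+module Dcerpc
+module Samr
+
+# [3.1.5.5.2 SamrQueryInformationDomain (Opnum 8)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5d6a2817-caa9-41ca-a269-fd13ecbb4fa8)
+class SamrQueryInformationDomainRequest < BinData::Record
+attr_reader :opnum
+
+endian :little
+
+sampr_handle :domain_handle
+ndr_uint16 :domain_information_class
+
+def initialize_instance
+super
+@opnum = SAMR_QUERY_INFORMATION_DOMAIN
+end
+end
+
+end
+end
+end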
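--- a/data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_response.rb
+++ b/data/lib/ruby_smb/dcerpc/samr/samr_query_information_domain_response.rb
@@ -0,0 +1,23 @@
+module RubySMB
+module Dcerpc
+module Samr
+
+# [3.1.5.5.2 SamrQueryInformationDomain (Opnum 8)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5d6a2817-caa9-41ca-a269-fd13ecbb4fa8)
+class SamrQueryInformationDomainResponse < BinData::Record
+attr_reader :opnum
+
+endian :little
+
+psampr_domain_info_buffer :buffer
+ndr_uint32 :error_status
+
+def initialize_instance
+super
+@opnum = SAMR_QUERY_INFORMATION_DOMAIN
+end
+end
+
+end
+end
+end
+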
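--- a/data/lib/ruby_smb/dcerpc/samr.rb
+++ b/data/lib/ruby_smb/dcerpc/samr.rb
@@ -16,6 +16,7 @@ module RubySMB
 SAMR_LOOKUP_DOMAIN_IN_SAM_SERVER = 0x0005
 SAMR_ENUMERATE_DOMAINS_IN_SAM_SERVER = 0x0006
 SAMR_OPEN_DOMAIN = 0x0007
+SAMR_QUERY_INFORMATION_DOMAIN = 0x0008
 SAMR_ENUMERATE_USERS_IN_DOMAIN = 0x000D
 SAMR_GET_ALIAS_MEMBERSHIP = 0x0010
 SAMR_LOOKUP_NAMES_IN_DOMAIN = 0x0011
@@ -139,6 +140,20 @@ module RubySMB
 USER_ALL_SECURITYDESCRIPTOR = 0x10000000
 USER_ALL_UNDEFINED_MASK = 0xC0000000
 
+# [2.2.3.16 DOMAIN_INFORMATION_CLASS Values](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6)
+DOMAIN_PASSWORD_INFORMATION = 1
+DOMAIN_GENERAL_INFORMATION = 2
+DOMAIN_LOGOFF_INFORMATION = 3
+DOMAIN_OEM_INFORMATION = 4
+DOMAIN_NAME_INFORMATION = 5
+DOMAIN_REPLICATION_INFORMATION = 6
+DOMAIN_SERVER_ROLE_INFORMATION = 7
+DOMAIN_MODIFIED_INFORMATION = 8
+DOMAIN_STATE_INFORMATION = 9
+DOMAIN_GENERAL_INFORMATION2 = 11
+DOMAIN_LOCKOUT_INFORMATION = 12
+DOMAIN_MODIFIED_INFORMATION2 = 13
+
 # [2.2.6.28 USER_INFORMATION_CLASS Values](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6)
 USER_GENERAL_INFORMATION = 1
 USER_PREFERENCES_INFORMATION = 2
@@ -474,6 +489,7 @@ module RubySMB
 end
 
 require 'ruby_smb/dcerpc/samr/rpc_sid'
+require 'ruby_smb/dcerpc/samr/sampr_domain_info_buffer'
 
 require 'ruby_smb/dcerpc/samr/samr_connect_request'
 require 'ruby_smb/dcerpc/samr/samr_connect_response'
@@ -503,6 +519,8 @@ module RubySMB
 require 'ruby_smb/dcerpc/samr/samr_set_information_user2_response'
 require 'ruby_smb/dcerpc/samr/samr_delete_user_request'
 require 'ruby_smb/dcerpc/samr/samr_delete_user_response'
+require 'ruby_smb/dcerpc/samr/samr_query_information_domain_request'
+require 'ruby_smb/dcerpc/samr/samr_query_information_domain_response'
 
 # Returns a handle to a server object.
 #
@@ -979,7 +997,30 @@ module RubySMB
 samr_get_groups_for_user_reponse.groups.groups.to_ary
 end
 
+# Returns domain information.
+#
+# @param domain_handle [RubySMB::Dcerpc::Samr::SamprHandle] An RPC context
+# representing a domain object
+# @param info_class [Integer] The class of information to retrieve
+# @return [BinData::Choice] The requested information.
+def samr_query_information_domain(domain_handle:, info_class:)
+samr_request = SamrQueryInformationDomainRequest.new(
+domain_handle: domain_handle,
+domain_information_class: info_class
+)
+response = dcerpc_request(samr_request)
+begin
+samr_response = SamrQueryInformationDomainResponse.read(response)
+rescue IOError
+raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading SamrQueryInformationDomainResponse'
+end
+unless samr_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+raise RubySMB::Dcerpc::Error::SamrError,
+"Error returned while querying domain information: "\
+"#{WindowsError::NTStatus.find_by_retval(samr_response.error_status.value).join(',')}"
+end
+samr_response.buffer.buffer
+end
 end
 end
 end
-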
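Review bot: The `DOMAIN_INFORMATION_CLASS` comment at line 143 links to the same URL as the `USER_INFORMATION_CLASS` comment at line 157 (`.../ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6`), which cannot be right for two different sections (2.2.3.16 versus 2.2.6.28); the link was evidently copied and should point at the 2.2.3.16 page. The `samr_query_information_domain` docstring should also record its failure modes, e.g. `# @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response cannot be parsed` and `# @raise [RubySMB::Dcerpc::Error::SamrError] if the server returns a non-success status`, and say that `info_class` is one of the `DOMAIN_*_INFORMATION` constants defined above, since an unlisted value will presumably fail inside the response's `choice` with an error that does not name the class. Returning `samr_response.buffer.buffer` hands the caller the selected union arm, so `@return` would be more useful naming the `Sampr*Information` structs than `BinData::Choice`.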
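--- a/data/lib/ruby_smb/dcerpc/winreg/get_key_security_request.rb
+++ b/data/lib/ruby_smb/dcerpc/winreg/get_key_security_request.rb
@@ -0,0 +1,26 @@
+module RubySMB
+module Dcerpc
+module Winreg
+
+# This class represents a GetKeySecurity Request Packet as defined in
+# [3.1.5.13 BaseRegGetKeySecurity (Opnum 12)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/b0e1868c-f4fd-4b43-959f-c0f0cac3ee26)
+class GetKeySecurityRequest < BinData::Record
+attr_reader :opnum
+
+endian :little
+
+rpc_hkey :hkey
+uint32 :security_information
+rpc_security_descriptor :prpc_security_descriptor_in
+
+def initialize_instance
+super
+@opnum = REG_GET_KEY_SECURITY
+end
+end
+
+end
+end
+end
+
+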
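Review bot: `security_information` is declared as a plain `uint32` at line 13 whereas the response side and the other new packets use NDR types (`ndr_uint32 :error_status`); MS-RRP marshals `SECURITY_INFORMATION` as a 4-byte NDR integer, and with the context handle in `rpc_hkey` (presumably 20 bytes) ahead of it the raw field lands 4-aligned anyway, but `ndr_uint32 :security_information` would make the alignment explicit rather than accidental. `prpc_security_descriptor_in` is the `[in]` descriptor whose buffer length bounds the size the server may return (the spec's ERROR_INSUFFICIENT_BUFFER case); nothing in this packet sizes it, so that responsibility presumably sits with the caller in `dcerpc/winreg.rb`, outside this excerpt, and deserves a comment above line 14 such as `# [in] descriptor: its cb_in_security_descriptor bounds what the server may return; the caller must size it`.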
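--- a/data/lib/ruby_smb/dcerpc/winreg/get_key_security_response.rb
+++ b/data/lib/ruby_smb/dcerpc/winreg/get_key_security_response.rb
@@ -0,0 +1,26 @@
+module RubySMB
+module Dcerpc
+module Winreg
+
+# This class represents a GetKeySecurity Response Packet as defined in
+# [3.1.5.13 BaseRegGetKeySecurity (Opnum 12)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/b0e1868c-f4fd-4b43-959f-c0f0cac3ee26)
+class GetKeySecurityResponse < BinData::Record
+attr_reader :opnum
+
+endian :little
+
+rpc_security_descriptor :prpc_security_descriptor_out
+ndr_uint32 :error_status
+
+def initialize_instance
+super
+@opnum = REG_GET_KEY_SECURITY
+end
+end
+
+end
+end
+end
+
+
+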
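--- a/data/lib/ruby_smb/dcerpc/winreg/set_key_security_request.rb
+++ b/data/lib/ruby_smb/dcerpc/winreg/set_key_security_request.rb
@@ -0,0 +1,26 @@
+module RubySMB
+module Dcerpc
+module Winreg
+
+# This class represents a SetKeySecurity Request Packet as defined in
+# [3.1.5.21 BaseRegSetKeySecurity (Opnum 21)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/da18856c-8a6d-4217-8e93-3625865e562c)
+class SetKeySecurityRequest < BinData::Record
+attr_reader :opnum
+
+endian :little
+
+rpc_hkey :hkey
+uint32 :security_information
+rpc_security_descriptor :prpc_security_descriptor
+
+def initialize_instance
+super
+@opnum = REG_SET_KEY_SECURITY
+end
+end
+
+end
+end
+end
+
+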
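Review bot: The request carries no documentation of what `security_information` (line 13) selects: as I read MS-RRP it is the bitmask telling the server which parts of `prpc_security_descriptor` (owner, group, DACL, SACL) to apply, and unflagged parts are left untouched even if the descriptor carries them, which is exactly what a caller needs to know before overwriting the ACL on a key. I would add above line 13 `# Bitmask of SecurityDescriptor::*_SECURITY_INFORMATION flags; only the flagged parts of prpc_security_descriptor are written`, and, as in the get-request, declare it `ndr_uint32` rather than the raw `uint32` the sibling packets avoid. Writing the SACL part needs SeSecurityPrivilege on the target, so a one-line note that a SACL request surfaces only as an access-denied status would save callers a debugging round.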
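--- a/data/lib/ruby_smb/dcerpc/winreg/set_key_security_response.rb
+++ b/data/lib/ruby_smb/dcerpc/winreg/set_key_security_response.rb
@@ -0,0 +1,25 @@
+module RubySMB
+module Dcerpc
+module Winreg
+
+# This class represents a SetKeySecurity Response Packet as defined in
+# [3.1.5.21 BaseRegSetKeySecurity (Opnum 21)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/da18856c-8a6d-4217-8e93-3625865e562c)
+class SetKeySecurityResponse < BinData::Record
+attr_reader :opnum
+
+endian :little
+
+ndr_uint32 :error_status
+
+def initialize_instance
+super
+@opnum = REG_SET_KEY_SECURITY
+end
+end
+
+end
+end
+end
+
+
+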