RubyGems - ruby_smb - Versions diffs - 3.3.6 → 3.3.8 - Mend

ruby_smb 3.3.6 → 3.3.8

Files changed (48) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69dcf2cf8fa1b0bfe541d6c8fca903fedeb202a779a57ea8f7603122f0ffdd4a
-  data.tar.gz: ea05a9a1c3a6c4120e56b9cd2656b70ffb7aa3f0b857596ae00104236271154c
+  metadata.gz: 25bedacb57d3950d1ee6f3bbf731007c4e1f0bd2b8e3f38582679a5cd867793f
+  data.tar.gz: 1369c85136ad8336371ee55c1f8d90f0e85001b2c0d9e01e46b87e9b382ded16
 SHA512:
-  metadata.gz: 3567cb640cb9221e3bd79adfbb26b9e8a6b2f0baa7b474b61d9fb02e283c72f53148542b5a271263e1c8ea77c9e5c84935123fec5e72c6f2146c8bee563b354f
-  data.tar.gz: 8fe76d29d6d96a63bad52c316909263e6e335819fc0bfcc04e2f5d0783c7c526ebb1b89c2c2b53798eebdcdec66954264d10b99cfdb8cccd5c4c488fba6473ad
+  metadata.gz: 66d3566b68b64d0dc2ff8f58b373d8b6026b4980fcccb4b24c6263f59376373dadbc0b52c531ba5c212b255937d34dd281ce827eec111d0e7ef0b1a6dd5973f1
+  data.tar.gz: 8cee7210c06f8e603342b69706c2779f3e9fef2d46146505154b00bc91d6cc7dbad37735e5e6ae4ac6fac256b0ba6eaf3dda15185c161e992a12bab3b3a91bb1

checksums.yaml.gz.sig CHANGED Viewed

Binary file

data/README.md CHANGED Viewed

@@ -286,6 +286,20 @@ Configure Wireshark in Debian-based systems to be able to capture traffic withou
 - `sudo python setup.py install`
 - `cd examples && python smbclient.py <USER>:<PASS>@<WINDOWS HOST IP>`
+### Microsoft Network Monitor
+In situations where WireShark reports some requests/responses as malformed (not parsed correctly),
+[Microsoft Network Monitor](https://www.microsoft.com/en-us/download/details.aspx?id=4865) can be used instead.
+For example, the `LookupSids` response is not parsed correctly by WireShark, whereas it is by this tool.
+This software can be installed on a Windows machine:
+- Download & install the software
+- Open it
+- Click the `Start` button (or press F5) present at the top bar
+The SMB requests will be present under `All Traffic -> My Traffic -> System (4)`.
 ## License
 `ruby_smb` is released under a 3-clause BSD license. See [LICENSE.txt](LICENSE.txt) for full text.

data/examples/registry_key_security_descriptor.rb ADDED Viewed

@@ -0,0 +1,109 @@
+#!/usr/bin/ruby
+# This example script is used for testing the Winreg registry key security descriptor functionalities.
+# It will attempt to connect to a host and reads (or writes) the security descriptor of a specified registry key.
+#
+# Example usage:
+# - read:
+# ruby examples/read_registry_key_security.rb --username msfadmin --password msfadmin -i 7 -o r 192.168.172.138 'HKLM\SECURITY\Policy\PolEKList'
+# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
+# credentialas and read the security descriptor of the
+# `HKLM\SECURITY\Policy\PolEKList` registry key with the security information 7
+# (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
+# DACL_SECURITY_INFORMATION).
+#
+# - write:
+# ruby examples/read_registry_key_security.rb --username msfadmin --password msfadmin -i 4 --sd 01000480000000000000000000000000140000000200340002000000000214003f000f00010100000000000512000000000218000000060001020000000000052000000020020000 -o w 192.168.172.138 'HKLM\SECURITY\Policy\PolEKList'
+# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
+# credentialas and write the given security descriptor to the
+# `HKLM\SECURITY\Policy\PolEKList` registry key with the security information 4
+# (DACL_SECURITY_INFORMATION).
+require 'bundler/setup'
+require 'optparse'
+require 'ruby_smb'
+OPERATIONS = %w{read write}
+OPERATION_ALIASES = { "r" => "read", "w" => "write" }
+args = ARGV.dup
+options = {
+  domain: '.',
+  username: '',
+  password: '',
+  smbv1: true,
+  smbv2: true,
+  smbv3: true,
+  target: nil,
+  key: nil,
+  operation: 'read',
+  info: RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION | RubySMB::Field::SecurityDescriptor::GROUP_SECURITY_INFORMATION | RubySMB::Field::SecurityDescriptor::DACL_SECURITY_INFORMATION,
+  sd: nil
+}
+options[:key] = args.pop
+options[:target ] = args.pop
+optparser = OptionParser.new do |opts|
+  opts.banner = "Usage: #{File.basename(__FILE__)} [options] target reg_key"
+  opts.on('--[no-]smbv1', "Enable or disable SMBv1 (default: #{options[:smbv1] ? 'Enabled' : 'Disabled'})") do |smbv1|
+    options[:smbv1] = smbv1
+  end
+  opts.on('--[no-]smbv2', "Enable or disable SMBv2 (default: #{options[:smbv2] ? 'Enabled' : 'Disabled'})") do |smbv2|
+    options[:smbv2] = smbv2
+  end
+  opts.on('--[no-]smbv3', "Enable or disable SMBv3 (default: #{options[:smbv3] ? 'Enabled' : 'Disabled'})") do |smbv3|
+    options[:smbv3] = smbv3
+  end
+  opts.on('-u', '--username [USERNAME]', "The account's username (default: #{options[:username]})") do |username|
+    if username.include?('\\')
+      options[:domain], options[:username] = username.split('\\', 2)
+    else
+      options[:username] = username
+    end
+  end
+  opts.on('-p', '--password [PASSWORD]', "The account's password (default: #{options[:password]})") do |password|
+    options[:password] = password
+  end
+  operation_list = (OPERATION_ALIASES.keys + OPERATIONS).join(', ')
+  opts.on('-o', '--operation OPERATION', OPERATIONS, OPERATION_ALIASES, "The operation to perform on the registry key (default: #{options[:operation]})", "(#{operation_list})") do |operation|
+    options[:operation] = operation
+  end
+  opts.on('-i', '--info [SECURITY INFORMATION]', Integer, "The security information value (default: #{options[:info]})") do |password|
+    options[:info] = password
+  end
+  opts.on('-s', '--sd [SECURITY DESCRIPTOR]', "The security descriptor to write as an hex string") do |sd|
+    options[:sd] = sd
+  end
+end
+optparser.parse!(args)
+if options[:target].nil? || options[:key].nil?
+  abort(optparser.help)
+end
+sock = TCPSocket.new options[:target], 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock)
+client = RubySMB::Client.new(dispatcher, smb1: options[:smbv1], smb2: options[:smbv2], smb3: options[:smbv3], username: options[:username], password: options[:password], domain: options[:domain])
+protocol = client.negotiate
+status = client.authenticate
+puts "#{protocol}: #{status}"
+case options[:operation]
+when 'read', 'r'
+  puts "Read registry key #{options[:key]} security descriptor with security information #{options[:info]}"
+  security_descriptor = client.get_key_security_descriptor(options[:target], options[:key], options[:info])
+  puts "Security descriptor: #{security_descriptor.b.bytes.map {|c| "%02x" % c.ord}.join}"
+when 'write', 'w'
+  unless options[:sd] && !options[:sd].empty?
+    puts "Security descriptor missing"
+    abort(optparser.help)
+  end
+  puts "Write security descriptor #{options[:sd]} to registry key #{options[:key]} with security information #{options[:info]}"
+  sd = options[:sd].chars.each_slice(2).map {|c| c.join.to_i(16).chr}.join
+  status = client.set_key_security_descriptor(options[:target], options[:key], sd, options[:info])
+  puts "Success!"
+end
+client.disconnect!

data/lib/ruby_smb/client/winreg.rb CHANGED Viewed

@@ -40,6 +40,18 @@ module RubySMB
         end
       end
+      def get_key_security_descriptor(host, key, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.get_key_security_descriptor(key, security_information)
+        end
+      end
+      def set_key_security_descriptor(host, key, security_descriptor, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.set_key_security_descriptor(key, security_descriptor, security_information)
+        end
+      end
     end
   end
 end

data/lib/ruby_smb/dcerpc/error.rb CHANGED Viewed

@@ -47,6 +47,9 @@ module RubySMB
       # Raised when an error is returned during a Epm operation
       class EpmError < DcerpcError; end
+      # Raised when an error is returned during an LSARPC operation
+      class LsarpcError < DcerpcError; end
       # Raised when an error is returned during a Dfsnm operation
       class DfsnmError < DcerpcError
         include RubySMB::Error::UnexpectedStatusCode::Mixin

data/lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_request.rb ADDED Viewed

@@ -0,0 +1,22 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarClose Request Packet as defined in
+      # [3.1.4.9.4 LsarClose (Opnum 0)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/99dd2d7a-b0fc-4c6d-837a-2b4d342383ae)
+      class LsarCloseHandleRequest < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        def initialize_instance
+          super
+          @opnum = LSAR_CLOSE_HANDLE
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_response.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarClose Response Packet as defined in
+      # [3.1.4.9.4 LsarClose (Opnum 0)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/99dd2d7a-b0fc-4c6d-837a-2b4d342383ae)
+      class LsarCloseHandleResponse < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        ndr_uint32   :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_CLOSE_HANDLE
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_lookup_sids_request.rb ADDED Viewed

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarLookupSids Request Packet as defined in
+      # [3.1.4.11 LsarLookupSids (Opnum 15)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/eb7ac899-e697-4883-93de-1e60c7720c02)
+      class LsarLookupSidsRequest < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle           :policy_handle
+        lsapr_sid_enum_buffer  :sid_enum_buffer
+        lsapr_translated_names :translated_names
+        ndr_uint16             :lookup_level
+        ndr_uint32             :mapped_count
+        def initialize_instance
+          super
+          @opnum = LSAR_LOOKUP_SIDS
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_lookup_sids_response.rb ADDED Viewed

@@ -0,0 +1,25 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarLookupSids Response Packet as defined in
+      # [3.1.4.11 LsarLookupSids (Opnum 15)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/eb7ac899-e697-4883-93de-1e60c7720c02)
+      class LsarLookupSidsResponse < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_referenced_domain_list_ptr :referenced_domains
+        lsapr_translated_names           :translated_names
+        ndr_uint32                       :mapped_count
+        ndr_uint32                       :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_LOOKUP_SIDS
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy2_request.rb ADDED Viewed

@@ -0,0 +1,24 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarOpenPolicy2 Request Packet as defined in
+      # [3.1.4.4.1 LsarOpenPolicy2 (Opnum 44)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/9456a963-7c21-4710-af77-d0a2f5a72d6b)
+      class LsarOpenPolicy2Request < BinData::Record
+        attr_reader :opnum
+        endian :little
+        ndr_wide_stringz_ptr    :system_name
+        lsapr_object_attributes :object_attributes
+        ndr_uint32              :access_mask
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY2
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy2_response.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarOpenPolicy2 Response Packet as defined in
+      # [3.1.4.4.1 LsarOpenPolicy2 (Opnum 44)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/9456a963-7c21-4710-af77-d0a2f5a72d6b)
+      class LsarOpenPolicy2Response < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        ndr_uint32   :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY2
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy_request.rb ADDED Viewed

@@ -0,0 +1,24 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarOpenPolicy Request Packet as defined in
+      # [3.1.4.4.2 LsarOpenPolicy (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/2a482ccf-1f89-4693-8594-855ff738ae8a)
+      class LsarOpenPolicyRequest < BinData::Record
+        attr_reader :opnum
+        endian :little
+        ndr_wide_string_ptr     :system_name
+        lsapr_object_attributes :object_attributes
+        ndr_uint32              :access_mask
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy_response.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarOpenPolicy Response Packet as defined in
+      # [3.1.4.4.2 LsarOpenPolicy (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/2a482ccf-1f89-4693-8594-855ff738ae8a)
+      class LsarOpenPolicyResponse < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        ndr_uint32   :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy2_request.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarQueryInformationPolicy2 Request Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy2 (Opnum 46)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/516f503c-0230-489d-b012-e650b46b66a2)
+      class LsarQueryInformationPolicy2Request < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        ndr_uint32   :information_class
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY2
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy2_response.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarQueryInformationPolicy2 Response Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy2 (Opnum 46)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/516f503c-0230-489d-b012-e650b46b66a2)
+      class LsarQueryInformationPolicy2Response < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_policy_information_ptr :policy_information
+        ndr_uint32                   :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY2
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy_request.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarQueryInformationPolicy Request Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/3564ba70-84ea-4f04-a9dc-dede9f96a8bf)
+      class LsarQueryInformationPolicyRequest < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        ndr_uint32   :information_class
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy_response.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarQueryInformationPolicy Response Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/3564ba70-84ea-4f04-a9dc-dede9f96a8bf)
+      class LsarQueryInformationPolicyResponse < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_policy_information_ptr :policy_information
+        ndr_uint32                   :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY
+        end
+      end
+    end
+  end
+end