RubyGems - ruby_smb - Versions diffs - 3.3.6 → 3.3.8 - Mend

ruby_smb 3.3.6 → 3.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69dcf2cf8fa1b0bfe541d6c8fca903fedeb202a779a57ea8f7603122f0ffdd4a
-  data.tar.gz: ea05a9a1c3a6c4120e56b9cd2656b70ffb7aa3f0b857596ae00104236271154c
+  metadata.gz: 25bedacb57d3950d1ee6f3bbf731007c4e1f0bd2b8e3f38582679a5cd867793f
+  data.tar.gz: 1369c85136ad8336371ee55c1f8d90f0e85001b2c0d9e01e46b87e9b382ded16
 SHA512:
-  metadata.gz: 3567cb640cb9221e3bd79adfbb26b9e8a6b2f0baa7b474b61d9fb02e283c72f53148542b5a271263e1c8ea77c9e5c84935123fec5e72c6f2146c8bee563b354f
-  data.tar.gz: 8fe76d29d6d96a63bad52c316909263e6e335819fc0bfcc04e2f5d0783c7c526ebb1b89c2c2b53798eebdcdec66954264d10b99cfdb8cccd5c4c488fba6473ad
+  metadata.gz: 66d3566b68b64d0dc2ff8f58b373d8b6026b4980fcccb4b24c6263f59376373dadbc0b52c531ba5c212b255937d34dd281ce827eec111d0e7ef0b1a6dd5973f1
+  data.tar.gz: 8cee7210c06f8e603342b69706c2779f3e9fef2d46146505154b00bc91d6cc7dbad37735e5e6ae4ac6fac256b0ba6eaf3dda15185c161e992a12bab3b3a91bb1

checksums.yaml.gz.sig CHANGED Viewed

Binary file

data/README.md CHANGED Viewed

@@ -286,6 +286,20 @@ Configure Wireshark in Debian-based systems to be able to capture traffic withou
 - `sudo python setup.py install`
 - `cd examples && python smbclient.py <USER>:<PASS>@<WINDOWS HOST IP>`
+### Microsoft Network Monitor
+In situations where WireShark reports some requests/responses as malformed (not parsed correctly),
+[Microsoft Network Monitor](https://www.microsoft.com/en-us/download/details.aspx?id=4865) can be used instead.
+For example, the `LookupSids` response is not parsed correctly by WireShark, whereas it is by this tool.
+This software can be installed on a Windows machine:
+- Download & install the software
+- Open it
+- Click the `Start` button (or press F5) present at the top bar
+The SMB requests will be present under `All Traffic -> My Traffic -> System (4)`.
 ## License
 `ruby_smb` is released under a 3-clause BSD license. See [LICENSE.txt](LICENSE.txt) for full text.

data/examples/registry_key_security_descriptor.rb ADDED Viewed

@@ -0,0 +1,109 @@
+#!/usr/bin/ruby
+# This example script is used for testing the Winreg registry key security descriptor functionalities.
+# It will attempt to connect to a host and reads (or writes) the security descriptor of a specified registry key.
+#
+# Example usage:
+# - read:
+# ruby examples/read_registry_key_security.rb --username msfadmin --password msfadmin -i 7 -o r 192.168.172.138 'HKLM\SECURITY\Policy\PolEKList'
+# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
+# credentialas and read the security descriptor of the
+# `HKLM\SECURITY\Policy\PolEKList` registry key with the security information 7
+# (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
+# DACL_SECURITY_INFORMATION).
+#
+# - write:
+# ruby examples/read_registry_key_security.rb --username msfadmin --password msfadmin -i 4 --sd 01000480000000000000000000000000140000000200340002000000000214003f000f00010100000000000512000000000218000000060001020000000000052000000020020000 -o w 192.168.172.138 'HKLM\SECURITY\Policy\PolEKList'
+# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
+# credentialas and write the given security descriptor to the
+# `HKLM\SECURITY\Policy\PolEKList` registry key with the security information 4
+# (DACL_SECURITY_INFORMATION).
+require 'bundler/setup'
+require 'optparse'
+require 'ruby_smb'
+OPERATIONS = %w{read write}
+OPERATION_ALIASES = { "r" => "read", "w" => "write" }
+args = ARGV.dup
+options = {
+  domain: '.',
+  username: '',
+  password: '',
+  smbv1: true,
+  smbv2: true,
+  smbv3: true,
+  target: nil,
+  key: nil,
+  operation: 'read',
+  info: RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION | RubySMB::Field::SecurityDescriptor::GROUP_SECURITY_INFORMATION | RubySMB::Field::SecurityDescriptor::DACL_SECURITY_INFORMATION,
+  sd: nil
+}
+options[:key] = args.pop
+options[:target ] = args.pop
+optparser = OptionParser.new do |opts|
+  opts.banner = "Usage: #{File.basename(__FILE__)} [options] target reg_key"
+  opts.on('--[no-]smbv1', "Enable or disable SMBv1 (default: #{options[:smbv1] ? 'Enabled' : 'Disabled'})") do |smbv1|
+    options[:smbv1] = smbv1
+  end
+  opts.on('--[no-]smbv2', "Enable or disable SMBv2 (default: #{options[:smbv2] ? 'Enabled' : 'Disabled'})") do |smbv2|
+    options[:smbv2] = smbv2
+  end
+  opts.on('--[no-]smbv3', "Enable or disable SMBv3 (default: #{options[:smbv3] ? 'Enabled' : 'Disabled'})") do |smbv3|
+    options[:smbv3] = smbv3
+  end
+  opts.on('-u', '--username [USERNAME]', "The account's username (default: #{options[:username]})") do |username|
+    if username.include?('\\')
+      options[:domain], options[:username] = username.split('\\', 2)
+    else
+      options[:username] = username
+    end
+  end
+  opts.on('-p', '--password [PASSWORD]', "The account's password (default: #{options[:password]})") do |password|
+    options[:password] = password
+  end
+  operation_list = (OPERATION_ALIASES.keys + OPERATIONS).join(', ')
+  opts.on('-o', '--operation OPERATION', OPERATIONS, OPERATION_ALIASES, "The operation to perform on the registry key (default: #{options[:operation]})", "(#{operation_list})") do |operation|
+    options[:operation] = operation
+  end
+  opts.on('-i', '--info [SECURITY INFORMATION]', Integer, "The security information value (default: #{options[:info]})") do |password|
+    options[:info] = password
+  end
+  opts.on('-s', '--sd [SECURITY DESCRIPTOR]', "The security descriptor to write as an hex string") do |sd|
+    options[:sd] = sd
+  end
+end
+optparser.parse!(args)
+if options[:target].nil? || options[:key].nil?
+  abort(optparser.help)
+end
+sock = TCPSocket.new options[:target], 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock)
+client = RubySMB::Client.new(dispatcher, smb1: options[:smbv1], smb2: options[:smbv2], smb3: options[:smbv3], username: options[:username], password: options[:password], domain: options[:domain])
+protocol = client.negotiate
+status = client.authenticate
+puts "#{protocol}: #{status}"
+case options[:operation]
+when 'read', 'r'
+  puts "Read registry key #{options[:key]} security descriptor with security information #{options[:info]}"
+  security_descriptor = client.get_key_security_descriptor(options[:target], options[:key], options[:info])
+  puts "Security descriptor: #{security_descriptor.b.bytes.map {|c| "%02x" % c.ord}.join}"
+when 'write', 'w'
+  unless options[:sd] && !options[:sd].empty?
+    puts "Security descriptor missing"
+    abort(optparser.help)
+  end
+  puts "Write security descriptor #{options[:sd]} to registry key #{options[:key]} with security information #{options[:info]}"
+  sd = options[:sd].chars.each_slice(2).map {|c| c.join.to_i(16).chr}.join
+  status = client.set_key_security_descriptor(options[:target], options[:key], sd, options[:info])
+  puts "Success!"
+end
+client.disconnect!

data/lib/ruby_smb/client/winreg.rb CHANGED Viewed

@@ -40,6 +40,18 @@ module RubySMB
         end
       end
+      def get_key_security_descriptor(host, key, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.get_key_security_descriptor(key, security_information)
+        end
+      end
+      def set_key_security_descriptor(host, key, security_descriptor, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        connect_to_winreg(host) do |named_pipe|
+          named_pipe.set_key_security_descriptor(key, security_descriptor, security_information)
+        end
+      end
     end
   end
 end

data/lib/ruby_smb/dcerpc/error.rb CHANGED Viewed

@@ -47,6 +47,9 @@ module RubySMB
       # Raised when an error is returned during a Epm operation
       class EpmError < DcerpcError; end
+      # Raised when an error is returned during an LSARPC operation
+      class LsarpcError < DcerpcError; end
       # Raised when an error is returned during a Dfsnm operation
       class DfsnmError < DcerpcError
         include RubySMB::Error::UnexpectedStatusCode::Mixin

data/lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_request.rb ADDED Viewed

@@ -0,0 +1,22 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarClose Request Packet as defined in
+      # [3.1.4.9.4 LsarClose (Opnum 0)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/99dd2d7a-b0fc-4c6d-837a-2b4d342383ae)
+      class LsarCloseHandleRequest < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        def initialize_instance
+          super
+          @opnum = LSAR_CLOSE_HANDLE
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_close_handle_response.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarClose Response Packet as defined in
+      # [3.1.4.9.4 LsarClose (Opnum 0)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/99dd2d7a-b0fc-4c6d-837a-2b4d342383ae)
+      class LsarCloseHandleResponse < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        ndr_uint32   :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_CLOSE_HANDLE
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_lookup_sids_request.rb ADDED Viewed

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarLookupSids Request Packet as defined in
+      # [3.1.4.11 LsarLookupSids (Opnum 15)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/eb7ac899-e697-4883-93de-1e60c7720c02)
+      class LsarLookupSidsRequest < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle           :policy_handle
+        lsapr_sid_enum_buffer  :sid_enum_buffer
+        lsapr_translated_names :translated_names
+        ndr_uint16             :lookup_level
+        ndr_uint32             :mapped_count
+        def initialize_instance
+          super
+          @opnum = LSAR_LOOKUP_SIDS
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_lookup_sids_response.rb ADDED Viewed

@@ -0,0 +1,25 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarLookupSids Response Packet as defined in
+      # [3.1.4.11 LsarLookupSids (Opnum 15)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/eb7ac899-e697-4883-93de-1e60c7720c02)
+      class LsarLookupSidsResponse < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_referenced_domain_list_ptr :referenced_domains
+        lsapr_translated_names           :translated_names
+        ndr_uint32                       :mapped_count
+        ndr_uint32                       :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_LOOKUP_SIDS
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy2_request.rb ADDED Viewed

@@ -0,0 +1,24 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarOpenPolicy2 Request Packet as defined in
+      # [3.1.4.4.1 LsarOpenPolicy2 (Opnum 44)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/9456a963-7c21-4710-af77-d0a2f5a72d6b)
+      class LsarOpenPolicy2Request < BinData::Record
+        attr_reader :opnum
+        endian :little
+        ndr_wide_stringz_ptr    :system_name
+        lsapr_object_attributes :object_attributes
+        ndr_uint32              :access_mask
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY2
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy2_response.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarOpenPolicy2 Response Packet as defined in
+      # [3.1.4.4.1 LsarOpenPolicy2 (Opnum 44)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/9456a963-7c21-4710-af77-d0a2f5a72d6b)
+      class LsarOpenPolicy2Response < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        ndr_uint32   :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY2
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy_request.rb ADDED Viewed

@@ -0,0 +1,24 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarOpenPolicy Request Packet as defined in
+      # [3.1.4.4.2 LsarOpenPolicy (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/2a482ccf-1f89-4693-8594-855ff738ae8a)
+      class LsarOpenPolicyRequest < BinData::Record
+        attr_reader :opnum
+        endian :little
+        ndr_wide_string_ptr     :system_name
+        lsapr_object_attributes :object_attributes
+        ndr_uint32              :access_mask
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_open_policy_response.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarOpenPolicy Response Packet as defined in
+      # [3.1.4.4.2 LsarOpenPolicy (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/2a482ccf-1f89-4693-8594-855ff738ae8a)
+      class LsarOpenPolicyResponse < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        ndr_uint32   :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_OPEN_POLICY
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy2_request.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarQueryInformationPolicy2 Request Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy2 (Opnum 46)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/516f503c-0230-489d-b012-e650b46b66a2)
+      class LsarQueryInformationPolicy2Request < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        ndr_uint32   :information_class
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY2
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy2_response.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarQueryInformationPolicy2 Response Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy2 (Opnum 46)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/516f503c-0230-489d-b012-e650b46b66a2)
+      class LsarQueryInformationPolicy2Response < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_policy_information_ptr :policy_information
+        ndr_uint32                   :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY2
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy_request.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarQueryInformationPolicy Request Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/3564ba70-84ea-4f04-a9dc-dede9f96a8bf)
+      class LsarQueryInformationPolicyRequest < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_handle :policy_handle
+        ndr_uint32   :information_class
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/lsarpc/lsar_query_information_policy_response.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Lsarpc
+      # This class represents a LsarQueryInformationPolicy Response Packet as defined in
+      # [3.1.4.4.4 LsarQueryInformationPolicy (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/3564ba70-84ea-4f04-a9dc-dede9f96a8bf)
+      class LsarQueryInformationPolicyResponse < BinData::Record
+        attr_reader :opnum
+        endian :little
+        lsapr_policy_information_ptr :policy_information
+        ndr_uint32                   :error_status
+        def initialize_instance
+          super
+          @opnum = LSAR_QUERY_INFORMATION_POLICY
+        end
+      end
+    end
+  end
+end