ruby_smb 2.0.12 → 2.0.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e390e96aa471e87e6406cf5b7eae77a4c45f882201f4132d3243eb25506554dc
-  data.tar.gz: 65620d67c3dbfbf2d3f795856c8da03207a8df32aa439a6f6a0b5d46b385dd31
+  metadata.gz: dff619ce28b159e4f0829b3e6ab01578831b7ce6ef259f4f006fae819f62c252
+  data.tar.gz: cd3755a1fdd80484c04375fde5f19d8867fb004e7152b7e87600f772cc22a6fe
 SHA512:
-  metadata.gz: 0c252450305e217779de4c1bf6850fa55f12c95d6380795f6940c0451d33c64f1287ab13f6a373d1dcaa1752d399dac04fd0e358a49000335deba27d46ab8fc7
-  data.tar.gz: 2734dd65b1a84a03fdd914a6877640107caf6bcf561f3a41b769ef947e21276bc8759859ac4a36ba0b2ccfe15778ff06c234ff41dabf9ea4563a74a95ea1b891
+  metadata.gz: 2336c7b2bec69f1b86f1b8ef0fc0787793cf6ca4b9212f9f3e6666b94915c77e230aa0f4c583304deaa30a341ee93ebec2b5fc4e9dbabe06ca86403506f2a1df
+  data.tar.gz: db316b93e942705596156aa156ecc58167335f05fb4259b93be09afdd618e0725589e10ffc4451947ceb32a1a3c72ee22a8e054cde46e36517a89fc1e426b2d7

data/.github/workflows/verify.yml

@@ -20,7 +20,7 @@ jobs:
           - 2.5
           - 2.6
           - 2.7
-          - 3.0
+          - 3.0.3
         test_cmd:
           - bundle exec rspec
 

data/examples/dump_secrets_from_sid.rb

@@ -0,0 +1,207 @@
+#!/usr/bin/ruby
+
+# This example script is used for testing DCERPC client and DRSR structures.
+# It will attempt to connect to a host and enumerate user secrets.
+# Example usage: ruby dump_secrets_from_sid.rb 192.168.172.138 msfadmin msfadmin MYDOMAIN S-1-5-21-419547006-9448028-4223375872-500
+# This will try to connect to \\192.168.172.138 with the msfadmin:msfadmin
+# credentials and enumerate secrets of domain user with SID
+# S-1-5-21-419547006-9448028-4223375872-500
+
+require 'bundler/setup'
+require 'ruby_smb/dcerpc/client'
+
+
+address      = ARGV[0]
+username     = ARGV[1]
+password     = ARGV[2]
+domain       = ARGV[3]
+sid          = ARGV[4]
+
+client = RubySMB::Dcerpc::Client.new(
+  address,
+  RubySMB::Dcerpc::Drsr,
+  username: username,
+  password: password,
+)
+client.connect
+puts('Binding to DRSR...')
+client.bind(
+  auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
+  auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+)
+puts('Bound to DRSR')
+ph_drs = client.drs_bind
+puts "ph_drs: #{ph_drs}"
+puts
+
+dc_infos = client.drs_domain_controller_info(ph_drs, domain)
+dc_infos.each do |dc_info|
+  dc_info.field_names.each do |field|
+    puts "#{field}: #{dc_info.send(field).to_s.encode('utf-8')}"
+  end
+  puts
+  puts
+
+  crack_names = client.drs_crack_names(ph_drs, rp_names: [sid])
+  puts "SID: #{sid}"
+  crack_names.each do |crack_name|
+    puts "Domain: #{crack_name.p_domain.to_s.encode('utf-8')}"
+    puts "Name: #{crack_name.p_name.to_s.encode('utf-8')}"
+
+    user_record = client.drs_get_nc_changes(
+      ph_drs,
+      nc_guid: crack_name.p_name.to_s.encode('utf-8'),
+      dsa_object_guid: dc_info.ntds_dsa_object_guid,
+    )
+
+    # self.__decryptHash
+    dn = user_record.pmsg_out.msg_getchg.p_nc.string_name.to_ary[0..-1].join.encode('utf-8')
+    puts "Decrypting hash for user: #{dn}"
+
+    entinf_struct = user_record.pmsg_out.msg_getchg.p_objects.entinf
+    object_sid = rid = entinf_struct.p_name.sid[-4..-1].unpack('<L').first
+    lm_hash = Net::NTLM.lm_hash('')
+    nt_hash = Net::NTLM.ntlm_hash('')
+    disabled = nil
+    computer_account = nil
+    password_never_expires = nil
+    password_not_required = nil
+    pwd_last_set = nil
+    last_logon = nil
+    expires = nil
+    lm_history = []
+    nt_history = []
+    domain_name = ''
+    user = 'unknown'
+    kerberos_keys = {}
+    clear_text_passwords = []
+
+    entinf_struct.attr_block.p_attr.each do |attr|
+      next unless attr.attr_val.val_count > 0
+      # begin
+      att_id = user_record.pmsg_out.msg_getchg.oid_from_attid(attr.attr_typ)
+      lookup_table = RubySMB::Dcerpc::Drsr::ATTRTYP_TO_ATTID
+      # rescue XXXX
+      #   att_id = attr.attr_typ
+      #   lookup_table = NAME_TO_ATTRTYP
+      # end
+
+      #puts "#{lookup_table.key(att_id) || 'Unknown'}: #{attr.attr_val.p_aval[0].p_val}"
+
+      attribute_value = attr.attr_val.p_aval[0].p_val.to_ary.map(&:chr).join
+      case att_id
+      when lookup_table['dBCSPwd']
+        encrypted_lm_hash = client.decrypt_attribute_value(attribute_value)
+        lm_hash = client.remove_des_layer(encrypted_lm_hash, rid)
+      when lookup_table['unicodePwd']
+        encrypted_nt_hash = client.decrypt_attribute_value(attribute_value)
+        nt_hash = client.remove_des_layer(encrypted_nt_hash, rid)
+      when lookup_table['userPrincipalName']
+        domain_name = attribute_value.force_encoding('utf-16le').encode('utf-8').split('@').last
+      when lookup_table['sAMAccountName']
+        user = attribute_value.force_encoding('utf-16le').encode('utf-8')
+      when lookup_table['objectSid']
+        object_sid = attribute_value
+      when lookup_table['userAccountControl']
+        user_account_control =  attribute_value.unpack('L<')[0]
+        disabled = user_account_control & RubySMB::Dcerpc::Samr::UF_ACCOUNTDISABLE != 0
+        computer_account = user_account_control & RubySMB::Dcerpc::Samr::UF_NORMAL_ACCOUNT == 0
+        password_never_expires = user_account_control & RubySMB::Dcerpc::Samr::UF_DONT_EXPIRE_PASSWD != 0
+        password_not_required = user_account_control & RubySMB::Dcerpc::Samr::UF_PASSWD_NOTREQD != 0
+      when lookup_table['pwdLastSet']
+        pwd_last_set = Time.at(0)
+        time_value = attribute_value.unpack('Q<')[0]
+        if time_value > 0
+          pwd_last_set = RubySMB::Field::FileTime.new(time_value).to_time.utc
+        end
+      when lookup_table['accountExpires']
+        expires = Time.at(0)
+        time_value = attribute_value.unpack('Q<')[0]
+        if time_value > 0 && time_value != 0x7FFFFFFFFFFFFFFF
+          expires = RubySMB::Field::FileTime.new(time_value).to_time.utc
+        end
+      when lookup_table['lastLogonTimestamp']
+        last_logon = Time.at(0)
+        time_value = attribute_value.unpack('Q<')[0]
+        if time_value > 0
+          last_logon = RubySMB::Field::FileTime.new(time_value).to_time.utc
+        end
+      when lookup_table['lmPwdHistory']
+        tmp_lm_history = client.decrypt_attribute_value(attribute_value)
+        tmp_lm_history.bytes.each_slice(16) do |block|
+          lm_history << client.remove_des_layer(block.map(&:chr).join, rid)
+        end
+      when lookup_table['ntPwdHistory']
+        tmp_nt_history = client.decrypt_attribute_value(attribute_value)
+        tmp_nt_history.bytes.each_slice(16) do |block|
+          nt_history << client.remove_des_layer(block.map(&:chr).join, rid)
+        end
+      when lookup_table['supplementalCredentials']
+        # self.__decryptSupplementalInfo
+        plain_text = client.decrypt_attribute_value(attribute_value)
+        user_properties = RubySMB::Dcerpc::Samr::UserProperties.read(plain_text)
+        user_properties.user_properties.each do |user_property|
+          case user_property.property_name.encode('utf-8')
+          when 'Primary:Kerberos-Newer-Keys'
+            value = user_property.property_value
+            binary_value = value.chars.each_slice(2).map {|a,b| (a+b).hex.chr}.join
+            kerb_stored_credential_new = RubySMB::Dcerpc::Samr::KerbStoredCredentialNew.read(binary_value)
+            key_values = kerb_stored_credential_new.get_key_values
+            kerb_stored_credential_new.credentials.each_with_index do |credential, i|
+              kerberos_type = RubySMB::Dcerpc::Samr::KERBEROS_TYPE[credential.key_type]
+              if kerberos_type
+                kerberos_keys[kerberos_type] = key_values[i].unpack('H*')[0]
+              else
+                kerberos_keys["0x#{credential.key_type.to_i.to_s(16)}"] = key_values[i].unpack('H*')[0]
+              end
+            end
+          when 'Primary:CLEARTEXT'
+            # [MS-SAMR] 3.1.1.8.11.5 Primary:CLEARTEXT Property
+            # This credential type is the cleartext password. The value format is the UTF-16 encoded cleartext password.
+            begin
+              clear_text_passwords << user_property.property_value.to_s.force_encoding('utf-16le').encode('utf-8')
+            rescue EncodingError
+              # This could be because we're decoding a machine password. Printing it hex
+              # Keep clear_text_passwords with a ASCII-8BIT encoding
+              clear_text_passwords << user_property.property_value.to_s
+            end
+          end
+        end
+      end
+    end
+
+    user = "#{domain_name}\\#{user}" unless domain_name.empty?
+
+    puts "#{user}:#{rid}:#{lm_hash.unpack('H*')[0]}:#{nt_hash.unpack('H*')[0]}:::"
+    puts "Object SID: 0x#{object_sid.unpack('H*')[0]}"
+    puts "Password last set: #{pwd_last_set && pwd_last_set > Time.at(0) ? pwd_last_set : 'never'}"
+    puts "Last logon: #{last_logon && last_logon > Time.at(0) ? last_logon : 'never'}"
+    puts "Account disabled: #{disabled.nil? ? 'N/A' : disabled}"
+    puts "Computer account: #{computer_account.nil? ? 'N/A' : computer_account}"
+    puts "Password never expires: #{password_never_expires.nil? ?  'N/A' : password_never_expires}"
+    puts "Password not required: #{password_not_required.nil? ? 'N/A' : password_not_required}"
+    puts "Expired: #{!disabled && expires && expires > Time.at(0) && expires < Time.now}"
+    if nt_history.size > 1 and lm_history.size > 1
+      puts "Password history:"
+      nt_history[1..-1].zip(lm_history[1..-1]).each_with_index do |history, i|
+        nt_h, lm_h = history
+        empty_lm_h = Net::NTLM.lm_hash('')
+        puts "  #{user}_history#{i}:#{rid}:#{empty_lm_h.unpack('H*')[0]}:#{nt_h.to_s.unpack('H*')[0]}::: (if LMHashes are not stored)"
+        puts "  #{user}_history#{i}:#{rid}:#{lm_h.to_s.unpack('H*')[0]}:#{nt_h.to_s.unpack('H*')[0]}::: (if LMHashes are stored)"
+      end
+    end
+    puts "Kerberos keys:"
+    kerberos_keys.each do |key_type, key_value|
+      puts "  #{user}:#{key_type}:#{key_value}"
+    end
+    puts "Clear passwords:"
+    clear_text_passwords.each do |passwd|
+      puts "  #{user}:CLEARTEXT:#{passwd}"
+    end
+  end
+end
+
+client.drs_unbind(ph_drs)
+client.close
+
+puts 'Done'

data/examples/enum_domain_users.rb

@@ -0,0 +1,75 @@
+#!/usr/bin/ruby
+
+# This example script is used for testing DCERPC SAMR requests.
+# It will attempt to connect to a server object and enumerate domain users.
+# Example usage: ruby enum_domain_users.rb 192.168.172.138 msfadmin msfadmin MyDomain
+
+require 'bundler/setup'
+require 'ruby_smb'
+
+address      = ARGV[0]
+username     = ARGV[1]
+password     = ARGV[2]
+domain       = ARGV[3]
+smb_versions = ARGV[4]&.split(',') || ['1','2','3']
+
+sock = TCPSocket.new address, 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock, read_timeout: 60)
+
+client = RubySMB::Client.new(dispatcher, smb1: smb_versions.include?('1'), smb2: smb_versions.include?('2'), smb3: smb_versions.include?('3'), username: username, password: password)
+protocol = client.negotiate
+status = client.authenticate
+
+puts "#{protocol} : #{status}"
+
+tree = client.tree_connect("\\\\#{address}\\IPC$")
+samr = tree.open_file(filename: 'samr', write: true, read: true)
+
+puts('Binding to \\samr...')
+samr.bind(endpoint: RubySMB::Dcerpc::Samr)
+puts('Bound to \\samr')
+
+puts('[+] SAMR Connect')
+server_handle = samr.samr_connect
+
+domain_sid = samr.samr_lookup_domain(server_handle: server_handle, name: domain)
+domain_handle = samr.samr_open_domain(server_handle: server_handle, domain_id: domain_sid)
+
+builtin_domain_sid = samr.samr_lookup_domain(server_handle: server_handle, name: 'Builtin')
+builtin_domain_handle = samr.samr_open_domain(server_handle: server_handle, domain_id: builtin_domain_sid)
+
+users = samr.samr_enumerate_users_in_domain(domain_handle: domain_handle)
+
+puts 'RID   | SID                                         | Name          | Domain Groups | Domain Alias Groups | Builtin Alias Groups'
+puts '--------------------------------------------------------------------------------------------------------------------------------'
+users.each do |rid, name|
+  sid = samr.samr_rid_to_sid(object_handle: domain_handle, rid: rid)
+  domain_sid = sid.to_s.split('-')[0..-2].join('-')
+
+  user_handle = samr.samr_open_user(domain_handle: domain_handle, user_id: rid)
+  groups = samr.samr_get_group_for_user(user_handle: user_handle)
+  groups = groups.map { |group| RubySMB::Dcerpc::Samr::RpcSid.new("#{domain_sid}-#{group.relative_id.to_i}") }
+
+  alias_groups = samr.samr_get_alias_membership(domain_handle: domain_handle, sids: groups + [sid])
+  alias_groups = alias_groups.map { |group| RubySMB::Dcerpc::Samr::RpcSid.new("#{domain_sid}-#{group}") }
+
+  builtin_alias_groups = samr.samr_get_alias_membership(domain_handle: builtin_domain_handle, sids: groups + [sid])
+  builtin_alias_groups = builtin_alias_groups.map { |group| RubySMB::Dcerpc::Samr::RpcSid.new("#{domain_sid}-#{group}") }
+
+  #TODO: implement [LSAT] LsarLookupSids2 call to get the name of the "Unknown SID"'s
+
+  output = "#{"%-5s" % rid} | #{"%-43s" % sid} | #{name.encode('UTF-8')}"
+  output << " | #{groups.empty? ? 'N/A' : groups.map(&:name).join(', ')}"
+  output << " | #{alias_groups.empty? ? 'N/A' : alias_groups.map(&:name).join(', ')}"
+  output << " | #{builtin_alias_groups.empty? ? 'N/A' : builtin_alias_groups.map(&:name).join(', ')}"
+  puts output
+
+  samr.close_handle(user_handle)
+end
+
+samr.close_handle(domain_handle)
+samr.close_handle(builtin_domain_handle)
+samr.close_handle(server_handle)
+
+client.disconnect!
+

data/examples/get_computer_info.rb

@@ -0,0 +1,42 @@
+#!/usr/bin/ruby
+
+# This example script is used for testing DCERPC WKST requests.
+# It will attempt to retrieve configuration information of a remote computer/server.
+# Example usage: ruby enum_domain_users.rb 192.168.172.138 msfadmin msfadmin MyDomain
+
+require 'bundler/setup'
+require 'ruby_smb'
+
+address      = ARGV[0]
+username     = ARGV[1]
+password     = ARGV[2]
+smb_versions = ARGV[3]&.split(',') || ['1','2','3']
+
+sock = TCPSocket.new address, 445
+dispatcher = RubySMB::Dispatcher::Socket.new(sock, read_timeout: 60)
+
+client = RubySMB::Client.new(dispatcher, smb1: smb_versions.include?('1'), smb2: smb_versions.include?('2'), smb3: smb_versions.include?('3'), username: username, password: password)
+protocol = client.negotiate
+status = client.authenticate
+
+puts "#{protocol} : #{status}"
+
+tree = client.tree_connect("\\\\#{address}\\IPC$")
+wkssvc = tree.open_file(filename: 'wkssvc', write: true, read: true)
+
+puts('Binding to \\wkssvc...')
+wkssvc.bind(endpoint: RubySMB::Dcerpc::Wkssvc)
+puts('Bound to \\wkssvc')
+
+puts('[+] WKSSVC Connect')
+
+info = wkssvc.netr_wksta_get_info
+platform = RubySMB::Dcerpc::Wkssvc::PLATFORM_ID[info.wki100_platform_id]
+puts "Platform: #{platform || 'Unknown'}"
+puts "Computer Name: #{info.wki100_computername.encode('utf-8')}"
+puts "LAN Group: #{info.wki100_langroup.encode('utf-8')}"
+puts "OS Version: #{info.wki100_ver_major}.#{info.wki100_ver_minor}"
+
+client.disconnect!
+
+

data/examples/query_service_status.rb

@@ -36,25 +36,63 @@ scm_handle = svcctl.open_sc_manager_w(address)
 svc_handle = svcctl.open_service_w(scm_handle, service)
 svc_status = svcctl.query_service_status(svc_handle)
 
+puts
 case svc_status.dw_current_state
 when RubySMB::Dcerpc::Svcctl::SERVICE_RUNNING
   puts("Service #{service} is running")
 when RubySMB::Dcerpc::Svcctl::SERVICE_STOPPED
   puts("Service #{service} is in stopped state")
 end
+puts
 
 svc_config = svcctl.query_service_config(svc_handle)
+
+service_type = 'Service type: '
+case svc_config.dw_service_type
+when RubySMB::Dcerpc::Svcctl::SERVICE_KERNEL_DRIVER
+  service_type << 'Driver service'
+when RubySMB::Dcerpc::Svcctl::SERVICE_FILE_SYSTEM_DRIVER
+  service_type << 'File system driver service'
+when RubySMB::Dcerpc::Svcctl::SERVICE_WIN32_OWN_PROCESS
+  service_type << 'Service that runs in its own process'
+when RubySMB::Dcerpc::Svcctl::SERVICE_WIN32_SHARE_PROCESS
+  service_type << 'Service that shares a process with other services'
+end
+
+start_type = 'Service start type: '
 case svc_config.dw_start_type
 when RubySMB::Dcerpc::Svcctl::SERVICE_DISABLED
-  puts("Service #{service} is disabled")
+  start_type << 'Service is disabled'
 when RubySMB::Dcerpc::Svcctl::SERVICE_BOOT_START, RubySMB::Dcerpc::Svcctl::SERVICE_SYSTEM_START
-  puts("Service #{service} starts when the system boots up (driver)")
+  start_type << 'Service starts when the system boots up (driver)'
 when RubySMB::Dcerpc::Svcctl::SERVICE_AUTO_START
-  puts("Service #{service} starts automatically during system startup")
+  start_type << 'Service starts automatically during system startup'
 when RubySMB::Dcerpc::Svcctl::SERVICE_DEMAND_START
-  puts("Service #{service} starts manually")
+  start_type << 'Service starts manually'
 end
 
+error_control = 'Error control: '
+case svc_config.dw_error_control
+when RubySMB::Dcerpc::Svcctl::SERVICE_ERROR_IGNORE
+  error_control << 'SERVICE_ERROR_IGNORE'
+when RubySMB::Dcerpc::Svcctl::SERVICE_ERROR_NORMAL
+  error_control << 'SERVICE_ERROR_NORMAL'
+when RubySMB::Dcerpc::Svcctl::SERVICE_ERROR_SEVERE
+  error_control << 'SERVICE_ERROR_SEVERE'
+when RubySMB::Dcerpc::Svcctl::SERVICE_ERROR_CRITICAL
+  error_control << 'SERVICE_ERROR_CRITICAL'
+end
+
+puts service_type
+puts start_type
+puts error_control
+puts "Binary path: #{svc_config.lp_binary_path_name.to_s.encode('utf-8')}"
+puts "Load ordering service group: #{svc_config.lp_load_order_group.to_s.encode('utf-8')}"
+puts "Service group tag ID: #{svc_config.dw_tag_id.to_s.encode('utf-8')}"
+puts "Dependencies: #{svc_config.lp_dependencies.to_s.encode('utf-8')}"
+puts "Service start name: #{svc_config.lp_service_start_name.to_s.encode('utf-8')}"
+
+
 if svcctl
   svcctl.close_service_handle(svc_handle) if svc_handle
   svcctl.close_service_handle(scm_handle) if scm_handle

data/lib/ruby_smb/client.rb

@@ -279,7 +279,7 @@ module RubySMB
     # @param smb2 [Boolean] whether or not to enable SMB2 support
     # @param smb3 [Boolean] whether or not to enable SMB3 support
     def initialize(dispatcher, smb1: true, smb2: true, smb3: true, username:, password:, domain: '.',
-                   local_workstation: 'WORKSTATION', always_encrypt: true, ntlm_flags: default_flags)
+                   local_workstation: 'WORKSTATION', always_encrypt: true, ntlm_flags: NTLM::DEFAULT_CLIENT_FLAGS)
       raise ArgumentError, 'No Dispatcher provided' unless dispatcher.is_a? RubySMB::Dispatcher::Base
       if smb1 == false && smb2 == false && smb3 == false
         raise ArgumentError, 'You must enable at least one Protocol'
@@ -366,7 +366,7 @@ module RubySMB
     # the credentials supplied during initialization, but can take a new set of credentials if needed.
     def login(username: self.username, password: self.password,
               domain: self.domain, local_workstation: self.local_workstation,
-              ntlm_flags: default_flags)
+              ntlm_flags: NTLM::DEFAULT_CLIENT_FLAGS)
       negotiate
       session_setup(username, password, domain,
                     local_workstation: local_workstation,
@@ -374,7 +374,7 @@ module RubySMB
     end
 
     def session_setup(user, pass, domain, do_recv=true,
-                      local_workstation: self.local_workstation, ntlm_flags: default_flags)
+                      local_workstation: self.local_workstation, ntlm_flags: NTLM::DEFAULT_CLIENT_FLAGS)
       @domain            = domain
       @local_workstation = local_workstation
       @password          = pass.encode('utf-8') || ''.encode('utf-8')
@@ -648,16 +648,5 @@ module RubySMB
       )
     end
 
-    private
-
-    def default_flags
-      negotiate_version_flag = 0x02000000
-      flags = Net::NTLM::Client::DEFAULT_FLAGS |
-        RubySMB::NTLM::NEGOTIATE_FLAGS[:TARGET_INFO] |
-        negotiate_version_flag ^
-        RubySMB::NTLM::NEGOTIATE_FLAGS[:OEM]
-
-      flags
-    end
   end
 end

data/lib/ruby_smb/dcerpc/bind.rb

@@ -2,51 +2,59 @@ module RubySMB
   module Dcerpc
     # The Bind PDU as defined in
     # [The bind PDU](http://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_03)
-    class PContElemT < BinData::Record
+    class PContElemT < Ndr::NdrStruct
+      default_parameter byte_align: 4
       endian :little
 
-      uint16 :p_cont_id,     label: 'Context ID'
-      uint8 :n_transfer_syn, label: 'Number of transfer syntaxes', initial_value: 1
-      uint8 :reserved
+      ndr_uint16    :p_cont_id, label: 'Context ID'
+      ndr_uint8     :n_transfer_syn, label: 'Number of transfer syntaxes', initial_value: 1
+      ndr_uint8     :reserved
       p_syntax_id_t :abstract_syntax, label: 'Abstract syntax',
         uuid: ->      { endpoint::UUID },
         ver_major: -> { endpoint::VER_MAJOR },
         ver_minor: -> { endpoint::VER_MINOR }
-      array :transfer_syntaxes, label: 'Transfer syntax', type: :p_syntax_id_t,
+      array         :transfer_syntaxes, label: 'Transfer syntax', type: :p_syntax_id_t,
         initial_length: -> { n_transfer_syn },
         uuid: ->      { Ndr::UUID },
         ver_major: -> { Ndr::VER_MAJOR },
-        ver_minor: -> { Ndr::VER_MINOR }
+        ver_minor: -> { Ndr::VER_MINOR },
+        byte_align: 4
     end
 
-    class PContListT < BinData::Record
+    class PContListT < Ndr::NdrStruct
+      default_parameter byte_align: 4
       endian :little
 
-      uint8 :n_context_elem, label: 'Number of context elements', initial_value: -> { 1 }
-      uint8 :reserved
-      uint16 :reserved2
-      array :p_cont_elem, label: 'Presentation context elements', type: :p_cont_elem_t,
+      ndr_uint8  :n_context_elem, label: 'Number of context elements', initial_value: -> { 1 }
+      ndr_uint8  :reserved
+      ndr_uint16 :reserved2
+      array      :p_cont_elem, label: 'Presentation context elements', type: :p_cont_elem_t,
         initial_length: -> {n_context_elem},
-        endpoint: -> {endpoint}
+        endpoint: -> {endpoint},
+        byte_align: 4
     end
 
     class Bind < BinData::Record
-      endian :little
-
-      pdu_header :pdu_header,        label: 'PDU header'
+      PTYPE = PTypes::BIND
 
-      uint16 :max_xmit_frag,         label: 'max transmit frag size',    initial_value: RubySMB::Dcerpc::MAX_XMIT_FRAG
-      uint16 :max_recv_frag,         label: 'max receive  frag size',    initial_value: RubySMB::Dcerpc::MAX_RECV_FRAG
-      uint32 :assoc_group_id,        label: 'ncarnation of client-server assoc group'
+      endian :little
 
+      # PDU Header
+      pdu_header    :pdu_header, label: 'PDU header'
+      ndr_uint16    :max_xmit_frag, label: 'max transmit frag size', initial_value: RubySMB::Dcerpc::MAX_XMIT_FRAG
+      ndr_uint16    :max_recv_frag, label: 'max receive frag size', initial_value: RubySMB::Dcerpc::MAX_RECV_FRAG
+      ndr_uint32    :assoc_group_id, label: 'incarnation of client-server assoc group'
       p_cont_list_t :p_context_list, label: 'Presentation context list', endpoint: -> { endpoint }
-      string :auth_verifier,         label: 'Authentication verifier',
+
+      # Auth Verifier
+      sec_trailer   :sec_trailer, onlyif: -> { pdu_header.auth_length > 0 }
+      string        :auth_value,
         onlyif: -> { pdu_header.auth_length > 0 },
         read_length: -> { pdu_header.auth_length }
 
       def initialize_instance
         super
-        pdu_header.ptype = RubySMB::Dcerpc::PTypes::BIND
+        pdu_header.ptype = PTYPE
       end
     end
   end

data/lib/ruby_smb/dcerpc/bind_ack.rb

@@ -3,34 +3,39 @@ module RubySMB
     # The Bind ACK PDU as defined in
     # [The bind_ack PDU](http://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_04)
 
-    class PResultT < BinData::Record
+    class PResultT < Ndr::NdrStruct
+      default_parameter byte_align: 4
       endian :little
 
-      uint16        :result,          label: 'Presentation context negotiation results'
-      uint16        :reason,          label: 'Rejection reason'
-      p_syntax_id_t :transfer_syntax, label: 'Presentation syntax ID',
-        uuid: ->      { Ndr::UUID },
+      ndr_uint16        :result,          label: 'Presentation context negotiation results'
+      ndr_uint16        :reason,          label: 'Rejection reason'
+      p_syntax_id_t     :transfer_syntax, label: 'Presentation syntax ID',
+        uuid:      -> { Ndr::UUID },
         ver_major: -> { Ndr::VER_MAJOR },
         ver_minor: -> { Ndr::VER_MINOR }
     end
 
-    class PResultListT < BinData::Record
+    class PResultListT < Ndr::NdrStruct
+      default_parameter byte_align: 4
       endian :little
 
-      uint8  :n_results, label: 'Number of results'
-      uint8  :reserved
-      uint16 :reserved2
-      array  :p_results, label: 'Results', type: :p_result_t, initial_length: -> { n_results }
+      ndr_uint8  :n_results, label: 'Number of results', initial_value: -> { p_results.size }
+      ndr_uint8  :reserved
+      ndr_uint16 :reserved2
+      array      :p_results, label: 'Results', type: :p_result_t, initial_length: -> { n_results }, byte_align: 4
     end
 
-    class PortAnyT < BinData::Record
+    class PortAnyT < Ndr::NdrStruct
+      default_parameter byte_align: 2
       endian :little
 
-      uint16  :str_length, label: 'Length', initial_value: -> { port_spec.to_binary_s.size }
-      stringz :port_spec,  label: 'Port string spec'
+      ndr_uint16  :str_length, label: 'Length', initial_value: -> { port_spec.to_binary_s.size }
+      stringz     :port_spec, label: 'Port string spec', byte_align: 2
     end
 
     class BindAck < BinData::Record
+      PTYPE = PTypes::BIND_ACK
+
       # Presentation context negotiation results
       ACCEPTANCE         = 0
       USER_REJECTION     = 1
@@ -44,27 +49,23 @@ module RubySMB
 
       endian :little
 
-      pdu_header :pdu_header,         label: 'PDU header'
-
-      uint16     :max_xmit_frag,      label: 'Max transmit frag size',  initial_value: RubySMB::Dcerpc::MAX_XMIT_FRAG
-      uint16     :max_recv_frag,      label: 'Max receive frag size',   initial_value: RubySMB::Dcerpc::MAX_RECV_FRAG
-      uint32     :assoc_group_id,     label: 'Association group ID'
-      port_any_t :sec_addr,           label: 'Secondary address'
-      string     :pad,                length: -> { pad_length }
-
+      # PDU Header
+      pdu_header      :pdu_header, label: 'PDU header'
+      ndr_uint16      :max_xmit_frag, label: 'Max transmit frag size', initial_value: RubySMB::Dcerpc::MAX_XMIT_FRAG
+      ndr_uint16      :max_recv_frag, label: 'Max receive frag size', initial_value: RubySMB::Dcerpc::MAX_RECV_FRAG
+      ndr_uint32      :assoc_group_id, label: 'Association group ID'
+      port_any_t      :sec_addr, label: 'Secondary address'
       p_result_list_t :p_result_list, label: 'Presentation context result list'
-      string :auth_verifier, label: 'Authentication verifier',
+
+      # Auth Verifier
+      sec_trailer     :sec_trailer, onlyif: -> { pdu_header.auth_length > 0 }
+      string          :auth_value,
         onlyif: -> { pdu_header.auth_length > 0 },
         read_length: -> { pdu_header.auth_length }
 
       def initialize_instance
         super
-        pdu_header.ptype = RubySMB::Dcerpc::PTypes::BIND_ACK
-      end
-
-      def pad_length
-        offset = (sec_addr.abs_offset + sec_addr.do_num_bytes) % 4
-        (4 - offset) % 4
+        pdu_header.ptype = PTYPE
       end
     end
   end