require 'rex/text' require 'rex/proto/smb/constants' module Rex module Proto module SMB class Utils CONST = Rex::Proto::SMB::Constants # Creates an access mask for use with the CLIENT.open() call based on a string def self.open_mode_to_access(str) access = CONST::OPEN_ACCESS_READ | CONST::OPEN_SHARE_DENY_NONE str.each_byte { |c| case [c].pack('C').downcase when 'w' access |= CONST::OPEN_ACCESS_READWRITE end } return access end # Creates a mode mask for use with the CLIENT.open() call based on a string def self.open_mode_to_mode(str) mode = 0 str.each_byte { |c| case [c].pack('C').downcase when 'x' # Fail if the file already exists mode |= CONST::OPEN_MODE_EXCL when 't' # Truncate the file if it already exists mode |= CONST::OPEN_MODE_TRUNC when 'c' # Create the file if it does not exist mode |= CONST::OPEN_MODE_CREAT when 'o' # Just open the file, clashes with x mode |= CONST::OPEN_MODE_OPEN end } return mode end # Returns a disposition value for smb.create based on permission string def self.create_mode_to_disposition(str) str.each_byte { |c| case [c].pack('C').downcase when 'c' # Create the file if it does not exist return CONST::CREATE_ACCESS_OPENCREATE when 'o' # Just open the file and fail if it does not exist return CONST::CREATE_ACCESS_EXIST end } return CONST::CREATE_ACCESS_OPENCREATE end # Convert a 64-bit signed SMB time to a unix timestamp def self.time_smb_to_unix(thi, tlo) (((thi << 32) + tlo) / 10000000) - 11644473600 end # Convert a unix timestamp to a 64-bit signed server time def self.time_unix_to_smb(unix_time) t64 = (unix_time + 11644473600) * 10000000 thi = (t64 & 0xffffffff00000000) >> 32 tlo = (t64 & 0x00000000ffffffff) return [thi, tlo] end # Convert a name to its NetBIOS equivalent def self.nbname_encode(str) encoded = '' for x in (0..15) if (x >= str.length) encoded << 'CA' else c = str[x, 1].upcase[0] encoded << [ (c / 16) + 0x41, (c % 16) + 0x41 ].pack('CC') end end return encoded end # Convert a name from its NetBIOS equivalent def self.nbname_decode(str) decoded = '' str << 'A' if str.length % 2 != 0 while (str.length > 0) two = str.slice!(0, 2) if (two.length == 2) decoded << [ ((two[0] - 0x41) * 16) + two[1] - 0x41 ].pack('C') end end return decoded end # # Prepends an ASN1 formatted length field to a piece of data # def self.asn1encode(str = '') res = '' # If the high bit of the first byte is 1, it contains the number of # length bytes that follow case str.length when 0 .. 0x7F res = [str.length].pack('C') + str when 0x80 .. 0xFF res = [0x81, str.length].pack('CC') + str when 0x100 .. 0xFFFF res = [0x82, str.length].pack('Cn') + str when 0x10000 .. 0xffffff res = [0x83, str.length >> 16, str.length & 0xFFFF].pack('CCn') + str when 0x1000000 .. 0xffffffff res = [0x84, str.length].pack('CN') + str else raise "ASN1 str too long" end return res end def self.make_ntlmv2_secblob_init(domain = 'WORKGROUP', name = 'WORKSTATION', flags=0x80201) blob = "\x60" + self.asn1encode( "\x06" + self.asn1encode( "\x2b\x06\x01\x05\x05\x02" ) + "\xa0" + self.asn1encode( "\x30" + self.asn1encode( "\xa0" + self.asn1encode( "\x30" + self.asn1encode( "\x06" + self.asn1encode( "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" ) ) ) + "\xa2" + self.asn1encode( "\x04" + self.asn1encode( "NTLMSSP\x00" + [1, flags].pack('VV') + [ domain.length, #length domain.length, #max length 32 ].pack('vvV') + [ name.length, #length name.length, #max length domain.length + 32 ].pack('vvV') + domain + name ) ) ) ) ) return blob end def self.make_ntlmv2_secblob_auth(domain, name, user, lmv2, ntlm, flags = 0x080201) lmv2 ||= "\x00" * 24 ntlm ||= "\x00" * 24 domain_uni = Rex::Text.to_unicode(domain) user_uni = Rex::Text.to_unicode(user) name_uni = Rex::Text.to_unicode(name) session = '' ptr = 64 blob = "\xa1" + self.asn1encode( "\x30" + self.asn1encode( "\xa2" + self.asn1encode( "\x04" + self.asn1encode( "NTLMSSP\x00" + [ 3 ].pack('V') + [ # Lan Manager Response lmv2.length, lmv2.length, (ptr) ].pack('vvV') + [ # NTLM Manager Response ntlm.length, ntlm.length, (ptr += lmv2.length) ].pack('vvV') + [ # Domain Name domain_uni.length, domain_uni.length, (ptr += ntlm.length) ].pack('vvV') + [ # Username user_uni.length, user_uni.length, (ptr += domain_uni.length) ].pack('vvV') + [ # Hostname name_uni.length, name_uni.length, (ptr += user_uni.length) ].pack('vvV') + [ # Session Key (none) session.length, session.length, (ptr += name_uni.length) ].pack('vvV') + [ flags ].pack('V') + lmv2 + ntlm + domain_uni + user_uni + name_uni + session + "\x00" ) ) ) ) return blob end def self.make_negotiate_secblob_resp(account, domain) blob = "\x60" + self.asn1encode( "\x06" + self.asn1encode( "\x2b\x06\x01\x05\x05\x02" ) + "\xa0" + self.asn1encode( "\x30" + self.asn1encode( "\xa0" + self.asn1encode( "\x30" + self.asn1encode( "\x06" + self.asn1encode( "\x2a\x86\x48\x82\xf7\x12\x01\x02\x02" ) + "\x06" + self.asn1encode( "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" ) + "\x06" + self.asn1encode( "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" ) + "\x06" + self.asn1encode( "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" ) ) ) + "\xa3" + self.asn1encode( "\x30" + self.asn1encode( "\xa0" + self.asn1encode( "\x1b" + self.asn1encode( account + '@' + domain ) ) ) ) ) ) ) return blob end def self.make_ntlmv2_secblob_chall(win_domain, dns_domain, win_name, dns_name, chall, flags) win_domain = Rex::Text.to_unicode(win_domain) dns_domain = Rex::Text.to_unicode(dns_domain) win_name = Rex::Text.to_unicode(win_name) dns_name = Rex::Text.to_unicode(dns_name) addr_list = '' addr_list << [2, win_domain.length].pack('vv') + win_domain addr_list << [1, win_name.length].pack('vv') + win_name addr_list << [4, dns_domain.length].pack('vv') + dns_domain addr_list << [3, dns_name.length].pack('vv') + dns_name addr_list << [5, dns_domain.length].pack('vv') + dns_domain addr_list << [0, 0].pack('vv') ptr = 0 blob = "\xa1" + self.asn1encode( "\x30" + self.asn1encode( "\xa0" + self.asn1encode( "\x0a" + self.asn1encode( "\x01" ) ) + "\xa1" + self.asn1encode( "\x06" + self.asn1encode( "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" ) ) + "\xa2" + self.asn1encode( "\x04" + self.asn1encode( "NTLMSSP\x00" + [2].pack('V') + [ win_domain.length, # length win_domain.length, # max length (ptr += 48) ].pack('vvV') + [ flags ].pack('V') + chall + "\x00\x00\x00\x00\x00\x00\x00\x00" + [ addr_list.length, # length addr_list.length, # max length (ptr += win_domain.length) ].pack('vvV') + win_domain + addr_list ) ) ) ) return blob end def self.make_ntlmv2_secblob_success blob = "\xa1" + self.asn1encode( "\x30" + self.asn1encode( "\xa0" + self.asn1encode( "\x0a" + self.asn1encode( "\x00" ) ) ) ) return blob end # # Process Type 3 NTLM Message (in Base64) # def self.process_type3_message(message) decode = Rex::Text.decode_base64(message.strip) type = decode[8] if (type == 3) domoff = decode[32] # domain offset domlen = decode[28] # domain length useroff = decode[40] # username offset userlen = decode[36] # username length hostoff = decode[48] # hostname offset hostlen = decode[44] # hostname length lmoff = decode[16] # LM hash offset lmlen = decode[12] # LM hash length ntoff = decode[24] # NT hash offset ntlen = decode[20] # NT hash length domain = decode[domoff..domoff+domlen-1] user = decode[useroff..useroff+userlen-1] host = decode[hostoff..hostoff+hostlen-1] lm = decode[lmoff..lmoff+lmlen-1].unpack("H*") nt = decode[ntoff..ntoff+ntlen-1].unpack("H*") return domain, user, host, lm, nt else return "", "", "", "", "" end end # # Process Type 1 NTLM Messages, return a Base64 Type 2 Message # def self.process_type1_message(message, nonce = "\x11\x22\x33\x44\x55\x66\x77\x88", win_domain = 'DOMAIN', win_name = 'SERVER', dns_name = 'server', dns_domain = 'example.com', downgrade = true) dns_name = Rex::Text.to_unicode(dns_name + "." + dns_domain) win_domain = Rex::Text.to_unicode(win_domain) dns_domain = Rex::Text.to_unicode(dns_domain) win_name = Rex::Text.to_unicode(win_name) decode = Rex::Text.decode_base64(message.strip) type = decode[8] if (type == 1) # A type 1 message has been received, lets build a type 2 message response reqflags = decode[12..15] reqflags = Integer("0x" + reqflags.unpack("h8").to_s.reverse) if (reqflags & CONST::REQUEST_TARGET) == CONST::REQUEST_TARGET if (downgrade) # At this time NTLMv2 and signing requirements are not supported if (reqflags & CONST::NEGOTIATE_NTLM2_KEY) == CONST::NEGOTIATE_NTLM2_KEY reqflags = reqflags - CONST::NEGOTIATE_NTLM2_KEY end if (reqflags & CONST::NEGOTIATE_ALWAYS_SIGN) == CONST::NEGOTIATE_ALWAYS_SIGN reqflags = reqflags - CONST::NEGOTIATE_ALWAYS_SIGN end end flags = reqflags + CONST::TARGET_TYPE_DOMAIN + CONST::TARGET_TYPE_SERVER tid = true tidoffset = 48 + win_domain.length tidbuff = [2].pack('v') + # tid type, win domain [win_domain.length].pack('v') + win_domain + [1].pack('v') + # tid type, server name [win_name.length].pack('v') + win_name + [4].pack('v') + # tid type, domain name [dns_domain.length].pack('v') + dns_domain + [3].pack('v') + # tid type, dns_name [dns_name.length].pack('v') + dns_name else flags = CONST::NEGOTIATE_UNICODE + CONST::NEGOTIATE_NTLM tid = false end type2msg = "NTLMSSP\0" + # protocol, 8 bytes "\x02\x00\x00\x00" # type, 4 bytes if (tid) type2msg += # Target security info, 8 bytes. Filled if REQUEST_TARGET [win_domain.length].pack('v') + # Length, 2 bytes [win_domain.length].pack('v') # Allocated space, 2 bytes end type2msg +="\x30\x00\x00\x00" + # Offset, 4 bytes [flags].pack('V') + # flags, 4 bytes nonce + # the nonce, 8 bytes "\x00" * 8 # Context (all 0s), 8 bytes if (tid) type2msg += # Target information security buffer. Filled if REQUEST_TARGET [tidbuff.length].pack('v') + # Length, 2 bytes [tidbuff.length].pack('v') + # Allocated space, 2 bytes [tidoffset].pack('V') + # Offset, 4 bytes (usually \x48 + length of win_domain) win_domain + # Target name data (domain in unicode if REQUEST_UNICODE) # Target information data tidbuff + # Type, 2 bytes # Length, 2 bytes # Data (in unicode if REQUEST_UNICODE) "\x00\x00\x00\x00" # Terminator, 4 bytes, all \x00 end type2msg = Rex::Text.encode_base64(type2msg).delete("\n") # base64 encode and remove the returns else # This is not a Type2 message type2msg = "" end return type2msg end # # Downgrading Type messages to LMv1/NTLMv1 and removing signing # def self.downgrade_type_message(message) decode = Rex::Text.decode_base64(message.strip) type = decode[8] if (type > 0 and type < 4) reqflags = decode[12..15] if (type == 1 or type == 3) reqflags = decode[20..23] if (type == 2) reqflags = Integer("0x" + reqflags.unpack("h8").to_s.reverse) # Remove NEGOTIATE_NTLMV2_KEY and NEGOTIATE_ALWAYS_SIGN, this lowers the negotiation # down to LMv1/NTLMv1. if (reqflags & CONST::NEGOTIATE_NTLM2_KEY) == CONST::NEGOTIATE_NTLM2_KEY reqflags = reqflags - CONST::NEGOTIATE_NTLM2_KEY end if (reqflags & CONST::NEGOTIATE_ALWAYS_SIGN) == CONST::NEGOTIATE_ALWAYS_SIGN reqflags = reqflags - CONST::NEGOTIATE_ALWAYS_SIGN end # Return the flags back to the decode so we can base64 it again flags = reqflags.to_s(16) 0.upto(8) do |idx| if (idx > flags.length) flags.insert(0, "0") end end idx = 0 0.upto(3) do |cnt| if (type == 2) decode[23-cnt] = Integer("0x" + flags[idx .. idx + 1]) else decode[15-cnt] = Integer("0x" + flags[idx .. idx + 1]) end idx += 2 end end return Rex::Text.encode_base64(decode).delete("\n") # base64 encode and remove the returns end end end end end