rapid7 / ruby_smb

A native Ruby implementation of the SMB Protocol Family

Errors connecting to the SMB Server with Samba `smbclient` #201

Closed cdelafuente-r7 closed 2 years ago

cdelafuente-r7 commented 2 years ago

Samba's smbclient versions 4.3.11 and 4.7.6 break when connecting to the SMB Server using SMBv1. I was able to reproduce these errors on master (commit ebaf52a7ca4a18b25c790e3cf2d2ff0274bbd0c3) and while testing this PR.

Steps to reproduce

Server

```
ruby examples/file_server.rb --path /local_path --no-smbv2 --no-smbv3 --username myuser --password 123456 --share public
```

smbclient Version 4.3.11 (Ubuntu 16.04)

```
smbclient --debuglevel=5 -L //192.168.0.44 -U \\myuser
```

Error when the NTLMSSP_CHALLENGE Session Setup AndX (0x73) packet is received by the client:

```
...
Got challenge flags:
Got NTLMSSP neg_flags=0xe2800001
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
  NTLMSSP_NEGOTIATE_56
ntlmssp_handle_neg_flags: Got challenge flags[0xe2800001] - possible downgrade detected! missing_flags[0x00080000] - NT code 0x80090302
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
neg_flags[0x62000205]
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO(ntlmssp) login failed: NT code 0x80090302
SPNEGO login failed: NT code 0x80090302
session setup failed: NT code 0x80090302
```

smbclient Version 4.7.6 (Ubuntu 18.04)

```
smbclient --debuglevel=5 -L //192.168.0.44 -U \\myuser
```

Error when the Negotiate Protocol (0x72) packet is received by the client:

```
...
 negotiated dialect[NT1] against server[192.168.1.19]
got OID=1.3.6.1.4.1.311.2.2.10
SPNEGO login failed: {Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.
session setup failed: NT_STATUS_NO_MEMORY
```

zeroSteiner commented 2 years ago

I was able to reproduce and fix the issue affecting smbclient 4.3.11 but not the issue affecting 4.7.6. I tried both the commit you specified https://github.com/rapid7/ruby_smb/commit/ebaf52a7ca4a18b25c790e3cf2d2ff0274bbd0c3 and the latest on master. Here in the output you can see the latest commit from master where it even shows listing the directory.

Testing Output

```
root@3ca874da5909:/# smbclient --debuglevel=5 //192.168.159.128/public -U MSFLAB\\smcintyre
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter dns proxy = no
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 0
WARNING: The "syslog" option is deprecated
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter passdb backend = tdbsam
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
added interface eth0 ip=172.17.0.2 bcast=172.17.255.255 netmask=255.255.0.0
Netbios name list:-
my_netbios_names[0]="3CA874DA5909"
Client started (version 4.7.6-Ubuntu).
Connecting to 192.168.159.128 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 87040
  SO_RCVBUF = 131072
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
session request ok
 negotiated dialect[NT1] against server[192.168.159.128]
got OID=1.3.6.1.4.1.311.2.2.10
Enter MSFLAB\smcintyre's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0xe2800001
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
  NTLMSSP_NEGOTIATE_56
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62080205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
session setup ok
tconx ok
Try "help" to get a list of possible commands.
smb: \> dir
dos_clean_name [\*]
unix_clean_name [\*]
  cmd.x64.dll                N     5120  Fri Mar 18 12:34:37 2022
  cmd.x86.dll                N     5120  Fri Mar 18 12:34:48 2022
  meterpreter.x64.exe        N     7168  Tue Jan 18 14:53:04 2022
  meterpreter.x86.exe        N    73802  Tue Jan 18 14:53:21 2022
  payload.x64.dll            N     8704  Fri Oct 1 22:00:02 2021
  reverse_tcp.1.x64.dll      R     8704  Mon Nov 29 20:37:22 2021
  reverse_tcp.x64.dll        N     8704  Fri Dec 17 18:01:24 2021
  test                       D        0  Tue Mar 29 21:01:57 2022
  test.txt                   N       13  Wed Dec 1 15:12:34 2021
Error in dskattr: NT_STATUS_NOT_SUPPORTED
Total bytes listed: 117335
smb: \>
root@3ca874da5909:/# smbclient --version
Version 4.7.6-Ubuntu
root@3ca874da5909:/#
```

zeroSteiner commented 2 years ago

Wait, never mind, it looks like you must specify an empty domain to reproduce the issue, e.g. `\\smcintyre` not `MSFLAB\\smcintyre`.

zeroSteiner commented 2 years ago

And I was able to reproduce that same issue when targeting a legitimate Samba server as well as a Windows 10 SMB server, so I'm chalking it up as a bug in smbclient and not the RubySMB server. I'll submit the patch for the other one though. Thanks for reporting these!
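
Added example, not part of the issue thread and not ruby_smb code: a small Ruby decoder for the NTLMSSP flag words quoted in the logs above, showing which offered flags the server's challenge dropped and which one smbclient 4.3.11 treated as a downgrade. Bit values are from MS-NLMP; the helper names and the assumed client flag word are this example's own.

```ruby
# Added example: decode the NTLMSSP flag words quoted in the smbclient logs.
# Bit values are from MS-NLMP 2.2.2.5 (subset); helper names are hypothetical.
NTLMSSP_FLAGS = {
  0x00000001 => 'NTLMSSP_NEGOTIATE_UNICODE',
  0x00000004 => 'NTLMSSP_REQUEST_TARGET',
  0x00000200 => 'NTLMSSP_NEGOTIATE_NTLM',
  0x00080000 => 'NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY',
  0x00800000 => 'NTLMSSP_NEGOTIATE_TARGET_INFO',
  0x02000000 => 'NTLMSSP_NEGOTIATE_VERSION',
  0x20000000 => 'NTLMSSP_NEGOTIATE_128',
  0x40000000 => 'NTLMSSP_NEGOTIATE_KEY_EXCH',
  0x80000000 => 'NTLMSSP_NEGOTIATE_56'
}.freeze

# Sample line copied from the 4.3.11 log in the issue.
SAMPLE = 'ntlmssp_handle_neg_flags: Got challenge flags[0xe2800001] - ' \
         'possible downgrade detected! missing_flags[0x00080000] - NT code 0x80090302'
DOWNGRADE_RE = /Got challenge flags\[(0x\h+)\].*?missing_flags\[(0x\h+)\]/

# Names of every known flag set in a 32-bit NegotiateFlags value.
def decode_flags(value)
  NTLMSSP_FLAGS.select { |bit, _name| (value & bit) != 0 }.values
end

# Extract the challenge and missing flag words from a Samba debug line.
def parse_downgrade(line)
  m = DOWNGRADE_RE.match(line)
  m && { challenge: m[1].hex, missing: m[2].hex }
end

# Flags the client asked for that the server's CHALLENGE did not echo back.
def dropped_flags(client, challenge)
  client & ~challenge & 0xFFFFFFFF
end

# Assumption: the client asked for 0x62080205, the final flag set shown in the
# 4.7.6 log (equal to the 4.3.11 neg_flags 0x62000205 plus the missing bit).
def explain(line, client = 0x62080205)
  parsed = parse_downgrade(line) or return nil
  dropped = dropped_flags(client, parsed[:challenge])
  {
    challenge: decode_flags(parsed[:challenge]),
    dropped: decode_flags(dropped),
    fatal: decode_flags(parsed[:missing]),
    consistent: (parsed[:missing] & ~dropped).zero?
  }
end

p explain(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

The `dropped` list is wider than `fatal`: the challenge also omits REQUEST_TARGET and NTLM, but only the extended session security bit appears in the `missing_flags` value the client logged.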