Land rapid7#7462, Add support for Unicode domains

Author: wwebb-r7

lib/rex/proto/ntlm/utils.rb

@@ -402,16 +402,19 @@ def self.parse_ntlm_type_2_blob(blob)
         data[:default_name] =  temp_name.encode("UTF-8")
       when 2
         #netbios domain
-        data[:default_domain] = addr
-        data[:default_domain].force_encoding("UTF-16LE")
+        temp_domain = addr
+        temp_domain.force_encoding("UTF-16LE")
+        data[:default_domain] =  temp_domain.encode("UTF-8")
       when 3
         #dns name
-        data[:dns_host_name] =  addr
-        data[:dns_host_name].force_encoding("UTF-16LE")
+        temp_dns = addr
+        temp_dns.force_encoding("UTF-16LE")
+        data[:dns_host_name] =  temp_dns.encode("UTF-8")
       when 4
         #dns domain
-        data[:dns_domain_name] =  addr
-        data[:dns_domain_name].force_encoding("UTF-16LE")
+        temp_dns_domain = addr
+        temp_dns_domain.force_encoding("UTF-16LE")
+        data[:dns_domain_name] =  temp_dns_domain.encode("UTF-8")
       when 5
         #The FQDN of the forest.
       when 6

lib/rex/proto/smb/client.rb

@@ -760,7 +760,13 @@ def session_setup_no_ntlmssp(user = '', pass = '', domain = '', do_recv = true)
 
     self.peer_native_os = info[0]
     self.peer_native_lm = info[1]
-    self.default_domain = info[2]
+    #
+    # if the PC belongs to a domain, this value is already populated
+    # if it is not populated, we're in a workgroup and need to pupulate it now
+    #
+    if self.default_domain.nil?
+      self.default_domain = info[2]
+    end
 
     return ack
   end
@@ -906,7 +912,13 @@ def session_setup_with_ntlmssp(user = '', pass = '', domain = '', name = nil, do
     #dns name
     self.dns_host_name =  blob_data[:dns_host_name] || ''
     #dns domain
-    self.dns_domain_name =  blob_data[:dns_domain_name] || ''
+    if blob_data[:default_name] != blob_data[:default_domain]
+      # We're in a domain; get the domain name now
+      self.default_domain =  blob_data[:default_domain] || ''
+    else
+      # We're in a workgroup; workgroup names come later in the handshake
+      self.default_domain = nil
+    end
 
     type3 = @ntlm_client.init_context([blob].pack('m'))
     type3_blob = type3.serialize

modules/auxiliary/scanner/smb/smb_version.rb

@@ -108,7 +108,23 @@ def run_host(ip)
         end
 
         if simple.client.default_domain
-          desc << " (domain:#{simple.client.default_domain})"
+          if simple.client.default_domain.encoding.name == "UTF-8"
+            desc << " (domain:#{simple.client.default_domain})"
+          else
+            # Workgroup names are in ANSI, but may contain invalid characters
+            # Go through each char and convert/check
+            temp_workgroup = simple.client.default_domain.dup
+            desc << " (workgroup:"
+            temp_workgroup.each_char do |i|
+              begin
+                desc << i.encode("UTF-8")
+              rescue Encoding::UndefinedConversionError => e
+                desc << '?'
+                print_error("Found incompatible (non-ANSI) character in Workgroup name. Replaced with '?'")
+              end
+            end
+            desc << " )"
+          end
           conf[:SMBDomain] = simple.client.default_domain
           match_conf['host.domain'] = conf[:SMBDomain]
         end