Specs are needed for the new EFS RPC structures added in this PR. As a reference, this script from the original PR can be used for this:
#!/usr/bin/ruby
# This script tests a full Authentication/Session Setup cycle
# including protocol negotiation and authentication.
require 'bundler/setup'
require 'ruby_smb'
empty = "\x00\x00\x00\x005\x00\x00\x00".b
# file_name: "\\\\localhost\\C$\\Users\\smcintyre\\Desktop\\Encrypted\\hello world.txt"
populated = "\x00\x00\x02\x00".b
populated << "\x01\x00\x00\x00".b
populated << "\x04\x00\x02\x00\x01\x00\x00\x00\b\x00\x02\x00 \x00\x00\x00\x00\x00\x00\x00\f\x00\x02\x00\x14\x00\x02\x00\x14\x00\x00\x00\x10\x00\x02\x00\x14\x00\x00\x00\x15\xC9\xADB\x8A\x8Au\x10Lk\xDC}7v\n\xA1\xBD{\x00/\"\x00\x00\x00\x00\x00\x00\x00\"\x00\x00\x00s\x00m\x00c\x00i\x00n\x00t\x00y\x00r\x00e\x00(\x00s\x00m\x00c\x00i\x00n\x00t\x00y\x00r\x00e\x00@\x00m\x00s\x00f\x00l\x00a\x00b\x00.\x00l\x00o\x00c\x00a\x00l\x00)\x00\x00\x00\x00\x00\x00\x00".b
$stderr.puts 'empty:'
BinData::trace_reading do
empty = RubySMB::Dcerpc::EncryptingFileSystem::EfsRpcQueryRecoveryAgentsResponse.read(empty)
end
$stderr.puts empty.inspect
$stderr.puts 'populated:'
BinData::trace_reading do
populated = RubySMB::Dcerpc::EncryptingFileSystem::EfsRpcQueryRecoveryAgentsResponse.read(populated)
end
$stderr.puts populated.inspect
Specs are needed for the new EFS RPC structures added in this PR. As a reference, this script from the original PR can be used for this: