tree_cell *
nasl_ntlmv1_hash (lex_ctxt * lexic)
{
const uchar *cryptkey = (uchar *) get_str_var_by_name (lexic, "cryptkey");
char *password = get_str_var_by_name (lexic, "passhash");
int pass_len = get_var_size_by_name (lexic, "passhash");
unsigned char p21[21];
tree_cell *retc;
uchar *ret;
if (cryptkey == NULL || password == NULL)
{
nasl_perror (lexic, "Syntax : ntlmv1_hash(cryptkey:<c>, passhash:<p>)\n");
return NULL;
}
bzero (p21, sizeof (p21));
memcpy (p21, password, pass_len < 16 ? pass_len : 16);
ret = emalloc (24);
E_P24 (p21, cryptkey, ret);
retc = alloc_tree_cell (0, NULL);
retc->type = CONST_DATA;
retc->size = 24;
retc->x.str_val = (char *) ret;
return retc;
}
tree_cell *
nasl_keyexchg (lex_ctxt * lexic)
{
char *cryptkey = (char *) get_str_var_by_name (lexic, "cryptkey");
uint8_t *session_key = (uint8_t *) get_str_var_by_name (lexic, "session_key");
unsigned char *nt_hash =
(unsigned char *) get_str_var_by_name (lexic, "nt_hash");
if (cryptkey == NULL || session_key == NULL || nt_hash == NULL)
{
nasl_perror (lexic,
"Syntax : keyexchg(cryptkey:<c>, session_key:<s>, nt_hash:<n> )\n");
return NULL;
}
uint8_t new_sess_key[16];
tree_cell *retc;
uint8_t *encrypted_session_key = NULL;
encrypted_session_key =
ntlmssp_genauth_keyexchg (session_key, cryptkey, nt_hash,
(uint8_t *) & new_sess_key);
int len = 16 + 16;
char *ret = emalloc (len);
memcpy (ret, new_sess_key, 16);
memcpy (ret + 16, encrypted_session_key, 16);
retc = alloc_tree_cell (0, NULL);
retc->type = CONST_DATA;
retc->size = len;
retc->x.str_val = ret;
return retc;
}
tree_cell *
nasl_ntlm2_response (lex_ctxt * lexic)
{
char *cryptkey = (char *) get_str_var_by_name (lexic, "cryptkey");
char *password = get_str_var_by_name (lexic, "password");
unsigned char *nt_hash =
(unsigned char *) get_str_var_by_name (lexic, "nt_hash");
if (cryptkey == NULL || password == NULL)
{
nasl_perror (lexic,
"Syntax : ntlm2_response(cryptkey:<c>, password:<p>, nt_hash:<n>)\n");
return NULL;
}
uint8_t lm_response[24];
uint8_t nt_response[24];
uint8_t session_key[16];
tree_cell *retc;
ntlmssp_genauth_ntlm2 (password, lm_response, nt_response, session_key,
cryptkey, nt_hash);
int len = sizeof (lm_response) + sizeof (nt_response) + sizeof (session_key);
char *ret = emalloc (len);
memcpy (ret, lm_response, sizeof (lm_response));
memcpy (ret + sizeof (lm_response), nt_response, sizeof (nt_response));
memcpy (ret + sizeof (lm_response) + sizeof (nt_response), session_key,
sizeof (session_key));
retc = alloc_tree_cell (0, NULL);
retc->type = CONST_DATA;
retc->size = len;
retc->x.str_val = ret;
return retc;
}
/*-------------------[ Windows ]-------------------------------------*/
tree_cell *
nasl_get_sign (lex_ctxt * lexic)
{
char *mac_key = (char *) get_str_var_by_name (lexic, "key");
uint8_t *buf = (uint8_t *) get_str_var_by_name (lexic, "buf");
int buflen = get_int_var_by_name (lexic, "buflen", -1);
uint32 seq_num = get_int_var_by_name (lexic, "seq_number", -1);
if (mac_key == NULL || buf == NULL || buflen == -1 || seq_num == -1)
{
nasl_perror (lexic,
"Syntax : get_sign(key:<k>, buf:<b>, buflen:<bl>, seq_number:<s>)\n");
return NULL;
}
uint8_t calc_md5_mac[16];
simple_packet_signature_ntlmssp ((uint8_t *) mac_key, buf, seq_num, calc_md5_mac);
memcpy (buf + 18, calc_md5_mac, 8);
char *ret = emalloc (buflen);
bzero (ret, buflen);
memcpy (ret, buf, buflen);
tree_cell *retc;
retc = alloc_tree_cell (0, NULL);
retc->type = CONST_DATA;
retc->size = buflen;
retc->x.str_val = (char *) ret;
return retc;
}
tree_cell *
nasl_ntlmv2_hash (lex_ctxt * lexic)
{
const uchar *server_chal = (uchar *) get_str_var_by_name (lexic, "cryptkey");
int sc_len = get_var_size_by_name (lexic, "cryptkey");
const uchar *ntlm_v2_hash = (uchar *) get_str_var_by_name (lexic, "passhash");
int hash_len = get_var_size_by_name (lexic, "passhash");
int client_chal_length = get_int_var_by_name (lexic, "length", -1);
tree_cell *retc;
unsigned char ntlmv2_response[16];
unsigned char *ntlmv2_client_data = NULL;
unsigned char *final_response;
int i;
if (sc_len < 0 || server_chal == NULL || hash_len < 0 || ntlm_v2_hash == NULL
|| client_chal_length < 0)
{
nasl_perror (lexic,
"Syntax : ntlmv2_hash(cryptkey:<c>, passhash:<p>, length:<l>)\n");
return NULL;
}
/* NTLMv2 */
/* We also get to specify some random data */
ntlmv2_client_data = emalloc (client_chal_length);
for (i = 0; i < client_chal_length; i++)
ntlmv2_client_data[i] = rand () % 256;
assert (hash_len == 16);
/* Given that data, and the challenge from the server, generate a response */
SMBOWFencrypt_ntv2_ntlmssp(ntlm_v2_hash, server_chal, 8, ntlmv2_client_data,
client_chal_length, ntlmv2_response);
/* put it into nt_response, for the code below to put into the packet */
final_response = emalloc (client_chal_length + sizeof (ntlmv2_response));
memcpy (final_response, ntlmv2_response, sizeof (ntlmv2_response));
/* after the first 16 bytes is the random data we generated above, so the server can verify us with it */
memcpy (final_response + sizeof (ntlmv2_response), ntlmv2_client_data,
client_chal_length);
efree (&ntlmv2_client_data);
retc = alloc_tree_cell (0, NULL);
retc->type = CONST_DATA;
retc->size = client_chal_length + sizeof (ntlmv2_response);
retc->x.str_val = (char *) final_response;
return retc;
}
tree_cell* script_xref(lex_ctxt* lexic)
{
struct arglist * script_infos = lexic->script_infos;
char * name = get_str_var_by_name(lexic, "name");
char * value = get_str_var_by_name(lexic, "value");
if( value == NULL || name == NULL )
{
fprintf(stderr, "script_xref() syntax error - should be script_xref(name:<name>, value:<value>)\n");
return FAKE_CELL;
}
plug_set_xref(script_infos, name, value);
return FAKE_CELL;
}
tree_cell *
nasl_ntlmv2_response (lex_ctxt * lexic)
{
char *cryptkey = (char *) get_str_var_by_name (lexic, "cryptkey");
char *user = (char *) get_str_var_by_name (lexic, "user");
char *domain = (char *) get_str_var_by_name (lexic, "domain");
unsigned char *ntlmv2_hash =
(unsigned char *) get_str_var_by_name (lexic, "ntlmv2_hash");
char *address_list = get_str_var_by_name (lexic, "address_list");
int address_list_len = get_int_var_by_name (lexic, "address_list_len", -1);
if (cryptkey == NULL || user == NULL || domain == NULL || ntlmv2_hash == NULL
|| address_list == NULL || address_list_len < 0)
{
nasl_perror (lexic,
"Syntax : ntlmv2_response(cryptkey:<c>, user:<u>, domain:<d>, ntlmv2_hash:<n>, address_list:<a>, address_list_len:<len>)\n");
return NULL;
}
uint8_t lm_response[24];
uint8_t nt_response[16 + 28 + address_list_len];
uint8_t session_key[16];
bzero (lm_response, sizeof (lm_response));
bzero (nt_response, sizeof (nt_response));
bzero (session_key, sizeof (session_key));
ntlmssp_genauth_ntlmv2 (user, domain, address_list, address_list_len,
cryptkey, lm_response, nt_response, session_key,
ntlmv2_hash);
tree_cell *retc;
int lm_response_len = 24;
int nt_response_len = 16 + 28 + address_list_len;
int len = lm_response_len + nt_response_len + sizeof (session_key);
char *ret = emalloc (len);
memcpy (ret, lm_response, lm_response_len);
memcpy (ret + lm_response_len, session_key, sizeof (session_key));
memcpy (ret + lm_response_len + sizeof (session_key), nt_response,
nt_response_len);
retc = alloc_tree_cell (0, NULL);
retc->type = CONST_DATA;
retc->size = len;
retc->x.str_val = ret;
return retc;
}
tree_cell *
nasl_insert_hexzeros (lex_ctxt * lexic)
{
const uchar *in = (uchar *) get_str_var_by_name (lexic, "in");
int in_len = get_var_size_by_name (lexic, "in");
char *src;
smb_ucs2_t *out, *dst, val;
int i;
size_t byte_len;
tree_cell *retc;
if (in_len < 0 || in == NULL)
{
nasl_perror (lexic, "Syntax : insert_hexzeros(in:<i>)\n");
return NULL;
}
byte_len = sizeof (smb_ucs2_t) * (strlen ((char *) in) + 1);
out = emalloc (byte_len);
dst = out;
src = (char *) in;
for (i = 0; i < in_len; i++)
{
val = *src;
*dst = val;
dst++;
src++;
if (val == 0)
break;
}
/* We don't want null termination */
byte_len = byte_len - 2;
retc = alloc_tree_cell (0, NULL);
retc->type = CONST_DATA;
retc->size = byte_len;
retc->x.str_val = (char *) out;
return retc;
}
/* Does both the NTLMv2 owfs of a user's password */
tree_cell *
nasl_ntv2_owf_gen (lex_ctxt * lexic)
{
const uchar *owf_in = (uchar *) get_str_var_by_name (lexic, "owf");
int owf_in_len = get_var_size_by_name (lexic, "owf");
char *user_in = get_str_var_by_name (lexic, "login");
int user_in_len = get_var_size_by_name (lexic, "login");
char *domain_in = get_str_var_by_name (lexic, "domain");
int domain_len = get_var_size_by_name (lexic, "domain");
char *src_user, *src_domain;
smb_ucs2_t *user, *dst_user, val_user;
smb_ucs2_t *domain, *dst_domain, val_domain;
int i;
size_t user_byte_len;
size_t domain_byte_len;
tree_cell *retc;
uchar *kr_buf;
HMACMD5Context ctx;
if (owf_in_len < 0 || owf_in == NULL || user_in_len < 0 || user_in == NULL
|| domain_len < 0 || domain_in == NULL)
{
nasl_perror (lexic,
"Syntax : ntv2_owf_gen(owf:<o>, login:<l>, domain:<d>)\n");
return NULL;
}
assert (owf_in_len == 16);
user_byte_len = sizeof (smb_ucs2_t) * (strlen (user_in) + 1);
user = emalloc (user_byte_len);
dst_user = user;
src_user = user_in;
for (i = 0; i < user_in_len; i++)
{
val_user = *src_user;
*dst_user = val_user;
dst_user++;
src_user++;
if (val_user == 0)
break;
}
domain_byte_len = sizeof (smb_ucs2_t) * (strlen (domain_in) + 1);
domain = emalloc (domain_byte_len);
dst_domain = domain;
src_domain = domain_in;
for (i = 0; i < domain_len; i++)
{
val_domain = *src_domain;
*dst_domain = val_domain;
dst_domain++;
src_domain++;
if (val_domain == 0)
break;
}
strupper_w (user);
strupper_w (domain);
assert (user_byte_len >= 2);
assert (domain_byte_len >= 2);
/* We don't want null termination */
user_byte_len = user_byte_len - 2;
domain_byte_len = domain_byte_len - 2;
kr_buf = emalloc (16);
hmac_md5_init_limK_to_64 (owf_in, 16, &ctx);
hmac_md5_update ((const unsigned char *) user, user_byte_len, &ctx);
hmac_md5_update ((const unsigned char *) domain, domain_byte_len, &ctx);
hmac_md5_final (kr_buf, &ctx);
efree (&user);
efree (&domain);
retc = alloc_tree_cell (0, NULL);
retc->type = CONST_DATA;
retc->size = 16;
retc->x.str_val = (char *) kr_buf;
return retc;
}
