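/*
 * SSP_MakeNegotiateBlob: start a new server-side NTLM conversation from the
 * client's NEGOTIATE (Type 1) token and return the server's CHALLENGE
 * (Type 2) token, base64-encoded.
 *
 * PNegotiateBuf/NegotiateLen: raw token as received from the client.
 * fDone:        handed to GenServerContext, which sets it once the
 *               exchange needs no further round trip.
 * Status:       receives SSP_OK on success, SSP_ERROR otherwise. It is
 *               now always written (the previous version left it untouched
 *               when the SSPI DLL was not loaded).
 * credentials:  passed through to GenServerContext.
 *
 * Returns the encoded server token, or NULL when the DLL/buffers are
 * missing, the token does not fit in pClientBuf, context generation
 * failed, or no output was produced. Any context or credential handle left
 * over from a previous conversation is released first because NTLM_asServer
 * is a module-wide object reused across calls.
 */
const char * WINAPI
SSP_MakeNegotiateBlob(PVOID PNegotiateBuf, int NegotiateLen, PBOOL fDone, int * Status, char * credentials)
{
    DWORD cbOut = 0;
    DWORD cbIn = 0;
    const char * encoded = NULL;

    /* Default to failure so every exit path reports something definite. */
    *Status = SSP_ERROR;

    /* Drop whatever the previous conversation left behind. */
    if (NTLM_asServer.fHaveCtxtHandle)
        _DeleteSecurityContext(&NTLM_asServer.hctxt);
    if (NTLM_asServer.fHaveCredHandle)
        _FreeCredentialsHandle(&NTLM_asServer.hcred);
    ZeroMemory(&NTLM_asServer, sizeof(NTLM_asServer));

    do {
        if (!hModule || pClientBuf == NULL || pServerBuf == NULL)
            break;

        /* The token comes from the client over the network and pClientBuf
         * holds only cbMaxToken bytes: reject anything that would not fit
         * instead of letting memcpy overrun the buffer. */
        if (NegotiateLen < 0 || (DWORD) NegotiateLen > cbMaxToken)
            break;

        memcpy(pClientBuf, PNegotiateBuf, NegotiateLen);
        ZeroMemory(pServerBuf, cbMaxToken);

        /* Prepare server message (challenge) */
        cbIn = NegotiateLen;
        cbOut = cbMaxToken;
        if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut, fDone, credentials))
            break;

        *Status = SSP_OK;
    } while (0);

    /* Only encode on success: after a failed GenServerContext cbOut still
     * holds cbMaxToken, and the old code base64-encoded the whole (stale)
     * server buffer anyway. */
    if (*Status == SSP_OK && cbOut > 0)
        encoded = base64_encode_bin((char *) pServerBuf, cbOut);

    return encoded;
}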
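/*
 * SSP_ValidateNegotiateCredentials: feed the client's AUTHENTICATE (Type 3)
 * token into the server context that SSP_MakeNegotiateBlob created and
 * return the base64-encoded server reply, if one is produced.
 *
 * PAutenticateBuf/AutenticateLen: raw token as received from the client.
 * fDone:        handed to GenServerContext, which sets it once the
 *               exchange is complete.
 * Status:       receives SSP_OK on success, SSP_ERROR otherwise; it is
 *               always written.
 * credentials:  passed through to GenServerContext.
 *
 * Returns the encoded server token or NULL. Unlike SSP_MakeNegotiateBlob
 * this does not reset NTLM_asServer: the context from the previous step is
 * exactly what is being validated here.
 */
const char * WINAPI
SSP_ValidateNegotiateCredentials(PVOID PAutenticateBuf, int AutenticateLen, PBOOL fDone, int * Status, char * credentials)
{
    DWORD cbOut = 0;
    DWORD cbIn = 0;
    const char * encoded = NULL;

    /* Default to failure so every exit path reports something definite. */
    *Status = SSP_ERROR;

    do {
        if (!hModule || pClientBuf == NULL || pServerBuf == NULL)
            break;

        /* Network-supplied length; pClientBuf holds only cbMaxToken bytes. */
        if (AutenticateLen < 0 || (DWORD) AutenticateLen > cbMaxToken)
            break;

        memcpy(pClientBuf, PAutenticateBuf, AutenticateLen);
        ZeroMemory(pServerBuf, cbMaxToken);

        /* Prepare server message (authentication) */
        cbIn = AutenticateLen;
        cbOut = cbMaxToken;
        if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut, fDone, credentials))
            break;

        *Status = SSP_OK;
    } while (0);

    /* Encode only on success; on failure cbOut is still cbMaxToken and the
     * server buffer holds nothing worth returning. */
    if (*Status == SSP_OK && cbOut > 0)
        encoded = base64_encode_bin((char *) pServerBuf, cbOut);

    return encoded;
}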
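/// Pull the base64 NTLM token out of a header-style line ("NTLM <token>"),
/// run it through the SSPI server context and hand back the server reply.
///
/// @param input    text expected to contain "NTLM " followed by the token.
/// @param data_out receives the base64-encoded server token on success.
/// @param counter  not used by this function; kept for the callers.
/// @return true when a token was matched and a reply was produced; false
///         when the line did not match, the token decoded to nothing,
///         credentials could not be acquired, or GenServerContext failed.
///         When the exchange completes (done == TRUE) the function calls
///         test_imperson() and then exits the process with EXIT_SUCCESS,
///         so it does not return in that case.
bool test_regex_search(const std::string& input, std::string& data_out, int& counter)
{
    // "NTLM" on a word boundary, then whitespace, then the token (group 3).
    // The pattern is constant, so compile it once.
    static const std::regex rgx("(\\b(NTLM)\\s(.*))");
    std::smatch match;

    if (!std::regex_search(input, match, rgx)) {
        std::cout << "No match\n";
        return false;
    }

    std::cout << "Match[3] = " << match[3] << '\n'; // match[0] is the whole match

    const std::string token = match[3].str();
    std::vector<BYTE> decodedData = base64_decode(token);
    // `&decodedData[0]` on an empty vector is undefined behaviour; an empty
    // or undecodable token is simply a bad request.
    if (decodedData.empty()) {
        fprintf(stderr, "Empty NTLM token.\n");
        return false;
    }
    BYTE* pData = decodedData.data();
    const DWORD dSize = static_cast<DWORD>(decodedData.size());
    // NOTE(review): cbOut was previously left uninitialised. DoAuthentication
    // presets its cbOut to the maximum token size before calling its
    // GenServerContext overload; confirm whether this overload also reads
    // *cbOut as the output buffer size.
    DWORD cbOut = 0;
    BOOL done = FALSE;

    // setup auth: the first message of a conversation needs a credential handle.
    if (fNewConversation) {
        printf("New Conversation\n");
        if (!AcquireCreds()) {
            printf("AcquireCreds failed :( \n");
            // Without credentials the server context cannot be built.
            return false;
        }
    }

    if (!GenServerContext(pData, dSize, g_pOutBuf, &cbOut, &done, fNewConversation)) {
        fprintf(stderr, "GenServerContext failed.\n");
        return false;
    }
    fNewConversation = FALSE;

    if (done == TRUE) {
        printf("It worked, testing impersonation!\n");
        // Remaining steps are not needed once the context is complete.
        test_imperson();
        exit(EXIT_SUCCESS);
    }

    // data for output
    data_out = base64_encode(g_pOutBuf, cbOut);
    return true;
}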
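/*
 * SSP_MakeChallenge: consume the client's NEGOTIATE (Type 1) token and
 * return the base64-encoded server CHALLENGE (Type 2) token.
 *
 * As a side effect it records in the module-wide Use_Unicode and
 * NTLM_LocalCall flags whether the generated challenge carries the
 * NEGOTIATE_UNICODE and NEGOTIATE_THIS_IS_LOCAL_CALL bits, so that later
 * steps can interpret the client's AUTHENTICATE message accordingly. Both
 * flags are cleared first, together with any handle left over from a
 * previous conversation in NTLM_asServer.
 *
 * PNegotiateBuf/NegotiateLen: raw token as received from the client.
 *
 * Returns NULL when the SSPI DLL or the buffers are missing, the token
 * does not fit in pClientBuf, or GenServerContext fails.
 */
const char * WINAPI
SSP_MakeChallenge(PVOID PNegotiateBuf, int NegotiateLen)
{
    BOOL fDone = FALSE;
    PVOID fResult = NULL;
    DWORD cbOut = 0;
    DWORD cbIn = 0;
    ntlm_challenge * challenge;
    const char * encoded = NULL;

    /* Drop whatever the previous conversation left behind. */
    if (NTLM_asServer.fHaveCtxtHandle)
        _DeleteSecurityContext(&NTLM_asServer.hctxt);
    if (NTLM_asServer.fHaveCredHandle)
        _FreeCredentialsHandle(&NTLM_asServer.hcred);
    NTLM_LocalCall = FALSE;
    Use_Unicode = FALSE;
    ZeroMemory(&NTLM_asServer, sizeof(NTLM_asServer));

    do {
        if (!hModule || pClientBuf == NULL || pServerBuf == NULL)
            break;

        /* The token comes from the client over the network and pClientBuf
         * holds only cbMaxToken bytes: reject oversized input before the
         * copy rather than overrunning the buffer. */
        if (NegotiateLen < 0 || (DWORD) NegotiateLen > cbMaxToken)
            break;

        memcpy(pClientBuf, PNegotiateBuf, NegotiateLen);
        ZeroMemory(pServerBuf, cbMaxToken);

        /* Prepare server message (challenge) */
        cbIn = NegotiateLen;
        cbOut = cbMaxToken;
        if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut, &fDone, NULL))
            break;

        fResult = pServerBuf;
    } while (0);

    if (fResult != NULL) {
        /* Remember the options the challenge negotiated for later steps. */
        challenge = (ntlm_challenge *) fResult;
        Use_Unicode = NEGOTIATE_UNICODE & challenge->flags;
        NTLM_LocalCall = NEGOTIATE_THIS_IS_LOCAL_CALL & challenge->flags;
        encoded = base64_encode_bin((char *) fResult, cbOut);
    }

    return encoded;
}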
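/*
 * SSP_ValidateNTLMCredentials: complete the conversation started by
 * SSP_MakeChallenge by feeding the client's AUTHENTICATE (Type 3) token to
 * the existing server context.
 *
 * PAutenticateBuf/AutenticateLen: raw token as received from the client.
 * credentials: passed through to GenServerContext.
 *
 * Returns TRUE only when GenServerContext accepts the token; FALSE when the
 * SSPI DLL or buffers are missing, the token does not fit in pClientBuf,
 * or the context rejects it.
 */
BOOL WINAPI
SSP_ValidateNTLMCredentials(PVOID PAutenticateBuf, int AutenticateLen, char * credentials)
{
    BOOL fDone = FALSE;
    BOOL fResult = FALSE;
    DWORD cbOut = 0;
    DWORD cbIn = 0;

    do {
        if (!hModule || pClientBuf == NULL || pServerBuf == NULL)
            break;

        /* Network-supplied length; pClientBuf holds only cbMaxToken bytes. */
        if (AutenticateLen < 0 || (DWORD) AutenticateLen > cbMaxToken)
            break;

        memcpy(pClientBuf, PAutenticateBuf, AutenticateLen);
        ZeroMemory(pServerBuf, cbMaxToken);

        /* Prepare server message (authentication) */
        cbIn = AutenticateLen;
        cbOut = cbMaxToken;
        if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut, &fDone, credentials))
            break;

        fResult = TRUE;
    } while (0);

    return fResult;
}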
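// SSPLogonUser: verify szDomain/szUser/szPassword by running a complete NTLM
// handshake inside this process (the code plays both client and server),
// then impersonate the resulting server context and check it against psdSD.
//
// szDomain, szUser, szPassword: credentials to verify (TCHAR strings).
// psdSD:            security descriptor the logged-on user is checked
//                   against by ImpersonateAndCheckAccess.
// isAuthenticated:  set FALSE on entry and TRUE once the handshake
//                   succeeds, so the caller never reads an unset value.
// pdwAccessGranted: receives the access-rights bitmask from
//                   ImpersonateAndCheckAccess.
//
// Returns TRUE only when the handshake succeeds AND the access check
// passes. All SSPI handles, the package-info block and both message
// buffers are released in the __finally block, and the identity structure
// is scrubbed because it points at szPassword.
BOOL WINAPI SSPLogonUser(LPTSTR szDomain, LPTSTR szUser, LPTSTR szPassword,
                         PSECURITY_DESCRIPTOR psdSD, PBOOL isAuthenticated,
                         PDWORD pdwAccessGranted) // returns bitmask with accessrights
{
    AUTH_SEQ asServer = {0};
    AUTH_SEQ asClient = {0};
    BOOL fDone = FALSE;
    BOOL fResult = FALSE;
    DWORD cbOut = 0;
    DWORD cbIn = 0;
    DWORD cbMaxToken = 0;
    PVOID pClientBuf = NULL;
    PVOID pServerBuf = NULL;
    PSecPkgInfo pSPI = NULL;
    HMODULE hModule = NULL;
    SEC_WINNT_AUTH_IDENTITY ai;

    *isAuthenticated = FALSE;

    __try {
        hModule = LoadSecurityDll();
        if (!hModule) __leave;

        // Get max token size. The status and pSPI were previously unchecked,
        // so a missing NTLM package dereferenced a NULL pointer.
        if (fn._QuerySecurityPackageInfo(_T("NTLM"), &pSPI) != SEC_E_OK || pSPI == NULL)
            __leave;
        cbMaxToken = pSPI->cbMaxToken;

        // Allocate buffers for client and server messages
        pClientBuf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbMaxToken);
        pServerBuf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbMaxToken);
        if (pClientBuf == NULL || pServerBuf == NULL) __leave;

        // Initialize auth identity structure
        // Marscha 2004: Seems to work with szDomain = "" or even szDomain = "anyDomain",
        // but I found no MS documentation for this 'feature'.
        ZeroMemory(&ai, sizeof(ai));
#if defined(UNICODE) || defined(_UNICODE)
        ai.Domain = (unsigned short *)szDomain;
        ai.DomainLength = lstrlen(szDomain);
        ai.User = (unsigned short *)szUser;
        ai.UserLength = lstrlen(szUser);
        ai.Password = (unsigned short *)szPassword;
        ai.PasswordLength = lstrlen(szPassword);
        ai.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
#else
        ai.Domain = (unsigned char *)szDomain;
        ai.DomainLength = lstrlen(szDomain);
        ai.User = (unsigned char *)szUser;
        ai.UserLength = lstrlen(szUser);
        ai.Password = (unsigned char *)szPassword;
        ai.PasswordLength = lstrlen(szPassword);
        ai.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
#endif

        // Prepare client message (negotiate) .
        cbOut = cbMaxToken;
        if (!GenClientContext(&asClient, &ai, NULL, 0, pClientBuf, &cbOut, &fDone))
            __leave;

        // Prepare server message (challenge) .
        cbIn = cbOut;
        cbOut = cbMaxToken;
        if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut, &fDone))
            __leave;

        // Most likely failure: AcceptServerContext fails with SEC_E_LOGON_DENIED
        // in the case of bad szUser or szPassword.
        // Unexpected Result: Logon will succeed if you pass in a bad szUser and
        // the guest account is enabled in the specified domain.

        // Prepare client message (authenticate) .
        cbIn = cbOut;
        cbOut = cbMaxToken;
        if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf, &cbOut, &fDone))
            __leave;

        // Prepare server message (authentication) .
        cbIn = cbOut;
        cbOut = cbMaxToken;
        if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut, &fDone))
            __leave;

        *isAuthenticated = TRUE;

        // Check authorization
        if (IsImpersonationAllowed()) {
            if (ImpersonateAndCheckAccess(&(asServer.hctxt), psdSD, pdwAccessGranted))
                fResult = TRUE;
        } else {
            // Todo: Make alternative access check. Both branches currently
            // impersonate; the non-impersonating path has not been written.
            if (ImpersonateAndCheckAccess(&(asServer.hctxt), psdSD, pdwAccessGranted))
                fResult = TRUE;
        }
    }
    __finally {
        // Clean up resources
        if (pSPI) fn._FreeContextBuffer(pSPI);
        if (asClient.fHaveCtxtHandle) fn._DeleteSecurityContext(&asClient.hctxt);
        if (asClient.fHaveCredHandle) fn._FreeCredentialsHandle(&asClient.hcred);
        if (asServer.fHaveCtxtHandle) fn._DeleteSecurityContext(&asServer.hctxt);
        if (asServer.fHaveCredHandle) fn._FreeCredentialsHandle(&asServer.hcred);
        if (hModule) UnloadSecurityDll(hModule);
        // HeapFree is only defined for pointers HeapAlloc actually returned.
        if (pClientBuf) HeapFree(GetProcessHeap(), 0, pClientBuf);
        if (pServerBuf) HeapFree(GetProcessHeap(), 0, pServerBuf);
        // ai points at the caller's password; do not leave it lying around.
        SecureZeroMemory(&ai, sizeof(ai));
    }

    return fResult;
}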
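// SSPLogonUser: verify szDomain/szUser/szPassword by running a complete NTLM
// handshake inside this process (the code plays both client and server).
//
// szDomain, szUser, szPassword: credentials to verify (TCHAR strings).
//
// Returns TRUE when every step of the handshake succeeds, FALSE on any
// failure (SSPI DLL not loadable, package lookup or allocation failure,
// or a rejected logon). All SSPI handles and both message buffers are
// released in the __finally block, and the identity structure is scrubbed
// because it points at szPassword.
BOOL WINAPI SSPLogonUser(LPTSTR szDomain, LPTSTR szUser, LPTSTR szPassword)
{
    AUTH_SEQ asServer = {0};
    AUTH_SEQ asClient = {0};
    BOOL fDone = FALSE;
    BOOL fResult = FALSE;
    DWORD cbOut = 0;
    DWORD cbIn = 0;
    DWORD cbMaxToken = 0;
    PVOID pClientBuf = NULL;
    PVOID pServerBuf = NULL;
    PSecPkgInfo pSPI = NULL;
    HMODULE hModule = NULL;
    SEC_WINNT_AUTH_IDENTITY ai;

    __try {
        hModule = LoadSecurityDll();
        if (!hModule) __leave;

        // Get max token size. The status and pSPI were previously unchecked,
        // so a missing NTLM package dereferenced a NULL pointer.
        if (_QuerySecurityPackageInfo(_T("NTLM"), &pSPI) != SEC_E_OK || pSPI == NULL)
            __leave;
        cbMaxToken = pSPI->cbMaxToken;
        _FreeContextBuffer(pSPI);
        pSPI = NULL;

        // Allocate buffers for client and server messages
        pClientBuf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbMaxToken);
        pServerBuf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbMaxToken);
        if (pClientBuf == NULL || pServerBuf == NULL) __leave;

        // Initialize auth identity structure
        ZeroMemory(&ai, sizeof(ai));
#if defined(UNICODE) || defined(_UNICODE)
        ai.Domain = szDomain;
        ai.DomainLength = lstrlen(szDomain);
        ai.User = szUser;
        ai.UserLength = lstrlen(szUser);
        ai.Password = szPassword;
        ai.PasswordLength = lstrlen(szPassword);
        ai.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
#else
        ai.Domain = (unsigned char *)szDomain;
        ai.DomainLength = lstrlen(szDomain);
        ai.User = (unsigned char *)szUser;
        ai.UserLength = lstrlen(szUser);
        ai.Password = (unsigned char *)szPassword;
        ai.PasswordLength = lstrlen(szPassword);
        ai.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
#endif

        // Prepare client message (negotiate) .
        cbOut = cbMaxToken;
        if (!GenClientContext(&asClient, &ai, NULL, 0, pClientBuf, &cbOut, &fDone))
            __leave;

        // Prepare server message (challenge) .
        cbIn = cbOut;
        cbOut = cbMaxToken;
        if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut, &fDone))
            __leave;

        // Most likely failure: AcceptServerContext fails with SEC_E_LOGON_DENIED
        // in the case of bad szUser or szPassword.
        // Unexpected Result: Logon will succeed if you pass in a bad szUser and
        // the guest account is enabled in the specified domain.

        // Prepare client message (authenticate) .
        cbIn = cbOut;
        cbOut = cbMaxToken;
        if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf, &cbOut, &fDone))
            __leave;

        // Prepare server message (authentication) .
        cbIn = cbOut;
        cbOut = cbMaxToken;
        if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut, &fDone))
            __leave;

        fResult = TRUE;
    }
    __finally {
        // Clean up resources
        if (asClient.fHaveCtxtHandle) _DeleteSecurityContext(&asClient.hctxt);
        if (asClient.fHaveCredHandle) _FreeCredentialsHandle(&asClient.hcred);
        if (asServer.fHaveCtxtHandle) _DeleteSecurityContext(&asServer.hctxt);
        if (asServer.fHaveCredHandle) _FreeCredentialsHandle(&asServer.hcred);
        if (hModule) UnloadSecurityDll(hModule);
        // HeapFree is only defined for pointers HeapAlloc actually returned.
        if (pClientBuf) HeapFree(GetProcessHeap(), 0, pClientBuf);
        if (pServerBuf) HeapFree(GetProcessHeap(), 0, pServerBuf);
        // ai points at the caller's password; do not leave it lying around.
        SecureZeroMemory(&ai, sizeof(ai));
    }

    return fResult;
}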
/*
 * SSP_LogonUser: verify szUser/szPassword for szDomain by running a full
 * NTLM handshake (negotiate -> challenge -> authenticate) in process, with
 * this code acting as both client and server.
 *
 * Relies on the module-wide hModule, cbMaxToken, pClientBuf and
 * pServerBuf having been set up already.
 *
 * Returns TRUE when every step succeeds, FALSE otherwise. As noted in the
 * original: a wrong szUser may still log on if the guest account is
 * enabled in the domain, and a bad user/password usually surfaces as
 * SEC_E_LOGON_DENIED from the server side of the challenge step.
 */
BOOL WINAPI
SSP_LogonUser(PTSTR szUser, PTSTR szPassword, PTSTR szDomain)
{
    AUTH_SEQ asServer = {0};
    AUTH_SEQ asClient = {0};
    BOOL fDone = FALSE;
    BOOL fResult = FALSE;
    DWORD cbOut = 0;
    DWORD cbIn = 0;
    SEC_WINNT_AUTH_IDENTITY ai;
    BOOL ok = (hModule != NULL);

    if (ok) {
        /* Identity presented by the client side of the handshake. */
        ZeroMemory(&ai, sizeof(ai));
        ai.Domain = (void *)szDomain;
        ai.DomainLength = lstrlen(szDomain);
        ai.User = (void *)szUser;
        ai.UserLength = lstrlen(szUser);
        ai.Password = (void *)szPassword;
        ai.PasswordLength = lstrlen(szPassword);
#if defined(UNICODE) || defined(_UNICODE)
        ai.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
#else
        ai.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
#endif

        /* Step 1: client NEGOTIATE. */
        cbOut = cbMaxToken;
        ok = GenClientContext(&asClient, &ai, NULL, 0, pClientBuf, &cbOut, &fDone) != 0;
    }

    if (ok) {
        /* Step 2: server CHALLENGE. */
        cbIn = cbOut;
        cbOut = cbMaxToken;
        ok = GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut, &fDone, NULL) != 0;
    }

    if (ok) {
        /* Step 3: client AUTHENTICATE. */
        cbIn = cbOut;
        cbOut = cbMaxToken;
        ok = GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf, &cbOut, &fDone) != 0;
    }

    if (ok) {
        /* Step 4: server accepts (or rejects) the authentication. */
        cbIn = cbOut;
        cbOut = cbMaxToken;
        ok = GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut, &fDone, NULL) != 0;
    }

    if (ok)
        fResult = TRUE;

    /* Release whatever handles the two sides acquired. */
    if (asClient.fHaveCtxtHandle)
        _DeleteSecurityContext(&asClient.hctxt);
    if (asClient.fHaveCredHandle)
        _FreeCredentialsHandle(&asClient.hcred);
    if (asServer.fHaveCtxtHandle)
        _DeleteSecurityContext(&asServer.hctxt);
    if (asServer.fHaveCredHandle)
        _FreeCredentialsHandle(&asServer.hcred);

    return fResult;
}
/*
 * DoAuthentication: run a complete NTLM handshake against this process
 * itself (GenClientContext for the client side, an inbound credential
 * handle for the server side), hex-dump each message, and print the
 * user name and the pieces of the AUTHENTICATE message in a "JTR:" line.
 * Always returns TRUE; every failure goes through MyHandleError instead.
 *
 * Review notes (code deliberately left as-is):
 *  - cbUserName is reused to hold the strchr result cast through int. On a
 *    64-bit build that truncates the pointer, and both the later
 *    `*(char *)cbUserName = 0` store and the `(int)cbUserName+1` reads go
 *    through the truncated value. A NULL strchr result (no '\\' in the
 *    name) is not handled either.
 *  - Neither GetUserNameExA call is checked for failure.
 *  - `cbOut - cbIn - 16` is unsigned arithmetic on offsets read out of
 *    the message itself; if they exceed cbOut it wraps and the following
 *    malloc/memcpy/PrintHex read far past g_pOutBuf.
 *  - nonce, nthash, lmhash, clientnonce, pUserName, g_pInBuf and g_pOutBuf
 *    are never freed, and hcred/hCcred/hctxt/hCctxt are never released.
 */
BOOL DoAuthentication (void)
{
    SECURITY_STATUS ss;
    DWORD cbIn;
    DWORD cbOut;
    DWORD g_cbMaxMessage;
    BOOL done = FALSE;
    BOOL fDone = FALSE;
    BOOL fNewConversation = TRUE;
    TimeStamp Lifetime;
    PSecPkgInfoA pkgInfo;
    CredHandle hcred;
    CredHandle hCcred;
    struct _SecHandle hctxt;
    struct _SecHandle hCctxt;
    PBYTE g_pInBuf = NULL;
    PBYTE g_pOutBuf = NULL;
    SEC_CHAR g_lpPackageName[1024];
    PBYTE nonce, clientnonce, lmhash, nthash;
    PCHAR pUserName = NULL;
    DWORD cbUserName = 0;

    lstrcpynA (g_lpPackageName, "NTLM",5);

    /* Size both message buffers from the package's maximum token size. */
    ss = QuerySecurityPackageInfoA ( g_lpPackageName, &pkgInfo);
    if (!SEC_SUCCESS(ss))
        MyHandleError("Could not query package");
    g_cbMaxMessage = pkgInfo->cbMaxToken;
    FreeContextBuffer(pkgInfo);

    g_pInBuf = (PBYTE) malloc (g_cbMaxMessage);
    g_pOutBuf = (PBYTE) malloc (g_cbMaxMessage);
    if (NULL == g_pInBuf || NULL == g_pOutBuf)
        MyHandleError("Memory allocation");

    /* Server-side (inbound) credentials for the accepting half. */
    ss = AcquireCredentialsHandleA (NULL, g_lpPackageName, SECPKG_CRED_INBOUND, NULL, NULL, NULL, NULL, &hcred, &Lifetime);
    if (!SEC_SUCCESS (ss))
        MyHandleError("AcquireCreds failed");

    /* Client step: NEGOTIATE message written into g_pOutBuf. */
    cbOut = g_cbMaxMessage;
    if (!GenClientContext ( NULL, 0, g_pOutBuf, &cbOut, &fDone, "NTLM", &hCcred, &hCctxt))
        MyHandleError("Cant't generate client context");
    printf ("Type%hhd message (%lu bytes):\n",g_pOutBuf[8], cbOut);//type1
    PrintHexDump (cbOut, (PBYTE)g_pOutBuf);

    /* Server step: feed the client message back in, get the CHALLENGE. */
    memcpy(g_pInBuf,g_pOutBuf, cbOut);
    cbIn = cbOut;
    cbOut = g_cbMaxMessage;
    if (!GenServerContext (g_pInBuf, cbIn, g_pOutBuf, &cbOut, &done, fNewConversation, &hcred, &hctxt))
        MyHandleError("GenServerContext failed");
    fNewConversation = FALSE;
    printf ("Type%hhd message (%lu bytes):\n",g_pOutBuf[8], cbOut); //type2
    PrintHexDump (cbOut, (PBYTE)g_pOutBuf);

    /* Keep 8 bytes at offset 24 of the challenge message (the "nonce")
     * before the buffer is overwritten by the next client step.
     * NOTE(review): 16 bytes are allocated but only 8 are ever used. */
    memcpy(g_pInBuf,g_pOutBuf, cbOut);
    cbIn = cbOut;
    cbOut = g_cbMaxMessage;
    nonce = (PBYTE) malloc (16);
    memcpy (nonce, (void *)&g_pOutBuf[24], 8);

    /* Client step: AUTHENTICATE message. */
    if (!GenClientContext (g_pInBuf, cbIn, g_pOutBuf, &cbOut, &fDone, "NTLM", &hCcred, &hCctxt))
        MyHandleError("GenClientContext failed");
    printf ("Type%hhd message (%lu bytes):\n",g_pOutBuf[8], cbOut);//type3
    PrintHexDump (cbOut, (PBYTE)g_pOutBuf);

    /* Current user as DOMAIN\user; the '\\' is overwritten with NUL so
     * pUserName is the domain and cbUserName+1 points at the user part
     * (see the pointer-truncation note above). */
    GetUserNameExA(NameSamCompatible, pUserName, &cbUserName);
    pUserName = (PCHAR) malloc (cbUserName);
    GetUserNameExA(NameSamCompatible, pUserName, &cbUserName);
    cbUserName = (DWORD)((int)strchr(pUserName,'\\'));
    *(char *)cbUserName = 0;

    /* Byte 22 of the message is used as the length of the NT response
     * field; the author treats > 24 as NTLMv2 and == 24 as NTLM. */
    printf("g_pOutBuf[22]=%d\n",g_pOutBuf[22]);
    if (g_pOutBuf[22] > 24) {
        printf("NTLMv2\n");
        /* Offset of the NT response is the 16-bit value at bytes 24..25. */
        nthash = (PBYTE) malloc (16);
        cbIn = g_pOutBuf[24] + (g_pOutBuf[25] << 8);
        memcpy (nthash, (void *)&g_pOutBuf[cbIn], 16);
        cbIn += 16;
        /* Everything after the first 16 bytes, minus a 16-byte tail, is
         * printed as the client blob; this subtraction can wrap. */
        clientnonce = (PBYTE) malloc (cbOut - cbIn - 16);
        //memcpy (clientnonce, (void *)&g_pOutBuf[cbIn], 84);
        memcpy (clientnonce, (void *)&g_pOutBuf[cbIn], cbOut - cbIn - 16);
        printf("Nonce: ");
        PrintHex (8, nonce);
        printf("\nClientNonce: ");
        PrintHex (cbOut - cbIn - 16, clientnonce);
        printf("\nNThash: ");
        PrintHex (16, nthash);
        printf("\n");
        printf("\nJTR: %s::%s", (unsigned char *)((int)cbUserName+1), (unsigned char *)pUserName);
        printf(":");
        PrintHex (8, nonce);
        printf(":");
        PrintHex (16, nthash);
        printf(":");
        PrintHex (cbOut - cbIn - 16, clientnonce);
        printf("\n");
    } else if (g_pOutBuf[22] == 24) {
        printf("NTLM\n");
        /* LM response offset at bytes 16..17, NT response offset at 24..25. */
        lmhash = (PBYTE) malloc (24);
        cbIn = g_pOutBuf[16] + (g_pOutBuf[17] << 8);
        memcpy (lmhash, (void *)&g_pOutBuf[cbIn], 24);
        nthash = (PBYTE) malloc (24);
        cbIn = g_pOutBuf[24] + (g_pOutBuf[25] << 8);
        memcpy (nthash, (void *)&g_pOutBuf[cbIn], 24);
        printf("\nNonce: ");
        PrintHex (8, nonce);
        printf("\nLMhash: ");
        PrintHex (24, lmhash);
        printf("\nNThash: ");
        PrintHex (24, nthash);
        printf("\nJTR: %s::%s", (unsigned char *)((int)cbUserName+1), (unsigned char *)pUserName);
        printf(":");
        PrintHex (24, lmhash);
        printf(":");
        PrintHex (24, nthash);
        printf(":");
        PrintHex (8, nonce);
        printf("\n");
    } else {
        printf("Unknown hashtype");
    }

    return(TRUE);
}