uint8_t *smb_ntlm2_response(smb_ntlmh hash_v2, uint64_t srv_challenge, smb_buffer *blob) { smb_buffer data; uint8_t *response, hmac[16]; if (smb_buffer_alloc(&data, sizeof(uint64_t) + blob->size) == 0) return NULL; memcpy(data.data, (void *)&srv_challenge, sizeof(uint64_t)); memcpy((uint8_t*)data.data + sizeof(uint64_t), blob->data, blob->size); HMAC_MD5(hash_v2, SMB_NTLM_HASH_SIZE, data.data, data.size, &hmac); smb_buffer_free(&data); response = malloc(blob->size + 16); if (!response) return NULL; memcpy(response, (void *)hmac, 16); memcpy(response + 16, blob->data, blob->size); return response; }
static int negotiate(smb_session *s, const char *domain) { smb_message *msg = NULL; smb_session_xsec_req req; smb_buffer ntlm; ASN1_TYPE token; int res, der_size = 128; char der[128], err_desc[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; msg = smb_message_new(SMB_CMD_SETUP); if (!msg) return DSM_ERROR_GENERIC; // this struct will be set at the end when we know the payload size SMB_MSG_ADVANCE_PKT(msg, smb_session_xsec_req); asn1_create_element(s->spnego_asn1, "SPNEGO.GSSAPIContextToken", &token); res = asn1_write_value(token, "thisMech", spnego_oid, 1); if (res != ASN1_SUCCESS) goto error; res = asn1_write_value(token, "spnego", "negTokenInit", 1); if (res != ASN1_SUCCESS) goto error; res = asn1_write_value(token, "spnego.negTokenInit.mechTypes", "NEW", 1); if (res != ASN1_SUCCESS) goto error; res = asn1_write_value(token, "spnego.negTokenInit.mechTypes.?1", ntlmssp_oid, 1); if (res != ASN1_SUCCESS) goto error; res = asn1_write_value(token, "spnego.negTokenInit.reqFlags", NULL, 0); if (res != ASN1_SUCCESS) goto error; res = asn1_write_value(token, "spnego.negTokenInit.mechListMIC", NULL, 0); if (res != ASN1_SUCCESS) goto error; smb_ntlmssp_negotiate(domain, domain, &ntlm); res = asn1_write_value(token, "spnego.negTokenInit.mechToken", ntlm.data, ntlm.size); smb_buffer_free(&ntlm); if (res != ASN1_SUCCESS) goto error; res = asn1_der_coding(token, "", der, &der_size, err_desc); if (res != ASN1_SUCCESS) { smb_message_destroy(msg); BDSM_dbg("Encoding error: %s", err_desc); return DSM_ERROR_GENERIC; } smb_message_append(msg, der, der_size); smb_message_put_utf16(msg, SMB_OS, strlen(SMB_OS)); smb_message_put16(msg, 0); smb_message_put_utf16(msg, SMB_LANMAN, strlen(SMB_LANMAN)); smb_message_put16(msg, 0); smb_message_put16(msg, 0); SMB_MSG_INIT_PKT_ANDX(req); req.wct = 12; req.max_buffer = SMB_SESSION_MAX_BUFFER; req.mpx_count = 16; req.vc_count = 1; req.caps = s->srv.caps; req.session_key = s->srv.session_key; req.xsec_blob_size = der_size; req.payload_size = msg->cursor - sizeof(smb_session_xsec_req); SMB_MSG_INSERT_PKT(msg, 0, req); asn1_delete_structure(&token); if (!smb_session_send_msg(s, msg)) { smb_message_destroy(msg); BDSM_dbg("Unable to send Session Setup AndX (NTLMSSP_NEGOTIATE) message\n"); return DSM_ERROR_NETWORK; } smb_message_destroy(msg); return DSM_SUCCESS; error: asn1_display_error("smb_session_login negotiate()", res); smb_message_destroy(msg); return DSM_ERROR_GENERIC; }
static int auth(smb_session *s, const char *domain, const char *user, const char *password) { smb_message *msg = NULL, resp; smb_session_xsec_req req; smb_buffer ntlm; ASN1_TYPE token; int res, der_size = 512; char der[512], err_desc[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; msg = smb_message_new(SMB_CMD_SETUP); if (!msg) return DSM_ERROR_GENERIC; // this struct will be set at the end when we know the payload size SMB_MSG_ADVANCE_PKT(msg, smb_session_xsec_req); asn1_create_element(s->spnego_asn1, "SPNEGO.NegotiationToken", &token); // Select a response message type res = asn1_write_value(token, "", "negTokenResp", 1); if (res != ASN1_SUCCESS) goto error; // Delete all optionnal field except 'ResponseToken' res = asn1_write_value(token, "negTokenResp.negResult", NULL, 0); if (res != ASN1_SUCCESS) goto error; res = asn1_write_value(token, "negTokenResp.supportedMech", NULL, 0); if (res != ASN1_SUCCESS) goto error; res = asn1_write_value(token, "negTokenResp.mechListMIC", NULL, 0); if (res != ASN1_SUCCESS) goto error; smb_ntlmssp_response(s->srv.challenge, s->srv.ts - 4200, domain, domain, user, password, &s->xsec_target, &ntlm); res = asn1_write_value(token, "negTokenResp.responseToken", ntlm.data, ntlm.size); smb_buffer_free(&ntlm); if (res != ASN1_SUCCESS) goto error; res = asn1_der_coding(token, "", der, &der_size, err_desc); if (res != ASN1_SUCCESS) { smb_message_destroy(msg); BDSM_dbg("Encoding error: %s", err_desc); return DSM_ERROR_GENERIC; } smb_message_append(msg, der, der_size); if (msg->cursor % 2) smb_message_put8(msg, 0); smb_message_put_utf16(msg, SMB_OS, strlen(SMB_OS)); smb_message_put16(msg, 0); smb_message_put_utf16(msg, SMB_LANMAN, strlen(SMB_LANMAN)); smb_message_put16(msg, 0); smb_message_put16(msg, 0); // Empty PDC name SMB_MSG_INIT_PKT_ANDX(req); req.wct = 12; req.max_buffer = SMB_SESSION_MAX_BUFFER; req.mpx_count = 16; // XXX ? req.vc_count = 1; req.caps = s->srv.caps; // XXX caps & our_caps_mask req.session_key = s->srv.session_key; req.xsec_blob_size = der_size; req.payload_size = msg->cursor - sizeof(smb_session_xsec_req); SMB_MSG_INSERT_PKT(msg, 0, req); asn1_delete_structure(&token); if (!smb_session_send_msg(s, msg)) { smb_message_destroy(msg); BDSM_dbg("Unable to send Session Setup AndX (NTLMSSP_AUTH) message\n"); return DSM_ERROR_NETWORK; } smb_message_destroy(msg); if (smb_session_recv_msg(s, &resp) == 0) return DSM_ERROR_NETWORK; if (!smb_session_check_nt_status(s, &resp)) return DSM_ERROR_NT; else { smb_session_xsec_resp *r = (smb_session_xsec_resp *)resp.packet->payload; if (r->action & 0x0001) s->guest = true; s->srv.uid = resp.packet->header.uid; s->logged = true; return DSM_SUCCESS; } error: asn1_display_error("smb_session_login auth()", res); smb_message_destroy(msg); return DSM_ERROR_GENERIC; }