예제 #1
0
void ntlm_fetch_ntlm_v2_hash(NTLM_CONTEXT* context, char* hash)
{
	WINPR_SAM* sam;
	WINPR_SAM_ENTRY* entry;

	sam = SamOpen(1);
	if (sam == NULL)
		return;

	entry = SamLookupUserW(sam,
			(LPWSTR) context->identity.User, context->identity.UserLength * 2,
			(LPWSTR) context->identity.Domain, context->identity.DomainLength * 2);

	if (entry != NULL)
	{
#ifdef WITH_DEBUG_NTLM
		fprintf(stderr, "NTLM Hash:\n");
		winpr_HexDump(entry->NtHash, 16);
#endif

		NTOWFv2FromHashW(entry->NtHash,
			(LPWSTR) context->identity.User, context->identity.UserLength * 2,
			(LPWSTR) context->identity.Domain, context->identity.DomainLength * 2,
			(BYTE*) hash);

		SamFreeEntry(sam, entry);
		SamClose(sam);

		return;
	}

	entry = SamLookupUserW(sam,
		(LPWSTR) context->identity.User, context->identity.UserLength * 2, NULL, 0);

	if (entry != NULL)
	{
#ifdef WITH_DEBUG_NTLM
		fprintf(stderr, "NTLM Hash:\n");
		winpr_HexDump(entry->NtHash, 16);
#endif

		NTOWFv2FromHashW(entry->NtHash,
			(LPWSTR) context->identity.User, context->identity.UserLength * 2,
			(LPWSTR) context->identity.Domain, context->identity.DomainLength * 2,
			(BYTE*) hash);

		SamFreeEntry(sam, entry);
		SamClose(sam);

		return;
	}
	else
	{
		fprintf(stderr, "Error: Could not find user in SAM database\n");
	}
	SamClose(sam);
}
예제 #2
0
int ntlm_fetch_ntlm_v2_hash(NTLM_CONTEXT* context, BYTE* hash)
{
	WINPR_SAM* sam;
	WINPR_SAM_ENTRY* entry;
	SSPI_CREDENTIALS* credentials = context->credentials;
	sam = SamOpen(context->SamFile, TRUE);

	if (!sam)
		return -1;

	entry = SamLookupUserW(sam, (LPWSTR) credentials->identity.User,
	                       credentials->identity.UserLength * 2,
	                       (LPWSTR) credentials->identity.Domain, credentials->identity.DomainLength * 2);

	if (entry)
	{
#ifdef WITH_DEBUG_NTLM
		WLog_DBG(TAG, "NTLM Hash:");
		winpr_HexDump(TAG, WLOG_DEBUG, entry->NtHash, 16);
#endif
		NTOWFv2FromHashW(entry->NtHash,
		                 (LPWSTR) credentials->identity.User, credentials->identity.UserLength * 2,
		                 (LPWSTR) credentials->identity.Domain, credentials->identity.DomainLength * 2,
		                 (BYTE*) hash);
		SamFreeEntry(sam, entry);
		SamClose(sam);
		return 1;
	}

	entry = SamLookupUserW(sam, (LPWSTR) credentials->identity.User,
	                       credentials->identity.UserLength * 2, NULL, 0);

	if (entry)
	{
#ifdef WITH_DEBUG_NTLM
		WLog_DBG(TAG, "NTLM Hash:");
		winpr_HexDump(TAG, WLOG_DEBUG, entry->NtHash, 16);
#endif
		NTOWFv2FromHashW(entry->NtHash,
		                 (LPWSTR) credentials->identity.User, credentials->identity.UserLength * 2,
		                 (LPWSTR) credentials->identity.Domain, credentials->identity.DomainLength * 2,
		                 (BYTE*) hash);
		SamFreeEntry(sam, entry);
		SamClose(sam);
		return 1;
	}
	else
	{
		SamClose(sam);
		WLog_ERR(TAG, "Error: Could not find user in SAM database");
		return 0;
	}

	SamClose(sam);
	return 1;
}
예제 #3
0
void ntlm_fetch_ntlm_v2_hash(NTLM_CONTEXT* context, char* hash)
{
    WINPR_SAM* sam;
    WINPR_SAM_ENTRY* entry;

    sam = SamOpen(1);

    entry = SamLookupUserW(sam,
                           (LPWSTR) context->identity.User, context->identity.UserLength * 2,
                           (LPWSTR) context->identity.Domain, context->identity.DomainLength * 2);

    if (entry != NULL)
    {
        CopyMemory(hash, entry->NtHash, 16);
    }

    SamFreeEntry(sam, entry);

    SamClose(sam);
}
예제 #4
0
int nla_client_init(rdpNla* nla)
{
	char* spn;
	int length;
	rdpTls* tls = NULL;
	BOOL PromptPassword = FALSE;
	freerdp* instance = nla->instance;
	rdpSettings* settings = nla->settings;
	WINPR_SAM* sam;
	WINPR_SAM_ENTRY* entry;

	nla->state = NLA_STATE_INITIAL;

	if (settings->RestrictedAdminModeRequired)
		settings->DisableCredentialsDelegation = TRUE;

	if ((!settings->Password) || (!settings->Username)
			|| (!strlen(settings->Username)))
	{
		PromptPassword = TRUE;
	}

	if (PromptPassword && settings->Username && strlen(settings->Username))
	{
		sam = SamOpen(TRUE);

		if (sam)
		{
			entry = SamLookupUserA(sam, settings->Username, strlen(settings->Username), NULL, 0);

			if (entry)
			{
				/**
				 * The user could be found in SAM database.
				 * Use entry in SAM database later instead of prompt
				 */
				PromptPassword = FALSE;
				SamFreeEntry(sam, entry);
			}

			SamClose(sam);
		}
	}

#ifndef _WIN32
	if (PromptPassword)
	{
		if (settings->RestrictedAdminModeRequired)
		{
			if ((settings->PasswordHash) && (strlen(settings->PasswordHash) > 0))
				PromptPassword = FALSE;
		}
	}
#endif

	if (PromptPassword)
	{
		if (instance->Authenticate)
		{
			BOOL proceed = instance->Authenticate(instance,
						&settings->Username, &settings->Password, &settings->Domain);

			if (!proceed)
			{
				freerdp_set_last_error(instance->context, FREERDP_ERROR_CONNECT_CANCELLED);
				return 0;
			}
		}
	}

	if (!settings->Username)
	{
		nla_identity_free(nla->identity);
		nla->identity = NULL;
	}
	else
		sspi_SetAuthIdentity(nla->identity, settings->Username, settings->Domain,
			settings->Password);

#ifndef _WIN32
	{
		SEC_WINNT_AUTH_IDENTITY* identity = nla->identity;

		if (!identity)
		{
			WLog_ERR(TAG, "NLA identity=%p", identity);
			return -1;
		}

		if (settings->RestrictedAdminModeRequired)
		{
			if (settings->PasswordHash)
			{
				if (strlen(settings->PasswordHash) == 32)
				{
					free(identity->Password);

					identity->PasswordLength = ConvertToUnicode(CP_UTF8, 0,
							settings->PasswordHash, -1, &identity->Password, 0) - 1;
					/**
					 * Multiply password hash length by 64 to obtain a length exceeding
					 * the maximum (256) and use it this for hash identification in WinPR.
					 */
					identity->PasswordLength = 32 * 64; /* 2048 */
				}
			}
		}
	}
#endif

	tls = nla->transport->tls;

	if (!tls)
	{
		WLog_ERR(TAG, "Unknown NLA transport layer");
		return -1;
	}

	if (!sspi_SecBufferAlloc(&nla->PublicKey, tls->PublicKeyLength))
	{
		WLog_ERR(TAG, "Failed to allocate sspic secBuffer");
		return -1;
	}
	CopyMemory(nla->PublicKey.pvBuffer, tls->PublicKey, tls->PublicKeyLength);
	length = sizeof(TERMSRV_SPN_PREFIX) + strlen(settings->ServerHostname);

	spn = (SEC_CHAR*) malloc(length + 1);

	if (!spn)
		return -1;

	sprintf(spn, "%s%s", TERMSRV_SPN_PREFIX, settings->ServerHostname);

#ifdef UNICODE
	nla->ServicePrincipalName = NULL;
	ConvertToUnicode(CP_UTF8, 0, spn, -1, &nla->ServicePrincipalName, 0);
	free(spn);
#else
	nla->ServicePrincipalName = spn;
#endif

	nla->table = InitSecurityInterfaceEx(0);
	nla->status = nla->table->QuerySecurityPackageInfo(NLA_PKG_NAME, &nla->pPackageInfo);

	if (nla->status != SEC_E_OK)
	{
		WLog_ERR(TAG, "QuerySecurityPackageInfo status %s [%08X]",
			GetSecurityStatusString(nla->status), nla->status);
		return -1;
	}

	nla->cbMaxToken = nla->pPackageInfo->cbMaxToken;
	nla->status = nla->table->AcquireCredentialsHandle(NULL, NLA_PKG_NAME,
			SECPKG_CRED_OUTBOUND, NULL, nla->identity, NULL, NULL, &nla->credentials,
			&nla->expiration);

	if (nla->status != SEC_E_OK)
	{
		WLog_ERR(TAG, "AcquireCredentialsHandle status %s [%08X]",
			 GetSecurityStatusString(nla->status), nla->status);
		return -1;
	}

	nla->haveContext = FALSE;
	nla->haveInputBuffer = FALSE;
	nla->havePubKeyAuth = FALSE;
	ZeroMemory(&nla->inputBuffer, sizeof(SecBuffer));
	ZeroMemory(&nla->outputBuffer, sizeof(SecBuffer));
	ZeroMemory(&nla->ContextSizes, sizeof(SecPkgContext_Sizes));

	/*
	 * from tspkg.dll: 0x00000132
	 * ISC_REQ_MUTUAL_AUTH
	 * ISC_REQ_CONFIDENTIALITY
	 * ISC_REQ_USE_SESSION_KEY
	 * ISC_REQ_ALLOCATE_MEMORY
	 */
	nla->fContextReq = ISC_REQ_MUTUAL_AUTH | ISC_REQ_CONFIDENTIALITY | ISC_REQ_USE_SESSION_KEY;

	return 1;
}