123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477 |
- /*
- * Beware the LM hash is easy to crack (google for l0phtCrack)
- * and though NTLM is more secure it is still breakable.
- * Ntlmv2 is better and seen as good enough by the Windows community.
- * For real security use Kerberos.
- */
- #include <u.h>
- #include <libc.h>
- #include <mp.h>
- #include <auth.h>
- #include <libsec.h>
- #include <ctype.h>
- #include <fcall.h>
- #include <thread.h>
- #include <9p.h>
- #include "cifs.h"
- #define NTLMV2_TEST 1
- #define DEF_AUTH "ntlmv2"
- static enum {
- MACkeylen = 40, /* MAC key len */
- MAClen = 8, /* signature length */
- MACoff = 14, /* sign. offset from start of SMB (not netbios) pkt */
- Bliplen = 8, /* size of LMv2 client nonce */
- };
- static void
- dmp(char *s, int seq, void *buf, int n)
- {
- int i;
- char *p = buf;
- print("%s %3d ", s, seq);
- while(n > 0){
- for(i = 0; i < 16 && n > 0; i++, n--)
- print("%02x ", *p++ & 0xff);
- if(n > 0)
- print("\n");
- }
- print("\n");
- }
- static Auth *
- auth_plain(char *windom, char *keyp, uchar *chal, int len)
- {
- UserPasswd *up;
- static Auth *ap;
- USED(chal, len);
- up = auth_getuserpasswd(auth_getkey, "windom=%s proto=pass service=cifs %s",
- windom, keyp);
- if(! up)
- sysfatal("cannot get key - %r");
- ap = emalloc9p(sizeof(Auth));
- memset(ap, 0, sizeof(ap));
- ap->user = estrdup9p(up->user);
- ap->windom = estrdup9p(windom);
- ap->resp[0] = estrdup9p(up->passwd);
- ap->len[0] = strlen(up->passwd);
- memset(up->passwd, 0, strlen(up->passwd));
- free(up);
- return ap;
- }
- static Auth *
- auth_lm_and_ntlm(char *windom, char *keyp, uchar *chal, int len)
- {
- int err;
- Auth *ap;
- char user[64];
- MSchapreply mcr;
- err = auth_respond(chal, len, user, sizeof user, &mcr, sizeof mcr,
- auth_getkey, "windom=%s proto=mschap role=client service=cifs %s",
- windom, keyp);
- if(err == -1)
- sysfatal("cannot get key - %r");
- ap = emalloc9p(sizeof(Auth));
- memset(ap, 0, sizeof(ap));
- ap->user = estrdup9p(user);
- ap->windom = estrdup9p(windom);
- /* LM response */
- ap->len[0] = sizeof(mcr.LMresp);
- ap->resp[0] = emalloc9p(ap->len[0]);
- memcpy(ap->resp[0], mcr.LMresp, ap->len[0]);
- /* NTLM response */
- ap->len[1] = sizeof(mcr.NTresp);
- ap->resp[1] = emalloc9p(ap->len[1]);
- memcpy(ap->resp[1], mcr.NTresp, ap->len[1]);
- return ap;
- }
- /*
- * NTLM response only, the LM response is a just
- * copy of the NTLM one. We do this because the lm
- * response is easily reversed - Google for l0pht for more info.
- */
- static Auth *
- auth_ntlm(char *windom, char *keyp, uchar *chal, int len)
- {
- Auth *ap;
- if((ap = auth_lm_and_ntlm(windom, keyp, chal, len)) == nil)
- return nil;
- free(ap->resp[0]);
- ap->len[0] = ap->len[1];
- ap->resp[0] = emalloc9p(ap->len[0]);
- memcpy(ap->resp[0], ap->resp[1], ap->len[0]);
- return ap;
- }
- /*
- * This is not really nescessary as all fields hmac_md5'ed
- * in the ntlmv2 protocol are less than 64 bytes long, however
- * I still do this for completeness.
- */
- static DigestState *
- hmac_t64(uchar *data, ulong dlen, uchar *key, ulong klen, uchar *digest,
- DigestState *state)
- {
- if(klen > 64)
- klen = 64;
- return hmac_md5(data, dlen, key, klen, digest, state);
- }
- static int
- ntv2_blob(uchar *blob, int len, char *windom)
- {
- int n;
- uvlong nttime;
- Rune r;
- char *d;
- uchar *p;
- enum { /* name types */
- Beof, /* end of name list */
- Bnetbios, /* Netbios machine name */
- Bdomain, /* Windows Domain name (NT) */
- Bdnsfqdn, /* DNS Fully Qualified Domain Name */
- Bdnsname, /* DNS machine name (win2k) */
- };
- p = blob;
- *p++ = 1; /* response type */
- *p++ = 1; /* max response type understood by client */
- *p++ = 0;
- *p++ = 0; /* 2 bytes reserved */
- *p++ = 0;
- *p++ = 0;
- *p++ = 0;
- *p++ = 0; /* 4 bytes unknown */
- #ifdef NTLMV2_TEST
- *p++ = 0xf0;
- *p++ = 0x20;
- *p++ = 0xd0;
- *p++ = 0xb6;
- *p++ = 0xc2;
- *p++ = 0x92;
- *p++ = 0xbe;
- *p++ = 0x01;
- #else
- nttime = time(nil); /* nt time now */
- nttime = nttime + 11644473600LL;
- nttime = nttime * 10000000LL;
- *p++ = nttime & 0xff;
- *p++ = (nttime >> 8) & 0xff;
- *p++ = (nttime >> 16) & 0xff;
- *p++ = (nttime >> 24) & 0xff;
- *p++ = (nttime >> 32) & 0xff;
- *p++ = (nttime >> 40) & 0xff;
- *p++ = (nttime >> 48) & 0xff;
- *p++ = (nttime >> 56) & 0xff;
- #endif
- #ifdef NTLMV2_TEST
- *p++ = 0x05;
- *p++ = 0x83;
- *p++ = 0x32;
- *p++ = 0xec;
- *p++ = 0xfa;
- *p++ = 0xe4;
- *p++ = 0xf3;
- *p++ = 0x6d;
- #else
- genrandom(p, 8);
- p += 8; /* client nonce */
- #endif
- *p++ = 0x6f;
- *p++ = 0;
- *p++ = 0x6e;
- *p++ = 0; /* unknown data */
- *p++ = Bdomain;
- *p++ = 0; /* name type */
- n = utflen(windom) * 2;
- *p++ = n;
- *p++ = n >> 8; /* name length */
- d = windom;
- while(*d && p - blob < len - 8){
- d += chartorune(&r, d);
- r = toupperrune(r);
- *p++ = r;
- *p++ = r >> 8;
- }
- *p++ = 0;
- *p++ = Beof; /* name type */
- *p++ = 0;
- *p++ = 0; /* name length */
- *p++ = 0x65;
- *p++ = 0;
- *p++ = 0;
- *p++ = 0; /* unknown data */
- return p - blob;
- }
- static Auth *
- auth_ntlmv2(char *windom, char *keyp, uchar *chal, int len)
- {
- int i, n;
- Rune r;
- char *p, *u;
- uchar c, lm_hmac[MD5dlen], nt_hmac[MD5dlen], nt_sesskey[MD5dlen];
- uchar lm_sesskey[MD5dlen];
- uchar v1hash[MD5dlen], blip[Bliplen], blob[1024], v2hash[MD5dlen];
- DigestState *ds;
- UserPasswd *up;
- static Auth *ap;
- up = auth_getuserpasswd(auth_getkey, "windom=%s proto=pass service=cifs-ntlmv2 %s",
- windom, keyp);
- if(! up)
- sysfatal("cannot get key - %r");
- #ifdef NTLMV2_TEST
- {
- static uchar srvchal[] = { 0x52, 0xaa, 0xc8, 0xe8, 0x2c, 0x06, 0x7f, 0xa1 };
- up->user = "ADMINISTRATOR";
- windom = "rocknroll";
- chal = srvchal;
- }
- #endif
- ap = emalloc9p(sizeof(Auth));
- memset(ap, 0, sizeof(ap));
- /* Standard says unlimited length, experience says 128 max */
- if((n = strlen(up->passwd)) > 128)
- n = 128;
- ds = md4(nil, 0, nil, nil);
- for(i = 0, p = up->passwd; i < n; i++) {
- p += chartorune(&r, p);
- c = r;
- md4(&c, 1, nil, ds);
- c = r >> 8;
- md4(&c, 1, nil, ds);
- }
- md4(nil, 0, v1hash, ds);
- #ifdef NTLMV2_TEST
- {
- uchar v1[] = {
- 0x0c, 0xb6, 0x94, 0x88, 0x05, 0xf7, 0x97, 0xbf,
- 0x2a, 0x82, 0x80, 0x79, 0x73, 0xb8, 0x95, 0x37
- ;
- memcpy(v1hash, v1, sizeof(v1));
- }
- #endif
- /*
- * Some documentation insists that the username must be forced to
- * uppercase, but the domain name should not be. Other shows both
- * being forced to uppercase. I am pretty sure this is irrevevant as
- * the domain name passed from the remote server always seems to be in
- * uppercase already.
- */
- ds = hmac_t64(nil, 0, v1hash, MD5dlen, nil, nil);
- u = up->user;
- while(*u){
- u += chartorune(&r, u);
- r = toupperrune(r);
- c = r & 0xff;
- hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
- c = r >> 8;
- hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
- }
- u = windom;
- while(*u){
- u += chartorune(&r, u);
- c = r;
- hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
- c = r >> 8;
- hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
- }
- hmac_t64(nil, 0, v1hash, MD5dlen, v2hash, ds);
- #ifdef NTLMV2_TEST
- print("want: 40 e1 b3 24...\n");
- dmp("v2hash==kr", 0, v2hash, MD5dlen);
- #endif
- ap->user = estrdup9p(up->user);
- ap->windom = estrdup9p(windom);
- /* LM v2 */
- genrandom(blip, Bliplen);
- #ifdef NTLMV2_TEST
- {
- uchar t[] = { 0x05, 0x83, 0x32, 0xec, 0xfa, 0xe4, 0xf3, 0x6d };
- memcpy(blip, t, 8);
- }
- #endif
- ds = hmac_t64(chal, len, v2hash, MD5dlen, nil, nil);
- hmac_t64(blip, Bliplen, v2hash, MD5dlen, lm_hmac, ds);
- ap->len[0] = MD5dlen+Bliplen;
- ap->resp[0] = emalloc9p(ap->len[0]);
- memcpy(ap->resp[0], lm_hmac, MD5dlen);
- memcpy(ap->resp[0]+MD5dlen, blip, Bliplen);
- #ifdef NTLMV2_TEST
- print("want: 38 6b ae...\n");
- dmp("lmv2 resp ", 0, lm_hmac, MD5dlen);
- #endif
- /* LM v2 session key */
- hmac_t64(lm_hmac, MD5dlen, v2hash, MD5dlen, lm_sesskey, nil);
- /* LM v2 MAC key */
- ap->mackey[0] = emalloc9p(MACkeylen);
- memcpy(ap->mackey[0], lm_sesskey, MD5dlen);
- memcpy(ap->mackey[0]+MD5dlen, ap->resp[0], MACkeylen-MD5dlen);
- /* NTLM v2 */
- n = ntv2_blob(blob, sizeof(blob), windom);
- ds = hmac_t64(chal, len, v2hash, MD5dlen, nil, nil);
- hmac_t64(blob, n, v2hash, MD5dlen, nt_hmac, ds);
- ap->len[1] = MD5dlen+n;
- ap->resp[1] = emalloc9p(ap->len[1]);
- memcpy(ap->resp[1], nt_hmac, MD5dlen);
- memcpy(ap->resp[1]+MD5dlen, blob, n);
- #ifdef NTLMV2_TEST
- print("want: 1a ad 55...\n");
- dmp("ntv2 resp ", 0, nt_hmac, MD5dlen);
- #endif
- /* NTLM v2 session key */
- hmac_t64(nt_hmac, MD5dlen, v2hash, MD5dlen, nt_sesskey, nil);
- /* NTLM v2 MAC key */
- ap->mackey[1] = emalloc9p(MACkeylen);
- memcpy(ap->mackey[1], nt_sesskey, MD5dlen);
- memcpy(ap->mackey[1]+MD5dlen, ap->resp[1], MACkeylen-MD5dlen);
- free(up);
- return ap;
- }
- struct {
- char *name;
- Auth *(*func)(char *, char *, uchar *, int);
- } methods[] = {
- { "plain", auth_plain },
- { "lm+ntlm", auth_lm_and_ntlm },
- { "ntlm", auth_ntlm },
- { "ntlmv2", auth_ntlmv2 },
- // { "kerberos", auth_kerberos },
- };
- void
- autherr(void)
- {
- int i;
- fprint(2, "supported auth methods:\t");
- for(i = 0; i < nelem(methods); i++)
- fprint(2, "%s ", methods[i].name);
- fprint(2, "\n");
- exits("usage");
- }
- Auth *
- getauth(char *name, char *windom, char *keyp, int secmode, uchar *chal, int len)
- {
- int i;
- Auth *ap;
- if(name == nil){
- name = DEF_AUTH;
- if((secmode & SECMODE_PW_ENCRYPT) == 0)
- sysfatal("plaintext authentication required, use '-a plain'");
- }
- ap = nil;
- for(i = 0; i < nelem(methods); i++)
- if(strcmp(methods[i].name, name) == 0){
- ap = methods[i].func(windom, keyp, chal, len);
- break;
- }
- if(! ap){
- fprint(2, "%s: %s - unknown auth method\n", argv0, name);
- autherr(); /* never returns */
- }
- return ap;
- }
- static int
- genmac(uchar *buf, int len, int seq, uchar key[MACkeylen], uchar mine[MAClen])
- {
- DigestState *ds;
- uchar *sig, digest[MD5dlen], their[MAClen];
- sig = buf+MACoff;
- memcpy(their, sig, MAClen);
- memset(sig, 0, MAClen);
- sig[0] = seq;
- sig[1] = seq >> 8;
- sig[2] = seq >> 16;
- sig[3] = seq >> 24;
- ds = md5(key, MACkeylen, nil, nil);
- md5(buf, len, nil, ds);
- md5(nil, 0, digest, ds);
- memcpy(mine, digest, MAClen);
- return memcmp(their, mine, MAClen);
- }
- int
- macsign(Pkt *p)
- {
- int i, len;
- uchar *sig, *buf, mac[MAClen], zeros[MACkeylen];
- sig = p->buf + NBHDRLEN + MACoff;
- buf = p->buf + NBHDRLEN;
- len = (p->pos - p->buf) - NBHDRLEN;
- for(i = -3; i < 4; i++){
- memset(zeros, 0, sizeof(zeros));
- if(genmac(buf, len, p->seq+i, zeros, mac) == 0){
- dmp("got", 0, buf, len);
- dmp("Zero OK", p->seq, mac, MAClen);
- return 0;
- }
- if(genmac(buf, len, p->seq+i, p->s->auth->mackey[0], mac) == 0){
- dmp("got", 0, buf, len);
- dmp("LM-hash OK", p->seq, mac, MAClen);
- return 0;
- }
- if(genmac(buf, len, p->seq+i, p->s->auth->mackey[1], mac) == 0){
- dmp("got", 0, buf, len);
- dmp("NT-hash OK", p->seq, mac, MAClen);
- return 0;
- }
- }
- genmac(buf, len, p->seq, p->s->auth->mackey[0], mac);
- memcpy(sig, mac, MAClen);
- return -1;
- }
|