00010 #include "md5.h"
00011 #include "../Build.h"
00012 #include "digest.h"
00013 #include <stdio.h>
00014 #include <stdlib.h>
00015 #include <string.h>
00016 #include <time.h>
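/*
 * Store a heap copy of a quoted auth-param value in *slot.
 *
 * value points just past the opening quote. The copy is cut at its last
 * double quote, if there is one. The previous code always overwrote the last
 * character, which wrote one byte before the allocation when the value was
 * empty (the challenge comes from the remote server, so this is reachable
 * with untrusted input).
 *
 * A parameter that appears twice replaces the earlier copy instead of
 * leaking it. If the allocation fails, *slot is left NULL.
 */
static void DigestStoreParam(char **slot, const char *value)
{
    char *copy = _strdup(value);

    if (copy != NULL) {
        char *closing = strrchr(copy, '"');
        if (closing != NULL) {
            *closing = '\0';
        }
    }
    free(*slot);
    *slot = copy;
}

/*
 * Force termination of a buffer that snprintf just filled and report whether
 * the text fitted. A buffer that is completely full is treated as truncated,
 * so the check does not depend on the return-value convention of whichever
 * snprintf the build maps to.
 */
static int DigestFits(char *buf, size_t size)
{
    buf[size - 1] = '\0';
    return strlen(buf) < size - 1;
}

/*
 * Append piece to the NUL-terminated string in dst (capacity dstSize).
 * Returns 1 on success, 0 when piece does not fit; dst is unchanged then.
 */
static int DigestAppend(char *dst, size_t dstSize, const char *piece)
{
    size_t used = strlen(dst);
    size_t need = strlen(piece);

    if (need >= dstSize - used) {
        return 0;
    }
    memcpy(dst + used, piece, need + 1);
    return 1;
}

/*
 * Build an "Authorization: Digest ..." request header line (qop=auth, MD5)
 * answering a Digest challenge.
 *
 * AuthenticationHeader  comma-separated challenge parameters as received from
 *                       the server; realm, nonce and opaque are required.
 * lpUsername/lpPassword credentials hashed into the response.
 * method, uri           request method and URI hashed into the response.
 * counter               request counter; counter+1 is sent as nc.
 *
 * Returns a heap string ending in "\r\n" that the caller must free(), or NULL
 * when an argument is NULL, the challenge is longer than the parse buffer, a
 * required parameter is missing, an intermediate string would be truncated,
 * or memory runs out.
 *
 * NOTE(review): the challenge is split on ',' with strtok, so a quoted value
 * that itself contains a comma (for example a domain list) is cut short, and
 * strtok's hidden state makes this function non-reentrant.
 * NOTE(review): username, realm, nonce, uri and opaque are copied into the
 * header without escaping; a '"' or CR/LF in any of them changes the header
 * structure, so callers should validate them.
 */
char *CreateDigestAuth(char *AuthenticationHeader, char *lpUsername, char *lpPassword, char *method,char *uri, int counter)
{
    char *realm = NULL;
    char *nonce = NULL;
    char *opaque = NULL;
    char *domain = NULL;     /* parsed but not used when building the reply */
    char *algorithm = NULL;  /* only its presence is used */
    char *result = NULL;
    char *token;
    char buffer[1024];
    /* Zero-filled so the %s reads below stay bounded; presumably Getmd5Hash
       writes 32 hex digits into these - confirm against md5.h. */
    char HAI[32+1] = {0};
    char HAII[32+1] = {0};
    char response[32+1] = {0};
    char data[1024];
    char tmp[1024];
    unsigned int cnonceI;
    unsigned int cnonceII;
    unsigned int nc;
    size_t headerLen;

    /* Every argument is later passed to a %s conversion. */
    if (!AuthenticationHeader || !lpUsername || !lpPassword || !method || !uri) return (NULL);

    headerLen = strlen(AuthenticationHeader);
    if (headerLen > sizeof(buffer)-1) {
#ifdef _DBG_
        printf("[*] WARNING: POSSIBLE BUFFER OVERFLOW ON REMOTE AUTHENTICATON HEADER\n%s\n",AuthenticationHeader);
#endif
        return(NULL);
    }
    /* Copy including the terminator: strncpy left buffer unterminated when
       the header was exactly sizeof(buffer)-1 bytes long. */
    memcpy(buffer, AuthenticationHeader, headerLen + 1);

    for (token = strtok(buffer, ","); token != NULL; token = strtok(NULL, ",")) {
        while (token[0] == ' ') token++;

        if (strnicmp(token,"realm=\"",7)==0) {
            DigestStoreParam(&realm, token+7);
        } else if (strnicmp(token,"nonce=\"",7)==0) {
            DigestStoreParam(&nonce, token+7);
        } else if (strnicmp(token,"opaque=\"",8)==0) {
            DigestStoreParam(&opaque, token+8);
        } else if (strnicmp(token,"domain=\"",8)==0) {
            DigestStoreParam(&domain, token+8);
        } else if (strnicmp(token,"algorithm=\"",11)==0) {
            DigestStoreParam(&algorithm, token+11);
        }
    }

    /* Logical OR throughout; the original mixed in a bitwise '|'. */
    if (!realm || !nonce || !opaque) goto cleanup;

    /* NOTE(review): rand() reseeded from the clock on every call is not a
       cryptographic source; two calls in the same second yield the same
       cnonce and the value is guessable. Replace with the platform CSPRNG
       when one is available to this file. The unsigned casts avoid the
       signed overflow of rand()*rand(). */
    srand ( (unsigned int) time(NULL) );
    cnonceI = (unsigned int) rand() * (unsigned int) rand();
    cnonceII = (unsigned int) rand() * (unsigned int) rand();

    /* The nc value hashed into the response must be the one sent in the
       header; the original hashed counter but sent counter+1. */
    nc = (unsigned int) counter + 1u;

    memset(data,'\0',sizeof(data));

    snprintf(tmp,sizeof(tmp),"Authorization: Digest username=\"%s\", ",lpUsername);
    if (!DigestFits(tmp,sizeof(tmp)) || !DigestAppend(data,sizeof(data),tmp)) goto cleanup;

    snprintf(tmp,sizeof(tmp),"realm=\"%s\", ",realm);
    if (!DigestFits(tmp,sizeof(tmp)) || !DigestAppend(data,sizeof(data),tmp)) goto cleanup;

    snprintf(tmp,sizeof(tmp),"nonce=\"%s\", ",nonce);
    if (!DigestFits(tmp,sizeof(tmp)) || !DigestAppend(data,sizeof(data),tmp)) goto cleanup;

    snprintf(tmp,sizeof(tmp),"uri=\"%s\", ",uri);
    if (!DigestFits(tmp,sizeof(tmp)) || !DigestAppend(data,sizeof(data),tmp)) goto cleanup;

    if (algorithm) {
        if (!DigestAppend(data,sizeof(data),"algorithm=MD5, ")) goto cleanup;
    }

    /* HA1 = MD5(username:realm:password). A truncated input would hash to a
       wrong value, so fail instead of continuing. */
    snprintf(tmp,sizeof(tmp),"%s:%s:%s",lpUsername,realm,lpPassword);
    if (!DigestFits(tmp,sizeof(tmp))) goto cleanup;
    Getmd5Hash(tmp,(int) strlen(tmp),(unsigned char*)&HAI[0]);

    /* HA2 = MD5(method:uri) */
    snprintf(tmp,sizeof(tmp),"%s:%s",method,uri);
    if (!DigestFits(tmp,sizeof(tmp))) goto cleanup;
    Getmd5Hash(tmp,(int) strlen(tmp),(unsigned char*)&HAII);

    /* response = MD5(HA1:nonce:nc:cnonce:qop:HA2) */
    snprintf(tmp,sizeof(tmp),"%s:%s:%8.8x:%8.8x%8.8x:%s:%s",HAI,nonce,nc,cnonceI,cnonceII,"auth",HAII);
    if (!DigestFits(tmp,sizeof(tmp))) goto cleanup;
    Getmd5Hash(tmp,(int) strlen(tmp),(unsigned char*)&response);

    snprintf(tmp,sizeof(tmp),"response=\"%s\", ",response);
    if (!DigestFits(tmp,sizeof(tmp)) || !DigestAppend(data,sizeof(data),tmp)) goto cleanup;

    snprintf(tmp,sizeof(tmp),"opaque=\"%s\", ",opaque);
    if (!DigestFits(tmp,sizeof(tmp)) || !DigestAppend(data,sizeof(data),tmp)) goto cleanup;

    if (!DigestAppend(data,sizeof(data),"qop=auth, ")) goto cleanup;

    snprintf(tmp,sizeof(tmp),"nc=%8.8x, ",nc);
    if (!DigestFits(tmp,sizeof(tmp)) || !DigestAppend(data,sizeof(data),tmp)) goto cleanup;

    snprintf(tmp,sizeof(tmp),"cnonce=\"%8.8x%8.8x\"\r\n",cnonceI,cnonceII);
    if (!DigestFits(tmp,sizeof(tmp)) || !DigestAppend(data,sizeof(data),tmp)) goto cleanup;

    result = _strdup(data);

cleanup:
    /* free(NULL) is a no-op, so no per-pointer guards are needed. */
    free(opaque);
    free(nonce);
    free(realm);
    free(algorithm);
    free(domain);

    return(result);
}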