C:/Web/smbrelay3/src/ntlm.h

00001 #ifndef _NTLMER_H_
00002 #define _NTLMER_H_
00003 /* $Id$
00004    Single file NTLM system to create and parse authentication messages.
00005 
00006    http://www.reversing.org
00007    ilo-- [email protected]  
00008 
   I copied, pasted and modified several files to produce self-contained NTLM code
   that compiles in cygwin/linux environments. Most of the code was taken from the
   Samba implementation, so I left the Copying statement. Samba core
   code was left unmodified from version 1.9.

   libntlm was also taken but rewritten, because of its fixed and unhelpful interface.
   Copyright and licensing information is in the ntlm.c file.
00016 
   NTLM interface. The two client-side entry points are:

   void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain);
   If flags is 0 the minimum security level is selected, otherwise the given value supersedes it.
   host and domain are optional; they may be NULL.

   void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domain, char *host, tSmbNtlmAuthResponse *OptionalNtlmPacket3);
   Given a challenge, generates a response for that user/password/host/domain.
   flags, host and domain supersede the values given by the server; leave them 0 and NULL for plain server authentication.
   OptionalNtlmPacket3 exists for relaying (see the prototype comment below); pass NULL otherwise.
00026 
00027 
00028    This is an usage sample: 
00029 
00030 
00031                 ...
                //beware of fixed sized buffers: buf is cast to tSmbNtlmAuthChallenge* below, and that struct is
                //much larger than 4096 bytes (its buffer[] alone is 16384), so size it from the struct itself;
                //the builders assert() rather than fail gracefully on overlong strings, so don't use long strings :)
                //Yes, I Know, year 2k6 and still with this shit..
                unsigned char buf[sizeof(tSmbNtlmAuthChallenge)];
                unsigned char buf2[4096];
00036 
                //send auth request: let the server send its own hostname and domainname
                BuildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL);
                //SmbLength must be applied with the type buf2 actually holds: buffer[] (and so bufIndex)
                //sit at different offsets in tSmbNtlmAuthRequest and tSmbNtlmAuthResponse
                to64frombits(buf, buf2, SmbLength((tSmbNtlmAuthRequest*)buf2));
                send_to_server(buf);
00041 
                //receive challenge (check the received byte count before trusting the message: NtlmChallengeSize()
                //is computed from the message's own length fields, which the peer controls)
                receive_from_server(buf);
00044 
                //build response with hostname and domainname from server; the last argument is the
                //optional relay packet (see the prototype comment), NULL for plain authentication
                buildAuthResponse((tSmbNtlmAuthChallenge*)buf,(tSmbNtlmAuthResponse*)buf2,0,"username","password",NULL,NULL,NULL);
                to64frombits(buf, buf2, SmbLength((tSmbNtlmAuthResponse*)buf2));
                send_to_server(buf);
00049 
00050                 //get reply and Check if ok
00051                 ... 
00052 
00053 
   Included bonus: Base64 code
   int  from64tobits(char *out, const char *in);
   void to64frombits(unsigned char *out, const unsigned char *in, int inlen);
   Neither function takes an output size. out must hold at least 3*strlen(in)/4 bytes for
   from64tobits and 4*((inlen+2)/3) bytes for to64frombits, plus whatever terminator ntlm.c
   appends (the sample above treats the encoded result as a C string).
00058 
00059 
00060 
00061 
00062    You don't need to read the rest of the file. 
00063 */
00064 
00065 
00066 /* 
00067  * These structures are byte-order dependant, and should not
00068  * be manipulated except by the use of the routines provided
00069  */
00070 
00071 #pragma pack(1)
00072 #ifdef WIN32
00073 #else
00074 #pragma align 1
00075 #endif
00076 
00077 
00078 #include <assert.h>
00079 #include <stdio.h>
00080 #include <stdlib.h>
00081 #include <string.h>
00082 
00083 #include <ctype.h>
00084 
00085 
00086 
00087 #ifdef WIN32
00088 #else
00089  #include <unistd.h>
00090 #define _strdup strdup
00091 #endif
00092 
00093 
00094 //
00095 typedef unsigned short uint16;
00096 typedef unsigned int   uint32;
00097 typedef unsigned long long int uint64;
00098 typedef unsigned char  uint8;
00099 
00100 
00101 
00102 #define SERVERNAMEITEM  0x01
00103 #define DOMAINNAMEITEM  0x02
00104 #define DNSITEM                 0x03
00105 #define FQDNITEM                0x04
00106 
00107 typedef struct
00108 {
00109 uint16  ItemType;
00110 uint16  ItemLength;
00111 uint8   buffer[256];
00112 }tSmbStrItem; //Challenge (NTLM type 2)
00113 
00114 typedef struct
00115 {
00116     uint8  HMAC[16];
00117     uint32 Header;
00118     uint32 Reserved;
00119     uint8  Filetime[8];
00120     uint8  ClientChallenge[8];
00121     uint32 Unknown;
00122     tSmbStrItem DomainName;
00123 } NtlmV2Packet;
00124 
00125 typedef struct
00126 {
00127 uint16  len;
00128 uint16  maxlen;
00129 uint32  offset;
00130 }tSmbStrHeader;
00131 
00132 typedef struct
00133 {
00134 char          ident[8];
00135 uint32        msgType;
00136 uint32        flags;
00137 tSmbStrHeader    host;
00138 tSmbStrHeader    domain;
00139 uint8         buffer[1024];
00140 uint32        bufIndex;
00141 }tSmbNtlmAuthRequest;
00142 
00143 typedef struct
00144 {
00145 char          ident[8];
00146 uint32        msgType;
00147 tSmbStrHeader    uDomain;
00148 uint32        flags;
00149 uint8         challengeData[8];
00150 uint8         reserved[8];
00151 tSmbStrHeader    emptyString;
00152 uint8         buffer[16384];
00153 //uint32        bufIndex;
00154 }tSmbNtlmAuthChallenge;
00155 
00156 
00157 
00158 typedef struct
00159 {
00160 char          ident[8];
00161 uint32        msgType;
00162 tSmbStrHeader    lmResponse;
00163 tSmbStrHeader    ntResponse;
00164 tSmbStrHeader    uDomain;
00165 tSmbStrHeader    uUser;
00166 tSmbStrHeader    uWks;
00167 tSmbStrHeader    sessionKey;
00168 uint32        flags;
00169 uint8         buffer[1024];
00170 uint32        bufIndex;
00171 }tSmbNtlmAuthResponse;
00172 
00173 
/* reversing interface */
/* ntlm functions */

/**
 * Build an NTLM type 1 (negotiate/request) message into *request.
 * @param request  caller-provided, at least sizeof(tSmbNtlmAuthRequest) bytes.
 * @param flags    0 selects the minimum security level; any other value supersedes it.
 * @param host     optional workstation name, may be NULL.
 * @param domain   optional domain name, may be NULL.
 * Send SmbLength(request) bytes of it; the remainder of the struct is bookkeeping.
 * Per the usage note at the top of the file, overlong host/domain strings trip
 * asserts rather than being rejected, so keep them short.
 */
void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain);
00179 
/**
 * Build an NTLM type 2 (challenge) message into *pChallenge, i.e. act as the server.
 * All parameters are optional.  If DomainName is not set the default name is "SMBRELAY3".
 * If flags is 0 the minimum security level is selected, otherwise the given value supersedes it.
 *   NOTE(review): flags is only 8 bits wide here, while the message's flags field is 32-bit
 *   and the other builders take long, so only the low byte can be set through this
 *   parameter — confirm in ntlm.c whether that is intended.
 * If SpoofedChallenge is NULL the default 8-byte challenge is 0x1122334455667788.
 * That fixed, publicly known value is what makes captured responses crackable with
 * winrtgen-built LM/NTLM rainbow tables; it is deliberately weak.  Anything that uses this
 * to authenticate real clients must pass a fresh, unpredictable 8-byte SpoofedChallenge
 * from a CSPRNG for every session.
 * DomainName/ServerName/DNS/FQDN are presumably placed in tSmbStrItem entries, each with a
 * fixed 256-byte value buffer (see the struct above) — keep them short.
 */
void BuildAuthChallenge(tSmbNtlmAuthChallenge *pChallenge, char *DomainName, char *ServerName,  char *DNS, char *FQDN, uint8 flags, uint8 *SpoofedChallenge);
00185 
/**
 * Build an NTLM type 3 (authenticate/response) message into *response for the given challenge.
 * @param challenge   the type 2 message being answered (as received, or as built by BuildAuthChallenge).
 *                    A received one must have been length-checked first; its descriptors are peer-controlled.
 * @param response    caller-provided, at least sizeof(tSmbNtlmAuthResponse) bytes.
 * @param flags       0 keeps the flags given by the server, otherwise this value supersedes them.
 * @param user        account name.
 * @param password    clear-text password (presumably hashed into lmResponse/ntResponse — see ntlm.c).
 * @param domainname  overrides the domain given by the server; NULL keeps the server's.
 * @param host        overrides the workstation name given by the server; NULL keeps the server's.
 * @param OptionalNtlmPacket3  added to support relay attacks by changing the challenge data:
 *                    when non-NULL it is an existing type 3 message whose data is reused for
 *                    this challenge (details in ntlm.c).  Pass NULL for ordinary authentication.
 * Send SmbLength(response) bytes of the result.
 */
void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domainname, char *host, tSmbNtlmAuthResponse* OptionalNtlmPacket3);
00190 
00191 
00192 
00193 
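/*
 * Number of bytes of a type 2 message: the fixed header (the struct minus its
 * payload area) plus the two security buffers that follow it, as sized by
 * their maxlen fields.
 *
 * Both maxlen values are read from the message itself, so for a message
 * received from the peer the result is attacker-controlled: compare it with
 * the number of bytes actually received, and with sizeof(tSmbNtlmAuthChallenge),
 * before using it as the length of a copy or a send.  It also ignores the
 * offset fields, so it is only right when the two buffers sit back-to-back
 * directly after the header (presumably how BuildAuthChallenge lays them out).
 *
 * The argument is evaluated several times; pass a plain pointer expression.
 */
#define NtlmChallengeSize(Challenge) \
        ( sizeof(tSmbNtlmAuthChallenge) - sizeof((Challenge)->buffer) \
          + (Challenge)->uDomain.maxlen + (Challenge)->emptyString.maxlen )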
00203 
/* Overwrite the 8-byte server challenge of an already-built type 2 message with
 * SpoofedChallenge (inferred from the name and from BuildAuthChallenge's parameter
 * of the same name — confirm in ntlm.c).  For anything but table-based cracking the
 * value must be fresh and unpredictable for every session.
 * NOTE(review): declared __inline here while the body lives in ntlm.c; with some
 * compilers an inline-declared function whose definition is not visible in the
 * translation unit fails to link — a plain extern declaration would be safer. */
__inline void SetChallengeKey(tSmbNtlmAuthChallenge *challenge, uint8 *SpoofedChallenge);
00205 
/* Base64 code */
/* Decode the NUL-terminated base64 string in into out; the int result is
 * presumably the number of bytes written (confirm the error convention in
 * ntlm.c).  There is no output bound: out must hold at least 3*strlen(in)/4
 * bytes. */
int from64tobits(char *out, const char *in);
/* Encode inlen bytes of in as base64 into out.  There is no output bound: out
 * must hold 4*((inlen+2)/3) bytes plus whatever terminator ntlm.c appends (the
 * usage sample at the top treats the result as a C string). */
void to64frombits(unsigned char *out, const unsigned char *in, int inlen);
00209 
// info functions: write a human-readable dump of a message to fp.
// They presumably follow the message's own len/offset descriptors to find the
// strings, so only hand them messages built locally or already length-checked.
void dumpAuthRequest(FILE *fp, tSmbNtlmAuthRequest *request);
void dumpAuthChallenge(FILE *fp, tSmbNtlmAuthChallenge *challenge);
void dumpAuthResponse(FILE *fp, tSmbNtlmAuthResponse *response);
00214 
/* Bytes of an already-built message to put on the wire: the offset of the
 * payload area within the struct plus the bytes used in it (bufIndex).
 * Valid only for tSmbNtlmAuthRequest and tSmbNtlmAuthResponse, which carry a
 * bufIndex; tSmbNtlmAuthChallenge has none (use NtlmChallengeSize).  The type
 * in the cast must match what the memory actually holds, since buffer[] is at
 * offset 32 in the request struct and 60 in the response struct. */
#define SmbLength(ptr) (((ptr)->buffer - (uint8*)(ptr)) + (ptr)->bufIndex)
00216 
/* Copy the user, domain and workstation names of a type 3 message into the
 * caller's three buffers (verbose != 0 presumably also prints them).
 * NOTE(review): there is no size parameter for the output buffers, and the
 * string lengths come from the message's uUser/uDomain/uWks descriptors, i.e.
 * from the peer.  Either confirm that ntlm.c bounds the copies, or size the
 * outputs for the worst case the 16-bit len fields allow. */
void GetNTLMPacketInfo(tSmbNtlmAuthResponse* NtlmAuthResponse, char* UserName, char *DomainName, char *WorkstationName, int verbose);
00218 
/* Convert len characters between 8-bit and two-byte (NTLM "Unicode") form.
 * Presumably destination needs 2*len bytes for chartoWide and len bytes for
 * Widetochar, plus any terminator ntlm.c writes — confirm against ntlm.c
 * before sizing buffers. */
void chartoWide(char *destination, char *source, int len);
void Widetochar(char *destination, char *source, int len);
00221 
00222 #endif
00223 
