OpenVAS Scanner  22.7.9
smb_crypt.h File Reference

Unix SMB/Netbios implementation. Version 1.9. More...

#include "byteorder.h"
#include "charset.h"
#include "hmacmd5.h"
#include "md4.h"
#include "md5.h"

Macros

#define uint8   uint8_t
 
#define False   0
 
#define True   1
 

Typedefs

typedef unsigned int bool
 

Functions

void E_P24 (const uchar *p21, const uchar *c8, uchar *p24)
 
void E_P16 (uchar *p14, uchar *p16)
 
int strupper_w (smb_ucs2_t *s)
 
void SMBsesskeygen_lm_sess_key_ntlmssp (const uchar lm_hash[16], const uchar lm_resp[24], uint8 sess_key[16])
 
void SMBsesskeygen_ntv1_ntlmssp (const uchar kr[16], const uchar *nt_resp, uint8 sess_key[16])
 
void SMBOWFencrypt_ntlmssp (const uchar passwd[16], const uchar *c8, uchar p24[24])
 
void SMBencrypt_hash_ntlmssp (const uchar lm_hash[16], const uchar *c8, uchar p24[24])
 
void SMBNTencrypt_hash_ntlmssp (const uchar nt_hash[16], uchar *c8, uchar *p24)
 
bool E_deshash_ntlmssp (const char *passwd, uint8_t pass_len, uchar p16[16])
 
void SamOEMhash (uchar *data, const uchar *key, int val)
 
void SMBOWFencrypt_ntv2_ntlmssp (const uchar *kr, const uint8_t *srv_chal, int srv_chal_len, const uint8_t *cli_chal, int cli_chal_len, uchar resp_buf[16])
 
void SMBsesskeygen_ntv2_ntlmssp (const uchar kr[16], const uchar *nt_resp, uint8 sess_key[16])
 
uint8_t * NTLMv2_generate_client_data_ntlmssp (const char *addr_list, int address_list_len)
 
void NTLMv2_generate_response_ntlmssp (const uchar ntlm_v2_hash[16], const char *server_chal, const char *address_list, int address_list_len, uint8_t *nt_response)
 
void LMv2_generate_response_ntlmssp (const uchar ntlm_v2_hash[16], const char *server_chal, uint8_t *lm_response)
 
void SMBNTLMv2encrypt_hash_ntlmssp (const char *user, const char *domain, uchar ntlm_v2_hash[16], const char *server_chal, const char *address_list, int address_list_len, unsigned char *lm_response, unsigned char *nt_response, unsigned char *user_session_key)
 

Detailed Description

Unix SMB/Netbios implementation. Version 1.9.

a partial implementation of DES designed for use in the SMB authentication protocol

Definition in file smb_crypt.h.

Macro Definition Documentation

◆ False

#define False   0

Definition at line 32 of file smb_crypt.h.

◆ True

#define True   1

Definition at line 33 of file smb_crypt.h.

◆ uint8

#define uint8   uint8_t

Definition at line 28 of file smb_crypt.h.

Typedef Documentation

◆ bool

typedef unsigned int bool

Definition at line 31 of file smb_crypt.h.

Function Documentation

◆ E_deshash_ntlmssp()

bool E_deshash_ntlmssp ( const char *  passwd,
uint8_t  pass_len,
uchar  p16[16] 
)

Creates the DES forward-only hash of the user's password in DOS ASCII charset.

Parameters
passwd: password in 'unix' charset.
p16: returned password hash (DES); caller-allocated 16-byte buffer.
Returns
False if password was > 14 characters, and therefore may be incorrect, otherwise True
Note
p16 is filled in regardless

Definition at line 437 of file smb_crypt.c.

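/**
 * Build the 16-byte DES-based one-way hash of a password.
 *
 * The password is upper-cased with g_utf8_strup(), copied into a zeroed
 * scratch buffer and hashed with E_P16().  Only upper-casing is visible
 * here; no charset conversion is performed by this function itself.
 *
 * @param passwd    Password bytes.
 * @param pass_len  Number of bytes of passwd to consider.
 * @param p16       Caller-allocated 16-byte output buffer; always written.
 *
 * @return False if the upper-cased password is longer than 14 bytes (the
 *         hash then covers only its first 14 bytes), True otherwise.
 */
bool
E_deshash_ntlmssp (const char *passwd, uint8_t pass_len, uchar p16[16])
{
  bool ret = True;
  fstring dospwd;
  char *dpass;

  ZERO_STRUCT (dospwd);

  dpass = g_utf8_strup (passwd, pass_len);
  if (dpass != NULL)
    {
      /* Upper-casing can change the byte length of a UTF-8 string, and the
       * result ends at the first NUL in the input.  Copy no more than the
       * upper-cased string actually holds (the previous code always copied
       * pass_len bytes and could read past the end of dpass), and never
       * more than the scratch buffer can take while staying terminated. */
      size_t up_len = strlen (dpass);
      size_t copy_len = pass_len;

      if (copy_len > up_len)
        copy_len = up_len;
      if (copy_len > sizeof (dospwd) - 1)
        copy_len = sizeof (dospwd) - 1;
      memcpy (dospwd, dpass, copy_len);

      /* Scrub the heap copy of the password before releasing it.
       * NOTE(review): a compiler may drop a store that precedes free();
       * use a non-elidable wipe if the build provides one. */
      memset (dpass, 0, up_len);
      g_free (dpass);
    }

  /* Only the first 14 bytes are hashed; the buffer was zeroed above, so a
   * shorter password is zero-padded. */
  E_P16 ((unsigned char *) dospwd, p16);

  if (strlen (dospwd) > 14)
    ret = False;

  /* Clear the stack copy of the password.
   * NOTE(review): same dead-store caveat as above - confirm ZERO_STRUCT
   * survives optimisation. */
  ZERO_STRUCT (dospwd);

  return ret;
}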

References E_P16(), False, True, and ZERO_STRUCT.

Referenced by ntlmssp_genauth_ntlm(), and ntlmssp_genauth_ntlm2().


◆ E_P16()

void E_P16 ( uchar *  p14,
uchar *  p16 
)

Definition at line 302 of file smb_crypt.c.

/**
 * Derive 16 output bytes from a 14-byte input.
 *
 * The fixed 8-byte constant below is passed to smbhash() twice, once with
 * p14 and once with p14 + 7 as the key argument; each call writes 8 bytes
 * of p16.
 *
 * @param p14  Key material; read at offsets 0 and 7 (presumably 7 bytes
 *             each, i.e. 14 bytes in total - confirm against smbhash()).
 * @param p16  Output buffer; written at offsets 0 and 8.
 */
void
E_P16 (uchar *p14, uchar *p16)
{
  /* Fixed plaintext: the ASCII text "KGS!@#$%". */
  uchar sp8[8] = {'K', 'G', 'S', '!', '@', '#', '$', '%'};
  int half;

  for (half = 0; half < 2; half++)
    smbhash (p16 + 8 * half, sp8, p14 + 7 * half, 1);
}

References smbhash(), and uchar.

Referenced by E_deshash_ntlmssp(), and nasl_lm_owf_gen().


◆ E_P24()

void E_P24 ( const uchar *  p21,
const uchar *  c8,
uchar *  p24 
)

Definition at line 310 of file smb_crypt.c.

/**
 * Compute a 24-byte response from a 21-byte key and an 8-byte challenge.
 *
 * smbhash() is called three times on the same input c8, with the key
 * argument advanced by 7 bytes and the output advanced by 8 bytes each
 * time.
 *
 * @param p21  Key material; read at offsets 0, 7 and 14.
 * @param c8   Input block passed unchanged to every smbhash() call.
 * @param p24  Output buffer; written at offsets 0, 8 and 16.
 */
void
E_P24 (const uchar *p21, const uchar *c8, uchar *p24)
{
  int part;

  for (part = 0; part < 3; part++)
    smbhash (p24 + 8 * part, c8, p21 + 7 * part, 1);
}

References smbhash().

Referenced by nasl_ntlmv1_hash(), and SMBOWFencrypt_ntlmssp().


◆ LMv2_generate_response_ntlmssp()

void LMv2_generate_response_ntlmssp ( const uchar  ntlm_v2_hash[16],
const char *  server_chal,
uint8_t *  lm_response 
)

Definition at line 534 of file smb_crypt.c.

/**
 * Build the 24-byte LMv2 response.
 *
 * Layout written to lm_response: 16 bytes produced by
 * SMBOWFencrypt_ntv2_ntlmssp() followed by the 8 random client bytes that
 * were fed into it, so the server can repeat the computation.
 *
 * @param ntlm_v2_hash  16-byte key passed to SMBOWFencrypt_ntv2_ntlmssp().
 * @param server_chal   Server challenge; 8 bytes are used.
 * @param lm_response   Output buffer; 24 bytes are written.  No size is
 *                      passed in, so the caller must provide at least
 *                      that much room.
 */
void
LMv2_generate_response_ntlmssp (const uchar ntlm_v2_hash[16],
                                const char *server_chal, uint8_t *lm_response)
{
  enum
  {
    PROOF_LEN = 16,
    CLIENT_DATA_LEN = 8
  };
  uint8_t client_data[CLIENT_DATA_LEN];
  uchar proof[PROOF_LEN];

  /* Client-supplied random data. */
  generate_random_buffer_ntlmssp (client_data, CLIENT_DATA_LEN);

  /* Combine the server challenge and the client data into the proof. */
  SMBOWFencrypt_ntv2_ntlmssp (ntlm_v2_hash, (const uchar *) server_chal, 8,
                              client_data, CLIENT_DATA_LEN, proof);

  /* Response = proof || client data. */
  memcpy (lm_response, proof, PROOF_LEN);
  memcpy (lm_response + PROOF_LEN, client_data, CLIENT_DATA_LEN);
}

References generate_random_buffer_ntlmssp(), SMBOWFencrypt_ntv2_ntlmssp(), and uchar.

Referenced by SMBNTLMv2encrypt_hash_ntlmssp().


◆ NTLMv2_generate_client_data_ntlmssp()

uint8_t* NTLMv2_generate_client_data_ntlmssp ( const char *  addr_list,
int  address_list_len 
)

Definition at line 476 of file smb_crypt.c.

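/**
 * Allocate and fill the NTLMv2 client data blob.
 *
 * Layout: header (4), reserved (4), date (8), client challenge (8),
 * unknown (4), then the address list as passed in.
 *
 * @param addr_list         Address list bytes appended after the fixed part.
 * @param address_list_len  Number of bytes in addr_list.  A negative length
 *                          or a NULL addr_list is treated as an empty list.
 *
 * @return Buffer of 28 + address-list bytes allocated with g_malloc0();
 *         the caller releases it with g_free().
 */
uint8_t *
NTLMv2_generate_client_data_ntlmssp (const char *addr_list,
                                     int address_list_len)
{
  enum
  {
    FIXED_LEN = 28
  };
  uchar client_chal[8];
  char long_date[8];
  int header = 0x00000101;
  int zeros = 0x00000000;
  size_t list_len = 0;
  uint8_t *response;

  /* A length between -28 and -1 used to shrink the allocation below the
   * 28 fixed bytes that are always written, overflowing the heap buffer.
   * Size the buffer from a validated, unsigned length instead. */
  if (addr_list != NULL && address_list_len > 0)
    list_len = (size_t) address_list_len;

  response = g_malloc0 (FIXED_LEN + list_len);

  generate_random_buffer_ntlmssp (client_chal, sizeof (client_chal));
  put_long_date_ntlmssp (long_date, time (NULL));

  SIVAL (response, 0, header);
  SIVAL (response, 4, zeros);
  memcpy (response + 4 + 4, long_date, sizeof (long_date));
  memcpy (response + 4 + 4 + sizeof (long_date), client_chal,
          sizeof (client_chal));
  SIVAL (response, 24, zeros);
  if (list_len > 0)
    memcpy (response + FIXED_LEN, addr_list, list_len);

  return response;
}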

References generate_random_buffer_ntlmssp(), put_long_date_ntlmssp(), SIVAL, and uchar.

Referenced by NTLMv2_generate_response_ntlmssp().


◆ NTLMv2_generate_response_ntlmssp()

void NTLMv2_generate_response_ntlmssp ( const uchar  ntlm_v2_hash[16],
const char *  server_chal,
const char *  address_list,
int  address_list_len,
uint8_t *  nt_response 
)

Definition at line 507 of file smb_crypt.c.

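/**
 * Build the NTLMv2 response.
 *
 * Layout written to nt_response: 16 bytes produced by
 * SMBOWFencrypt_ntv2_ntlmssp() followed by the client data blob
 * (28 fixed bytes plus the address list).
 *
 * @param ntlm_v2_hash      16-byte key passed to SMBOWFencrypt_ntv2_ntlmssp().
 * @param server_chal       Server challenge; 8 bytes are used.
 * @param address_list      Address list copied into the client data.
 * @param address_list_len  Length of address_list in bytes.  A negative
 *                          length or a NULL list is treated as empty.
 * @param nt_response       Output buffer.  16 + 28 + address_list_len bytes
 *                          are written and no size is passed in, so the
 *                          caller must size it from the same length.
 */
void
NTLMv2_generate_response_ntlmssp (const uchar ntlm_v2_hash[16],
                                  const char *server_chal,
                                  const char *address_list,
                                  int address_list_len, uint8_t *nt_response)
{
  uchar ntlmv2_response[16];
  uint8_t *ntlmv2_client_data;
  int client_data_len;

  /* The length is used both for the allocation made by the helper and for
   * the copies below; reject values that would make the two disagree. */
  if (address_list == NULL || address_list_len < 0)
    address_list_len = 0;

  /* Client data includes the address list supplied by the caller. */
  ntlmv2_client_data =
    NTLMv2_generate_client_data_ntlmssp (address_list, address_list_len);

  /* Given that data, and the challenge from the server, generate a
   * response. */
  client_data_len = 28 + address_list_len;
  SMBOWFencrypt_ntv2_ntlmssp (ntlm_v2_hash, (const uchar *) server_chal, 8,
                              ntlmv2_client_data, client_data_len,
                              ntlmv2_response);
  memcpy (nt_response, ntlmv2_response, sizeof (ntlmv2_response));
  memcpy (nt_response + sizeof (ntlmv2_response), ntlmv2_client_data,
          client_data_len);

  g_free (ntlmv2_client_data);
}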

References NTLMv2_generate_client_data_ntlmssp(), SMBOWFencrypt_ntv2_ntlmssp(), and uchar.

Referenced by SMBNTLMv2encrypt_hash_ntlmssp().


◆ SamOEMhash()

void SamOEMhash ( uchar *  data,
const uchar *  key,
int  val 
)

Definition at line 318 of file smb_crypt.c.

/**
 * XOR a buffer in place with an RC4-style keystream.
 *
 * A 256-entry permutation is initialised, mixed with the key, and then
 * used to generate one keystream byte per data byte.
 *
 * @param data  Buffer transformed in place.
 * @param key   Key bytes; indexed modulo 16, so 16 bytes are read.
 * @param val   Length selector: 0 -> 16, 1 -> 516, 2 -> 68, 3 -> 8,
 *              4 -> 32 bytes; any value >= 8 is used as the length itself.
 *              For 5, 6, 7 and negative values the length is 0 and data is
 *              left unchanged.
 *
 * NOTE(review): the key-dependent permutation stays on the stack when the
 * function returns; it is not cleared here.
 */
void
SamOEMhash (uchar *data, const uchar *key, int val)
{
  uchar sbox[256];
  uchar i = 0;
  uchar j = 0;
  uchar k = 0;
  int n;
  int len;

  switch (val)
    {
    case 0:
      len = 16;
      break;
    case 1:
      len = 516;
      break;
    case 2:
      len = 68;
      break;
    case 3:
      len = 8;
      break;
    case 4:
      len = 32;
      break;
    default:
      len = (val >= 8) ? val : 0;
      break;
    }

  /* Identity permutation. */
  for (n = 0; n < 256; n++)
    sbox[n] = (uchar) n;

  /* Key scheduling: the key index wraps every 16 bytes. */
  for (n = 0; n < 256; n++)
    {
      uchar swap;

      k += (sbox[n] + key[n % 16]);

      swap = sbox[n];
      sbox[n] = sbox[k];
      sbox[k] = swap;
    }

  /* Keystream generation; the uchar counters wrap at 256 by design. */
  for (n = 0; n < len; n++)
    {
      uchar swap;
      uchar t;

      i++;
      j += sbox[i];

      swap = sbox[i];
      sbox[i] = sbox[j];
      sbox[j] = swap;

      t = sbox[i] + sbox[j];
      data[n] = data[n] ^ sbox[t];
    }
}

References len, uchar, and val.

Referenced by ntlmssp_genauth_keyexchg().


◆ SMBencrypt_hash_ntlmssp()

void SMBencrypt_hash_ntlmssp ( const uchar  lm_hash[16],
const uchar *  c8,
uchar  p24[24] 
)

Definition at line 394 of file smb_crypt.c.

/**
 * Compute the 24-byte response for a 16-byte LM hash.
 *
 * The hash is copied into a zeroed 21-byte buffer and handed to
 * SMBOWFencrypt_ntlmssp() together with the challenge.
 *
 * @param lm_hash  16-byte LM hash.
 * @param c8       Challenge passed through to SMBOWFencrypt_ntlmssp().
 * @param p24      24-byte output buffer.
 *
 * NOTE(review): the local copy of the hash is not cleared before return.
 */
void
SMBencrypt_hash_ntlmssp (const uchar lm_hash[16], const uchar *c8,
                         uchar p24[24])
{
  uchar padded[21] = {0};

  memcpy (padded, lm_hash, 16);
  SMBOWFencrypt_ntlmssp (padded, c8, p24);
}

References SMBOWFencrypt_ntlmssp(), and uchar.

Referenced by ntlmssp_genauth_ntlm().


◆ SMBNTencrypt_hash_ntlmssp()

void SMBNTencrypt_hash_ntlmssp ( const uchar  nt_hash[16],
uchar *  c8,
uchar *  p24 
)

Definition at line 406 of file smb_crypt.c.

/**
 * Compute the 24-byte response for a 16-byte NT hash.
 *
 * The hash is copied into a zeroed 21-byte buffer and handed to
 * SMBOWFencrypt_ntlmssp() together with the challenge.
 *
 * @param nt_hash  16-byte NT hash.
 * @param c8       Challenge passed through to SMBOWFencrypt_ntlmssp().
 * @param p24      Output buffer; SMBOWFencrypt_ntlmssp() declares it as
 *                 24 bytes.
 *
 * NOTE(review): the local copy of the hash is not cleared before return.
 */
void
SMBNTencrypt_hash_ntlmssp (const uchar nt_hash[16], uchar *c8, uchar *p24)
{
  uchar padded[21] = {0};

  memcpy (padded, nt_hash, 16);
  SMBOWFencrypt_ntlmssp (padded, c8, p24);
}

References SMBOWFencrypt_ntlmssp(), and uchar.

Referenced by ntlmssp_genauth_ntlm(), and ntlmssp_genauth_ntlm2().


◆ SMBNTLMv2encrypt_hash_ntlmssp()

void SMBNTLMv2encrypt_hash_ntlmssp ( const char *  user,
const char *  domain,
uchar  ntlm_v2_hash[16],
const char *  server_chal,
const char *  address_list,
int  address_list_len,
unsigned char *  lm_response,
unsigned char *  nt_response,
unsigned char *  user_session_key 
)

◆ SMBOWFencrypt_ntlmssp()

void SMBOWFencrypt_ntlmssp ( const uchar  passwd[16],
const uchar *  c8,
uchar  p24[24] 
)

Definition at line 384 of file smb_crypt.c.

/**
 * Compute a 24-byte response from a 16-byte hash and a challenge.
 *
 * The first 16 bytes of passwd are placed in a zeroed 21-byte key buffer
 * (so the last 5 key bytes are zero) and the result of E_P24() on that
 * key and c8 is written to p24.
 *
 * @param passwd  16-byte hash used as key material.
 * @param c8      Challenge passed through to E_P24().
 * @param p24     24-byte output buffer.
 *
 * NOTE(review): the key buffer is not cleared before return.
 */
void
SMBOWFencrypt_ntlmssp (const uchar passwd[16], const uchar *c8, uchar p24[24])
{
  enum
  {
    HASH_LEN = 16
  };
  uchar key21[21];

  ZERO_STRUCT (key21);
  memcpy (key21, passwd, HASH_LEN);

  E_P24 (key21, c8, p24);
}

References E_P24(), uchar, and ZERO_STRUCT.

Referenced by SMBencrypt_hash_ntlmssp(), SMBNTencrypt_hash_ntlmssp(), and SMBsesskeygen_lm_sess_key_ntlmssp().


◆ SMBOWFencrypt_ntv2_ntlmssp()

void SMBOWFencrypt_ntv2_ntlmssp ( const uchar *  kr,
const uint8_t *  srv_chal,
int  srv_chal_len,
const uint8_t *  cli_chal,
int  cli_chal_len,
uchar  resp_buf[16] 
)

Referenced by LMv2_generate_response_ntlmssp(), nasl_ntlmv2_hash(), and NTLMv2_generate_response_ntlmssp().


◆ SMBsesskeygen_lm_sess_key_ntlmssp()

void SMBsesskeygen_lm_sess_key_ntlmssp ( const uchar  lm_hash[16],
const uchar  lm_resp[24],
uint8  sess_key[16] 
)

Definition at line 416 of file smb_crypt.c.

/**
 * Derive a 16-byte session key from the LM hash and the LM response.
 *
 * A 16-byte key is formed from the first 8 bytes of lm_hash followed by
 * eight 0xbd bytes; SMBOWFencrypt_ntlmssp() is run over lm_resp with that
 * key and the first 16 bytes of its 24-byte output become the session key.
 *
 * @param lm_hash   16-byte LM hash; only the first 8 bytes are used.
 * @param lm_resp   24-byte LM response, passed as the challenge argument.
 * @param sess_key  16-byte output buffer.
 *
 * NOTE(review): only half of the LM hash contributes to the key, and the
 * local buffers holding key material are not cleared before return.
 */
void
SMBsesskeygen_lm_sess_key_ntlmssp (const uchar lm_hash[16],
                                   const uchar lm_resp[24],
                                   uint8 sess_key[16])
{
  uchar encrypted[24];
  uchar half_hash[16];

  /* Fill with the 0xbd padding first, then overlay the first half of the
   * LM hash. */
  memset (half_hash, 0xbd, sizeof (half_hash));
  memcpy (half_hash, lm_hash, 8);

  SMBOWFencrypt_ntlmssp (half_hash, lm_resp, encrypted);
  memcpy (sess_key, encrypted, 16);
}

References SMBOWFencrypt_ntlmssp(), and uchar.

Referenced by ntlmssp_genauth_ntlm().


◆ SMBsesskeygen_ntv1_ntlmssp()

void SMBsesskeygen_ntv1_ntlmssp ( const uchar  kr[16],
const uchar *  nt_resp,
uint8  sess_key[16] 
)

Definition at line 373 of file smb_crypt.c.

/**
 * Derive the 16-byte NTLMv1 session key.
 *
 * The key is the output of mdfour_ntlmssp() over the 16 bytes of kr.
 * nt_resp is not used, so the key depends on kr alone and is the same for
 * every session that uses the same kr.
 *
 * @param kr        16-byte input to mdfour_ntlmssp().
 * @param nt_resp   Unused.
 * @param sess_key  16-byte output buffer.
 */
void
SMBsesskeygen_ntv1_ntlmssp (const uchar kr[16], const uchar *nt_resp,
                            uint8 sess_key[16])
{
  /* The session key never varies between sessions - a known weakness of
   * this scheme - although it is still 128 bits long. */
  mdfour_ntlmssp ((unsigned char *) sess_key, kr, 16);

  /* Parameter kept for interface symmetry; silence the unused warning. */
  (void) nt_resp;
}

References mdfour_ntlmssp().

Referenced by ntlmssp_genauth_ntlm(), and ntlmssp_genauth_ntlm2().


◆ SMBsesskeygen_ntv2_ntlmssp()

void SMBsesskeygen_ntv2_ntlmssp ( const uchar  kr[16],
const uchar *  nt_resp,
uint8  sess_key[16] 
)

Definition at line 463 of file smb_crypt.c.

/**
 * Derive the 16-byte NTLMv2 session key.
 *
 * The key is an HMAC-MD5, keyed with the 16 bytes of kr, over the first
 * 16 bytes of nt_resp, so it changes whenever the response changes.
 *
 * @param kr        16-byte HMAC key.
 * @param nt_resp   NT response; its first 16 bytes are authenticated.
 * @param sess_key  16-byte output buffer.
 *
 * NOTE(review): the HMAC context, which is initialised from kr, is not
 * cleared before return.
 */
void
SMBsesskeygen_ntv2_ntlmssp (const uchar kr[16], const uchar *nt_resp,
                            uint8 sess_key[16])
{
  HMACMD5Context hmac;

  hmac_md5_init_limK_to_64 (kr, 16, &hmac);
  hmac_md5_update (nt_resp, 16, &hmac);
  hmac_md5_final ((unsigned char *) sess_key, &hmac);
}

References hmac_md5_final(), hmac_md5_init_limK_to_64(), and hmac_md5_update().

Referenced by SMBNTLMv2encrypt_hash_ntlmssp().


◆ strupper_w()

int strupper_w ( smb_ucs2_t *  s)

Definition at line 35 of file smb_crypt2.c.

/**
 * Upper-case a zero-terminated smb_ucs2_t string in place.
 *
 * Each unit is passed through toupper_w() and stored back only when the
 * result differs.
 *
 * @param s  String to convert; must end with a zero unit.
 *
 * @return 1 if at least one unit was changed, 0 otherwise.
 */
int
strupper_w (smb_ucs2_t *s)
{
  int changed = 0;
  smb_ucs2_t *p;

  for (p = s; *p; p++)
    {
      smb_ucs2_t upper = toupper_w (*p);

      if (upper == *p)
        continue;

      *p = upper;
      changed = 1;
    }

  return changed;
}

References toupper_w().

Referenced by nasl_ntv2_owf_gen().

HMACMD5Context
Definition: hmacmd5.h:29
E_P24
void E_P24(const uchar *p21, const uchar *c8, uchar *p24)
Definition: smb_crypt.c:310
ZERO_STRUCT
#define ZERO_STRUCT(x)
Definition: genrand.c:56
uchar
#define uchar
Definition: hmacmd5.h:22
mdfour_ntlmssp
void mdfour_ntlmssp(unsigned char *out, const unsigned char *in, int n)
Definition: md4.c:165
SMBOWFencrypt_ntv2_ntlmssp
void SMBOWFencrypt_ntv2_ntlmssp(const uchar *kr, const uint8_t *srv_chal, int srv_chal_len, const uint8_t *cli_chal, int cli_chal_len, uchar resp_buf[16])
fstring
char fstring[FSTRING_LEN]
Definition: smb_crypt.c:55
E_P16
void E_P16(uchar *p14, uchar *p16)
Definition: smb_crypt.c:302
SIVAL
#define SIVAL(buf, pos, val)
Definition: byteorder.h:117
generate_random_buffer_ntlmssp
void generate_random_buffer_ntlmssp(unsigned char *out, int len)
Definition: genrand.c:170
hmac_md5_init_limK_to_64
void hmac_md5_init_limK_to_64(const uchar *key, int key_len, HMACMD5Context *ctx)
The microsoft version of hmac_md5 initialisation.
Definition: hmacmd5.c:24
SMBOWFencrypt_ntlmssp
void SMBOWFencrypt_ntlmssp(const uchar passwd[16], const uchar *c8, uchar p24[24])
Definition: smb_crypt.c:384
len
uint8_t len
Definition: nasl_packet_forgery.c:1
hmac_md5_update
void hmac_md5_update(const uchar *text, int text_len, HMACMD5Context *ctx)
Update hmac_md5 "inner" buffer.
Definition: hmacmd5.c:55
put_long_date_ntlmssp
void put_long_date_ntlmssp(char *p, time_t t)
Definition: time.c:110
smb_ucs2_t
uint16 smb_ucs2_t
Definition: hmacmd5.h:52
NTLMv2_generate_client_data_ntlmssp
uint8_t * NTLMv2_generate_client_data_ntlmssp(const char *addr_list, int address_list_len)
Definition: smb_crypt.c:476
smbhash
static void smbhash(uchar *out, const uchar *in, const uchar *key, int forw)
Definition: smb_crypt.c:270
hmac_md5_final
void hmac_md5_final(uchar *digest, HMACMD5Context *ctx)
Finish off hmac_md5 "inner" buffer and generate outer one.
Definition: hmacmd5.c:64
False
#define False
Definition: charcnv.c:63
True
#define True
Definition: charcnv.c:64
val
const char * val
Definition: nasl_init.c:412
toupper_w
static smb_ucs2_t toupper_w(smb_ucs2_t val)
Definition: smb_crypt2.c:25