OpenVAS Libraries  9.0.3
smb_crypt.c File Reference
#include <glib.h>
#include "smb_crypt.h"
#include "proto.h"

Macros

#define int16   1
 
#define FSTRING_LEN   256
 

Typedefs

typedef char fstring[FSTRING_LEN]
 

Functions

void smbhash (uchar *out, const uchar *in, const uchar *key, int forw)
 
void E_P16 (uchar *p14, uchar *p16)
 
void E_P24 (const uchar *p21, const uchar *c8, uchar *p24)
 
void SamOEMhash (uchar *data, const uchar *key, int val)
 
void SMBsesskeygen_ntv1_ntlmssp (const uchar kr[16], const uchar *nt_resp, uint8 sess_key[16])
 
void SMBOWFencrypt_ntlmssp (const uchar passwd[16], const uchar *c8, uchar p24[24])
 
void SMBencrypt_hash_ntlmssp (const uchar lm_hash[16], const uchar *c8, uchar p24[24])
 
void SMBNTencrypt_hash_ntlmssp (const uchar nt_hash[16], uchar *c8, uchar *p24)
 
void SMBsesskeygen_lm_sess_key_ntlmssp (const uchar lm_hash[16], const uchar lm_resp[24], uint8 sess_key[16])
 
bool E_deshash_ntlmssp (const char *passwd, uint8_t pass_len, uchar p16[16])
 
void SMBsesskeygen_ntv2_ntlmssp (const uchar kr[16], const uchar *nt_resp, uint8 sess_key[16])
 
uint8_t * NTLMv2_generate_client_data_ntlmssp (const char *addr_list, int address_list_len)
 
void NTLMv2_generate_response_ntlmssp (const uchar ntlm_v2_hash[16], const char *server_chal, const char *address_list, int address_list_len, uint8_t *nt_response)
 
void LMv2_generate_response_ntlmssp (const uchar ntlm_v2_hash[16], const char *server_chal, uint8_t *lm_response)
 
void SMBNTLMv2encrypt_hash_ntlmssp (const char *user, const char *domain, uchar ntlm_v2_hash[16], const char *server_chal, const char *address_list, int address_list_len, uint8_t *lm_response, uint8_t *nt_response, uint8_t *user_session_key)
 

Macro Definition Documentation

◆ FSTRING_LEN

#define FSTRING_LEN   256

Definition at line 62 of file smb_crypt.c.

◆ int16

#define int16   1

Definition at line 59 of file smb_crypt.c.

Typedef Documentation

◆ fstring

typedef char fstring[FSTRING_LEN]

Definition at line 63 of file smb_crypt.c.

Function Documentation

◆ E_deshash_ntlmssp()

bool E_deshash_ntlmssp ( const char *  passwd,
uint8_t  pass_len,
uchar  p16[16] 
)

Creates the DES forward-only hash of the user's password in DOS ASCII charset.

Parameters
passwd: password in 'unix' charset.
pass_len: number of bytes of passwd to use (the body passes it to g_utf8_strup() and memcpy()).
p16: returned password hash (DES); caller-allocated 16-byte buffer.
Returns
False if password was > 14 characters, and therefore may be incorrect, otherwise True
Note
p16 is filled in regardless

Definition at line 444 of file smb_crypt.c.

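/**
 * Build the 16-byte LM ("DES forward-only") hash of a password.
 *
 * @param passwd   Password bytes; at most pass_len bytes are used.
 * @param pass_len Number of bytes of passwd to upper-case and hash.
 * @param p16      Caller-allocated 16-byte buffer that receives the hash.
 *
 * @return False when the upper-cased password is longer than 14 bytes (only
 *         the first 14 bytes reach E_P16()), True otherwise.  p16 is written
 *         in both cases.
 *
 * The only conversion performed here is g_utf8_strup(); no code-page
 * translation takes place in this function.  Because the input is
 * upper-cased, cut at 14 bytes and hashed as two independent 7-byte halves
 * (see E_P16()), the result is suitable for legacy interoperability only.
 */
bool
E_deshash_ntlmssp (const char *passwd, uint8_t pass_len, uchar p16[16])
{
  bool ret = True;
  fstring dospwd;
  char *dpass;

  ZERO_STRUCT (dospwd);

  /* Upper-case the password.  The returned string is freshly allocated and
     NUL-terminated, and its byte length may differ from pass_len. */
  dpass = g_utf8_strup (passwd, pass_len);
  if (dpass != NULL)
    {
      size_t up_len = strlen (dpass);
      size_t copy_len = up_len < pass_len ? up_len : pass_len;
      volatile char *wipe = dpass;
      size_t k;

      /* Copy no more than dpass really holds (the original copied pass_len
         bytes unconditionally, which reads past a shorter result) and keep
         the last byte of dospwd as a NUL terminator for strlen() below. */
      if (copy_len > sizeof (dospwd) - 1)
        copy_len = sizeof (dospwd) - 1;
      memcpy (dospwd, dpass, copy_len);

      /* Clear the heap copy of the password before handing it back to the
         allocator; the volatile pointer keeps the stores from being
         dropped as dead writes. */
      for (k = 0; k < up_len; k++)
        wipe[k] = 0;
      g_free (dpass);
    }

  /* Only the first 14 chars are considered, password need not be null
     terminated. */
  E_P16 ((unsigned char *) dospwd, p16);

  if (strlen (dospwd) > 14)
    {
      ret = False;
    }

  /* NOTE(review): if ZERO_STRUCT expands to a plain memset the compiler may
     treat this final clear as a dead store - confirm against genrand.c. */
  ZERO_STRUCT (dospwd);

  return ret;
}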
char fstring[FSTRING_LEN]
Definition: smb_crypt.c:63
void E_P16(uchar *p14, uchar *p16)
Definition: smb_crypt.c:323
#define True
Definition: charcnv.c:59
#define False
Definition: charcnv.c:58
#define ZERO_STRUCT(x)
Definition: genrand.c:65

References E_P16(), False, True, and ZERO_STRUCT.

Referenced by ntlmssp_genauth_ntlm(), and ntlmssp_genauth_ntlm2().


◆ E_P16()

void E_P16 ( uchar p14,
uchar p16 
)

Definition at line 323 of file smb_crypt.c.

/**
 * Hash 14 bytes of key material into a 16-byte output.
 *
 * @param p14 Key material; the two smbhash() calls are keyed from offsets
 *            0 and 7.
 * @param p16 Output buffer; smbhash() writes 8 bytes at offset 0 and 8 bytes
 *            at offset 8.
 *
 * Both halves encrypt the same fixed 8-byte block, so each 8-byte half of the
 * output depends on one 7-byte half of the input only.
 */
void
E_P16 (uchar *p14, uchar *p16)
{
  /* Fixed plaintext block; the bytes spell the ASCII string "KGS!@#$%". */
  const uchar magic[8] = { 0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };

  smbhash (&p16[0], magic, &p14[0], 1);
  smbhash (&p16[8], magic, &p14[7], 1);
}
#define uchar
Definition: hmacmd5.h:28
void smbhash(uchar *out, const uchar *in, const uchar *key, int forw)
Definition: smb_crypt.c:295

References smbhash(), and uchar.

Referenced by E_deshash_ntlmssp(), and nasl_lm_owf_gen().


◆ E_P24()

void E_P24 ( const uchar p21,
const uchar c8,
uchar p24 
)

Definition at line 330 of file smb_crypt.c.

/**
 * Produce a 24-byte response from 21 bytes of key material and a challenge.
 *
 * @param p21 Key material; the three smbhash() calls are keyed from offsets
 *            0, 7 and 14.
 * @param c8  Block handed to smbhash() as its input; smbhash() reads 8 bytes
 *            of it.
 * @param p24 Output buffer; receives three consecutive 8-byte results.
 */
void
E_P24 (const uchar *p21, const uchar *c8, uchar *p24)
{
  int block;

  /* Same challenge block every time, a different 7-byte key slice per
     8-byte output slice. */
  for (block = 0; block < 3; block++)
    smbhash (p24 + 8 * block, c8, p21 + 7 * block, 1);
}
void smbhash(uchar *out, const uchar *in, const uchar *key, int forw)
Definition: smb_crypt.c:295

References smbhash().

Referenced by nasl_ntlmv1_hash(), and SMBOWFencrypt_ntlmssp().


◆ LMv2_generate_response_ntlmssp()

void LMv2_generate_response_ntlmssp ( const uchar  ntlm_v2_hash[16],
const char *  server_chal,
uint8_t *  lm_response 
)

Definition at line 528 of file smb_crypt.c.

/**
 * Build the 24-byte LMv2 response.
 *
 * @param ntlm_v2_hash 16-byte NTLMv2 hash used as the key.
 * @param server_chal  Server challenge; 8 bytes are passed on.
 * @param lm_response  Output; receives 16 bytes of keyed response followed by
 *                     the 8 random client bytes, so it must hold 24 bytes.
 */
void
LMv2_generate_response_ntlmssp (const uchar ntlm_v2_hash[16],
                                const char *server_chal,
                                uint8_t *lm_response)
{
  uint8_t client_nonce[8];
  uchar keyed_part[16];

  /* Fresh client-side random data for this response. */
  generate_random_buffer_ntlmssp (client_nonce, sizeof (client_nonce));

  /* Combine the server challenge and the client data under the hash. */
  SMBOWFencrypt_ntv2_ntlmssp (ntlm_v2_hash, (const uchar *) server_chal, 8,
                              client_nonce, sizeof (client_nonce),
                              keyed_part);

  /* Wire layout: keyed response first, then the client data so the server
     can recompute the same value. */
  memcpy (lm_response, keyed_part, sizeof (keyed_part));
  memcpy (lm_response + sizeof (keyed_part), client_nonce,
          sizeof (client_nonce));
}
#define uchar
Definition: hmacmd5.h:28
void generate_random_buffer_ntlmssp(unsigned char *out, int len)
Definition: genrand.c:167
void SMBOWFencrypt_ntv2_ntlmssp(const uchar kr[16], const uint8_t *srv_chal, int srv_chal_len, const uint8_t *cli_chal, int cli_chal_len, uchar resp_buf[16])

References generate_random_buffer_ntlmssp(), SMBOWFencrypt_ntv2_ntlmssp(), and uchar.

Referenced by SMBNTLMv2encrypt_hash_ntlmssp().


◆ NTLMv2_generate_client_data_ntlmssp()

uint8_t* NTLMv2_generate_client_data_ntlmssp ( const char *  addr_list,
int  address_list_len 
)

Definition at line 480 of file smb_crypt.c.

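/**
 * Allocate and fill the NTLMv2 client data blob.
 *
 * Layout of the returned buffer (28 fixed bytes, then the address list):
 *   offset  0: header 0x00000101 (4 bytes, written with SIVAL)
 *   offset  4: reserved, zero (4 bytes)
 *   offset  8: timestamp from put_long_date_ntlmssp() (8 bytes)
 *   offset 16: random client challenge (8 bytes)
 *   offset 24: unknown, zero (4 bytes)
 *   offset 28: address list (address_list_len bytes)
 *
 * @param addr_list        Address list bytes to append; may be NULL, in
 *                         which case the list area stays zeroed.
 * @param address_list_len Length of addr_list in bytes.  A negative value is
 *                         treated as 0 so the fixed 28-byte part is always
 *                         allocated before it is written.
 *
 * @return Buffer of 28 + address_list_len bytes obtained from g_malloc0();
 *         the caller releases it with g_free().
 */
uint8_t *
NTLMv2_generate_client_data_ntlmssp (const char *addr_list,
                                     int address_list_len)
{
  enum { FIXED_PART_LEN = 28 };
  uchar client_chal[8];
  char long_date[8];
  int header = 0x00000101;
  int zeros = 0x00000000;
  size_t list_len;
  uint8_t *response;

  /* A negative length would shrink the allocation below the 28 bytes the
     SIVAL/memcpy calls below always write.  Doing the sum in size_t also
     avoids signed overflow for very large lengths. */
  list_len = address_list_len > 0 ? (size_t) address_list_len : 0;
  response = g_malloc0 ((size_t) FIXED_PART_LEN + list_len);

  generate_random_buffer_ntlmssp (client_chal, sizeof (client_chal));
  put_long_date_ntlmssp (long_date, time (NULL));

  SIVAL (response, 0, header);
  SIVAL (response, 4, zeros);
  memcpy (response + 8, long_date, sizeof (long_date));
  memcpy (response + 16, client_chal, sizeof (client_chal));
  SIVAL (response, 24, zeros);

  if (addr_list != NULL && list_len > 0)
    memcpy (response + FIXED_PART_LEN, addr_list, list_len);

  return response;
}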
#define uchar
Definition: hmacmd5.h:28
#define SIVAL(buf, pos, val)
Definition: byteorder.h:123
void generate_random_buffer_ntlmssp(unsigned char *out, int len)
Definition: genrand.c:167
void put_long_date_ntlmssp(char *p, time_t t)
Definition: time.c:111

References generate_random_buffer_ntlmssp(), put_long_date_ntlmssp(), SIVAL, and uchar.

Referenced by NTLMv2_generate_response_ntlmssp().


◆ NTLMv2_generate_response_ntlmssp()

void NTLMv2_generate_response_ntlmssp ( const uchar  ntlm_v2_hash[16],
const char *  server_chal,
const char *  address_list,
int  address_list_len,
uint8_t *  nt_response 
)

Definition at line 509 of file smb_crypt.c.

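/**
 * Build the NTLMv2 response: 16 keyed bytes followed by the client data.
 *
 * @param ntlm_v2_hash     16-byte NTLMv2 hash used as the key.
 * @param server_chal      Server challenge; 8 bytes are passed on.
 * @param address_list     Address list to embed in the client data.
 * @param address_list_len Length of address_list in bytes; a negative value
 *                         is treated as 0.
 * @param nt_response      Output.  No size is passed in, so the caller must
 *                         provide at least 16 + 28 + address_list_len bytes.
 *
 * NOTE(review): 28 + address_list_len is computed in int; callers are
 * expected to keep the list length far below INT_MAX.
 */
void
NTLMv2_generate_response_ntlmssp (const uchar ntlm_v2_hash[16],
                                  const char *server_chal,
                                  const char *address_list,
                                  int address_list_len,
                                  uint8_t *nt_response)
{
  uchar ntlmv2_response[16];
  uint8_t *ntlmv2_client_data;
  int client_data_len;

  /* A negative length would make the size passed to memcpy() below wrap to
     a huge unsigned value. */
  if (address_list_len < 0)
    address_list_len = 0;

  /* NTLMv2 */
  /* generate some data to pass into the response function - including
     the hostname and domain name of the server */
  ntlmv2_client_data =
    NTLMv2_generate_client_data_ntlmssp (address_list, address_list_len);

  /* Given that data, and the challenge from the server, generate a response */
  client_data_len = 28 + address_list_len;
  SMBOWFencrypt_ntv2_ntlmssp (ntlm_v2_hash, (const uchar *) server_chal, 8,
                              ntlmv2_client_data, client_data_len,
                              ntlmv2_response);
  memcpy (nt_response, ntlmv2_response, sizeof (ntlmv2_response));
  memcpy (nt_response + sizeof (ntlmv2_response), ntlmv2_client_data,
          client_data_len);

  /* The client data comes from g_malloc0() and was never released by the
     original code, leaking one buffer per generated response. */
  g_free (ntlmv2_client_data);
}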
#define uchar
Definition: hmacmd5.h:28
uint8_t * NTLMv2_generate_client_data_ntlmssp(const char *addr_list, int address_list_len)
Definition: smb_crypt.c:480
void SMBOWFencrypt_ntv2_ntlmssp(const uchar kr[16], const uint8_t *srv_chal, int srv_chal_len, const uint8_t *cli_chal, int cli_chal_len, uchar resp_buf[16])

References NTLMv2_generate_client_data_ntlmssp(), SMBOWFencrypt_ntv2_ntlmssp(), and uchar.

Referenced by SMBNTLMv2encrypt_hash_ntlmssp().


◆ SamOEMhash()

void SamOEMhash ( uchar data,
const uchar key,
int  val 
)

Definition at line 337 of file smb_crypt.c.

/**
 * XOR a buffer in place with an RC4 keystream derived from a 16-byte key.
 *
 * @param data Buffer transformed in place; it must hold at least the number
 *             of bytes selected by val.
 * @param key  Key; exactly 16 bytes are read (index taken modulo 16).
 * @param val  Length selector: 0 -> 16, 1 -> 516, 2 -> 68, 3 -> 8, 4 -> 32
 *             bytes; any value >= 8 is used as the byte count itself.  Other
 *             values (negative, 5, 6, 7) leave data untouched.
 *
 * Since val doubles as a raw length, the caller is the only place where the
 * size of data can be checked against it.
 */
void
SamOEMhash (uchar *data, const uchar *key, int val)
{
  uchar sbox[256];
  uchar i = 0;
  uchar j = 0;
  uchar k = 0;
  int n;
  int len;

  switch (val)
    {
    case 0:
      len = 16;
      break;
    case 1:
      len = 516;
      break;
    case 2:
      len = 68;
      break;
    case 3:
      len = 8;
      break;
    case 4:
      len = 32;
      break;
    default:
      len = (val >= 8) ? val : 0;
      break;
    }

  /* Key schedule: start from the identity permutation ... */
  for (n = 0; n < 256; n++)
    sbox[n] = (uchar) n;

  /* ... and mix in the key; k wraps modulo 256 through its uchar type. */
  for (n = 0; n < 256; n++)
    {
      uchar swap;

      k = (uchar) (k + sbox[n] + key[n % 16]);

      swap = sbox[n];
      sbox[n] = sbox[k];
      sbox[k] = swap;
    }

  /* Keystream generation, XORed over the first len bytes of data. */
  for (n = 0; n < len; n++)
    {
      uchar swap;
      uchar pick;

      i++;
      j = (uchar) (j + sbox[i]);

      swap = sbox[i];
      sbox[i] = sbox[j];
      sbox[j] = swap;

      pick = (uchar) (sbox[i] + sbox[j]);
      data[n] ^= sbox[pick];
    }
}
#define uchar
Definition: hmacmd5.h:28
const char * val
Definition: nasl_init.c:525

References uchar, and val.

Referenced by ntlmssp_genauth_keyexchg().


◆ SMBencrypt_hash_ntlmssp()

void SMBencrypt_hash_ntlmssp ( const uchar  lm_hash[16],
const uchar c8,
uchar  p24[24] 
)

Definition at line 406 of file smb_crypt.c.

/**
 * Compute the 24-byte response for a 16-byte LM hash and a challenge.
 *
 * @param lm_hash 16-byte LM hash.
 * @param c8      Challenge, passed through to SMBOWFencrypt_ntlmssp().
 * @param p24     24-byte output buffer.
 */
void
SMBencrypt_hash_ntlmssp (const uchar lm_hash[16], const uchar *c8,
                         uchar p24[24])
{
  /* 16 hash bytes followed by 5 zero bytes of padding. */
  uchar padded[21] = { 0 };

  memcpy (padded, lm_hash, 16);
  SMBOWFencrypt_ntlmssp (padded, c8, p24);
}
#define uchar
Definition: hmacmd5.h:28
void SMBOWFencrypt_ntlmssp(const uchar passwd[16], const uchar *c8, uchar p24[24])
Definition: smb_crypt.c:397

References SMBOWFencrypt_ntlmssp(), and uchar.

Referenced by ntlmssp_genauth_ntlm().


◆ smbhash()

void smbhash ( uchar out,
const uchar in,
const uchar key,
int  forw 
)

Definition at line 295 of file smb_crypt.c.

/**
 * Run one 8-byte block through the hash primitive behind E_P16()/E_P24().
 *
 * @param out  Receives 8 bytes of output.
 * @param in   8-byte input block.
 * @param key  Key material handed to str_to_key(), which fills an 8-byte key.
 * @param forw Direction flag forwarded unchanged to dohash().
 *
 * str_to_key() and dohash() are not shown here; this function only unpacks
 * the input and key into one-bit-per-char arrays (most significant bit
 * first), calls dohash(), and packs the 64 result bits back into bytes.
 */
void
smbhash (uchar *out, const uchar *in, const uchar *key, int forw)
{
  char in_bits[64];
  char key_bits[64];
  char out_bits[64];
  uchar expanded_key[8];
  int bit;

  str_to_key (key, expanded_key);

  for (bit = 0; bit < 64; bit++)
    {
      const int byte = bit / 8;
      const int mask = 1 << (7 - (bit % 8));

      in_bits[bit] = (in[byte] & mask) ? 1 : 0;
      key_bits[bit] = (expanded_key[byte] & mask) ? 1 : 0;
      out_bits[bit] = 0;
    }

  dohash (out_bits, in_bits, key_bits, forw);

  /* Start from an all-zero block and set only the bits dohash() produced. */
  memset (out, 0, 8);
  for (bit = 0; bit < 64; bit++)
    {
      if (out_bits[bit])
        out[bit / 8] |= (1 << (7 - (bit % 8)));
    }
}
#define uchar
Definition: hmacmd5.h:28

References uchar.

Referenced by E_P16(), and E_P24().


◆ SMBNTencrypt_hash_ntlmssp()

void SMBNTencrypt_hash_ntlmssp ( const uchar  nt_hash[16],
uchar c8,
uchar p24 
)

Definition at line 417 of file smb_crypt.c.

/**
 * Compute the 24-byte response for a 16-byte NT hash and a challenge.
 *
 * @param nt_hash 16-byte NT hash.
 * @param c8      Challenge, passed through to SMBOWFencrypt_ntlmssp().
 * @param p24     Output buffer; SMBOWFencrypt_ntlmssp() declares it as 24
 *                bytes.
 */
void
SMBNTencrypt_hash_ntlmssp (const uchar nt_hash[16], uchar *c8, uchar *p24)
{
  /* 16 hash bytes followed by 5 zero bytes of padding. */
  uchar padded[21] = { 0 };

  memcpy (padded, nt_hash, 16);
  SMBOWFencrypt_ntlmssp (padded, c8, p24);
}
#define uchar
Definition: hmacmd5.h:28
void SMBOWFencrypt_ntlmssp(const uchar passwd[16], const uchar *c8, uchar p24[24])
Definition: smb_crypt.c:397

References SMBOWFencrypt_ntlmssp(), and uchar.

Referenced by ntlmssp_genauth_ntlm(), and ntlmssp_genauth_ntlm2().


◆ SMBNTLMv2encrypt_hash_ntlmssp()

void SMBNTLMv2encrypt_hash_ntlmssp ( const char *  user,
const char *  domain,
uchar  ntlm_v2_hash[16],
const char *  server_chal,
const char *  address_list,
int  address_list_len,
uint8_t *  lm_response,
uint8_t *  nt_response,
uint8_t *  user_session_key 
)

Definition at line 547 of file smb_crypt.c.

/**
 * Produce the NTLMv2 response, the session key and the LMv2 response.
 *
 * @param user             Not used by this function.
 * @param domain           Not used by this function.
 * @param ntlm_v2_hash     16-byte NTLMv2 hash, used as the key throughout.
 * @param server_chal      Server challenge.
 * @param address_list     Address list embedded in the NTLMv2 client data.
 * @param address_list_len Length of address_list in bytes.
 * @param lm_response      Output for the LMv2 response (24 bytes written by
 *                         LMv2_generate_response_ntlmssp()).
 * @param nt_response      Output for the NTLMv2 response (16 + 28 +
 *                         address_list_len bytes written by
 *                         NTLMv2_generate_response_ntlmssp()).
 * @param user_session_key Output for the session key.
 *
 * None of the output buffers carries a size, so the caller has to size them
 * from address_list_len before calling.
 */
void
SMBNTLMv2encrypt_hash_ntlmssp (const char *user, const char *domain,
                               uchar ntlm_v2_hash[16],
                               const char *server_chal,
                               const char *address_list,
                               int address_list_len,
                               uint8_t *lm_response,
                               uint8_t *nt_response,
                               uint8_t *user_session_key)
{
  /* Step 1: NTLMv2 response. */
  NTLMv2_generate_response_ntlmssp (ntlm_v2_hash, server_chal, address_list,
                                    address_list_len, nt_response);

  /* Step 2: session key (for signing etc. later), derived from only the
     first 16 bytes of the response just written. */
  SMBsesskeygen_ntv2_ntlmssp (ntlm_v2_hash, nt_response, user_session_key);

  /* Step 3: LMv2 response. */
  LMv2_generate_response_ntlmssp (ntlm_v2_hash, server_chal, lm_response);
}
void LMv2_generate_response_ntlmssp(const uchar ntlm_v2_hash[16], const char *server_chal, uint8_t *lm_response)
Definition: smb_crypt.c:528
void SMBsesskeygen_ntv2_ntlmssp(const uchar kr[16], const uchar *nt_resp, uint8 sess_key[16])
Definition: smb_crypt.c:467
void NTLMv2_generate_response_ntlmssp(const uchar ntlm_v2_hash[16], const char *server_chal, const char *address_list, int address_list_len, uint8_t *nt_response)
Definition: smb_crypt.c:509

References LMv2_generate_response_ntlmssp(), NTLMv2_generate_response_ntlmssp(), and SMBsesskeygen_ntv2_ntlmssp().

Referenced by ntlmssp_genauth_ntlmv2().


◆ SMBOWFencrypt_ntlmssp()

void SMBOWFencrypt_ntlmssp ( const uchar  passwd[16],
const uchar c8,
uchar  p24[24] 
)

Definition at line 397 of file smb_crypt.c.

/**
 * Pad a 16-byte hash to 21 bytes and compute the 24-byte response with
 * E_P24().
 *
 * @param passwd 16-byte hash; exactly 16 bytes are read.
 * @param c8     Challenge, passed through to E_P24().
 * @param p24    24-byte output buffer.
 */
void
SMBOWFencrypt_ntlmssp (const uchar passwd[16], const uchar *c8, uchar p24[24])
{
  /* Bytes 16..20 stay zero: E_P24() keys its third block from offset 14. */
  uchar key21[21] = { 0 };

  memcpy (key21, passwd, 16);
  E_P24 (key21, c8, p24);
}
#define uchar
Definition: hmacmd5.h:28
#define ZERO_STRUCT(x)
Definition: genrand.c:65
void E_P24(const uchar *p21, const uchar *c8, uchar *p24)
Definition: smb_crypt.c:330

References E_P24(), uchar, and ZERO_STRUCT.

Referenced by SMBencrypt_hash_ntlmssp(), SMBNTencrypt_hash_ntlmssp(), and SMBsesskeygen_lm_sess_key_ntlmssp().


◆ SMBsesskeygen_lm_sess_key_ntlmssp()

void SMBsesskeygen_lm_sess_key_ntlmssp ( const uchar  lm_hash[16],
const uchar  lm_resp[24],
uint8  sess_key[16] 
)

Definition at line 426 of file smb_crypt.c.

/**
 * Derive the 16-byte LM session key.
 *
 * @param lm_hash  LM hash; only its first 8 bytes are used.
 * @param lm_resp  LM response, passed to SMBOWFencrypt_ntlmssp() as the
 *                 challenge argument.
 * @param sess_key Output; receives the first 16 of the 24 bytes computed.
 */
void
SMBsesskeygen_lm_sess_key_ntlmssp (const uchar lm_hash[16],
                                   const uchar lm_resp[24],
                                   uint8 sess_key[16])
{
  uchar key_material[16];
  uchar full_response[24];

  /* Fill with the 0xbd pad first, then overlay the first half of the hash:
     bytes 0..7 come from lm_hash, bytes 8..15 are 0xbd. */
  memset (key_material, 0xbd, sizeof (key_material));
  memcpy (key_material, lm_hash, 8);

  SMBOWFencrypt_ntlmssp (key_material, lm_resp, full_response);
  memcpy (sess_key, full_response, 16);
}
#define uchar
Definition: hmacmd5.h:28
void SMBOWFencrypt_ntlmssp(const uchar passwd[16], const uchar *c8, uchar p24[24])
Definition: smb_crypt.c:397

References SMBOWFencrypt_ntlmssp(), and uchar.

Referenced by ntlmssp_genauth_ntlm().


◆ SMBsesskeygen_ntv1_ntlmssp()

void SMBsesskeygen_ntv1_ntlmssp ( const uchar  kr[16],
const uchar nt_resp,
uint8  sess_key[16] 
)

Definition at line 386 of file smb_crypt.c.

/**
 * Derive the NTLMv1 session key as the MD4 digest of the 16-byte input kr.
 *
 * @param kr       16-byte input to mdfour_ntlmssp().
 * @param nt_resp  Not used by this function.
 * @param sess_key Output buffer, declared as 16 bytes.
 *
 * The key depends on kr alone, so every session that starts from the same kr
 * gets the same key; nothing session-specific (challenge or response) is
 * mixed in.
 */
void
SMBsesskeygen_ntv1_ntlmssp (const uchar kr[16], const uchar *nt_resp,
                            uint8 sess_key[16])
{
  unsigned char *digest_out = (unsigned char *) sess_key;

  /* yes, this session key does not change - yes, this
     is a problem - but it is 128 bits */
  mdfour_ntlmssp (digest_out, kr, 16);
}
void mdfour_ntlmssp(unsigned char *out, const unsigned char *in, int n)
Definition: md4.c:125

References mdfour_ntlmssp().

Referenced by ntlmssp_genauth_ntlm(), and ntlmssp_genauth_ntlm2().


◆ SMBsesskeygen_ntv2_ntlmssp()

void SMBsesskeygen_ntv2_ntlmssp ( const uchar  kr[16],
const uchar nt_resp,
uint8  sess_key[16] 
)

Definition at line 467 of file smb_crypt.c.

/**
 * Derive the NTLMv2 session key: HMAC-MD5 keyed with kr over the first 16
 * bytes of the NT response.
 *
 * @param kr       16-byte key passed to hmac_md5_init_limK_to_64().
 * @param nt_resp  NT response; exactly 16 bytes are fed to the HMAC.
 * @param sess_key Output buffer, declared as 16 bytes; receives the digest.
 *
 * Unlike the v1 variant, the result varies with the response bytes.
 */
void
SMBsesskeygen_ntv2_ntlmssp (const uchar kr[16], const uchar *nt_resp,
                            uint8 sess_key[16])
{
  HMACMD5Context hmac;
  unsigned char *digest_out = (unsigned char *) sess_key;

  /* a very nice, 128 bit, variable session key */
  hmac_md5_init_limK_to_64 (kr, 16, &hmac);
  hmac_md5_update (nt_resp, 16, &hmac);
  hmac_md5_final (digest_out, &hmac);
}
void hmac_md5_init_limK_to_64(const uchar *key, int key_len, HMACMD5Context *ctx)
The microsoft version of hmac_md5 initialisation.
Definition: hmacmd5.c:33
void hmac_md5_final(uchar *digest, HMACMD5Context *ctx)
Finish off hmac_md5 "inner" buffer and generate outer one.
Definition: hmacmd5.c:71
void hmac_md5_update(const uchar *text, int text_len, HMACMD5Context *ctx)
Update hmac_md5 "inner" buffer.
Definition: hmacmd5.c:63

References hmac_md5_final(), hmac_md5_init_limK_to_64(), and hmac_md5_update().

Referenced by SMBNTLMv2encrypt_hash_ntlmssp().
