/* * Beware the LM hash is easy to crack (google for l0phtCrack) * and though NTLM is more secure it is still breakable. * Ntlmv2 is better and seen as good enough by the windows community. * For real security use kerberos. */ #include #include #include #include #include #include #include #include #include <9p.h> #include "cifs.h" #define DEF_AUTH "ntlmv2" static enum { MACkeylen = 40, /* MAC key len */ MAClen = 8, /* signature length */ MACoff = 14, /* sign. offset from start of SMB (not netbios) pkt */ Bliplen = 8, /* size of LMv2 client nonce */ }; static void dmp(char *s, int seq, void *buf, int n) { int i; char *p = buf; print("%s %3d ", s, seq); while(n > 0){ for(i = 0; i < 16 && n > 0; i++, n--) print("%02x ", *p++ & 0xff); if(n > 0) print("\n"); } print("\n"); } static Auth * auth_plain(char *windom, char *keyp, uchar *chal, int len) { UserPasswd *up; static Auth *ap; USED(chal, len); up = auth_getuserpasswd(auth_getkey, "windom=%s proto=pass service=cifs %s", windom, keyp); if(! up) sysfatal("cannot get key - %r"); ap = emalloc9p(sizeof(Auth)); memset(ap, 0, sizeof(ap)); ap->user = estrdup9p(up->user); ap->windom = estrdup9p(windom); ap->resp[0] = estrdup9p(up->passwd); ap->len[0] = strlen(up->passwd); memset(up->passwd, 0, strlen(up->passwd)); free(up); return ap; } static Auth * auth_lm_and_ntlm(char *windom, char *keyp, uchar *chal, int len) { int err; char user[64]; Auth *ap; MSchapreply mcr; err = auth_respond(chal, len, user, sizeof user, &mcr, sizeof mcr, auth_getkey, "windom=%s proto=mschap role=client service=cifs %s", windom, keyp); if(err == -1) sysfatal("cannot get key - %r"); ap = emalloc9p(sizeof(Auth)); memset(ap, 0, sizeof(ap)); ap->user = estrdup9p(user); ap->windom = estrdup9p(windom); /* LM response */ ap->len[0] = sizeof(mcr.LMresp); ap->resp[0] = emalloc9p(ap->len[0]); memcpy(ap->resp[0], mcr.LMresp, ap->len[0]); /* NTLM response */ ap->len[1] = sizeof(mcr.NTresp); ap->resp[1] = emalloc9p(ap->len[1]); memcpy(ap->resp[1], mcr.NTresp, ap->len[1]); return ap; } /* * NTLM response only, the LM response is a just * copy of the NTLM one. we do this because the lm * response is easily reversed - Google for l0pht * for more info. */ static Auth * auth_ntlm(char *windom, char *keyp, uchar *chal, int len) { Auth *ap; if((ap = auth_lm_and_ntlm(windom, keyp, chal, len)) == nil) return nil; free(ap->resp[0]); ap->len[0] = ap->len[1]; ap->resp[0] = emalloc9p(ap->len[0]); memcpy(ap->resp[0], ap->resp[1], ap->len[0]); return ap; } /* * This is not really nescessary as all fields hmac_md5'ed * in the ntlmv2 protocol are less than 64 bytes long, however * I still do this for completeness */ static DigestState * hmac_t64(uchar *data, ulong dlen, uchar *key, ulong klen, uchar *digest, DigestState *state) { if(klen > 64) klen = 64; return hmac_md5(data, dlen, key, klen, digest, state); } static int putname(uchar *buf, int len, char *name, int type) { int n; Rune r; char *d; uchar *p = buf; *p++ = type; *p++ = 0; /* 16bit: name type */ n = utflen(name) * 2; *p++ = n; *p++ = n >> 8; /* 16bit: name length */ d = name; while(*d != 0 && p-buf < len-8){ d += chartorune(&r, d); r = toupperrune(r); *p++ = r; *p++ = r >> 8; } /* var: actual name */ return p - buf; } static int ntv2_blob(uchar *blob, int len, char *windom) { uvlong t; uchar *p; enum { /* name types */ Beof, /* end of name list */ Bhost, /* Netbios host name */ Bdomain, /* Windows Domain name (NT) */ Bdnshost, /* DNS host name */ Bdnsdomain, /* DNS domain name */ }; p = blob; *p++ = 1; /* 8bit: response type */ *p++ = 1; /* 8bit: max response type understood by client */ *p++ = 0; /* 16bit: reserved */ *p++ = 0; *p++ = 0; /* 32bit: unknown */ *p++ = 0; *p++ = 0; *p++ = 0; t = time(nil); t += 11644473600LL; t *= 10000000LL; *p++ = t; /* 64bit: time in NT format */ *p++ = t >> 8; *p++ = t >> 16; *p++ = t >> 24; *p++ = t >> 32; *p++ = t >> 40; *p++ = t >> 48; *p++ = t >> 56; genrandom(p, 8); p += 8; /* 64bit: client nonce */ *p++ = 0; /* 32bit: unknown data */ *p++ = 0; *p++ = 0; *p++ = 0; p += putname(p, len - (p-blob), windom, Bdomain); p += putname(p, len - (p-blob), "", Beof); return p - blob; } static Auth * auth_ntlmv2(char *windom, char *keyp, uchar *chal, int len) { int i, n; Rune r; char *p, *u; uchar v1hash[MD5dlen], blip[Bliplen], blob[1024], v2hash[MD5dlen]; uchar c, lm_hmac[MD5dlen], nt_hmac[MD5dlen], nt_sesskey[MD5dlen], lm_sesskey[MD5dlen]; DigestState *ds; UserPasswd *up; static Auth *ap; up = auth_getuserpasswd(auth_getkey, "windom=%s proto=pass service=cifs-ntlmv2 %s", windom, keyp); if(!up) sysfatal("cannot get key - %r"); ap = emalloc9p(sizeof(Auth)); memset(ap, 0, sizeof(ap)); /* Standard says unlimited length, experience says 128 max */ if((n = strlen(up->passwd)) > 128) n = 128; ds = md4(nil, 0, nil, nil); for(i=0, p=up->passwd; i < n; i++) { p += chartorune(&r, p); c = r; md4(&c, 1, nil, ds); c = r >> 8; md4(&c, 1, nil, ds); } md4(nil, 0, v1hash, ds); /* * Some documentation insists that the username must be forced to * uppercase, but the domain name should not be. Other shows both * being forced to uppercase. I am pretty sure this is irrevevant as the * domain name passed from the remote server always seems to be in * uppercase already. */ ds = hmac_t64(nil, 0, v1hash, MD5dlen, nil, nil); u = up->user; while(*u){ u += chartorune(&r, u); r = toupperrune(r); c = r; hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds); c = r >> 8; hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds); } u = windom; while(*u){ u += chartorune(&r, u); c = r; hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds); c = r >> 8; hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds); } hmac_t64(nil, 0, v1hash, MD5dlen, v2hash, ds); ap->user = estrdup9p(up->user); ap->windom = estrdup9p(windom); /* LM v2 */ genrandom(blip, Bliplen); ds = hmac_t64(chal, len, v2hash, MD5dlen, nil, nil); hmac_t64(blip, Bliplen, v2hash, MD5dlen, lm_hmac, ds); ap->len[0] = MD5dlen+Bliplen; ap->resp[0] = emalloc9p(ap->len[0]); memcpy(ap->resp[0], lm_hmac, MD5dlen); memcpy(ap->resp[0]+MD5dlen, blip, Bliplen); /* LM v2 session key */ hmac_t64(lm_hmac, MD5dlen, v2hash, MD5dlen, lm_sesskey, nil); /* LM v2 MAC key */ ap->mackey[0] = emalloc9p(MACkeylen); memcpy(ap->mackey[0], lm_sesskey, MD5dlen); memcpy(ap->mackey[0]+MD5dlen, ap->resp[0], MACkeylen-MD5dlen); /* NTLM v2 */ n = ntv2_blob(blob, sizeof blob, windom); ds = hmac_t64(chal, len, v2hash, MD5dlen, nil, nil); hmac_t64(blob, n, v2hash, MD5dlen, nt_hmac, ds); ap->len[1] = MD5dlen+n; ap->resp[1] = emalloc9p(ap->len[1]); memcpy(ap->resp[1], nt_hmac, MD5dlen); memcpy(ap->resp[1]+MD5dlen, blob, n); /* * v2hash definitely OK by * the time we get here. */ /* NTLM v2 session key */ hmac_t64(nt_hmac, MD5dlen, v2hash, MD5dlen, nt_sesskey, nil); /* NTLM v2 MAC key */ ap->mackey[1] = emalloc9p(MACkeylen); memcpy(ap->mackey[1], nt_sesskey, MD5dlen); memcpy(ap->mackey[1]+MD5dlen, ap->resp[1], MACkeylen-MD5dlen); free(up); return ap; } struct { char *name; Auth *(*func)(char *, char *, uchar *, int); } methods[] = { { "plain", auth_plain }, { "lm+ntlm", auth_lm_and_ntlm }, { "ntlm", auth_ntlm }, { "ntlmv2", auth_ntlmv2 }, // { "kerberos", auth_kerberos }, }; void autherr(void) { int i; fprint(2, "supported auth methods:\t"); for(i = 0; i < nelem(methods); i++) fprint(2, "%s ", methods[i].name); fprint(2, "\n"); exits("usage"); } Auth * getauth(char *name, char *windom, char *keyp, int secmode, uchar *chal, int len) { int i; Auth *ap; if(name == nil){ name = DEF_AUTH; if((secmode & SECMODE_PW_ENCRYPT) == 0) sysfatal("plaintext authentication required, use '-a plain'"); } ap = nil; for(i = 0; i < nelem(methods); i++) if(strcmp(methods[i].name, name) == 0){ ap = methods[i].func(windom, keyp, chal, len); break; } if(! ap){ fprint(2, "%s: %s - unknown auth method\n", argv0, name); autherr(); /* never returns */ } return ap; } static int genmac(uchar *buf, int len, int seq, uchar key[MACkeylen], uchar ours[MAClen]) { DigestState *ds; uchar *sig, digest[MD5dlen], theirs[MAClen]; sig = buf+MACoff; memcpy(theirs, sig, MAClen); memset(sig, 0, MAClen); sig[0] = seq; sig[1] = seq >> 8; sig[2] = seq >> 16; sig[3] = seq >> 24; ds = md5(key, MACkeylen, nil, nil); md5(buf, len, digest, ds); memcpy(ours, digest, MAClen); return memcmp(theirs, ours, MAClen); } int macsign(Pkt *p, int seq) { int rc, len; uchar *sig, *buf, mac[MAClen]; sig = p->buf + NBHDRLEN + MACoff; buf = p->buf + NBHDRLEN; len = (p->pos - p->buf) - NBHDRLEN; #ifdef DEBUG_MAC if(seq & 1) dmp("rx", seq, sig, MAClen); #endif rc = 0; if(! p->s->seqrun) memcpy(mac, "BSRSPYL ", 8); /* no idea, ask MS */ else rc = genmac(buf, len, seq, p->s->auth->mackey[0], mac); #ifdef DEBUG_MAC if(!(seq & 1)) dmp("tx", seq, mac, MAClen); #endif memcpy(sig, mac, MAClen); return rc; }