2 Unix SMB/Netbios implementation.
4 NT Domain Authentication SMB / MSRPC client
5 Copyright (C) Andrew Tridgell 1994-1997
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
/* Global debug verbosity; the DEBUG(5, ...) calls in this file key off it. */
32 extern int DEBUGLEVEL;
/* The already-authenticated SMB session shared by every cmd_sam_* routine
 * below.  Its stored credentials (smb_cli->pwd, smb_cli->user_name) are the
 * identity the SAMR calls run as, and the password change below reads the
 * old hashes from it. */
36 extern struct cli_state *smb_cli;
41 /****************************************************************************
43 ****************************************************************************/
44 void cmd_sam_ntchange_pwd(struct client_info *info)
60 sid_to_string(sid, &info->dom.level5_sid);
61 fstrcpy(domain, info->dom.level5_dom);
63 fstrcpy(srv_name, "\\\\");
64 fstrcat(srv_name, info->dest_host);
67 fprintf(out_hnd, "SAM NT Password Change\n");
70 struct pwd_info new_pwd;
71 pwd_read(&new_pwd, "New Password (ONCE: this is test code!):", True);
73 new_passwd = (char*)getpass("New Password (ONCE ONLY - get it right :-)");
75 nt_lm_owf_gen(new_passwd, lm_newhash, nt_newhash);
76 pwd_get_lm_nt_16(&(smb_cli->pwd), lm_oldhash, nt_oldhash );
77 make_oem_passwd_hash(nt_newpass, new_passwd, nt_oldhash, True);
78 make_oem_passwd_hash(lm_newpass, new_passwd, lm_oldhash, True);
79 E_old_pw_hash(lm_newhash, lm_oldhash, lm_hshhash);
80 E_old_pw_hash(lm_newhash, nt_oldhash, nt_hshhash);
82 cli_nt_set_ntlmssp_flgs(smb_cli,
83 NTLMSSP_NEGOTIATE_UNICODE |
84 NTLMSSP_NEGOTIATE_OEM |
85 NTLMSSP_NEGOTIATE_SIGN |
86 NTLMSSP_NEGOTIATE_SEAL |
87 NTLMSSP_NEGOTIATE_LM_KEY |
88 NTLMSSP_NEGOTIATE_NTLM |
89 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
90 NTLMSSP_NEGOTIATE_00001000 |
91 NTLMSSP_NEGOTIATE_00002000);
93 /* open SAMR session. */
94 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
96 /* establish a connection. */
97 res = res ? do_samr_unknown_38(smb_cli, srv_name) : False;
99 /* establish a connection. */
100 res = res ? do_samr_chgpasswd_user(smb_cli,
101 srv_name, smb_cli->user_name,
102 nt_newpass, nt_hshhash,
103 lm_newpass, lm_hshhash) : False;
104 /* close the session */
105 cli_nt_session_close(smb_cli);
109 fprintf(out_hnd, "NT Password changed OK\n");
113 fprintf(out_hnd, "NT Password change FAILED\n");
118 /****************************************************************************
119 experimental SAM encryted rpc test connection
120 ****************************************************************************/
121 void cmd_sam_test(struct client_info *info)
128 sid_to_string(sid, &info->dom.level5_sid);
129 fstrcpy(domain, info->dom.level5_dom);
132 if (strlen(sid) == 0)
134 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
138 fstrcpy(srv_name, "\\\\");
139 fstrcat(srv_name, info->dest_host);
142 fprintf(out_hnd, "SAM Encryption Test\n");
144 cli_nt_set_ntlmssp_flgs(smb_cli,
145 NTLMSSP_NEGOTIATE_UNICODE |
146 NTLMSSP_NEGOTIATE_OEM |
147 NTLMSSP_NEGOTIATE_SIGN |
148 NTLMSSP_NEGOTIATE_SEAL |
149 NTLMSSP_NEGOTIATE_LM_KEY |
150 NTLMSSP_NEGOTIATE_NTLM |
151 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
152 NTLMSSP_NEGOTIATE_00001000 |
153 NTLMSSP_NEGOTIATE_00002000);
155 /* open SAMR session. */
156 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
158 /* establish a connection. */
159 res = res ? do_samr_unknown_38(smb_cli, srv_name) : False;
161 /* close the session */
162 cli_nt_session_close(smb_cli);
166 DEBUG(5,("cmd_sam_test: succeeded\n"));
170 DEBUG(5,("cmd_sam_test: failed\n"));
175 /****************************************************************************
176 experimental SAM users enum.
177 ****************************************************************************/
178 void cmd_sam_enum_users(struct client_info *info)
186 BOOL request_user_info = False;
187 BOOL request_group_info = False;
188 BOOL request_alias_info = False;
189 uint16 num_entries = 0;
193 uint32 admin_rid = 0x304; /* absolutely no idea. */
197 sid_copy(&sid1, &info->dom.level5_sid);
198 sid_to_string(sid, &sid1);
199 fstrcpy(domain, info->dom.level5_dom);
201 if (sid1.num_auths == 0)
203 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
208 fstrcpy(srv_name, "\\\\");
209 fstrcat(srv_name, info->dest_host);
212 for (i = 0; i < 3; i++)
214 /* a bad way to do token parsing... */
215 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
217 request_user_info |= strequal(tmp, "-u");
218 request_group_info |= strequal(tmp, "-g");
219 request_alias_info |= strequal(tmp, "-a");
224 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
226 num_entries = (uint16)strtol(tmp, (char**)NULL, 16);
229 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
231 unk_0 = (uint16)strtol(tmp, (char**)NULL, 16);
234 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
236 acb_mask = (uint16)strtol(tmp, (char**)NULL, 16);
239 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
241 unk_1 = (uint16)strtol(tmp, (char**)NULL, 16);
245 fprintf(out_hnd, "SAM Enumerate Users\n");
246 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
247 info->myhostname, srv_name, domain, sid);
250 DEBUG(5,("Number of entries:%d unk_0:%04x acb_mask:%04x unk_1:%04x\n",
251 num_entries, unk_0, acb_mask, unk_1));
254 /* open SAMR session. negotiate credentials */
255 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
257 /* establish a connection. */
258 res = res ? do_samr_connect(smb_cli,
259 srv_name, 0x00000020,
260 &info->dom.samr_pol_connect) : False;
262 /* connect to the domain */
263 res = res ? do_samr_open_domain(smb_cli,
264 &info->dom.samr_pol_connect, admin_rid, &sid1,
265 &info->dom.samr_pol_open_domain) : False;
267 /* read some users */
268 res = res ? do_samr_enum_dom_users(smb_cli,
269 &info->dom.samr_pol_open_domain,
270 num_entries, unk_0, acb_mask, unk_1, 0xffff,
271 &info->dom.sam, &info->dom.num_sam_entries) : False;
273 if (res && info->dom.num_sam_entries == 0)
275 fprintf(out_hnd, "No users\n");
278 if (request_user_info || request_group_info || request_alias_info)
280 /* query all the users */
283 while (res && user_idx < info->dom.num_sam_entries)
285 uint32 user_rid = info->dom.sam[user_idx].user_rid;
286 SAM_USER_INFO_21 usr;
288 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
290 info->dom.sam[user_idx].acct_name);
292 if (request_user_info)
294 /* send user info query, level 0x15 */
295 if (get_samr_query_userinfo(smb_cli,
296 &info->dom.samr_pol_open_domain,
297 0x15, user_rid, &usr))
299 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
300 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
301 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
305 if (request_group_info)
308 DOM_GID gid[LSA_MAX_GROUPS];
310 /* send user group query */
311 if (get_samr_query_usergroups(smb_cli,
312 &info->dom.samr_pol_open_domain,
313 user_rid, &num_groups, gid))
315 display_group_rid_info(out_hnd, ACTION_HEADER , num_groups, gid);
316 display_group_rid_info(out_hnd, ACTION_ENUMERATE, num_groups, gid);
317 display_group_rid_info(out_hnd, ACTION_FOOTER , num_groups, gid);
321 if (request_alias_info)
324 uint32 rid[LSA_MAX_GROUPS];
327 sid_copy(&als_sid, &sid1);
328 sid_append_rid(&als_sid, user_rid);
330 /* send user alias query */
331 if (do_samr_query_useraliases(smb_cli,
332 &info->dom.samr_pol_open_domain,
333 &als_sid, &num_aliases, rid))
335 display_alias_rid_info(out_hnd, ACTION_HEADER , &als_sid, num_aliases, rid);
336 display_alias_rid_info(out_hnd, ACTION_ENUMERATE, &als_sid, num_aliases, rid);
337 display_alias_rid_info(out_hnd, ACTION_FOOTER , &als_sid, num_aliases, rid);
345 res = res ? do_samr_close(smb_cli,
346 &info->dom.samr_pol_open_domain) : False;
348 res = res ? do_samr_close(smb_cli,
349 &info->dom.samr_pol_connect) : False;
351 /* close the session */
352 cli_nt_session_close(smb_cli);
354 if (info->dom.sam != NULL)
361 DEBUG(5,("cmd_sam_enum_users: succeeded\n"));
365 DEBUG(5,("cmd_sam_enum_users: failed\n"));
370 /****************************************************************************
371 experimental SAM user query.
372 ****************************************************************************/
373 void cmd_sam_query_user(struct client_info *info)
379 int user_idx = 0; /* FIXME maybe ... */
381 uint32 admin_rid = 0x304; /* absolutely no idea. */
385 uint32 info_level = 0x15;
387 SAM_USER_INFO_21 usr;
389 sid_to_string(sid, &info->dom.level5_sid);
390 fstrcpy(domain, info->dom.level5_dom);
392 if (strlen(sid) == 0)
394 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
398 string_to_sid(&sid1, sid);
400 fstrcpy(srv_name, "\\\\");
401 fstrcat(srv_name, info->dest_host);
404 if (next_token(NULL, rid_str , NULL, sizeof(rid_str )) &&
405 next_token(NULL, info_str, NULL, sizeof(info_str)))
407 user_rid = (uint32)strtol(rid_str , (char**)NULL, 16);
408 info_level = (uint32)strtol(info_str, (char**)NULL, 10);
411 fprintf(out_hnd, "SAM Query User: rid %x info level %d\n",
412 user_rid, info_level);
413 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
414 info->myhostname, srv_name, domain, sid);
416 /* open SAMR session. negotiate credentials */
417 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
419 /* establish a connection. */
420 res = res ? do_samr_connect(smb_cli,
421 srv_name, 0x00000020,
422 &info->dom.samr_pol_connect) : False;
424 /* connect to the domain */
425 res = res ? do_samr_open_domain(smb_cli,
426 &info->dom.samr_pol_connect, admin_rid, &sid1,
427 &info->dom.samr_pol_open_domain) : False;
429 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
431 info->dom.sam[user_idx].acct_name);
433 /* send user info query, level */
434 if (get_samr_query_userinfo(smb_cli,
435 &info->dom.samr_pol_open_domain,
436 info_level, user_rid, &usr))
438 if (info_level == 0x15)
440 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
441 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
442 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
446 res = res ? do_samr_close(smb_cli,
447 &info->dom.samr_pol_connect) : False;
449 res = res ? do_samr_close(smb_cli,
450 &info->dom.samr_pol_open_domain) : False;
452 /* close the session */
453 cli_nt_session_close(smb_cli);
457 DEBUG(5,("cmd_sam_query_user: succeeded\n"));
461 DEBUG(5,("cmd_sam_query_user: failed\n"));
466 /****************************************************************************
467 experimental SAM groups query.
468 ****************************************************************************/
469 void cmd_sam_query_groups(struct client_info *info)
477 uint32 switch_value = 2;
478 uint32 admin_rid = 0x304; /* absolutely no idea. */
480 sid_to_string(sid, &info->dom.level5_sid);
481 fstrcpy(domain, info->dom.level5_dom);
483 if (strlen(sid) == 0)
485 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
489 string_to_sid(&sid1, sid);
491 fstrcpy(srv_name, "\\\\");
492 fstrcat(srv_name, info->dest_host);
495 if (next_token(NULL, info_str, NULL, sizeof(info_str)))
497 switch_value = (uint32)strtol(info_str, (char**)NULL, 10);
500 fprintf(out_hnd, "SAM Query Groups: info level %d\n", switch_value);
501 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
502 info->myhostname, srv_name, domain, sid);
504 /* open SAMR session. negotiate credentials */
505 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
507 /* establish a connection. */
508 res = res ? do_samr_connect(smb_cli,
509 srv_name, 0x00000020,
510 &info->dom.samr_pol_connect) : False;
512 /* connect to the domain */
513 res = res ? do_samr_open_domain(smb_cli,
514 &info->dom.samr_pol_connect, admin_rid, &sid1,
515 &info->dom.samr_pol_open_domain) : False;
517 /* send a samr 0x8 command */
518 res = res ? do_samr_query_dom_info(smb_cli,
519 &info->dom.samr_pol_open_domain, switch_value) : False;
521 res = res ? do_samr_close(smb_cli,
522 &info->dom.samr_pol_connect) : False;
524 res = res ? do_samr_close(smb_cli,
525 &info->dom.samr_pol_open_domain) : False;
527 /* close the session */
528 cli_nt_session_close(smb_cli);
532 DEBUG(5,("cmd_sam_query_groups: succeeded\n"));
536 DEBUG(5,("cmd_sam_query_groups: failed\n"));
541 /****************************************************************************
542 experimental SAM aliases query.
543 ****************************************************************************/
544 void cmd_sam_enum_aliases(struct client_info *info)
551 BOOL request_user_info = False;
552 BOOL request_alias_info = False;
553 uint32 admin_rid = 0x304; /* absolutely no idea. */
556 uint32 num_aliases = 3;
557 uint32 alias_rid[3] = { DOMAIN_GROUP_RID_ADMINS, DOMAIN_GROUP_RID_USERS, DOMAIN_GROUP_RID_GUESTS };
558 fstring alias_names [3];
559 uint32 num_als_usrs[3];
561 sid_to_string(sid, &info->dom.level3_sid);
562 fstrcpy(domain, info->dom.level3_dom);
564 fstrcpy(sid , "S-1-5-20");
566 if (strlen(sid) == 0)
568 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
572 string_to_sid(&sid1, sid);
574 fstrcpy(srv_name, "\\\\");
575 fstrcat(srv_name, info->dest_host);
578 /* a bad way to do token parsing... */
579 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
581 request_user_info |= strequal(tmp, "-u");
582 request_alias_info |= strequal(tmp, "-g");
585 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
587 request_user_info |= strequal(tmp, "-u");
588 request_alias_info |= strequal(tmp, "-g");
591 fprintf(out_hnd, "SAM Enumerate Aliases\n");
592 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
593 info->myhostname, srv_name, domain, sid);
595 /* open SAMR session. negotiate credentials */
596 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
598 /* establish a connection. */
599 res = res ? do_samr_connect(smb_cli,
600 srv_name, 0x00000020,
601 &info->dom.samr_pol_connect) : False;
603 /* connect to the domain */
604 res = res ? do_samr_open_domain(smb_cli,
605 &info->dom.samr_pol_connect, admin_rid, &sid1,
606 &info->dom.samr_pol_open_domain) : False;
608 /* send a query on the aliases */
609 res = res ? do_samr_query_unknown_12(smb_cli,
610 &info->dom.samr_pol_open_domain, admin_rid, num_aliases, alias_rid,
611 &num_aliases, alias_names, num_als_usrs) : False;
615 display_alias_name_info(out_hnd, ACTION_HEADER , num_aliases, alias_names, num_als_usrs);
616 display_alias_name_info(out_hnd, ACTION_ENUMERATE, num_aliases, alias_names, num_als_usrs);
617 display_alias_name_info(out_hnd, ACTION_FOOTER , num_aliases, alias_names, num_als_usrs);
622 /* read some users */
623 res = res ? do_samr_enum_dom_users(smb_cli,
624 &info->dom.samr_pol_open_domain,
625 num_entries, unk_0, acb_mask, unk_1, 0xffff,
626 info->dom.sam, &info->dom.num_sam_entries) : False;
628 if (res && info->dom.num_sam_entries == 0)
630 fprintf(out_hnd, "No users\n");
633 if (request_user_info || request_alias_info)
635 /* query all the users */
638 while (res && user_idx < info->dom.num_sam_entries)
640 uint32 user_rid = info->dom.sam[user_idx].user_rid;
641 SAM_USER_INFO_21 usr;
643 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
645 info->dom.sam[user_idx].acct_name);
647 if (request_user_info)
649 /* send user info query, level 0x15 */
650 if (get_samr_query_userinfo(smb_cli,
651 &info->dom.samr_pol_open_domain,
652 0x15, user_rid, &usr))
654 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
655 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
656 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
660 if (request_alias_info)
663 DOM_GID gid[LSA_MAX_GROUPS];
665 /* send user aliase query */
666 if (get_samr_query_useraliases(smb_cli,
667 &info->dom.samr_pol_open_domain,
668 user_rid, &num_aliases, gid))
670 display_alias_info(out_hnd, ACTION_HEADER , num_aliases, gid);
671 display_alias_info(out_hnd, ACTION_ENUMERATE, num_aliases, gid);
672 display_alias_info(out_hnd, ACTION_FOOTER , num_aliases, gid);
681 res = res ? do_samr_close(smb_cli,
682 &info->dom.samr_pol_connect) : False;
684 res = res ? do_samr_close(smb_cli,
685 &info->dom.samr_pol_open_domain) : False;
687 /* close the session */
688 cli_nt_session_close(smb_cli);
692 DEBUG(5,("cmd_sam_enum_users: succeeded\n"));
696 DEBUG(5,("cmd_sam_enum_users: failed\n"));