2 Unix SMB/Netbios implementation.
4 NT Domain Authentication SMB / MSRPC client
5 Copyright (C) Andrew Tridgell 1994-1997
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
32 extern int DEBUGLEVEL;
36 extern struct cli_state *smb_cli;
41 /****************************************************************************
43 ****************************************************************************/
44 void cmd_sam_ntchange_pwd(struct client_info *info)
/* Change the logged-in user's NT password over the SAMR pipe.
 *
 * Flow: build the password-change blobs from the new plaintext and the
 * old LM/NT hashes held in smb_cli->pwd, open a signed+sealed SAMR
 * session, issue the change request, close the session and report.
 *
 * NOTE(review): this listing omits the declaration and brace lines of the
 * function, so the types of res, new_passwd and the *hash/*newpass buffers
 * are taken from their usage below rather than from visible declarations. */
60 sid_to_string(sid, &info->dom.level5_sid);
61 fstrcpy(domain, info->dom.level5_dom);
/* target server as a UNC name: \\<dest_host> */
63 fstrcpy(srv_name, "\\\\");
64 fstrcat(srv_name, info->dest_host);
67 fprintf(out_hnd, "SAM NT Password Change\n");
/* The new password is prompted for twice: once through pwd_read() into
 * new_pwd, which is not referenced again in the lines shown, and once
 * through getpass(). getpass() returns a pointer to storage owned by the C
 * library, so the plaintext remains readable in process memory until that
 * storage is reused or overwritten. */
70 struct pwd_info new_pwd;
71 pwd_read(&new_pwd, "New Password (ONCE: this is test code!):", True);
73 new_passwd = (char*)getpass("New Password (ONCE ONLY - get it right :-)");
/* Derive the LM and NT one-way hashes of the new password, fetch the
 * old hashes from the client session, and build the two 516-byte-style
 * OEM blobs from (new plaintext, old hash). The E_old_pw_hash() calls
 * produce the hash-of-hash values that accompany the blobs.
 *
 * NOTE(review): line 80 feeds lm_newhash into the NT hash-of-hash while
 * nt_newhash (computed on line 75) is never used in the lines shown; the
 * NT value was presumably meant to be E_old_pw_hash(nt_newhash, nt_oldhash,
 * nt_hshhash) - confirm against the protocol before changing.
 *
 * NOTE(review): none of new_passwd, lm_newhash, nt_newhash, lm_oldhash,
 * nt_oldhash or the *newpass blobs is wiped after the request is sent in
 * the lines shown; an explicit overwrite before returning would limit how
 * long the old and new credentials linger on the stack. */
75 nt_lm_owf_gen(new_passwd, lm_newhash, nt_newhash);
76 pwd_get_lm_nt_16(&(smb_cli->pwd), lm_oldhash, nt_oldhash );
77 make_oem_passwd_hash(nt_newpass, new_passwd, nt_oldhash, True);
78 make_oem_passwd_hash(lm_newpass, new_passwd, lm_oldhash, True);
79 E_old_pw_hash(lm_newhash, lm_oldhash, lm_hshhash);
80 E_old_pw_hash(lm_newhash, nt_oldhash, nt_hshhash);
/* Request NTLMSSP signing and sealing for the pipe so the password blobs
 * do not travel in the clear. The two numeric flags are unnamed here. */
82 cli_nt_set_ntlmssp_flgs(smb_cli,
83 NTLMSSP_NEGOTIATE_UNICODE |
84 NTLMSSP_NEGOTIATE_OEM |
85 NTLMSSP_NEGOTIATE_SIGN |
86 NTLMSSP_NEGOTIATE_SEAL |
87 NTLMSSP_NEGOTIATE_LM_KEY |
88 NTLMSSP_NEGOTIATE_NTLM |
89 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
90 NTLMSSP_NEGOTIATE_00001000 |
91 NTLMSSP_NEGOTIATE_00002000);
/* Each step runs only if every earlier step succeeded (res chains). */
93 /* open SAMR session. */
94 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
96 /* establish a connection. */
97 res = res ? do_samr_unknown_38(smb_cli, srv_name) : False;
99 /* send the password change: both blobs and both hash-of-hash values in one request. */
100 res = res ? do_samr_chgpasswd_user(smb_cli,
101 srv_name, smb_cli->user_name,
102 nt_newpass, nt_hshhash,
103 lm_newpass, lm_hshhash) : False;
104 /* close the session (unconditionally, even if an earlier step failed) */
105 cli_nt_session_close(smb_cli);
/* Report the outcome; the if/else that selects between these two lines
 * is not shown in this listing. */
109 fprintf(out_hnd, "NT Password changed OK\n");
113 fprintf(out_hnd, "NT Password change FAILED\n");
118 /****************************************************************************
119 experimental SAM encrypted rpc test connection
120 ****************************************************************************/
121 void cmd_sam_test(struct client_info *info)
/* Connectivity test for the signed+sealed SAMR session: open the pipe,
 * issue the same initial request the password-change command sends
 * (do_samr_unknown_38) and close again. Nothing is changed on the server.
 *
 * NOTE(review): declaration and brace lines are omitted from this
 * listing; res is assumed to start as True from the chaining below. */
128 sid_to_string(sid, &info->dom.level5_sid);
129 fstrcpy(domain, info->dom.level5_dom);
/* A domain SID must already have been fetched into info->dom (lsaquery);
 * bail out with a hint otherwise. The return that follows the message
 * is not shown here. */
132 if (strlen(sid) == 0)
134 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
138 fstrcpy(srv_name, "\\\\");
139 fstrcat(srv_name, info->dest_host);
142 fprintf(out_hnd, "SAM Encryption Test\n");
/* Same NTLMSSP flag set as cmd_sam_ntchange_pwd: sign and seal the pipe. */
144 cli_nt_set_ntlmssp_flgs(smb_cli,
145 NTLMSSP_NEGOTIATE_UNICODE |
146 NTLMSSP_NEGOTIATE_OEM |
147 NTLMSSP_NEGOTIATE_SIGN |
148 NTLMSSP_NEGOTIATE_SEAL |
149 NTLMSSP_NEGOTIATE_LM_KEY |
150 NTLMSSP_NEGOTIATE_NTLM |
151 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
152 NTLMSSP_NEGOTIATE_00001000 |
153 NTLMSSP_NEGOTIATE_00002000);
155 /* open SAMR session. */
156 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
158 /* establish a connection. */
159 res = res ? do_samr_unknown_38(smb_cli, srv_name) : False;
161 /* close the session */
162 cli_nt_session_close(smb_cli);
/* Result goes to the debug log only; the if/else is not shown here. */
166 DEBUG(5,("cmd_sam_test: succeeded\n"));
170 DEBUG(5,("cmd_sam_test: failed\n"));
175 /****************************************************************************
176 experimental SAM users enum.
177 ****************************************************************************/
178 void cmd_sam_enum_users(struct client_info *info)
/* Enumerate the users of the domain whose SID was fetched by lsaquery and,
 * per command-line flag, query each user's info (-u), group RIDs (-g) and
 * alias RIDs (-a) in both the domain and the BUILTIN (S-1-5-32) domain.
 *
 * Remaining tokens are optional hex values: num_entries, unk_0, acb_mask,
 * unk_1, passed through to the enumeration request.
 *
 * NOTE(review): declaration and brace lines are omitted from this listing;
 * sid1, sid_1_5_20, als_sid, tmp, i, user_idx, unk_0, unk_1, acb_mask,
 * num_groups, num_aliases, res and res1 are inferred from their use. */
188 BOOL request_user_info = False;
189 BOOL request_group_info = False;
190 BOOL request_alias_info = False;
191 uint16 num_entries = 0;
/* Passed as the third argument of do_samr_open_domain; its meaning is
 * not established anywhere in this file (original author's comment). */
195 uint32 admin_rid = 0x304; /* absolutely no idea. */
199 sid_copy(&sid1, &info->dom.level5_sid);
200 sid_to_string(sid, &sid1);
201 fstrcpy(domain, info->dom.level5_dom);
/* Unlike the other commands in this file, which test strlen(sid), this
 * one tests the sub-authority count of the copied SID. */
203 if (sid1.num_auths == 0)
205 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
210 fstrcpy(srv_name, "\\\\");
211 fstrcat(srv_name, info->dest_host);
/* Up to three leading flag tokens, in any order. */
214 for (i = 0; i < 3; i++)
216 /* a bad way to do token parsing... */
217 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
219 request_user_info |= strequal(tmp, "-u");
220 request_group_info |= strequal(tmp, "-g");
221 request_alias_info |= strequal(tmp, "-a");
/* Optional hex parameters. strtol() is called without endptr/errno
 * checks and the result is truncated to uint16, so a malformed or
 * out-of-range token silently becomes 0 or a wrapped value. Input comes
 * from the interactive operator, not from the network. */
230 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
232 num_entries = (uint16)strtol(tmp, (char**)NULL, 16);
235 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
237 unk_0 = (uint16)strtol(tmp, (char**)NULL, 16);
240 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
242 acb_mask = (uint16)strtol(tmp, (char**)NULL, 16);
245 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
247 unk_1 = (uint16)strtol(tmp, (char**)NULL, 16);
/* BUILTIN domain SID; the comments below call it "S-1-5-20" but the
 * literal used is S-1-5-32. */
251 string_to_sid(&sid_1_5_20, "S-1-5-32");
253 fprintf(out_hnd, "SAM Enumerate Users\n");
254 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
255 info->myhostname, srv_name, domain, sid);
258 DEBUG(5,("Number of entries:%d unk_0:%04x acb_mask:%04x unk_1:%04x\n",
259 num_entries, unk_0, acb_mask, unk_1));
/* Each step runs only if every earlier step succeeded (res chains). */
262 /* open SAMR session. negotiate credentials */
263 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
265 /* establish a connection. */
266 res = res ? do_samr_connect(smb_cli,
267 srv_name, 0x00000020,
268 &info->dom.samr_pol_connect) : False;
270 /* connect to the domain */
271 res = res ? do_samr_open_domain(smb_cli,
272 &info->dom.samr_pol_connect, admin_rid, &sid1,
273 &info->dom.samr_pol_open_domain) : False;
/* The BUILTIN handle is tracked separately in res1 so a failure here does
 * not abort the main enumeration; it only disables the BUILTIN alias query. */
275 /* connect to the S-1-5-20 domain */
276 res1 = res ? do_samr_open_domain(smb_cli,
277 &info->dom.samr_pol_connect, admin_rid, &sid_1_5_20,
278 &info->dom.samr_pol_open_builtindom) : False;
/* Fills info->dom.sam / num_sam_entries. NOTE(review): &info->dom.sam is
 * passed here, whereas cmd_sam_enum_aliases passes info->dom.sam to the
 * same function - confirm the parameter type; one of the two callers is
 * wrong. The buffer is presumably allocated by the callee and released
 * near line 373 below. */
280 /* read some users */
281 res = res ? do_samr_enum_dom_users(smb_cli,
282 &info->dom.samr_pol_open_domain,
283 num_entries, unk_0, acb_mask, unk_1, 0xffff,
284 &info->dom.sam, &info->dom.num_sam_entries) : False;
286 if (res && info->dom.num_sam_entries == 0)
288 fprintf(out_hnd, "No users\n");
/* Per-user detail queries; the loop stops early if res is cleared. */
291 /* query all the users */
292 for (user_idx = 0; res && user_idx < info->dom.num_sam_entries; user_idx++)
294 uint32 user_rid = info->dom.sam[user_idx].user_rid;
295 SAM_USER_INFO_21 usr;
/* The user_rid argument on line 298 is not shown in this listing. */
297 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
299 info->dom.sam[user_idx].acct_name);
301 if (request_user_info)
303 /* send user info query, level 0x15 */
304 if (get_samr_query_userinfo(smb_cli,
305 &info->dom.samr_pol_open_domain,
306 0x15, user_rid, &usr))
308 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
309 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
310 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
314 if (request_group_info)
/* Fixed-size stack array filled from the server's reply; the bound on
 * num_groups against LSA_MAX_GROUPS must be enforced inside
 * get_samr_query_usergroups(), which is not visible here - confirm. */
317 DOM_GID gid[LSA_MAX_GROUPS];
319 /* send user group query */
320 if (get_samr_query_usergroups(smb_cli,
321 &info->dom.samr_pol_open_domain,
322 user_rid, &num_groups, gid))
324 display_group_rid_info(out_hnd, ACTION_HEADER , num_groups, gid);
325 display_group_rid_info(out_hnd, ACTION_ENUMERATE, num_groups, gid);
326 display_group_rid_info(out_hnd, ACTION_FOOTER , num_groups, gid);
330 if (request_alias_info)
/* Same remark as for gid[]: rid[] is server-filled and bounded only by
 * the callee. */
333 uint32 rid[LSA_MAX_GROUPS];
/* Alias lookups take the user's full SID (domain SID + RID). */
336 sid_copy(&als_sid, &sid1);
337 sid_append_rid(&als_sid, user_rid);
339 /* send user alias query */
340 if (do_samr_query_useraliases(smb_cli,
341 &info->dom.samr_pol_open_domain,
342 &als_sid, &num_aliases, rid))
344 display_alias_rid_info(out_hnd, ACTION_HEADER , &sid1, num_aliases, rid);
345 display_alias_rid_info(out_hnd, ACTION_ENUMERATE, &sid1, num_aliases, rid);
346 display_alias_rid_info(out_hnd, ACTION_FOOTER , &sid1, num_aliases, rid);
/* Repeat against the BUILTIN domain handle, only if that open succeeded.
 * The same als_sid (built from the account domain SID) is used. */
349 /* send user alias query */
350 if (res1 && do_samr_query_useraliases(smb_cli,
351 &info->dom.samr_pol_open_builtindom,
352 &als_sid, &num_aliases, rid))
354 display_alias_rid_info(out_hnd, ACTION_HEADER , &sid_1_5_20, num_aliases, rid);
355 display_alias_rid_info(out_hnd, ACTION_ENUMERATE, &sid_1_5_20, num_aliases, rid);
356 display_alias_rid_info(out_hnd, ACTION_FOOTER , &sid_1_5_20, num_aliases, rid);
/* Release handles in reverse order of acquisition: BUILTIN, domain, connect.
 * A close is skipped once its res/res1 has been cleared by an earlier failure. */
361 res1 = res1 ? do_samr_close(smb_cli,
362 &info->dom.samr_pol_open_builtindom) : False;
364 res = res ? do_samr_close(smb_cli,
365 &info->dom.samr_pol_open_domain) : False;
367 res = res ? do_samr_close(smb_cli,
368 &info->dom.samr_pol_connect) : False;
370 /* close the session */
371 cli_nt_session_close(smb_cli);
/* Cleanup of the enumeration buffer; the body of this block (lines
 * 374-379) is not shown in this listing. */
373 if (info->dom.sam != NULL)
/* Result goes to the debug log only; the if/else is not shown here. */
380 DEBUG(5,("cmd_sam_enum_users: succeeded\n"));
384 DEBUG(5,("cmd_sam_enum_users: failed\n"));
389 /****************************************************************************
390 experimental SAM user query.
391 ****************************************************************************/
392 void cmd_sam_query_user(struct client_info *info)
/* Query one user by RID: "<rid-hex> <info-level-dec>". Opens a SAMR
 * session to the lsaquery'd domain, fetches the requested info level and
 * displays it when the level is 0x15.
 *
 * NOTE(review): declaration and brace lines are omitted from this listing;
 * sid, sid1, domain, srv_name, rid_str, info_str, user_rid and res are
 * inferred from their use, and the initial value of user_rid (used when no
 * arguments are given) is not visible. */
/* Only sam[0] is ever printed below, regardless of the RID requested. */
398 int user_idx = 0; /* FIXME maybe ... */
400 uint32 admin_rid = 0x304; /* absolutely no idea. */
404 uint32 info_level = 0x15;
406 SAM_USER_INFO_21 usr;
408 sid_to_string(sid, &info->dom.level5_sid);
409 fstrcpy(domain, info->dom.level5_dom);
411 if (strlen(sid) == 0)
413 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
417 string_to_sid(&sid1, sid);
419 fstrcpy(srv_name, "\\\\");
420 fstrcat(srv_name, info->dest_host);
/* Both arguments are required together; strtol() results are not checked
 * for trailing garbage or range, so a bad token silently yields 0. */
423 if (next_token(NULL, rid_str , NULL, sizeof(rid_str )) &&
424 next_token(NULL, info_str, NULL, sizeof(info_str)))
426 user_rid = (uint32)strtol(rid_str , (char**)NULL, 16);
427 info_level = (uint32)strtol(info_str, (char**)NULL, 10);
430 fprintf(out_hnd, "SAM Query User: rid %x info level %d\n",
431 user_rid, info_level);
432 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
433 info->myhostname, srv_name, domain, sid);
/* Each step runs only if every earlier step succeeded (res chains). */
435 /* open SAMR session. negotiate credentials */
436 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
438 /* establish a connection. */
439 res = res ? do_samr_connect(smb_cli,
440 srv_name, 0x00000020,
441 &info->dom.samr_pol_connect) : False;
443 /* connect to the domain */
444 res = res ? do_samr_open_domain(smb_cli,
445 &info->dom.samr_pol_connect, admin_rid, &sid1,
446 &info->dom.samr_pol_open_domain) : False;
/* NOTE(review): this dereferences info->dom.sam[0] unconditionally. That
 * buffer is only filled by a prior "enumerate users" run, which itself
 * tests info->dom.sam for NULL before freeing it; running this command
 * first looks like a NULL dereference, and the name printed belongs to
 * sam[0], not necessarily to user_rid. The user_rid argument on line 449
 * is not shown in this listing. */
448 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
450 info->dom.sam[user_idx].acct_name);
/* NOTE(review): in the lines shown this query is not guarded by res, so it
 * is attempted even when the session or domain open above failed. */
452 /* send user info query, level */
453 if (get_samr_query_userinfo(smb_cli,
454 &info->dom.samr_pol_open_domain,
455 info_level, user_rid, &usr))
/* Only level 0x15 has a display routine here; other levels are fetched
 * but not printed. */
457 if (info_level == 0x15)
459 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
460 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
461 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
/* Handles are closed connect-first here, the reverse of the order used
 * in cmd_sam_enum_users. */
465 res = res ? do_samr_close(smb_cli,
466 &info->dom.samr_pol_connect) : False;
468 res = res ? do_samr_close(smb_cli,
469 &info->dom.samr_pol_open_domain) : False;
471 /* close the session */
472 cli_nt_session_close(smb_cli);
/* Result goes to the debug log only; the if/else is not shown here. */
476 DEBUG(5,("cmd_sam_query_user: succeeded\n"));
480 DEBUG(5,("cmd_sam_query_user: failed\n"));
485 /****************************************************************************
486 experimental SAM groups query.
487 ****************************************************************************/
488 void cmd_sam_query_groups(struct client_info *info)
/* Query domain information from the lsaquery'd domain: "[info-level-dec]",
 * defaulting to level 2. Despite the name, the visible request is a
 * domain-info query (do_samr_query_dom_info), not a group enumeration.
 *
 * NOTE(review): declaration and brace lines are omitted from this listing;
 * sid, sid1, domain, srv_name, info_str and res are inferred from use. */
496 uint32 switch_value = 2;
497 uint32 admin_rid = 0x304; /* absolutely no idea. */
499 sid_to_string(sid, &info->dom.level5_sid);
500 fstrcpy(domain, info->dom.level5_dom);
501 if (strlen(sid) == 0)
504 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
508 string_to_sid(&sid1, sid);
510 fstrcpy(srv_name, "\\\\");
511 fstrcat(srv_name, info->dest_host);
/* Optional decimal level; strtol() result is unchecked, so a bad token
 * silently selects level 0. */
514 if (next_token(NULL, info_str, NULL, sizeof(info_str)))
516 switch_value = (uint32)strtol(info_str, (char**)NULL, 10);
519 fprintf(out_hnd, "SAM Query Groups: info level %d\n", switch_value);
520 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
521 info->myhostname, srv_name, domain, sid);
/* Each step runs only if every earlier step succeeded (res chains). */
523 /* open SAMR session. negotiate credentials */
524 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
526 /* establish a connection. */
527 res = res ? do_samr_connect(smb_cli,
528 srv_name, 0x00000020,
529 &info->dom.samr_pol_connect) : False;
531 /* connect to the domain */
532 res = res ? do_samr_open_domain(smb_cli,
533 &info->dom.samr_pol_connect, admin_rid, &sid1,
534 &info->dom.samr_pol_open_domain) : False;
/* Any output from the query is produced inside the callee. */
536 /* send a samr 0x8 command */
537 res = res ? do_samr_query_dom_info(smb_cli,
538 &info->dom.samr_pol_open_domain, switch_value) : False;
/* Handles closed connect-first, as in cmd_sam_query_user. */
540 res = res ? do_samr_close(smb_cli,
541 &info->dom.samr_pol_connect) : False;
543 res = res ? do_samr_close(smb_cli,
544 &info->dom.samr_pol_open_domain) : False;
546 /* close the session */
547 cli_nt_session_close(smb_cli);
/* Result goes to the debug log only; the if/else is not shown here. */
551 DEBUG(5,("cmd_sam_query_groups: succeeded\n"));
555 DEBUG(5,("cmd_sam_query_groups: failed\n"));
560 /****************************************************************************
561 experimental SAM aliases query.
562 ****************************************************************************/
563 void cmd_sam_enum_aliases(struct client_info *info)
/* Look up the names and member counts of three well-known aliases in the
 * S-1-5-20 domain, then enumerate that domain's users and, per flag, query
 * each user's info (-u) and alias membership (-g).
 *
 * NOTE(review): declaration and brace lines are omitted from this listing;
 * sid, sid1, domain, srv_name, tmp, user_idx, res and - critically -
 * num_entries, unk_0, acb_mask and unk_1 (used on line 644) are not
 * declared in any visible line of this function. */
570 BOOL request_user_info = False;
571 BOOL request_alias_info = False;
572 uint32 admin_rid = 0x304; /* absolutely no idea. */
/* Fixed-size result arrays for the three alias RIDs queried below. */
575 uint32 num_aliases = 3;
576 uint32 alias_rid[3] = { DOMAIN_GROUP_RID_ADMINS, DOMAIN_GROUP_RID_USERS, DOMAIN_GROUP_RID_GUESTS };
577 fstring alias_names [3];
578 uint32 num_als_usrs[3];
/* NOTE(review): sid is derived from level3_sid and then immediately
 * overwritten with the literal "S-1-5-20", so the strlen(sid) == 0 test
 * below can never be true and the lsaquery hint is unreachable; the
 * level3 SID is effectively unused here. */
580 sid_to_string(sid, &info->dom.level3_sid);
581 fstrcpy(domain, info->dom.level3_dom);
583 fstrcpy(sid , "S-1-5-20");
585 if (strlen(sid) == 0)
587 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
591 string_to_sid(&sid1, sid);
593 fstrcpy(srv_name, "\\\\");
594 fstrcat(srv_name, info->dest_host);
/* Up to two flag tokens. Note "-g" selects alias info here, whereas
 * cmd_sam_enum_users uses "-g" for groups and "-a" for aliases. */
597 /* a bad way to do token parsing... */
598 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
600 request_user_info |= strequal(tmp, "-u");
601 request_alias_info |= strequal(tmp, "-g");
604 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
606 request_user_info |= strequal(tmp, "-u");
607 request_alias_info |= strequal(tmp, "-g");
610 fprintf(out_hnd, "SAM Enumerate Aliases\n");
611 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
612 info->myhostname, srv_name, domain, sid);
/* Each step runs only if every earlier step succeeded (res chains). */
614 /* open SAMR session. negotiate credentials */
615 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
617 /* establish a connection. */
618 res = res ? do_samr_connect(smb_cli,
619 srv_name, 0x00000020,
620 &info->dom.samr_pol_connect) : False;
622 /* connect to the domain */
623 res = res ? do_samr_open_domain(smb_cli,
624 &info->dom.samr_pol_connect, admin_rid, &sid1,
625 &info->dom.samr_pol_open_domain) : False;
/* num_aliases is passed both as the input count and by address as the
 * output count, and alias_names/num_als_usrs hold exactly 3 entries.
 * NOTE(review): confirm that do_samr_query_unknown_12 caps the returned
 * count at the input count; the server's reply should not be able to
 * grow num_aliases past 3 before the display loops below use it. */
627 /* send a query on the aliases */
628 res = res ? do_samr_query_unknown_12(smb_cli,
629 &info->dom.samr_pol_open_domain, admin_rid, num_aliases, alias_rid,
630 &num_aliases, alias_names, num_als_usrs) : False;
/* The if (res) around these three calls is not shown in this listing. */
634 display_alias_name_info(out_hnd, ACTION_HEADER , num_aliases, alias_names, num_als_usrs);
635 display_alias_name_info(out_hnd, ACTION_ENUMERATE, num_aliases, alias_names, num_als_usrs);
636 display_alias_name_info(out_hnd, ACTION_FOOTER , num_aliases, alias_names, num_als_usrs);
/* NOTE(review): info->dom.sam is passed here, while cmd_sam_enum_users
 * passes &info->dom.sam to the same function - one of the two callers
 * has the wrong level of indirection; confirm the parameter type. The
 * four tuning arguments have no visible declaration in this function. */
641 /* read some users */
642 res = res ? do_samr_enum_dom_users(smb_cli,
643 &info->dom.samr_pol_open_domain,
644 num_entries, unk_0, acb_mask, unk_1, 0xffff,
645 info->dom.sam, &info->dom.num_sam_entries) : False;
647 if (res && info->dom.num_sam_entries == 0)
649 fprintf(out_hnd, "No users\n");
652 if (request_user_info || request_alias_info)
/* NOTE(review): the increment of user_idx is not in the lines shown
 * (692-699 are omitted); without it this loop would not terminate. */
654 /* query all the users */
657 while (res && user_idx < info->dom.num_sam_entries)
659 uint32 user_rid = info->dom.sam[user_idx].user_rid;
660 SAM_USER_INFO_21 usr;
/* The user_rid argument on line 663 is not shown in this listing. */
662 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
664 info->dom.sam[user_idx].acct_name);
666 if (request_user_info)
668 /* send user info query, level 0x15 */
669 if (get_samr_query_userinfo(smb_cli,
670 &info->dom.samr_pol_open_domain,
671 0x15, user_rid, &usr))
673 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
674 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
675 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
679 if (request_alias_info)
/* Server-filled fixed-size array; the bound against LSA_MAX_GROUPS must
 * come from the callee. This also reuses num_aliases, clobbering the
 * count from the alias-name query above. */
682 DOM_GID gid[LSA_MAX_GROUPS];
684 /* send user alias query */
685 if (get_samr_query_useraliases(smb_cli,
686 &info->dom.samr_pol_open_domain,
687 user_rid, &num_aliases, gid))
689 display_alias_info(out_hnd, ACTION_HEADER , num_aliases, gid);
690 display_alias_info(out_hnd, ACTION_ENUMERATE, num_aliases, gid);
691 display_alias_info(out_hnd, ACTION_FOOTER , num_aliases, gid);
/* Handles closed connect-first, as in cmd_sam_query_user. */
700 res = res ? do_samr_close(smb_cli,
701 &info->dom.samr_pol_connect) : False;
703 res = res ? do_samr_close(smb_cli,
704 &info->dom.samr_pol_open_domain) : False;
706 /* close the session */
707 cli_nt_session_close(smb_cli);
/* Result goes to the debug log only; the if/else is not shown here.
 * NOTE(review): both messages name cmd_sam_enum_users - a copy-paste
 * leftover that makes log output from this command misattributed. */
711 DEBUG(5,("cmd_sam_enum_users: succeeded\n"));
715 DEBUG(5,("cmd_sam_enum_users: failed\n"));