2 Unix SMB/Netbios implementation.
4 NT Domain Authentication SMB / MSRPC client
5 Copyright (C) Andrew Tridgell 1994-1997
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
/* Debug verbosity threshold consulted by the DEBUG() macros below; defined elsewhere in the tree. */
32 extern int DEBUGLEVEL;
/* The already-connected client state every command in this file issues its SAMR calls on. */
36 extern struct cli_state *smb_cli;
41 /****************************************************************************
Change the password of the user smb_cli is logged in as, over the SAMR pipe.
The new password is prompted for twice in the visible body (pwd_read(), then
getpass()); only the getpass() result feeds the hash computations below.
Outcome is reported on out_hnd; nothing is returned to the caller.
43 ****************************************************************************/
44 void cmd_sam_ntchange_pwd(struct client_info *info)
/* The opening brace and the local declarations (sid, domain, srv_name, res,
   new_passwd and the hash buffers) are on lines not shown in this listing. */
60 fstrcpy(sid , info->dom.level5_sid);
61 fstrcpy(domain, info->dom.level5_dom);
/* NOTE(review): sid and domain are copied here but not referenced anywhere
   else in the visible body. */
/* Build the UNC server name "\\host" from the configured destination host. */
63 fstrcpy(srv_name, "\\\\");
64 fstrcat(srv_name, info->dest_host);
67 fprintf(out_hnd, "SAM NT Password Change\n");
/* new_pwd is filled in but never used again in the visible body. */
70 struct pwd_info new_pwd;
71 pwd_read(&new_pwd, "New Password (ONCE: this is test code!):", True);
/* getpass() returns a pointer to a static buffer, so the cleartext new
   password remains in process memory after this function returns; nothing in
   the visible body clears that buffer or the derived hash buffers. */
73 new_passwd = (char*)getpass("New Password (ONCE ONLY - get it right :-)");
/* One-way hashes of the new password.
   NOTE(review): confirm the output-argument order of nt_lm_owf_gen() against
   its prototype -- if it writes the NT hash first, lm_newhash/nt_newhash are
   named the wrong way round here. */
75 nt_lm_owf_gen(new_passwd, lm_newhash, nt_newhash);
/* Old LM/NT hashes come from the credentials cached on the client session. */
76 pwd_get_lm_nt_16(&(smb_cli->pwd), lm_oldhash, nt_oldhash );
/* Presumably the new cleartext encoded under each old hash -- verify against
   make_oem_passwd_hash(). */
77 make_oem_passwd_hash(nt_newpass, new_passwd, nt_oldhash, True);
78 make_oem_passwd_hash(lm_newpass, new_passwd, lm_oldhash, True);
/* NOTE(review): both calls key on lm_newhash, and nt_newhash is never used in
   the visible body; confirm whether the nt_hshhash line is meant to use
   nt_newhash. */
79 E_old_pw_hash(lm_newhash, lm_oldhash, lm_hshhash);
80 E_old_pw_hash(lm_newhash, nt_oldhash, nt_hshhash);
/* Request signing and sealing on the NTLMSSP session before the pipe is
   opened; the password-change material below travels over this connection. */
82 cli_nt_set_ntlmssp_flgs(smb_cli,
83 NTLMSSP_NEGOTIATE_UNICODE |
84 NTLMSSP_NEGOTIATE_OEM |
85 NTLMSSP_NEGOTIATE_SIGN |
86 NTLMSSP_NEGOTIATE_SEAL |
87 NTLMSSP_NEGOTIATE_LM_KEY |
88 NTLMSSP_NEGOTIATE_NTLM |
89 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
90 NTLMSSP_NEGOTIATE_00001000 |
91 NTLMSSP_NEGOTIATE_00002000);
/* Each step below runs only if every earlier one succeeded; the initial
   value of res is assigned on a line not shown here. */
93 /* open SAMR session. */
94 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
96 /* establish a connection (do_samr_unknown_38: exact semantics not documented here). */
97 res = res ? do_samr_unknown_38(smb_cli, srv_name) : False;
99 /* send the password change for the session's own user name. */
100 res = res ? do_samr_chgpasswd_user(smb_cli,
101 srv_name, smb_cli->user_name,
102 nt_newpass, (char*)nt_hshhash,
103 lm_newpass, (char*)lm_hshhash) : False;
104 /* close the session -- unconditionally, even if the open above failed */
105 cli_nt_session_close(smb_cli);
/* The if (res) / else around these two reports is on lines not shown. */
109 fprintf(out_hnd, "NT Password changed OK\n");
113 fprintf(out_hnd, "NT Password change FAILED\n");
/* Closing brace is on a line not shown in this listing. */
118 /****************************************************************************
119 experimental SAM encrypted rpc test connection: opens the SAMR pipe with
NTLMSSP signing and sealing requested, issues a single call
(do_samr_unknown_38) and closes the pipe again. In the visible body only a
DEBUG line records the outcome.
120 ****************************************************************************/
121 void cmd_sam_test(struct client_info *info)
/* Opening brace and local declarations (sid, domain, srv_name, res) are on
   lines not shown in this listing. */
128 fstrcpy(sid , info->dom.level5_sid);
129 fstrcpy(domain, info->dom.level5_dom);
/* A domain SID must already have been fetched by 'lsaquery'; the early
   return following the message is on a line not shown. */
132 if (strlen(sid) == 0)
134 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
/* Build the UNC server name "\\host". */
138 fstrcpy(srv_name, "\\\\");
139 fstrcat(srv_name, info->dest_host);
142 fprintf(out_hnd, "SAM Encryption Test\n");
/* Same NTLMSSP flag set as cmd_sam_ntchange_pwd(): SIGN and SEAL requested. */
144 cli_nt_set_ntlmssp_flgs(smb_cli,
145 NTLMSSP_NEGOTIATE_UNICODE |
146 NTLMSSP_NEGOTIATE_OEM |
147 NTLMSSP_NEGOTIATE_SIGN |
148 NTLMSSP_NEGOTIATE_SEAL |
149 NTLMSSP_NEGOTIATE_LM_KEY |
150 NTLMSSP_NEGOTIATE_NTLM |
151 NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
152 NTLMSSP_NEGOTIATE_00001000 |
153 NTLMSSP_NEGOTIATE_00002000);
155 /* open SAMR session. The initial value of res is set on a line not shown. */
156 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
158 /* establish a connection (do_samr_unknown_38: exact semantics not documented here). */
159 res = res ? do_samr_unknown_38(smb_cli, srv_name) : False;
161 /* close the session -- runs even if the open failed */
162 cli_nt_session_close(smb_cli);
/* The if (res) / else around the two DEBUG lines is on lines not shown. */
166 DEBUG(5,("cmd_sam_test: succeeded\n"));
170 DEBUG(5,("cmd_sam_test: failed\n"));
/* Closing brace is on a line not shown in this listing. */
175 /****************************************************************************
176 experimental SAM users enum.
Enumerates the users of the domain whose SID 'lsaquery' stored in
info->dom.level5_sid and stores the result in info->dom.sam /
info->dom.num_sam_entries. Optional switches: -u queries and prints
level 0x15 user info for each entry, -g prints each user's group RIDs.
Up to four further hex tokens tune the enumeration request.
177 ****************************************************************************/
178 void cmd_sam_enum_users(struct client_info *info)
/* Opening brace and the remaining locals (sid, domain, srv_name, sid1, tmp,
   res, user_idx, num_groups, unk_0, acb_mask, unk_1) are on lines not shown. */
186 BOOL request_user_info = False;
187 BOOL request_group_info = False;
188 uint16 num_entries = 0;
/* NOTE(review): passed to do_samr_open_domain() in the slot after the connect
   handle; that position may be an access mask rather than a RID -- TODO
   confirm against the prototype. */
192 uint32 admin_rid = 0x304; /* absolutely no idea. */
195 fstrcpy(sid , info->dom.level5_sid);
196 fstrcpy(domain, info->dom.level5_dom);
/* A domain SID must already have been fetched; the early return after the
   message is on a line not shown. */
198 if (strlen(sid) == 0)
200 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
204 make_dom_sid(&sid1, sid);
/* Build the UNC server name "\\host". */
206 fstrcpy(srv_name, "\\\\");
207 fstrcat(srv_name, info->dest_host);
210 /* a bad way to do token parsing... up to two leading -u / -g switches */
211 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
213 request_user_info |= strequal(tmp, "-u");
214 request_group_info |= strequal(tmp, "-g");
217 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
219 request_user_info |= strequal(tmp, "-u");
220 request_group_info |= strequal(tmp, "-g");
/* Then up to four hex values. strtol() is called with a NULL end pointer and
   no errno check, so an unparsable token silently becomes 0, and each result
   is truncated to 16 bits before going straight into the SAMR request. */
224 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
226 num_entries = (uint16)strtol(tmp, (char**)NULL, 16);
229 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
231 unk_0 = (uint16)strtol(tmp, (char**)NULL, 16);
234 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
236 acb_mask = (uint16)strtol(tmp, (char**)NULL, 16);
239 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
241 unk_1 = (uint16)strtol(tmp, (char**)NULL, 16);
245 fprintf(out_hnd, "SAM Enumerate Users\n");
246 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
247 info->myhostname, srv_name, domain, sid);
250 DEBUG(5,("Number of entries:%d unk_0:%04x acb_mask:%04x unk_1:%04x\n",
251 num_entries, unk_0, acb_mask, unk_1));
/* Each step runs only if every earlier one succeeded; the initial value of
   res is assigned on a line not shown. */
254 /* open SAMR session. negotiate credentials */
255 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
257 /* establish a connection. 0x00000020 is a literal whose meaning is not documented here. */
258 res = res ? do_samr_connect(smb_cli,
259 srv_name, 0x00000020,
260 &info->dom.samr_pol_connect) : False;
262 /* connect to the domain */
263 res = res ? do_samr_open_domain(smb_cli,
264 &info->dom.samr_pol_connect, admin_rid, &sid1,
265 &info->dom.samr_pol_open_domain) : False;
267 /* read some users. &info->dom.sam is passed by address, so the callee
   presumably allocates the entry array -- see the != NULL check below. The
   0xffff literal is not documented here. */
268 res = res ? do_samr_enum_dom_users(smb_cli,
269 &info->dom.samr_pol_open_domain,
270 num_entries, unk_0, acb_mask, unk_1, 0xffff,
271 &info->dom.sam, &info->dom.num_sam_entries) : False;
273 if (res && info->dom.num_sam_entries == 0)
275 fprintf(out_hnd, "No users\n");
278 if (request_user_info || request_group_info)
280 /* query all the users. The user_idx increment is on a line not shown. */
283 while (res && user_idx < info->dom.num_sam_entries)
285 uint32 user_rid = info->dom.sam[user_idx].smb_userid;
286 SAM_USER_INFO_21 usr;
288 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
290 info->dom.sam[user_idx].acct_name);
292 if (request_user_info)
294 /* send user info query, level 0x15; a failed query is silently skipped */
295 if (get_samr_query_userinfo(smb_cli,
296 &info->dom.samr_pol_open_domain,
297 0x15, user_rid, &usr))
299 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
300 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
301 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
305 if (request_group_info)
/* Fixed-size stack array; the callee is trusted to respect LSA_MAX_GROUPS. */
308 DOM_GID gid[LSA_MAX_GROUPS];
310 /* send user group query; num_groups is declared on a line not shown */
311 if (get_samr_query_usergroups(smb_cli,
312 &info->dom.samr_pol_open_domain,
313 user_rid, &num_groups, gid))
315 display_group_rid_info(out_hnd, ACTION_HEADER , num_groups, gid);
316 display_group_rid_info(out_hnd, ACTION_ENUMERATE, num_groups, gid);
317 display_group_rid_info(out_hnd, ACTION_FOOTER , num_groups, gid);
/* Release the domain handle first, then the connect handle (the reverse of
   the order used in cmd_sam_query_user()). */
325 res = res ? do_samr_close(smb_cli,
326 &info->dom.samr_pol_open_domain) : False;
328 res = res ? do_samr_close(smb_cli,
329 &info->dom.samr_pol_connect) : False;
331 /* close the session -- runs even if the open failed */
332 cli_nt_session_close(smb_cli);
/* Presumably releases the enumeration buffer on the lines not shown -- verify. */
334 if (info->dom.sam != NULL)
/* The if (res) / else around the two DEBUG lines is on lines not shown. */
341 DEBUG(5,("cmd_sam_enum_users: succeeded\n"));
345 DEBUG(5,("cmd_sam_enum_users: failed\n"));
/* Closing brace is on a line not shown in this listing. */
350 /****************************************************************************
351 experimental SAM user query.
Queries one user by RID at a caller-chosen info level ("rid_hex level_dec"
on the command line); only level 0x15 results are displayed. Relies on
info->dom.sam having been filled by an earlier cmd_sam_enum_users() run.
352 ****************************************************************************/
353 void cmd_sam_query_user(struct client_info *info)
/* Opening brace and the remaining locals (sid, domain, srv_name, sid1,
   rid_str, info_str, user_rid, res) are on lines not shown. */
359 int user_idx = 0; /* FIXME maybe ... */
/* NOTE(review): passed to do_samr_open_domain() in the slot after the connect
   handle; may be an access mask rather than a RID -- TODO confirm. */
361 uint32 admin_rid = 0x304; /* absolutely no idea. */
365 uint32 info_level = 0x15;
367 SAM_USER_INFO_21 usr;
369 fstrcpy(sid , info->dom.level5_sid);
370 fstrcpy(domain, info->dom.level5_dom);
/* A domain SID must already have been fetched; the early return after the
   message is on a line not shown. */
372 if (strlen(sid) == 0)
374 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
378 make_dom_sid(&sid1, sid);
/* Build the UNC server name "\\host". */
380 fstrcpy(srv_name, "\\\\");
381 fstrcat(srv_name, info->dest_host);
/* Both tokens are required together; otherwise user_rid keeps whatever its
   (unseen) declaration gave it and info_level stays 0x15. strtol() runs with
   a NULL end pointer and no errno check, so bad input silently becomes 0. */
384 if (next_token(NULL, rid_str , NULL, sizeof(rid_str )) &&
385 next_token(NULL, info_str, NULL, sizeof(info_str)))
387 user_rid = (uint32)strtol(rid_str , (char**)NULL, 16);
388 info_level = (uint32)strtol(info_str, (char**)NULL, 10);
/* info_level is uint32 but printed with %d. */
391 fprintf(out_hnd, "SAM Query User: rid %x info level %d\n",
392 user_rid, info_level);
393 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
394 info->myhostname, srv_name, domain, sid);
/* Each step runs only if every earlier one succeeded; the initial value of
   res is assigned on a line not shown. */
396 /* open SAMR session. negotiate credentials */
397 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
399 /* establish a connection. 0x00000020 is a literal whose meaning is not documented here. */
400 res = res ? do_samr_connect(smb_cli,
401 srv_name, 0x00000020,
402 &info->dom.samr_pol_connect) : False;
404 /* connect to the domain */
405 res = res ? do_samr_open_domain(smb_cli,
406 &info->dom.samr_pol_connect, admin_rid, &sid1,
407 &info->dom.samr_pol_open_domain) : False;
/* NOTE(review): reads entry 0 of a previous enumeration without any visible
   check that info->dom.sam is non-NULL or num_sam_entries > 0 (cmd_sam_enum_users()
   tests info->dom.sam != NULL itself, so NULL is a reachable state). If no
   enumeration ran in this session this dereference is unguarded. */
409 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
411 info->dom.sam[user_idx].acct_name);
413 /* send user info query, level info_level. The result does not feed res, so
   the final DEBUG verdict reflects only the connect/open/close chain. */
414 if (get_samr_query_userinfo(smb_cli,
415 &info->dom.samr_pol_open_domain,
416 info_level, user_rid, &usr))
/* Only level 0x15 has a display routine here; other levels are fetched but
   never shown. */
418 if (info_level == 0x15)
420 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
421 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
422 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
/* NOTE(review): the connect handle is closed before the domain handle it
   was used to open -- the reverse of cmd_sam_enum_users(); confirm the
   server accepts this order. */
426 res = res ? do_samr_close(smb_cli,
427 &info->dom.samr_pol_connect) : False;
429 res = res ? do_samr_close(smb_cli,
430 &info->dom.samr_pol_open_domain) : False;
432 /* close the session -- runs even if the open failed */
433 cli_nt_session_close(smb_cli);
/* The if (res) / else around the two DEBUG lines is on lines not shown. */
437 DEBUG(5,("cmd_sam_query_user: succeeded\n"));
441 DEBUG(5,("cmd_sam_query_user: failed\n"));
/* Closing brace is on a line not shown in this listing. */
446 /****************************************************************************
447 experimental SAM groups query.
Opens the domain from info->dom.level5_sid and issues a single
do_samr_unknown_8() call with an optional decimal "info level" argument
(default 2). In the visible body only a DEBUG line records the outcome.
448 ****************************************************************************/
449 void cmd_sam_query_groups(struct client_info *info)
/* Opening brace and the remaining locals (sid, domain, srv_name, sid1,
   info_str, res) are on lines not shown. */
457 uint32 switch_value = 2;
/* NOTE(review): passed to do_samr_open_domain() in the slot after the connect
   handle; may be an access mask rather than a RID -- TODO confirm. */
458 uint32 admin_rid = 0x304; /* absolutely no idea. */
460 fstrcpy(sid , info->dom.level5_sid);
461 fstrcpy(domain, info->dom.level5_dom);
/* A domain SID must already have been fetched; the early return after the
   message is on a line not shown. */
463 if (strlen(sid) == 0)
465 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
469 make_dom_sid(&sid1, sid);
/* Build the UNC server name "\\host". */
471 fstrcpy(srv_name, "\\\\");
472 fstrcat(srv_name, info->dest_host);
/* Optional decimal argument; strtol() with a NULL end pointer and no errno
   check, so bad input silently becomes 0. */
475 if (next_token(NULL, info_str, NULL, sizeof(info_str)))
477 switch_value = (uint32)strtol(info_str, (char**)NULL, 10);
/* switch_value is uint32 but printed with %d. */
480 fprintf(out_hnd, "SAM Query Groups: info level %d\n", switch_value);
481 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
482 info->myhostname, srv_name, domain, sid);
/* Each step runs only if every earlier one succeeded; the initial value of
   res is assigned on a line not shown. */
484 /* open SAMR session. negotiate credentials */
485 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
487 /* establish a connection. 0x00000020 is a literal whose meaning is not documented here. */
488 res = res ? do_samr_connect(smb_cli,
489 srv_name, 0x00000020,
490 &info->dom.samr_pol_connect) : False;
492 /* connect to the domain */
493 res = res ? do_samr_open_domain(smb_cli,
494 &info->dom.samr_pol_connect, admin_rid, &sid1,
495 &info->dom.samr_pol_open_domain) : False;
497 /* send a samr 0x8 command; switch_value presumably selects the info level -- verify */
498 res = res ? do_samr_unknown_8(smb_cli,
499 &info->dom.samr_pol_open_domain, switch_value) : False;
/* Connect handle is closed before the domain handle (same order as
   cmd_sam_query_user(), reverse of cmd_sam_enum_users()). */
501 res = res ? do_samr_close(smb_cli,
502 &info->dom.samr_pol_connect) : False;
504 res = res ? do_samr_close(smb_cli,
505 &info->dom.samr_pol_open_domain) : False;
507 /* close the session -- runs even if the open failed */
508 cli_nt_session_close(smb_cli);
/* The if (res) / else around the two DEBUG lines is on lines not shown. */
512 DEBUG(5,("cmd_sam_query_groups: succeeded\n"));
516 DEBUG(5,("cmd_sam_query_groups: failed\n"));
/* Closing brace is on a line not shown in this listing. */
521 /****************************************************************************
522 experimental SAM aliases query.
Looks up the names and member counts of three well-known alias RIDs in the
hard-coded "S-1-5-20" domain, then enumerates that domain's users. With -u
each user's level 0x15 info is printed; with -g each user's alias RIDs.
523 ****************************************************************************/
524 void cmd_sam_enum_aliases(struct client_info *info)
/* Opening brace and the remaining locals (sid, domain, srv_name, sid1, tmp,
   res, user_idx) are on lines not shown. */
531 BOOL request_user_info = False;
532 BOOL request_alias_info = False;
/* NOTE(review): passed to do_samr_open_domain() and do_samr_query_unknown_12()
   in the slot after a policy handle; may be an access mask rather than a
   RID -- TODO confirm. */
533 uint32 admin_rid = 0x304; /* absolutely no idea. */
/* Lookup table of three well-known aliases. num_aliases is the table size on
   input; the query below also writes back through &num_aliases, and the
   per-user loop reuses the same variable as its own output count. */
536 uint32 num_aliases = 3;
537 uint32 alias_rid[3] = { DOMAIN_GROUP_RID_ADMINS, DOMAIN_GROUP_RID_USERS, DOMAIN_GROUP_RID_GUESTS };
538 fstring alias_names [3];
539 uint32 num_als_usrs[3];
541 fstrcpy(sid , info->dom.level3_sid);
542 fstrcpy(domain, info->dom.level3_dom);
/* NOTE(review): sid is overwritten with a fixed value immediately after being
   copied from info->dom.level3_sid, so the strlen(sid) == 0 check below can
   never fire and 'domain' no longer matches the SID actually used. */
544 fstrcpy(sid , "S-1-5-20");
546 if (strlen(sid) == 0)
548 fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
552 make_dom_sid(&sid1, sid);
/* Build the UNC server name "\\host". */
554 fstrcpy(srv_name, "\\\\");
555 fstrcat(srv_name, info->dest_host);
558 /* a bad way to do token parsing... up to two leading -u / -g switches */
559 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
561 request_user_info |= strequal(tmp, "-u");
562 request_alias_info |= strequal(tmp, "-g");
565 if (next_token(NULL, tmp, NULL, sizeof(tmp)))
567 request_user_info |= strequal(tmp, "-u");
568 request_alias_info |= strequal(tmp, "-g");
571 fprintf(out_hnd, "SAM Enumerate Aliases\n");
572 fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
573 info->myhostname, srv_name, domain, sid);
/* Each step runs only if every earlier one succeeded; the initial value of
   res is assigned on a line not shown. */
575 /* open SAMR session. negotiate credentials */
576 res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR) : False;
578 /* establish a connection. 0x00000020 is a literal whose meaning is not documented here. */
579 res = res ? do_samr_connect(smb_cli,
580 srv_name, 0x00000020,
581 &info->dom.samr_pol_connect) : False;
583 /* connect to the domain */
584 res = res ? do_samr_open_domain(smb_cli,
585 &info->dom.samr_pol_connect, admin_rid, &sid1,
586 &info->dom.samr_pol_open_domain) : False;
588 /* send a query on the aliases: resolves alias_rid[] to names and member counts */
589 res = res ? do_samr_query_unknown_12(smb_cli,
590 &info->dom.samr_pol_open_domain, admin_rid, num_aliases, alias_rid,
591 &num_aliases, alias_names, num_als_usrs) : False;
/* The guard around this display block is on lines not shown. */
595 display_alias_name_info(out_hnd, ACTION_HEADER , num_aliases, alias_names, num_als_usrs);
596 display_alias_name_info(out_hnd, ACTION_ENUMERATE, num_aliases, alias_names, num_als_usrs);
597 display_alias_name_info(out_hnd, ACTION_FOOTER , num_aliases, alias_names, num_als_usrs);
602 /* read some users.
   NOTE(review): num_entries, unk_0, acb_mask and unk_1 are neither declared
   nor assigned anywhere in the visible body of this function (cmd_sam_enum_users()
   parses them from the command line), and info->dom.sam is passed by value
   here but by address (&info->dom.sam) in cmd_sam_enum_users() -- only one of
   the two can match the callee's prototype. Confirm against
   do_samr_enum_dom_users(). */
603 res = res ? do_samr_enum_dom_users(smb_cli,
604 &info->dom.samr_pol_open_domain,
605 num_entries, unk_0, acb_mask, unk_1, 0xffff,
606 info->dom.sam, &info->dom.num_sam_entries) : False;
608 if (res && info->dom.num_sam_entries == 0)
610 fprintf(out_hnd, "No users\n");
613 if (request_user_info || request_alias_info)
615 /* query all the users. The user_idx increment is on a line not shown. */
618 while (res && user_idx < info->dom.num_sam_entries)
620 uint32 user_rid = info->dom.sam[user_idx].smb_userid;
621 SAM_USER_INFO_21 usr;
623 fprintf(out_hnd, "User RID: %8x User Name: %s\n",
625 info->dom.sam[user_idx].acct_name);
627 if (request_user_info)
629 /* send user info query, level 0x15; a failed query is silently skipped */
630 if (get_samr_query_userinfo(smb_cli,
631 &info->dom.samr_pol_open_domain,
632 0x15, user_rid, &usr))
634 display_sam_user_info_21(out_hnd, ACTION_HEADER , &usr);
635 display_sam_user_info_21(out_hnd, ACTION_ENUMERATE, &usr);
636 display_sam_user_info_21(out_hnd, ACTION_FOOTER , &usr);
640 if (request_alias_info)
/* Fixed-size stack array; the callee is trusted to respect LSA_MAX_GROUPS. */
643 DOM_GID gid[LSA_MAX_GROUPS];
645 /* send user alias query; overwrites num_aliases with this user's count */
646 if (get_samr_query_useraliases(smb_cli,
647 &info->dom.samr_pol_open_domain,
648 user_rid, &num_aliases, gid))
650 display_alias_info(out_hnd, ACTION_HEADER , num_aliases, gid);
651 display_alias_info(out_hnd, ACTION_ENUMERATE, num_aliases, gid);
652 display_alias_info(out_hnd, ACTION_FOOTER , num_aliases, gid);
/* Connect handle is closed before the domain handle (reverse of
   cmd_sam_enum_users()). */
661 res = res ? do_samr_close(smb_cli,
662 &info->dom.samr_pol_connect) : False;
664 res = res ? do_samr_close(smb_cli,
665 &info->dom.samr_pol_open_domain) : False;
667 /* close the session -- runs even if the open failed */
668 cli_nt_session_close(smb_cli);
/* The if (res) / else around the two DEBUG lines is on lines not shown.
   NOTE(review): both DEBUG strings name cmd_sam_enum_users; they look
   copy-pasted and should read cmd_sam_enum_aliases (runtime strings, left
   unchanged here). */
672 DEBUG(5,("cmd_sam_enum_users: succeeded\n"));
676 DEBUG(5,("cmd_sam_enum_users: failed\n"));
/* Closing brace is on a line not shown in this listing. */