uint32 nt_error; /* NT RPC error code. */
uint16 nt_pipe_fnum; /* Pipe handle. */
unsigned char sess_key[16]; /* Current session key. */
- unsigned char ntlmssp_hash[256]; /* ntlmssp data. */
+ unsigned char ntlmssp_hash[258]; /* ntlmssp data. */
uint32 ntlmssp_cli_flgs; /* ntlmssp client flags */
uint32 ntlmssp_srv_flgs; /* ntlmssp server flags */
DOM_CRED clnt_cred; /* Client credential. */
RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
BOOL ntlmssp_auth;
- unsigned char ntlmssp_hash[256];
+ unsigned char ntlmssp_hash[258];
uint32 file_offset;
uint32 hdr_offsets;
POLICY_HND *pol_open_domain,
uint32 info_level,
uint32 user_rid, SAM_USER_INFO_21 *usr);
+BOOL do_samr_unknown_38(struct cli_state *cli, char *srv_name);
BOOL do_samr_unknown_8(struct cli_state *cli,
POLICY_HND *domain_pol, uint16 switch_value);
BOOL do_samr_enum_dom_users(struct cli_state *cli,
uint8 num_results, uint16 result, uint16 reason,
RPC_IFACE *transfer);
void smb_io_rpc_hdr_ba(char *desc, RPC_HDR_BA *rpc, prs_struct *ps, int depth);
-void make_rpc_hdr_req(RPC_HDR_REQ *hdr, uint32 data_len, uint16 opnum);
+void make_rpc_hdr_req(RPC_HDR_REQ *hdr, uint32 alloc_hint, uint16 opnum);
void smb_io_rpc_hdr_req(char *desc, RPC_HDR_REQ *rpc, prs_struct *ps, int depth);
void smb_io_rpc_hdr_resp(char *desc, RPC_HDR_RESP *rpc, prs_struct *ps, int depth);
void make_rpc_hdr_autha(RPC_HDR_AUTHA *rai,
#define SAMR_UNKNOWN_21 0x21
#define SAMR_UNKNOWN_32 0x32
#define SAMR_UNKNOWN_34 0x34
+#define SAMR_UNKNOWN_38 0x38
#define SAMR_CONNECT 0x39
#define SAMR_OPEN_ALIAS 0x1b
#define SAMR_QUERY_ALIASINFO 0x1c
smbhash(out + 8, in + 8, key2, forw);
}
-void NTLMSSPhash( unsigned char hash[256], unsigned char const key[5])
+void NTLMSSPhash( unsigned char hash[258], unsigned char key[5])
{
- unsigned char j = 0;
- int ind;
+ unsigned char j = 0;
+ int ind;
unsigned char k2[8];
- memcpy(k2, key, sizeof(key));
+ memcpy(k2, key, 5);
k2[5] = 0xe5;
- k2[6] = 0xb8;
- k2[6] = 0xb0;
+ k2[6] = 0x38;
+ k2[7] = 0xb0;
for (ind = 0; ind < 256; ind++)
{
hash[ind] = hash[j];
hash[j] = tc;
}
+
+ hash[256] = 0;
+ hash[257] = 0;
}
-void NTLMSSPcalc( unsigned char hash[256], unsigned char *data, int len)
+void NTLMSSPcalc( unsigned char hash[258], unsigned char *data, int len)
{
- unsigned char index_i = 0;
- unsigned char index_j = 0;
+ unsigned char index_i = hash[256];
+ unsigned char index_j = hash[257];
int ind;
for( ind = 0; ind < len; ind++)
hash[index_j] = tc;
t = hash[index_i] + hash[index_j];
- data[ind] ^= hash[t];
+ data[ind] = data[ind] ^ hash[t];
}
+
+ hash[256] = index_i;
+ hash[257] = index_j;
}
void SamOEMhash( unsigned char *data, unsigned char *key, int val)
memset(p21 + 8, 0xbd, 8);
E_P24(p21, ntlmchalresp, p24);
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,("NTLMSSPOWFencrypt: p21, c8, p24\n"));
+ dump_data(100, p21, 21);
+ dump_data(100, ntlmchalresp, 8);
+ dump_data(100, p24, 24);
+#endif
}
prs_struct *auth_ntlm,
uint32 call_id,
RPC_IFACE *abstract, RPC_IFACE *transfer,
- char *my_name, char *domain)
+ char *my_name, char *domain, uint32 neg_flags)
{
RPC_HDR_RB hdr_rb;
RPC_HDR hdr;
mem_realloc_data(auth_req->data, auth_req->offset);
make_rpc_auth_ntlmssp_neg(&ntlmssp_neg,
- 0x0000b2b3, my_name, domain);
+ neg_flags, my_name, domain);
smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, auth_req, 0);
mem_realloc_data(auth_req->data, auth_req->offset);
if (auth_len != 0)
{
- alloc_hint = data_len - 0x18 - auth_len - 12;
+ alloc_hint = data_len - 0x18 - auth_len - 10;
}
else
{
RPC_AUTH_NTLMSSP_CHK chk;
RPC_HDR_AUTH rhdr_auth;
- make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x02);
+ make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x08);
smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0);
make_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, 0);
ntlmssp_auth ? &auth_req : NULL,
ntlmssp_auth ? &auth_ntlm : NULL,
call_id,
- abstract, transfer, global_myname, cli->domain);
+ abstract, transfer,
+ global_myname, cli->domain, cli->ntlmssp_cli_flgs);
/* this is a hack due to limitations in rpc_api_pipe */
prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False);
if (encrypted)
{
- cli->ntlmssp_cli_flgs =
+ cli->ntlmssp_cli_flgs =
NTLMSSP_NEGOTIATE_UNICODE |
- NTLMSSP_NEGOTIATE_OEM |
+/* NTLMSSP_NEGOTIATE_OEM |
+ */
NTLMSSP_NEGOTIATE_SIGN |
NTLMSSP_NEGOTIATE_SEAL |
NTLMSSP_NEGOTIATE_LM_KEY |
NTLMSSP_NEGOTIATE_NTLM |
- NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
+ NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+/*
NTLMSSP_NEGOTIATE_00001000 |
NTLMSSP_NEGOTIATE_00002000;
+ */
DEBUG(5,("cli_nt_session_open: neg_flags: %lx\n",
cli->ntlmssp_cli_flgs));
}
return do_samr_close(cli, &pol_open_user);
}
+/****************************************************************************
+do a SAMR unknown 0x38 command
+****************************************************************************/
+BOOL do_samr_unknown_38(struct cli_state *cli, char *srv_name)
+{
+ prs_struct data;
+ prs_struct rdata;
+
+ SAMR_Q_UNKNOWN_38 q_e;
+ BOOL valid_un8 = False;
+
+ /* create and send a MSRPC command with api SAMR_ENUM_DOM_USERS */
+
+ prs_init(&data , 1024, 4, SAFETY_MARGIN, False);
+ prs_init(&rdata, 0 , 4, SAFETY_MARGIN, True );
+
+ DEBUG(4,("SAMR Unknown 38 server:%s\n", srv_name));
+
+ make_samr_q_unknown_38(&q_e, srv_name);
+
+ /* turn parameters into data stream */
+ samr_io_q_unknown_38("", &q_e, &data, 0);
+
+ /* send the data on \PIPE\ */
+ if (rpc_api_pipe_req(cli, SAMR_UNKNOWN_38, &data, &rdata))
+ {
+ SAMR_R_UNKNOWN_38 r_e;
+ BOOL p;
+
+ samr_io_r_unknown_38("", &r_e, &rdata, 0);
+
+ p = rdata.offset != 0;
+ if (p && r_e.status != 0)
+ {
+ /* report error code */
+ DEBUG(0,("SAMR_R_UNKNOWN_38: %s\n", get_nt_error_msg(r_e.status)));
+ p = False;
+ }
+
+ if (p)
+ {
+ valid_un8 = True;
+ }
+ }
+
+ prs_mem_free(&data );
+ prs_mem_free(&rdata );
+
+ return valid_un8;
+}
+
/****************************************************************************
do a SAMR unknown 0x8 command
****************************************************************************/
smb_io_strhdr("hdr_myname", &(neg->hdr_myname), ps, depth);
smb_io_strhdr("hdr_domain", &(neg->hdr_domain), ps, depth);
- prs_string("myname", ps, depth, neg->myname, neg->hdr_myname.str_str_len, sizeof(neg->myname));
prs_string("domain", ps, depth, neg->domain, neg->hdr_domain.str_str_len, sizeof(neg->domain));
+ prs_string("myname", ps, depth, neg->myname, neg->hdr_myname.str_str_len, sizeof(neg->myname));
}
/*******************************************************************
usr_len *= 2;
}
- make_str_hdr(&rsp->hdr_lm_resp, lm_len, lm_len, offset);
- offset += lm_len;
-
- make_str_hdr(&rsp->hdr_nt_resp, nt_len, nt_len, offset);
- offset += nt_len;
-
make_str_hdr(&rsp->hdr_domain , dom_len, dom_len, offset);
offset += dom_len;
make_str_hdr(&rsp->hdr_wks , wks_len, wks_len, offset);
offset += wks_len;
+ make_str_hdr(&rsp->hdr_lm_resp, lm_len , lm_len , offset);
+ offset += lm_len;
+
+ make_str_hdr(&rsp->hdr_nt_resp, nt_len , nt_len , offset);
+ offset += nt_len;
+
make_str_hdr(&rsp->hdr_sess_key, 0, 0, offset);
rsp->neg_flags = neg_flags;
old_offset = ps->offset;
- ps->offset = rsp->hdr_lm_resp .buffer + 0x1c;
- prs_uint8s(False, "lm_resp ", ps, depth, (uint8*)rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp )));
- old_offset += rsp->hdr_lm_resp .str_str_len;
-
- ps->offset = rsp->hdr_nt_resp .buffer + 0x1c;
- prs_uint8s(False, "nt_resp ", ps, depth, (uint8*)rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp )));
- old_offset += rsp->hdr_nt_resp .str_str_len;
-
ps->offset = rsp->hdr_domain .buffer + 0x1c;
prs_uint8s(True , "domain ", ps, depth, (uint8*)rsp->domain , MIN(rsp->hdr_domain .str_str_len, sizeof(rsp->domain )));
old_offset += rsp->hdr_domain .str_str_len;
prs_uint8s(True , "wks ", ps, depth, (uint8*)rsp->wks , MIN(rsp->hdr_wks .str_str_len, sizeof(rsp->wks )));
old_offset += rsp->hdr_wks .str_str_len;
+ ps->offset = rsp->hdr_lm_resp .buffer + 0x1c;
+ prs_uint8s(False, "lm_resp ", ps, depth, (uint8*)rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp )));
+ old_offset += rsp->hdr_lm_resp .str_str_len;
+
+ ps->offset = rsp->hdr_nt_resp .buffer + 0x1c;
+ prs_uint8s(False, "nt_resp ", ps, depth, (uint8*)rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp )));
+ old_offset += rsp->hdr_nt_resp .str_str_len;
+
if (rsp->hdr_sess_key.str_str_len != 0)
{
ps->offset = rsp->hdr_sess_key.buffer + 0x1c;
prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */
- prs_uint8s(False, "lm_resp ", ps, depth, rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp )));
- prs_uint8s(False, "nt_resp ", ps, depth, rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp )));
prs_uint8s(True , "domain ", ps, depth, rsp->domain , MIN(rsp->hdr_domain .str_str_len, sizeof(rsp->domain )));
prs_uint8s(True , "user ", ps, depth, rsp->user , MIN(rsp->hdr_usr .str_str_len, sizeof(rsp->user )));
prs_uint8s(True , "wks ", ps, depth, rsp->wks , MIN(rsp->hdr_wks .str_str_len, sizeof(rsp->wks )));
+ prs_uint8s(False, "lm_resp ", ps, depth, rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp )));
+ prs_uint8s(False, "nt_resp ", ps, depth, rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp )));
prs_uint8s(False, "sess_key", ps, depth, rsp->sess_key, MIN(rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key)));
}
}
res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR, True) : False;
/* establish a connection. */
- res = res ? do_samr_connect(smb_cli,
- srv_name, 0x00000020,
- &info->dom.samr_pol_connect) : False;
-
- res = res ? do_samr_close(smb_cli,
- &info->dom.samr_pol_connect) : False;
+ res = res ? do_samr_unknown_38(smb_cli, srv_name) : False;
/* close the session */
cli_nt_session_close(smb_cli);
put_dos_date3(outbuf,smb_vwv4,mtime);
SIVAL(outbuf,smb_vwv6,size);
SSVAL(outbuf,smb_vwv8,rmode);
- SSVAL(outbuf,smb_vwv11,0);
+ SSVAL(outbuf,smb_vwv11,0x0001);
return chain_reply(inbuf,outbuf,length,bufsize);
}