2 This code is based on work from
3 L0phtcrack 1.5 06.02.97 mudge@l0pht.com
5 The code also contains sources from:
6 . routines from the samba code source
9 Anton Roeckseisen (anton@genua.de)
14 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 void str_to_key(unsigned char *,unsigned char *);
31 int PutUniCode(char *dst,char *src);
32 void printlanhash(char *tmp);
33 void mdfour(unsigned char *out, unsigned char *in, int n);
34 void E_P16(unsigned char *p14,unsigned char *p16);
/*
 * Entry point. This listing is an excerpt: the number at the start of each
 * line is the line number in the original file, and the lines in between
 * (declarations, case labels, braces) are not shown.
 *
 * From the visible lines: options -L, -N and -f are parsed with getopt(), or
 * a single bare argument is used as the password for both hashes. The
 * upper-cased LanManager password goes through E_P16(), and the Unicode form
 * of the NT password goes through mdfour().
 *
 * NOTE(review): -L, -N and the bare-argument form all take the cleartext
 * password from argv, where it is normally readable by other local users via
 * the process list and may end up in shell history. Reading it from stdin
 * with the -f - form avoids that exposure.
 *
 * NOTE(review): the LanManager input is cut to LMPASSWDLEN bytes and
 * upper-cased (visible below), so that hash is considerably weaker than the
 * NT hash of the same password.
 */
37 void main(int argc, char **argv) {
42 char lanpwd[LMPASSWDLEN+1];
44 char inputfile[FILENAMEBUFFER+1] = "";
50 char ntpasswd[NTPASSWDLEN+1];
54 char passwd[NTPASSWDLEN+1];
67 while ( (c = getopt(argc, argv, "L:N:f:")) != EOF){
/* presumably the -L case (label not shown): copy at most LMPASSWDLEN bytes,
   terminate explicitly because strncpy() does not, then upper-case */
71 strncpy(lanpwd,optarg,LMPASSWDLEN);
72 lanpwd[LMPASSWDLEN]='\0';
/* NOTE(review): toupper() expects a value representable as unsigned char (or
   EOF); passing a plain char is undefined for bytes >= 0x80 where char is
   signed. Cast to unsigned char first. The same pattern repeats at original
   lines 111 and 124. */
73 for (i=0;i<LMPASSWDLEN;i++)
74 lanpwd[i]=toupper(lanpwd[i]);
/* presumably the -N case: NT password, up to NTPASSWDLEN bytes, case kept */
78 strncpy(passwd,optarg,NTPASSWDLEN);
79 passwd[NTPASSWDLEN]='\0';
/* presumably the -f case: remember the input file name (a single dash selects
   stdin below) */
82 strncpy(inputfile,optarg,FILENAMEBUFFER);
83 inputfile[FILENAMEBUFFER]='\0';
90 /* Get password from file or STDIN */
91 if (inputfile[0]!='\0') {
93 just_pwd=0; /* make sure no shit is happening... */
95 /* get NT-password (longer) */
96 if (strcmp(inputfile,"-")==0) {
/* NOTE(review): the fgets() result is not checked here or at original line
   101; on EOF or a read error passwd is left unchanged, and its visible
   declaration has no initializer. */
97 fgets(passwd,NTPASSWDLEN,stdin);
/* NOTE(review): original lines 99-101 are consecutive, so a failed fopen()
   only prints the message and execution continues into fgets() and fclose()
   with a NULL stream. The error path should leave (exit or return) before
   line 101. */
99 if ((InputFilePtr=fopen(inputfile,"r")) == NULL)
100 fprintf(stderr,"Couldn't open passwordfile: %s",inputfile) ;
101 fgets(passwd,NTPASSWDLEN,InputFilePtr);
102 fclose(InputFilePtr);
/* drop trailing newlines; the strlen(passwd)>0 test keeps the index from
   going below zero */
104 while (strlen(passwd)>0 && passwd[strlen(passwd)-1]=='\n')
105 passwd[strlen(passwd)-1]='\0';
107 /* create LANMAN-password (shorter) */
108 strncpy(lanpwd,passwd,LMPASSWDLEN);
109 lanpwd[LMPASSWDLEN]='\0';
110 for (i=0;i<LMPASSWDLEN;i++)
111 lanpwd[i]=toupper(lanpwd[i]);
118 /* Assume the one and only Arg is the new password! */
120 if (argc>1 && just_pwd==1) {
121 strncpy(lanpwd,argv[1],LMPASSWDLEN);
122 lanpwd[LMPASSWDLEN]='\0';
123 for (i=0;i<LMPASSWDLEN;i++)
124 lanpwd[i]=toupper(lanpwd[i]);
127 strncpy(passwd,argv[1],NTPASSWDLEN);
128 passwd[NTPASSWDLEN]='\0';
/* LanManager hash: hashout is cleared (17 bytes), filled by E_P16() from the
   upper-cased password and printed as hex */
133 memset(hashout,'\0',17);
134 E_P16((uchar *)lanpwd,hashout);
135 printlanhash(hashout);
140 if (printlan>0) printf(":");
142 memset(ntpasswd, '\0', sizeof(ntpasswd));
/* NOTE(review): the newline strip at original line 144 has no length guard,
   unlike line 104: for an empty passwd, strlen(passwd)-1 wraps around and
   the read is outside the array. */
/* NOTE(review): hold (original line 149) is NTPASSWDLEN * 2 bytes, but passwd
   can carry NTPASSWDLEN characters. If PutUniCode() stores two bytes per
   character and then a two-byte terminator - its return(ret-2) suggests so,
   the body is not shown - a maximum-length password writes two bytes past
   hold. Confirm, and allocate NTPASSWDLEN * 2 + 2. */
144 if (passwd[strlen(passwd)-1] == '\n') /* strip the \n - this
145 is done in LowerString for the case sensitive
147 passwd[strlen(passwd)-1] = '\0';
149 hold = (char *)malloc(NTPASSWDLEN * 2); /* grab space for
152 fprintf(stderr, "out of memory...crackntdialog hold\n");
156 uni_len = PutUniCode(hold, passwd); /* convert to
157 unicode and return correct
158 unicode length for md4 */
160 p16 = (unsigned char*)malloc(17); /* grab space for md4 hash */
162 fprintf(stderr, "out of memory...crackntdialect p16\n");
/* MD4 over the first uni_len bytes of hold, result written to p16 */
167 mdfour(p16,hold, uni_len);
181 /*****************************************************************************/
182 /*****************************************************************************/
183 /*****************************************************************************/
/*
 * Print the command-line help to stderr, using p as the program name.
 *
 * NOTE(review): the third form is printed as -f [-] [filename], but the
 * getopt string in main is L:N:f:, so -f takes exactly one argument: either
 * a single dash (stdin) or a file name.
 */
185 void usage(char *progname){
/* strrchr() returns NULL when progname holds no backslash. Original lines
   189-193 are not shown; presumably they step past the separator or fall back
   to progname - confirm, because p is passed to %s below and must not be
   NULL. */
188 p = strrchr(progname, '\\');
194 fprintf(stderr, "Usage: %s [-L lanmgrpwd] [-N ntpasswd]\n",p);
195 fprintf(stderr, " %s password\n",p);
196 fprintf(stderr, " %s -f [-] [filename]\n\n",p);
197 fprintf(stderr, " -L lanmgrpasswd LanManager cleartextpwd <= 14 chars\n");
198 fprintf(stderr, " -N ntpasswd NT cleartextpwd <=128 chars (usually <=14)\n\n");
199 fprintf(stderr, " with both options present the encrypted LanManager-Pwd is \n");
200 fprintf(stderr, " printed first, followed by a ':' and the encrypted NT-Pwd.\n\n");
201 fprintf(stderr, " The second usage behaves like %s -L pwd -N pwd\n\n",p);
202 fprintf(stderr, " The third usage reads the password from STDIN or a File. Printout\n");
203 fprintf(stderr, " is the same as second.\n\n");
204 fprintf(stderr, "anton@genua.de\n\n");
209 /*******************************************************************
210 write a string in unicode format
211 ********************************************************************/
/* NOTE(review): the body (original lines 213-221) is not shown. The function
   takes no destination size, so the caller alone must guarantee that dst is
   large enough. The returned length leaves out the final two bytes (see the
   comment on the return), which suggests a two-byte terminator is written to
   dst - confirm against the full source and against the NTPASSWDLEN * 2
   allocation in main. */
212 int PutUniCode(char *dst,char *src)
222 return(ret-2); /* the way they do the md4 hash they don't represent
223 the last null. ie 'A' becomes just 0x41 0x00 - not
224 0x41 0x00 0x00 0x00 */
228 print binary buffer as hex-string
/* Format a binary hash as an upper-case hex string and print it to stdout
   without a trailing newline. The declarations and loop headers (original
   lines 231-236, 238-239, 245) are not shown. */
230 void printlanhash(char *tmp) {
237 /* build string from binary hash */
/* Each sprintf() stores one hex digit followed by a NUL; the next call
   overwrites that NUL and the last call terminates the string. outbuffer
   therefore needs two bytes per input byte plus one.
   NOTE(review): its declaration and the loop bound are not shown - confirm
   the size. The & 0x0f masks make the digits independent of whether c is
   signed. */
240 sprintf(outbuffer+2*i,"%x",(c>>4) & 0x0f);
241 sprintf(outbuffer+2*i+1,"%x",c & 0x0f);
244 /* convert to uppercase */
/* the characters written above are hex digits, so toupper() only sees ASCII
   here, provided the loop covers just the written part - bound not shown */
246 outbuffer[i] = toupper(outbuffer[i]);
249 /* print out hex-string */
250 printf("%s",outbuffer);