| Commit message | Author | Age | Files | Lines |
have we got. and what data do we have. hmm.. i wonder what the NTLMv2
user session key can be... hmmm... weell.... there's some hidden data
here, generated from the user password that doesn't go over-the-wire,
so that's _got_ to be involved. and... that bit of data took a lot of
computation to produce, so it's probably _also_ involved... and md4 no, md5?
no, how about hmac_md5 yes let's try that one (the others didn't work)
oh goodie, it worked!
i love it when this sort of thing happens. took all of fifteen minutes to
guess it. tried concatenating client and server challenges. tried
concatenating _random_ bits of client and server challenges. tried
md5 of the above. tried hmac_md5 of the above. eventually, it boils down
to this:
kr = MD4(NT#,username,domainname)
hmacntchal=hmac_md5(kr, nt server challenge)
sess_key = hmac_md5(kr, hmacntchal);
the random workstation trust account password is TOTAL garbage. i mean,
complete garbage. it's nowhere CLOSE to being a UNICODE string. therefore
we can't just take every second character.
created nt_owf_genW() which creates NT#(password) instead of NT#(Unicode(pw)).
followed through to the password setting in srv_samr.c
reg_io_r_info() working properly. previously they weren't well
understood (well, they were the first of the registry functions i did,
back in december 97, ok??? :-)
set ntversion to 0x1 in SAMQUERY, so that we reply the same as NT4 srv.
you have to use "ntlmv1" at the moment (i.e. set client ntlmv2 = no).
error wrong password against nt. ????
switching on CAP_STATUS32 from non-CAP_EXTENDED_SECURITY code (enabled
for test purposes only)
implementation (NT5) when you discover that your code is trash.
samr_enum_dom_users(), samr_enum_dom_aliases() and samr_enum_dom_groups()
all take a HANDLE for multiple-call enumeration purposes.
this format is what i would like _all_ these functions to be
(returning status codes, not BOOL) but that's a horrendous
amount of work at the moment :)
deal with linking issues in other binaries
a problem i was having.
- added rudimentary CAP_STATUS32 support for same reason.
- added hard-coded, copy-the-same-data-from-over-the-wire version of
CAP_EXTENDED_SECURITY, which is a security-blob to encapsulate
GSSAPI which encodes
SPNEGO which is used to negotiate
Kerberos or NTLMSSP. i have implemented
NTLMSSP which negotiates
NTLMv1 or NTLMv2 and 40-bit or 128-bit etc. i have implemented
NTLMv1 / 40-bit.
*whew*.
if this fails.
- ssl close from cli_reestablish_connection() not called.
- ntlmv2 fall-back to ntlmv1 failed.
Algorithm based on previous work of Jeremy's.
password and password length variables not constants.
static cli_calc_session_pwds(). this code used to be inside cli_session_setup()
itself and worked on non-NULL local variables.
now uses improved authentication. smbclient now "broken" for "scripts"
based on DEBUG() output. cli_establish_connection() requires modification
to support old scripts.
of a pstrcpy into an fstring).
command "at" (compatible with NT's "at" command - see rpcclient commit) -
useful for remote NT administration.
used to add workstation to domain. unix account db not modified: only
SAM password db is used.
anywhere.
(actually, decryption only currently because I need to get some sleep).
Basically another Microsoft twist on DES; the "master key" is the user's
NT hash MD4'd and subsets of this are chosen as the 56-bit DES keys.
Copyright (C) Benjamin Kuit <bj@mcs.uts.edu.au> 1999.
No more ugly static library buffers and all functions take a destination
string length (especially unistrcpy was rather dangerous; we were only
saved by the fact that datagrams are limited in size).
validation checks and also added capability to send plaintext passwords.
send "ntpasslen" of zero to do this. sending same plaintext password
for pass and ntpass arguments will result in previous behaviour of
encrypting password if server supports it.
needed this for some tests.
- removed code that said "if lm password is not encrypted then encrypt both
lm and nt passwords". actually it said "if lm password length is not 24
bytes and we're in security=user mode..."
it didn't bother to check whether the nt password was NULL or not, and
doing the encryption inside cli_session_setup is the wrong place.
- checked all instances where cli_session_setup is called with cleartext
passwords that are expected to then be encrypted (see above) with the
test "if pwlen != 24...". there was only one: all the others either
provide encrypted passwords, do null sessions or use
cli_establish_connection.
* recommendation: use cli_establish_connection() in smbwrapper/smbw.c
However, it seems that the -s flag in smbclient is also ignored :-(
own smbd process, rather than complaining about a password server loop.
is not the same as
!(eclass == ERRDOS && num == ERRmoredata)
This was causing smbclient to segfault on receiving certain errors.
idiotic *SMBSERVER connectionism added to cli_connect_serverlist().
also added check for protocol < LANMAN2.