---
-- This module takes care of the authentication used in SMB (LM, NTLM, LMv2, NTLMv2).
--
-- There is a lot to this functionality, so if you're interested in how it works, read
-- on.
-- In SMB authentication, there are two distinct concepts. Each will be dealt with
-- separately. There are:
-- * Stored hashes
-- * Authentication
--
-- What's confusing is that the same names are used for each of those.
--
-- Stored Hashes:
-- Windows stores two types of hashes: Lanman and NT Lanman (or NTLM). Vista and later
-- store NTLM only. Lanman passwords are divided into two 7-character passwords and
-- used as a key in DES, while NTLM is converted to unicode and MD4ed.
--
-- The stored hashes can be dumped in a variety of ways (pwdump6, fgdump, Metasploit's
-- priv
module, smb-psexec.nse
, etc). Generally, two hashes are dumped together
-- (generally, Lanman:NTLM). Sometimes, Lanman is empty and only NTLM is given. Lanman
-- is never required.
--
-- The password hashes can be given instead of passwords when supplying credentials;
-- this is done by using the smbhash
argument. Either a pair of hashes
-- can be passed, in the form of Lanman:NTLM, or a single hash, which is assumed to
-- be NTLM.
--
-- Authentication:
-- There are four types of authentication. Confusingly, these have the same names as
-- stored hashes, but only slight relationships. The four types are Lanmanv1, NTLMv1,
-- Lanmanv2, and NTLMv2. By default, Lanmanv1 and NTLMv1 are used together in most
-- applications. These Nmap scripts default to NTLMv1 alone, except in special cases,
-- but it can be overridden by the user.
--
-- Lanmanv1 and NTLMv1 both use DES for their response. The DES mixes a server challenge
-- with the hash (Lanman hash for Lanmanv1 response and NTLMv1 hash for NTLM response).
-- The way the challenge is DESed with the hashes is identical for Lanmanv1 and NTLMv1,
-- the only difference is the starting hash (Lanman vs NTLM).
--
-- Lanmanv2 and NTLMv2 both use HMAC-MD5 for their response. The HMAC-MD5 mixes a
-- server challenge and a client challenge with the NTLM hash, in both cases. The
-- difference between Lanmanv2 and NTLMv2 is the length of the client challenge;
-- Lanmanv2 has a maximum client challenge of 8 bytes, whereas NTLMv2 doesn't limit
-- the length of the client challenge.
--
-- The primary advantage to the 'v2' protocols is the client challenge -- by
-- incorporating a client challenge, a malicious server can't use a precomputation
-- attack.
--
-- In addition to hashing the passwords, messages are also signed, by default, if a
-- v1 protocol is being used (I (Ron Bowes) couldn't get signatures to work on v2
-- protocols; if anybody knows how I'd love to implement it).
--
--@args smbusername The SMB username to log in with. The forms "DOMAIN\username" and "username@DOMAIN"
-- are not understood. To set a domain, use the smbdomain
argument.
--@args smbdomain The domain to log in with. If you aren't in a domain environment, then anything
-- will (should?) be accepted by the server.
--@args smbpassword The password to connect with. Be cautious with this, since some servers will lock
-- accounts if the incorrect password is given. Although it's rare that the
-- Administrator account can be locked out, in the off chance that it can, you could
-- get yourself in trouble. To use a blank password, leave this parameter off
-- altogether.
--@args smbhash A password hash to use when logging in. This is given as a single hex string (32
-- characters) or a pair of hex strings (both 32 characters, optionally separated by a
-- single character). These hashes are the LanMan or NTLM hash of the user's password,
-- and are stored on disk or in memory. They can be retrieved from memory
-- using the fgdump or pwdump tools.
--@args smbtype The type of SMB authentication to use. These are the possible options:
-- * v1
: Sends LMv1 and NTLMv1.
-- * LMv1
: Sends LMv1 only.
-- * NTLMv1
: Sends NTLMv1 only (default).
-- * v2
: Sends LMv2 and NTLMv2.
-- * LMv2
: Sends LMv2 only.
-- * NTLMv2
: Doesn't exist; the protocol doesn't support NTLMv2 alone.
-- The default, NTLMv1
, is a pretty decent compromise between security and
-- compatibility. If you are paranoid, you might want to use v2
or
-- lmv2
for this. (Actually, if you're paranoid, you should be avoiding this
-- protocol altogether!). If you're using an extremely old system, you might need to set
-- this to v1
or lm
, which are less secure but more compatible.
-- For information, see smbauth.lua
.
--@args smbnoguest Use to disable usage of the 'guest' account.
local bin = require "bin"
local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local unicode = require "unicode"
local unittest = require "unittest"
_ENV = stdnse.module("smbauth", stdnse.seeall)
local have_ssl, openssl = pcall(require, "openssl")
-- Constants
local NTLMSSP_NEGOTIATE = 0x00000001
local NTLMSSP_CHALLENGE = 0x00000002
local NTLMSSP_AUTH = 0x00000003
local session_key = string.rep("\0", 16)
-- Types of accounts (ordered by how useful they are
local ACCOUNT_TYPES = {
ANONYMOUS = 0,
GUEST = 1,
USER = 2,
ADMIN = 3
}
local function account_exists(host, username, domain)
if(host.registry['smbaccounts'] == nil) then
return false
end
for i, j in pairs(host.registry['smbaccounts']) do
if(j['username'] == username and j['domain'] == domain) then
return true
end
end
return false
end
--- Try the next stored account for this host
-- @param host The host table
-- @param num If nil, the next account is chosen. If a number, the account at
-- that index is chosen
function next_account(host, num)
if(num == nil) then
if(host.registry['smbindex'] == nil) then
host.registry['smbindex'] = 1
else
host.registry['smbindex'] = host.registry['smbindex'] + 1
end
else
host.registry['smbindex'] = num
end
end
---Writes the given account to the registry.
--
-- There are several places where accounts are stored:
-- * registry['usernames'][username] => true
-- * registry['smbaccounts'][username] => password
-- * registry[ip]['smbaccounts'] => array of table containing 'username', 'password', and 'is_admin'
--
-- The final place, 'smbaccount', is reserved for the "best" account. This is
-- an administrator account, if one's found; otherwise, it's the first account
-- discovered that isn't guest
.
--
-- This has to be called while no SMB connections are made, since it
-- potentially makes its own connection.
--
--@param host The host object.
--@param username The username to add.
--@param domain The domain to add.
--@param password The password to add.
--@param password_hash The password hash to add.
--@param hash_type The hash type to use.
--@param is_admin [optional] Set to 'true' the account is known to be an administrator.
function add_account(host, username, domain, password, password_hash, hash_type, is_admin)
-- Save the username in a global list -- TODO: restore this
-- if(nmap.registry.usernames == nil) then
-- nmap.registry.usernames = {}
-- end
-- nmap.registry.usernames[username] = true
--
-- -- Save the username/password pair in a global list
-- if(nmap.registry.smbaccounts == nil) then
-- nmap.registry.smbaccounts = {}
-- end
-- nmap.registry.smbaccounts[username] = password
-- Check if we've already recorded this account
if(account_exists(host, username, domain)) then
return
end
if(host.registry['smbaccounts'] == nil) then
host.registry['smbaccounts'] = {}
end
-- Determine the type of account, if it wasn't given
local account_type = nil
if(is_admin) then
account_type = ACCOUNT_TYPES.ADMIN
else
if(username == '') then
-- Anonymous account
account_type = ACCOUNT_TYPES.ANONYMOUS
elseif(string.lower(username) == 'guest') then
-- Guest account
account_type = ACCOUNT_TYPES.GUEST
else
-- We have to assume it's a user-level account (we just can't call any SMB functions from inside here)
account_type = ACCOUNT_TYPES.USER
end
end
-- Set some defaults
if(hash_type == nil) then
hash_type = 'ntlm'
end
-- Save the new account if this is our first one, or our other account isn't an admin
local new_entry = {}
new_entry['username'] = username
new_entry['domain'] = domain
new_entry['password'] = password
new_entry['password_hash'] = password_hash
new_entry['hash_type'] = string.lower(hash_type)
new_entry['account_type'] = account_type
-- Insert the new entry into the table
table.insert(host.registry['smbaccounts'], new_entry)
-- Sort the table based on the account type (we want anonymous at the end, administrator at the front)
table.sort(host.registry['smbaccounts'], function(a,b) return a['account_type'] > b['account_type'] end)
-- Print a debug message
stdnse.debug1("SMB: Added account '%s' to account list", username)
-- Reset the credentials
next_account(host, 1)
-- io.write("\n\n" .. nsedebug.tostr(host.registry['smbaccounts']) .. "\n\n")
end
---Retrieve the current set of credentials set in the registry.
--
-- If these fail, next_account
should be called.
--
--@param host The host object.
--@return status true or false. If false, the next return value is an error
-- message and no other values are returned.
--@return username
--@return domain
--@return password
--@return password_hash
--@return hash_type
--@see next_account
function get_account(host)
if(host.registry['smbindex'] == nil) then
host.registry['smbindex'] = 1
end
local index = host.registry['smbindex']
local account = host.registry['smbaccounts'][index]
if(account == nil) then
return false, "No accounts left to try"
end
return true, account['username'], account['domain'], account['password'], account['password_hash'], account['hash_type']
end
---Initialize the host's account table.
--
-- Create the account table with the anonymous and guest users, as well as the
-- user given in the script's arguments, if there is one.
--
--@param host The host object.
function init_account(host)
-- Don't run this more than once for each host
if(host.registry['smbaccounts'] ~= nil) then
return
end
-- Create the list
host.registry['smbaccounts'] = {}
-- Add the anonymous/guest accounts
add_account(host, '', '', '', nil, 'none')
if(not stdnse.get_script_args( "smbnoguest" )) then
add_account(host, 'guest', '', '', nil, 'ntlm')
end
-- Add the account given on the commandline (TODO: allow more than one?)
local args = nmap.registry.args
local username = nil
local domain = ''
local password = nil
local password_hash = nil
local hash_type = 'ntlm'
-- Do the username first
if(args.smbusername ~= nil) then
username = args.smbusername
elseif(args.smbuser ~= nil) then
username = args.smbuser
end
-- If the username exists, do everything else
if(username ~= nil) then
-- Domain
if(args.smbdomain ~= nil) then
domain = args.smbdomain
end
-- Type
if(args.smbtype ~= nil) then
hash_type = args.smbtype
end
-- Do the password
if(args.smbpassword ~= nil) then
password = args.smbpassword
elseif(args.smbpass ~= nil) then
password = args.smbpass
end
-- Only use the hash if there's no password
if(password == nil) then
password_hash = args.smbhash
end
-- Add the account, if we got a password
if(password == nil and password_hash == nil) then
stdnse.debug1("SMB: Either smbpass, smbpassword, or smbhash have to be passed as script arguments to use an account")
else
add_account(host, username, domain, password, password_hash, hash_type)
end
end
end
---Generate the Lanman v1 hash (LMv1).
--
-- The generated hash is incredibly easy to reverse, because the input is
-- padded or truncated to 14 characters, then split into two 7-character
-- strings. Each of these strings are used as a key to encrypt the string,
-- "KGS!@#$%" in DES. Because the keys are no longer than 7-characters long,
-- it's pretty trivial to bruteforce them.
--
--@param password the password to hash
--@return true on success, or false on error
--@return The LMv1 hash
local function lm_create_hash(password)
if(have_ssl ~= true) then
return false, "SMB: OpenSSL not present"
end
local str1, str2
local key1, key2
local result
-- Convert the password to uppercase
password = string.upper(password)
-- Encode the password in OEM code page
-- Supporting all the OEM code pages would be burdensome, so we try to
-- convert to CP437, the default for US-English Windows, which is
-- used for Alt+NumPad "unicode" entry in all versions of Windows.
-- https://en.wikipedia.org/wiki/Code_page_437
do
local buf = {}
for i, cp in ipairs(unicode.decode(password, unicode.utf8_dec)) do
local ch = unicode.cp437_enc(cp)
if ch == nil then
return false, "Couldn't encode password in CP437"
end
buf[i] = ch
end
password = table.concat(buf)
local nsedebug = require 'nsedebug'
stdnse.debug1("LM Password: %s", stdnse.tohex(password))
end
-- If password is under 14 characters, pad it to 14
password = password .. string.rep('\0', 14 - #password)
-- Take the first and second half of the password (note that if it's longer than 14 characters, it's truncated)
str1 = string.sub(password, 1, 7)
str2 = string.sub(password, 8, 14)
-- Generate the keys
key1 = openssl.DES_string_to_key(str1)
key2 = openssl.DES_string_to_key(str2)
-- Encrypt the string "KGS!@#$%" with each half, and concatenate it
result = openssl.encrypt("DES", key1, nil, "KGS!@#$%") .. openssl.encrypt("DES", key2, nil, "KGS!@#$%")
return true, result
end
---Generate the NTLMv1 hash.
--
-- This hash is quite a bit better than LMv1, and is far easier to generate.
-- Basically, it's the MD4 of the Unicode password.
--
--@param password the password to hash
--@return true on success, or false on error
--@return The NTLMv1 hash
function ntlm_create_hash(password)
if(have_ssl ~= true) then
return false, "SMB: OpenSSL not present"
end
return true, openssl.md4(unicode.utf8to16(password))
end
---Create the Lanman response to send back to the server.
--
-- To do this, the Lanman password is padded to 21 characters and split into
-- three 7-character strings. Each of those strings is used as a key to encrypt
-- the server challenge. The three encrypted strings are concatenated and
-- returned.
--
--@param lanman The LMv1 hash
--@param challenge The server's challenge.
--@return true on success, or false on error
--@return The client challenge response, or an error message
function lm_create_response(lanman, challenge)
if(have_ssl ~= true) then
return false, "SMB: OpenSSL not present"
end
local str1, str2, str3
local key1, key2, key3
local result
-- Pad the hash to 21 characters
lanman = lanman .. string.rep('\0', 21 - #lanman)
-- Take the first and second half of the password (note that if it's longer than 14 characters, it's truncated)
str1 = string.sub(lanman, 1, 7)
str2 = string.sub(lanman, 8, 14)
str3 = string.sub(lanman, 15, 21)
-- Generate the keys
key1 = openssl.DES_string_to_key(str1)
key2 = openssl.DES_string_to_key(str2)
key3 = openssl.DES_string_to_key(str3)
-- Print a warning message if a blank challenge is received, and create a phony challenge. A blank challenge is
-- invalid in the protocol, and causes some versions of OpenSSL to abort with no possible error handling.
if(challenge == "") then
stdnse.debug1("SMB: ERROR: Server returned invalid (blank) challenge value (should be 8 bytes); failing login to avoid OpenSSL crash.")
challenge = "AAAAAAAA"
end
-- Encrypt the challenge with each key
result = openssl.encrypt("DES", key1, nil, challenge) .. openssl.encrypt("DES", key2, nil, challenge) .. openssl.encrypt("DES", key3, nil, challenge)
return true, result
end
---Create the NTLM response to send back to the server.
--
-- This is actually done the exact same way as the Lanman hash,
-- so I call the Lanman
function.
--
--@param ntlm The NTLMv1 hash
--@param challenge The server's challenge.
--@return true on success, or false on error
--@return The client challenge response, or an error message
function ntlm_create_response(ntlm, challenge)
if(have_ssl ~= true) then
return false, "SMB: OpenSSL not present"
end
return lm_create_response(ntlm, challenge)
end
---Create the NTLM mac key, which is used for message signing.
--
-- For basic authentication, this is the md4 of the NTLM hash, concatenated
-- with the response hash; for extended authentication, this is just the md4 of
-- the NTLM hash.
--
--@param ntlm_hash The NTLM hash.
--@param ntlm_response The NTLM response.
--@param is_extended Should be set if extended security negotiations are being used.
--@return The NTLM mac key
function ntlm_create_mac_key(ntlm_hash, ntlm_response, is_extended)
if(have_ssl ~= true) then
return false, "SMB: OpenSSL not present"
end
if(is_extended) then
return openssl.md4(ntlm_hash)
else
return openssl.md4(ntlm_hash) .. ntlm_response
end
end
---Create the LM mac key, which is used for message signing.
--
-- For basic authentication, it's the first 8 bytes of the lanman hash,
-- followed by 8 null bytes, followed by the lanman response; for extended
-- authentication, this is just the first 8 bytes of the lanman hash followed
-- by 8 null bytes.
--
--@param lm_hash The LM hash.
--@param lm_response The LM response.
--@param is_extended Should be set if extended security negotiations are being used.
--@return The LM mac key
function lm_create_mac_key(lm_hash, lm_response, is_extended)
if(have_ssl ~= true) then
return false, "SMB: OpenSSL not present"
end
if(is_extended) then
return string.sub(lm_hash, 1, 8) .. string.rep('\0', 8)
else
return string.sub(lm_hash, 1, 8) .. string.rep('\0', 8) .. lm_response
end
end
---Create the NTLMv2 hash.
--
-- The NTLMv2 hash is based on the NTLMv1 hash (for easy upgrading), the
-- username, and the domain. Essentially, the NTLM hash is used as a HMAC-MD5
-- key, which is used to hash the unicode domain concatenated with the unicode
-- username.
--
--@param ntlm The NTLMv1 hash.
--@param username The username we're using.
--@param domain The domain.
--@return true on success, or false on error
--@return The NTLMv2 hash or an error message
function ntlmv2_create_hash(ntlm, username, domain)
if(have_ssl ~= true) then
return false, "SMB: OpenSSL not present"
end
username = unicode.utf8to16(string.upper(username))
domain = unicode.utf8to16(string.upper(domain))
return true, openssl.hmac("MD5", ntlm, username .. domain)
end
---Create the LMv2 response, which can be sent back to the server.
--
-- This is identical to the NTLMv2
function,
-- except that it uses an 8-byte client challenge.
--
-- The reason for LMv2 is a long and twisted story. Well, not really. The
-- reason is basically that the v1 hashes are always 24-bytes, and some servers
-- expect 24 bytes, but the NTLMv2 hash is more than 24 bytes. So, the only way
-- to keep pass-through compatibility was to have a v2-hash that was guaranteed
-- to be 24 bytes. So LMv2 was born -- it has a 16-byte hash followed by the
-- 8-byte client challenge, for a total of 24 bytes. And now you've learned
-- something
--
--@param ntlm The NVLMv1 hash.
--@param username The username we're using.
--@param domain The domain.
--@param challenge The server challenge.
--@return true on success, or false on error
--@return The LMv2 response, or an error message
function lmv2_create_response(ntlm, username, domain, challenge)
if(have_ssl ~= true) then
return false, "SMB: OpenSSL not present"
end
return ntlmv2_create_response(ntlm, username, domain, challenge, 8)
end
---Create the NTLMv2 response, which can be sent back to the server.
--
-- This is done by using the HMAC-MD5 algorithm with the NTLMv2 hash as a key,
-- and the server challenge concatenated with the client challenge for the
-- data. The resulting hash is concatenated with the client challenge and
-- returned.
--
-- The "proper" implementation for this uses a certain structure for the client
-- challenge, involving the time and computer name and stuff (if you don't do
-- this, Wireshark tells you it's a malformed packet). In my tests, however, I
-- couldn't get Vista to recognize a client challenge longer than 24 bytes, and
-- this structure was guaranteed to be much longer than 24 bytes. So, I just
-- use a random string generated by OpenSSL. I've tested it on every Windows
-- system from Windows 2000 to Windows Vista, and it has always worked.
--
--@param ntlm The NVLMv1 hash.
--@param username The username we're using.
--@param domain The domain.
--@param challenge The server challenge.
--@param client_challenge_length number of random bytes of client challenge to use
--@return true on success, or false on error
--@return The NTLMv2 response, or an error message
function ntlmv2_create_response(ntlm, username, domain, challenge, client_challenge_length)
if(have_ssl ~= true) then
return false, "SMB: OpenSSL not present"
end
local client_challenge = openssl.rand_bytes(client_challenge_length)
local status, ntlmv2_hash = ntlmv2_create_hash(ntlm, username, domain)
return true, openssl.hmac("MD5", ntlmv2_hash, challenge .. client_challenge) .. client_challenge
end
---Generate the Lanman and NTLM password hashes.
--
-- The password itself is taken from the function parameters, the script
-- arguments, and the registry (in that order). If no password is set, then the
-- password hash is used (which is read from all the usual places). If neither
-- is set, then a blank password is used.
--
-- The output passwords are hashed based on the hash type.
--
--@param ip The ip address of the host, used for registry lookups.
--@param username The username, which is used for v2 passwords.
--@param domain The username, which is used for v2 passwords.
--@param password [optional] The overriding password.
--@param password_hash [optional] The overriding password hash. Shouldn't be
-- set if password is set.
--@param challenge The server challenge.
--@param hash_type The way in which to hash the password.
--@param is_extended Set to 'true' if extended security negotiations are being
-- used (this has to be known for the message-signing key to
-- be generated properly).
--@return lm_response, to be send directly back to the server
--@return ntlm_response, to be send directly back to the server
--@reutrn mac_key used for message signing.
function get_password_response(ip, username, domain, password, password_hash, hash_type, challenge, is_extended)
local status
local lm_hash = nil
local ntlm_hash = nil
local mac_key = nil
local lm_response, ntlm_response
-- Check for a blank password
if(password == nil and password_hash == nil) then
stdnse.debug2("SMB: Couldn't find password or hash to use (assuming blank)")
password = ""
end
-- The anonymous user requires a single 0-byte instead of a LANMAN hash (don't ask me why, but it doesn't work without)
if(hash_type == 'none') then
return '\0', '', nil
end
-- If we got a password, hash it
if(password ~= nil) then
status, lm_hash = lm_create_hash(password)
status, ntlm_hash = ntlm_create_hash(password)
else
if(password_hash ~= nil) then
if(string.find(password_hash, "^" .. string.rep("%x%x", 16) .. "$")) then
stdnse.debug2("SMB: Found a 16-byte hex string")
lm_hash = bin.pack("H", password_hash:sub(1, 32))
ntlm_hash = bin.pack("H", password_hash:sub(1, 32))
elseif(string.find(password_hash, "^" .. string.rep("%x%x", 32) .. "$")) then
stdnse.debug2("SMB: Found a 32-byte hex string")
lm_hash = bin.pack("H", password_hash:sub(1, 32))
ntlm_hash = bin.pack("H", password_hash:sub(33, 64))
elseif(string.find(password_hash, "^" .. string.rep("%x%x", 16) .. "." .. string.rep("%x%x", 16) .. "$")) then
stdnse.debug2("SMB: Found two 16-byte hex strings")
lm_hash = bin.pack("H", password_hash:sub(1, 32))
ntlm_hash = bin.pack("H", password_hash:sub(34, 65))
else
stdnse.debug1("SMB: ERROR: Hash(es) provided in an invalid format (should be 32, 64, or 65 hex characters)")
lm_hash = nil
ntlm_hash = nil
end
end
end
-- At this point, we should have a good lm_hash and ntlm_hash if we're getting one
if(lm_hash == nil or ntlm_hash == nil) then
stdnse.debug2("SMB: Couldn't determine which password to use, using a blank one")
return "", ""
end
-- Output what we've got so far
stdnse.debug2("SMB: Lanman hash: %s", stdnse.tohex(lm_hash))
stdnse.debug2("SMB: NTLM hash: %s", stdnse.tohex(ntlm_hash))
-- Hash the password the way the user wants
if(hash_type == "v1") then
-- LM and NTLM are hashed with their respective algorithms
stdnse.debug2("SMB: Creating v1 response")
status, lm_response = lm_create_response(lm_hash, challenge)
status, ntlm_response = ntlm_create_response(ntlm_hash, challenge)
mac_key = ntlm_create_mac_key(ntlm_hash, ntlm_response, is_extended)
elseif(hash_type == "lm") then
-- LM is hashed with its algorithm, NTLM is blank
stdnse.debug2("SMB: Creating LMv1 response")
status, lm_response = lm_create_response(lm_hash, challenge)
ntlm_response = ""
mac_key = lm_create_mac_key(lm_hash, lm_response, is_extended)
elseif(hash_type == "ntlm") then
-- LM and NTLM both use the NTLM algorithm
stdnse.debug2("SMB: Creating NTLMv1 response")
status, lm_response = ntlm_create_response(ntlm_hash, challenge)
status, ntlm_response = ntlm_create_response(ntlm_hash, challenge)
mac_key = ntlm_create_mac_key(ntlm_hash, ntlm_response, is_extended)
elseif(hash_type == "v2") then
-- LM and NTLM are hashed with their respective v2 algorithms
stdnse.debug2("SMB: Creating v2 response")
status, lm_response = lmv2_create_response(ntlm_hash, username, domain, challenge)
status, ntlm_response = ntlmv2_create_response(ntlm_hash, username, domain, challenge, 24)
elseif(hash_type == "lmv2") then
-- LM is hashed with its v2 algorithm, NTLM is blank
stdnse.debug2("SMB: Creating LMv2 response")
status, lm_response = lmv2_create_response(ntlm_hash, username, domain, challenge)
ntlm_response = ""
else
-- Default to NTLMv1
if(hash_type ~= nil) then
stdnse.debug1("SMB: Invalid login type specified ('%s'), using default (NTLM)", hash_type)
else
stdnse.debug1("SMB: No login type specified, using default (NTLM)")
end
status, lm_response = ntlm_create_response(ntlm_hash, challenge)
status, ntlm_response = ntlm_create_response(ntlm_hash, challenge)
end
stdnse.debug2("SMB: Lanman response: %s", stdnse.tohex(lm_response))
stdnse.debug2("SMB: NTLM response: %s", stdnse.tohex(ntlm_response))
return lm_response, ntlm_response, mac_key
end
---Generate an NTLMSSP security blob.
--@param security_blob The server's security blob, or nil if this is the first
-- message
--@param ip The ip address of the host, used for registry lookups.
--@param username The username, which is used for v2 passwords.
--@param domain The username, which is used for v2 passwords.
--@param password [optional] The overriding password.
--@param password_hash [optional] The overriding password hash. Shouldn't be
-- set if password is set.
--@param hash_type The way in which to hash the password.
--@param flags The NTLM flags as a number
function get_security_blob(security_blob, ip, username, domain, password, password_hash, hash_type, flags)
local pos = 1
local new_blob
local flags = flags or 0x00008215 -- (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE)
if(security_blob == nil) then
-- If security_blob is nil, this is the initial packet
new_blob = bin.pack(" 0 ) and unicode.utf8to16(domain) or ""
ntlm = (#username > 0 ) and ntlm or ""
lanman = (#username > 0 ) and lanman or '\0'
local domain_offset = 0x40
local username_offset = domain_offset + #domain
local hostname_offset = username_offset + #username
local lanman_offset = hostname_offset + #hostname
local ntlm_offset = lanman_offset + #lanman
local sessionkey_offset = ntlm_offset + #ntlm
new_blob = bin.pack(" 0 and #ntlm - 16 or 0 ),
( #ntlm > 0 and #ntlm - 16 or 0 ),
ntlm_offset,
#domain,
#domain,
domain_offset,
#username,
#username,
username_offset,
#hostname,
#hostname,
hostname_offset,
#session_key,
#session_key,
sessionkey_offset,
flags,
domain,
username,
hostname,
lanman,
ntlm,
session_key)
return true, new_blob, mac_key
end
end
---
-- Host information for NTLM security
-- @class table
-- @name host_info
-- @field target_realm Target Name Data
-- @field netbios_computer_name Server name
-- @field netbios_domain_name Domain name
-- @field fqdn DNS server name
-- @field dns_domain_name DNS domain name
-- @field dns_forest_name DNS tree name
-- @field timestamp Timestamp
---
-- Gets host info from a security blob
-- @param security_blob The NTLM security blob
-- @return A host_info table containing the data in the blob.
-- @see host_info
function get_host_info_from_security_blob(security_blob)
local ntlm_challenge = {}
--local pos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved, target_info_length, target_info_max, target_info_offset = bin.unpack(" 0 ) then
local length = domain_length
local pos = domain_offset + 1 -- +1 to convert to Lua's 1-based indexes
local target_realm
pos, target_realm = bin.unpack( string.format( "A%d", length ), security_blob, pos )
ntlm_challenge[ "target_realm" ] = unicode.utf16to8( target_realm )
end
-- Parse the TargetInfo data (Wireshark calls this the "Address List")
if ( target_info_length > 0 ) then
-- Definition of AvId values (IDs for AV_PAIR (attribute-value pair) structures),
-- as defined by the NTLM Authentication Protocol specification [MS-NLMP].
local NTLM_AV_ID_VALUES = {
MsvAvEOL = 0x0,
MsvAvNbComputerName = 0x1,
MsvAvNbDomainName = 0x2,
MsvAvDnsComputerName = 0x3,
MsvAvDnsDomainName = 0x4,
MsvAvDnsTreeName = 0x5,
MsvAvFlags = 0x6,
MsvAvTimestamp = 0x7,
MsvAvRestrictions = 0x8,
MsvAvTargetName = 0x9,
MsvAvChannelBindings = 0xA,
}
-- Friendlier names for AvId values, to be used as keys in the results table
-- e.g. ntlm_challenge[ "dns_computer_name" ] -> "host.test.local"
local NTLM_AV_ID_NAMES = {
[NTLM_AV_ID_VALUES.MsvAvNbComputerName] = "netbios_computer_name",
[NTLM_AV_ID_VALUES.MsvAvNbDomainName] = "netbios_domain_name",
[NTLM_AV_ID_VALUES.MsvAvDnsComputerName] = "fqdn",
[NTLM_AV_ID_VALUES.MsvAvDnsDomainName] = "dns_domain_name",
[NTLM_AV_ID_VALUES.MsvAvDnsTreeName] = "dns_forest_name",
[NTLM_AV_ID_VALUES.MsvAvTimestamp] = "timestamp",
}
local length = target_info_length
local pos = target_info_offset + 1 -- +1 to convert to Lua's 1-based indexes
local target_info
pos, target_info = bin.unpack( string.format( "A%d", length ), security_blob, pos )
pos = 1 -- reset pos to 1, since we'll be working out of just the target_info
repeat
local value, av_id, av_len
pos, av_id, av_len = bin.unpack( "= #target_info )
end
return ntlm_challenge
end
---Create an 8-byte message signature that's sent with all SMB packets.
--
--@param mac_key The key used for authentication. It's the concatenation of the
-- session key and the response hash.
--@param data The packet to generate the signature for. This should be the
-- packet that's about to be sent, except with the signature slot
-- replaced with the sequence number.
--@return The 8-byte signature. The signature is equal to the first eight bytes
-- of md5(mac_key .. smb_data)
function calculate_signature(mac_key, data)
if(have_ssl) then
return string.sub(openssl.md5(mac_key .. data), 1, 8)
else
return string.rep('\0', 8)
end
end
if not unittest.testing() then
return _ENV
end
test_suite = unittest.TestSuite:new()
if have_ssl then
test_suite:add_test(unittest.equal(
stdnse.tohex(select(-1, lm_create_hash("passphrase"))),
"855c3697d9979e78ac404c4ba2c66533"
),
"lm_create_hash"
)
test_suite:add_test(unittest.equal(
stdnse.tohex(select(-1, ntlm_create_hash("passphrase"))),
"7f8fe03093cc84b267b109625f6bbf4b"
),
"ntlm_create_hash"
)
test_suite:add_test(unittest.equal(
stdnse.tohex(select(-1, lm_create_hash("ÅÇÅÇ"))),
"1830f5732b438091aad3b435b51404ee"
),
"lm_create_hash"
)
test_suite:add_test(unittest.equal(
stdnse.tohex(select(-1, ntlm_create_hash("öäü"))),
"4848bcb81cf018c3b70ea1479bd1374d"
),
"ntlm_create_hash"
)
else
test_suite:add_test(unittest.is_false(lm_create_hash("a"), "lm_create_hash"))
test_suite:add_test(unittest.is_false(ntlm_create_hash("a"), "ntlm_create_hash"))
end
return _ENV;