mirror of
https://github.com/samba-team/samba.git
synced 2025-01-22 22:04:08 +03:00
cae821d459
error wrong password against nt. ???? (This used to be commit b3f16e6b5aa5ba1b6afa38ad698646c8e765ec90)
447 lines
11 KiB
C
447 lines
11 KiB
C
/*
|
|
Unix SMB/Netbios implementation.
|
|
Version 1.9.
|
|
NT Domain Authentication SMB / MSRPC client
|
|
Copyright (C) Andrew Tridgell 1994-1999
|
|
Copyright (C) Luke Kenneth Casson Leighton 1996-1999
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
*/
|
|
|
|
|
|
#ifdef SYSLOG
|
|
#undef SYSLOG
|
|
#endif
|
|
|
|
#include "includes.h"
|
|
#include "nterr.h"
|
|
|
|
extern int DEBUGLEVEL;
|
|
|
|
#define DEBUG_TESTING
|
|
|
|
extern FILE* out_hnd;
|
|
|
|
extern struct cli_state *smb_cli;
|
|
extern int smb_tidx;
|
|
|
|
/****************************************************************************
|
|
nt enumerate trusted domains
|
|
****************************************************************************/
|
|
void cmd_lsa_enum_trust_dom(struct client_info *info)
|
|
{
|
|
uint16 nt_pipe_fnum;
|
|
fstring srv_name;
|
|
uint32 num_doms = 0;
|
|
char **domains = NULL;
|
|
DOM_SID **sids = NULL;
|
|
uint32 enum_ctx = 0;
|
|
|
|
BOOL res = True;
|
|
|
|
fstrcpy(srv_name, "\\\\");
|
|
fstrcat(srv_name, info->myhostname);
|
|
strupper(srv_name);
|
|
|
|
DEBUG(4,("cmd_lsa_enum_trust_dom: server:%s\n", srv_name));
|
|
|
|
/* open LSARPC session. */
|
|
res = res ? cli_nt_session_open(smb_cli, PIPE_LSARPC, &nt_pipe_fnum) : False;
|
|
|
|
/* lookup domain controller; receive a policy handle */
|
|
res = res ? lsa_open_policy(smb_cli, nt_pipe_fnum,
|
|
srv_name,
|
|
&info->dom.lsa_info_pol, False) : False;
|
|
|
|
do
|
|
{
|
|
/* send enum trusted domains query */
|
|
res = res ? lsa_enum_trust_dom(smb_cli, nt_pipe_fnum,
|
|
&info->dom.lsa_info_pol,
|
|
&enum_ctx,
|
|
&num_doms, &domains, &sids) : False;
|
|
|
|
} while (res && enum_ctx != 0);
|
|
|
|
res = res ? lsa_close(smb_cli, nt_pipe_fnum, &info->dom.lsa_info_pol) : False;
|
|
|
|
/* close the session */
|
|
cli_nt_session_close(smb_cli, nt_pipe_fnum);
|
|
|
|
if (res)
|
|
{
|
|
uint32 i;
|
|
DEBUG(5,("cmd_lsa_enum_trust_dom: query succeeded\n"));
|
|
|
|
report(out_hnd, "LSA Enumerate Trusted Domains\n");
|
|
for (i = 0; i < num_doms; i++)
|
|
{
|
|
fstring sid;
|
|
sid_to_string(sid, sids[i]);
|
|
report(out_hnd, "Domain:\t%s\tSID:\t%s\n",
|
|
domains[i], sid);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
DEBUG(5,("cmd_lsa_enum_trust_dom: query failed\n"));
|
|
}
|
|
|
|
free_char_array(num_doms, domains);
|
|
free_sid_array(num_doms, sids);
|
|
}
|
|
|
|
/****************************************************************************
|
|
nt lsa query
|
|
****************************************************************************/
|
|
void cmd_lsa_query_info(struct client_info *info)
|
|
{
|
|
uint16 nt_pipe_fnum;
|
|
fstring srv_name;
|
|
|
|
BOOL res = True;
|
|
|
|
fstrcpy(info->dom.level3_dom, "");
|
|
fstrcpy(info->dom.level5_dom, "");
|
|
ZERO_STRUCT(info->dom.level3_sid);
|
|
ZERO_STRUCT(info->dom.level5_sid);
|
|
|
|
fstrcpy(srv_name, "\\\\");
|
|
fstrcat(srv_name, info->myhostname);
|
|
strupper(srv_name);
|
|
|
|
DEBUG(4,("cmd_lsa_query_info: server:%s\n", srv_name));
|
|
|
|
DEBUG(5, ("cmd_lsa_query_info: smb_cli->fd:%d\n", smb_cli->fd));
|
|
|
|
/* open LSARPC session. */
|
|
res = res ? cli_nt_session_open(smb_cli, PIPE_LSARPC, &nt_pipe_fnum) : False;
|
|
|
|
/* lookup domain controller; receive a policy handle */
|
|
res = res ? lsa_open_policy(smb_cli, nt_pipe_fnum,
|
|
srv_name,
|
|
&info->dom.lsa_info_pol, False) : False;
|
|
|
|
/* send client info query, level 3. receive domain name and sid */
|
|
res = res ? lsa_query_info_pol(smb_cli, nt_pipe_fnum,
|
|
&info->dom.lsa_info_pol, 0x03,
|
|
info->dom.level3_dom,
|
|
&info->dom.level3_sid) : False;
|
|
|
|
/* send client info query, level 5. receive domain name and sid */
|
|
res = res ? lsa_query_info_pol(smb_cli, nt_pipe_fnum,
|
|
&info->dom.lsa_info_pol, 0x05,
|
|
info->dom.level5_dom,
|
|
&info->dom.level5_sid) : False;
|
|
|
|
res = res ? lsa_close(smb_cli, nt_pipe_fnum, &info->dom.lsa_info_pol) : False;
|
|
|
|
/* close the session */
|
|
cli_nt_session_close(smb_cli, nt_pipe_fnum);
|
|
|
|
if (res)
|
|
{
|
|
BOOL domain_something = False;
|
|
fstring sid;
|
|
DEBUG(5,("cmd_lsa_query_info: query succeeded\n"));
|
|
|
|
report(out_hnd, "LSA Query Info Policy\n");
|
|
|
|
if (info->dom.level3_dom[0] != 0)
|
|
{
|
|
sid_to_string(sid, &info->dom.level3_sid);
|
|
report(out_hnd, "Domain Member - Domain: %s SID: %s\n",
|
|
info->dom.level3_dom, sid);
|
|
domain_something = True;
|
|
}
|
|
if (info->dom.level5_dom[0] != 0)
|
|
{
|
|
sid_to_string(sid, &info->dom.level5_sid);
|
|
report(out_hnd, "Domain Controller - Domain: %s SID: %s\n",
|
|
info->dom.level5_dom, sid);
|
|
domain_something = True;
|
|
}
|
|
if (!domain_something)
|
|
{
|
|
report(out_hnd, "%s is not a Domain Member or Controller\n",
|
|
info->dest_host);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
DEBUG(5,("cmd_lsa_query_info: query failed\n"));
|
|
}
|
|
}
|
|
|
|
/****************************************************************************
|
|
lookup names
|
|
****************************************************************************/
|
|
void cmd_lsa_lookup_names(struct client_info *info)
|
|
{
|
|
uint16 nt_pipe_fnum;
|
|
fstring temp;
|
|
int i;
|
|
fstring srv_name;
|
|
int num_names = 0;
|
|
char *names[10];
|
|
DOM_SID *sids = NULL;
|
|
int num_sids = 0;
|
|
#if 0
|
|
DOM_SID sid[10];
|
|
DOM_SID *sids[10];
|
|
#endif
|
|
BOOL res = True;
|
|
|
|
fstrcpy(srv_name, "\\\\");
|
|
fstrcat(srv_name, info->myhostname);
|
|
strupper(srv_name);
|
|
|
|
DEBUG(4,("cmd_lsa_lookup_names: server: %s\n", srv_name));
|
|
|
|
while (num_names < 10 && next_token(NULL, temp, NULL, sizeof(temp)))
|
|
{
|
|
names[num_names] = strdup(temp);
|
|
num_names++;
|
|
}
|
|
|
|
if (num_names == 0)
|
|
{
|
|
report(out_hnd, "lookupnames <name> [<name> ...]\n");
|
|
return;
|
|
}
|
|
|
|
/* open LSARPC session. */
|
|
res = res ? cli_nt_session_open(smb_cli, PIPE_LSARPC, &nt_pipe_fnum) : False;
|
|
|
|
/* lookup domain controller; receive a policy handle */
|
|
res = res ? lsa_open_policy(smb_cli, nt_pipe_fnum,
|
|
srv_name,
|
|
&info->dom.lsa_info_pol, True) : False;
|
|
|
|
/* send lsa lookup sids call */
|
|
res = res ? lsa_lookup_names(smb_cli, nt_pipe_fnum,
|
|
&info->dom.lsa_info_pol,
|
|
num_names, names,
|
|
&sids, NULL, &num_sids) : False;
|
|
|
|
res = res ? lsa_close(smb_cli, nt_pipe_fnum, &info->dom.lsa_info_pol) : False;
|
|
|
|
/* close the session */
|
|
cli_nt_session_close(smb_cli, nt_pipe_fnum);
|
|
|
|
if (res)
|
|
{
|
|
DEBUG(5,("cmd_lsa_lookup_names: query succeeded\n"));
|
|
}
|
|
else
|
|
{
|
|
DEBUG(5,("cmd_lsa_lookup_names: query failed\n"));
|
|
}
|
|
|
|
if (sids != NULL)
|
|
{
|
|
report(out_hnd, "Lookup Names:\n");
|
|
for (i = 0; i < num_sids; i++)
|
|
{
|
|
sid_to_string(temp, &sids[i]);
|
|
report(out_hnd, "SID: %s -> %s\n", names[i], temp);
|
|
#if 0
|
|
if (sids[i] != NULL)
|
|
{
|
|
free(sids[i]);
|
|
}
|
|
#endif
|
|
}
|
|
free(sids);
|
|
}
|
|
|
|
for (i = 0; i < num_names; i++)
|
|
{
|
|
if (names[i] != NULL)
|
|
{
|
|
free(((char **)names)[i]);
|
|
}
|
|
}
|
|
}
|
|
|
|
/****************************************************************************
|
|
lookup sids
|
|
****************************************************************************/
|
|
void cmd_lsa_lookup_sids(struct client_info *info)
|
|
{
|
|
uint16 nt_pipe_fnum;
|
|
fstring temp;
|
|
int i;
|
|
pstring sid_name;
|
|
fstring srv_name;
|
|
DOM_SID sid[10];
|
|
DOM_SID *sids[10];
|
|
int num_sids = 0;
|
|
char **names = NULL;
|
|
int num_names = 0;
|
|
|
|
BOOL res = True;
|
|
|
|
fstrcpy(srv_name, "\\\\");
|
|
fstrcat(srv_name, info->myhostname);
|
|
strupper(srv_name);
|
|
|
|
DEBUG(4,("cmd_lsa_lookup_sids: server: %s\n", srv_name));
|
|
|
|
while (num_sids < 10 && next_token(NULL, temp, NULL, sizeof(temp)))
|
|
{
|
|
if (strnequal("S-", temp, 2))
|
|
{
|
|
fstrcpy(sid_name, temp);
|
|
}
|
|
else
|
|
{
|
|
sid_to_string(sid_name, &info->dom.level5_sid);
|
|
|
|
if (sid_name[0] == 0)
|
|
{
|
|
report(out_hnd, "please use lsaquery first or specify a complete SID\n");
|
|
return;
|
|
}
|
|
|
|
fstrcat(sid_name, "-");
|
|
fstrcat(sid_name, temp);
|
|
}
|
|
string_to_sid(&sid[num_sids], sid_name);
|
|
sids[num_sids] = &sid[num_sids];
|
|
num_sids++;
|
|
}
|
|
|
|
if (num_sids == 0)
|
|
{
|
|
report(out_hnd, "lookupsid RID or SID\n");
|
|
return;
|
|
}
|
|
|
|
/* open LSARPC session. */
|
|
res = res ? cli_nt_session_open(smb_cli, PIPE_LSARPC, &nt_pipe_fnum) : False;
|
|
|
|
/* lookup domain controller; receive a policy handle */
|
|
res = res ? lsa_open_policy(smb_cli, nt_pipe_fnum,
|
|
srv_name,
|
|
&info->dom.lsa_info_pol, True) : False;
|
|
|
|
/* send lsa lookup sids call */
|
|
res = res ? lsa_lookup_sids(smb_cli, nt_pipe_fnum,
|
|
&info->dom.lsa_info_pol,
|
|
num_sids, sids,
|
|
&names, NULL, &num_names) : False;
|
|
|
|
res = res ? lsa_close(smb_cli, nt_pipe_fnum, &info->dom.lsa_info_pol) : False;
|
|
|
|
/* close the session */
|
|
cli_nt_session_close(smb_cli, nt_pipe_fnum);
|
|
|
|
if (res)
|
|
{
|
|
DEBUG(5,("cmd_lsa_lookup_sids: query succeeded\n"));
|
|
}
|
|
else
|
|
{
|
|
DEBUG(5,("cmd_lsa_lookup_sids: query failed\n"));
|
|
}
|
|
if (names != NULL)
|
|
{
|
|
report(out_hnd, "Lookup SIDS:\n");
|
|
for (i = 0; i < num_names; i++)
|
|
{
|
|
sid_to_string(temp, sids[i]);
|
|
report(out_hnd, "SID: %s -> %s\n", temp, names[i]);
|
|
if (names[i] != NULL)
|
|
{
|
|
free(names[i]);
|
|
}
|
|
}
|
|
free(names);
|
|
}
|
|
}
|
|
|
|
/****************************************************************************
|
|
nt lsa query
|
|
****************************************************************************/
|
|
void cmd_lsa_query_secret(struct client_info *info)
|
|
{
|
|
uint16 nt_pipe_fnum;
|
|
fstring srv_name;
|
|
BOOL res = True;
|
|
BOOL res1;
|
|
BOOL res2;
|
|
uint32 i;
|
|
|
|
POLICY_HND hnd_secret;
|
|
fstring secret_name;
|
|
STRING2 enc_secret;
|
|
STRING2 secret;
|
|
NTTIME last_update;
|
|
|
|
if (!next_token(NULL, secret_name, NULL, sizeof(secret_name)))
|
|
{
|
|
report(out_hnd, "querysecret <secret name>\n");
|
|
return;
|
|
}
|
|
|
|
fstrcpy(srv_name, "\\\\");
|
|
fstrcat(srv_name, info->dest_host);
|
|
strupper(srv_name);
|
|
|
|
DEBUG(4,("cmd_lsa_query_info: server:%s\n", srv_name));
|
|
|
|
/* open LSARPC session. */
|
|
res = res ? cli_nt_session_open(smb_cli, PIPE_LSARPC, &nt_pipe_fnum) : False;
|
|
|
|
/* lookup domain controller; receive a policy handle */
|
|
res = res ? lsa_open_policy2(smb_cli, nt_pipe_fnum,
|
|
srv_name,
|
|
&info->dom.lsa_info_pol, False) : False;
|
|
|
|
/* lookup domain controller; receive a policy handle */
|
|
res1 = res ? lsa_open_secret(smb_cli, nt_pipe_fnum,
|
|
&info->dom.lsa_info_pol,
|
|
secret_name, 0x02000000, &hnd_secret) : False;
|
|
|
|
res2 = res1 ? lsa_query_secret(smb_cli, nt_pipe_fnum,
|
|
&hnd_secret, &enc_secret, &last_update) : False;
|
|
|
|
res1 = res1 ? lsa_close(smb_cli, nt_pipe_fnum, &hnd_secret) : False;
|
|
|
|
res = res ? lsa_close(smb_cli, nt_pipe_fnum, &info->dom.lsa_info_pol) : False;
|
|
|
|
/* close the session */
|
|
cli_nt_session_close(smb_cli, nt_pipe_fnum);
|
|
|
|
if (res2 && nt_decrypt_string2(&secret, &enc_secret, (char*)(smb_cli->pwd.smb_nt_pwd)))
|
|
{
|
|
report(out_hnd, "\tValue : ");
|
|
for (i = 0; i < secret.str_str_len; i++)
|
|
{
|
|
report(out_hnd, "%02X", secret.buffer[i]);
|
|
}
|
|
|
|
report(out_hnd, "\n\tLast Updated: %s\n\n",
|
|
http_timestring(nt_time_to_unix(&last_update)));
|
|
}
|
|
else
|
|
{
|
|
report(out_hnd, "LSA Query Secret: failed\n");
|
|
}
|
|
}
|
|
|
|
|