summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/client.h1
-rw-r--r--source3/libsmb/smbencrypt.c10
-rw-r--r--source3/rpc_client/cli_pipe.c14
-rw-r--r--source3/rpcclient/cmd_lsarpc.c35
-rw-r--r--source3/utils/net_rpc.c9
5 files changed, 49 insertions, 20 deletions
diff --git a/source3/include/client.h b/source3/include/client.h
index 5cfc9a6f92..9cbfa51bb1 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -73,7 +73,6 @@ struct rpc_pipe_client {
char *domain;
char *user_name;
- struct pwd_info pwd;
uint16 max_xmit_frag;
uint16 max_recv_frag;
diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index e7198b801d..11f8780a47 100644
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -630,27 +630,23 @@ void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *sessi
}
/* Decrypts password-blob with session-key
- * @param pass password for session-key
+ * @param nt_hash NT hash for the session key
* @param data_in DATA_BLOB encrypted password
*
* Returns cleartext password in CH_UNIX
* Caller must free the returned string
*/
-char *decrypt_trustdom_secret(const char *pass, DATA_BLOB *data_in)
+char *decrypt_trustdom_secret(uint8_t nt_hash[16], DATA_BLOB *data_in)
{
DATA_BLOB data_out, sess_key;
- uchar nt_hash[16];
uint32_t length;
uint32_t version;
fstring cleartextpwd;
- if (!data_in || !pass)
+ if (!data_in || !nt_hash)
return NULL;
- /* generate md4 password-hash derived from the NT UNICODE password */
- E_md4hash(pass, nt_hash);
-
/* hashed twice with md4 */
mdfour(nt_hash, nt_hash, 16);
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index d4ce45446b..828307cace 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2139,6 +2139,18 @@ bool rpccli_is_pipe_idx(struct rpc_pipe_client *cli, int pipe_idx)
return (cli->abstract_syntax == pipe_names[pipe_idx].abstr_syntax);
}
+bool rpccli_get_pwd_hash(struct rpc_pipe_client *cli, uint8_t nt_hash[16])
+{
+ if (!((cli->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP)
+ || (cli->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
+ E_md4hash(cli->cli->pwd.password, nt_hash);
+ return true;
+ }
+
+ memcpy(nt_hash, cli->auth.a_u.ntlmssp_state->nt_hash, 16);
+ return true;
+}
+
struct cli_state *rpc_pipe_np_smb_conn(struct rpc_pipe_client *p)
{
return p->cli;
@@ -2337,8 +2349,6 @@ static struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_internal(struct cli_sta
goto err;
}
- pwd_set_cleartext(&result->pwd, password);
-
*perr = ntlmssp_client_start(&ntlmssp_state);
if (!NT_STATUS_IS_OK(*perr)) {
goto err;
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index 88e49546b1..0419c87c98 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -948,7 +948,8 @@ static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli,
return result;
}
-static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p, const char *password)
+static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p,
+ uint8_t nt_hash[16])
{
char *pwd, *pwd_old;
@@ -958,8 +959,8 @@ static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p, cons
memcpy(data.data, p->password->data, p->password->length);
memcpy(data_old.data, p->old_password->data, p->old_password->length);
- pwd = decrypt_trustdom_secret(password, &data);
- pwd_old = decrypt_trustdom_secret(password, &data_old);
+ pwd = decrypt_trustdom_secret(nt_hash, &data);
+ pwd_old = decrypt_trustdom_secret(nt_hash, &data_old);
d_printf("Password:\t%s\n", pwd);
d_printf("Old Password:\t%s\n", pwd_old);
@@ -974,11 +975,11 @@ static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p, cons
static void display_trust_dom_info(TALLOC_CTX *mem_ctx,
union lsa_TrustedDomainInfo *info,
enum lsa_TrustDomInfoEnum info_class,
- const char *pass)
+ uint8_t nt_hash[16])
{
switch (info_class) {
case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
- display_trust_dom_info_4(&info->password, pass);
+ display_trust_dom_info_4(&info->password, nt_hash);
break;
default: {
const char *str = NULL;
@@ -1003,6 +1004,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli,
uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
union lsa_TrustedDomainInfo *info = NULL;
enum lsa_TrustDomInfoEnum info_class = 1;
+ uint8_t nt_hash[16];
if (argc > 3 || argc < 2) {
printf("Usage: %s [sid] [info_class]\n", argv[0]);
@@ -1028,7 +1030,12 @@ static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli,
if (!NT_STATUS_IS_OK(result))
goto done;
- display_trust_dom_info(mem_ctx, info, info_class, cli->pwd.password);
+ if (!rpccli_get_pwd_hash(cli, nt_hash)) {
+ d_fprintf(stderr, "Could not get pwd hash\n");
+ goto done;
+ }
+
+ display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
done:
rpccli_lsa_Close(cli, mem_ctx, &pol);
@@ -1046,6 +1053,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli,
union lsa_TrustedDomainInfo *info = NULL;
enum lsa_TrustDomInfoEnum info_class = 1;
struct lsa_String trusted_domain;
+ uint8_t nt_hash[16];
if (argc > 3 || argc < 2) {
printf("Usage: %s [name] [info_class]\n", argv[0]);
@@ -1070,7 +1078,12 @@ static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli,
if (!NT_STATUS_IS_OK(result))
goto done;
- display_trust_dom_info(mem_ctx, info, info_class, cli->pwd.password);
+ if (!rpccli_get_pwd_hash(cli, nt_hash)) {
+ d_fprintf(stderr, "Could not get pwd hash\n");
+ goto done;
+ }
+
+ display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
done:
rpccli_lsa_Close(cli, mem_ctx, &pol);
@@ -1088,6 +1101,7 @@ static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli,
union lsa_TrustedDomainInfo *info = NULL;
DOM_SID dom_sid;
enum lsa_TrustDomInfoEnum info_class = 1;
+ uint8_t nt_hash[16];
if (argc > 3 || argc < 2) {
printf("Usage: %s [sid] [info_class]\n", argv[0]);
@@ -1123,7 +1137,12 @@ static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli,
if (!NT_STATUS_IS_OK(result))
goto done;
- display_trust_dom_info(mem_ctx, info, info_class, cli->pwd.password);
+ if (!rpccli_get_pwd_hash(cli, nt_hash)) {
+ d_fprintf(stderr, "Could not get pwd hash\n");
+ goto done;
+ }
+
+ display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
done:
rpccli_lsa_Close(cli, mem_ctx, &pol);
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 5845c14314..24965755fb 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -5929,6 +5929,7 @@ static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
NTSTATUS nt_status;
union lsa_TrustedDomainInfo *info = NULL;
char *cleartextpwd = NULL;
+ uint8_t nt_hash[16];
DATA_BLOB data;
nt_status = rpccli_lsa_QueryTrustedDomainInfoBySid(pipe_hnd, mem_ctx,
@@ -5945,8 +5946,12 @@ static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
data = data_blob(info->password.password->data,
info->password.password->length);
- cleartextpwd = decrypt_trustdom_secret(
- rpc_pipe_np_smb_conn(pipe_hnd)->pwd.password, &data);
+ if (!rpccli_get_pwd_hash(pipe_hnd, nt_hash)) {
+ DEBUG(0, ("Could not retrieve password hash\n"));
+ goto done;
+ }
+
+ cleartextpwd = decrypt_trustdom_secret(nt_hash, &data);
if (cleartextpwd == NULL) {
DEBUG(0,("retrieved NULL password\n"));