-rw-r--r-- | source3/include/client.h | 1 | ||||
-rw-r--r-- | source3/libsmb/smbencrypt.c | 10 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 14 | ||||
-rw-r--r-- | source3/rpcclient/cmd_lsarpc.c | 35 | ||||
-rw-r--r-- | source3/utils/net_rpc.c | 9 |
5 files changed, 49 insertions, 20 deletions
diff --git a/source3/include/client.h b/source3/include/client.h
index 5cfc9a6f92..9cbfa51bb1 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -73,7 +73,6 @@ struct rpc_pipe_client {
 char *domain;
 char *user_name;
- struct pwd_info pwd;
 uint16 max_xmit_frag;
 uint16 max_recv_frag;
diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index e7198b801d..11f8780a47 100644
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -630,27 +630,23 @@ void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *sessi
 }
 /* Decrypts password-blob with session-key
- * @param pass password for session-key
+ * @param nt_hash NT hash for the session key
 * @param data_in DATA_BLOB encrypted password
 *
 * Returns cleartext password in CH_UNIX
 * Caller must free the returned string
 */
-char *decrypt_trustdom_secret(const char *pass, DATA_BLOB *data_in)
+char *decrypt_trustdom_secret(uint8_t nt_hash[16], DATA_BLOB *data_in)
 {
 DATA_BLOB data_out, sess_key;
- uchar nt_hash[16];
 uint32_t length;
 uint32_t version;
 fstring cleartextpwd;
- if (!data_in || !pass)
+ if (!data_in || !nt_hash)
 return NULL;
- /* generate md4 password-hash derived from the NT UNICODE password */
- E_md4hash(pass, nt_hash);
-
 /* hashed twice with md4 */
 mdfour(nt_hash, nt_hash, 16);
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index d4ce45446b..828307cace 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
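Review bot: `mdfour(nt_hash, nt_hash, 16)` in decrypt_trustdom_secret now hashes in place over the caller's buffer, because the local `uchar nt_hash[16]` that used to receive the E_md4hash output is removed and `nt_hash` is the parameter; after one call every caller's key has been silently replaced by its MD4. display_trust_dom_info_4 in cmd_lsarpc.c calls the function twice with the same `nt_hash` (password, then old password), so the second decryption is keyed with a double-hashed value and the old password will not decrypt correctly. Take the parameter as `const uint8_t nt_hash[16]`, copy it before hashing — `uint8_t key[16]; memcpy(key, nt_hash, 16); mdfour(key, key, 16);` — and use `key` where the rest of the body reads `nt_hash`; the `@param nt_hash` comment can then state that the buffer is not modified. The body of decrypt_trustdom_secret continues past the end of this hunk.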
@@ -2139,6 +2139,18 @@ bool rpccli_is_pipe_idx(struct rpc_pipe_client *cli, int pipe_idx)
 return (cli->abstract_syntax == pipe_names[pipe_idx].abstr_syntax);
 }
+bool rpccli_get_pwd_hash(struct rpc_pipe_client *cli, uint8_t nt_hash[16])
+{
+ if (!((cli->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP)
+ || (cli->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
+ E_md4hash(cli->cli->pwd.password, nt_hash);
+ return true;
+ }
+
+ memcpy(nt_hash, cli->auth.a_u.ntlmssp_state->nt_hash, 16);
+ return true;
+}
+
 struct cli_state *rpc_pipe_np_smb_conn(struct rpc_pipe_client *p)
 {
 return p->cli;
@@ -2337,8 +2349,6 @@ static struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_internal(struct cli_sta
 goto err;
 }
- pwd_set_cleartext(&result->pwd, password);
-
 *perr = ntlmssp_client_start(&ntlmssp_state);
 if (!NT_STATUS_IS_OK(*perr)) {
 goto err;
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index 88e49546b1..0419c87c98 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -948,7 +948,8 @@ static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli,
 return result;
 }
-static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p, const char *password)
+static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p,
+ uint8_t nt_hash[16])
 {
 char *pwd, *pwd_old;
@@ -958,8 +959,8 @@ static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p, cons
 memcpy(data.data, p->password->data, p->password->length);
 memcpy(data_old.data, p->old_password->data, p->old_password->length);
- pwd = decrypt_trustdom_secret(password, &data);
- pwd_old = decrypt_trustdom_secret(password, &data_old);
+ pwd = decrypt_trustdom_secret(nt_hash, &data);
+ pwd_old = decrypt_trustdom_secret(nt_hash, &data_old);
 d_printf("Password:\t%s\n", pwd);
 d_printf("Old Password:\t%s\n", pwd_old);
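Review bot: rpccli_get_pwd_hash dereferences `cli->cli` and `cli->auth.a_u.ntlmssp_state` without checking either, and returns true on both paths, so the bool it returns can never report a failure and the `Could not get pwd hash` branches the callers add in cmd_lsarpc.c and net_rpc.c are unreachable. `cli->cli` is what rpc_pipe_np_smb_conn() returns just below, and as far as these hunks show it only exists for a pipe carried over an SMB connection; on a pipe without one, or without an NTLMSSP state, the fallback is a NULL dereference instead of a clean error. Returning false when the needed pointer is missing makes the callers' checks meaningful; the rewrite below also tests the NTLMSSP case positively so the fallback to the SMB session password is the explicit branch rather than a negated condition.
```c
bool rpccli_get_pwd_hash(struct rpc_pipe_client *cli, uint8_t nt_hash[16])
{
	if ((cli->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP)
	    || (cli->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)) {
		if (cli->auth.a_u.ntlmssp_state == NULL) {
			return false;
		}
		memcpy(nt_hash, cli->auth.a_u.ntlmssp_state->nt_hash, 16);
		return true;
	}

	/* Not NTLMSSP on the pipe: derive the hash from the SMB session
	 * password, which is only there if the pipe has an SMB connection. */
	if (cli->cli == NULL) {
		return false;
	}
	E_md4hash(cli->cli->pwd.password, nt_hash);
	return true;
}
```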
@@ -974,11 +975,11 @@ static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p, cons
 static void display_trust_dom_info(TALLOC_CTX *mem_ctx,
 union lsa_TrustedDomainInfo *info,
 enum lsa_TrustDomInfoEnum info_class,
- const char *pass)
+ uint8_t nt_hash[16])
 {
 switch (info_class) {
 case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
- display_trust_dom_info_4(&info->password, pass);
+ display_trust_dom_info_4(&info->password, nt_hash);
 break;
 default: {
 const char *str = NULL;
@@ -1003,6 +1004,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli,
 uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
 union lsa_TrustedDomainInfo *info = NULL;
 enum lsa_TrustDomInfoEnum info_class = 1;
+ uint8_t nt_hash[16];
 if (argc > 3 || argc < 2) {
 printf("Usage: %s [sid] [info_class]\n", argv[0]);
@@ -1028,7 +1030,12 @@ static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli,
 if (!NT_STATUS_IS_OK(result)) goto done;
- display_trust_dom_info(mem_ctx, info, info_class, cli->pwd.password);
+ if (!rpccli_get_pwd_hash(cli, nt_hash)) {
+ d_fprintf(stderr, "Could not get pwd hash\n");
+ goto done;
+ }
+
+ display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
 done:
 rpccli_lsa_Close(cli, mem_ctx, &pol);
@@ -1046,6 +1053,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli,
 union lsa_TrustedDomainInfo *info = NULL;
 enum lsa_TrustDomInfoEnum info_class = 1;
 struct lsa_String trusted_domain;
+ uint8_t nt_hash[16];
 if (argc > 3 || argc < 2) {
 printf("Usage: %s [name] [info_class]\n", argv[0]);
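Review bot: the `goto done` in the new `Could not get pwd hash` branch of cmd_lsa_query_trustdominfobysid leaves `result` holding the NT_STATUS_OK that the `if (!NT_STATUS_IS_OK(result))` immediately above just confirmed, so the command prints an error and then, presumably, returns success through `done:`; the same shape repeats in the hunks at -1070 and -1123 in this file and, with `nt_status`, in vampire_trusted_domain in net_rpc.c. Set a failing status on the line before each `goto done;`, e.g. `result = NT_STATUS_UNSUCCESSFUL;` here and `nt_status = NT_STATUS_UNSUCCESSFUL;` in net_rpc.c. The new `nt_hash` local is a password-equivalent credential; clearing it once display_trust_dom_info returns (`memset(nt_hash, 0, sizeof nt_hash)`, or the project's secure-zeroing helper, since a plain memset on a dying local may be optimised out) keeps it off the stack no longer than needed, in all four functions. The identical five-line lookup/report/display block is now pasted into three rpcclient commands, so a small static helper in cmd_lsarpc.c taking `cli`, `mem_ctx`, `info` and `info_class` would keep them in step.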
@@ -1070,7 +1078,12 @@ static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli,
 if (!NT_STATUS_IS_OK(result)) goto done;
- display_trust_dom_info(mem_ctx, info, info_class, cli->pwd.password);
+ if (!rpccli_get_pwd_hash(cli, nt_hash)) {
+ d_fprintf(stderr, "Could not get pwd hash\n");
+ goto done;
+ }
+
+ display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
 done:
 rpccli_lsa_Close(cli, mem_ctx, &pol);
@@ -1088,6 +1101,7 @@ static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli,
 union lsa_TrustedDomainInfo *info = NULL;
 DOM_SID dom_sid;
 enum lsa_TrustDomInfoEnum info_class = 1;
+ uint8_t nt_hash[16];
 if (argc > 3 || argc < 2) {
 printf("Usage: %s [sid] [info_class]\n", argv[0]);
@@ -1123,7 +1137,12 @@ static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli,
 if (!NT_STATUS_IS_OK(result)) goto done;
- display_trust_dom_info(mem_ctx, info, info_class, cli->pwd.password);
+ if (!rpccli_get_pwd_hash(cli, nt_hash)) {
+ d_fprintf(stderr, "Could not get pwd hash\n");
+ goto done;
+ }
+
+ display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
 done:
 rpccli_lsa_Close(cli, mem_ctx, &pol);
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 5845c14314..24965755fb 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -5929,6 +5929,7 @@ static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
 NTSTATUS nt_status;
 union lsa_TrustedDomainInfo *info = NULL;
 char *cleartextpwd = NULL;
+ uint8_t nt_hash[16];
 DATA_BLOB data;
 nt_status = rpccli_lsa_QueryTrustedDomainInfoBySid(pipe_hnd, mem_ctx,
@@ -5945,8 +5946,12 @@ static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
 data = data_blob(info->password.password->data, info->password.password->length);
- cleartextpwd = decrypt_trustdom_secret(
- rpc_pipe_np_smb_conn(pipe_hnd)->pwd.password, &data);
+ if (!rpccli_get_pwd_hash(pipe_hnd, nt_hash)) {
+ DEBUG(0, ("Could not retrieve password hash\n"));
+ goto done;
+ }
+
+ cleartextpwd = decrypt_trustdom_secret(nt_hash, &data);
 if (cleartextpwd == NULL) {
 DEBUG(0,("retrieved NULL password\n")); |