2005-09-16 09:27:41 +00:00
|
|
|
module Rex
|
|
|
|
module Proto
|
|
|
|
module SMB
|
|
|
|
class Utils
|
|
|
|
|
|
|
|
require 'rex/text'
|
|
|
|
|
|
|
|
# Convert a standard ASCII string to 16-bit Unicode
|
|
|
|
def self.unicode (str)
|
|
|
|
str.unpack('C*').pack('v*')
|
|
|
|
end
|
|
|
|
|
|
|
|
# Convert a name to its NetBIOS equivalent
|
|
|
|
def self.nbname_encode (str)
|
|
|
|
encoded = ''
|
|
|
|
for x in (0..15)
|
|
|
|
if (x >= str.length)
|
|
|
|
encoded << 'CA'
|
|
|
|
else
|
|
|
|
c = str[x, 1].upcase[0]
|
|
|
|
encoded << [ (c / 16) + 0x41, (c % 16) + 0x41 ].pack('CC')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return encoded
|
|
|
|
end
|
|
|
|
|
|
|
|
# Convert a name from its NetBIOS equivalent
|
|
|
|
def self.nbname_decode (str)
|
|
|
|
decoded = ''
|
|
|
|
str << 'A' if str.length % 2 != 0
|
|
|
|
while (str.length > 0)
|
|
|
|
two = str.slice!(0, 2)
|
|
|
|
if (two.length == 2)
|
|
|
|
decoded << [ ((two[0] - 0x41) * 16) + two[1] - 0x41 ].pack('C')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return decoded
|
|
|
|
end
|
|
|
|
|
2005-09-19 23:35:51 +00:00
|
|
|
def self.asn1encode (str = '')
|
|
|
|
res = ''
|
|
|
|
case str.length
|
|
|
|
when 0 .. 0x80
|
|
|
|
res = [str.length].pack('C') + str
|
|
|
|
when 0x81 .. 0x100
|
|
|
|
res = [0x81, str.length].pack('CC') + str
|
|
|
|
when 0x101 .. 0x100000
|
|
|
|
res = [0x82, str.length].pack('Cn') + str
|
|
|
|
when 0x100001 .. 0xffffffff
|
|
|
|
res = [0x83, str.length].pack('CN') + str
|
|
|
|
end
|
|
|
|
return res
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.make_ntlmv2_secblob_init (domain = 'WORKGROUP', name = 'WORKSTATION')
|
|
|
|
blob =
|
|
|
|
"\x60" + self.asn1encode(
|
|
|
|
"\x06" + self.asn1encode(
|
|
|
|
"\x2b\x06\x01\x05\x05\x02"
|
|
|
|
) +
|
|
|
|
"\xa0" + self.asn1encode(
|
|
|
|
"\x30" + self.asn1encode(
|
|
|
|
"\xa0" + self.asn1encode(
|
|
|
|
"\x30" + self.asn1encode(
|
|
|
|
"\x06" + self.asn1encode(
|
|
|
|
"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
|
|
|
|
)
|
|
|
|
)
|
|
|
|
) +
|
|
|
|
"\xa2" + self.asn1encode(
|
|
|
|
"\x04" + self.asn1encode(
|
|
|
|
"NTLMSSP\x00" +
|
|
|
|
[1, 0x80201].pack('VV') +
|
|
|
|
|
|
|
|
[
|
|
|
|
domain.length, #length
|
|
|
|
domain.length, #max length
|
|
|
|
32
|
|
|
|
].pack('vvV') +
|
|
|
|
|
|
|
|
[
|
|
|
|
name.length, #length
|
|
|
|
name.length, #max length
|
|
|
|
domain.length + 32
|
|
|
|
].pack('vvV') +
|
|
|
|
|
|
|
|
domain + name
|
|
|
|
)
|
|
|
|
)
|
|
|
|
)
|
|
|
|
)
|
|
|
|
)
|
2005-09-22 04:04:06 +00:00
|
|
|
|
2005-09-19 23:35:51 +00:00
|
|
|
return blob
|
|
|
|
end
|
|
|
|
|
|
|
|
def self.make_ntlmv2_secblob_auth (domain = '', name = '', user = '', lmv2 = '', ntlm = '')
|
|
|
|
|
|
|
|
domain_uni = self.unicode(domain)
|
|
|
|
user_uni = self.unicode(user)
|
|
|
|
name_uni = self.unicode(name)
|
|
|
|
|
|
|
|
ptr = 0
|
|
|
|
blob =
|
|
|
|
"\xa1" + self.asn1encode(
|
|
|
|
"\x30" + self.asn1encode(
|
|
|
|
"\xa2" + self.asn1encode(
|
|
|
|
"\x04" + self.asn1encode(
|
|
|
|
|
|
|
|
"NTLMSSP\x00" +
|
|
|
|
[ 3 ].pack('V') +
|
|
|
|
|
|
|
|
[ # Lan Manager Response
|
|
|
|
lmv2.length,
|
|
|
|
lmv2.length,
|
|
|
|
(ptr += 64)
|
|
|
|
].pack('vvV') +
|
|
|
|
|
|
|
|
[ # NTLM Manager Response
|
|
|
|
ntlm.length,
|
|
|
|
ntlm.length,
|
|
|
|
(ptr += lmv2.length)
|
|
|
|
].pack('vvV') +
|
|
|
|
|
|
|
|
[ # Domain Name
|
|
|
|
domain_uni.length,
|
|
|
|
domain_uni.length,
|
|
|
|
(ptr += ntlm.length)
|
|
|
|
].pack('vvV') +
|
|
|
|
|
|
|
|
[ # Username
|
|
|
|
user_uni.length,
|
|
|
|
user_uni.length,
|
|
|
|
(ptr += domain_uni.length)
|
|
|
|
].pack('vvV') +
|
|
|
|
|
|
|
|
[ # Hostname
|
|
|
|
name_uni.length,
|
|
|
|
name_uni.length,
|
|
|
|
(ptr += user_uni.length)
|
|
|
|
].pack('vvV') +
|
|
|
|
|
|
|
|
[ # Session Key (none)
|
|
|
|
0, 0, 0
|
|
|
|
].pack('vvV') +
|
2005-09-16 09:27:41 +00:00
|
|
|
|
2005-09-19 23:35:51 +00:00
|
|
|
[ 0x80201 ].pack('V') +
|
|
|
|
|
|
|
|
lmv2 +
|
|
|
|
ntlm +
|
|
|
|
domain_uni +
|
|
|
|
user_uni +
|
|
|
|
name_uni
|
|
|
|
))))
|
|
|
|
return blob
|
|
|
|
end
|
|
|
|
|
2005-09-16 09:27:41 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|