The Tor Browser / file revision

netwerk/test/ReadNTLM.cpp@ca08bd8f51b2

netwerk/test/ReadNTLM.cpp

Wed, 31 Dec 2014 06:55:46 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:55:46 +0100
changeset 1
ca08bd8f51b2
permissions
-rw-r--r--

Added tag TORBROWSER_REPLICA for changeset 6474c204b198

     1 /* vim: set ts=2 sw=2 et cindent: */

     2 /* This Source Code Form is subject to the terms of the Mozilla Public

     3  * License, v. 2.0. If a copy of the MPL was not distributed with this

     4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

     5 

     6 #include <stdlib.h>

     7 #include <stdio.h>

     8 #include <ctype.h>

     9 

    10 #include "plbase64.h"

    11 #include "nsStringAPI.h"

    12 #include "prmem.h"

    13 

    14 /*

    15  * ReadNTLM : reads NTLM messages.

    16  *

    17  * based on http://davenport.sourceforge.net/ntlm.html

    18  */

    19 

    20 #define kNegotiateUnicode               0x00000001

    21 #define kNegotiateOEM                   0x00000002

    22 #define kRequestTarget                  0x00000004

    23 #define kUnknown1                       0x00000008

    24 #define kNegotiateSign                  0x00000010

    25 #define kNegotiateSeal                  0x00000020

    26 #define kNegotiateDatagramStyle         0x00000040

    27 #define kNegotiateLanManagerKey         0x00000080

    28 #define kNegotiateNetware               0x00000100

    29 #define kNegotiateNTLMKey               0x00000200

    30 #define kUnknown2                       0x00000400

    31 #define kUnknown3                       0x00000800

    32 #define kNegotiateDomainSupplied        0x00001000

    33 #define kNegotiateWorkstationSupplied   0x00002000

    34 #define kNegotiateLocalCall             0x00004000

    35 #define kNegotiateAlwaysSign            0x00008000

    36 #define kTargetTypeDomain               0x00010000

    37 #define kTargetTypeServer               0x00020000

    38 #define kTargetTypeShare                0x00040000

    39 #define kNegotiateNTLM2Key              0x00080000

    40 #define kRequestInitResponse            0x00100000

    41 #define kRequestAcceptResponse          0x00200000

    42 #define kRequestNonNTSessionKey         0x00400000

    43 #define kNegotiateTargetInfo            0x00800000

    44 #define kUnknown4                       0x01000000

    45 #define kUnknown5                       0x02000000

    46 #define kUnknown6                       0x04000000

    47 #define kUnknown7                       0x08000000

    48 #define kUnknown8                       0x10000000

    49 #define kNegotiate128                   0x20000000

    50 #define kNegotiateKeyExchange           0x40000000

    51 #define kNegotiate56                    0x80000000

    52 

    53 static const char NTLM_SIGNATURE[] = "NTLMSSP";

    54 static const char NTLM_TYPE1_MARKER[] = { 0x01, 0x00, 0x00, 0x00 };

    55 static const char NTLM_TYPE2_MARKER[] = { 0x02, 0x00, 0x00, 0x00 };

    56 static const char NTLM_TYPE3_MARKER[] = { 0x03, 0x00, 0x00, 0x00 };

    57 

    58 #define NTLM_MARKER_LEN 4

    59 #define NTLM_TYPE1_HEADER_LEN 32

    60 #define NTLM_TYPE2_HEADER_LEN 32

    61 #define NTLM_TYPE3_HEADER_LEN 64

    62 

    63 #define LM_HASH_LEN 16

    64 #define LM_RESP_LEN 24

    65 

    66 #define NTLM_HASH_LEN 16

    67 #define NTLM_RESP_LEN 24

    68 

    69 static void PrintFlags(uint32_t flags)

    70 {

    71 #define TEST(_flag) \

    72   if (flags & k ## _flag) \

    73     printf("    0x%08x (" # _flag ")\n", k ## _flag)

    74 

    75   TEST(NegotiateUnicode);

    76   TEST(NegotiateOEM);

    77   TEST(RequestTarget);

    78   TEST(Unknown1);

    79   TEST(NegotiateSign);

    80   TEST(NegotiateSeal);

    81   TEST(NegotiateDatagramStyle);

    82   TEST(NegotiateLanManagerKey);

    83   TEST(NegotiateNetware);

    84   TEST(NegotiateNTLMKey);

    85   TEST(Unknown2);

    86   TEST(Unknown3);

    87   TEST(NegotiateDomainSupplied);

    88   TEST(NegotiateWorkstationSupplied);

    89   TEST(NegotiateLocalCall);

    90   TEST(NegotiateAlwaysSign);

    91   TEST(TargetTypeDomain);

    92   TEST(TargetTypeServer);

    93   TEST(TargetTypeShare);

    94   TEST(NegotiateNTLM2Key);

    95   TEST(RequestInitResponse);

    96   TEST(RequestAcceptResponse);

    97   TEST(RequestNonNTSessionKey);

    98   TEST(NegotiateTargetInfo);

    99   TEST(Unknown4);

   100   TEST(Unknown5);

   101   TEST(Unknown6);

   102   TEST(Unknown7);

   103   TEST(Unknown8);

   104   TEST(Negotiate128);

   105   TEST(NegotiateKeyExchange);

   106   TEST(Negotiate56);

   107 

   108 #undef TEST

   109 }

   110 

   111 static void

   112 PrintBuf(const char *tag, const uint8_t *buf, uint32_t bufLen)

   113 {

   114   int i;

   115 

   116   printf("%s =\n", tag);

   117   while (bufLen > 0)

   118   {

   119     int count = bufLen;

   120     if (count > 8)

   121       count = 8;

   122 

   123     printf("    ");

   124     for (i=0; i<count; ++i)

   125     {

   126       printf("0x%02x ", int(buf[i]));

   127     }

   128     for (; i<8; ++i)

   129     {

   130       printf("     ");

   131     }

   132 

   133     printf("   ");

   134     for (i=0; i<count; ++i)

   135     {

   136       if (isprint(buf[i]))

   137         printf("%c", buf[i]);

   138       else

   139         printf(".");

   140     }

   141     printf("\n");

   142 

   143     bufLen -= count;

   144     buf += count;

   145   }

   146 }

   147 

   148 static uint16_t

   149 ReadUint16(const uint8_t *&buf)

   150 {

   151   uint16_t x;

   152 #ifdef IS_BIG_ENDIAN

   153   x = ((uint16_t) buf[1]) | ((uint16_t) buf[0] << 8);

   154 #else

   155   x = ((uint16_t) buf[0]) | ((uint16_t) buf[1] << 8);

   156 #endif

   157   buf += sizeof(x);

   158   return x;

   159 }

   160 

   161 static uint32_t

   162 ReadUint32(const uint8_t *&buf)

   163 {

   164   uint32_t x;

   165 #ifdef IS_BIG_ENDIAN

   166   x = ( (uint32_t) buf[3])        |

   167       (((uint32_t) buf[2]) << 8)  |

   168       (((uint32_t) buf[1]) << 16) |

   169       (((uint32_t) buf[0]) << 24);

   170 #else

   171   x = ( (uint32_t) buf[0])        |

   172       (((uint32_t) buf[1]) << 8)  |

   173       (((uint32_t) buf[2]) << 16) |

   174       (((uint32_t) buf[3]) << 24);

   175 #endif

   176   buf += sizeof(x);

   177   return x;

   178 }

   179 

   180 typedef struct {

   181   uint16_t length;

   182   uint16_t capacity;

   183   uint32_t offset;

   184 } SecBuf;

   185 

   186 static void

   187 ReadSecBuf(SecBuf *s, const uint8_t *&buf)

   188 {

   189   s->length = ReadUint16(buf);

   190   s->capacity = ReadUint16(buf);

   191   s->offset = ReadUint32(buf);

   192 }

   193 

   194 static void

   195 ReadType1MsgBody(const uint8_t *inBuf, uint32_t start)

   196 {

   197   const uint8_t *cursor = inBuf + start;

   198   uint32_t flags;

   199 

   200   PrintBuf("flags", cursor, 4);

   201   // read flags

   202   flags = ReadUint32(cursor);

   203   PrintFlags(flags);

   204 

   205   // type 1 message may not include trailing security buffers

   206   if ((flags & kNegotiateDomainSupplied) | 

   207       (flags & kNegotiateWorkstationSupplied))

   208   {

   209     SecBuf secbuf;

   210     ReadSecBuf(&secbuf, cursor);

   211     PrintBuf("supplied domain", inBuf + secbuf.offset, secbuf.length);

   212 

   213     ReadSecBuf(&secbuf, cursor);

   214     PrintBuf("supplied workstation", inBuf + secbuf.offset, secbuf.length);

   215   }

   216 }

   217 

   218 static void

   219 ReadType2MsgBody(const uint8_t *inBuf, uint32_t start)

   220 {

   221   uint16_t targetLen, offset;

   222   uint32_t flags;

   223   const uint8_t *target;

   224   const uint8_t *cursor = inBuf + start;

   225 

   226   // read target name security buffer

   227   targetLen = ReadUint16(cursor);

   228   ReadUint16(cursor); // discard next 16-bit value

   229   offset = ReadUint32(cursor); // get offset from inBuf

   230   target = inBuf + offset;

   231 

   232   PrintBuf("target", target, targetLen);

   233 

   234   PrintBuf("flags", cursor, 4);

   235   // read flags

   236   flags = ReadUint32(cursor);

   237   PrintFlags(flags);

   238 

   239   // read challenge

   240   PrintBuf("challenge", cursor, 8);

   241   cursor += 8;

   242 

   243   PrintBuf("context", cursor, 8);

   244   cursor += 8;

   245 

   246   SecBuf secbuf;

   247   ReadSecBuf(&secbuf, cursor);

   248   PrintBuf("target information", inBuf + secbuf.offset, secbuf.length);

   249 }

   250 

   251 static void

   252 ReadType3MsgBody(const uint8_t *inBuf, uint32_t start)

   253 {

   254   const uint8_t *cursor = inBuf + start;

   255 

   256   SecBuf secbuf;

   257 

   258   ReadSecBuf(&secbuf, cursor); // LM response

   259   PrintBuf("LM response", inBuf + secbuf.offset, secbuf.length);

   260 

   261   ReadSecBuf(&secbuf, cursor); // NTLM response

   262   PrintBuf("NTLM response", inBuf + secbuf.offset, secbuf.length);

   263 

   264   ReadSecBuf(&secbuf, cursor); // domain name

   265   PrintBuf("domain name", inBuf + secbuf.offset, secbuf.length);

   266 

   267   ReadSecBuf(&secbuf, cursor); // user name

   268   PrintBuf("user name", inBuf + secbuf.offset, secbuf.length);

   269 

   270   ReadSecBuf(&secbuf, cursor); // workstation name

   271   PrintBuf("workstation name", inBuf + secbuf.offset, secbuf.length);

   272 

   273   ReadSecBuf(&secbuf, cursor); // session key

   274   PrintBuf("session key", inBuf + secbuf.offset, secbuf.length);

   275 

   276   uint32_t flags = ReadUint32(cursor);

   277   PrintBuf("flags", (const uint8_t *) &flags, sizeof(flags));

   278   PrintFlags(flags);

   279 }

   280 

   281 static void

   282 ReadMsg(const char *base64buf, uint32_t bufLen)

   283 {

   284   uint8_t *inBuf = (uint8_t *) PL_Base64Decode(base64buf, bufLen, nullptr);

   285   if (!inBuf)

   286   {

   287     printf("PL_Base64Decode failed\n");

   288     return;

   289   }

   290 

   291   const uint8_t *cursor = inBuf;

   292 

   293   PrintBuf("signature", cursor, 8);

   294 

   295   // verify NTLMSSP signature

   296   if (memcmp(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)) != 0)

   297   {

   298     printf("### invalid or corrupt NTLM signature\n");

   299   }

   300   cursor += sizeof(NTLM_SIGNATURE);

   301 

   302   PrintBuf("message type", cursor, 4);

   303 

   304   if (memcmp(cursor, NTLM_TYPE1_MARKER, sizeof(NTLM_MARKER_LEN)) == 0)

   305     ReadType1MsgBody(inBuf, 12);

   306   else if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_MARKER_LEN)) == 0)

   307     ReadType2MsgBody(inBuf, 12);

   308   else if (memcmp(cursor, NTLM_TYPE3_MARKER, sizeof(NTLM_MARKER_LEN)) == 0)

   309     ReadType3MsgBody(inBuf, 12);

   310   else

   311     printf("### invalid or unknown message type\n"); 

   312 

   313   PR_Free(inBuf);

   314 }

   315 

   316 int main(int argc, char **argv)

   317 {

   318   if (argc == 1)

   319   {

   320     printf("usage: ntlmread <msg>\n");

   321     return -1;

   322   }

   323   ReadMsg(argv[1], (uint32_t) strlen(argv[1]));

   324   return 0;

   325 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial