handle NIL user domain, and Z(4) at end of nt blob for ntlmv2
the nt blob ends with 4 zero bytes; this is not the same as the EOL av-pair terminator! this makes ntlmv2 work with windows xp with LmCompatibilityLevel = 3
This commit is contained in:
parent
c940e98630
commit
007520e3fe
|
@ -733,6 +733,13 @@ mschap(Ticketreq *tr)
|
|||
if(id == MsvAvEOL)
|
||||
break;
|
||||
}
|
||||
|
||||
/* Z[4] */
|
||||
if(ntbloblen > sizeof(ntblob)-4)
|
||||
exits(0);
|
||||
if(readn(0, ntblob+ntbloblen, 4) < 0)
|
||||
exits(0);
|
||||
ntbloblen += 4;
|
||||
}
|
||||
|
||||
safecpy(tr->uid, reply.uid, sizeof(tr->uid));
|
||||
|
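Review bot: The new Z(4) read at `if(readn(0, ntblob+ntbloblen, 4) < 0)` rejects only an error return; a short read at end of input (readn returning 0 to 3) passes the check, and `ntbloblen += 4` then counts bytes that were never read, so whatever the buffer held before reaches the NtResponse HMAC computed later in mschap. Requiring the full four bytes closes this: `if(readn(0, ntblob+ntbloblen, 4) != 4)` followed by the existing `exits(0);`. The guard `ntbloblen > sizeof(ntblob)-4` compares against a size_t, so if ntbloblen is a signed int (its declaration is outside the hunk) it is promoted to unsigned and the check holds only while ntbloblen is never negative here. The body of mschap continues on both sides of this hunk.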
@ -750,21 +757,29 @@ mschap(Ticketreq *tr)
|
|||
|
||||
if(ntbloblen > 0){
|
||||
getname(MsvAvNbDomainName, ntblob, ntbloblen, windom, sizeof(windom));
|
||||
ntv2hash(hash, secret, tr->uid, windom);
|
||||
|
||||
/*
|
||||
* LmResponse = Cat(HMAC_MD5(LmHash, Cat(SC, CC)), CC)
|
||||
*/
|
||||
s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
|
||||
hmac_md5((uchar*)reply.LMresp+16, 8, hash, MShashlen, resp, s);
|
||||
lmok = memcmp(resp, reply.LMresp, 16) == 0;
|
||||
for(;;){
|
||||
ntv2hash(hash, secret, tr->uid, windom);
|
||||
|
||||
/*
|
||||
* NtResponse = Cat(HMAC_MD5(NtHash, Cat(SC, NtBlob)), NtBlob)
|
||||
*/
|
||||
s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
|
||||
hmac_md5(ntblob, ntbloblen, hash, MShashlen, resp, s);
|
||||
ntok = memcmp(resp, reply.NTresp, 16) == 0;
|
||||
/*
|
||||
* LmResponse = Cat(HMAC_MD5(LmHash, Cat(SC, CC)), CC)
|
||||
*/
|
||||
s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
|
||||
hmac_md5((uchar*)reply.LMresp+16, 8, hash, MShashlen, resp, s);
|
||||
lmok = memcmp(resp, reply.LMresp, 16) == 0;
|
||||
|
||||
/*
|
||||
* NtResponse = Cat(HMAC_MD5(NtHash, Cat(SC, NtBlob)), NtBlob)
|
||||
*/
|
||||
s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
|
||||
hmac_md5(ntblob, ntbloblen, hash, MShashlen, resp, s);
|
||||
ntok = memcmp(resp, reply.NTresp, 16) == 0;
|
||||
|
||||
if(lmok || ntok || windom[0] == '\0')
|
||||
break;
|
||||
|
||||
windom[0] = '\0'; /* try NIL domain */
|
||||
}
|
||||
dupe = 0;
|
||||
} else {
|
||||
lmhash(hash, secret);
|
||||
|
|
|
@ -206,8 +206,15 @@ ntv2_blob(uchar *blob, int len, char *windom)
|
|||
*p++ = 0;
|
||||
*p++ = 0;
|
||||
|
||||
len -= 4;
|
||||
p += putname(p, len - (p-blob), windom, Bdomain);
|
||||
p += putname(p, len - (p-blob), "", Beof);
|
||||
len += 4;
|
||||
|
||||
*p++ = 0; /* 32bit: unknown data */
|
||||
*p++ = 0;
|
||||
*p++ = 0;
|
||||
*p++ = 0;
|
||||
|
||||
return p - blob;
|
||||
}
|
||||
|
|
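Review bot: The four trailing `*p++ = 0;` writes after `len += 4;` carry no bounds check of their own; they are safe only if both putname calls respect the reduced `len - (p-blob)` budget so that p is at most blob+len-4 when they run, and putname is not in view, so if it can return more than the space it was given (for example the full encoded size on truncation) these writes overrun blob. A local guard such as `if(p + 4 > blob + len) return 0;` before the writes would make the invariant visible here, with the return value chosen to match whatever ntv2_blob's callers treat as failure, which is outside this hunk. The comment `/* 32bit: unknown data */` undersells what the commit message explains; `/* Z(4): four zero bytes after the av-pair list, distinct from the MsvAvEOL terminator */` keeps the reason with the code. Separately, with `int len` a value below 4 makes `len -= 4` and the budget passed to putname negative; whether a caller can pass such a len is not visible from this page. ntv2_blob starts before this hunk.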