[thirdparty/squid.git] / lib / smblib / find_password.c

/*
 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#include "squid.h"
/* Find passwords ... */
/* We do it in a brute force way ... Cycle through all the possible passwords
   sending a logon to see if all it works ... We have to wait for any timeout
   the the server implements before we try the next one. We could open lots
   of connections to the server and then send the logon request and not wait
   for the reply. This would allow us to have lots of outstanding attempts at
   a time. */

#include <sys/types.h>
#include <unistd.h>
#if HAVE_STRING_H
#include <string.h>
#endif

#include "smblib/smblib.h"

int verbose = FALSE;
int lotc = FALSE;

char *SMB_Prots[] = {"PC NETWORK PROGRAM 1.0",
                     "MICROSOFT NETWORKS 1.03",
                     "MICROSOFT NETWORKS 3.0",
                     "LANMAN1.0",
                     "LM1.2X002",
                     "LANMAN2.1",
                     "NT LM 0.12",
                     "NT LANMAN 1.0",
                     NULL
                    };

void usage()

{
    fprintf(stderr,"Usage: find_password -u <user> -l <pwd-len-max> server\n");
}

/* figure out next password */

static int pwinit = FALSE, pwpos = 0;

int next_password(char *pw, int pwlen)

{
    int i, carry = FALSE;

    if (pwinit == FALSE) {

        pwinit = TRUE;
        memset(pw, 0, pwlen + 1);
        pwpos = 0;

    }

    i = pwpos;

    while (TRUE) {

        pw[i] = pw[i] + 1;

        /* If it has wrapped around, then inc to 1 and carry up the chain */

        if (pw[i] == 0) {

            pw[i] = 1;
            i = i - 1;

            if (i < 0) {  /* If we went off the end, increment pwpos */

                pwpos = pwpos + 1;
                if (pwpos >= pwlen) return(FALSE); /* No more passwords */

                pw[pwpos] = 1;
                return(TRUE);

            }

        } else
            return(TRUE);

        return(FALSE);
    }
}

static char pwd_str[1024];  /* Where we put passwords as we convert them */

char *print_password(char * password)

{
    int i,j;
    char temp[4];

    j = 0;

    for (i = 0; i < strlen(password); i++) {

        if (((unsigned)password[i] <= ' ') || ((unsigned)password[i] > 127)) {

            pwd_str[j] = '\\';
            snprintf(temp, sizeof(temp)-1, "%03i", (int)password[i]);
            strcpy(&pwd_str[j + 1], temp);
            j = j + 3;                       /* Space for \ accounted for below */

        } else
            pwd_str[j] = password[i];

        j = j + 1;

    }

    pwd_str[j] = 0;  /* Put a null on the end ... */

    return(pwd_str);

}

main(int argc, char *argv[])

{
    void *con, *tree;
    extern char *optarg;
    extern int optind;
    int opt, error, SMB_Error, err_class, err_code, pwlen, tries = 0;
    char server[80], service[80], service_name[160], password[80], username[80];
    char old_password[80], err_string[1024];

    server[0] = 0;
    strncpy(service, "IPC$", sizeof(service) - 1);
    service_name[0] = 0;
    username[0] = 0;
    password[0] = 0;
    old_password[0] = 0;

    while ((opt = getopt(argc, argv, "s:u:l:v")) != EOF) {

        switch (opt) {
        case 's':

            strcpy(service, optarg);
            break;

        case 'u':     /* Pick up the user name */

            strncpy(username, optarg, sizeof(username) - 1);
            break;

        case 'l':     /* pick up password len */

            pwlen = atoi(optarg);
            break;

        case 'v':     /* Verbose? */
            verbose = TRUE;
            break;

        default:

            usage();
            exit(1);
            break;
        }

    }

    if (optind < argc) { /* Some more parameters, assume is the server */
        strncpy(server, argv[optind], sizeof(server) - 1);
        optind++;
    } else {
        strcpy(server, "nemesis");
    }

    if (verbose == TRUE) {  /* Print out all we know */

        fprintf(stderr, "Finding password for User: %s, on server: %s\n",
                username, server);
        fprintf(stderr, "with a pwlen = %i\n", pwlen);

    }

    SMB_Init();          /* Initialize things ... */

    /* We connect to the server and negotiate */

    con = SMB_Connect_Server(NULL, server);

    if (con == NULL) {  /* Error processing */

        fprintf(stderr, "Unable to connect to server %s ...\n", server);

        if (SMB_Get_Last_Error() == SMBlibE_Remote) {

            SMB_Error = SMB_Get_Last_SMB_Err();
            SMB_Get_SMB_Error_Msg(SMBlib_Error_Class(SMB_Error),
                                  SMBlib_Error_Code(SMB_Error),
                                  err_string,
                                  sizeof(err_string) - 1);

        } else {
            SMB_Get_Error_Msg(SMB_Get_Last_Error(), err_string, sizeof(err_string) - 1);
        }

        printf("  %s\n", err_string);
        exit(1);

    }

    /* We need to negotiate a protocol better than PC NetWork Program */

    if (SMB_Negotiate(con, SMB_Prots) < 0) {

        fprintf(stderr, "Unable to negotiate a protocol with server %s ...\n",
                server);

        if (SMB_Get_Last_Error() == SMBlibE_Remote) {

            SMB_Error = SMB_Get_Last_SMB_Err();
            SMB_Get_SMB_Error_Msg(SMBlib_Error_Class(SMB_Error),
                                  SMBlib_Error_Code(SMB_Error),
                                  err_string,
                                  sizeof(err_string) - 1);

        } else {
            SMB_Get_Error_Msg(SMB_Get_Last_Error(), err_string, sizeof(err_string) - 1);
        }

        printf("  %s\n", err_string);
        exit(1);

    }

    sprintf(service_name, sizeof(service_name)-1, "\\\\%s\\%s", server, service); /* Could blow up */

    /* Now loop through all password possibilities ... */

    memset(password, 0, sizeof(password));

    while (next_password(password, pwlen) == TRUE) {

        if ((tree = SMB_Logon_And_TCon(con,
                                       NULL,
                                       username,
                                       password,
                                       service_name, "?????")) == NULL) {

            if (verbose == TRUE) { /* Lets hear about the error */

                fprintf(stderr, "Unable to logon and tree connect to server %s ...\n",
                        server);
                fprintf(stderr, "With username: %s, and password: %s\n",
                        username, print_password(password));

                if (SMB_Get_Last_Error() == SMBlibE_Remote) {

                    SMB_Error = SMB_Get_Last_SMB_Err();
                    SMB_Get_SMB_Error_Msg(SMBlib_Error_Class(SMB_Error),
                                          SMBlib_Error_Code(SMB_Error),
                                          err_string,
                                          sizeof(err_string) - 1);

                } else {
                    SMB_Get_Error_Msg(SMB_Get_Last_Error(), err_string, sizeof(err_string) - 1);
                }

                printf("  %s\n", err_string);

            }
        } else { /* Password match */

            fprintf(stderr, "Logged in with password:%s\n",
                    print_password(password));

            /* Exit now ... */

            exit(0);

        }

    }

    fprintf(stderr, "Passwords exhausted.");

}
Commit	Line	Data
04e4e140	1	/*
4ac4a490	2	* Copyright (C) 1996-2017 The Squid Software Foundation and contributors
04e4e140 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
f7f3304a	9	#include "squid.h"
7c16470c AJ	10	/* Find passwords ... */
	11	/* We do it in a brute force way ... Cycle through all the possible passwords
	12	sending a logon to see if all it works ... We have to wait for any timeout
	13	the the server implements before we try the next one. We could open lots
	14	of connections to the server and then send the logon request and not wait
	15	for the reply. This would allow us to have lots of outstanding attempts at
	16	a time. */
	17
	18	#include <sys/types.h>
	19	#include <unistd.h>
0ab648c9 AJ	20	#if HAVE_STRING_H
	21	#include <string.h>
	22	#endif
7c16470c	23
0ab648c9	24	#include "smblib/smblib.h"
7c16470c AJ	25
	26	int verbose = FALSE;
	27	int lotc = FALSE;
	28
	29	char *SMB_Prots[] = {"PC NETWORK PROGRAM 1.0",
	30	"MICROSOFT NETWORKS 1.03",
	31	"MICROSOFT NETWORKS 3.0",
	32	"LANMAN1.0",
	33	"LM1.2X002",
	34	"LANMAN2.1",
	35	"NT LM 0.12",
	36	"NT LANMAN 1.0",
	37	NULL
	38	};
	39
	40	void usage()
	41
	42	{
	43	fprintf(stderr,"Usage: find_password -u <user> -l <pwd-len-max> server\n");
	44	}
	45
	46	/* figure out next password */
	47
	48	static int pwinit = FALSE, pwpos = 0;
	49
	50	int next_password(char *pw, int pwlen)
	51
	52	{
	53	int i, carry = FALSE;
	54
	55	if (pwinit == FALSE) {
	56
	57	pwinit = TRUE;
0ab648c9	58	memset(pw, 0, pwlen + 1);
7c16470c AJ	59	pwpos = 0;
	60
	61	}
	62
	63	i = pwpos;
	64
	65	while (TRUE) {
	66
	67	pw[i] = pw[i] + 1;
	68
	69	/* If it has wrapped around, then inc to 1 and carry up the chain */
	70
	71	if (pw[i] == 0) {
	72
	73	pw[i] = 1;
	74	i = i - 1;
	75
	76	if (i < 0) { /* If we went off the end, increment pwpos */
	77
	78	pwpos = pwpos + 1;
	79	if (pwpos >= pwlen) return(FALSE); /* No more passwords */
	80
	81	pw[pwpos] = 1;
	82	return(TRUE);
	83
	84	}
	85
	86	} else
	87	return(TRUE);
	88
	89	return(FALSE);
	90	}
	91	}
	92
	93	static char pwd_str[1024]; /* Where we put passwords as we convert them */
	94
	95	char print_password(char password)
	96
	97	{
	98	int i,j;
	99	char temp[4];
	100
	101	j = 0;
	102
	103	for (i = 0; i < strlen(password); i++) {
	104
	105	if (((unsigned)password[i] <= ' ') \|\| ((unsigned)password[i] > 127)) {
	106
	107	pwd_str[j] = '\\';
86c63190	108	snprintf(temp, sizeof(temp)-1, "%03i", (int)password[i]);
7c16470c AJ	109	strcpy(&pwd_str[j + 1], temp);
	110	j = j + 3; /* Space for \ accounted for below */
	111
	112	} else
	113	pwd_str[j] = password[i];
	114
	115	j = j + 1;
	116
	117	}
	118
	119	pwd_str[j] = 0; /* Put a null on the end ... */
	120
	121	return(pwd_str);
	122
	123	}
	124
	125	main(int argc, char *argv[])
	126
	127	{
	128	void con, tree;
	129	extern char *optarg;
	130	extern int optind;
	131	int opt, error, SMB_Error, err_class, err_code, pwlen, tries = 0;
	132	char server[80], service[80], service_name[160], password[80], username[80];
	133	char old_password[80], err_string[1024];
	134
	135	server[0] = 0;
	136	strncpy(service, "IPC$", sizeof(service) - 1);
	137	service_name[0] = 0;
	138	username[0] = 0;
	139	password[0] = 0;
	140	old_password[0] = 0;
	141
	142	while ((opt = getopt(argc, argv, "s:u:l:v")) != EOF) {
	143
	144	switch (opt) {
	145	case 's':
	146
	147	strcpy(service, optarg);
	148	break;
	149
	150	case 'u': /* Pick up the user name */
	151
	152	strncpy(username, optarg, sizeof(username) - 1);
	153	break;
	154
	155	case 'l': /* pick up password len */
	156
	157	pwlen = atoi(optarg);
	158	break;
	159
	160	case 'v': /* Verbose? */
	161	verbose = TRUE;
	162	break;
	163
	164	default:
	165
	166	usage();
	167	exit(1);
	168	break;
	169	}
	170
	171	}
	172
173	if (optind < argc) { /* Some more parameters, assume is the server */
174	strncpy(server, argv[optind], sizeof(server) - 1);
175	optind++;
176	} else {
177	strcpy(server, "nemesis");
178	}
179
180	if (verbose == TRUE) { /* Print out all we know */
181
182	fprintf(stderr, "Finding password for User: %s, on server: %s\n",
183	username, server);
184	fprintf(stderr, "with a pwlen = %i\n", pwlen);
185
186	}
187
188	SMB_Init(); /* Initialize things ... */
189
190	/* We connect to the server and negotiate */
191
192	con = SMB_Connect_Server(NULL, server);
193
194	if (con == NULL) { /* Error processing */
195
196	fprintf(stderr, "Unable to connect to server %s ...\n", server);
197
198	if (SMB_Get_Last_Error() == SMBlibE_Remote) {
199
200	SMB_Error = SMB_Get_Last_SMB_Err();
201	SMB_Get_SMB_Error_Msg(SMBlib_Error_Class(SMB_Error),
202	SMBlib_Error_Code(SMB_Error),
203	err_string,
204	sizeof(err_string) - 1);
205
206	} else {
207	SMB_Get_Error_Msg(SMB_Get_Last_Error(), err_string, sizeof(err_string) - 1);
208	}
209
210	printf(" %s\n", err_string);
211	exit(1);
212
213	}
214
215	/* We need to negotiate a protocol better than PC NetWork Program */
216
217	if (SMB_Negotiate(con, SMB_Prots) < 0) {
218
219	fprintf(stderr, "Unable to negotiate a protocol with server %s ...\n",
220	server);
221
222	if (SMB_Get_Last_Error() == SMBlibE_Remote) {
223
224	SMB_Error = SMB_Get_Last_SMB_Err();
225	SMB_Get_SMB_Error_Msg(SMBlib_Error_Class(SMB_Error),
226	SMBlib_Error_Code(SMB_Error),
227	err_string,
228	sizeof(err_string) - 1);
229
230	} else {
231	SMB_Get_Error_Msg(SMB_Get_Last_Error(), err_string, sizeof(err_string) - 1);
232	}
233
234	printf(" %s\n", err_string);
235	exit(1);
236
237	}
238
86c63190	239	sprintf(service_name, sizeof(service_name)-1, "\\\\%s\\%s", server, service); /* Could blow up */
7c16470c AJ	240
	241	/* Now loop through all password possibilities ... */
	242
0ab648c9	243	memset(password, 0, sizeof(password));
7c16470c AJ	244
	245	while (next_password(password, pwlen) == TRUE) {
	246
	247	if ((tree = SMB_Logon_And_TCon(con,
	248	NULL,
	249	username,
	250	password,
	251	service_name, "?????")) == NULL) {
	252
	253	if (verbose == TRUE) { /* Lets hear about the error */
	254
	255	fprintf(stderr, "Unable to logon and tree connect to server %s ...\n",
	256	server);
	257	fprintf(stderr, "With username: %s, and password: %s\n",
	258	username, print_password(password));
	259
	260	if (SMB_Get_Last_Error() == SMBlibE_Remote) {
	261
	262	SMB_Error = SMB_Get_Last_SMB_Err();
	263	SMB_Get_SMB_Error_Msg(SMBlib_Error_Class(SMB_Error),
	264	SMBlib_Error_Code(SMB_Error),
	265	err_string,
	266	sizeof(err_string) - 1);
	267
	268	} else {
	269	SMB_Get_Error_Msg(SMB_Get_Last_Error(), err_string, sizeof(err_string) - 1);
	270	}
	271
	272	printf(" %s\n", err_string);
	273
	274	}
	275	} else { /* Password match */
	276
	277	fprintf(stderr, "Logged in with password:%s\n",
	278	print_password(password));
	279
	280	/* Exit now ... */
	281
	282	exit(0);
	283
	284	}
	285
	286	}
	287
	288	fprintf(stderr, "Passwords exhausted.");
	289
	290	}
f53969cc	291