]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright (C) 1996-2018 The Squid Software Foundation and contributors | |
3 | * | |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
9 | #include "squid.h" | |
10 | /* Find passwords ... */ | |
11 | /* We do it in a brute force way ... Cycle through all the possible passwords | |
12 | sending a logon to see if all it works ... We have to wait for any timeout | |
13 | the the server implements before we try the next one. We could open lots | |
14 | of connections to the server and then send the logon request and not wait | |
15 | for the reply. This would allow us to have lots of outstanding attempts at | |
16 | a time. */ | |
17 | ||
18 | #include <sys/types.h> | |
19 | #include <unistd.h> | |
20 | #if HAVE_STRING_H | |
21 | #include <string.h> | |
22 | #endif | |
23 | ||
24 | #include "smblib/smblib.h" | |
25 | ||
26 | int verbose = FALSE; | |
27 | int lotc = FALSE; | |
28 | ||
29 | char *SMB_Prots[] = {"PC NETWORK PROGRAM 1.0", | |
30 | "MICROSOFT NETWORKS 1.03", | |
31 | "MICROSOFT NETWORKS 3.0", | |
32 | "LANMAN1.0", | |
33 | "LM1.2X002", | |
34 | "LANMAN2.1", | |
35 | "NT LM 0.12", | |
36 | "NT LANMAN 1.0", | |
37 | NULL | |
38 | }; | |
39 | ||
40 | void usage() | |
41 | ||
42 | { | |
43 | fprintf(stderr,"Usage: find_password -u <user> -l <pwd-len-max> server\n"); | |
44 | } | |
45 | ||
46 | /* figure out next password */ | |
47 | ||
48 | static int pwinit = FALSE, pwpos = 0; | |
49 | ||
50 | int next_password(char *pw, int pwlen) | |
51 | ||
52 | { | |
53 | int i, carry = FALSE; | |
54 | ||
55 | if (pwinit == FALSE) { | |
56 | ||
57 | pwinit = TRUE; | |
58 | memset(pw, 0, pwlen + 1); | |
59 | pwpos = 0; | |
60 | ||
61 | } | |
62 | ||
63 | i = pwpos; | |
64 | ||
65 | while (TRUE) { | |
66 | ||
67 | pw[i] = pw[i] + 1; | |
68 | ||
69 | /* If it has wrapped around, then inc to 1 and carry up the chain */ | |
70 | ||
71 | if (pw[i] == 0) { | |
72 | ||
73 | pw[i] = 1; | |
74 | i = i - 1; | |
75 | ||
76 | if (i < 0) { /* If we went off the end, increment pwpos */ | |
77 | ||
78 | pwpos = pwpos + 1; | |
79 | if (pwpos >= pwlen) return(FALSE); /* No more passwords */ | |
80 | ||
81 | pw[pwpos] = 1; | |
82 | return(TRUE); | |
83 | ||
84 | } | |
85 | ||
86 | } else | |
87 | return(TRUE); | |
88 | ||
89 | return(FALSE); | |
90 | } | |
91 | } | |
92 | ||
93 | static char pwd_str[1024]; /* Where we put passwords as we convert them */ | |
94 | ||
95 | char *print_password(char * password) | |
96 | ||
97 | { | |
98 | int i,j; | |
99 | char temp[4]; | |
100 | ||
101 | j = 0; | |
102 | ||
103 | for (i = 0; i < strlen(password); i++) { | |
104 | ||
105 | if (((unsigned)password[i] <= ' ') || ((unsigned)password[i] > 127)) { | |
106 | ||
107 | pwd_str[j] = '\\'; | |
108 | snprintf(temp, sizeof(temp)-1, "%03i", (int)password[i]); | |
109 | strcpy(&pwd_str[j + 1], temp); | |
110 | j = j + 3; /* Space for \ accounted for below */ | |
111 | ||
112 | } else | |
113 | pwd_str[j] = password[i]; | |
114 | ||
115 | j = j + 1; | |
116 | ||
117 | } | |
118 | ||
119 | pwd_str[j] = 0; /* Put a null on the end ... */ | |
120 | ||
121 | return(pwd_str); | |
122 | ||
123 | } | |
124 | ||
125 | main(int argc, char *argv[]) | |
126 | ||
127 | { | |
128 | void *con, *tree; | |
129 | extern char *optarg; | |
130 | extern int optind; | |
131 | int opt, error, SMB_Error, err_class, err_code, pwlen, tries = 0; | |
132 | char server[80], service[80], service_name[160], password[80], username[80]; | |
133 | char old_password[80], err_string[1024]; | |
134 | ||
135 | server[0] = 0; | |
136 | strncpy(service, "IPC$", sizeof(service) - 1); | |
137 | service_name[0] = 0; | |
138 | username[0] = 0; | |
139 | password[0] = 0; | |
140 | old_password[0] = 0; | |
141 | ||
142 | while ((opt = getopt(argc, argv, "s:u:l:v")) != EOF) { | |
143 | ||
144 | switch (opt) { | |
145 | case 's': | |
146 | ||
147 | strcpy(service, optarg); | |
148 | break; | |
149 | ||
150 | case 'u': /* Pick up the user name */ | |
151 | ||
152 | strncpy(username, optarg, sizeof(username) - 1); | |
153 | break; | |
154 | ||
155 | case 'l': /* pick up password len */ | |
156 | ||
157 | pwlen = atoi(optarg); | |
158 | break; | |
159 | ||
160 | case 'v': /* Verbose? */ | |
161 | verbose = TRUE; | |
162 | break; | |
163 | ||
164 | default: | |
165 | ||
166 | usage(); | |
167 | exit(1); | |
168 | break; | |
169 | } | |
170 | ||
171 | } | |
172 | ||
173 | if (optind < argc) { /* Some more parameters, assume is the server */ | |
174 | strncpy(server, argv[optind], sizeof(server) - 1); | |
175 | optind++; | |
176 | } else { | |
177 | strcpy(server, "nemesis"); | |
178 | } | |
179 | ||
180 | if (verbose == TRUE) { /* Print out all we know */ | |
181 | ||
182 | fprintf(stderr, "Finding password for User: %s, on server: %s\n", | |
183 | username, server); | |
184 | fprintf(stderr, "with a pwlen = %i\n", pwlen); | |
185 | ||
186 | } | |
187 | ||
188 | SMB_Init(); /* Initialize things ... */ | |
189 | ||
190 | /* We connect to the server and negotiate */ | |
191 | ||
192 | con = SMB_Connect_Server(NULL, server); | |
193 | ||
194 | if (con == NULL) { /* Error processing */ | |
195 | ||
196 | fprintf(stderr, "Unable to connect to server %s ...\n", server); | |
197 | ||
198 | if (SMB_Get_Last_Error() == SMBlibE_Remote) { | |
199 | ||
200 | SMB_Error = SMB_Get_Last_SMB_Err(); | |
201 | SMB_Get_SMB_Error_Msg(SMBlib_Error_Class(SMB_Error), | |
202 | SMBlib_Error_Code(SMB_Error), | |
203 | err_string, | |
204 | sizeof(err_string) - 1); | |
205 | ||
206 | } else { | |
207 | SMB_Get_Error_Msg(SMB_Get_Last_Error(), err_string, sizeof(err_string) - 1); | |
208 | } | |
209 | ||
210 | printf(" %s\n", err_string); | |
211 | exit(1); | |
212 | ||
213 | } | |
214 | ||
215 | /* We need to negotiate a protocol better than PC NetWork Program */ | |
216 | ||
217 | if (SMB_Negotiate(con, SMB_Prots) < 0) { | |
218 | ||
219 | fprintf(stderr, "Unable to negotiate a protocol with server %s ...\n", | |
220 | server); | |
221 | ||
222 | if (SMB_Get_Last_Error() == SMBlibE_Remote) { | |
223 | ||
224 | SMB_Error = SMB_Get_Last_SMB_Err(); | |
225 | SMB_Get_SMB_Error_Msg(SMBlib_Error_Class(SMB_Error), | |
226 | SMBlib_Error_Code(SMB_Error), | |
227 | err_string, | |
228 | sizeof(err_string) - 1); | |
229 | ||
230 | } else { | |
231 | SMB_Get_Error_Msg(SMB_Get_Last_Error(), err_string, sizeof(err_string) - 1); | |
232 | } | |
233 | ||
234 | printf(" %s\n", err_string); | |
235 | exit(1); | |
236 | ||
237 | } | |
238 | ||
239 | sprintf(service_name, sizeof(service_name)-1, "\\\\%s\\%s", server, service); /* Could blow up */ | |
240 | ||
241 | /* Now loop through all password possibilities ... */ | |
242 | ||
243 | memset(password, 0, sizeof(password)); | |
244 | ||
245 | while (next_password(password, pwlen) == TRUE) { | |
246 | ||
247 | if ((tree = SMB_Logon_And_TCon(con, | |
248 | NULL, | |
249 | username, | |
250 | password, | |
251 | service_name, "?????")) == NULL) { | |
252 | ||
253 | if (verbose == TRUE) { /* Lets hear about the error */ | |
254 | ||
255 | fprintf(stderr, "Unable to logon and tree connect to server %s ...\n", | |
256 | server); | |
257 | fprintf(stderr, "With username: %s, and password: %s\n", | |
258 | username, print_password(password)); | |
259 | ||
260 | if (SMB_Get_Last_Error() == SMBlibE_Remote) { | |
261 | ||
262 | SMB_Error = SMB_Get_Last_SMB_Err(); | |
263 | SMB_Get_SMB_Error_Msg(SMBlib_Error_Class(SMB_Error), | |
264 | SMBlib_Error_Code(SMB_Error), | |
265 | err_string, | |
266 | sizeof(err_string) - 1); | |
267 | ||
268 | } else { | |
269 | SMB_Get_Error_Msg(SMB_Get_Last_Error(), err_string, sizeof(err_string) - 1); | |
270 | } | |
271 | ||
272 | printf(" %s\n", err_string); | |
273 | ||
274 | } | |
275 | } else { /* Password match */ | |
276 | ||
277 | fprintf(stderr, "Logged in with password:%s\n", | |
278 | print_password(password)); | |
279 | ||
280 | /* Exit now ... */ | |
281 | ||
282 | exit(0); | |
283 | ||
284 | } | |
285 | ||
286 | } | |
287 | ||
288 | fprintf(stderr, "Passwords exhausted."); | |
289 | ||
290 | } | |
291 |