mirror of
https://github.com/cshepherd/gscifs.git
synced 2024-12-27 01:31:47 +00:00
SMB_Setup_AndX logs in with old/insecure Lanman (DES) hashing (requires Tool129)
This commit is contained in:
parent
94c243a313
commit
779d1f7142
@ -1,6 +1,7 @@
|
|||||||
CIFS / SMB2 navel gazing, in 65816 assembly.
|
CIFS / SMB2 navel gazing, in 65816 assembly.
|
||||||
|
|
||||||
5/9/2015 - Current status: Connects on port 445, sends valid SMB Protocol Negotiation message, accepts and analyzes reply. Next step: Login, mount a share, read a file.
|
5/9/2015 - Current status: Connects on port 445, sends valid SMB Protocol Negotiation message, accepts and analyzes reply. Next step: Login, mount a share, read a file.
|
||||||
|
5/24/2015 - Current status: Connects on port 445, completes Protocol Negotiation, successfully sends login (on Setup_ANDX message), obsolete LM (DES) style password
|
||||||
|
|
||||||
Build 'CMD.S' with Merlin32 and the included Library directory.
|
Build 'CMD.S' with Merlin32 and the included Library directory.
|
||||||
|
|
||||||
|
154
latest_tcpdump.txt
Normal file
154
latest_tcpdump.txt
Normal file
@ -0,0 +1,154 @@
|
|||||||
|
10.0.2.55 = Apple IIgs running Marinetti
|
||||||
|
10.0.2.1 = Raspberry Pi running A2SERVER, SMB credentials 'PI' / 'APPLE2'
|
||||||
|
|
||||||
|
19:44:52.729775 IP (tos 0x0, ttl 60, id 437, offset 0, flags [none], proto TCP (6), length 91)
|
||||||
|
10.0.2.55.1025 > 10.0.2.1.445: Flags [P.], cksum 0x9201 (correct), seq 1:52, ack 1, win 16384, length 51
|
||||||
|
SMB PACKET: SMBnegprot (REQUEST)
|
||||||
|
SMB Command = 0x72
|
||||||
|
Error class = 0x0
|
||||||
|
Error code = 0 (0x0)
|
||||||
|
Flags1 = 0x8
|
||||||
|
Flags2 = 0x1
|
||||||
|
Tree ID = 0 (0x0)
|
||||||
|
Proc ID = 57005 (0xdead)
|
||||||
|
UID = 0 (0x0)
|
||||||
|
MID = 1 (0x1)
|
||||||
|
Word Count = 0 (0x0)
|
||||||
|
smb_bcc=12
|
||||||
|
Dialect=NT LM 0.12
|
||||||
|
|
||||||
|
|
||||||
|
0x0000: 4500 005b 01b5 0000 3c06 64b1 0a00 0237 E..[....<.d....7
|
||||||
|
0x0010: 0a00 0201 0401 01bd 0b17 3b08 4197 ac10 ..........;.A...
|
||||||
|
0x0020: 5018 4000 9201 0000 0000 002f ff53 4d42 P.@......../.SMB
|
||||||
|
0x0030: 7200 0000 0008 0100 0000 0000 0000 0000 r...............
|
||||||
|
0x0040: 0000 0000 0000 adde 0000 0100 000c 0002 ................
|
||||||
|
0x0050: 4e54 204c 4d20 302e 3132 00 NT.LM.0.12.
|
||||||
|
|
||||||
|
19:44:52.730020 IP (tos 0x0, ttl 64, id 59985, offset 0, flags [DF], proto TCP (6), length 40)
|
||||||
|
10.0.2.1.445 > 10.0.2.55.1025: Flags [.], cksum 0x1852 (incorrect -> 0x24dd), seq 1, ack 52, win 14600, length 0
|
||||||
|
0x0000: 4500 0028 ea51 4000 4006 3847 0a00 0201 E..(.Q@.@.8G....
|
||||||
|
0x0010: 0a00 0237 01bd 0401 4197 ac10 0b17 3b3b ...7....A.....;;
|
||||||
|
0x0020: 5010 3908 1852 0000 P.9..R..
|
||||||
|
|
||||||
|
19:44:52.735280 IP (tos 0x0, ttl 64, id 59986, offset 0, flags [DF], proto TCP (6), length 141)
|
||||||
|
10.0.2.1.445 > 10.0.2.55.1025: Flags [P.], cksum 0x975e (correct), seq 1:102, ack 52, win 14600, length 101
|
||||||
|
SMB PACKET: SMBnegprot (REPLY)
|
||||||
|
SMB Command = 0x72
|
||||||
|
Error class = 0x0
|
||||||
|
Error code = 0 (0x0)
|
||||||
|
Flags1 = 0x88
|
||||||
|
Flags2 = 0x3
|
||||||
|
Tree ID = 0 (0x0)
|
||||||
|
Proc ID = 57005 (0xdead)
|
||||||
|
UID = 0 (0x0)
|
||||||
|
MID = 1 (0x1)
|
||||||
|
Word Count = 17 (0x11)
|
||||||
|
NT1 Protocol
|
||||||
|
DialectIndex=0 (0x0)
|
||||||
|
SecMode=0x3
|
||||||
|
MaxMux=50 (0x32)
|
||||||
|
NumVcs=1 (0x1)
|
||||||
|
MaxBuffer=16644 (0x4104)
|
||||||
|
RawSize=65536 (0x10000)
|
||||||
|
SessionKey=0x76A1
|
||||||
|
Capabilities=0x80F3FD
|
||||||
|
ServerTime=Sun May 24 19:44:54 2015
|
||||||
|
TimeZone=240 (0xf0)
|
||||||
|
CryptKey=Data: (1 bytes)
|
||||||
|
[000] 08 \0x08
|
||||||
|
smb_bcc=28
|
||||||
|
[000] E1 F1 F5 61 E2 7C 34 34 57 00 4F 00 52 00 4B 00 \0xe1\0xf1\0xf5a\0xe2|44 W\0x00O\0x00R\0x00K\0x00
|
||||||
|
[010] 47 00 52 00 4F 00 55 00 50 00 00 00 G\0x00R\0x00O\0x00U\0x00 P\0x00\0x00\0x00
|
||||||
|
|
||||||
|
|
||||||
|
0x0000: 4500 008d ea52 4000 4006 37e1 0a00 0201 E....R@.@.7.....
|
||||||
|
0x0010: 0a00 0237 01bd 0401 4197 ac10 0b17 3b3b ...7....A.....;;
|
||||||
|
0x0020: 5018 3908 975e 0000 0000 0061 ff53 4d42 P.9..^.....a.SMB
|
||||||
|
0x0030: 7200 0000 0088 0340 0000 0000 0000 0000 r......@........
|
||||||
|
0x0040: 0000 0000 0000 adde 0000 0100 1100 0003 ................
|
||||||
|
0x0050: 3200 0100 0441 0000 0000 0100 a176 0000 2....A.......v..
|
||||||
|
0x0060: fdf3 8000 f7ae 6fa1 7b96 d001 f000 081c ......o.{.......
|
||||||
|
0x0070: 00e1 f1f5 61e2 7c34 3457 004f 0052 004b ....a.|44W.O.R.K
|
||||||
|
0x0080: 0047 0052 004f 0055 0050 0000 00 .G.R.O.U.P...
|
||||||
|
|
||||||
|
19:44:52.789776 IP (tos 0x0, ttl 60, id 438, offset 0, flags [none], proto TCP (6), length 40)
|
||||||
|
10.0.2.55.1025 > 10.0.2.1.445: Flags [.], cksum 0x1d80 (correct), seq 52, ack 102, win 16384, length 0
|
||||||
|
0x0000: 4500 0028 01b6 0000 3c06 64e3 0a00 0237 E..(....<.d....7
|
||||||
|
0x0010: 0a00 0201 0401 01bd 0b17 3b3b 4197 ac75 ..........;;A..u
|
||||||
|
0x0020: 5010 4000 1d80 0000 0000 0000 0000 P.@...........
|
||||||
|
|
||||||
|
19:44:53.037171 IP (tos 0x0, ttl 60, id 439, offset 0, flags [none], proto TCP (6), length 183)
|
||||||
|
10.0.2.55.1025 > 10.0.2.1.445: Flags [P.], cksum 0xe588 (correct), seq 52:195, ack 102, win 16384, length 143
|
||||||
|
SMB PACKET: SMBsesssetupX (REQUEST)
|
||||||
|
SMB Command = 0x73
|
||||||
|
Error class = 0x0
|
||||||
|
Error code = 0 (0x0)
|
||||||
|
Flags1 = 0x8
|
||||||
|
Flags2 = 0x1
|
||||||
|
Tree ID = 0 (0x0)
|
||||||
|
Proc ID = 57005 (0xdead)
|
||||||
|
UID = 0 (0x0)
|
||||||
|
MID = 1 (0x1)
|
||||||
|
Word Count = 13 (0xd)
|
||||||
|
Com2=0xFF
|
||||||
|
Res1=0x0
|
||||||
|
Off2=0 (0x0)
|
||||||
|
MaxBuffer=16644 (0x4104)
|
||||||
|
MaxMpx=50 (0x32)
|
||||||
|
VcNumber=1 (0x1)
|
||||||
|
SessionKey=0x76A1
|
||||||
|
CaseInsensitivePasswordLength=24 (0x18)
|
||||||
|
CaseSensitivePasswordLength=0 (0x0)
|
||||||
|
Res=0x0
|
||||||
|
Capabilities=0x80F3FD
|
||||||
|
Pass1&Pass2&Account&Domain&OS&LanMan=
|
||||||
|
smb_bcc=78
|
||||||
|
[000] F3 E1 2B C1 B9 1E F4 0B 7A E8 D5 93 F2 C6 56 11 \0xf3\0xe1+\0xc1\0xb9\0x1e\0xf4\0x0b z\0xe8\0xd5\0x93\0xf2\0xc6V\0x11
|
||||||
|
[010] 2C 20 43 40 C5 58 11 C6 00 00 00 00 00 00 00 00 , C@\0xc5X\0x11\0xc6 \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00
|
||||||
|
[020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00
|
||||||
|
[030] 50 49 00 57 4F 52 4B 47 52 4F 55 50 00 47 53 2F PI\0x00WORKG ROUP\0x00GS/
|
||||||
|
[040] 4F 53 00 41 70 70 6C 65 20 49 49 67 73 00 OS\0x00Apple IIgs\0x00
|
||||||
|
|
||||||
|
|
||||||
|
0x0000: 4500 00b7 01b7 0000 3c06 6453 0a00 0237 E.......<.dS...7
|
||||||
|
0x0010: 0a00 0201 0401 01bd 0b17 3b3b 4197 ac75 ..........;;A..u
|
||||||
|
0x0020: 5018 4000 e588 0000 0000 008b ff53 4d42 P.@..........SMB
|
||||||
|
0x0030: 7300 0000 0008 0100 0000 0000 0000 0000 s...............
|
||||||
|
0x0040: 0000 0000 0000 adde 0000 0100 0dff 0000 ................
|
||||||
|
0x0050: 0004 4132 0001 00a1 7600 0018 0000 0000 ..A2....v.......
|
||||||
|
0x0060: 0000 00fd f380 004e 00f3 e12b c1b9 1ef4 .......N...+....
|
||||||
|
0x0070: 0b7a e8d5 93f2 c656 112c 2043 40c5 5811 .z.....V.,.C@.X.
|
||||||
|
0x0080: c600 0000 0000 0000 0000 0000 0000 0000 ................
|
||||||
|
0x0090: 0000 0000 0000 0000 0050 4900 574f 524b .........PI.WORK
|
||||||
|
0x00a0: 4752 4f55 5000 4753 2f4f 5300 4170 706c GROUP.GS/OS.Appl
|
||||||
|
0x00b0: 6520 4949 6773 00 e.IIgs.
|
||||||
|
|
||||||
|
19:44:53.039043 IP (tos 0x0, ttl 64, id 59987, offset 0, flags [DF], proto TCP (6), length 112)
|
||||||
|
10.0.2.1.445 > 10.0.2.55.1025: Flags [P.], cksum 0x0d0a (correct), seq 102:174, ack 195, win 15544, length 72
|
||||||
|
SMB PACKET: SMBsesssetupX (REPLY)
|
||||||
|
SMB Command = 0x73
|
||||||
|
Error class = 0x0
|
||||||
|
Error code = 0 (0x0)
|
||||||
|
Flags1 = 0x88
|
||||||
|
Flags2 = 0x3
|
||||||
|
Tree ID = 0 (0x0)
|
||||||
|
Proc ID = 57005 (0xdead)
|
||||||
|
UID = 100 (0x64)
|
||||||
|
MID = 1 (0x1)
|
||||||
|
Word Count = 3 (0x3)
|
||||||
|
Com2=0xFF
|
||||||
|
Off2=0 (0x0)
|
||||||
|
Action=0x1
|
||||||
|
smb_bcc=27
|
||||||
|
[000] 55 6E 69 78 00 53 61 6D 62 61 20 33 2E 36 2E 36 Unix\0x00Sam ba 3.6.6
|
||||||
|
[010] 00 57 4F 52 4B 47 52 4F 55 50 00 \0x00WORKGRO UP\0x00
|
||||||
|
|
||||||
|
|
||||||
|
0x0000: 4500 0070 ea53 4000 4006 37fd 0a00 0201 E..p.S@.@.7.....
|
||||||
|
0x0010: 0a00 0237 01bd 0401 4197 ac75 0b17 3bca ...7....A..u..;.
|
||||||
|
0x0020: 5018 3cb8 0d0a 0000 0000 0044 ff53 4d42 P.<........D.SMB
|
||||||
|
0x0030: 7300 0000 0088 0340 0000 0000 0000 0000 s......@........
|
||||||
|
0x0040: 0000 0000 0000 adde 6400 0100 03ff 0000 ........d.......
|
||||||
|
0x0050: 0001 001b 0055 6e69 7800 5361 6d62 6120 .....Unix.Samba.
|
||||||
|
0x0060: 332e 362e 3600 574f 524b 4752 4f55 5000 3.6.6.WORKGROUP.
|
287
src/SMBDEMO.S
287
src/SMBDEMO.S
@ -6,6 +6,7 @@
|
|||||||
* Friday, May 1, 2015 - Ported more code to Merlin32, set up Merlin32 equates
|
* Friday, May 1, 2015 - Ported more code to Merlin32, set up Merlin32 equates
|
||||||
* Saturday, May 2, 2015 - Formatting fixes, refactoring, rewritten SMB Negotiation code
|
* Saturday, May 2, 2015 - Formatting fixes, refactoring, rewritten SMB Negotiation code
|
||||||
* Saturday, May 9, 2015 - Receive and interpret NEG_PROT reply and start login
|
* Saturday, May 9, 2015 - Receive and interpret NEG_PROT reply and start login
|
||||||
|
* Sunday, May 24, 2015 - Some bugfixes, Tool128 and Tool129 requirement for hashing and DES, LM password hashing support
|
||||||
*
|
*
|
||||||
* REFERENCES
|
* REFERENCES
|
||||||
* smb.c / smb.h from libOGC
|
* smb.c / smb.h from libOGC
|
||||||
@ -91,7 +92,7 @@ StartUpTools _TLStartUp
|
|||||||
|
|
||||||
pha
|
pha
|
||||||
pha
|
pha
|
||||||
PushLong #$800 ; 8 pages of DP space
|
PushLong #$900 ; 9 pages of DP space
|
||||||
PushWord AppMMID
|
PushWord AppMMID
|
||||||
PushWord #$C005 ; Fixed, Page-Aligned, Locked, Unpurgeable
|
PushWord #$C005 ; Fixed, Page-Aligned, Locked, Unpurgeable
|
||||||
PushLong #$000000 ; in Bank $00, $0000
|
PushLong #$000000 ; in Bank $00, $0000
|
||||||
@ -185,12 +186,22 @@ StartUpTools _TLStartUp
|
|||||||
clc
|
clc
|
||||||
adc #$100
|
adc #$100
|
||||||
pha
|
pha
|
||||||
|
pha
|
||||||
_SoundStartUp
|
_SoundStartUp
|
||||||
jsr CheckError
|
jsr CheckError
|
||||||
|
|
||||||
_TCPIPStartUp
|
_TCPIPStartUp
|
||||||
jsr CheckError
|
jsr CheckError
|
||||||
|
|
||||||
|
Tool $280 ; HashStartUp
|
||||||
|
jsr CheckError
|
||||||
|
|
||||||
|
pla
|
||||||
|
clc
|
||||||
|
adc #$100
|
||||||
|
pha
|
||||||
|
Tool $281 ; CryptoStartUp
|
||||||
|
|
||||||
rts
|
rts
|
||||||
|
|
||||||
*
|
*
|
||||||
@ -636,6 +647,13 @@ sendloop2 PushWord #0000
|
|||||||
pla
|
pla
|
||||||
cmp #2
|
cmp #2
|
||||||
bne noevent3
|
bne noevent3
|
||||||
|
PushWord #0000 ; space for result
|
||||||
|
PushLong #00000000 ; nil filter procedure
|
||||||
|
_ModalDialog
|
||||||
|
pla
|
||||||
|
cmp #2
|
||||||
|
bne noevent3
|
||||||
|
jmp CTSClose3
|
||||||
|
|
||||||
noevent3 PushLong MySMBHandle
|
noevent3 PushLong MySMBHandle
|
||||||
jsr SMB_Negotiate_Poll
|
jsr SMB_Negotiate_Poll
|
||||||
@ -647,7 +665,31 @@ login PushLong CTSWinPtr
|
|||||||
PushLong #CTSTextB
|
PushLong #CTSTextB
|
||||||
_SetIText
|
_SetIText
|
||||||
|
|
||||||
jmp SMB_input_brk ; die so we can inspect things
|
PushLong MySMBHandle
|
||||||
|
jsr SMB_SetupAndX
|
||||||
|
|
||||||
|
sendloop3 PushWord #0000
|
||||||
|
PushWord #$0006
|
||||||
|
PushLong #EventRec
|
||||||
|
_EventAvail
|
||||||
|
pla
|
||||||
|
beq noevent4
|
||||||
|
PushWord #0000
|
||||||
|
PushLong #00000000
|
||||||
|
_ModalDialog
|
||||||
|
pla
|
||||||
|
cmp #2
|
||||||
|
bne noevent4
|
||||||
|
PushWord #0000 ; space for result
|
||||||
|
PushLong #00000000 ; nil filter procedure
|
||||||
|
_ModalDialog
|
||||||
|
pla
|
||||||
|
cmp #2
|
||||||
|
bne noevent4
|
||||||
|
jmp SMB_staging_brk
|
||||||
|
|
||||||
|
noevent4 _TCPIPPoll
|
||||||
|
bra sendloop3
|
||||||
|
|
||||||
closed PushLong CTSWinPtr
|
closed PushLong CTSWinPtr
|
||||||
PushWord #1350
|
PushWord #1350
|
||||||
@ -717,7 +759,7 @@ readbuf ds 4 ; rrBuffCount
|
|||||||
*
|
*
|
||||||
* Tool List
|
* Tool List
|
||||||
*
|
*
|
||||||
ToolList dw 13 ; Tool Count
|
ToolList dw 15 ; Tool Count
|
||||||
dw 01,00 ; Tool Locator, any vers
|
dw 01,00 ; Tool Locator, any vers
|
||||||
dw 02,00 ; Memory Manager, any vers
|
dw 02,00 ; Memory Manager, any vers
|
||||||
dw 03,00 ; Misc Tools, any vers
|
dw 03,00 ; Misc Tools, any vers
|
||||||
@ -731,6 +773,8 @@ ToolList dw 13 ; Tool Count
|
|||||||
dw 20,00 ; Line Edit, any vers
|
dw 20,00 ; Line Edit, any vers
|
||||||
dw 21,00 ; Dialog Manager, any vers
|
dw 21,00 ; Dialog Manager, any vers
|
||||||
dw 54,00 ; Marinetti, any vers
|
dw 54,00 ; Marinetti, any vers
|
||||||
|
dw 128,00 ; HashTool, any vers (MD2/MD4/MD5/SHA1 hashing for NTLMv2)
|
||||||
|
dw 129,00 ; Crypto tool, any vers (DES for NTLMv1)
|
||||||
ToolListEnd
|
ToolListEnd
|
||||||
|
|
||||||
*
|
*
|
||||||
@ -1083,6 +1127,11 @@ SMB_sess_domain ds 32 ; sloppy 32 byte buffer to hold SMB domain
|
|||||||
SMB_dialect asc 02'NT LM 0.12'00 ; the only dialect we're gonna speak
|
SMB_dialect asc 02'NT LM 0.12'00 ; the only dialect we're gonna speak
|
||||||
SMB_os asc 'GS/OS'00 ; native Operating System
|
SMB_os asc 'GS/OS'00 ; native Operating System
|
||||||
SMB_lanman asc 'Apple IIgs'00 ; native LAN Manager
|
SMB_lanman asc 'Apple IIgs'00 ; native LAN Manager
|
||||||
|
SMB_lm_username asc 'PI'00,00,00,00,00,00,00,00,00,00,00,00 ; lanman hash login username
|
||||||
|
SMB_lm_password asc 'APPLE2'00,00,00,00,00,00,00,00 ; lanman hash login password
|
||||||
|
SMB_lm_magic asc 'KGS!@#$%' ; lanman hash magic DES crypt string
|
||||||
|
SMB_lm_hash ds 21 ; LM Hash, actually 16 bytes but the extra zeroes make response easier to generate
|
||||||
|
SMB_lm_response ds 24 ; LM Response
|
||||||
|
|
||||||
* SMB packet staging area
|
* SMB packet staging area
|
||||||
* TODO these will probably be dynamically allocated too?
|
* TODO these will probably be dynamically allocated too?
|
||||||
@ -1356,45 +1405,223 @@ SMB_SetupAndX plx ; return address
|
|||||||
|
|
||||||
ldy #SMB_sess_maxbuffer-SMB_sess_begin
|
ldy #SMB_sess_maxbuffer-SMB_sess_begin
|
||||||
lda [SMB_sessid],y
|
lda [SMB_sessid],y
|
||||||
sta SMB_staging+SMB_header_size+3 ; max buffer size
|
sta SMB_staging+SMB_header_size+5 ; max buffer size
|
||||||
|
|
||||||
ldy #SMB_sess_maxmpx-SMB_sess_begin
|
ldy #SMB_sess_maxmpx-SMB_sess_begin
|
||||||
lda [SMB_sessid],y
|
lda [SMB_sessid],y
|
||||||
sta SMB_staging+SMB_header_size+5 ; max MPX
|
sta SMB_staging+SMB_header_size+7 ; max MPX
|
||||||
|
|
||||||
ldy #SMB_sess_maxvcs-SMB_sess_begin
|
ldy #SMB_sess_maxvcs-SMB_sess_begin
|
||||||
lda [SMB_sessid],y
|
lda [SMB_sessid],y
|
||||||
sta SMB_staging+SMB_header_size+7 ; max VCS
|
sta SMB_staging+SMB_header_size+9 ; max VCS
|
||||||
|
|
||||||
ldy #SMB_sess_skey-SMB_sess_begin
|
ldy #SMB_sess_skey-SMB_sess_begin
|
||||||
lda [SMB_sessid],y
|
lda [SMB_sessid],y
|
||||||
sta SMB_staging+SMB_header_size+9 ; session key
|
sta SMB_staging+SMB_header_size+11 ; session key
|
||||||
lda #0
|
lda #0
|
||||||
sta SMB_staging+SMB_header_size+11 ; session key (upper, should always be zero?)
|
sta SMB_staging+SMB_header_size+13 ; session key (upper, should always be zero?)
|
||||||
|
|
||||||
lda #24
|
lda #24
|
||||||
sta SMB_staging+SMB_header_size+13 ; password length (case insensitive)
|
sta SMB_staging+SMB_header_size+15 ; password length (case insensitive)
|
||||||
|
|
||||||
lda #24
|
lda #0
|
||||||
sta SMB_staging+SMB_header_size+15 ; password length (case sensitive)
|
sta SMB_staging+SMB_header_size+17 ; password length (case sensitive/NTLM)
|
||||||
|
|
||||||
lda #0
|
lda #0
|
||||||
sta SMB_staging+SMB_header_size+17 ; reserved
|
|
||||||
sta SMB_staging+SMB_header_size+19 ; reserved
|
sta SMB_staging+SMB_header_size+19 ; reserved
|
||||||
|
sta SMB_staging+SMB_header_size+21 ; reserved
|
||||||
|
|
||||||
ldy #SMB_sess_caps-SMB_sess_begin
|
ldy #SMB_sess_caps-SMB_sess_begin
|
||||||
lda [SMB_sessid],y
|
lda [SMB_sessid],y
|
||||||
sta SMB_staging+SMB_header_size+21
|
sta SMB_staging+SMB_header_size+23
|
||||||
iny
|
iny
|
||||||
iny
|
iny
|
||||||
lda [SMB_sessid],y
|
lda [SMB_sessid],y
|
||||||
sta SMB_staging+SMB_header_size+23 ; session capabilities
|
sta SMB_staging+SMB_header_size+25 ; session capabilities
|
||||||
|
|
||||||
|
jsr SMB_LM_Hash ; generate NTLMv1 Hash
|
||||||
|
jsr SMB_LM_Response ; generate NTLMv1 Response
|
||||||
|
|
||||||
|
lda #0
|
||||||
|
sta SMB_tmp5 ; initialize pointer
|
||||||
|
|
||||||
* TODO copy username, password, native os, native lanmanager, update byte count, send result
|
; Case Insensitive Password (LM Response)
|
||||||
|
PushLong #SMB_lm_response ; source
|
||||||
|
pea #^SMB_staging
|
||||||
|
lda #SMB_staging+SMB_header_size+29
|
||||||
|
clc
|
||||||
|
adc SMB_tmp5
|
||||||
|
pha
|
||||||
|
ldx #24
|
||||||
|
jsr _strncpy
|
||||||
|
lda #24
|
||||||
|
clc
|
||||||
|
adc SMB_tmp5
|
||||||
|
sta SMB_tmp5
|
||||||
|
|
||||||
|
; Case Sensitive Password (NTLM Response)
|
||||||
|
clc
|
||||||
|
adc #24
|
||||||
|
sta SMB_tmp5 ; skip it / zero it for now
|
||||||
|
|
||||||
|
; Account
|
||||||
|
PushLong #SMB_lm_username ; source
|
||||||
|
pea #^SMB_staging ; destination
|
||||||
|
lda #SMB_staging+SMB_header_size+29
|
||||||
|
clc
|
||||||
|
adc SMB_tmp5
|
||||||
|
pha
|
||||||
|
jsr _strcpy
|
||||||
|
tya
|
||||||
|
clc
|
||||||
|
adc SMB_tmp5
|
||||||
|
sta SMB_tmp5
|
||||||
|
|
||||||
|
; Domain
|
||||||
|
PushLong #SMB_sess_domain ; source
|
||||||
|
pea #^SMB_staging ; destination
|
||||||
|
lda #SMB_staging+SMB_header_size+29
|
||||||
|
clc
|
||||||
|
adc SMB_tmp5
|
||||||
|
pha
|
||||||
|
jsr _strcpy
|
||||||
|
tya
|
||||||
|
clc
|
||||||
|
adc SMB_tmp5
|
||||||
|
sta SMB_tmp5
|
||||||
|
|
||||||
|
; OS
|
||||||
|
PushLong #SMB_os ; source
|
||||||
|
pea #^SMB_staging ; destination
|
||||||
|
lda #SMB_staging+SMB_header_size+29
|
||||||
|
clc
|
||||||
|
adc SMB_tmp5
|
||||||
|
pha
|
||||||
|
jsr _strcpy
|
||||||
|
tya
|
||||||
|
clc
|
||||||
|
adc SMB_tmp5
|
||||||
|
sta SMB_tmp5
|
||||||
|
|
||||||
|
; LanMan
|
||||||
|
PushLong #SMB_lanman
|
||||||
|
pea #^SMB_staging ; destination
|
||||||
|
lda #SMB_staging+SMB_header_size+29
|
||||||
|
clc
|
||||||
|
adc SMB_tmp5
|
||||||
|
pha
|
||||||
|
jsr _strcpy
|
||||||
|
tya
|
||||||
|
clc
|
||||||
|
adc SMB_tmp5
|
||||||
|
sta SMB_tmp5
|
||||||
|
|
||||||
|
sta SMB_staging+SMB_header_size+27 ; update byte count
|
||||||
|
|
||||||
|
clc
|
||||||
|
adc #SMB_header_size+29
|
||||||
|
pha ; 'length' parameter for _SMB_Send
|
||||||
|
dec
|
||||||
|
dec
|
||||||
|
dec
|
||||||
|
dec
|
||||||
|
xba
|
||||||
|
sta SMB_staging+SMB_offset_tcplength+1 ; save length for naked-TCP dgram
|
||||||
|
|
||||||
|
jsr _SMB_Send ; send our reply!
|
||||||
|
clc
|
||||||
|
rts
|
||||||
|
|
||||||
|
* SMB_LM_Hash - operate on the SMB_lm_username and SMB_lm_password values to produce
|
||||||
|
* SMB_lm_hash, using V1 DES-based operation. Requires TOOL129 (Crypto Tool)
|
||||||
|
*
|
||||||
|
* The password has been uppercased and chopped to 14 bytes, with 0x00 padding
|
||||||
|
* We take it in two 7-byte pieces, add parity, and use each piece to DES-encrypt the string
|
||||||
|
* 'KGS!@#$%'. The result is the LM hash.
|
||||||
|
SMB_LM_Hash PushLong #SMB_tmp1 ; SMB_tmp1 will have our parity-enhanced key
|
||||||
|
PushLong #SMB_lm_password ; key to add parity to
|
||||||
|
Tool $0A81 ; DESAddParity
|
||||||
|
|
||||||
|
PushLong #SMB_lm_hash ; where DES-encrypted data will go
|
||||||
|
PushLong #SMB_tmp1 ; parity-enhanced key
|
||||||
|
PushLong #SMB_lm_magic ; the magic string we're encrypting
|
||||||
|
PushWord #0000 ; operation: encrypt
|
||||||
|
Tool $0981 ; DESCipher
|
||||||
|
|
||||||
|
; now do the same thing with the second 7 bytes of the password
|
||||||
|
|
||||||
|
PushLong #SMB_tmp1
|
||||||
|
PushLong #SMB_lm_password+7
|
||||||
|
Tool $0A81 ; DesAddParity
|
||||||
|
|
||||||
|
PushLong #SMB_lm_hash+8
|
||||||
|
PushLong #SMB_tmp1
|
||||||
|
PushLong #SMB_lm_magic
|
||||||
|
PushWord #0000
|
||||||
|
Tool $0981
|
||||||
|
|
||||||
|
; SMB_lm_hash should now contain the NTLMv1 hash of the password
|
||||||
|
clc
|
||||||
|
rts
|
||||||
|
|
||||||
|
* SMB_LM_Response - operate on SMB_lm_hash and 8-byte challenge to produce
|
||||||
|
* SMB_lm_response, using V1 DES-based operation. Requires TOOL129 (Crypto Tool)
|
||||||
|
*
|
||||||
|
* LM Hash is padded out to 21 bytes, each of which gets parity added and is
|
||||||
|
* used to DES encrypt the session challenge. The result is the LM response.
|
||||||
|
SMB_LM_Response
|
||||||
|
PushLong #SMB_tmp1 ; SMB_tmp1 will have our parity-enhanced key
|
||||||
|
PushLong #SMB_lm_hash ; key to add parity to
|
||||||
|
Tool $0A81 ; DESAddParity
|
||||||
|
|
||||||
|
PushLong #SMB_lm_response ; where the DES-encrypted data will go
|
||||||
|
PushLong #SMB_tmp1 ; parity-enhanced key
|
||||||
|
ldy #SMB_sess_challenge-SMB_sess_begin
|
||||||
|
lda [SMB_sessid],y ; PushLong [SMB_sessid],y
|
||||||
|
pha
|
||||||
|
iny
|
||||||
|
iny
|
||||||
|
lda [SMB_sessid],y
|
||||||
|
pha
|
||||||
|
PushWord #0000 ; operation: encrypt
|
||||||
|
Tool $0981 ; DESCipher
|
||||||
|
|
||||||
|
; second 7 bytes of hash
|
||||||
|
|
||||||
|
PushLong #SMB_tmp1
|
||||||
|
PushLong #SMB_lm_hash+7
|
||||||
|
Tool $0A81 ; DESAddParity
|
||||||
|
|
||||||
|
PushLong #SMB_lm_response+8
|
||||||
|
PushLong #SMB_tmp1
|
||||||
|
ldy #SMB_sess_challenge-SMB_sess_begin
|
||||||
|
lda [SMB_sessid],y ; PushLong [SMB_sessid],y
|
||||||
|
pha
|
||||||
|
iny
|
||||||
|
iny
|
||||||
|
lda [SMB_sessid],y
|
||||||
|
pha
|
||||||
|
PushWord #0000
|
||||||
|
Tool $0981 ; DESCipher
|
||||||
|
|
||||||
|
; third 7 bytes of hash
|
||||||
|
|
||||||
|
PushLong #SMB_tmp1
|
||||||
|
PushLong #SMB_lm_hash+14
|
||||||
|
Tool $0A81 ; DesAddParity
|
||||||
|
|
||||||
|
PushLong #SMB_lm_response+16
|
||||||
|
PushLong #SMB_tmp1
|
||||||
|
ldy #SMB_sess_challenge-SMB_sess_begin
|
||||||
|
lda [SMB_sessid],y
|
||||||
|
pha
|
||||||
|
iny
|
||||||
|
iny
|
||||||
|
lda [SMB_sessid],y
|
||||||
|
pha
|
||||||
|
PushWord #0000
|
||||||
|
Tool $0981 ; DESCipher
|
||||||
|
|
||||||
jsr _SMB_Send
|
|
||||||
clc
|
clc
|
||||||
rts
|
rts
|
||||||
|
|
||||||
@ -1761,6 +1988,32 @@ _sclp lda [SMB_tmp3],y
|
|||||||
iny
|
iny
|
||||||
bra _sclp
|
bra _sclp
|
||||||
_scrt rep #$30
|
_scrt rep #$30
|
||||||
|
mx %00
|
||||||
|
iny
|
||||||
|
rts
|
||||||
|
|
||||||
|
* _strncpy - Copy a string somewhere, only n bytes
|
||||||
|
* Arguments:
|
||||||
|
* Pointer to source (two words, on stack)
|
||||||
|
* Pointer to destination (two words, on stack)
|
||||||
|
* X = number of bytes to copy
|
||||||
|
_strncpy txy
|
||||||
|
plx
|
||||||
|
PullLong SMB_tmp1 ; Destination
|
||||||
|
PullLong SMB_tmp3 ; Source
|
||||||
|
phx
|
||||||
|
tyx
|
||||||
|
ldy #00
|
||||||
|
sep #$30
|
||||||
|
mx %11
|
||||||
|
_snclp lda [SMB_tmp3],y
|
||||||
|
sta [SMB_tmp1],y
|
||||||
|
dex
|
||||||
|
cpx #00
|
||||||
|
beq _sncrt
|
||||||
|
iny
|
||||||
|
bra _snclp
|
||||||
|
_sncrt rep #$30
|
||||||
mx %00
|
mx %00
|
||||||
rts
|
rts
|
||||||
|
|
||||||
|
BIN
src/smbdemo
BIN
src/smbdemo
Binary file not shown.
Loading…
Reference in New Issue
Block a user