Skip to content

Commit

Permalink
Remove deprecated OpenSSL function calls.
Browse files Browse the repository at this point in the history
  • Loading branch information
@jmk-foofus
jmk-foofus committed Mar 20, 2024
1 parent 53d24da commit 64c5d49
Showing 1 changed file with 81 additions and 46 deletions.
127 changes: 81 additions & 46 deletions src/modsrc/smb2.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
** SMB (Version 1/2/3) Password/HASH Checking Medusa Module
**
** ------------------------------------------------------------------------
** Copyright (C) 2021 Joe Mondloch
** Copyright (C) 2024 Joe Mondloch
** JoMo-Kun / jmk@foofus.net
**
** This program is free software; you can redistribute it and/or modify
Expand Down Expand Up @@ -103,9 +103,7 @@

#ifdef HAVE_LIBSSL

#include <openssl/md5.h>
#include <openssl/md4.h>
#include <openssl/des.h>
#include <openssl/evp.h>
#include "hmacmd5.h"

#include <smb2/smb2.h>
Expand Down Expand Up @@ -193,10 +191,6 @@ int NBSTATQuery(sLogin *_psLogin,_SMBNT_DATA* _psSessionData);
int SMBNegProt(int hSocket, _SMBNT_DATA* _psSessionData);
int SMB2NegProt(int hSocket, _SMBNT_DATA* _psSessionData);

extern void hmac_md5_init_limK_to_64(const unsigned char* key, int key_len, HMACMD5Context *ctx);
extern void hmac_md5_update(const unsigned char *text, int text_len, HMACMD5Context *ctx);
extern void hmac_md5_final(unsigned char *digest, HMACMD5Context *ctx);

// Tell medusa how many parameters this module allows
int getParamNumber()
{
Expand Down Expand Up @@ -607,6 +601,9 @@ static unsigned char Get7Bits(unsigned char *input, int startBit)
/* Make the key */
static void MakeKey(unsigned char *key, unsigned char *des_key)
{
unsigned char byte;
unsigned char parity = 0;

des_key[0] = Get7Bits(key, 0);
des_key[1] = Get7Bits(key, 7);
des_key[2] = Get7Bits(key, 14);
Expand All @@ -616,18 +613,30 @@ static void MakeKey(unsigned char *key, unsigned char *des_key)
des_key[6] = Get7Bits(key, 42);
des_key[7] = Get7Bits(key, 49);

DES_set_odd_parity((DES_cblock *) des_key);
for (size_t i = 0; i < 8; i++) {
byte = des_key[i];

while (byte) {
parity ^= byte & 1;
byte >>= 1;
}

/* Set the least significant bit to the opposite of the calculated parity */
des_key[i] = (des_key[i] & 0xFE) | (parity ^ 1);
}
}

/* Do the DesEncryption */
void DesEncrypt(unsigned char *clear, unsigned char *key, unsigned char *cipher)
{
DES_cblock des_key;
DES_key_schedule key_schedule;

unsigned char des_key[8];
MakeKey(key, des_key);
DES_set_key(&des_key, &key_schedule);
DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cipher, &key_schedule, 1);
int len;

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, des_key, NULL);
EVP_EncryptUpdate(ctx, cipher, &len, clear, 8);
EVP_CIPHER_CTX_free(ctx);
}

/*
Expand Down Expand Up @@ -747,8 +756,9 @@ int HashLM(_SMBNT_DATA *_psSessionData, unsigned char **lmhash, unsigned char *p
*/
int MakeNTLM(_SMBNT_DATA *_psSessionData, unsigned char *ntlmhash, unsigned char *pass)
{
MD4_CTX md4Context;
unsigned char hash[16]; /* MD4_SIGNATURE_SIZE = 16 */
EVP_MD_CTX *md4Context;
unsigned int hash_len = 16;
unsigned char hash[hash_len]; /* MD4_SIGNATURE_SIZE = 16 */
unsigned char unicodePassword[256 * 2]; /* MAX_NT_PASSWORD = 256 */
unsigned int i = 0, j = 0;
int mdlen;
Expand Down Expand Up @@ -786,9 +796,12 @@ int MakeNTLM(_SMBNT_DATA *_psSessionData, unsigned char *ntlmhash, unsigned char
unicodePassword[i * 2] = (unsigned char) pass[i];

mdlen = strlen((char *) pass) * 2; /* length in bytes */
MD4_Init(&md4Context);
MD4_Update(&md4Context, unicodePassword, mdlen);
MD4_Final(hash, &md4Context); /* Tell MD4 we're done */

md4Context = EVP_MD_CTX_new();
EVP_DigestInit_ex(md4Context, EVP_md4(), NULL);
EVP_DigestUpdate(md4Context, unicodePassword, mdlen);
EVP_DigestFinal_ex(md4Context, hash, &hash_len);
EVP_MD_CTX_free(md4Context);
}
else {
writeError(ERR_DEBUG_MODULE, "Convert ASCII PwDump NTLM Hash (%s).", p);
Expand Down Expand Up @@ -833,10 +846,14 @@ int MakeNTLM(_SMBNT_DATA *_psSessionData, unsigned char *ntlmhash, unsigned char
for (i = 0; i < strlen((char *) pass); i++)
unicodePassword[i * 2] = (unsigned char) pass[i];


mdlen = strlen((char *) pass) * 2; /* length in bytes */
MD4_Init(&md4Context);
MD4_Update(&md4Context, unicodePassword, mdlen);
MD4_Final(hash, &md4Context); /* Tell MD4 we're done */

md4Context = EVP_MD_CTX_new();
EVP_DigestInit_ex(md4Context, EVP_md4(), NULL);
EVP_DigestUpdate(md4Context, unicodePassword, mdlen);
EVP_DigestFinal_ex(md4Context, hash, &hash_len);
EVP_MD_CTX_free(md4Context);
}

memcpy(ntlmhash, hash, 16);
Expand Down Expand Up @@ -892,22 +909,22 @@ int HashNTLM(_SMBNT_DATA *_psSessionData, unsigned char **ntlmhash, unsigned cha
int HashLMv2(_SMBNT_DATA *_psSessionData, unsigned char **LMv2hash, unsigned char *szLogin, unsigned char *szPassword)
{
unsigned char ntlm_hash[16];
unsigned char lmv2_response[24];
unsigned char unicodeUsername[20 * 2];
unsigned char unicodeTarget[256 * 2];
HMACMD5Context ctx;
unsigned char kr_buf[16];
int ret;
unsigned int i;
unsigned char client_challenge[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };

memset(ntlm_hash, 0, 16);
memset(lmv2_response, 0, 24);
memset(kr_buf, 0, 16);
unsigned char* message;
size_t message_len;
unsigned char* kr_buf;
size_t kr_buf_len = 16;
unsigned char* lmv2_response;
size_t lmv2_response_len = 16;

/* --- HMAC #1 Caculations --- */

/* Calculate and set NTLM password hash */
memset(ntlm_hash, 0, 16);
ret = MakeNTLM(_psSessionData, (unsigned char *)&ntlm_hash, (unsigned char *) szPassword);
if (ret == FAILURE)
return FAILURE;
Expand Down Expand Up @@ -941,28 +958,44 @@ int HashLMv2(_SMBNT_DATA *_psSessionData, unsigned char **LMv2hash, unsigned cha
for (i = 0; i < strlen((char *)_psSessionData->workgroup); i++)
unicodeTarget[i * 2] = (unsigned char)_psSessionData->workgroup[i];

hmac_md5_init_limK_to_64(ntlm_hash, 16, &ctx);
hmac_md5_update((const unsigned char *)unicodeUsername, 2 * strlen((char *)szLogin), &ctx);
hmac_md5_update((const unsigned char *)unicodeTarget, 2 * strlen((char *)_psSessionData->workgroup), &ctx);
hmac_md5_final(kr_buf, &ctx);
message_len = 2 * strlen((char *)szLogin) + 2 * strlen((char *)_psSessionData->workgroup);
message = malloc(message_len);
memset(message, 0, message_len);
memcpy(message, unicodeUsername, 2 * strlen((char *)szLogin));
memcpy(message + 2 * strlen((char *)szLogin), unicodeTarget, 2 * strlen((char *)_psSessionData->workgroup));

kr_buf = malloc(kr_buf_len);
memset(kr_buf, 0, kr_buf_len);
hmac_md5(message, message_len, &kr_buf, &kr_buf_len, ntlm_hash, sizeof(ntlm_hash));

FREE(message);

/* --- HMAC #2 Calculations --- */
/*
The challenge from the Type 2 message is concatenated with our fixed client nonce. The HMAC-MD5
message authentication code algorithm is applied to this value using the 16-byte NTLMv2 hash
(calculated above) as the key. This results in a 16-byte output value.
*/
hmac_md5_init_limK_to_64(kr_buf, 16, &ctx);
hmac_md5_update(_psSessionData->challenge, 8, &ctx);
hmac_md5_update(client_challenge, 8, &ctx);
hmac_md5_final(lmv2_response, &ctx);
message_len = 16;
message = malloc(message_len);
memset(message, 0, 16);
memcpy(message, _psSessionData->challenge, 8);
memcpy(message + 8, client_challenge, 8);

lmv2_response = malloc(lmv2_response_len);
memset(lmv2_response, 0, lmv2_response_len);
hmac_md5(message, message_len, &lmv2_response, &lmv2_response_len, kr_buf, kr_buf_len);

FREE(kr_buf);

/* --- 24-byte LMv2 Response Complete --- */
*LMv2hash = malloc(24);
memset(*LMv2hash, 0, 24);
memcpy(*LMv2hash, lmv2_response, 16);
memcpy(*LMv2hash + 16, client_challenge, 8);

FREE(lmv2_response);

return SUCCESS;
}

Expand Down Expand Up @@ -994,7 +1027,7 @@ int HashNTLMv2(_SMBNT_DATA *_psSessionData, unsigned char **NTLMv2hash, int *iBy
unsigned char ntlmv2_response[56 + 20 * 2 + 256 * 2];
unsigned char unicodeUsername[20 * 2];
unsigned char unicodeTarget[256 * 2];
HMACMD5Context ctx;
//HMACMD5Context ctx;
unsigned char kr_buf[16];
unsigned int i;
int ret, iTargetLen;
Expand Down Expand Up @@ -1062,10 +1095,11 @@ int HashNTLMv2(_SMBNT_DATA *_psSessionData, unsigned char **NTLMv2hash, int *iBy
for (i = 0; i < strlen((char *)_psSessionData->workgroup); i++)
unicodeTarget[i * 2] = (unsigned char)_psSessionData->workgroup[i];

hmac_md5_init_limK_to_64(ntlm_hash, 16, &ctx);
hmac_md5_update((const unsigned char *)unicodeUsername, 2 * strlen((char *)szLogin), &ctx);
hmac_md5_update((const unsigned char *)unicodeTarget, 2 * strlen((char *)_psSessionData->workgroup), &ctx);
hmac_md5_final(kr_buf, &ctx);
/* NTLMv2 disabled, use LMv2. Replace these with hmac_md() if ever trying to fix this. */
//hmac_md5_init_limK_to_64(ntlm_hash, 16, &ctx);
//hmac_md5_update((const unsigned char *)unicodeUsername, 2 * strlen((char *)szLogin), &ctx);
//hmac_md5_update((const unsigned char *)unicodeTarget, 2 * strlen((char *)_psSessionData->workgroup), &ctx);
//hmac_md5_final(kr_buf, &ctx);

/* --- Blob Construction --- */

Expand Down Expand Up @@ -1133,10 +1167,11 @@ int HashNTLMv2(_SMBNT_DATA *_psSessionData, unsigned char **NTLMv2hash, int *iBy
(calculated above) as the key. This results in a 16-byte output value.
*/

hmac_md5_init_limK_to_64(kr_buf, 16, &ctx);
hmac_md5_update(_psSessionData->challenge, 8, &ctx);
hmac_md5_update(ntlmv2_response + 16, 48 - 16 + iTargetLen + 4, &ctx);
hmac_md5_final(ntlmv2_response, &ctx);
/* NTLMv2 disabled, use LMv2. Replace these with hmac_md() if ever trying to fix this. */
//hmac_md5_init_limK_to_64(kr_buf, 16, &ctx);
//hmac_md5_update(_psSessionData->challenge, 8, &ctx);
//hmac_md5_update(ntlmv2_response + 16, 48 - 16 + iTargetLen + 4, &ctx);
//hmac_md5_final(ntlmv2_response, &ctx);

*iByteCount = 48 + iTargetLen + 4;
*NTLMv2hash = malloc(*iByteCount);
Expand Down

0 comments on commit 64c5d49

Please sign in to comment.