search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
a simple SMB torture tester. This will allow us to evaluate locking
[Samba.git] / source / client / ntclient.c
blob65d9da9d5f9faa05d550436ea2f7ff5785e55d6b
1 /*
2 Unix SMB/Netbios implementation.
3 Version 1.9.
4 NT Domain Authentication SMB / MSRPC client
5 Copyright (C) Andrew Tridgell 1994-1997
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #ifdef SYSLOG
24 #undef SYSLOG
25 #endif
26
27 #include "includes.h"
28
29 extern int DEBUGLEVEL;
30 extern pstring username;
31 extern pstring workgroup;
32
33 #define CLIENT_TIMEOUT (30*1000)
34
35 #ifdef NTDOMAIN
36
37
38 /****************************************************************************
39 experimental nt login.
40 ****************************************************************************/
41 BOOL do_nt_login(char *desthost, char *myhostname,
42 int Client, int cnum)
43 {
44 DOM_CHAL clnt_chal;
45 DOM_CHAL srv_chal;
46
47 DOM_CRED clnt_cred;
48
49 DOM_CHAL auth2_srv_chal;
50
51 DOM_CRED sam_logon_clnt_cred;
52 DOM_CRED sam_logon_rtn_cred;
53 DOM_CRED sam_logon_srv_cred;
54
55 DOM_CRED sam_logoff_clnt_cred;
56 DOM_CRED sam_logoff_rtn_cred;
57 DOM_CRED sam_logoff_srv_cred;
58
59 DOM_ID_INFO_1 id1;
60 LSA_USER_INFO user_info1;
61 LSA_POL_HND pol;
62 int i;
63
64 UTIME zerotime;
65
66 uint32 sess_key[2];
67 char nt_owf_mach_pwd[16];
68 fstring mach_acct;
69 fstring mach_pwd;
70 fstring server_name;
71
72 RPC_IFACE abstract;
73 RPC_IFACE transfer;
74
75 static char abs_data[16];
76 static char trn_data[16];
77
78 /* received from LSA Query Info Policy, level 5 */
79 fstring level5_domain_name;
80 pstring level5_domain_sid;
81
82 /* received from LSA Query Info Policy, level 3 */
83 fstring level3_domain_name;
84 pstring level3_domain_sid;
85
86 uint16 fnum;
87 uint32 call_id = 0;
88 char *inbuf,*outbuf;
89
90 zerotime.time = 0;
91
92 inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
93 outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
94
95 if (!inbuf || !outbuf)
96 {
97 DEBUG(0,("out of memory\n"));
98 return False;
99 }
100
101 /******************* open the \PIPE\lsarpc file *****************/
102
103 if ((fnum = rpc_pipe_open(inbuf, outbuf, PIPE_LSARPC, Client, cnum)) == 0xffff)
104 {
105 free(inbuf); free(outbuf);
106 return False;
107 }
108
109 /******************* bind request on \PIPE\lsarpc *****************/
110
111 /* create and send a MSRPC command with api LSA_OPENPOLICY */
112
113 DEBUG(4,("LSA RPC Bind[%x]\n", fnum));
114
115 for (i = 0; i < sizeof(trn_data); i++)
116 {
117 trn_data[i] = 2 * i;
118 }
119
120 for (i = 0; i < sizeof(abs_data); i++)
121 {
122 abs_data[i] = i;
123 }
124
125 /* create interface UUIDs. */
126 make_rpc_iface(&abstract, abs_data, 0x0);
127 make_rpc_iface(&transfer, trn_data, 0x2);
128
129 if (!rpc_pipe_bind(PIPE_LSARPC, fnum, ++call_id, &abstract, &transfer))
130 {
131 free(inbuf); free(outbuf);
132 return False;
133 }
134
135 /**************** Set Named Pipe State ***************/
136 if (!rpc_pipe_set_hnd_state(PIPE_LSARPC, fnum, 0x4300))
137 {
138 free(inbuf); free(outbuf);
139 return False;
140 }
141
142 /******************* Open Policy ********************/
143
144 fstrcpy(server_name, ("\\\\"));
145 fstrcpy(&server_name[2], myhostname);
146
147 /* send an open policy request; receive a policy handle */
148 if (!do_lsa_open_policy(fnum, ++call_id, server_name, &pol))
149 {
150 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
151 free(inbuf); free(outbuf);
152 return False;
153 }
154
155 /**************** Query Info Policy, level 3 ********************/
156
157 /* send a query info policy at level 3; receive an info policy */
158 if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x3,
159 level3_domain_name, level3_domain_sid))
160 {
161 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
162 free(inbuf); free(outbuf);
163 return False;
164 }
165
166 /**************** Query Info Policy, level 5 ********************/
167
168 /* send a query info policy at level 5; receive an info policy */
169 if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x5,
170 level5_domain_name, level5_domain_sid))
171 {
172 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
173 free(inbuf); free(outbuf);
174 return False;
175 }
176
177 /******************* Open Policy ********************/
178
179 /* send a close policy request; receive a close pol response */
180 if (!do_lsa_close(fnum, ++call_id, &pol))
181 {
182 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
183 free(inbuf); free(outbuf);
184 return False;
185 }
186
187 /******************* close the \PIPE\lsarpc file *******************/
188
189 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
190
191
192
193 /******************* open the \PIPE\NETLOGON file *****************/
194
195 if ((fnum = rpc_pipe_open(inbuf, outbuf, PIPE_NETLOGON, Client, cnum)) == 0xffff)
196 {
197 free(inbuf); free(outbuf);
198 return False;
199 }
200
201 /******************* bind request on \PIPE\NETLOGON *****************/
202
203 if (!rpc_pipe_bind(PIPE_NETLOGON, fnum, ++call_id, &abstract, &transfer))
204 {
205 free(inbuf); free(outbuf);
206 return False;
207 }
208
209 /**************** Set Named Pipe State ***************/
210 if (!rpc_pipe_set_hnd_state(PIPE_NETLOGON, fnum, 0x4300))
211 {
212 free(inbuf); free(outbuf);
213 return False;
214 }
215
216 /******************* Request Challenge ********************/
217
218 fstrcpy(mach_acct, myhostname);
219 strlower(mach_pwd);
220
221 fstrcpy(mach_pwd , myhostname);
222 strcat(mach_acct, "$");
223
224 clnt_chal.data[0] = 0x11111111;
225 clnt_chal.data[1] = 0x22222222;
226
227 /* send a client challenge; receive a server challenge */
228 if (!do_lsa_req_chal(fnum, ++call_id, desthost, myhostname, &clnt_chal, &srv_chal))
229 {
230 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
231 free(inbuf); free(outbuf);
232 return False;
233 }
234
235 /************ Long-term Session key (default) **********/
236
237 #if 0
238 /* DAMN! can't get the machine password - need become_root() to do it! */
239 /* get the machine password */
240 if (!get_md4pw(mach_acct, nt_owf_mach_pwd))
241 {
242 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
243 free(inbuf); free(outbuf);
244 return False;
245 }
246
247 DEBUG(5,("got nt owf from smbpasswd entry: %s\n", mach_pwd));
248 #else
249
250 {
251 char lm_owf_mach_pwd[16];
252 nt_lm_owf_gen(mach_pwd, nt_owf_mach_pwd, lm_owf_mach_pwd);
253 DEBUG(5,("generating nt owf from initial machine pwd: %s\n", mach_pwd));
254 }
255
256 #endif
257
258 dump_data(6, nt_owf_mach_pwd, 16);
259
260 /* calculate the session key */
261 cred_session_key(&clnt_chal, &srv_chal, nt_owf_mach_pwd, sess_key);
262
263
264 /******************* Authenticate 2 ********************/
265
266 /* calculate auth-2 credentials */
267 cred_create(sess_key, &clnt_chal, zerotime, &(clnt_cred.challenge));
268
269 /* send client auth-2 challenge; receive an auth-2 challenge */
270 if (!do_lsa_auth2(fnum, ++call_id, desthost, mach_acct, 2, myhostname,
271 &(clnt_cred.challenge), 0x000001ff, &auth2_srv_chal))
272 {
273 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
274 free(inbuf); free(outbuf);
275 return False;
276 }
277
278
279 /*********************** SAM Info ***********************/
280
281 /* this is used in both the SAM Logon and the SAM Logoff */
282 make_id_info1(&id1, workgroup, 0,
283 getuid(), 0,
284 username, myhostname,
285 NULL, NULL);
286
287 /*********************** SAM Logon **********************/
288
289 clnt_cred.timestamp.time = sam_logon_clnt_cred.timestamp.time = time(NULL);
290
291 /* calculate sam logon credentials, using the auth2 client challenge */
292 cred_create(sess_key, &(clnt_cred.challenge), sam_logon_clnt_cred.timestamp,
293 &(sam_logon_clnt_cred.challenge));
294
295 /* send client sam-logon challenge; receive a sam-logon challenge */
296 if (!do_lsa_sam_logon(fnum, ++call_id, sess_key, &clnt_cred,
297 desthost, mach_acct,
298 &sam_logon_clnt_cred, &sam_logon_rtn_cred,
299 1, 1, &id1, &user_info1,
300 &sam_logon_srv_cred))
301 {
302 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
303 free(inbuf); free(outbuf);
304 return False;
305 }
306
307 /*********************** SAM Logoff *********************/
308
309 clnt_cred.timestamp.time = sam_logoff_clnt_cred.timestamp.time = time(NULL);
310
311 /* calculate sam logoff credentials, using the sam logon return challenge */
312 cred_create(sess_key, &(clnt_cred.challenge),
313 sam_logoff_clnt_cred.timestamp,
314 &(sam_logoff_clnt_cred.challenge));
315
316 /* send client sam-logoff challenge; receive a sam-logoff challenge */
317 if (!do_lsa_sam_logoff(fnum, ++call_id, sess_key, &clnt_cred,
318 desthost, mach_acct,
319 &sam_logoff_clnt_cred, &sam_logoff_rtn_cred,
320 1, 1, &id1,
321 &sam_logoff_srv_cred))
322 {
323 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
324 free(inbuf); free(outbuf);
325 return False;
326 }
327
328 /******************** close the \PIPE\NETLOGON file **************/
329
330 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
331
332 /* free memory used in all rpc transactions, above */
333 free(inbuf); free(outbuf);
334
335 return True;
336 }
337 #endif /* NTDOMAIN */
Samba GIT mirror