/* * (C) Jeremy Allison 1997. All rights reserved. * * This program is free for commercial and non-commercial use. * * Redistribution and use in source and binary forms, with or without * modification, are permitted. * * THIS SOFTWARE IS PROVIDED BY JEREMY ALLISON ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ #include #include #include #include #include "des.h" /* * Program to dump the Lanman and NT MD4 Hashed passwords from * an NT SAM database into a Samba smbpasswd file. Needs Administrator * privillages to run. * Takes one arg - the name of the machine whose SAM database you * wish to dump, if this arg is not given it dumps the local machine * account database. */ /* * Convert system error to char. Returns * memory allocated with LocalAlloc. */ char *error_to_string(DWORD error) { char *msgbuf; if(FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */ (char *)&msgbuf, 0, NULL ) == 0) return 0; return msgbuf; } /* * Return a pointer to a string describing an os error. * error_to_string returns a pointer to LocalAlloc'ed * memory. Cache it and release when the next one is * requested. */ char *str_oserr(DWORD err) { static char *lastmsg = 0; if(lastmsg) LocalFree((HLOCAL)lastmsg); lastmsg = error_to_string(err); return lastmsg; } /* * Utility function to get allocate a SID from a name. * Looks on local machine. SID is allocated with LocalAlloc * and must be freed by the caller. * Returns TRUE on success, FALSE on fail. */ BOOL get_sid(const char *name, SID **ppsid) { SID_NAME_USE sid_use; DWORD sid_size = 0; DWORD dom_size = 0; char *domain; *ppsid = 0; if(LookupAccountName(0, name, 0, &sid_size, 0, &dom_size, &sid_use) == 0) { if(GetLastError() != ERROR_INSUFFICIENT_BUFFER) { fprintf( stderr, "get_sid: LookupAccountName for size on name %s failed. Error was %s\n", name, str_oserr(GetLastError())); return FALSE; } } *ppsid = (SID *)LocalAlloc( LMEM_FIXED, sid_size); domain = (char *)LocalAlloc( LMEM_FIXED, dom_size); if( *ppsid == 0 || domain == 0) { fprintf( stderr, "get_sid: LocalAlloc failed. Error was %s\n", str_oserr(GetLastError())); if(*ppsid) LocalFree((HLOCAL)*ppsid); if(domain) LocalFree((HLOCAL)domain); *ppsid = 0; return FALSE; } if(LookupAccountName(0, name, *ppsid, &sid_size, domain, &dom_size, &sid_use) == 0) { fprintf( stderr, "get_sid: LookupAccountName failed for name %s. Error was %s\n", name, str_oserr(GetLastError())); LocalFree((HLOCAL)*ppsid); LocalFree((HLOCAL)domain); *ppsid = 0; return FALSE; } LocalFree((HLOCAL)domain); return TRUE; } /* * Utility function to setup a security descriptor * from a varargs list of char *name followed by a DWORD access * mask. The access control list is allocated with LocalAlloc * and must be freed by the caller. * returns TRUE on success, FALSE on fail. */ BOOL create_sd_from_list( SECURITY_DESCRIPTOR *sdout, int num, ...) { va_list ap; SID **sids = 0; char *name; DWORD amask; DWORD acl_size; PACL pacl = 0; int i; if((sids = (SID **)calloc(1,sizeof(SID *)*num)) == 0) { fprintf(stderr, "create_sd_from_list: calloc fail.\n"); return FALSE; } acl_size = num * (sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + sizeof(DWORD)); /* Collect all the SID's */ va_start( ap, num); for( i = 0; i < num; i++) { name = va_arg( ap, char *); amask = va_arg(ap, DWORD); if(get_sid( name, &sids[i]) == FALSE) goto cleanup; acl_size += GetLengthSid(sids[i]); } va_end(ap); if((pacl = (PACL)LocalAlloc( LMEM_FIXED, acl_size)) == 0) { fprintf( stderr, "create_sd_from_list: LocalAlloc fail. Error was %s\n", str_oserr(GetLastError())); goto cleanup; } if(InitializeSecurityDescriptor( sdout, SECURITY_DESCRIPTOR_REVISION) == FALSE) { fprintf( stderr, "create_sd_from_list: InitializeSecurityDescriptor fail. Error was %s\n", str_oserr(GetLastError())); goto cleanup; } if(InitializeAcl( pacl, acl_size, ACL_REVISION) == FALSE) { fprintf( stderr, "create_sd_from_list: InitializeAcl fail. Error was %s\n", str_oserr(GetLastError())); goto cleanup; } va_start(ap, num); for( i = 0; i < num; i++) { ACE_HEADER *ace_p; name = va_arg( ap, char *); amask = va_arg( ap, DWORD); if(AddAccessAllowedAce( pacl, ACL_REVISION, amask, sids[i]) == FALSE) { fprintf( stderr, "create_sd_from_list: AddAccessAllowedAce fail. Error was %s\n", str_oserr(GetLastError())); goto cleanup; } /* Make sure the ACE is inheritable */ if(GetAce( pacl, 0, (LPVOID *)&ace_p) == FALSE) { fprintf( stderr, "create_sd_from_list: GetAce fail. Error was %s\n", str_oserr(GetLastError())); goto cleanup; } ace_p->AceFlags |= ( CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE); } /* Add the ACL into the sd. */ if(SetSecurityDescriptorDacl( sdout, TRUE, pacl, FALSE) == FALSE) { fprintf( stderr, "create_sd_from_list: SetSecurityDescriptorDacl fail. Error was %s\n", str_oserr(GetLastError())); goto cleanup; } for( i = 0; i < num; i++) if(sids[i] != 0) LocalFree((HLOCAL)sids[i]); free(sids); return TRUE; cleanup: if(sids != 0) { for( i = 0; i < num; i++) if(sids[i] != 0) LocalFree((HLOCAL)sids[i]); free(sids); } if(pacl != 0) LocalFree((HLOCAL)pacl); return FALSE; } /* * Function to go over all the users in the SAM and set an ACL * on them. */ int set_userkeys_security( HKEY start, const char *path, SECURITY_DESCRIPTOR *psd, HKEY *return_key) { HKEY key; DWORD err; char usersid[128]; DWORD indx = 0; /* Open the path and enum all the user keys - setting the same security on them. */ if((err = RegOpenKeyEx( start, path, 0, KEY_ENUMERATE_SUB_KEYS, &key)) != ERROR_SUCCESS) { fprintf(stderr, "set_userkeys_security: Failed to open key %s to enumerate. \ Error was %s.\n", path, str_oserr(err)); return -1; } /* Now enumerate the subkeys, setting the security on them all. */ do { DWORD size; FILETIME ft; size = sizeof(usersid); err = RegEnumKeyEx( key, indx, usersid, &size, 0, 0, 0, &ft); if(err == ERROR_SUCCESS) { HKEY subkey; indx++; if((err = RegOpenKeyEx( key, usersid, 0, WRITE_DAC, &subkey)) != ERROR_SUCCESS) { fprintf(stderr, "set_userkeys_security: Failed to open key %s to set security. \ Error was %s.\n", usersid, str_oserr(err)); RegCloseKey(key); return -1; } if((err = RegSetKeySecurity( subkey, DACL_SECURITY_INFORMATION, psd)) != ERROR_SUCCESS) { fprintf(stderr, "set_userkeys_security: Failed to set security on key %s. \ Error was %s.\n", usersid, str_oserr(err)); RegCloseKey(subkey); RegCloseKey(key); return -1; } RegCloseKey(subkey); } } while(err == ERROR_SUCCESS); if(err != ERROR_NO_MORE_ITEMS) { RegCloseKey(key); return -1; } if(return_key == 0) RegCloseKey(key); else *return_key = key; return 0; } /* * Function to travel down the SAM security tree in the registry and restore * the correct ACL on them. Returns 0 on success. -1 on fail. */ int restore_sam_tree_access( HKEY start ) { char path[128]; char *p; HKEY key; DWORD err; SECURITY_DESCRIPTOR sd; DWORD admin_mask; admin_mask = WRITE_DAC | READ_CONTROL; if(create_sd_from_list( &sd, 2, "SYSTEM", GENERIC_ALL, "Administrators", admin_mask) == FALSE) return -1; strcpy( path, "SECURITY\\SAM\\Domains\\Account\\Users"); /* Remove the security on the user keys first. */ if(set_userkeys_security( start, path, &sd, 0) != 0) return -1; /* now go up the path, restoring security */ do { if((err = RegOpenKeyEx( start, path, 0, WRITE_DAC, &key)) != ERROR_SUCCESS) { fprintf(stderr, "restore_sam_tree_access:Failed to open key %s to set \ security. Error was %s.\n", path, str_oserr(err)); return -1; } if((err = RegSetKeySecurity( key, DACL_SECURITY_INFORMATION, &sd)) != ERROR_SUCCESS) { fprintf(stderr, "restore_sam_tree_access: Failed to set security on key %s. \ Error was %s.\n", path, str_oserr(err)); RegCloseKey(key); return -1; } RegCloseKey(key); p = strrchr(path, '\\'); if( p != 0) *p = 0; } while( p != 0 ); return 0; } /* * Function to travel the security tree and add Administrators * access as WRITE_DAC, READ_CONTROL and READ. * Returns 0 on success. -1 on fail if no security was changed, * -2 on fail if security was changed. */ int set_sam_tree_access( HKEY start, HKEY *return_key) { char path[128]; char *p; HKEY key; DWORD err; BOOL security_changed = FALSE; SECURITY_DESCRIPTOR sd; DWORD admin_mask; BOOL finished = FALSE; admin_mask = WRITE_DAC | READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS; if(create_sd_from_list( &sd, 2, "SYSTEM", GENERIC_ALL, "Administrators", admin_mask) == FALSE) return -1; strcpy( path, "SECURITY\\SAM\\Domains\\Account\\Users"); p = strchr(path, '\\'); do { if( p != 0) *p = 0; else finished = TRUE; if((err = RegOpenKeyEx( start, path, 0, WRITE_DAC, &key)) != ERROR_SUCCESS) { fprintf(stderr, "set_sam_tree_access:Failed to open key %s to set \ security. Error was %s.\n", path, str_oserr(err)); return (security_changed ? -2: -1); } if((err = RegSetKeySecurity( key, DACL_SECURITY_INFORMATION, &sd)) != ERROR_SUCCESS) { fprintf(stderr, "set_sam_tree_access: Failed to set security on key %s. \ Error was %s.\n", path, str_oserr(err)); RegCloseKey(key); return (security_changed ? -2: -1); } security_changed = TRUE; RegCloseKey(key); if(p != 0) { *p++ = '\\'; p = strchr(p, '\\'); } } while( !finished ); if(set_userkeys_security( start, path, &sd, &key) != 0) return -2; if(return_key == 0) RegCloseKey(key); else *return_key = key; return 0; } /* * Function to get a little-endian int from an offset into * a byte array. */ int get_int( char *array ) { return ((array[0]&0xff) + ((array[1]<<8)&0xff00) + ((array[2]<<16)&0xff0000) + ((array[3]<<24)&0xff000000)); } /* * Convert a 7 byte array into an 8 byte des key with odd parity. */ void str_to_key(unsigned char *str,unsigned char *key) { void des_set_odd_parity(des_cblock *); int i; key[0] = str[0]>>1; key[1] = ((str[0]&0x01)<<6) | (str[1]>>2); key[2] = ((str[1]&0x03)<<5) | (str[2]>>3); key[3] = ((str[2]&0x07)<<4) | (str[3]>>4); key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5); key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6); key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7); key[7] = str[6]&0x7F; for (i=0;i<8;i++) { key[i] = (key[i]<<1); } des_set_odd_parity((des_cblock *)key); } /* * Function to convert the RID to the first decrypt key. */ void sid_to_key1(unsigned long sid,unsigned char deskey[8]) { unsigned char s[7]; s[0] = (unsigned char)(sid & 0xFF); s[1] = (unsigned char)((sid>>8) & 0xFF); s[2] = (unsigned char)((sid>>16) & 0xFF); s[3] = (unsigned char)((sid>>24) & 0xFF); s[4] = s[0]; s[5] = s[1]; s[6] = s[2]; str_to_key(s,deskey); } /* * Function to convert the RID to the second decrypt key. */ void sid_to_key2(unsigned long sid,unsigned char deskey[8]) { unsigned char s[7]; s[0] = (unsigned char)((sid>>24) & 0xFF); s[1] = (unsigned char)(sid & 0xFF); s[2] = (unsigned char)((sid>>8) & 0xFF); s[3] = (unsigned char)((sid>>16) & 0xFF); s[4] = s[0]; s[5] = s[1]; s[6] = s[2]; str_to_key(s,deskey); } /* * Function to split a 'V' entry into a users name, passwords and comment. */ int check_vp(char *vp, int vp_size, char **username, char **fullname, char **comment, char **homedir, char *lanman,int *got_lanman, char *md4, int *got_md4, DWORD rid ) { des_key_schedule ks1, ks2; des_cblock deskey1, deskey2; int username_offset = get_int(vp + 0xC); int username_len = get_int(vp + 0x10); int fullname_offset = get_int(vp + 0x18); int fullname_len = get_int(vp + 0x1c); int comment_offset = get_int(vp + 0x24); int comment_len = get_int(vp + 0x28); int homedir_offset = get_int(vp + 0x48); int homedir_len = get_int(vp + 0x4c); int pw_offset = get_int(vp + 0x9c); *username = 0; *fullname = 0; *comment = 0; *homedir = 0; *got_lanman = 0; *got_md4 = 0; if(username_len < 0 || username_offset < 0 || comment_len < 0 || fullname_len < 0 || homedir_offset < 0 || comment_offset < 0 || pw_offset < 0) return -1; username_offset += 0xCC; fullname_offset += 0xCC; comment_offset += 0xCC; homedir_offset += 0xCC; pw_offset += 0xCC; if((*username = (char *)malloc(username_len + 1)) == 0) { fprintf(stderr, "check_vp: malloc fail for username.\n"); return -1; } if((*fullname = (char *)malloc(fullname_len + 1)) == 0) { fprintf(stderr, "check_vp: malloc fail for username.\n"); free(*username); *username = 0; return -1; } if((*comment = (char *)malloc(comment_len + 1)) == 0) { fprintf(stderr, "check_vp: malloc fail for comment.\n"); free(*username); *username = 0; free(*fullname); *fullname = 0; return -1; } if((*homedir = (char *)malloc(homedir_len + 1)) == 0) { fprintf(stderr, "check_vp: malloc fail for homedir.\n"); free(*username); *username = 0; free(*fullname); *fullname = 0; free(*comment); *comment = 0; return -1; } wcstombs( *username, (wchar_t *)(vp + username_offset), username_len/sizeof(wchar_t)); (*username)[username_len/sizeof(wchar_t)] = 0; wcstombs( *fullname, (wchar_t *)(vp + fullname_offset), fullname_len/sizeof(wchar_t)); (*fullname)[fullname_len/sizeof(wchar_t)] = 0; wcstombs( *comment, (wchar_t *)(vp + comment_offset), comment_len/sizeof(wchar_t)); (*comment)[comment_len/sizeof(wchar_t)] = 0; wcstombs( *homedir, (wchar_t *)(vp + homedir_offset), homedir_len/sizeof(wchar_t)); (*homedir)[homedir_len/sizeof(wchar_t)] = 0; if(pw_offset >= vp_size) { /* No password */ *got_lanman = 0; *got_md4 = 0; return 0; } /* Check that the password offset plus the size of the lanman and md4 hashes fits within the V record. */ if(pw_offset + 32 > vp_size) { /* Account disabled ? */ *got_lanman = -1; *got_md4 = -1; return 0; } /* Get the two decrpt keys. */ sid_to_key1(rid,(unsigned char *)deskey1); des_set_key((des_cblock *)deskey1,ks1); sid_to_key2(rid,(unsigned char *)deskey2); des_set_key((des_cblock *)deskey2,ks2); vp += pw_offset; /* Decrypt the lanman password hash as two 8 byte blocks. */ des_ecb_encrypt((des_cblock *)vp, (des_cblock *)lanman, ks1, DES_DECRYPT); des_ecb_encrypt((des_cblock *)(vp + 8), (des_cblock *)&lanman[8], ks2, DES_DECRYPT); vp += 16; /* Decrypt the NT md4 password hash as two 8 byte blocks. */ des_ecb_encrypt((des_cblock *)vp, (des_cblock *)md4, ks1, DES_DECRYPT); des_ecb_encrypt((des_cblock *)(vp + 8), (des_cblock *)&md4[8], ks2, DES_DECRYPT); *got_lanman = 1; *got_md4 = 1; return 0; } /* * Function to print out a 16 byte array as hex. */ void print_hexval(char *val) { int i; for(i = 0; i < 16; i++) printf("%02X", (unsigned char)val[i]); } /* * Function to strip out any ':' or '\n', '\r' from a text * string. */ void strip_text( char *txt ) { char *p; for( p = strchr(txt, ':'); p ; p = strchr( p + 1, ':')) *p = '_'; for( p = strchr(txt, '\n'); p ; p = strchr(p + 1, '\n')) *p = '_'; for( p = strchr(txt, '\r'); p ; p = strchr(p + 1, '\r')) *p = '_'; } /* * Function to dump a users smbpasswd entry onto stdout. * Returns 0 on success, -1 on fail. */ int printout_smb_entry( HKEY user, DWORD rid ) { DWORD err; DWORD type; DWORD size = 0; char *vp; char lanman[16]; char md4_hash[16]; char *username; char *fullname; char *comment; char *homedir; int got_lanman; int got_md4; /* Find out how much space we need for the 'V' value. */ if((err = RegQueryValueEx( user, "V", 0, &type, 0, &size)) != ERROR_SUCCESS) { fprintf(stderr, "printout_smb_entry: Unable to determine size needed \ for user 'V' value. Error was %s.\n.", str_oserr(err)); return -1; } if((vp = (char *)malloc(size)) == 0) { fprintf(stderr, "printout_smb_entry: malloc fail for user entry.\n"); return -1; } if((err = RegQueryValueEx( user, "V", 0, &type, (LPBYTE)vp, &size)) != ERROR_SUCCESS) { fprintf(stderr, "printout_smb_entry: Unable to read user 'V' value. \ Error was %s.\n.", str_oserr(err)); free(vp); return -1; } /* Check heuristics */ if(check_vp(vp, size, &username, &fullname, &comment, &homedir, lanman, &got_lanman, md4_hash, &got_md4, rid) != 0) { fprintf(stderr, "Failed to parse entry for RID %X\n", rid); free(vp); return 0; } /* Ensure username of comment don't have any nasty suprises for us such as an embedded ':' or '\n' - see multiple UNIX passwd field update security bugs for details... */ strip_text( username ); strip_text( fullname ); strip_text( comment ); /* If homedir contains a drive letter this mangles it - but it protects the integrity of the smbpasswd file. */ strip_text( homedir ); printf("%s:%d:", username, rid); if(got_lanman) { if(got_lanman == -1) /* Disabled account ? */ printf("********************************"); else print_hexval(lanman); } else printf("NO PASSWORD*********************"); printf(":"); if(got_md4) { if(got_md4 == -1) /* Disabled account ? */ printf("********************************"); else print_hexval(md4_hash); } else printf("NO PASSWORD*********************"); printf(":"); if(*fullname) printf("%s", fullname); if(*fullname && *comment) printf(","); if(*comment) printf("%s", comment); printf(":"); if(*homedir) printf("%s", homedir); printf(":\n"); free(username); free(comment); free(homedir); free(vp); return 0; } /* * Function to go through all the user SID's - dumping out * their SAM values. Returns 0 on success, -1 on fail. */ int enumerate_users( HKEY key) { DWORD indx = 0; DWORD err; DWORD rid; char usersid[128]; do { DWORD size; FILETIME ft; size = sizeof(usersid); err = RegEnumKeyEx( key, indx, usersid, &size, 0, 0, 0, &ft); if(err == ERROR_SUCCESS) { HKEY subkey; indx++; if((err = RegOpenKeyEx( key, usersid, 0, KEY_QUERY_VALUE, &subkey)) != ERROR_SUCCESS) { fprintf(stderr, "enumerate_users: Failed to open key %s to read value. \ Error was %s.\n", usersid, str_oserr(err)); RegCloseKey(key); return -1; } rid = strtoul(usersid, 0, 16); /* Hack as we know there is a Names key here */ if(rid != 0) { if(printout_smb_entry( subkey, rid ) != 0) { RegCloseKey(subkey); return -1; } } RegCloseKey(subkey); } } while(err == ERROR_SUCCESS); if(err != ERROR_NO_MORE_ITEMS) { RegCloseKey(key); return -1; } return 0; } /* * Print usage message and die. */ void usage(const char *arg0) { fprintf(stderr, "Usage: %s <\\\\machine>\n", arg0); exit(-1); } /* * usage: \\machine */ int main(int argc, char **argv) { char username[128]; DWORD size; HKEY start_key = HKEY_LOCAL_MACHINE; HKEY users_key; int err; if(argc > 2) usage(argv[0]); /* * Ensure we are running as Administrator before * we will run. */ size = sizeof(username); if(GetUserName(username, &size)== FALSE) { fprintf(stderr, "%s: GetUserName() failed. Error was %s.", argv[0], str_oserr(GetLastError())); return -1; } if(stricmp( "Administrator", username) != 0) { fprintf(stderr, "%s: You must be running as user Administrator \ to run this program\n", argv[0]); return -1; } /* * Open a connection to the remote machines registry. */ if(argc == 2) { if((err = RegConnectRegistry( argv[1], HKEY_LOCAL_MACHINE, &start_key)) != ERROR_SUCCESS) { fprintf(stderr, "%s: Failed to connect to registry on remote computer %s.\ Error was %s.\n", argv[0], argv[1], str_oserr(err)); return -1; } } /* * We need to get to HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users. * The security on this key normally doesn't allow Administrators * to read - we need to add this. */ if((err = set_sam_tree_access( start_key, &users_key)) != 0) { if(err == -2) restore_sam_tree_access( start_key); return -1; } /* Print the users SAM entries in smbpasswd format onto stdout. */ enumerate_users( users_key ); RegCloseKey(users_key); /* reset the security on the SAM */ restore_sam_tree_access( start_key ); if(start_key != HKEY_LOCAL_MACHINE) RegCloseKey(start_key); return 0; }