From 43dedd7b0e6e59bf3e1965466fe635641b8a21e4 Mon Sep 17 00:00:00 2001
From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Thu, 7 Jan 2016 20:43:19 +0000
Subject: [PATCH] Extract optional OS version info from NTLM challenge message

---
 nselib/smbauth.lua | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/nselib/smbauth.lua b/nselib/smbauth.lua
index de1612008..2e8f77b5b 100644
--- a/nselib/smbauth.lua
+++ b/nselib/smbauth.lua
@@ -843,9 +843,7 @@ end
 -- @return A host_info table containing the data in the blob.
 -- @see host_info
 function get_host_info_from_security_blob(security_blob)
-  local ntlm_challenge = {}
-  --local pos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved, target_info_length, target_info_max, target_info_offset = bin.unpack("<A8ISSIILLSSI", security_blob)
-  local pos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved, target_info_length, target_info_max, target_info_offset = bin.unpack("<A8ISSIILLSSI", security_blob)
+  local hpos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge = bin.unpack("<A8ISSIIL", security_blob)
 
   -- Do some validation on the NTLMSSP message
   if ( identifier ~= "NTLMSSP\0" ) then
@@ -857,6 +855,8 @@ function get_host_info_from_security_blob(security_blob)
     return false, "Invalid message type in NTLM challenge message"
   end
 
+  local ntlm_challenge = {}
+
   -- Parse the TargetName data (i.e. the server authentication realm)
   if ( domain_length > 0 ) then
     local length = domain_length
@@ -866,6 +866,26 @@ function get_host_info_from_security_blob(security_blob)
     ntlm_challenge[ "target_realm" ] = unicode.utf16to8( target_realm )
   end
 
+  if hpos + domain_length > #security_blob then
+    -- Context, Target Information, and OS Version structure are all omitted
+    -- Probably Win9x
+    return ntlm_challenge
+  end
+
+  local hpos, context, target_info_length, target_info_max, target_info_offset = bin.unpack("<LSSI", security_blob, hpos)
+
+  -- OS info is in the intervening 8 bytes, subtract 1 for lua 1-index
+  if target_info_offset >= hpos + 7 and domain_offset >= hpos + 7 then
+    local hpos, major, minor, build, reserved = bin.unpack("<CCSA4", security_blob, hpos)
+    if reserved == "\0\0\0\x0f" then
+      ntlm_challenge.os_major_version = major
+      ntlm_challenge.os_minor_version = minor
+      ntlm_challenge.os_build = build
+    else
+      stdnse.debug2("smbauth: Unknown OS info structure in NTLM handshake")
+    end
+  end
+
   -- Parse the TargetInfo data (Wireshark calls this the "Address List")
   if ( target_info_length > 0 ) then