From 81b6bae5eb40e09e763cbb41440167547f8f61aa Mon Sep 17 00:00:00 2001
From: patrik <patrik@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Sun, 7 Oct 2012 08:54:34 +0000
Subject: [PATCH] Squashed commit of the following:

commit e5cb0a18d5474730310f1797016e1106c33ca059
Author: Patrik Karlsson <patrik@cqure.net>
Date:   Sun Oct 7 10:47:35 2012 +0200

    compatibility fixes to spnego authentication in smb and smbauth libraries

    the spnego authentication blob now decodes properly in wireshark
    fixes in spnego authentication for both Window 2003 and Windows 7
---
 nselib/smb.lua     | 33 ++++++++++++----------
 nselib/smbauth.lua | 68 +++++++++++++++++++++++++++-------------------
 2 files changed, 59 insertions(+), 42 deletions(-)

diff --git a/nselib/smb.lua b/nselib/smb.lua
index 7ce0da05f..3ea19f82a 100644
--- a/nselib/smb.lua
+++ b/nselib/smb.lua
@@ -836,6 +836,11 @@ function smb_read(smb, read_data)
 	repeat
 		attempts = attempts - 1
 		status, netbios_data = smb['socket']:receive_buf(match.numbytes(4), true);
+		
+		if ( not(status) and netbios_data == "EOF" ) then
+			stdnse.print_debug(1, "SMB: ERROR: Server disconnected the connection")
+			return false, "SMB: ERROR: Server disconnected the connection"
+		end
 	until(status or (attempts == 0))
 
 	-- Make sure the connection is still alive
@@ -1312,7 +1317,7 @@ local function start_session_extended(smb, log_errors, overrides)
 
 				if ( sp_nego ) then
 					local enc = asn1.ASN1Encoder:new()
-					local mechtype = enc:encode( { type = 'A0', value = enc:encode( { type = '30', value = enc:encode( { type = '06', value = bin.pack("H", "2b06010401823702020a") } ) } ) } )					
+					local mechtype = enc:encode( { type = 'A0', value = enc:encode( { type = '30', value = enc:encode( { type = '06', value = bin.pack("H", "2b06010401823702020a") } ) } ) } )
 					local oid = enc:encode( { type = '06', value = bin.pack("H", "2b0601050502") } )
 					
 					security_blob = enc:encode(security_blob)
@@ -1322,14 +1327,13 @@ local function start_session_extended(smb, log_errors, overrides)
 					security_blob = enc:encode( { type = 'A0', value = security_blob } )
 					security_blob = oid .. security_blob
 					security_blob = enc:encode( { type = '60', value = security_blob } )
-					
 				end
 			else
 				if ( sp_nego ) then
 					if ( smb['domain'] or smb['server'] and ( not(domain) or #domain == 0 ) ) then
 						domain = smb['domain'] or smb['server']
 					end
-					hash_type = "v2"
+					hash_type = "ntlm"
 				end
 				
 				status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], username, domain, password, password_hash, hash_type, (sp_nego and 0x00088215))
@@ -1350,28 +1354,29 @@ local function start_session_extended(smb, log_errors, overrides)
 			end
 	
 			header     = smb_encode_header(smb, command_codes['SMB_COM_SESSION_SETUP_ANDX'], overrides)
+
+			-- Data is a list of strings, terminated by a blank one. 
+			data = bin.pack("<Azzz", 
+						security_blob,         -- Security blob
+						"Nmap",                -- OS
+						"Native Lanman",       -- Native LAN Manager
+						""                     -- Primary domain
+			)
+	
 			-- Parameters
 			parameters = bin.pack("<CCSSSSISII", 
 						0xFF,               -- ANDX -- no further commands
 						0x00,               -- ANDX -- Reserved (0)
-						0x0000,             -- ANDX -- next offset
+						#data + 24 + #header + 3, -- ANDX -- next offset
 						0xFFFF,             -- Max buffer size
 						0x0001,             -- Max multiplexes
 						0x0001,             -- Virtual circuit num
 						smb['session_key'], -- The session key
 						#security_blob,     -- Security blob length
 						0x00000000,         -- Reserved
-		                0x80000050          -- Capabilities
+						0x80000050          -- Capabilities
 					)
-		
-			-- Data is a list of strings, terminated by a blank one. 
-			data       = bin.pack("<Azzz", 
-						security_blob,         -- Security blob
-						"Nmap",                -- OS
-						"Native Lanman",       -- Native LAN Manager
-						""                     -- Primary domain
-					)
-	
+			
 			-- Send the session setup request
 			stdnse.print_debug(2, "SMB: Sending SMB_COM_SESSION_SETUP_ANDX")
 			result, err = smb_send(smb, header, parameters, data, overrides)
diff --git a/nselib/smbauth.lua b/nselib/smbauth.lua
index e94490de7..20515787c 100644
--- a/nselib/smbauth.lua
+++ b/nselib/smbauth.lua
@@ -677,39 +677,51 @@ function get_security_blob(security_blob, ip, username, domain, password, passwo
 	else
 		-- Parse the old security blob
 		local pos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved = bin.unpack("<LISSIIA8A8", security_blob, 1)
-
-		-- Get the information for the current login
-        local lanman, ntlm, mac_key = get_password_response(ip, username, domain, password, password_hash, hash_type, challenge, true)
+   	local lanman, ntlm, mac_key = get_password_response(ip, username, domain, password, password_hash, hash_type, challenge, true)
 
 		-- Convert the username and domain to unicode (TODO: Disable the unicode flag, evaluate if that'll work)
 		username = to_unicode(username)
-		domain   = to_unicode(domain)
+		hostname = to_unicode("nmap")
+		domain   = (#username > 0 ) and to_unicode(domain) or ""
+		ntlm     = (#username > 0 ) and ntlm or ""
+		lanman   = (#username > 0 ) and lanman or string.char(0)
 
-		new_blob = bin.pack("<zISSISSISSISSISSISSII", 
-					"NTLMSSP",            -- Identifier
-					NTLMSSP_AUTH,         -- Type
-					#lanman,              -- Lanman (length, max, offset)
-					#lanman,              -- 
-					0x40,                 -- 
-					#ntlm,                -- NTLM (length, max, offset)
-					#ntlm,                -- 
-					0x40 + #lanman,       -- 
-					#domain,              -- Domain (length, max, offset)
-					#domain,              --
-					0x40 + #lanman + #ntlm,--
-					#username,            -- Username (length, max, offset)
-					#username,            -- 
-					0x40 + #lanman + #ntlm + #domain,
-					#domain,              -- Hostname (length, max, offset)
-					#domain,              --
-					0x40 + #lanman + #ntlm + #domain + #username,
-					#session_key,         -- Session key (length, max, offset)
-					#session_key,         --
-					0x40 + #lanman + #ntlm + #domain + #username + #domain,
-					flags                 -- Flags
-				)
+		local domain_offset = 0x40
+		local username_offset = domain_offset + #domain
+		local hostname_offset = username_offset + #username
+		local lanman_offset = hostname_offset + #hostname
+		local ntlm_offset = lanman_offset + #lanman
+		local sessionkey_offset = ntlm_offset + #ntlm
 
-		new_blob = new_blob .. bin.pack("AAAAAA", lanman, ntlm, domain, username, domain, session_key)
+		new_blob = bin.pack("<zISSISSISSISSISSISSIIAAAAAA",
+			"NTLMSSP",
+			NTLMSSP_AUTH,
+			#lanman,
+			#lanman,
+			lanman_offset,
+			( #ntlm > 0 and #ntlm - 16 or 0 ),
+			( #ntlm > 0 and #ntlm - 16 or 0 ),
+			ntlm_offset,
+			#domain,
+			#domain,
+			domain_offset,
+			#username,
+			#username,
+			username_offset,
+			#hostname,
+			#hostname,
+			hostname_offset,
+			#session_key,
+			#session_key,
+			sessionkey_offset,
+			flags,
+			domain,
+			username,
+			hostname,
+			lanman,
+			ntlm,
+			session_key)
+	
 		return true, new_blob, mac_key
 	end