Squashed commit of the following:

commit e5cb0a18d5474730310f1797016e1106c33ca059 Author: Patrik Karlsson <patrik@cqure.net> Date: Sun Oct 7 10:47:35 2012 +0200 compatibility fixes to spnego authentication in smb and smbauth libraries the spnego authentication blob now decodes properly in wireshark fixes in spnego authentication for both Window 2003 and Windows 7
2025-12-07 13:11:28 +00:00 · 2012-10-07 08:54:34 +00:00
parent 13345f736d
commit 81b6bae5eb
2 changed files with 59 additions and 42 deletions
--- a/nselib/smbauth.lua
+++ b/nselib/smbauth.lua
@@ -677,39 +677,51 @@ function get_security_blob(security_blob, ip, username, domain, password, passwo
 	else
 		-- Parse the old security blob
 		local pos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved = bin.unpack("<LISSIIA8A8", security_blob, 1)
-
-		-- Get the information for the current login
-        local lanman, ntlm, mac_key = get_password_response(ip, username, domain, password, password_hash, hash_type, challenge, true)
+   	local lanman, ntlm, mac_key = get_password_response(ip, username, domain, password, password_hash, hash_type, challenge, true)

 		-- Convert the username and domain to unicode (TODO: Disable the unicode flag, evaluate if that'll work)
 		username = to_unicode(username)
-		domain   = to_unicode(domain)
+		hostname = to_unicode("nmap")
+		domain   = (#username > 0 ) and to_unicode(domain) or ""
+		ntlm     = (#username > 0 ) and ntlm or ""
+		lanman   = (#username > 0 ) and lanman or string.char(0)

-		new_blob = bin.pack("<zISSISSISSISSISSISSII", 
-					"NTLMSSP",            -- Identifier
-					NTLMSSP_AUTH,         -- Type
-					#lanman,              -- Lanman (length, max, offset)
-					#lanman,              -- 
-					0x40,                 -- 
-					#ntlm,                -- NTLM (length, max, offset)
-					#ntlm,                -- 
-					0x40 + #lanman,       -- 
-					#domain,              -- Domain (length, max, offset)
-					#domain,              --
-					0x40 + #lanman + #ntlm,--
-					#username,            -- Username (length, max, offset)
-					#username,            -- 
-					0x40 + #lanman + #ntlm + #domain,
-					#domain,              -- Hostname (length, max, offset)
-					#domain,              --
-					0x40 + #lanman + #ntlm + #domain + #username,
-					#session_key,         -- Session key (length, max, offset)
-					#session_key,         --
-					0x40 + #lanman + #ntlm + #domain + #username + #domain,
-					flags                 -- Flags
-				)
+		local domain_offset = 0x40
+		local username_offset = domain_offset + #domain
+		local hostname_offset = username_offset + #username
+		local lanman_offset = hostname_offset + #hostname
+		local ntlm_offset = lanman_offset + #lanman
+		local sessionkey_offset = ntlm_offset + #ntlm

-		new_blob = new_blob .. bin.pack("AAAAAA", lanman, ntlm, domain, username, domain, session_key)
+		new_blob = bin.pack("<zISSISSISSISSISSISSIIAAAAAA",
+			"NTLMSSP",
+			NTLMSSP_AUTH,
+			#lanman,
+			#lanman,
+			lanman_offset,
+			( #ntlm > 0 and #ntlm - 16 or 0 ),
+			( #ntlm > 0 and #ntlm - 16 or 0 ),
+			ntlm_offset,
+			#domain,
+			#domain,
+			domain_offset,
+			#username,
+			#username,
+			username_offset,
+			#hostname,
+			#hostname,
+			hostname_offset,
+			#session_key,
+			#session_key,
+			sessionkey_offset,
+			flags,
+			domain,
+			username,
+			hostname,
+			lanman,
+			ntlm,
+			session_key)
+	
 		return true, new_blob, mac_key
 	end