return;
}
}
}
}
/*
 * Creates the MD4 Hash of the users password in NT UNICODE.
 *
 * passwd: password bytes to hash.
 * p16:    output; receives the 16 digest bytes straight out of MD.buffer.
 * len:    length of passwd in bytes; MDupdate takes bit counts, hence the *8.
 *
 * NOTE(review): every MDupdate call is passed passwd + (i/2) while i advances
 * 64 bytes per block, so the pointer moves only half as fast as the count.
 * That only adds up if the MD4 routine here consumes 8-bit characters and
 * widens them to 16-bit UNICODE itself (len counting UNICODE bytes while
 * passwd is indexed as ASCII) -- confirm against MDupdate before changing
 * either side.
 */
void md4hash(char *passwd, unsigned char *p16, int len)
{
int i=0;
MDstruct MD;
MDbegin(&MD);
/* full 512-bit (64-byte) blocks first */
for(i = 0; i + 64 <= len; i += 64){
MDupdate(&MD,(unsigned char *)passwd + (i/2), 512);
#ifdef BIGENDIAN
/* MDreverse presumably byte-swaps the state on big-endian hosts -- TODO confirm */
MDreverse(MD.buffer);
#endif
}
/* trailing partial block, possibly 0 bits; presumably the short update also
 * finalizes the digest as in the reference MD4 code -- TODO confirm */
MDupdate(&MD,(unsigned char *)passwd + (i/2),(len-i)*8);
#ifdef BIGENDIAN
MDreverse(MD.buffer);
#endif
/* MDprint(&MD);
printf("\n"); */
/* raw copy of the state words; the SIVAL variant below was an explicit
 * little-endian store, kept commented out */
memcpy(p16, (unsigned char *)MD.buffer, 16);
/*
SIVAL(p16,0,MD.buffer[0]);
SIVAL(p16,4,MD.buffer[1]);
SIVAL(p16,8,MD.buffer[2]);
SIVAL(p16,12,MD.buffer[3]);
*/
}
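/*
 * Copies word into holder converted to lower case and drops a trailing
 * newline (as left by fgets()). word is truncated in place to at most 128
 * characters, so holder must provide at least 129 bytes.
 *
 * holder: destination; receives the lower-cased copy, NUL-terminated.
 * word:   source; modified in place when longer than 128 characters.
 */
void LowerString(char *holder, char *word){
    size_t i;
    size_t word_len;

    word_len = strlen(word);
    /* Truncate before measuring: the length was previously taken first, so
     * an over-long word still copied past the 128-byte limit into holder. */
    if (word_len > 128) {
        word[128] = '\0';
        word_len = 128;
    }

    for (i = 0; i < word_len; i++) {
        /* <ctype.h> is undefined for negative plain-char values; widen first */
        unsigned char c = (unsigned char)word[i];
        if (isupper(c))
            holder[i] = (char)tolower(c);
        else
            holder[i] = word[i];
    }
    /* Always terminate; previously the result was only a valid string if the
     * caller's buffer was already zeroed past the copied characters. */
    holder[word_len] = '\0';

    /* strip the newline; the empty string would otherwise index holder[-1] */
    if (word_len > 0 && holder[word_len - 1] == '\n')
        holder[word_len - 1] = '\0';
}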
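/*
 * Upper-cases the single character str[pos] in place.
 *
 * str: buffer of at least pos+1 bytes, modified in place.
 * pos: index of the character to convert; must lie within str.
 */
void chcase(char *str, int pos){
    /* widen to unsigned char first: toupper() on a negative plain char is UB */
    str[pos] = (char)toupper((unsigned char)str[pos]);
}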
/*
 * Writes one "User: [..] Lanman PW: [..] NT dialect PW: [..]" line for the
 * entry to file, at most once: already_printed is checked before and set
 * after, so later calls for the same entry emit nothing.
 */
void printuser(struct user_struct *Ustruct, FILE *file){
    if (Ustruct->already_printed == 1)
        return;

    fprintf(file, "User: [%s] Lanman PW: [%s] NT dialect PW: [%s]\n",
            Ustruct->username, Ustruct->lmpasswd, Ustruct->ntpasswd);
    Ustruct->already_printed = 1;
    /* push the line out now so a hit survives an abrupt exit later on */
    fflush(file);
}
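/*
 * Tests one dictionary word against the Lanman hash of index and, for pwdump
 * input, propagates a matching hash to every later entry in the list.
 *
 * index:     entry to test; lmdone / lmpasswd are updated on a hit.
 * dict_word: candidate password.
 * outlist:   stream that cracked entries are printed to (via printuser).
 * Returns 1 if index is (or already was) cracked, else 0.
 */
int Lanman(struct user_struct *index, char *dict_word, FILE *outlist){
    struct user_struct *foo;
    /* 15 bytes, not 14: a 14-character Lanman password needs room for its
     * NUL (Lanman_and_nt already sizes this buffer at 15). */
    char match_lmpasswd[15], tmphash[16];
    int ret = 0;

    if (index->lmdone == 1) {
        printuser(index, outlist);
        return 1;
    }

    if (index->pwdumpval) {   /* doing the pwdump file */
        if (cracklanman(index, dict_word, tmphash) == 1) {
            printuser(index, outlist);
            index->lmdone = 1;
            strcpy(match_lmpasswd, index->lmpasswd);
            ret = 1;
        }
        /* tmphash is compared even when cracklanman() returned 0; this relies
         * on cracklanman() always filling it with the hash of dict_word -- TODO confirm */
        for (foo = index->next; foo != NULL; foo = foo->next) {
            if (memcmp(foo->lmhashb, tmphash, 16) == 0) {
                LMword(match_lmpasswd, dict_word);
                strcpy(foo->lmpasswd, match_lmpasswd);
                foo->lmdone = 1;
            }
        }
    } else {   /* doing the sniffer logs */
        LMword(match_lmpasswd, dict_word);
        if (lm_check_sniff(index, match_lmpasswd) == 1) {
            printuser(index, outlist);
            index->lmdone = 1;
            ret = 1;
        }
    }
    return ret;
}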
/*
 * Tests one dictionary word against the NT hash of index. For pwdump input a
 * hit is also copied to every later entry with the same 32-byte nthash, so
 * duplicate accounts are not cracked twice.
 *
 * index:     entry to test; ntdone is set on a hit.
 * dict_word: candidate password.
 * outlist:   stream that cracked entries are printed to (via printuser).
 * Returns 1 if index is (or already was) cracked, else 0.
 */
int nt(struct user_struct *index, char *dict_word, FILE *outlist){
    struct user_struct *walk;
    char found_passwd[129];
    char found_hash[32];

    if (index->ntdone == 1) {
        printuser(index, outlist);
        return 1;
    }
    if (crackntdialect(index, dict_word, 1) != 1)
        return 0;

    printuser(index, outlist);
    index->ntdone = 1;
    if (index->pwdumpval) {
        strcpy(found_passwd, index->ntpasswd);
        memcpy(found_hash, index->nthash, 32);
        for (walk = index->next; walk != NULL; walk = walk->next) {
            if (memcmp(walk->nthash, found_hash, 32) == 0) {
                strcpy(walk->ntpasswd, found_passwd);
                walk->ntdone = 1;
            }
        }
    }
    return 1;
}
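/*
 * Tests one dictionary word against the Lanman hash of index and, on a hit,
 * immediately tries the recovered Lanman password as the NT password too.
 * For pwdump input the Lanman hit is also propagated to later entries with
 * the same hash, and the NT check is run for each of them.
 *
 * index:     entry to test; lmdone / ntdone / lmpasswd are updated on a hit.
 * dict_word: candidate password.
 * outlist:   stream that cracked entries are printed to (via printuser).
 * Returns 1 if index was cracked by this call or was already fully cracked
 * (both flags set), else 0.
 */
int Lanman_and_nt(struct user_struct *index, char *dict_word, FILE *outlist){
    struct user_struct *foo;
    char match_lmpasswd[15];
    char tmphash[16];
    int ret = 0;

    if (index->lmdone == 1 && index->ntdone) {
        printuser(index, outlist);
        return 1;
    }

    if (cracklanman(index, dict_word, tmphash) == 1) {
        index->lmdone = 1;
        strcpy(match_lmpasswd, index->lmpasswd);
        /* the Lanman text is a strong guess for the NT password (case aside) */
        if (crackntdialect(index, index->lmpasswd, 1) == 1)
            index->ntdone = 1;
        ret = 1;
        /* lmdone was just set, so the original "lmdone || ntdone" test was
         * always true here; print unconditionally */
        printuser(index, outlist);
    }

    if (index->pwdumpval) {
        /* tmphash is compared even when cracklanman() returned 0; this relies
         * on cracklanman() always filling it with the hash of dict_word -- TODO confirm */
        for (foo = index->next; foo != NULL; foo = foo->next) {
            if (memcmp(foo->lmhashb, tmphash, 16) == 0) {
                LMword(match_lmpasswd, dict_word);
                strcpy(foo->lmpasswd, match_lmpasswd);
                foo->lmdone = 1;
                crackntdialect(foo, foo->lmpasswd, 1);
            }
        }
    }
    return ret;
}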
/*
 * Brute-forces the Lanman hashes of every entry in the list at head using
 * upper-case letters only, candidates of 1..7 characters, in odometer order
 * (A, B, ..., Z, AA, BA, ...: tmpspace[0] is the fastest-changing position).
 * For pwdump input each candidate is half-hashed once and checked against all
 * entries by brute_routine(); for sniffer input by lm_check_sniff(). After
 * every hit the list is pruned.
 *
 * head:    list of entries; replaced by prune_list()'s result after each hit.
 * outlist: output stream for cracked entries.
 * Returns 1 when nothing is left to crack, 0 when the keyspace is exhausted.
 */
int brute_lanman(struct user_struct *head, FILE *outlist){
char brute_str[7];   /* zeroed below but never read */
char all_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";   /* the candidate alphabet */
char half_hash[8];
char tmp[128];       /* current candidate; zeroed once, at most tmp[0..6] are
                        ever written, so it stays NUL-terminated */
int spacelen = strlen(all_chars);
int pwlen = 7;
/* one pointer into all_chars per password position plus one sentinel slot;
 * a NULL slot means "this position is not in use yet" */
char *tmpspace[7+1];
struct user_struct *index;
int i;
int size;            /* unused duplicate of spacelen */
size = strlen(all_chars);
index = head;
memset(brute_str, '\0', sizeof(brute_str));
memset(tmp, '\0', sizeof(tmp));
/* initialize the pointers */
tmpspace[0]=&all_chars[0];
for (i=1; i<=pwlen; i++) {
tmpspace[i]=0;
}
/* ok here we go, go until that extra pointer gets
changed... */
/* the loop ends when a carry reaches the sentinel slot tmpspace[pwlen] */
while(!tmpspace[pwlen]) {
/* build the candidate: one letter per active position, stop at the first
 * unused slot (the candidate only ever grows, so no clearing is needed) */
for (i=0; i<=pwlen; i++) {
if(tmpspace[i] != 0) {
tmp[i]=*tmpspace[i];
} else
break;
/* {
tmp[i]='\0';
}
*/
}
/* printf("%s : %d\n", tmp, strlen(tmp)); */
if (index->pwdumpval){
half_lanman(half_hash, tmp);
if (brute_routine(index, half_hash, tmp, 7) == 1){
#ifdef _DEBUG
/* NOTE(review): iter is not declared in this function, so this trace does
 * not compile with _DEBUG defined (it is a parameter of brute_routine) */
printf("gotone in round %d\n", iter);
fflush(NULL);
#endif
nt_ify_list(index);
print_hits(index, outlist);
/* drop finished entries; an empty list means we are done */
head = prune_list(index);
if (!head)
return(1);
else
index = head;
}
} else {
if (lm_check_sniff(index, tmp) == 1){
nt_ify_list(index);
print_hits(index, outlist);
head = prune_list(index);
if (!head)
return(1);
else
index = head;
}
}
/* increment */
tmpspace[0]++;
/* carry ? */
/* a position that ran past 'Z' wraps to 'A' and bumps the next one;
 * bumping a NULL slot instead activates it (the candidate gets longer) */
for (i=0; i<pwlen; i++) {
if (tmpspace[i] > &all_chars[spacelen -1]) {
tmpspace[i] = &all_chars[0];
/*
can't just inc the pointer but
this could be removed by playing
games with the data struct... ;-)
*/
if (tmpspace[i+1] !=0) {
tmpspace[i+1]++;
} else {
tmpspace[i+1] = &all_chars[0];
}
}
}
}
return(0);
}
/*
 * Computes the first half of a Lanman hash: DES-encrypts the fixed
 * str_to_crypt block under a key derived from the start of brute_str
 * (presumably its first 7 bytes, as full_lanman() starts the second key at
 * offset 7) and copies the 8 resulting bytes into half_hash.
 *
 * half_hash: output, at least 8 bytes.
 * brute_str: candidate password.
 */
void half_lanman(char *half_hash, char *brute_str){
    des_cblock key;
    des_key_schedule sched;
    unsigned char out[8];

    /* password bytes -> odd-parity DES key -> key schedule */
    str_to_key((unsigned char *)brute_str, key);
    des_set_key((des_cblock *)key, sched);
    /* encrypt the well-known constant block under that key */
    des_ecb_encrypt((des_cblock *)str_to_crypt, (des_cblock *)out, sched, DES_ENCRYPT);
    memcpy(half_hash, out, sizeof out);
}
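/* routine to compute the full LANMAN hash of a candidate passwd */
/*
 * Computes the 16-byte Lanman hash of dict_word into fullhash: the candidate
 * is zero-padded / truncated to 14 bytes, split into two 7-byte halves, and
 * each half keys a DES encryption of the constant str_to_crypt block.
 *
 * fullhash:  output, at least 16 bytes of raw hash (not a C string).
 * dict_word: candidate password; at most 14 bytes are used.
 */
void full_lanman(char *fullhash, char *dict_word){
    unsigned char passwd[14];
    unsigned char lanman[16];
    des_cblock deskey1, deskey2;
    des_key_schedule ks1, ks2;

    /* zero padding is the Lanman convention for short passwords; strncpy is
     * deliberate here -- passwd needs no terminator, only 14 bytes are read */
    memset(passwd, '\0', sizeof(passwd));
    memset(lanman, '\0', sizeof(lanman));
    strncpy((char *)passwd, dict_word, sizeof(passwd));

    /* first half: bytes 0..6 key hash bytes 0..7 */
    str_to_key(passwd, deskey1);
    des_set_key((des_cblock *)deskey1, ks1);
    des_ecb_encrypt((des_cblock *)str_to_crypt, (des_cblock *)lanman, ks1, DES_ENCRYPT);

    /* second half: bytes 7..13 key hash bytes 8..15 */
    str_to_key(&(passwd[7]), deskey2);
    des_set_key((des_cblock *)deskey2, ks2);
    des_ecb_encrypt((des_cblock *)str_to_crypt, (des_cblock *)&lanman[8], ks2, DES_ENCRYPT);

    /* memcpy, not strncpy: the hash is binary and may contain 0x00 bytes,
     * which strncpy would treat as end-of-string and zero-fill from */
    memcpy(fullhash, lanman, sizeof(lanman));
}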
/*
 * Checks one candidate (brute_str, whose 8-byte half hash is half_hash)
 * against every entry in the list at head.
 *
 * Entries flagged under7 are decided by the first 8 hash bytes alone. Other
 * entries are cracked in two pieces: the candidate is tested against hash
 * bytes 0..7 (only while iter == 7) and against bytes 8..15, and the entry is
 * marked done once both halves are known.
 *
 * head:      list of entries; first_half / second_half / lmpasswd / lmdone
 *            are updated in place.
 * half_hash: 8-byte half Lanman hash of brute_str.
 * brute_str: the candidate; up to 7 bytes of it are copied.
 * iter:      brute_lanman() always passes 7; the == 7 guard presumably
 *            matters for other callers -- TODO confirm.
 * Returns 1 if any entry had lmdone set by this call, else 0.
 */
int brute_routine(struct user_struct *head, char *half_hash, char *brute_str, int iter){
struct user_struct *index;
int positive=0;
index = head;
while (index != NULL){
if (index->under7){
/* password fits in the first half: the first 8 hash bytes decide */
if (memcmp(index->lmhashb, half_hash, 8) == 0){
/* n == 7 leaves no terminator for a 7-byte candidate; relies on
 * first_half / lmpasswd being zeroed and wider than 7 -- TODO confirm sizes */
strncpy(index->first_half, brute_str, 7);
strncpy(index->lmpasswd, brute_str, 7);
index->lmdone = 1;
positive = 1;
}
}else{
if (iter == 7){
if (strlen(index->first_half) == 0){
if (memcmp(index->lmhashb, half_hash, 8) == 0){
strncpy(index->first_half, brute_str, 7);
/* the second half may have been found earlier; then this completes it */
if (strlen(index->second_half) != 0){
positive=1;
}
}
}
}
/* same candidate tested as the second half (hash bytes 8..15) */
if (strlen(index->second_half) == 0){
if (memcmp(&index->lmhashb[8], half_hash, 8) == 0){
strncpy(index->second_half, brute_str, 7);
#ifdef _DEBUG
printf("snagged second half in round %d\n", iter);
fflush(NULL);
#endif
}
}
}
/* once both halves are known, stitch them into lmpasswd */
if (!(index->under7)){
if ((strlen(index->first_half) > 0) && (strlen(index->second_half) > 0)){
/* strncpy does not write lmpasswd[7]; strncat then appends at
 * strlen(&lmpasswd[7]), so this relies on lmpasswd[7] already being '\0' */
strncpy(index->lmpasswd, index->first_half, 7);
strncat(&index->lmpasswd[7], index->second_half, 7);
index->lmdone = 1;
positive = 1;
}
}
index = index->next;
}
return(positive);
}
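/*
 * Tests brute_str against every sniffed Lanman challenge/response in the
 * list at head: the candidate's Lanman hash is zero-extended to the 21-byte
 * block E_P24 expects, combined with the entry's server challenge, and the
 * 24-byte result is compared with the captured response.
 *
 * head:      first entry; lmpasswd, lmhashb and lmdone are set on a hit.
 * brute_str: candidate password; 14 bytes of it are copied on a hit, so it
 *            must be at least 14 bytes long (zero-padded when shorter).
 * Returns 1 if any entry matched, else 0.
 */
int lm_check_sniff(struct user_struct *head, char *brute_str){
    struct user_struct *index;
    char pre_lmresp[21];
    char response[24];
    char full_lmhash[16];
    int positive = 0;

    /* The hash depends only on brute_str, so compute it once instead of once
     * per entry (full_lanman() does two DES key setups per call). */
    full_lanman(full_lmhash, brute_str);

    for (index = head; index != NULL; index = index->next) {
        /* rebuilt per entry in case E_P24 modifies its input block -- TODO confirm */
        memset(pre_lmresp, '\0', sizeof(pre_lmresp));
        memcpy(pre_lmresp, full_lmhash, sizeof(full_lmhash));
        E_P24(pre_lmresp, index->server_chall, response);
        if (memcmp(index->lmresp_b, response, sizeof(response)) == 0) {
            memcpy(index->lmpasswd, brute_str, 14);
            memcpy(index->lmhashb, full_lmhash, sizeof(full_lmhash));
            index->lmdone = 1;
            positive = 1;
        }
    }
    return positive;
}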
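/*
 * Tests a candidate NT hash against the sniffed NT challenge/response of the
 * entry head: the 16-byte hash is zero-extended to 21 bytes, combined with
 * the server challenge by E_P24, and compared with the captured response.
 *
 * NOTE(review): unlike lm_check_sniff() this checks only head itself, not
 * the rest of the list, although the parameter is named head; kept as-is
 * since callers may depend on it. Only nthashb and ntdone are set on a hit --
 * no password text is stored here.
 *
 * head:   entry to test; NULL is tolerated and yields 0.
 * nthash: candidate 16-byte NT hash (raw bytes).
 * Returns 1 on a match, else 0.
 */
int nt_check_sniff(struct user_struct *head, char *nthash){
    char pre_ntresp[21];
    char response[24];

    if (head == NULL)   /* previously dereferenced unconditionally */
        return 0;

    memset(pre_ntresp, '\0', sizeof(pre_ntresp));
    memcpy(pre_ntresp, nthash, 16);
    E_P24(pre_ntresp, head->server_chall, response);
    if (memcmp(head->ntresp_b, response, sizeof(response)) != 0)
        return 0;

    memcpy(head->nthashb, nthash, 16);
    head->ntdone = 1;
    return 1;
}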
/*
 * Byte-wise comparison of the first len bytes of one and two. Despite the
 * name this is the raw memcmp() result: 0 when the buffers are equal,
 * non-zero otherwise -- callers must test against 0, not for truth.
 */
int issame(char *one, char *two, int len){
    int diff = memcmp(one, two, (size_t)len);
    return diff;
}