
📄 decode_pptp.c

📁 一个网络工具包,可以嗅探email和http等数据包中的密码等信息.注意要先把libnet-1.0.2a.tar.gz和 libnids-1.16.tar.gz装上,不然会因为缺少库函数而无法编译和安
💻 C
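/*
  decode_pptp.c

  Microsoft PPTP MS-CHAP. Derived from Aleph One's anger.c.

  Copyright (c) 2000 Dug Song <dugsong@monkey.org>
  Copyright (c) 2000 Aleph One <aleph1@securityfocus.com>

  $Id: decode_pptp.c,v 1.3 2000/12/15 20:16:58 dugsong Exp $
*/

#include "config.h"

#include <sys/types.h>
#include <openssl/sha.h>
#include <stdio.h>
#include <string.h>

#include "buf.h"
#include "decode.h"

/* Enhanced GRE header as used by PPTP. seq and ack are optional on the wire. */
struct pptp_gre_header {
	u_char flags;		/* bitfield */
	u_char ver;		/* should be PPTP_GRE_VER (enhanced GRE) */
	u_short protocol;	/* should be PPTP_GRE_PROTO (ppp-encaps) */
	u_short payload_len;	/* size of ppp payload, not inc. gre header */
	u_short call_id;	/* peer's call_id for this session */
	u_int32_t seq;		/* sequence number.  Present if S==1 */
	u_int32_t ack;		/* seq number of highest packet received by */
				/*  sender in this session */
};

#define PPTP_GRE_PROTO	0x880B
#define PPTP_GRE_VER	0x1

#define PPTP_GRE_IS_C(f) ((f) & 0x80)
#define PPTP_GRE_IS_R(f) ((f) & 0x40)
#define PPTP_GRE_IS_K(f) ((f) & 0x20)
#define PPTP_GRE_IS_S(f) ((f) & 0x10)
/* Unlike the other flag macros, this one is applied to the ver byte below. */
#define PPTP_GRE_IS_A(f) ((f) & 0x80)

struct ppp_header {
	u_char address;
	u_char control;
	u_short proto;
};

#define PPP_PROTO_CHAP		0xc223

struct ppp_lcp_chap_header {
	u_char code;
	u_char ident;
	u_short length;
};

#define PPP_CHAP_CODE_CHALLENGE	1
#define PPP_CHAP_CODE_RESPONSE	2

struct ppp_chap_challenge {
	u_char size;
	union {
		u_char challenge_v1[8];
		u_char challenge_v2[16];
		struct {
			u_char lanman[24];
			u_char nt[24];
			u_char flag;
		} response_v1;
		struct {
			u_char peer_challenge[16];
			u_char reserved[8];
			u_char nt[24];
			u_char flag;
		} response_v2;
	} value;
	/* name */
};

/*
 * Offset of the peer name from the start of the CHAP header in a response:
 * 4-byte CHAP header + 1-byte value size + 49-byte response value.
 */
#define PPP_CHAP_RESPONSE_NAME_OFF	54

/* Last challenge seen; version is 0 (none), 1 (8 bytes) or 2 (16 bytes). */
struct challenge {
	u_char version;
	u_char challenge[16];
};

/*
 * Decode one PPTP (enhanced GRE) packet carrying PPP CHAP.
 *
 * A CHAP challenge is stored in a function-static slot; a later CHAP
 * response is formatted into obuf together with the stored challenge.
 *
 * buf/len:   packet bytes starting at the GRE header. The contents come
 *            off the network and are untrusted, so every field is checked
 *            against the validated payload length before it is read.
 * obuf/olen: output buffer handed to buf_init().
 *
 * Returns 0 when the packet is rejected, otherwise buf_len() of the
 * output buffer after buf_end().
 *
 * NOTE(review): the saved challenge is a single static slot with no
 * per-session key, so interleaved sessions can pair a response with the
 * wrong challenge, and the function is not reentrant.
 */
int
decode_pptp(u_char *buf, int len, u_char *obuf, int olen)
{
	static struct challenge save_challenge;
	struct buf outbuf;
	struct pptp_gre_header *pgh;
	struct ppp_header *ppp;
	struct ppp_lcp_chap_header *chap;
	struct ppp_chap_challenge *chapch;
	u_short proto;
	u_char *p, name[64], digest[SHA_DIGEST_LENGTH];
	SHA_CTX ctx;
	int i, pghlen, paylen, avail, datalen;

	buf_init(&outbuf, obuf, olen);

	if (len < (pghlen = sizeof(*pgh)))
		return (0);

	pgh = (struct pptp_gre_header *)buf;

	if ((pgh->ver & 0x7f) != PPTP_GRE_VER ||
	    ntohs(pgh->protocol) != PPTP_GRE_PROTO ||
	    PPTP_GRE_IS_C(pgh->flags) || PPTP_GRE_IS_R(pgh->flags) ||
	    PPTP_GRE_IS_K(pgh->flags) == 0 || (pgh->flags & 0xf) != 0) {
		return (0);
	}
	if (PPTP_GRE_IS_S(pgh->flags) == 0)
		return (0);

	/* Without the A bit the header on the wire has no ack field. */
	if (PPTP_GRE_IS_A(pgh->ver) == 0)
		pghlen -= sizeof(pgh->ack);

	paylen = ntohs(pgh->payload_len);
	if (len - pghlen < paylen)
		return (0);

	/*
	 * The payload starts after the header actually present. Using
	 * (pgh + 1) here would skip 4 payload bytes whenever ack is absent
	 * and read past the range validated above.
	 */
	ppp = (struct ppp_header *)(buf + pghlen);

	/* address and control (or a bare 2-byte protocol) must be present */
	if (paylen < (int)sizeof(proto))
		return (0);

	if (ppp->address != 0xff && ppp->control != 0x3) {
		/* address/control omitted: payload begins with the protocol */
		proto = pntohs(ppp);
		chap = (struct ppp_lcp_chap_header *)
			((u_char *)ppp + sizeof(proto));
	}
	else {
		if (paylen < (int)sizeof(*ppp))
			return (0);
		proto = ntohs(ppp->proto);
		chap = (struct ppp_lcp_chap_header *)(ppp + 1);
	}
	if (proto != PPP_PROTO_CHAP)
		return (0);

	/* avail: payload bytes from the CHAP header to the end of payload */
	avail = paylen - (int)((u_char *)chap - (u_char *)ppp);
	if (avail < (int)sizeof(*chap))
		return (0);
	/* datalen: payload bytes following the CHAP header */
	datalen = avail - (int)sizeof(*chap);

	switch (chap->code) {

	case PPP_CHAP_CODE_CHALLENGE:
		chapch = (struct ppp_chap_challenge *)(chap + 1);

		/* size byte plus the challenge itself must lie in the payload */
		if (datalen >= 1 + 8 && chapch->size == 8) {
			save_challenge.version = 1;
			memcpy(save_challenge.challenge,
			       chapch->value.challenge_v1, 8);
		}
		else if (datalen >= 1 + 16 && chapch->size == 16) {
			save_challenge.version = 2;
			memcpy(save_challenge.challenge,
			       chapch->value.challenge_v2, 16);
		}
		else save_challenge.version = 0;
		break;

	case PPP_CHAP_CODE_RESPONSE:
		if (save_challenge.version == 0)
			break;

		chapch = (struct ppp_chap_challenge *)(chap + 1);

		/*
		 * chap->length is attacker-controlled. A value below the fixed
		 * response size would make the name length negative and turn
		 * the memcpy below into a huge copy into name[]; a value above
		 * the real payload would read past the packet. Reject the
		 * former, clamp the latter.
		 */
		i = ntohs(chap->length) - PPP_CHAP_RESPONSE_NAME_OFF;
		if (i < 0 || avail < PPP_CHAP_RESPONSE_NAME_OFF)
			break;
		if (i > avail - PPP_CHAP_RESPONSE_NAME_OFF)
			i = avail - PPP_CHAP_RESPONSE_NAME_OFF;
		if (i > (int)sizeof(name) - 1)
			i = (int)sizeof(name) - 1;
		memcpy(name, (u_char *)chap + PPP_CHAP_RESPONSE_NAME_OFF, i);
		name[i] = '\0';

		buf_putf(&outbuf, "%s:0:", name);

		if (save_challenge.version == 1) {
			for (i = 0; i < 8; i++) {
				buf_putf(&outbuf, "%02X",
					 save_challenge.challenge[i]);
			}
			buf_put(&outbuf, ":", 1);

			for (i = 0; i < 24; i++) {
				buf_putf(&outbuf, "%02X",
					 chapch->value.response_v1.lanman[i]);
			}
			buf_put(&outbuf, ":", 1);

			for (i = 0; i < 24; i++) {
				buf_putf(&outbuf, "%02X",
					 chapch->value.response_v1.nt[i]);
			}
			buf_put(&outbuf, "\n", 1);
		}
		else if (save_challenge.version == 2) {
			chapch = (struct ppp_chap_challenge *)(chap + 1);

			/*
			 * NOTE(review): when a backslash is found, p still
			 * points at the backslash itself; confirm this is the
			 * intended input to the hash.
			 */
			if ((p = strchr(name, '\\')) == NULL)
				p = name;

			SHA1_Init(&ctx);
			SHA1_Update(&ctx, chapch->value.response_v2.peer_challenge, 16);
			SHA1_Update(&ctx, save_challenge.challenge, 16);
			SHA1_Update(&ctx, p, strlen(p));
			SHA1_Final(digest, &ctx);

			for (i = 0; i < 8; i++) {
				buf_putf(&outbuf, "%02X", digest[i]);
			}
			buf_putf(&outbuf, ":000000000000000000000000000000000000000000000000:");

			for (i = 0; i < 24; i++) {
				buf_putf(&outbuf, "%02X",
					 chapch->value.response_v2.nt[i]);
			}
			buf_put(&outbuf, "\n", 1);

			/* a v2 challenge is consumed by the first response */
			save_challenge.version = 0;
		}
		break;
	}
	buf_end(&outbuf);

	return (buf_len(&outbuf));
}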
