kerberos_func.inc

漏洞扫描源码,可以扫描linux,windows,交换机路由器

#TRUSTED 1252e0b870699021bd0f2122ee6adefc1a49952697bc923106d1643bca12a66cbf132e0656dc25f05c3f0abbb0dc788110238af2579761346853356a6a33ae8c0cf0f8d32b63a2a4bb46cb880314b599be83a6a7c5e62eaf7fdcf1f4f72cf45f5dc8f36d8bc0f12eabd95856aecf61d779e1594017b9968cdec10d763cc0268d8eabfa5f69b61de76ffdc845f83ac89cd2e89a1599db0ed2a900d327af8c99daec3268be255ca8af6a7f5138f601798952a656735b19a3c44dbf3d34c908e7d9c92273c0d42bb661802a2f297fe5a71a27da3c2c004f92a04df4602e52621d10d790fe073581734d185cd75fe6bdac200b3171829aee6d05ee8a7502deae9bb46a2832debfbb93925dae5471f345c9c50b1b4cde3003acc39bfa628fb35f8c64b15faf604a404ddc950b268c40ed6585ac635b121bb9f9287fe13e7ee939646bca79f4db518dfcc3a14ff905354abb34dbe35141861bab2450f5a2dee0e968a96e07ce2b3e554ac771a926d84e51635c56968c9afee3bec0f54edccdfdf72ec1e453a9dfff6d9939e4605ec7f1b284ffb16c8ca99a96a9164daa15d0c95564fd9c16f21cd31493b1455dd1ba3c053094ec8ec70b7eeb5cdd19607a5eb816d6d4b0197a491079a31a18d2ac2ed88e26308f668c8f21f0f97d3d849d13914237463b36f34ea9d68ce679706e802e4eb0f3d3634efd3045617fa52f70a68593b34b
# -*- Fundamental -*-
#
# 
# (C) 2005 Tenable Network Security
#
# This script is released under one of the Tenable Script Licenses and may not
# be used from within scripts released under another license without the
# authorization from Tenable Network Security Inc.
#
# See the following licenses for details :
#  http://www.nessus.org/plugins/RegisteredFeed.pdf
#  http://www.nessus.org/plugins/TenableCommercial.pdf
#  http://www.nessus.org/plugins/DirectFeed.pdf
#  http://www.nessus.org/plugins/DirectFeedCommercial.pdf
#
# @NOGPL@
#
# kerberos_func.inc 
#

include ('crypto_func.inc');


#---------------------------------------------------------#
# Function    : raw_byte                                  #
# Description : Convert a byte to raw data                #
#---------------------------------------------------------#

function raw_byte (b)
{
 return raw_string (b);
}


#---------------------------------------------------------#
# Function    : raw_word                                  #
# Description : Convert a word to raw data                #
#---------------------------------------------------------#

function raw_word (w)
{
 return raw_string ( (w)     & 255,
                     (w>>8)  & 255 );
}


#---------------------------------------------------------#
# Function    : raw_dword                                 #
# Description : Convert a dword to raw data               #
#---------------------------------------------------------#

function raw_dword (d)
{
 return raw_string ( (d)     & 255,
                     (d>>8)  & 255,
                     (d>>16) & 255,
                     (d>>24) & 255 );
}


#---------------------------------------------------------#
# Function    : get_byte                                  #
# Description : Extract a byte from a blob                #
#---------------------------------------------------------#

function get_byte (blob,pos)
{
 if (pos > (strlen (blob) - 1))
   return NULL;

 return ( ord(blob[pos]) );
}


#---------------------------------------------------------#
# Function    : get_word                                  #
# Description : Extract a word from a blob                #
#---------------------------------------------------------#

function get_word (blob,pos)
{
 if (pos > (strlen (blob) - 2))
   return NULL;

 return ( ord(blob[pos]) + (ord(blob[pos+1]) << 8) );
}


#---------------------------------------------------------#
# Function    : get_dword                                 #
# Description : Extract a dword from a blob               #
#---------------------------------------------------------#

function get_dword (blob, pos)
{
 if (pos > (strlen (blob) - 4))
   return NULL;

 return ( ord(blob[pos]) + 
          (ord(blob[pos+1]) << 8) +
          (ord(blob[pos+2]) << 16) +
          (ord(blob[pos+3]) << 24) );
}


#---------------------------------------------------------#
# Function    : get_checksum_type                         #
# Description : return checksum type                      #
#---------------------------------------------------------#

function get_checksum_type (enc_type)
{
 if (enc_type == 23)
   return -138;
 if (enc_type == 3)
   return 8;

 return 0;
}


#---------------------------------------------------------#
# Function    : supported_encryption_type                 #
# Description : check if encryption type is supported     #
#---------------------------------------------------------#

function supported_encryption_type (type)
{
 if ((type != 23) && # arcfour
     (type != 3)) # des-cbc-md5
   return FALSE;
 
 return TRUE;
}


#---------------------------------------------------------#
# Function    : kerberos_checksum                         #
# Description : checksum data                             #
#---------------------------------------------------------#

function kerberos_checksum (key, type, data, real_key, enc_type, realm, principal)
{
 local_var enckey;

 if (enc_type == 23)
   return rc4_hmac_checksum (key:key, type:type, data:data, real_key:real_key);
 if (enc_type == 3)
 {
  if (real_key == FALSE)
  {
    enckey = des_cbc_string_to_key (_string:key, salt:realm+principal);
  }
  else
    enckey = key;

  return des_cbc_md5_checksum (data:data, key:enckey);
 }

 return NULL;
}


#---------------------------------------------------------#
# Function    : kerberos_decrypt                          #
# Description : decrypt data                              #
#---------------------------------------------------------#

function kerberos_decrypt (key, type, data, real_key, enc_type, realm, principal)
{
 local_var enckey;

 if (enc_type == 23)
   return rc4_hmac_decrypt (key:key, type:type, data:data, real_key:real_key);
 if (enc_type == 3)
 {
  if (real_key == FALSE)
  {
    enckey = des_cbc_string_to_key (_string:key, salt:realm+principal);
  }
  else
    enckey = key;

  return des_cbc_md5_decrypt (data:data, key:enckey);
 }

 return NULL;
}


#---------------------------------------------------------#
# Function    : kerberos_encrypt                          #
# Description : encrypt data                              #
#---------------------------------------------------------#

function kerberos_encrypt (key, type, data, real_key, enc_type, realm, principal)
{
 local_var enckey;

 if (enc_type == 23)
   return rc4_hmac_encrypt (key:key, type:type, data:data, real_key:real_key);
 if (enc_type == 3)
 {
  if (real_key == FALSE)
    enckey = des_cbc_string_to_key (_string:key, salt:realm+principal);
  else
    enckey = key;

  return des_cbc_md5_encrypt (data:data, key:enckey);
 }

 return NULL;
}


#---------------------------------------------------------#
# Function    : der_length                                #
# Description : return raw der length of data             #
#---------------------------------------------------------#

function der_length (data)
{
 local_var tmp, length, len;

 length = NULL;
 len = strlen (data);

 if (len == 0)
   return raw_string(0);

 while (len != 0)
 {
  length = raw_string (len % 256) + length;
  len = len / 256;
 }
 
 if ((strlen (length) > 1) || ((strlen(length) == 1) && (ord(length[0]) > 127)))
   length = raw_string (128 + strlen (length)) + length;

 return length;
}


#---------------------------------------------------------#
# Function    : der_encode                                #
# Description : Return der encoded data                   #
#---------------------------------------------------------#

function der_encode (tag,data)
{
 if (isnull (data))
   return NULL;

 return raw_string (tag) + der_length(data:data) + data;
}


function integer (i)
{
 local_var j,k;

 j = 0;

 for (k=0; k < strlen(i); k++)
 {
  j = j * 256 + ord(i[k]);
 }
 
 return j;
}


#---------------------------------------------------------#
# Function    : der_decode                                #
# Description : Return der decoded data                   #
#               [0] = code                                #
#               [1] = data                                #
#               [2] = next pos in buffer                  #
#---------------------------------------------------------#

function der_decode (data, pos)
{
 local_var tmp, i, j, len, len2;

 if (isnull (data))
   return NULL;
 
 if (isnull (pos))
   j = 0;
 else
   j = pos;

 if (strlen(data) - j  < 2)
   return NULL;

 tmp[0] = ord(data[j]);
 j++;
 
 len = ord(data[j]);
 j++;
 
 if (len > 127)
 {
  len -= 128;
  if (strlen(data) - j < len)
    return NULL;

  len2 = integer (i:substr (data, j, j + len - 1));
  j += len;
  len = len2;
 }
 
 if (strlen(data) - j < len)
   return NULL;

 tmp[1] = substr(data,j,j+len-1);
 tmp[2] = j + len;

 return tmp;
}


#---------------------------------------------------------#
# Function    : der_encode_oid                            #
# Description : Return der encoded OID (string)           #
#               ex: "1.2.840.113554.1.2.2"                #
#---------------------------------------------------------#

function der_encode_oid (oid)
{
 local_var nums, num, enum, i, max, encoded;

 if (isnull (oid))
   return NULL;

 nums = split (oid, sep:".", keep:0);
 
 max = max_index (nums);
 if (max < 2)
   return NULL;

 # value1 x 40 + value2
 encoded = raw_string (40*int(nums[0]) + int(nums[1]));
 
 for (i=2; i < max; i++)
 {
  num = int(nums[i]);
  enum = raw_string (num % 128);
  num = num / 128;
  while (num != 0)
  {
   enum = raw_string (128 + (num%128)) + enum;
   num = num / 128;
  }
  encoded += enum;
 }
 
 # OID Tag = 0x06
 return der_encode (tag:0x06, data:encoded);
}


#---------------------------------------------------------#
# Function    : der_decode_oid                            #
# Description : Return OID (string)                       #
#               ex: "1.2.840.113554.1.2.2"                #
#---------------------------------------------------------#

function der_decode_oid (oid)
{
 local_var soid, i, val;

 if (strlen (oid) < 1)
   return NULL;

 soid = string (ord (oid[0]) / 40, ".", ord (oid[0]) % 40);

 for (i = 1; i < strlen(oid); i++)
 {
  val = 0;
  while (ord(oid[i]) >= 128)
  {
   val = ((ord(oid[i]) - 128) + val) * 128;
   i++;
  }
  val += ord (oid[i]);
  soid += string (".",val);
 }
 
 return soid;
}


#---------------------------------------------------------#
# Function    : der_encode_int                            #
# Description : Return der encoded INTEGER                #
#---------------------------------------------------------#

function der_encode_int (i)
{
 local_var val,j,tmp;

 if (isnull (i))
   return NULL;

 val[0] = i & 255;
 val[1] = (i>>8)  & 255;
# val[2] = (i>>16) & 255;
# val[3] = (i>>24) & 255;

 j = 3;
 while ((val[j] == 0) && (j != 0))
   j--;

 tmp = NULL;
 while (j != 0)
 {
  tmp += raw_string (val[j]);
  j--;
 }

 tmp += raw_string (val[j]);
 
 return der_encode (tag:0x02, data:tmp);
}


#---------------------------------------------------------#
# Function    : der_encode_int32                          #
# Description : Return der encoded INTEGER                #
#---------------------------------------------------------#

function der_encode_int32 (i)
{
 local_var tmp;

 if (isnull (i))
   return NULL;

 tmp = raw_string ((i>>24) & 255,
                   (i>>16) & 255,
                   (i>>8)  & 255,
                   i & 255);

 return der_encode (tag:0x02, data:tmp);
}


#---------------------------------------------------------#
# Function    : der_encode_string                         #
# Description : Return der encoded STRING                 #
#---------------------------------------------------------#

function der_encode_string (string)
{
 if (isnull (string))
   return NULL;
   
 return der_encode (tag:0x1B, data:string);
}


#---------------------------------------------------------#
# Function    : der_encode_sequence                       #
# Description : Return der encoded SEQUENCE               #
#---------------------------------------------------------#


function der_encode_sequence (seq)
{
 local_var encoded, max, i, j, val;

 if (isnull (seq))
   return NULL;
   
 max = max_index (seq);
 if (max == 0)
   return NULL;

 i = 0xA0;
 
 encoded = NULL;
 
 for (j=0; j < max; j++)
 {
  val = seq[j];
  if (!isnull(val))
  {
    encoded += der_encode (tag:i, data:val);
  }
  i++;
 }

 # SEQUENCE Tag = 0x30
 return der_encode (tag:0x30, data:encoded); 
}


#---------------------------------------------------------#
# Function    : der_encode_name                           #
# Description : Return type/name                          #
#---------------------------------------------------------#
#                                                         #
# PrincipalName ::= SEQUENCE {                            #
#   name-type[0]     INTEGER,                             #
#   name-string[1]   SEQUENCE OF GeneralString            #
# }                                                       #
#                                                         #
#---------------------------------------------------------#

function der_encode_name (type, name1, name2)
{
 local_var list, names;

 if (isnull (name1) && isnull (name2))
   return NULL;
   
 list = NULL;
 
 names = der_encode_string (string:name1);
 names += der_encode_string (string:name2);
 
 list[0] = der_encode_int (i:type);
 list[1] = der_encode_list (list:names);

 return der_encode_sequence (seq:list); 
}