NTLM挑战模式散列认证加密协议过程，算法实现与一些想法

转摘请注明作者和安全焦点

作者：FLASHSKY

SITE：WWW.XFOCUS.NET，WWW.SHOPSKY.COM

邮件：flashsky@xfocus.org

作者单位：启明星辰积极防御实验室

说明：

本来先从看见小四的《LM/NTLM验证机制》就没准备发的，但是从如下几点考虑还是发：

1。给出完全的算法实现代码

2。小四的关于NTLM，LM的过程针对返回会话KEY的有效，针对完全挑战模式下说明并非完全

3。一些新的思路和思考

4。安全BLOB的结构说明

一：NTLM认证算法过程

  1。客户端申请挑战

   安全BLOB的结构如下：

  {

    CHAR DESC[8]=“NTLMSSP”；

    DWORD NO=1；    //顺序号

    DWORD FLAG；    

    WORD DOMAINNAMELEN；  //域名长度

    WORD DOMAINNAMEMAXLEN；//域名最大长度

    DWORD DOMAINNAMEOFFSET；//域名便移

    WORD HOSTNAMELEN；  //主机名长度

    WORD HOSTNAMEMAXLEN；  //主机名最大长度

    DWORD HOSTNAMEOFFSET；  //主机名便移

    CHAR HOSTNAME[HOSTNAMELEN]；//主机名

    CHAR DOMAINNAME[DOMAINNAMELEN]；//域名

  }

   2。服务器返回挑战，这个挑战是一个8字节的随机数  

   安全BLOB的结构如下：

  {

    CHAR DESC[8]=“NTLMSSP”；

    DWORD NO=2；    //顺序号，必须为2

    WORD DOMAINNAMELEN；  //帐户域名长度

    WORD DOMAINNAMEMAXLEN；  //帐户域名最大长度

    DWORD DOMAINNAMEOFFSET；////帐户域名偏移

    DWORD FLAG；

    BYTE CHALLAGE[8]；  //8字节挑战

    BYTE RE[8]；    //保留8字节，必须为0

    WORD HOSTNAMELISTLEN； //主机名列表长度

    WORD HOSTNAMELISTMAXLEN；//主机名列表最大长度

    DWORD HOSTNAMELISTOFFSET；//主机名列表偏移

    CHAR DOMAINNAME[DOMAINNAMELEN]；

    CHAR HOSTLISTNAME[HOSTNAMELISTLEN]；

    //这里是多个结构组成

    //每个结构如下：

    //WORD ITEMNO；索引

    //WORD HOSTNAMELEN；主机名长度

    //BYTE HOSTNAME[HOSTNAMELEN]：主机名

  }

  3。客户端加密密码散列

  其实这个过程还是很复杂的

  如果是明文口令，先将此口令转化成散列，如果是系统用户则直接根据令牌从SESSION表中取出散列。

  这下面就是小四的文章中没提到的过程

  客户端先生成一个随机KEY，然后和服务器端的挑战使用MD5算法生成16字节的散列，但MS只取前8字节做为加密KEY，其实后面的散列加密并非是使用挑战直接加密的，而是

使用此加密KEY进行加密的。

    这个算法的代码如下：romkey就是客户端生成的一个随机KEY，challage就是服务器挑战

void challagetorkey(unsigned char * romkey,unsigned char * challage,unsigned char * enkey)

{

  unsigned char LM[0x58];

  md5init(LM);

  *(DWORD *)LM=0x200;

  memcpy(LM+0X18,challage,8);

  memcpy(LM+0X20,romkey,8);

  *(DWORD *)(LM+0x28)=0x80;

  *(DWORD *)(LM+0x50)=0x80;

  md5final(LM);

  memcpy(enkey,LM+8,8);

}

  然后再使用生成的加密KEY加密MD4生成的NTLM散列，具体的过程在下四的文章中有详细介绍，这里就不再讲了，后面给出了完全实现的代码。

  同时还会先选择一个RC4的KEY，对MD4生成的NTLM散列用MD4再生成一个散列，再用HMACMD5算法，加密KEY，这个散列计算出一个0X10字节的散

列，用此散列和rc4_key函数生成rc4的key表，最后用这个KEY表和先选择的RC4的KEY生成一个0X10字节的RC的结果出来。

  但要注意的是：通常情况下，这个RC4的结果并没用于认证。

  安全BLOB的结构如下：

  {

    CHAR DESC[8]=“NTLMSSP”；

    DWORD NO=3；    //顺序号，必须为3

    WORD RANDOMKEYLEN；  //客户端随机KEY长度，固定为0X18

    WORD RANDOMKEYMAXLEN；  //客户端随机KEY最大长度，固定为0X18

    //其实客户端随机KEY只有8字节，但是后面补0添满0X18字节

    DWORD RANDOMKEYOFFSET；////客户端随机KEY偏移

    WORD ENNTLMLEN；  //加密的NTLM散列长度，固定为0X18

    WORD ENNTLMMAXLEN；  //加密的NTLM散列最大长度，固定为0X18

    DWORD ENNTLMOFFSET；  //加密的NTLM散列偏移

    WORD HOSTNAMELEN； //主机名长度

    WORD HOSTNAMEMAXLEN；//主机名最大长度

    DWORD HOSTNAMEOFFSET；//主机名偏移

    WORD USERNAMELEN； //用户名长度

    WORD USERNAMEMAXLEN；//用户名最大长度

    DWORD USERNAMEOFFSET；//用户名偏移

    WORD USERDOMAINLEN； //帐户域名长度

    WORD USERDOMAINMAXLEN；//帐户域名最大长度

    DWORD USERDOMAINOFFSET；//帐户域名偏移

    WORD ENNTLMRC4LEN；  //加密的RC4 NTLM散列长度，固定为0X10

    WORD ENNTLMRC4MAXLEN；  //加密的RC4 NTLM散列最大长度，固定为0X10

    DWORD ENNTLMRC4OFFSET；  //加密的RC4 NTLM散列偏移

    DWORD FLAG；

    CHAR HOSTNAME[HOSTNAMELEN]；//主机名

    CHAR USERNAME[HOSTNAMELEN]；//用户名

    CHAR USERDOMAINNAME[HOSTNAMELEN]；//帐户域名

    RANDOMKEY[0X18]；//其实客户端随机KEY只有8字节，但是后面补0添满0X18字节

    ENNTLM[0X18]；

    ENRC4NTLM[0X10]；

  }

  4。服务器认证

   服务器获得客户端随即KEY以后，也和挑战运算获得此加密KEY，然后计算加密的NTLM散列做对比进行判断。

  5。一些思考

  主要是关于重放攻击的，其实真正的加密KEY是挑战和客户端随机KEY做MD5运算的结果，那么如果我们嗅探出了一个挑战，随机KEY就

能计算出加密KEY，如果我们发起一个请求获得一个挑战2，如果能计算一个随即KEY2（这个可由我们自己控制），满足MD5（挑战2，随即KEY2）

=加密KEY，那么我们就能发送我们修探获得的安全BLOB中的加密散列的内容来获得认证。

    当然MD5的算法本事就是要防碰撞的，但是在MS的SMB实现中，由于MD5生成的是16字节的散列，但是用来做加密KEY的只是前8个字节，那

么对于寻找只满足部分（前8字节）碰撞的算法复杂度就会大大的降低，当然我们在MD5中唯一能控制的东西就是随即KEY，但是挑战KEY已知，其实

针对加密算发是常量（因为加密内容固定为0X1O字节，其他的内容可以常量），应该来说还是很有希望的。不过就我的数学水平而已，尝试了

一下就被难到了，希望对MD5碰撞有研究的人给予指教。下面就是给出的一个针对其挑战，随即KEY到加密KEY的替代函数：

void challagetorkey(unsigned long c1,unsigned long c2,unsigned long r1,unsigned long r2)

{

//我们把挑战看做2个unsigned long的数C1,C2，客户端随即KEY也看做2个unsigned long的数R1,R2

//最后生成的是B1，D1，S1，D2，但其实用做加密KEY的只是B1，D1而已

//如果我们知道B1，D1，C1，C2，是否能找过一个R1，R2，使得满足这个函数呢？

//按照概率是针对每个B1，D1都有可能找到对应的R1，R2，因为MD5的算发要求是每个字节的变化都应该平均分布的

//我们可控的是256的8次方，结果也是256的8次方

//即使不是完全平均分布的，在测试100个挑战中总会有满足的吧？

//而算法复杂度对于16字节的256的16次方应该降低了不少

//那么再退一步说，如果我们知道B1，D1，C1，C2，R1，如果能解出R2也行，我们对R1实行穷举

//R1是256的4次方，4亿左右的穷举对现在的机器不应该是负担吧？当然真正实现工具由于认证要求，可能要求在10分钟以内

//但是如果我们在2天内能找到结果，也能说明很多问题

  DWORD a1,d1,d2,s1;

  DWORD b1;

  b1=(((0x10325476^0x98badcfe)&0xefcdab89)^0x10325476)+c1;

  b1=b1+0x67452301+0xd76aa478;

  b1=((b1<<0x7)|(b1>>0x19))+0xefcdab89;

  //第一轮

  a1=(((0x98badcfe^0xefcdab89)&b1)^0x98badcfe)+0xe8c7b756;

  d2=0x10325476+c2+a1;

  d2=((d2<<0xc)|(d2>>0x14))+b1;

  a1=(((0xefcdab89^b1)&d2)^0xefcdab89)+0x242070db;

  s1=0x98badcfe+r1+a1;

  s1=((s1<<0x11)|(s1>>0xf))+d2;

  a1=(((d2^b1)&s1)^b1)+0xc1bdceee;

  d1=0xefcdab89+r2+a1;

  d1=((d1<<0x16)|(d1>>0xa))+s1;

  a1=(((d2^s1)&d1)^d2)+0xf57c0faf;

  b1=b1+0x80+a1;

  b1=((b1<<0x7)|(b1>>0x19))+d1;

  a1=(((s1^d1)&b1)^s1)+0x4787C62A;

  d2=d2+a1;

  d2=((d2<<0xc)|(d2>>0x14))+b1;  

  a1=(((d1^b1)&d2)^d1)+0xA8304613;

  s1=s1+a1;

  s1=((s1<<0x11)|(s1>>0xf))+d2;  

  a1=(((d2^b1)&s1)^b1)+0xFD469501;

  d1=d1+a1;

  d1=((d1<<0x16)|(d1>>0xa))+s1;  

  a1=(((d2^s1)&d1)^d2)+0x698098D8;

  b1=b1+a1;

  b1=((b1<<0x7)|(b1>>0x19))+d1;

  a1=(((s1^d1)&b1)^s1)+0x8B44F7AF;

  d2=d2+a1;

  d2=((d2<<0xc)|(d2>>0x14))+b1;

  a1=(((d1^b1)&d2)^d1)+0xFFFF5BB1;

  s1=s1+a1;

  s1=((s1<<0x11)|(s1>>0xf))+d2;

  a1=(((d2^b1)&s1)^b1)+0x895CD7BE;

  d1=d1+a1;

  d1=((d1<<0x16)|(d1>>0xa))+s1;

  a1=(((d2^s1)&d1)^d2)+0x6B901122;

  b1=b1+a1;

  b1=((b1<<0x7)|(b1>>0x19))+d1;

  a1=(((s1^d1)&b1)^s1)+0xFD987193;

  d2=d2+a1;

  d2=((d2<<0xc)|(d2>>0x14))+b1;

  a1=(((d1^b1)&d2)^d1)+0xA679438E;

  s1=s1+0x80+a1;

  s1=((s1<<0x11)|(s1>>0xf))+d2;

  a1=(((d2^b1)&s1)^b1)+0x49B40821;

  d1=d1+a1;

  d1=((d1<<0x16)|(d1>>0xa))+s1;

  //第二轮

  a1=(((s1^d1)&d2)^s1)+0xF61E2562;

  b1=b1+c2+a1;

  b1=((b1<<0x5)|(b1>>0x1b))+d1;

  a1=(((d1^b1)&s1)^d1)+0xC040B340;

  d2=d2+a1;

  d2=((d2<<0x9)|(d2>>0x17))+b1;

  a1=(((d2^b1)&d1)^b1)+0x265E5A51;

  s1=s1+a1;

  s1=((s1<<0xe)|(s1>>0x12))+d2;

  a1=(((d2^s1)&b1)^d2)+0xE9B6C7AA;

  d1=d1+c1+a1;

  d1=((d1<<0x14)|(d1>>0xc))+s1;

  a1=(((s1^d1)&d2)^s1)+0xD62F105D;

  b1=b1+a1;

  b1=((b1<<0x5)|(b1>>0x1b))+d1;

  a1=(((d1^b1)&s1)^d1)+0x2441453;

  d2=d2+a1;

  d2=((d2<<0x9)|(d2>>0x17))+b1;

  a1=(((d2^b1)&d1)^b1)+0xD8A1E681;

  s1=s1+a1;

  s1=((s1<<0xe)|(s1>>0x12))+d2;

  a1=(((d2^s1)&b1)^d2)+0xE7D3FBC8;

  d1=d1+0x80+a1;

  d1=((d1<<0x14)|(d1>>0xc))+s1;

  a1=(((s1^d1)&d2)^s1)+0x21E1CDE6;

  b1=b1+a1;

  b1=((b1<<0x5)|(b1>>0x1b))+d1;

  a1=(((d1^b1)&s1)^d1)+0xC33707D6;

  d2=d2+0x80+a1;

  d2=((d2<<0x9)|(d2>>0x17))+b1;

  a1=(((d2^b1)&d1)^b1)+0xF4D50D87;

  s1=s1+r2+a1;

  s1=((s1<<0xe)|(s1>>0x12))+d2;

  a1=(((d2^s1)&b1)^d2)+0x455A14ED;

  d1=d1+a1;

  d1=((d1<<0x14)|(d1>>0xc))+s1;

  a1=(((s1^d1)&d2)^s1)+0xA9E3E905;

  b1=b1+a1;

  b1=((b1<<0x5)|(b1>>0x1b))+d1;

  a1=(((d1^b1)&s1)^d1)+0xFCEFA3F8;

  d2=d2+r1+a1;

  d2=((d2<<0x9)|(d2>>0x17))+b1;

  a1=(((d2^b1)&d1)^b1)+0x676F02D9;

  s1=s1+a1;

  s1=((s1<<0xe)|(s1>>0x12))+d2;

  a1=(((d2^s1)&b1)^d2)+0x8D2A4C8A;

  d1=d1+a1;

  d1=((d1<<0x14)|(d1>>0xc))+s1;

  //第三轮

  a1=((d2^s1)^d1)+0xFFFA3942;

  b1=b1+a1;

  b1=((b1<<0x4)|(b1>>0x1c))+d1;

  a1=((s1^d1)^b1)+0x8771F681;

  d2=d2+a1;

  d2=((d2<<0xb)|(d2>>0x15))+b1;

  a1=(d2^d1)^b1;

  s1=s1+0x6D9D6122+a1;

  s1=((s1<<0x10)|(s1>>0x10))+d2;

  a1=d2^s1;

  d1=d1+0x80+0xFDE5380C+(b1^a1);

  d1=((d1<<0x17)|(d1>>0x9))+s1;

  b1=b1+c2+0xA4BEEA44+(d1^a1);

  b1=((b1<<0x4)|(b1>>0x1c))+d1;

  a1=((s1^d1)^b1)+0x4BDECFA9;

  d2=d2+0x80+a1;

  d2=((d2<<0xb)|(d2>>0x15))+b1;

  a1=(d2^d1)^b1;

  s1=s1+0xF6BB4B60+a1;

  s1=((s1<<0x10)|(s1>>0x10))+d2;

  a1=(d2^s1);

  d1=d1+0xBEBFBC70+(b1^a1);

  d1=((d1<<0x17)|(d1>>0x9))+s1;

  b1=b1+0x289B7EC6+(d1^a1);

  b1=((b1<<0x4)|(b1>>0x1c))+d1;

  a1=((s1^d1)^b1)+0xEAA127FA;

  d2=d2+c1+a1;

  d2=((d2<<0xb)|(d2>>0x15))+b1;

  a1=(d2^d1)^b1;

  s1=s1+r2+0xD4EF3085+a1;

  s1=((s1<<0x10)|(s1>>0x10))+d2;

  a1=d2^s1;

  d1=d1+0x4881D05+(b1^a1);

  d1=((d1<<0x17)|(d1>>0x9))+s1;

  a1=d1^a1;  

  b1=b1+a1+0xD9D4D039;

  b1=((b1<<0x4)|(b1>>0x1c))+d1;

  a1=((s1^d1)^b1)+0xE6DB99E5;

  d2=d2+a1;

  d2=((d2<<0xb)|(d2>>0x15))+b1;

  a1=((d2^d1)^b1);

  s1=s1+0x1FA27CF8+a1;

  s1=((s1<<0x10)|(s1>>0x10))+d2;

  a1=((d2^s1)^b1);

  d1=d1+r1+0xC4AC5665+a1;

  d1=((d1<<0x17)|(d1>>0x9))+s1;

  //第4轮

  a1=(((d2^0xFFFFFFFF)|d1)^s1)+0xF4292244;

  b1=b1+c1+a1;

  b1=((b1<<0x6)|(b1>>0x1a))+d1;

  a1=(((s1^0xFFFFFFFF)|b1)^d1)+0x432AFF97;

  d2=d2+a1;

  d2=((d2<<0xa)|(d2>>0x16))+b1;

  a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xAB9423A7;

  s1=s1+0x80+a1;

  s1=((s1<<0xf)|(s1>>0x11))+d2;

  a1=(((b1^0xFFFFFFFF)|s1)^d2);

  d1=d1+0xFC93A039+a1;

  d1=((d1<<0x15)|(d1>>0xb))+s1;

  a1=(((d2^0xFFFFFFFF)|d1)^s1)+0x655B59C3;

  b1=b1+a1;

  b1=((b1<<0x6)|(b1>>0x1a))+d1;

  a1=(((s1^0xFFFFFFFF)|b1)^d1)+0x8F0CCC92;

  d2=d2+r2+a1;

  d2=((d2<<0xa)|(d2>>0x16))+b1;

  a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xFFEFF47D;

  s1=s1+a1;

  s1=((s1<<0xf)|(s1>>0x11))+d2;

  a1=(((b1^0xFFFFFFFF)|s1)^d2)+0x85845DD1;

  d1=d1+c2+a1;

  d1=((d1<<0x15)|(d1>>0xb))+s1;

  a1=(((d2^0xFFFFFFFF)|d1)^s1)+0x6FA87E4F;

  b1=b1+a1;

  b1=((b1<<0x6)|(b1>>0x1a))+d1;

  a1=(((s1^0xFFFFFFFF)|b1)^d1)+0xFE2CE6E0;

  d2=d2+a1;

  d2=((d2<<0xa)|(d2>>0x16))+b1;

  a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xA3014314;

  s1=s1+a1;

  s1=((s1<<0xf)|(s1>>0x11))+d2;

  a1=(((b1^0xFFFFFFFF)|s1)^d2)+0x4E0811A1;

  d1=d1+a1;

  d1=((d1<<0x15)|(d1>>0xb))+s1;

  a1=(((d2^0xFFFFFFFF)|d1)^s1)+0xF7537E82;

  b1=b1+0x80+a1;

  b1=((b1<<0x6)|(b1>>0x1a))+d1;

  a1=(((s1^0xFFFFFFFF)|b1)^d1)+0xBD3AF235;

  d2=d2+a1;

  d2=((d2<<0xa)|(d2>>0x16))+b1;

  a1=(((d1^0xFFFFFFFF)|d2)^b1)+0x2AD7D2BB;

  s1=s1+r1+a1;

  s1=((s1<<0xf)|(s1>>0x11))+d2;

  a1=(((b1^0xFFFFFFFF)|s1)^d2)+0xEB86D391;

  d1=d1+a1;

  d1=((d1<<0x15)|(d1>>0xb))+s1;

  b1=b1+0x67452301;

  d1=d1+0xefcdab89;

  s1=s1+0x98badcfe;

  d2=d2+0x10325476;

}

  6。实现代码的说明

这个代码是完全在TCP只上实现NTLM挑战认证的，密码的计算不调用任何加密的API。

如果知道散列也可以去掉口令到散列的部分直接使用散列进行处理。

#include <stdio.h>

#include <winsock2.h>

#include <windows.h>

#include <wincrypt.h>

#include <process.h>

#include <string.h>

#include <winbase.h>

# include <wincrypt.h>

#define SECURITY_WIN32

# include <Security.h>

# include <Ntsecapi.h>

# include "smb.h"

void SmbNegotiate(SMBP * psmbp);

void SmbSessionSetupAndX1(SMBP * psmbp);

void SmbSessionSetupAndX2(SMBP * psmbp,wchar_t * username,wchar_t * domainname,wchar_t * password);

void deskey(char * LmPass,unsigned char * desecb);

void passtoowf(wchar_t * password,unsigned char * paswdowf);

void initLMP(char * pass,unsigned char * LM);

void deskey(char * LmPass,unsigned char * desecb);

void des(unsigned char * LM,char * magic,unsigned char * ecb,long no);

void md4init(unsigned char * LM);

void md4(unsigned char * LM);

void md5init(unsigned char * LM);

void md5final(unsigned char * LM);

void initMDP(PLSA_UNICODE_STRING pass,unsigned char * LM);

void hashtocread(unsigned char * enkey,unsigned char * hash,unsigned char * cread);

void challagetorkey(unsigned char * romkey,unsigned char * challage,unsigned char * enkey);

void hmacmd5(unsigned char * rc4key,unsigned char * enkey);

void rc4_key(unsigned char * rc4keylist,unsigned char * rc4key,int keylen);

typedef DWORD (CALLBACK* RTLUPCASEUNICODESTRINGTOOEMSTRING)(PLSA_UNICODE_STRING, PLSA_UNICODE_STRING, DWORD);

RTLUPCASEUNICODESTRINGTOOEMSTRING RtlUpcaseUnicodeStringToOemString;

typedef struct _SMBNBT

{

  unsigned char nbtsmb;

  unsigned char flag;

  short smbpacketlen;

}SMBNBT,* PSMBNBT;

typedef struct _SMBINFO

{

  unsigned char magic[4];

  BYTE smbtoken;

  BYTE errcodeclass;

  BYTE dosaherrcode;

  unsigned char errcode[2];

  BYTE flagsummary;

  short flagsummary2;

  short unuse[6];

  short treeid;

  short callprocessid;

  short userid;

  short multiplexid;

  unsigned char info[2048];

}SMBINFO,* PSMBINFO;

typedef struct _SMBP

{

  SMBNBT smbnbt;

  SMBINFO smbinfo;

}SMBP,* PSMBP;

wchar_t navos[]=L"windows 2000 2195";

wchar_t lanman[]=L"windows 2000 5.0";

unsigned char challage[8]={0x53,0xe6,0x97,0x53,0xfb,0x97,0x7c,0x19};

unsigned char romkey[8]={0xc7,0x91,0xdd,0xe8,0x5c,0xcd,0xc8,0xde};

unsigned char DESParity[]={0,1,1,2,1,2,2,3,1,2,2,3,2,3,3,4};

unsigned char DESDShift[]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0,

0x64,0xCC,0xF9,0x29,0xDF,0xDE,0x86,0x4A,0x81,0x84,9,0x3C,0,0,0,0,

0xFB,0x99,0xE9,8,0xEC,0x87,0x67,0x2F,0x59,0x0FD,0x22,0xF1};

DWORD DESKEY1[]={

0x00000000,0x00000010,0x20000000,0x20000010,0x00010000,0x00010010,0x20010000,0x20010010,

0x00000800,0x00000810,0x20000800,0x20000810,0x00010800,0x00010810,0x20010800,0x20010810,

0x00000020,0x00000030,0x20000020,0x20000030,0x00010020,0x00010030,0x20010020,0x20010030,

0x00000820,0x00000830,0x20000820,0x20000830,0x00010820,0x00010830,0x20010820,0x20010830,

0x00080000,0x00080010,0x20080000,0x20080010,0x00090000,0x00090010,0x20090000,0x20090010,

0x00080800,0x00080810,0x20080800,0x20080810,0x00090800,0x00090810,0x20090800,0x20090810,

0x00080020,0x00080030,0x20080020,0x20080030,0x00090020,0x00090030,0x20090020,0x20090030,

0x00080820,0x00080830,0x20080820,0x20080830,0x00090820,0x00090830,0x20090820,0x20090830};

DWORD DESKEY2[]={

0x00000000,0x02000000,0x00002000,0x02002000,0x00200000,0x02200000,0x00202000,0x02202000,

0x00000004,0x02000004,0x00002004,0x02002004,0x00200004,0x02200004,0x00202004,0x02202004,

0x00000400,0x02000400,0x00002400,0x02002400,0x00200400,0x02200400,0x00202400,0x02202400,

0x00000404,0x02000404,0x00002404,0x02002404,0x00200404,0x02200404,0x00202404,0x02202404,

0x10000000,0x12000000,0x10002000,0x12002000,0x10200000,0x12200000,0x10202000,0x12202000,

0x10000004,0x12000004,0x10002004,0x12002004,0x10200004,0x12200004,0x10202004,0x12202004,

0x10000400,0x12000400,0x10002400,0x12002400,0x10200400,0x12200400,0x10202400,0x12202400,

0x10000404,0x12000404,0x10002404,0x12002404,0x10200404,0x12200404,0x10202404,0x12202404};

DWORD DESKEY3[]={

0x00000000,0x00000001,0x00040000,0x00040001,0x01000000,0x01000001,0x01040000,0x01040001,

0x00000002,0x00000003,0x00040002,0x00040003,0x01000002,0x01000003,0x01040002,0x01040003,

0x00000200,0x00000201,0x00040200,0x00040201,0x01000200,0x01000201,0x01040200,0x01040201,

0x00000202,0x00000203,0x00040202,0x00040203,0x01000202,0x01000203,0x01040202,0x01040203,

0x08000000,0x08000001,0x08040000,0x08040001,0x09000000,0x09000001,0x09040000,0x09040001,

0x08000002,0x08000003,0x08040002,0x08040003,0x09000002,0x09000003,0x09040002,0x09040003,

0x08000200,0x08000201,0x08040200,0x08040201,0x09000200,0x09000201,0x09040200,0x09040201,

0x08000202,0x08000203,0x08040202,0x08040203,0x09000202,0x09000203,0x09040202,0x09040203};

DWORD DESKEY4[]={

0x00000000,0x00100000,0x00000100,0x00100100,0x00000008,0x00100008,0x00000108,0x00100108,

0x00001000,0x00101000,0x00001100,0x00101100,0x00001008,0x00101008,0x00001108,0x00101108,

0x04000000,0x04100000,0x04000100,0x04100100,0x04000008,0x04100008,0x04000108,0x04100108,

0x04001000,0x04101000,0x04001100,0x04101100,0x04001008,0x04101008,0x04001108,0x04101108,

0x00020000,0x00120000,0x00020100,0x00120100,0x00020008,0x00120008,0x00020108,0x00120108,

0x00021000,0x00121000,0x00021100,0x00121100,0x00021008,0x00121008,0x00021108,0x00121108,

0x04020000,0x04120000,0x04020100,0x04120100,0x04020008,0x04120008,0x04020108,0x04120108,

0x04021000,0x04121000,0x04021100,0x04121100,0x04021008,0x04121008,0x04021108,0x04121108};

DWORD DESKEY5[]={

0x00000000,0x10000000,0x00010000,0x10010000,0x00000004,0x10000004,0x00010004,0x10010004,

0x20000000,0x30000000,0x20010000,0x30010000,0x20000004,0x30000004,0x20010004,0x30010004,

0x00100000,0x10100000,0x00110000,0x10110000,0x00100004,0x10100004,0x00110004,0x10110004,

0x20100000,0x30100000,0x20110000,0x30110000,0x20100004,0x30100004,0x20110004,0x30110004,

0x00001000,0x10001000,0x00011000,0x10011000,0x00001004,0x10001004,0x00011004,0x10011004,

0x20001000,0x30001000,0x20011000,0x30011000,0x20001004,0x30001004,0x20011004,0x30011004,

0x00101000,0x10101000,0x00111000,0x10111000,0x00101004,0x10101004,0x00111004,0x10111004,

0x20101000,0x30101000,0x20111000,0x30111000,0x20101004,0x30101004,0x20111004,0x30111004};

DWORD DESKEY6[]={

0x00000000,0x08000000,0x00000008,0x08000008,0x00000400,0x08000400,0x00000408,0x08000408,

0x00020000,0x08020000,0x00020008,0x08020008,0x00020400,0x08020400,0x00020408,0x08020408,

0x00000001,0x08000001,0x00000009,0x08000009,0x00000401,0x08000401,0x00000409,0x08000409,

0x00020001,0x08020001,0x00020009,0x08020009,0x00020401,0x08020401,0x00020409,0x08020409,

0x02000000,0x0A000000,0x02000008,0x0A000008,0x02000400,0x0A000400,0x02000408,0x0A000408,

0x02020000,0x0A020000,0x02020008,0x0A020008,0x02020400,0x0A020400,0x02020408,0x0A020408,

0x02000001,0x0A000001,0x02000009,0x0A000009,0x02000401,0x0A000401,0x02000409,0x0A000409,

0x02020001,0x0A020001,0x02020009,0x0A020009,0x02020401,0x0A020401,0x02020409,0x0A020409};

DWORD DESKEY7[]={

0x00000000,0x00000100,0x00080000,0x00080100,0x01000000,0x01000100,0x01080000,0x01080100,

0x00000010,0x00000110,0x00080010,0x00080110,0x01000010,0x01000110,0x01080010,0x01080110,

0x00200000,0x00200100,0x00280000,0x00280100,0x01200000,0x01200100,0x01280000,0x01280100,

0x00200010,0x00200110,0x00280010,0x00280110,0x01200010,0x01200110,0x01280010,0x01280110,

0x00000200,0x00000300,0x00080200,0x00080300,0x01000200,0x01000300,0x01080200,0x01080300,

0x00000210,0x00000310,0x00080210,0x00080310,0x01000210,0x01000310,0x01080210,0x01080310,

0x00200200,0x00200300,0x00280200,0x00280300,0x01200200,0x01200300,0x01280200,0x01280300,

0x00200210,0x00200310,0x00280210,0x00280310,0x01200210,0x01200310,0x01280210,0x01280310};

DWORD DESKEY8[]={

0x00000000,0x04000000,0x00040000,0x04040000,0x00000002,0x04000002,0x00040002,0x04040002,

0x00002000,0x04002000,0x00042000,0x04042000,0x00002002,0x04002002,0x00042002,0x04042002,

0x00000020,0x04000020,0x00040020,0x04040020,0x00000022,0x04000022,0x00040022,0x04040022,

0x00002020,0x04002020,0x00042020,0x04042020,0x00002022,0x04002022,0x00042022,0x04042022,

0x00000800,0x04000800,0x00040800,0x04040800,0x00000802,0x04000802,0x00040802,0x04040802,

0x00002800,0x04002800,0x00042800,0x04042800,0x00002802,0x04002802,0x00042802,0x04042802,

0x00000820,0x04000820,0x00040820,0x04040820,0x00000822,0x04000822,0x00040822,0x04040822,

0x00002820,0x04002820,0x00042820,0x04042820,0x00002822,0x04002822,0x00042822,0x04042822};

DWORD DESSpBox1[]={

0x02080800,0x00080000,0x02000002,0x02080802,0x02000000,0x00080802,0x00080002,0x02000002,

0x00080802,0x02080800,0x02080000,0x00000802,0x02000802,0x02000000,0x00000000,0x00080002,

0x00080000,0x00000002,0x02000800,0x00080800,0x02080802,0x02080000,0x00000802,0x02000800,

0x00000002,0x00000800,0x00080800,0x02080002,0x00000800,0x02000802,0x02080002,0x00000000,

0x00000000,0x02080802,0x02000800,0x00080002,0x02080800,0x00080000,0x00000802,0x02000800,

0x02080002,0x00000800,0x00080800,0x02000002,0x00080802,0x00000002,0x02000002,0x02080000,

0x02080802,0x00080800,0x02080000,0x02000802,0x02000000,0x00000802,0x00080002,0x00000000,

0x00080000,0x02000000,0x02000802,0x02080800,0x00000002,0x02080002,0x00000800,0x00080802};

DWORD DESSpBox2[]={

0x40108010,0x00000000,0x00108000,0x40100000,0x40000010,0x00008010,0x40008000,0x00108000,

0x00008000,0x40100010,0x00000010,0x40008000,0x00100010,0x40108000,0x40100000,0x00000010,

0x00100000,0x40008010,0x40100010,0x00008000,0x00108010,0x40000000,0x00000000,0x00100010,

0x40008010,0x00108010,0x40108000,0x40000010,0x40000000,0x00100000,0x00008010,0x40108010,

0x00100010,0x40108000,0x40008000,0x00108010,0x40108010,0x00100010,0x40000010,0x00000000,

0x40000000,0x00008010,0x00100000,0x40100010,0x00008000,0x40000000,0x00108010,0x40008010,

0x40108000,0x00008000,0x00000000,0x40000010,0x00000010,0x40108010,0x00108000,0x40100000,

0x40100010,0x00100000,0x00008010,0x40008000,0x40008010,0x00000010,0x40100000,0x00108000};

DWORD DESSpBox3[]={

0x04000001,0x04040100,0x00000100,0x04000101,0x00040001,0x04000000,0x04000101,0x00040100,

0x04000100,0x00040000,0x04040000,0x00000001,0x04040101,0x00000101,0x00000001,0x04040001,

0x00000000,0x00040001,0x04040100,0x00000100,0x00000101,0x04040101,0x00040000,0x04000001,

0x04040001,0x04000100,0x00040101,0x04040000,0x00040100,0x00000000,0x04000000,0x00040101,

0x04040100,0x00000100,0x00000001,0x00040000,0x00000101,0x00040001,0x04040000,0x04000101,

0x00000000,0x04040100,0x00040100,0x04040001,0x00040001,0x04000000,0x04040101,0x00000001,

0x00040101,0x04000001,0x04000000,0x04040101,0x00040000,0x04000100,0x04000101,0x00040100,

0x04000100,0x00000000,0x04040001,0x00000101,0x04000001,0x00040101,0x00000100,0x04040000};

DWORD DESSpBox4[]={

0x00401008,0x10001000,0x00000008,0x10401008,0x00000000,0x10400000,0x10001008,0x00400008,

0x10401000,0x10000008,0x10000000,0x00001008,0x10000008,0x00401008,0x00400000,0x10000000,

0x10400008,0x00401000,0x00001000,0x00000008,0x00401000,0x10001008,0x10400000,0x00001000,

0x00001008,0x00000000,0x00400008,0x10401000,0x10001000,0x10400008,0x10401008,0x00400000,

0x10400008,0x00001008,0x00400000,0x10000008,0x00401000,0x10001000,0x00000008,0x10400000,

0x10001008,0x00000000,0x00001000,0x00400008,0x00000000,0x10400008,0x10401000,0x00001000,

0x10000000,0x10401008,0x00401008,0x00400000,0x10401008,0x00000008,0x10001000,0x00401008,

0x00400008,0x00401000,0x10400000,0x10001008,0x00001008,0x10000000,0x10000008,0x10401000};

DWORD DESSpBox5[]={

0x08000000,0x00010000,0x00000400,0x08010420,0x08010020,0x08000400,0x00010420,0x08010000,

0x00010000,0x00000020,0x08000020,0x00010400,0x08000420,0x08010020,0x08010400,0x00000000,

0x00010400,0x08000000,0x00010020,0x00000420,0x08000400,0x00010420,0x00000000,0x08000020,

0x00000020,0x08000420,0x08010420,0x00010020,0x08010000,0x00000400,0x00000420,0x08010400,

0x08010400,0x08000420,0x00010020,0x08010000,0x00010000,0x00000020,0x08000020,0x08000400,

0x08000000,0x00010400,0x08010420,0x00000000,0x00010420,0x08000000,0x00000400,0x00010020,

0x08000420,0x00000400,0x00000000,0x08010420,0x08010020,0x08010400,0x00000420,0x00010000,

0x00010400,0x08010020,0x08000400,0x00000420,0x00000020,0x00010420,0x08010000,0x08000020};

DWORD DESSpBox6[]={

0x80000040,0x00200040,0x00000000,0x80202000,0x00200040,0x00002000,0x80002040,0x00200000,

0x00002040,0x80202040,0x00202000,0x80000000,0x80002000,0x80000040,0x80200000,0x00202040,

0x00200000,0x80002040,0x80200040,0x00000000,0x00002000,0x00000040,0x80202000,0x80200040,

0x80202040,0x80200000,0x80000000,0x00002040,0x00000040,0x00202000,0x00202040,0x80002000,

0x00002040,0x80000000,0x80002000,0x00202040,0x80202000,0x00200040,0x00000000,0x80002000,

0x80000000,0x00002000,0x80200040,0x00200000,0x00200040,0x80202040,0x00202000,0x00000040,

0x80202040,0x00202000,0x00200000,0x80002040,0x80000040,0x80200000,0x00202040,0x00000000,

0x00002000,0x80000040,0x80002040,0x80202000,0x80200000,0x00002040,0x00000040,0x80200040};

DWORD DESSpBox7[]={

0x00004000,0x00000200,0x01000200,0x01000004,0x01004204,0x00004004,0x00004200,0x00000000,

0x01000000,0x01000204,0x00000204,0x01004000,0x00000004,0x01004200,0x01004000,0x00000204,

0x01000204,0x00004000,0x00004004,0x01004204,0x00000000,0x01000200,0x01000004,0x00004200,

0x01004004,0x00004204,0x01004200,0x00000004,0x00004204,0x01004004,0x00000200,0x01000000,

0x00004204,0x01004000,0x01004004,0x00000204,0x00004000,0x00000200,0x01000000,0x01004004,

0x01000204,0x00004204,0x00004200,0x00000000,0x00000200,0x01000004,0x00000004,0x01000200,

0x00000000,0x01000204,0x01000200,0x00004200,0x00000204,0x00004000,0x01004204,0x01000000,

0x01004200,0x00000004,0x00004004,0x01004204,0x01000004,0x01004200,0x01004000,0x00004004};

DWORD DESSpBox8[]={

0x20800080,0x20820000,0x00020080,0x00000000,0x20020000,0x00800080,0x20800000,0x20820080,

0x00000080,0x20000000,0x00820000,0x00020080,0x00820080,0x20020080,0x20000080,0x20800000,

0x00020000,0x00820080,0x00800080,0x20020000,0x20820080,0x20000080,0x00000000,0x00820000,

0x20000000,0x00800000,0x20020080,0x20800080,0x00800000,0x00020000,0x20820000,0x00000080,

0x00800000,0x00020000,0x20000080,0x20820080,0x00020080,0x20000000,0x00000000,0x00820000,

0x20800080,0x20020080,0x20020000,0x00800080,0x20820000,0x00000080,0x00800080,0x20020000,

0x20820080,0x00800000,0x20800000,0x20000080,0x00820000,0x00020080,0x20020080,0x20800000,

0x00000080,0x20820000,0x00820080,0x00000000,0x20000000,0x20800080,0x00020000,0x00820080};

void main(int argc,char ** argv)

{

  WSADATA WSAData;

  SOCKET sock;

  SOCKADDR_IN addr_in;

  int len;

  char serverip[]="192.168.13.211";

  short port=445;

  WORD olen,nlen;

  unsigned char buf1[0x1000];

  SMBP smbp;

  HMODULE hNtdll = NULL;

  hNtdll = LoadLibrary( "ntdll.dll" );

  if ( !hNtdll )

  {

    printf( "LoadLibrary( NTDLL.DLL ) Error:%d\n", GetLastError() );

    return ;

  }

  RtlUpcaseUnicodeStringToOemString = (RTLUPCASEUNICODESTRINGTOOEMSTRING)

    GetProcAddress(  hNtdll,  "RtlUpcaseUnicodeStringToOemString");

  if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)

  {

    printf("WSAStartup error.Error:%d\n",WSAGetLastError());

    return;

  }

  addr_in.sin_family=AF_INET;

  addr_in.sin_port=htons(port);

  addr_in.sin_addr.S_un.S_addr=inet_addr(serverip);

  if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)

  {

    printf("Socket failed.Error:%d\n",WSAGetLastError());

    return;

  }

一次简单脚本攻击实例