I have been busy recently. I have a lot of things, I have to live a lot, and I have to pay a lower salary. There is no time to read books. I will move some of my previous technical blogs here. NTLM studied for a while at the end of last year and at the beginning of this year.
Example program. It involves many algorithms and has been checked online for a long time. (Below is the previous blog) recently I want to implement a network programming program through proxy, and summarize the relevant content. Many things come
Self-network communism should also give back to communism. This section describes the implementation of ntlmv1 response.
After preparation, you can enter the NTLM response calculation. NTLM responses include NTLM V1, NTLMv2, and NTLM sessions.
V2. Which method is used? The client and proxy negotiate and determine. when discussing the interaction between the client and proxy, we need to be able to calculate different response.
For NTLM response, which is the ntlmv1 method we often call, it can be expressed as follows:
The server sends an 8-byte random number as challenge.
The client returns a 48-byte response. The following describes the procedure of ntlmv1:
Step 1: Obtain the challenge Value
Obtain 8-byte challenge from the server: c = 8-byte server challenge,
Random
Step 2: Calculate LM-HASH
Calculate the LM-HASH based on the user password, get the 16-byte hash value, followed by 5 NULL bytes, a total of 21 bytes, 21 bytes are evenly divided into three 7 bytes, then perform des calculation:
K1 | K2 | K3 = lm-Hash | 5-bytes-0
R1 = des (K1, c) | des (K2, c) | des (K3, c)
Step 3: Calculate NT-HASH
Calculate the NT-HASH based on the user password, get the 16-byte hash value, followed by 5 NULL bytes, a total of 21 bytes, 21 bytes are evenly divided into three 7 bytes, then perform des calculation:
K1 | K2 | K3 = Nt-Hash | 5-bytes-0
R2 = des (K1, c) | des (K2, c) | des (K3, c)
Step 4: Obtain ntlmv1 response
Response = R1 | r2
In the DES algorithm, the key input is 64 bits. These 8 bytes are removed from the CRC check bit (8th bits) to generate 56 bits of key. Now we enter the 56-byte ratio directly.
Specifically, you can use the str_to_key function introduced in LM-hash to convert the 56-bit key into a 64-bit key as the DES algorithm input, or we can directly
Add a function to the DES algorithm to process 56-bit keys. As follows:
Static int ip_56key_seq [] = {
, 8,1,
, 44,9, 2,
, 45, 24,17,10, 3,
, 46,
, 35, 14,7,
,13,
,19,12, 5,
25, 18, 11, 4 };Void algorithm_des_56key (in unsigned char * SRC, in unsigned char *
Secrect,
Out unsigned char * DST ){Unsigned
Char s [64], key [64], L [32], R [32], K [48], E [48];Int I =
0;
Storebit (SRC, 8, S );
Storebit (secrect, 8, key );// Step 1: initial permutation SRC and
Key
Initail_permutation (S, ip_data_seq, 64, S );
Initail_permutation (Key, ip_56key_seq, 56, key );// Step 2: 16 computations
// Obtain the original l0 and R0
Memcpy (L, S, 32 );
Memcpy (R, S + 32, 32 );// Perform 16 computations
For (I = 0; I
<16; I ++ ){
// Obtain K
Getkey (Key, key_offset [I]);
Initail_permutation (Key, ip_key, 48, k );
// F computing
Initail_permutation (R, ip_e, 48, e );
Xorbit (E, K, 48, e );
S_box_function (E, S1, e );
S_box_function (E + 6, S2, e + 4 );
S_box_function (E + 12, S3, e + 8 );
S_box_function (E + 18, S4, e + 12 );
S_box_function (E + 24, S5, e + 16 );
S_box_function (E + 30, S6, e + 20 );
S_box_function (E + 36, S7, e + 24 );
S_box_function (E + 42, S8, e + 28 );
Initail_permutation (E, ip_p, 32, E );
Xorbit (E, L, 32, E );
Memcpy (L, R, 32 );
Memcpy (R, E, 32 );}
Memcpy (S, R, 32 );
Memcpy (S + 32, L, 32 );
Initail_permutation (S, inverse_ip_p, 64, S );
Parsebit (S, DST, 8 );}
Next, we will provide the NTLM V1 reponse program:
Void ntlmv1_response (in char * passwd, in int passwd_len, in
Unsigned char * chanllenge,
Out unsigned char * DST, out int *
Dst_len ){Unsigned
Char hash [21];
// K1 | K2 | K3 = lm-Hash | 5-bytes-0
// R1 = des (K1, c) | des (K2, c) | des (K3, c)
Lm_hash (passwd, hash, null );Memset (hash
+ 16, 0, 5 );
Algorithm_des_56key (chanllenge, hash, DST );
Algorithm_des_56key (chanllenge, hash + 7, DST + 8 );
Algorithm_des_56key (chanllenge, hash + 14, DST + 16 );
// K1 | K2 | K3 = Nt-Hash | 5-bytes-0
// R2 = des (K1, c) | des (K2, c) | des (K3, c)
Nt_hash (passwd, 0, hash, null );Memset (hash
+ 16, 0, 5 );
Algorithm_des_56key (chanllenge, hash, DST + 24 );
Algorithm_des_56key (chanllenge, hash + 7, DST + 32 );
Algorithm_des_56key (chanllenge, hash + 14, DST + 40 );If (dst_len
! = NULL)
* Dst_len =
48;}
NTLM
V1 response actually combines LM response and NT response, which is the easiest to calculate. Lm is the oldest client and the most primitive response type. nt response, also known as NTLM response, is used for NT-based clients, such as Windows
2000 and XP. If we capture packets, most proxy traversal does not use the old ntlmv1 method. Of course, if the client we write uses this method and successfully negotiates with the proxy, there is no problem with the traversal.
Related Links: My network communication articles
NTLM implementation:
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
