Implement proxy traversal (9): ntlmv1 response

Source: Internet
Author: User

I have been busy recently: there is a lot going on, a lot to keep up with, and I have to take a lower salary, so there has been no time to read books. I am moving some of my earlier technical blog posts here. I studied NTLM for a while at the end of last year and the beginning of this year, with an example program; it involves many algorithms and took a long time of checking things online. (Below is the earlier post.) Recently I wanted to implement a network program that works through a proxy, and to summarize the relevant content. Much of this came from the network community, so it should be given back to the community. This part describes the implementation of the NTLMv1 response.

With the preparation done, we can move on to computing the NTLM response. NTLM responses come in three forms: NTLMv1, NTLMv2, and NTLMv2 Session. Which one is used is negotiated between the client and the proxy, so when we implement the interaction between client and proxy we must be able to calculate each of them.

The server (here, the proxy) provides an 8-byte challenge. The client computes an LM response and an NT response from it; the server performs the same computation from the stored password and checks the values the client sends. Both the LM response and the NT response are 24 bytes.

For the NTLM response, which is what we usually call the NTLMv1 method, the exchange can be summarized as follows:

The server sends an 8-byte random number as the challenge.

The client returns a 48-byte response. The NTLMv1 procedure is as follows:

Step 1: Obtain the challenge value

Obtain the 8-byte challenge from the server: c = 8-byte server challenge (random).

Step 2: Calculate the LM response

Calculate the LM hash of the user password (16 bytes), append 5 NUL bytes to get 21 bytes, split the 21 bytes into three 7-byte DES keys, and encrypt the challenge with each key:

K1 | K2 | K3 = LM-hash | 5-bytes-0

R1 = des(K1, c) | des(K2, c) | des(K3, c)

Step 3: Calculate the NT response

Calculate the NT hash of the user password (16 bytes), append 5 NUL bytes to get 21 bytes, split the 21 bytes into three 7-byte DES keys, and encrypt the challenge with each key:

K1 | K2 | K3 = NT-hash | 5-bytes-0

R2 = des(K1, c) | des(K2, c) | des(K3, c)

Step 4: Obtain the NTLMv1 response

Response = R1 | R2

DES takes a 64-bit key, but the low bit of each of the 8 key bytes is a parity bit, not key material, so only 56 bits are actually used. Here the key arrives directly as 56 bits (7 bytes). There are two options: convert the 56-bit key into a 64-bit DES key with the str_to_key function introduced in the LM-hash post, or add a variant of the DES routine that accepts a 56-bit key directly. The second option is shown below. Its key permutation table ip_56key_seq is the standard PC-1 table with the eight parity-bit positions removed, so each 1-based position p of PC-1 becomes p - (p - 1) / 8 and indexes a 56-bit key:

static int ip_56key_seq[] = {
    /* PC-1 with the parity-bit positions removed (1-based indices into 56 bits) */
    50, 43, 36, 29, 22, 15,  8,
     1, 51, 44, 37, 30, 23, 16,
     9,  2, 52, 45, 38, 31, 24,
    17, 10,  3, 53, 46, 39, 32,
    56, 49, 42, 35, 28, 21, 14,
     7, 55, 48, 41, 34, 27, 20,
    13,  6, 54, 47, 40, 33, 26,
    19, 12,  5, 25, 18, 11,  4 };

/* DES encryption of one 8-byte block with a 56-bit (7-byte) key.
   Identical to the 64-bit-key version from the DES posts except that the key
   is unpacked as 56 bits and PC-1 is applied through ip_56key_seq.
   "in"/"out" are the parameter-direction annotations used throughout the series;
   storebit/parsebit, initail_permutation, getkey, xorbit, s_box_function and the
   tables ip_data_seq, ip_key, ip_e, ip_p, inverse_ip_p, key_offset and S1..S8
   come from the earlier DES posts. */
void algorithm_des_56key(in unsigned char *src, in unsigned char *secrect,
                         out unsigned char *dst)
{
    unsigned char s[64], key[64], l[32], r[32], k[48], e[48];
    int i = 0;

    storebit(src, 8, s);        /* unpack the 8 data bytes into 64 bit values */
    storebit(secrect, 7, key);  /* unpack the 7 key bytes into 56 bit values
                                   (7, not 8: the key is only 7 bytes long) */

    /* step 1: initial permutation of the data (IP) and of the key (PC-1) */
    initail_permutation(s, ip_data_seq, 64, s);
    initail_permutation(key, ip_56key_seq, 56, key);

    /* step 2: 16 rounds */
    /* L0 and R0 */
    memcpy(l, s, 32);
    memcpy(r, s + 32, 32);

    for (i = 0; i < 16; i++) {
        /* round key Ki: rotate the key halves, then PC-2 */
        getkey(key, key_offset[i]);
        initail_permutation(key, ip_key, 48, k);

        /* f(Ri, Ki): expansion E, XOR with Ki, the eight S-boxes, permutation P */
        initail_permutation(r, ip_e, 48, e);
        xorbit(e, k, 48, e);
        s_box_function(e, S1, e);
        s_box_function(e + 6, S2, e + 4);
        s_box_function(e + 12, S3, e + 8);
        s_box_function(e + 18, S4, e + 12);
        s_box_function(e + 24, S5, e + 16);
        s_box_function(e + 30, S6, e + 20);
        s_box_function(e + 36, S7, e + 24);
        s_box_function(e + 42, S8, e + 28);
        initail_permutation(e, ip_p, 32, e);

        /* Li+1 = Ri, Ri+1 = Li XOR f(Ri, Ki) */
        xorbit(e, l, 32, e);
        memcpy(l, r, 32);
        memcpy(r, e, 32);
    }

    /* step 3: swap the halves and apply the final permutation IP^-1 */
    memcpy(s, r, 32);
    memcpy(s + 32, l, 32);
    initail_permutation(s, inverse_ip_p, 64, s);

    parsebit(s, dst, 8);        /* pack the 64 bit values back into 8 bytes */
}

Next, the NTLMv1 response routine:

/* Computes the 48-byte NTLMv1 response for the given password and 8-byte
   challenge. lm_hash and nt_hash are the routines from the LM-hash and NT-hash
   posts (nt_hash takes a length argument; 0 means the string length is used).
   passwd_len is kept for a uniform signature but is not needed here. */
void ntlmv1_response(in char *passwd, in int passwd_len, in unsigned char *challenge,
                     out unsigned char *dst, out int *dst_len)
{
    unsigned char hash[21];   /* 16-byte hash followed by 5 NUL bytes */

    /* K1 | K2 | K3 = LM-hash | 5-bytes-0
       R1 = des(K1, c) | des(K2, c) | des(K3, c) */
    lm_hash(passwd, hash, NULL);
    memset(hash + 16, 0, 5);
    algorithm_des_56key(challenge, hash, dst);
    algorithm_des_56key(challenge, hash + 7, dst + 8);
    algorithm_des_56key(challenge, hash + 14, dst + 16);

    /* K1 | K2 | K3 = NT-hash | 5-bytes-0
       R2 = des(K1, c) | des(K2, c) | des(K3, c) */
    nt_hash(passwd, 0, hash, NULL);
    memset(hash + 16, 0, 5);
    algorithm_des_56key(challenge, hash, dst + 24);
    algorithm_des_56key(challenge, hash + 7, dst + 32);
    algorithm_des_56key(challenge, hash + 14, dst + 40);

    if (dst_len != NULL)
        *dst_len = 48;        /* 24-byte LM response followed by 24-byte NT response */
}


The NTLMv1 response is simply the LM response followed by the NT response, and it is the easiest of the three to compute. The LM response is the oldest and most primitive response type; the NT response, also called the NTLM response, is used by NT-based clients such as Windows 2000 and XP. Capturing packets shows that most proxy traversal no longer uses the old NTLMv1 method, but if the client we write uses it and negotiates it successfully with the proxy, the traversal works. Keep in mind that NTLMv1 is weak by design: the third DES key K3 is only the last 2 bytes of the hash plus 5 zero bytes, so anyone who sees the challenge and the response can recover those 2 bytes with at most 65,536 DES trials, and the other two keys are exposed to a plain 56-bit DES key search because nothing from the client is mixed into the challenge.
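The whole procedure from this post, written out end to end as an added example rather than code from the original post. It uses Go because its standard library ships DES (crypto/des), so it does not depend on the series' own DES routines: the str_to_key-style expansion from 7 key bytes to 8, the LM hash, the 21-byte split into K1 | K2 | K3 and the 48-byte response are all as described above. Go's standard library has no MD4, so the NT hash is passed in as bytes instead of being computed. The inputs are constructed: the server challenge 0123456789abcdef, the password "Password" and its NT hash a4f49c406510bdcab6824ee7c30fd852 are the values used in the MS-NLMP NTLMv1 examples, and all function names are this example's own. The last function demonstrates the weakness of the 5 zero bytes by recovering the two hash bytes behind K3 from a captured challenge/response pair.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// expandKey56 turns a 7-byte (56-bit) key into the 8-byte key crypto/des expects:
// 7 key bits go in the top of each byte and an odd-parity bit in the low bit.
// This is the str_to_key conversion mentioned in the post (name is this example's).
func expandKey56(k7 []byte) []byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := 0; i < 8; i++ {
		seven := byte(v>>(49-7*i)) & 0x7f // next 7 key bits, most significant first
		b := seven << 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1 // DES keys carry odd parity in the low bit of every byte
		}
		k8[i] = b
	}
	return k8
}

// des56 encrypts one 8-byte block with a 7-byte key, i.e. des(K, c) in the post.
func des56(key7, block []byte) []byte {
	c, err := des.NewCipher(expandKey56(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// lmHash computes the LM hash: upper-case the password, pad or truncate it to
// 14 bytes, and let each 7-byte half DES-encrypt the constant "KGS!@#$%".
func lmHash(password string) []byte {
	padded := make([]byte, 14)
	copy(padded, strings.ToUpper(password)) // copy stops at 14 bytes
	magic := []byte("KGS!@#$%")
	return append(des56(padded[:7], magic), des56(padded[7:], magic)...)
}

// challengeResponse is the 24-byte response derived from a 16-byte hash: the
// hash is extended with 5 zero bytes to 21 bytes, split into K1 | K2 | K3, and
// each key encrypts the 8-byte challenge.
func challengeResponse(hash16, challenge []byte) []byte {
	var keys [21]byte // hash followed by five zero bytes
	copy(keys[:], hash16)
	resp := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		resp = append(resp, des56(keys[i:i+7], challenge)...)
	}
	return resp
}

// ntlmv1Response is R1 | R2: the LM response followed by the NT response, 48 bytes.
// ntHash is supplied by the caller because Go's standard library has no MD4.
func ntlmv1Response(password string, ntHash, challenge []byte) []byte {
	return append(challengeResponse(lmHash(password), challenge),
		challengeResponse(ntHash, challenge)...)
}

// recoverK3 shows why the zero padding matters: K3 is only hash[14:16] plus five
// zero bytes, so bytes 16..23 of a captured 24-byte response give those two hash
// bytes away after at most 65536 DES trials. Returns the bytes and whether a key matched.
func recoverK3(resp24, challenge []byte) ([]byte, bool) {
	target := resp24[16:24]
	key := make([]byte, 7) // bytes 2..6 stay zero, exactly as in the real K3
	for v := 0; v < 1<<16; v++ {
		key[0], key[1] = byte(v>>8), byte(v)
		if bytes.Equal(des56(key, challenge), target) {
			return []byte{key[0], key[1]}, true
		}
	}
	return nil, false
}

func main() {
	// Constructed inputs: the MS-NLMP NTLMv1 example challenge, password and NT hash.
	challenge, _ := hex.DecodeString("0123456789abcdef")
	ntHash, _ := hex.DecodeString("a4f49c406510bdcab6824ee7c30fd852")
	resp := ntlmv1Response("Password", ntHash, challenge)
	fmt.Printf("LM hash:     %x\n", lmHash("Password"))
	fmt.Printf("LM response: %x\n", resp[:24])
	fmt.Printf("NT response: %x\n", resp[24:])
	if k3, ok := recoverK3(resp[24:], challenge); ok {
		fmt.Printf("NT hash bytes 14..15 recovered from the response: %x\n", k3)
	}
}
```

The LM hash of an empty password (aad3b435b51404eeaad3b435b51404ee) and of "password" (e52cac67419a9a224a3b108f3fa6cb6d) are convenient known answers for checking the key expansion and DES usage before trusting the responses against a real proxy.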

 

Related Links: My network communication articles

NTLM implementation:

  • Proxy traversal (16): NTLM proxy Traversal
  • Proxy traversal (15): NTLM Session Security
  • Implement proxy traversal (14): NTLM type3 message
  • Implement proxy traversal (13): NTLM type2 message
  • Implement proxy traversal (12): NTLM type1 message
  • Proxy traversal (11): NTLMv2 session response
  • Implement proxy traversal (10): NTLMv2 response
  • Implement proxy traversal (9): ntlmv1 response
  • Implement proxy traversal (8): NT-Hash implementation
  • Proxy traversal (7): md4 and MD5
  • Implement proxy traversal (6): LM-Hash implementation
  • Implement proxy traversal (5): DES algorithm 3
  • Implement proxy traversal (4): DES algorithm 2
  • Implement proxy traversal (3): One of the des Algorithms
  • Proxy traversal (2): base64 Algorithm
  • Proxy traversal (1): process and NTLM Algorithm
