?

代碼 ??1?/*
??2?You?can?get?a?locally?valid?logon?session?(a?network?logon?session)?by?using?SSPI.
??3?Simply?specify?alternate?credentials?when?you?call?AcquireCredentialsHandle,
??4?and?then?after?you?follow?the?normal?InitializeSecurityContext/AcceptSecurityContext
??5?handshake,?you'll?end?up?with?a?logon?session?for?the?user,
??6?without?having?to?have?the?TCB?privilege.
??7?
??8?See?the?attached?example...
??9?
?10?Keith
?11???*/
?12?
?13?//?this?version?requires?Windows?2000
?14?#define?_WIN32_WINNT?0x500
?15?#define?UNICODE
?16?#include?<windows.h>
?17?#include?<stdio.h>
?18?#define?SECURITY_WIN32
?19?#include?<security.h>
?20?#pragma?comment(lib,?"secur32.lib")
?21?
?22?//?brain-dead?error?routine?that?dumps?the?last?error?and?exits
?23?void?_err(const?wchar_t*?pszFcn,?DWORD?nErr?=?GetLastError())
?24?{
?25??
?26?????wchar_t?szErr[256];
?27?????if?(FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM,?0,?nErr,?0,
?28???????????????????????szErr,?sizeof?szErr?/?sizeof?*szErr,?0))
?29??????????wprintf(L"%s?failed:?%s",?pszFcn,?szErr);
?30?????else?wprintf(L"%s?failed:?0x%08X",?nErr);
?31?????exit(1);
?32?}
?33?
?34?//?Upon?success,?returns?a?handle?to?a?NETWORK?logon?session
?35?//?for?the?specified?principal?(it?will?*not*?have?network
?36?//?credentials).?Call?CloseHandle?to?dispose?of?it?when
?37?//?you?are?finished.
?38?HANDLE?_logonUserWithSSPI(wchar_t*?pszSSP,
?39???????????????????????????DWORD?grfDesiredAccessToToken,
?40???????????????????????????wchar_t*?pszAuthority,
?41???????????????????????????wchar_t*?pszPrincipal,
?42???????????????????????????wchar_t*?pszPassword)?{
?43?
?44?????//?the?following?code?loads?the?SSPI?interface?DLL
?45?????//?and?initializes?it,?getting?a?table?of?function?ptrs
?46?????HINSTANCE?hdll?=?LoadLibrary(L"security.dll");
?47?????if?(!hdll)
?48?????????_err(L"LoadLibrary");
?49?????INIT_SECURITY_INTERFACE_W?initSecurityInterface?=
?50?????????????(INIT_SECURITY_INTERFACE_W)GetProcAddress(hdll,
?51?????????????????SECURITY_ENTRYPOINT_ANSIW);
?52?????if?(!initSecurityInterface)
?53?????????_err(L"GetProcAddress");
?54?????PSecurityFunctionTable?pSSPI?=?initSecurityInterface();
?55?
?56?????//?here's?where?we?specify?the?credentials?to?verify
?57?????SEC_WINNT_AUTH_IDENTITY_EX?authIdent?=?{
?58?????????SEC_WINNT_AUTH_IDENTITY_VERSION,
?59?????????sizeof?authIdent,
?60?????????pszPrincipal,?lstrlenW(pszPrincipal),
?61?????????pszAuthority,?lstrlenW(pszAuthority),
?62?????????pszPassword,??lstrlenW(pszPassword),
?63?????????SEC_WINNT_AUTH_IDENTITY_UNICODE,
?64?????????0,?0
?65?????};
?66?
?67?????//?get?an?SSPI?handle?for?these?credentials
?68?????CredHandle?hcredClient;
?69?????TimeStamp?expiryClient;
?70?????SECURITY_STATUS?err?=
?71?????????pSSPI->AcquireCredentialsHandle(0,?pszSSP,
?72?????????????????????????????????????????SECPKG_CRED_OUTBOUND,
?73?????????????????????????????????????????0,?&authIdent,
?74?????????????????????????????????????????0,?0,
?75?????????????????????????????????????????&hcredClient,
?76?????????????????????????????????????????&expiryClient);
?77?????if?(err)
?78?????????_err(L"AcquireCredentialsHandle?for?client",?err);
?79?
?80?????//?use?the?caller's?credentials?for?the?server
?81?????CredHandle?hcredServer;
?82?????TimeStamp?expiryServer;
?83?????err?=?pSSPI->AcquireCredentialsHandle(0,?pszSSP,
?84???????????????????????????????????????????SECPKG_CRED_INBOUND,
?85???????????????????????????????????????????0,?0,?0,?0,
?86???????????????????????????????????????????&hcredServer,
?87???????????????????????????????????????????&expiryServer);
?88?????if?(err)
?89?????????_err(L"AcquireCredentialsHandle?for?server",?err);
?90?
?91?????CtxtHandle?hctxClient;
?92?????CtxtHandle?hctxServer;
?93?
?94?????//?create?two?buffers:
?95?????//????one?for?the?client?sending?tokens?to?the?server,
?96?????//????one?for?the?server?sending?tokens?to?the?client
?97?????//?(buffer?size?chosen?based?on?current?Kerb?SSP?setting
?98?????//??for?cbMaxToken?-?you?may?need?to?adjust?this)
?99?????BYTE?bufC2S[8000];
100?????BYTE?bufS2C[8000];
101?????SecBuffer?sbufC2S?=?{?sizeof?bufC2S,?SECBUFFER_TOKEN,?bufC2S?};
102?????SecBuffer?sbufS2C?=?{?sizeof?bufS2C,?SECBUFFER_TOKEN,?bufS2C?};
103?????SecBufferDesc?bdC2S?=?{?SECBUFFER_VERSION,?1,?&sbufC2S?};
104?????SecBufferDesc?bdS2C?=?{?SECBUFFER_VERSION,?1,?&sbufS2C?};
105?
106?????//?don't?really?need?any?special?context?attributes
107?????DWORD?grfRequiredCtxAttrsClient?=?ISC_REQ_DATAGRAM;//ISC_REQ_DELEGATE
108?????DWORD?grfRequiredCtxAttrsServer?=?ASC_REQ_DATAGRAM;
109?
110?????//?set?up?some?aliases?to?make?it?obvious?what's?happening
111?????PCtxtHandle????pClientCtxHandleIn??=?0;
112?????PCtxtHandle????pClientCtxHandleOut?=?&hctxClient;
113?????PCtxtHandle????pServerCtxHandleIn??=?0;
114?????PCtxtHandle????pServerCtxHandleOut?=?&hctxServer;
115?????SecBufferDesc*?pClientInput??=?0;
116?????SecBufferDesc*?pClientOutput?=?&bdC2S;
117?????SecBufferDesc*?pServerInput??=?&bdC2S;
118?????SecBufferDesc*?pServerOutput?=?&bdS2C;
119?????DWORD??????????grfCtxAttrsClient?=?0;
120?????DWORD??????????grfCtxAttrsServer?=?0;
121?????TimeStamp??????expiryClientCtx;
122?????TimeStamp??????expiryServerCtx;
123?
124?????//?since?the?caller?is?acting?as?the?server,?we?need
125?????//?a?server?principal?name?so?that?the?client?will
126?????//?be?able?to?get?a?Kerb?ticket?(if?Kerb?is?used)
127?????wchar_t?szSPN[256]={0};
128?????ULONG?cchSPN?=?sizeof?szSPN?/?sizeof?*szSPN;
129?????GetUserNameEx(NameSamCompatible,?szSPN,?&cchSPN);
130??
131??//sevice?class?/?host:?port?/?service?instance
132??
133?//?wcscpy?(szSPN,?TEXT("192.168.1.11"));
134?//?wcscpy?(szSPN,?TEXT("testwork-AD11.testwork.com"));
135?//?wcscpy?(szSPN,?TEXT("192.168.1.11"));
136?//?wcscpy?(szSPN,?TEXT("TESTWORK\\administrator"));
137?//?wcscpy?(szSPN,?TEXT("..."));
138??printf("%ws\n",szSPN);
139?????//?perform?the?authentication?handshake,?playing?the
140?????//?role?of?both?client?*and*?server.
141?????bool?bClientContinue?=?true;
142?????bool?bServerContinue?=?true;
143??int?count=1;
144?????while?(bClientContinue?||?bServerContinue)?{
145???
146?????????if?(bClientContinue)?{
147????
148?????????????sbufC2S.cbBuffer?=?sizeof?bufC2S;
149?????????????err?=?pSSPI->InitializeSecurityContext(
150?????????????????&hcredClient,?pClientCtxHandleIn,
151?????????????????szSPN,
152?????????????????grfRequiredCtxAttrsClient,
153?????????????????0,?SECURITY_NETWORK_DREP,
154?????????????????pClientInput,?0,
155?????????????????pClientCtxHandleOut,
156?????????????????pClientOutput,
157?????????????????&grfCtxAttrsClient,
158?????????????????&expiryClientCtx);
159?????????????switch?(err)?{
160?????????????????case?0:
161?????????????????????bClientContinue?=?false;
162?????????????????????break;
163?????????????????case?SEC_I_CONTINUE_NEEDED:
164?????????????????????pClientCtxHandleIn?=?pClientCtxHandleOut;
165?????????????????????pClientInput???????=?pServerOutput;
166?????????????????????break;
167?????????????????default:
168??????printf("err=%x\n",err);
169?????????????????????_err(L"InitializeSecurityContext",?err);
170?????????????}
171?????????}
172?
173?????????if?(bServerContinue)?{
174?????????????sbufS2C.cbBuffer?=?sizeof?bufS2C;
175?????????????err?=?pSSPI->AcceptSecurityContext(
176?????????????????&hcredServer,?pServerCtxHandleIn,
177?????????????????pServerInput,
178?????????????????grfRequiredCtxAttrsServer,
179?????????????????SECURITY_NETWORK_DREP,
180?????????????????pServerCtxHandleOut,
181?????????????????pServerOutput,
182?????????????????&grfCtxAttrsServer,
183?????????????????&expiryServerCtx);
184?????????????switch?(err)?{
185?????????????????case?0:
186?????????????????????bServerContinue?=?false;
187?????????????????????break;
188?????????????????case?SEC_I_CONTINUE_NEEDED:
189?????????????????????pServerCtxHandleIn?=?pServerCtxHandleOut;
190?????????????????????break;
191?????????????????default:
192?????????????????????_err(L"AcceptSecurityContext",?err);
193?????????????}
194?????????}
195???printf("%d?bClientContinue?%d?bServerContinue?%d\n",count++,bClientContinue,bServerContinue);
196?????}
197?????//?if?everything?has?gone?smoothly,?we've?now?got?a?logon
198?????//?session?for?the?client?-?let's?grab?the?token?now
199?????pSSPI->ImpersonateSecurityContext(pServerCtxHandleOut);
200?????HANDLE?htok;
201?????if?(!OpenThreadToken(GetCurrentThread(),
202??????????????????????????grfDesiredAccessToToken,
203??????????????????????????TRUE,?&htok))
204?????????_err(L"OpenThreadToken");
205?????pSSPI->RevertSecurityContext(pServerCtxHandleOut);
206?
207?????//?clean?up
208?????pSSPI->FreeCredentialsHandle(&hcredClient);
209?????pSSPI->FreeCredentialsHandle(&hcredServer);
210?????pSSPI->DeleteSecurityContext(pServerCtxHandleOut);
211?????pSSPI->DeleteSecurityContext(pClientCtxHandleOut);
212?????
213?????return?htok;
214?}
215?
216?//?here's?an?example?of?usage
217?void?main()?{
218?????//?use?"NTLM"?or?"Kerberos"
219?
220?//Kerbero需要在加入域或者有域環境下才能正確運行
221?????HANDLE?htok?=?_logonUserWithSSPI(L"Kerberos",
222??????????????????????????????????????TOKEN_QUERY,
223??????????????????????????????????????NULL,
224??????????????????????????????????????L"administrator",
225??????????????????????????????????????L"!QAZsx");
226?????if?(htok)?{
227?????????//?password?is?valid!
228?????????CloseHandle(htok);
229?????}
230?}
231?
232?

?

?

總結

以上是生活随笔為你收集整理的sspi for NTLM or Kerberos的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。