Remove unused ip param from smbauth functions. Fixes #268

dmiller 2026-06-16 14:20:17 +00:00
parent 4920925372
commit 63a39b7a90
11 changed files with 20 additions and 23 deletions


@ -1517,9 +1517,9 @@ function generic_request(host, port, method, path, options)
local lanman, ntlm
if is_extended then
-- this essentially calls the new ntlmv2_session_response function in smbauth.lua and returns whatever it returns
lanman, ntlm = smbauth.get_password_response(nil, username, "", options.auth.password, nil, "ntlmv2_session", challenge, true)
lanman, ntlm = smbauth.get_password_response(username, "", options.auth.password, nil, "ntlmv2_session", challenge, true)
else
lanman, ntlm = smbauth.get_password_response(nil, username, "", options.auth.password, nil, "ntlm", challenge, false)
lanman, ntlm = smbauth.get_password_response(username, "", options.auth.password, nil, "ntlm", challenge, false)
type_3_flags = type_3_flags - 0x00080000 -- Removing the Extended Security Flag as server doesn't support it.
end
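Review bot: The `else` branch answers with the plain `"ntlm"` hash type whenever `is_extended` is false, so a server that does not advertise extended session security receives the weaker response computed from `options.auth.password`, and nothing records that the downgrade happened. The flag is also cleared by subtraction (`type_3_flags - 0x00080000`), which is only correct if that bit is known to be set here; the code that builds `type_3_flags` is outside the hunk, so this should be confirmed. I would add a comment above the fallback call such as `-- fallback: server did not negotiate extended session security, so the weaker "ntlm" response is sent`, and consider logging the fallback at debug level. `generic_request` starts and ends outside this hunk.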


@ -3424,7 +3424,7 @@ Auth = {
end,
NtlmResponse = function( password, nonce )
local lm_response, ntlm_response, mac_key = smbauth.get_password_response(nil,
local lm_response, ntlm_response, mac_key = smbauth.get_password_response(
nil,
nil,
password,


@ -219,7 +219,7 @@ if HAVE_SSL then
--- Calculates the response
calcResponse = function(self)
local ntlm, lm = smbauth.get_password_response(nil, self.username, self.domain, self.password, nil, "v1", self.chall, self.is_extended)
local ntlm, lm = smbauth.get_password_response(self.username, self.domain, self.password, nil, "v1", self.chall, self.is_extended)
local msg_type = 3
local response
local BASE_OFFSET = 72
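Review bot: The results are bound as `local ntlm, lm = ...`, but the documentation of `get_password_response` shown elsewhere in this commit lists the return order as lm_response, ntlm_response, mac_key, and the other callers bind `lanman, ntlm`. Unless the code after this hunk deliberately compensates, `ntlm` holds the LM response and `lm` holds the NTLM response, which is easy to get wrong when the two are placed into the type 3 message. Since this line is being edited anyway, I would bind them in return order, `local lm, ntlm = smbauth.get_password_response(self.username, self.domain, self.password, nil, "v1", self.chall, self.is_extended)`, and adjust the uses below, or at least add `-- NOTE: get_password_response returns lm first, then ntlm`. `calcResponse` continues outside the hunk, so the uses are not visible here.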


@ -1176,7 +1176,7 @@ local function start_session_basic(smb, log_errors, overrides)
while result ~= false do
local lanman, ntlm
lanman, ntlm, smb['mac_key'] = smbauth.get_password_response(smb['ip'], username, domain, password, password_hash, hash_type, smb['server_challenge'], false)
lanman, ntlm, smb['mac_key'] = smbauth.get_password_response(username, domain, password, password_hash, hash_type, smb['server_challenge'], false)
-- Parameters
parameters = string.pack("<BBI2 I2I2 I2 I4 I2I2 I4I4",
@ -1353,7 +1353,7 @@ local function start_session_extended(smb, log_errors, overrides)
repeat
-- Get the new security blob, passing the old security blob as a parameter. If there was no previous security blob, then nil is passed, which creates a new one
if ( not(security_blob) ) then
status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], username, domain, password, password_hash, hash_type, (sp_nego and 0x00088215))
status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, username, domain, password, password_hash, hash_type, (sp_nego and 0x00088215))
if ( sp_nego ) then
local enc = asn1.ASN1Encoder:new()
@ -1376,7 +1376,7 @@ local function start_session_extended(smb, log_errors, overrides)
hash_type = "ntlm"
end
status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], username, domain, password, password_hash, hash_type, (sp_nego and 0x00088215))
status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, username, domain, password, password_hash, hash_type, (sp_nego and 0x00088215))
if ( sp_nego ) then
local enc = asn1.ASN1Encoder:new()


@ -140,7 +140,7 @@ end
-- There are several places where accounts are stored:
-- * registry['usernames'][username] => true
-- * registry['smbaccounts'][username] => password
-- * registry[ip]['smbaccounts'] => array of table containing 'username', 'password', and 'is_admin'
-- * host.registry['smbaccounts'] => array of table containing 'username', 'password', and 'is_admin'
--
-- The final place, 'smbaccount', is reserved for the "best" account. This is
-- an administrator account, if one's found; otherwise, it's the first account
@ -606,16 +606,14 @@ function ntlmv2_session_response(ntlm_password_hash, challenge)
return status, lm_response, ntlm_response
end
---Generate the Lanman and NTLM password hashes.
--
-- The password itself is taken from the function parameters, the script
-- arguments, and the registry (in that order). If no password is set, then the
-- password hash is used (which is read from all the usual places). If neither
-- is set, then a blank password is used.
-- If no password is set, then the password hash is used. If neither is set,
-- then a blank password is used.
--
-- The output passwords are hashed based on the hash type.
--
--@param ip The ip address of the host, used for registry lookups.
--@param username The username, which is used for v2 passwords.
--@param domain The username, which is used for v2 passwords.
--@param password [optional] The overriding password.
@ -629,7 +627,7 @@ end
--@return lm_response, to be send directly back to the server
--@return ntlm_response, to be send directly back to the server
--@return mac_key used for message signing.
function get_password_response(ip, username, domain, password, password_hash, hash_type, challenge, is_extended)
function get_password_response(username, domain, password, password_hash, hash_type, challenge, is_extended)
local status
local lm_hash = nil
local ntlm_hash = nil
@ -745,7 +743,6 @@ end
---Generate an NTLMSSP security blob.
--@param security_blob The server's security blob, or nil if this is the first
-- message
--@param ip The ip address of the host, used for registry lookups.
--@param username The username, which is used for v2 passwords.
--@param domain The username, which is used for v2 passwords.
--@param password [optional] The overriding password.
@ -753,7 +750,7 @@ end
-- set if password is set.
--@param hash_type The way in which to hash the password.
--@param flags The NTLM flags as a number
function get_security_blob(security_blob, ip, username, domain, password, password_hash, hash_type, flags)
function get_security_blob(security_blob, username, domain, password, password_hash, hash_type, flags)
local pos = 1
local new_blob
local flags = flags or 0x00008215 -- (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE)
@ -772,7 +769,7 @@ function get_security_blob(security_blob, ip, username, domain, password, passwo
else
-- Parse the old security blob
local identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved = string.unpack("<I8I4I2I2I4I4c8c8", security_blob)
local lanman, ntlm, mac_key = get_password_response(ip, username, domain, password, password_hash, hash_type, challenge, true)
local lanman, ntlm, mac_key = get_password_response(username, domain, password, password_hash, hash_type, challenge, true)
-- Convert the username and domain to unicode (TODO: Disable the unicode flag, evaluate if that'll work)
local hostname = unicode.utf8to16("nmap")
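Review bot: Callers that still pass the old leading `ip` argument to `get_password_response` or `get_security_blob` will not raise an error, because Lua does not check arity; every argument shifts one position, so a cleartext password would be read as `password_hash` and the hash type as `challenge`. The function bodies are outside these hunks, so I cannot tell whether anything downstream would reject such a call. I would state the change in both doc blocks, for example `-- NOTE: the former leading ip parameter was removed; positional callers must drop it`, so out-of-tree scripts have something to find. While editing these blocks, `--@param domain The username, which is used for v2 passwords.` repeats the username text in both places and should describe the domain, e.g. `--@param domain The domain of the account.`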


@ -54,7 +54,7 @@ categories = {"default", "discovery", "safe"}
portrule = shortport.http
local auth_blob = base64.enc( select( 2,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, nil,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil,
0x00000001 + -- Negotiate Unicode
0x00000002 + -- Negotiate OEM strings
0x00000004 + -- Request Target
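Review bot: The call `smbauth.get_security_blob(nil, nil, nil, nil, nil, nil,` identifies its arguments only by counting `nil`s, and the five script sections that follow repeat the same form. A miscount is silent: with one `nil` too many the flag sum falls off the end and `get_security_blob` falls back to its default via `flags or 0x00008215`, and with one too few the number lands in `hash_type`. I would label the positions where the call is made, `smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, -- security_blob, username, domain, password, password_hash, hash_type`, or move the shared negotiate-only call into one helper so the next signature change touches a single place. The statement continues past the end of this hunk.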

View file

@ -50,7 +50,7 @@ categories = {"default", "discovery", "safe"}
local ntlm_auth_blob = base64.enc( select(2,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, nil,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil,
0x00000001 + -- Negotiate Unicode
0x00000002 + -- Negotiate OEM strings
0x00000004 + -- Request Target

View file

@ -49,7 +49,7 @@ categories = {"default", "discovery", "safe"}
local ntlm_auth_blob = base64.enc( select(2,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, nil,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil,
0x00000001 + -- Negotiate Unicode
0x00000002 + -- Negotiate OEM strings
0x00000004 + -- Request Target

View file

@ -49,7 +49,7 @@ categories = {"default", "discovery", "safe"}
local ntlm_auth_blob = base64.enc( select(2,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, nil,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil,
0x00000001 + -- Negotiate Unicode
0x00000002 + -- Negotiate OEM strings
0x00000004 + -- Request Target

View file

@ -49,7 +49,7 @@ categories = {"default", "discovery", "safe"}
local ntlm_auth_blob = base64.enc( select(2,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, nil,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil,
0x00000001 + -- Negotiate Unicode
0x00000002 + -- Negotiate OEM strings
0x00000004 + -- Request Target

View file

@ -48,7 +48,7 @@ categories = {"default", "discovery", "safe"}
local _, ntlm_auth_blob = smbauth.get_security_blob(
nil, nil, nil, nil, nil, nil, nil,
nil, nil, nil, nil, nil, nil,
0x00000001 + -- Negotiate Unicode
0x00000002 + -- Negotiate OEM strings
0x00000004 + -- Request Target