Ejemplo n.º 1
            /// <summary>
            /// Fills the NTLMv2-only AV pairs held by this object: the MsvAvFlags value,
            /// a zeroed channel-binding hash, an empty target name and the 48-byte
            /// Restriction_Encoding (MS-NLMP) used for the MsvAvRestrictions pair.
            /// </summary>
            /// <exception cref="Exception">The serialized restrictions are not exactly 0x30 bytes.</exception>
            public void ProcessForNTLMv2()
            {
                // MsvAvFlags; bit 0x2 is the "MIC present" flag (confirm against the caller that emits the MIC).
                this.Flags = 2;

                // 16-byte channel-binding hash, all zeros here (no binding to the outer TLS channel).
                this.ChannelBindings.length = 0x10;
                this.ChannelBindings.value  = new byte[0x10];

                // Target name is deliberately empty: UTF-16LE of "" is a zero-length array.
                byte[] targetNameBytes = Encoding.Unicode.GetBytes(string.Empty);
                this.TargetName.length = targetNameBytes.Length;
                this.TargetName.value  = targetNameBytes;

                // 32-byte MachineID. MS-NLMP describes it as a random per-boot value; a fixed
                // constant like this one is the same for every client built from this code.
                byte[] machineId = new byte[] {
                    0x5c, 0xca, 250, 0x4d, 0x40, 0x41, 0xc5, 0x8b, 0x43, 0x93, 0x16, 0x88, 0xce, 0x3b, 0x94, 0x63,
                    0xf1, 0xc5, 0x61, 0xf4, 0xe1, 0xde, 0xda, 0x7a, 0x43, 0xb8, 0xd6, 200, 0x9e, 80, 0x3f, 0x42
                };

                this.Restrictions.length = 0x30;

                // Restriction_Encoding: Size, Z4, IntegrityLevel (1), SubjectIntegrityLevel (0x2000), MachineID.
                RdpPacket restrictions = new RdpPacket();
                restrictions.WriteLittleEndian32(0x30);
                restrictions.WritePadding(4);
                restrictions.WriteByte(1);
                restrictions.WritePadding(3);
                restrictions.WriteLittleEndian32(0x2000);
                restrictions.Write(machineId, 0, 0x20);

                this.Restrictions.value = restrictions.ToArray();

                // Sanity check: the declared length must match what was actually serialized.
                bool lengthMismatch = this.Restrictions.value.Length != this.Restrictions.length;
                if (lengthMismatch)
                {
                    throw new Exception("Restrictions invalid!");
                }
            }
Ejemplo n.º 2
 /// <summary>
 /// Appends the 8-byte NTLM VERSION structure that the NEGOTIATE and AUTHENTICATE
 /// messages carry when the VERSION flag is set: major 6, minor 1, build 0x1DB0
 /// (little-endian), three reserved zero bytes, NTLMRevisionCurrent 0x0F.
 /// </summary>
 /// <param name="packet">Packet receiving the eight octets at its current position.</param>
 private void WriteVersion(RdpPacket packet)
 {
     byte[] version = new byte[] { 6, 1, 0xb0, 0x1d, 0, 0, 0, 15 };

     foreach (byte octet in version)
     {
         packet.WriteByte(octet);
     }
 }
Ejemplo n.º 3
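        /// <summary>
        /// Builds and sends the client X.224 Connection Request PDU: TPKT header,
        /// X.224 CR header, either a server-supplied routing token or an
        /// "mstshash" cookie, then an RDP Negotiation Request with the requested
        /// security protocols.
        /// </summary>
        /// <param name="NegotiationFlags">Security protocols to request; written as the requestedProtocols field.</param>
        /// <param name="loadBalanceToken">Routing token to echo back, or null to send a cookie built from Options.DomainAndUsername.</param>
        /// <exception cref="InvalidOperationException">The PDU does not fit the one-octet X.224 length indicator.</exception>
        private static void sendConnectNegotiation(NegotiationProtocol NegotiationFlags, byte[] loadBalanceToken)
        {
            // The cookie carries at most 9 characters of the user identifier.
            string domainAndUsername = Options.DomainAndUsername ?? string.Empty;

            if (domainAndUsername.Length > 9)
            {
                domainAndUsername = domainAndUsername.Substring(0, 9);
            }

            RdpPacket packet = new RdpPacket();

            // TPKT header: version 3, reserved, 16-bit total length (patched in below).
            packet.WriteByte(3);
            packet.WriteByte(0);
            long lengthFieldPosition = packet.Position;
            packet.WriteBigEndian16((short)0);

            // X.224 CR: LI (patched in below), CR TPDU code 0xE0, DST-REF, SRC-REF, class 0.
            packet.WriteByte(0);
            packet.WriteByte(0xe0);
            packet.WriteBigEndian16((short)0);
            packet.WriteBigEndian16((short)0);
            packet.WriteByte(0);

            if (loadBalanceToken != null)
            {
                // The routing token originates from the server side and is echoed verbatim.
                packet.Write(loadBalanceToken, 0, loadBalanceToken.Length);
                packet.WriteString("\r\n", false);
            }
            else
            {
                packet.WriteString("Cookie: mstshash=" + domainAndUsername + "\r\n", true);
            }

            // RDP Negotiation Request: type 0x01, flags 0, length 8, requestedProtocols.
            packet.WriteByte(0x01);
            packet.WriteByte(0);
            packet.WriteLittleEndian16((short)8);
            packet.WriteLittleEndian32((int)NegotiationFlags); // Standard RDP Security, TLS 1.0, CredSSP

            long totalLength = packet.Position;

            // LI excludes the 4-byte TPKT header and the LI octet itself.
            long x224Length = totalLength - 5L;

            // LI is a single octet; without this check an oversized routing token
            // would be silently truncated by the cast and produce a malformed PDU.
            if (x224Length > byte.MaxValue)
            {
                throw new InvalidOperationException("X.224 Connection Request too long for the length indicator");
            }

            packet.Position = lengthFieldPosition;
            packet.WriteBigEndian16((short)totalLength);
            packet.WriteByte((byte)x224Length);

            IsoLayer.Write(packet);
        }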
Ejemplo n.º 4
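        /// <summary>
        /// Builds the NTLM NEGOTIATE_MESSAGE (message type 1) and keeps a copy in
        /// <c>m_NegotiateMsg</c>, because the MIC computed later over the exchange
        /// covers this message.
        /// </summary>
        /// <returns>The encoded NEGOTIATE_MESSAGE; the same array is stored in <c>m_NegotiateMsg</c>.</returns>
        public byte[] Negotiate()
        {
            RdpPacket packet = new RdpPacket();

            // 0xE2000000 carries the flags that have no named constant here:
            // NEGOTIATE_56, NEGOTIATE_KEY_EXCH, NEGOTIATE_128 and NEGOTIATE_VERSION (0x02000000).
            uint flags = 0xe2000000
                | NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY
                | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                | NTLMSSP_NEGOTIATE_NTLM
                | NTLMSSP_NEGOTIATE_SEAL
                | NTLMSSP_NEGOTIATE_SIGN
                | NTLMSSP_REQUEST_TARGET
                | NTLMSSP_NEGOTIATE_OEM
                | NTLMSSP_NEGOTIATE_UNICODE;

            // Signature "NTLMSSP\0", MessageType 1, NegotiateFlags.
            packet.WriteString("NTLMSSP", false);
            packet.WriteByte(0);
            packet.WriteLittleEndian32(1);
            packet.WriteLittleEndian32(flags);

            // DomainNameFields and WorkstationFields: Len, MaxLen and BufferOffset all zero
            // (no domain or workstation name is supplied in this message).
            packet.WriteLittleEndian16((short)0);
            packet.WriteLittleEndian16((short)0);
            packet.WriteLittleEndian32(0);
            packet.WriteLittleEndian16((short)0);
            packet.WriteLittleEndian16((short)0);
            packet.WriteLittleEndian32(0);

            // 0x02000000 is NTLMSSP_NEGOTIATE_VERSION; it is always set above.
            if ((flags & 0x2000000) != 0)
            {
                this.WriteVersion(packet);
            }

            packet.Position     = 0L;
            this.m_NegotiateMsg = new byte[packet.Length];
            packet.Read(this.m_NegotiateMsg, 0, this.m_NegotiateMsg.Length);

            return this.m_NegotiateMsg;
        }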
Ejemplo n.º 5
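        /// <summary>
        /// Writes <paramref name="value"/> as a DER INTEGER: tag 0x02, a one-octet
        /// length, then the shortest big-endian two's-complement content (X.690 8.3).
        /// </summary>
        /// <param name="packet">Packet receiving the tag, length and content octets.</param>
        /// <param name="value">
        /// Value to encode. Negative values are encoded in two's complement, and a
        /// leading 0x00 octet is kept whenever the top content bit would otherwise be
        /// set (for example 0x80 is encoded as <c>02 02 00 80</c>, not <c>02 01 80</c>,
        /// which a DER decoder would read as -128). Values that fit without a sign
        /// octet (0..0x7F, 0x100..0x7FFF, ...) keep their previous encoding.
        /// </param>
        protected static void WriteInteger(RdpPacket packet, int value)
        {
            packet.WriteByte(2);

            // Trim leading octets that carry no information: a 0x00 followed by a clear
            // sign bit, or a 0xFF followed by a set sign bit. At least one octet remains.
            int length = 4;
            while (length > 1)
            {
                int top  = (value >> (8 * (length - 1))) & 0xff;
                int next = (value >> (8 * (length - 2))) & 0xff;

                bool redundantZero = top == 0x00 && (next & 0x80) == 0;
                bool redundantOnes = top == 0xff && (next & 0x80) != 0;

                if (!redundantZero && !redundantOnes)
                {
                    break;
                }

                length--;
            }

            packet.WriteByte((byte)length);

            // Content octets, most significant first; shifting avoids any host byte-order assumption.
            for (int i = length - 1; i >= 0; i--)
            {
                packet.WriteByte((byte)((value >> (8 * i)) & 0xff));
            }
        }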
Ejemplo n.º 6
 /// <summary>
 /// Emits the low octet of <paramref name="value"/> into <paramref name="packet"/>;
 /// the higher bits are dropped by the narrowing cast.
 /// </summary>
 /// <param name="packet">Packet receiving the octet at its current position.</param>
 /// <param name="value">Value whose low 8 bits are written.</param>
 protected static void WriteByte(RdpPacket packet, int value)
 {
     byte octet = (byte)value;
     packet.WriteByte(octet);
 }
Ejemplo n.º 7
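        /// <summary>
        /// Closes the DER length field registered in <c>m_Fixup</c> under
        /// <paramref name="Identifier"/>, now that the element's content has been
        /// written. A fixup with <c>Length == -1</c> has a single placeholder octet at
        /// <c>Offset</c> that is replaced by the real length (inserting extra octets
        /// for the long form); any other <c>Length</c> is only verified.
        /// </summary>
        /// <param name="packet">Packet positioned just past the element's content.</param>
        /// <param name="Identifier">Key of the pending fixup; it is removed from <c>m_Fixup</c>.</param>
        /// <exception cref="InvalidOperationException">A pre-declared length does not match what was written.</exception>
        protected static void UpdateLength(RdpPacket packet, string Identifier)
        {
            Fixup fixup = m_Fixup[Identifier];
            m_Fixup.Remove(Identifier);

            // End of the content; shifts right by one for every octet inserted below.
            long endPosition = packet.Position;

            if (fixup.Length != -1)
            {
                // The length was written up front with a known size: verify, do not patch.
                long written = packet.Position - fixup.Offset;

                if (written != fixup.Length)
                {
                    throw new InvalidOperationException("DER Tag length invalid");
                }

                return;
            }

            // Content starts right after the one-octet placeholder at fixup.Offset.
            long contentLength = packet.Position - (fixup.Offset + 1L);
            packet.Position = fixup.Offset;

            if (contentLength > 0x7fL)
            {
                // Long form (X.690 8.1.3.5): 0x80 | octet count, then the length big-endian.
                // Only up to four length octets are emitted, which covers contents below 4 GiB.
                int octets = contentLength > 0xffffffL ? 4
                           : contentLength > 0xffffL   ? 3
                           : contentLength > 0xffL     ? 2
                           : 1;

                // Overwrite the placeholder with the first octet, insert the rest after it.
                packet.WriteByte((byte)(0x80 | octets));

                for (int i = octets - 1; i >= 0; i--)
                {
                    packet.InsertByte((byte)((contentLength >> (8 * i)) & 0xff));
                    endPosition += 1L;
                }
            }
            else
            {
                // Short form: the length itself fits in the placeholder octet.
                packet.WriteByte((byte)contentLength);
            }

            packet.Position = endPosition;
        }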
Ejemplo n.º 8
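        /// <summary>
        /// Builds the NTLM AUTHENTICATE_MESSAGE (message type 3): header, six field
        /// descriptors, flags, optional VERSION, optional MIC, then the payload buffers
        /// in the order domain, user, workstation, LM response, NT response,
        /// encrypted session key.
        /// </summary>
        /// <param name="lmChallengeResponse">LmChallengeResponse payload.</param>
        /// <param name="ntChallengeResponse">NtChallengeResponse payload.</param>
        /// <param name="sDomainName">Domain name, written as UTF-16LE.</param>
        /// <param name="sUser">User name, written as UTF-16LE.</param>
        /// <param name="sWorkstation">Workstation name, written as UTF-16LE.</param>
        /// <param name="EncryptedRandomSessionKey">EncryptedRandomSessionKey payload.</param>
        /// <param name="ExportedSessionKey">Key for the HMAC that produces the MIC.</param>
        /// <param name="bGenerateMIC">When true, a 16-byte MIC over NEGOTIATE, CHALLENGE and this message is embedded.</param>
        /// <returns>The encoded AUTHENTICATE_MESSAGE.</returns>
        /// <exception cref="InvalidOperationException">A MIC was requested before the NEGOTIATE and CHALLENGE messages were recorded.</exception>
        /// <exception cref="ArgumentOutOfRangeException">A payload is longer than a 16-bit field length can describe.</exception>
        private byte[] Authenticate(byte[] lmChallengeResponse, byte[] ntChallengeResponse, string sDomainName, string sUser, string sWorkstation, byte[] EncryptedRandomSessionKey, byte[] ExportedSessionKey, bool bGenerateMIC)
        {
            // The MIC covers the two earlier messages; fail clearly instead of with a null dereference.
            if (bGenerateMIC && (this.m_NegotiateMsg == null || this.m_ChallengeMsg == null))
            {
                throw new InvalidOperationException("MIC requires the NEGOTIATE and CHALLENGE messages to have been recorded first");
            }

            RdpPacket packet = new RdpPacket();

            // 0xE2800000 carries the flags that have no named constant here:
            // NEGOTIATE_56, NEGOTIATE_KEY_EXCH, NEGOTIATE_128, NEGOTIATE_VERSION (0x02000000)
            // and NEGOTIATE_TARGET_INFO (0x00800000).
            uint flags = 0xe2800000
                | NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY
                | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                | NTLMSSP_NEGOTIATE_NTLM
                | NTLMSSP_NEGOTIATE_SEAL
                | NTLMSSP_NEGOTIATE_SIGN
                | NTLMSSP_REQUEST_TARGET
                | NTLMSSP_NEGOTIATE_UNICODE;

            DumpFlags(flags);

            // Header: signature "NTLMSSP\0", MessageType 3.
            packet.WriteString("NTLMSSP", false);
            packet.WriteByte(0);
            packet.WriteLittleEndian32(3);

            // Payload begins after the header, six 8-byte field descriptors, the 4-byte
            // flags, the 8-byte VERSION when negotiated, and the 16-byte MIC when present.
            int payloadOffset = (int)packet.Position + (6 * 8) + 4;

            if ((flags & 0x2000000) != 0) // NTLMSSP_NEGOTIATE_VERSION
            {
                payloadOffset += 8;
            }

            if (bGenerateMIC)
            {
                payloadOffset += 0x10;
            }

            byte[] domainBytes      = Encoding.Unicode.GetBytes(sDomainName);
            byte[] userBytes        = Encoding.Unicode.GetBytes(sUser);
            byte[] workstationBytes = Encoding.Unicode.GetBytes(sWorkstation);

            // Buffer offsets follow the payload write order further down.
            int domainOffset      = payloadOffset;
            int userOffset        = domainOffset + domainBytes.Length;
            int workstationOffset = userOffset + userBytes.Length;
            int lmOffset          = workstationOffset + workstationBytes.Length;
            int ntOffset          = lmOffset + lmChallengeResponse.Length;
            int sessionKeyOffset  = ntOffset + ntChallengeResponse.Length;

            // Field descriptors in the fixed message order, which differs from payload order.
            WriteNtlmField(packet, lmChallengeResponse.Length, lmOffset);
            WriteNtlmField(packet, ntChallengeResponse.Length, ntOffset);
            WriteNtlmField(packet, domainBytes.Length, domainOffset);
            WriteNtlmField(packet, userBytes.Length, userOffset);
            WriteNtlmField(packet, workstationBytes.Length, workstationOffset);
            WriteNtlmField(packet, EncryptedRandomSessionKey.Length, sessionKeyOffset);
            packet.WriteLittleEndian32(flags);

            if ((flags & 0x2000000) != 0) // NTLMSSP_NEGOTIATE_VERSION
            {
                this.WriteVersion(packet);
            }

            // The MIC slot is zero-filled first; the HMAC is computed over the zeroed
            // message and then patched in at this position.
            long micPosition = packet.Position;

            if (bGenerateMIC)
            {
                packet.WritePadding(0x10);
            }

            packet.Write(domainBytes, 0, domainBytes.Length);
            packet.Write(userBytes, 0, userBytes.Length);
            packet.Write(workstationBytes, 0, workstationBytes.Length);
            packet.Write(lmChallengeResponse, 0, lmChallengeResponse.Length);
            packet.Write(ntChallengeResponse, 0, ntChallengeResponse.Length);
            packet.Write(EncryptedRandomSessionKey, 0, EncryptedRandomSessionKey.Length);

            if (bGenerateMIC)
            {
                packet.Position = 0L;
                byte[] messageWithZeroMic = new byte[packet.Length];
                packet.Read(messageWithZeroMic, 0, messageWithZeroMic.Length);

                // MIC = HMAC(ExportedSessionKey, NEGOTIATE || CHALLENGE || AUTHENTICATE-with-zero-MIC).
                HMACT64 hmac = new HMACT64(ExportedSessionKey);
                hmac.update(this.m_NegotiateMsg);
                hmac.update(this.m_ChallengeMsg);
                hmac.update(messageWithZeroMic);
                byte[] mic = hmac.digest();

                packet.Position = micPosition;
                packet.Write(mic, 0, mic.Length);
            }

            packet.Position = 0L;
            byte[] authenticateMsg = new byte[packet.Length];
            packet.Read(authenticateMsg, 0, authenticateMsg.Length);

            return authenticateMsg;
        }

        /// <summary>
        /// Writes one NTLM field descriptor: Len, MaxLen (same as Len) and BufferOffset.
        /// </summary>
        /// <param name="packet">Packet receiving the 8-byte descriptor.</param>
        /// <param name="length">Payload length; must fit in 16 bits.</param>
        /// <param name="offset">Absolute offset of the payload within the message.</param>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="length"/> exceeds 0xFFFF and would be truncated by the 16-bit field.</exception>
        private static void WriteNtlmField(RdpPacket packet, int length, int offset)
        {
            if (length < 0 || length > ushort.MaxValue)
            {
                throw new ArgumentOutOfRangeException("length", "NTLM field length must fit in 16 bits");
            }

            packet.WriteLittleEndian16((ushort)length);
            packet.WriteLittleEndian16((ushort)length);
            packet.WriteLittleEndian32(offset);
        }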