public static void TestRedo(string path, long size)
{
int bytesPerCluster = 512;
while (bytesPerCluster <= 65536)
{
string volumeLabel = "RedoTest_" + bytesPerCluster.ToString();
string fileName = "Test.txt";
byte[] fileData = System.Text.Encoding.ASCII.GetBytes("Redone");
CreateVolumeWithPendingFileCreation(path, size, bytesPerCluster, volumeLabel, fileName, fileData);
VHDMountHelper.MountVHD(path);
string driveName = MountHelper.WaitForDriveToMount(volumeLabel);
if (driveName == null)
{
throw new Exception("Timeout waiting for volume to mount");
}
bool isErrorFree = ChkdskHelper.Chkdsk(driveName);
if (!isErrorFree)
{
throw new InvalidDataException("CHKDSK reported errors");
}
byte[] bytesRead = File.ReadAllBytes(driveName + fileName);
if (!ByteUtils.AreByteArraysEqual(fileData, bytesRead))
{
throw new InvalidDataException("Test failed");
}
VHDMountHelper.UnmountVHD(path);
File.Delete(path);
bytesPerCluster = bytesPerCluster * 2;
}
}
/// <summary>
/// https://tools.ietf.org/html/rfc2743
/// </summary>
public static SimpleProtectedNegotiationToken ReadToken(byte[] tokenBytes, int offset)
{
byte tag = ByteReader.ReadByte(tokenBytes, ref offset);
if (tag == ApplicationTag)
{
// when an InitToken is sent, it is prepended by an Application Constructed Object specifier (0x60),
// and the OID for SPNEGO (see value in OID table above). This is the generic GSSAPI header.
int tokenLength = DerEncodingHelper.ReadLength(tokenBytes, ref offset);
tag = ByteReader.ReadByte(tokenBytes, ref offset);
if (tag == (byte)DerEncodingTag.ObjectIdentifier)
{
int objectIdentifierLength = DerEncodingHelper.ReadLength(tokenBytes, ref offset);
byte[] objectIdentifier = ByteReader.ReadBytes(tokenBytes, ref offset, objectIdentifierLength);
if (ByteUtils.AreByteArraysEqual(objectIdentifier, SPNEGOIdentifier))
{
tag = ByteReader.ReadByte(tokenBytes, ref offset);
if (tag == SimpleProtectedNegotiationTokenInit.NegTokenInitTag)
{
return(new SimpleProtectedNegotiationTokenInit(tokenBytes, offset));
}
}
}
}
else if (tag == SimpleProtectedNegotiationTokenResponse.NegTokenRespTag)
{
return(new SimpleProtectedNegotiationTokenResponse(tokenBytes, offset));
}
return(null);
}
/// <summary>
/// LM v2 / NTLM v2
/// </summary>
public User AuthenticateV2(string domainNameToAuth, string accountNameToAuth, byte[] serverChallenge, byte[] lmResponse, byte[] ntlmResponse)
{
for (int index = 0; index < this.Count; index++)
{
string accountName = this[index].AccountName;
string password = this[index].Password;
if (String.Equals(accountName, accountNameToAuth, StringComparison.InvariantCultureIgnoreCase))
{
byte[] _LMv2ClientChallenge = ByteReader.ReadBytes(lmResponse, 16, 8);
byte[] expectedLMv2Response = NTAuthentication.ComputeLMv2Response(serverChallenge, _LMv2ClientChallenge, password, accountName, domainNameToAuth);
if (ByteUtils.AreByteArraysEqual(expectedLMv2Response, lmResponse))
{
return(this[index]);
}
if (ntlmResponse.Length > 24)
{
NTLMv2ClientChallengeStructure clientChallengeStructure = new NTLMv2ClientChallengeStructure(ntlmResponse, 16);
byte[] clientChallengeStructurePadded = clientChallengeStructure.GetBytesPadded();
byte[] expectedNTLMv2Response = NTAuthentication.ComputeNTLMv2Response(serverChallenge, clientChallengeStructurePadded, password, accountName, domainNameToAuth);
if (ByteUtils.AreByteArraysEqual(expectedNTLMv2Response, ntlmResponse))
{
return(this[index]);
}
}
}
}
return(null);
}
public static bool TestCrc16Ccitt_1()
{
byte[] buffer = new byte[] { 0x06 };
byte[] checksum = new byte[] { 0x4E, 0x95 };
byte[] result = LittleEndianConverter.GetBytes(Crc16Ccitt.ComputeChecksum(buffer));
return(ByteUtils.AreByteArraysEqual(checksum, result));
}
// Based on #2 test vector from https://docs.microsoft.com/en-us/archive/blogs/openspecification/encryption-in-smb-3-0-a-protocol-perspective
public void TestDecryption()
{
byte[] key = new byte[] { 0x8F, 0xE2, 0xB5, 0x7E, 0xC3, 0x4D, 0x2D, 0xB5, 0xB1, 0xA9, 0x72, 0x7F, 0x52, 0x6B, 0xBD, 0xB5 };
byte[] nonce = new byte[] { 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00 };
byte[] signature = new byte[] { 0xA6, 0x01, 0x55, 0x30, 0xA1, 0x8F, 0x6D, 0x9A, 0xFF, 0xE2, 0x2A, 0xFA, 0xE8, 0xE6, 0x64, 0x84 };
byte[] associatedData = new byte[] { 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x14, 0x00, 0xE4, 0x08, 0x00,
0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x00, 0x00, 0x14, 0x00, 0xE4, 0x08, 0x00 };
byte[] encyrptedData = new byte[] { 0xDB, 0xF4, 0x64, 0x35, 0xC5, 0xF1, 0x41, 0x69, 0x29, 0x3C, 0xE0, 0x79, 0xE3, 0x44, 0x47, 0x9B,
0xF6, 0x70, 0x22, 0x7E, 0x49, 0x87, 0x3F, 0x45, 0x86, 0x72, 0xC3, 0x09, 0x8D, 0xAC, 0x46, 0x7D,
0xD5, 0x80, 0x9F, 0x36, 0x9D, 0x67, 0x40, 0x91, 0x66, 0x51, 0x57, 0x87, 0x14, 0x83, 0xE0, 0x1F,
0x7B, 0xEC, 0xD0, 0x20, 0x64, 0xEA, 0xC3, 0xE2, 0x35, 0xF9, 0x13, 0x66, 0x8B, 0xBC, 0x2F, 0x09,
0x79, 0x80, 0xD4, 0xB3, 0x78, 0xF1, 0x99, 0x3E, 0xFF, 0x6E, 0x60, 0xD1, 0x77, 0x30, 0x9E, 0x5B };
byte[] expectedData = new byte[] { 0xFE, 0x53, 0x4D, 0x42, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x21, 0x00,
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0xFE, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x14, 0x00, 0xE4, 0x08, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
byte[] data = AesCcm.DecryptAndAuthenticate(key, nonce, encyrptedData, associatedData, signature);
Assert.True(ByteUtils.AreByteArraysEqual(expectedData, data));
}
public bool IsPasswordEmpty(AuthenticateMessage message)
{
// Special case for anonymous authentication, see [MS-NLMP] 3.3.1 - NTLM v1 Authentication
if (message.LmChallengeResponse.Length == 1 || message.NtChallengeResponse.Length == 0)
{
return(true);
}
byte[] clientChallenge = ByteReader.ReadBytes(message.LmChallengeResponse, 0, 8);
byte[] emptyPasswordNTLMv1Response = NTAuthentication.ComputeNTLMv1ExtendedSecurityResponse(m_serverChallenge, clientChallenge, String.Empty);
if (ByteUtils.AreByteArraysEqual(emptyPasswordNTLMv1Response, message.NtChallengeResponse))
{
return(true);
}
if (message.NtChallengeResponse.Length > 24)
{
NTLMv2ClientChallengeStructure clientChallengeStructure = new NTLMv2ClientChallengeStructure(message.NtChallengeResponse, 16);
byte[] clientChallengeStructurePadded = clientChallengeStructure.GetBytesPadded();
byte[] emptyPasswordNTLMv2Response = NTAuthentication.ComputeNTLMv2Response(m_serverChallenge, clientChallengeStructurePadded, String.Empty, message.UserName, message.DomainName);
if (ByteUtils.AreByteArraysEqual(emptyPasswordNTLMv2Response, message.NtChallengeResponse))
{
return(true);
}
}
return(false);
}
public void LMv1ResponseTest()
{
byte[] challenge = new byte[] { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
byte[] response = NTLMCryptography.ComputeLMv1Response(challenge, "Password");
byte[] expected = { 0x98, 0xde, 0xf7, 0xb8, 0x7f, 0x88, 0xaa, 0x5d, 0xaf, 0xe2, 0xdf, 0x77, 0x96, 0x88, 0xa1, 0x72, 0xde, 0xf1, 0x1c, 0x7d, 0x5c, 0xcd, 0xef, 0x13 };
Assert.True(ByteUtils.AreByteArraysEqual(response, expected));
}
public void TestEncryption()
{
byte[] encryptionKey = new byte[] { 0x26, 0x1B, 0x72, 0x35, 0x05, 0x58, 0xF2, 0xE9, 0xDC, 0xF6, 0x13, 0x07, 0x03, 0x83, 0xED, 0xBF };
byte[] nonce = new byte[] { 0x66, 0xE6, 0x9A, 0x11, 0x18, 0x92, 0x58, 0x4F, 0xB5, 0xED, 0x52 };
ulong sessionID = 0x8e40014000011;
byte[] message = new byte[] { 0xFE, 0x53, 0x4D, 0x42, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x40, 0x00,
0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0xFE, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x14, 0x00, 0xE4, 0x08, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x31, 0x00, 0x70, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x15, 0x01, 0x00, 0x00, 0x39, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, 0x39, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x53, 0x6D, 0x62, 0x33, 0x20, 0x65, 0x6E, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x20,
0x74, 0x65, 0x73, 0x74, 0x69, 0x6E, 0x67 };
byte[] expectedEncrypted = new byte[] { 0x25, 0xC8, 0xFE, 0xE1, 0x66, 0x05, 0xA4, 0x37, 0x83, 0x2D, 0x1C, 0xD5, 0x2D, 0xA9, 0xF4, 0x64,
0x53, 0x33, 0x48, 0x2A, 0x17, 0x5F, 0xE5, 0x38, 0x45, 0x63, 0xF4, 0x5F, 0xCD, 0xAF, 0xAE, 0xF3,
0x8B, 0xC6, 0x2B, 0xA4, 0xD5, 0xC6, 0x28, 0x97, 0x99, 0x66, 0x25, 0xA4, 0x4C, 0x29, 0xBE, 0x56,
0x58, 0xDE, 0x2E, 0x61, 0x17, 0x58, 0x57, 0x79, 0xE7, 0xB5, 0x9F, 0xFD, 0x97, 0x12, 0x78, 0xD0,
0x85, 0x80, 0xD7, 0xFA, 0x89, 0x9E, 0x41, 0x0E, 0x91, 0x0E, 0xAB, 0xF5, 0xAA, 0x1D, 0xB4, 0x30,
0x50, 0xB3, 0x3B, 0x49, 0x18, 0x26, 0x37, 0x75, 0x9A, 0xC1, 0x5D, 0x84, 0xBF, 0xCD, 0xF5, 0xB6,
0xB2, 0x38, 0x99, 0x3C, 0x0F, 0x4C, 0xF4, 0xD6, 0x01, 0x20, 0x23, 0xF6, 0xC6, 0x27, 0x29, 0x70,
0x75, 0xD8, 0x4B, 0x78, 0x03, 0x91, 0x2D, 0x0A, 0x96, 0x39, 0x63, 0x44, 0x53, 0x59, 0x5E, 0xF3,
0xE3, 0x3F, 0xFE, 0x4E, 0x7A, 0xC2, 0xAB };
byte[] expectedSignature = new byte[] { 0x81, 0xA2, 0x86, 0x53, 0x54, 0x15, 0x44, 0x5D, 0xAE, 0x39, 0x39, 0x21, 0xE4, 0x4F, 0xA4, 0x2E };
byte[] signature;
byte[] encryptedMessage = SMB2Cryptography.EncryptMessage(encryptionKey, nonce, message, sessionID, out signature);
Assert.True(ByteUtils.AreByteArraysEqual(expectedEncrypted, encryptedMessage));
// The associated data in this sample include non-zero nonce padding so we ignore signature validation
}
public static bool TestCrc16Ccitt_2()
{
byte[] buffer = new byte[] { 0x0d, 0x0f, 0x50, 0x42, 0x4c, 0x5f, 0x44, 0x6c, 0x6f, 0x61, 0x64, 0x56, 0x45, 0x52, 0x31, 0x2e, 0x30 };
byte[] checksum = new byte[] { 0x37, 0x41 };
byte[] result = LittleEndianConverter.GetBytes(Crc16Ccitt.ComputeChecksum(buffer));
return(ByteUtils.AreByteArraysEqual(checksum, result));
}
public static void TestSimultaneousWriteAndRead(string path, long size)
{
RawDiskImage disk = RawDiskImage.Create(path, size);
disk.ExclusiveLock(true);
int totalSectors = (int)Math.Min(disk.TotalSectors, Int32.MaxValue);
Parallel.For(0, totalSectors / 2, 1, 4, delegate(int sectorHint)
{
long sectorIndex = sectorHint * 2;
byte[] pattern = GetTestPattern(sectorIndex, 2, RawDiskImage.DefaultBytesPerSector);
disk.WriteSectors(sectorIndex, pattern);
if (sectorIndex > 100)
{
long sectorIndexToVerify = sectorIndex - 100;
byte[] expectedPattern = GetTestPattern(sectorIndexToVerify, 2, RawDiskImage.DefaultBytesPerSector);
byte[] sectorBytes = disk.ReadSectors(sectorIndexToVerify, 2);
if (!ByteUtils.AreByteArraysEqual(sectorBytes, expectedPattern))
{
throw new InvalidDataException("Test failed");
}
}
});
disk.ReleaseLock();
}
// Based on #1 test vector from https://docs.microsoft.com/en-us/archive/blogs/openspecification/encryption-in-smb-3-0-a-protocol-perspective
public void TestEncryption()
{
byte[] key = new byte[] { 0x26, 0x1B, 0x72, 0x35, 0x05, 0x58, 0xF2, 0xE9, 0xDC, 0xF6, 0x13, 0x07, 0x03, 0x83, 0xED, 0xBF };
byte[] nonce = new byte[] { 0x66, 0xE6, 0x9A, 0x11, 0x18, 0x92, 0x58, 0x4F, 0xB5, 0xED, 0x52 };
byte[] data = new byte[] { 0xFE, 0x53, 0x4D, 0x42, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x40, 0x00,
0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0xFE, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x14, 0x00, 0xE4, 0x08, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x31, 0x00, 0x70, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x15, 0x01, 0x00, 0x00, 0x39, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, 0x39, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x53, 0x6D, 0x62, 0x33, 0x20, 0x65, 0x6E, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x20,
0x74, 0x65, 0x73, 0x74, 0x69, 0x6E, 0x67 };
byte[] associatedData = new byte[] { 0x66, 0xE6, 0x9A, 0x11, 0x18, 0x92, 0x58, 0x4F, 0xB5, 0xED, 0x52, 0x4A, 0x74, 0x4D, 0xA3, 0xEE,
0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x00, 0x00, 0x14, 0x00, 0xE4, 0x08, 0x00 };
byte[] expectedEncrypted = new byte[] { 0x25, 0xC8, 0xFE, 0xE1, 0x66, 0x05, 0xA4, 0x37, 0x83, 0x2D, 0x1C, 0xD5, 0x2D, 0xA9, 0xF4, 0x64,
0x53, 0x33, 0x48, 0x2A, 0x17, 0x5F, 0xE5, 0x38, 0x45, 0x63, 0xF4, 0x5F, 0xCD, 0xAF, 0xAE, 0xF3,
0x8B, 0xC6, 0x2B, 0xA4, 0xD5, 0xC6, 0x28, 0x97, 0x99, 0x66, 0x25, 0xA4, 0x4C, 0x29, 0xBE, 0x56,
0x58, 0xDE, 0x2E, 0x61, 0x17, 0x58, 0x57, 0x79, 0xE7, 0xB5, 0x9F, 0xFD, 0x97, 0x12, 0x78, 0xD0,
0x85, 0x80, 0xD7, 0xFA, 0x89, 0x9E, 0x41, 0x0E, 0x91, 0x0E, 0xAB, 0xF5, 0xAA, 0x1D, 0xB4, 0x30,
0x50, 0xB3, 0x3B, 0x49, 0x18, 0x26, 0x37, 0x75, 0x9A, 0xC1, 0x5D, 0x84, 0xBF, 0xCD, 0xF5, 0xB6,
0xB2, 0x38, 0x99, 0x3C, 0x0F, 0x4C, 0xF4, 0xD6, 0x01, 0x20, 0x23, 0xF6, 0xC6, 0x27, 0x29, 0x70,
0x75, 0xD8, 0x4B, 0x78, 0x03, 0x91, 0x2D, 0x0A, 0x96, 0x39, 0x63, 0x44, 0x53, 0x59, 0x5E, 0xF3,
0xE3, 0x3F, 0xFE, 0x4E, 0x7A, 0xC2, 0xAB };
byte[] expectedSignature = new byte[] { 0x81, 0xA2, 0x86, 0x53, 0x54, 0x15, 0x44, 0x5D, 0xAE, 0x39, 0x39, 0x21, 0xE4, 0x4F, 0xA4, 0x2E };
byte[] calculatedSignature;
byte[] encrypted = AesCcm.Encrypt(key, nonce, data, associatedData, 16, out calculatedSignature);
Assert.True(ByteUtils.AreByteArraysEqual(expectedEncrypted, encrypted));
Assert.True(ByteUtils.AreByteArraysEqual(expectedSignature, calculatedSignature));
}
public static void TestOverlappedWriteAndOverlappedRead(string path, long size)
{
RawDiskImage disk = RawDiskImage.Create(path, size);
disk.ExclusiveLock(true);
int totalSectors = (int)Math.Min(disk.TotalSectors, Int32.MaxValue);
Parallel.For(0, totalSectors, 1, 4, delegate(int sectorIndex)
{
byte[] pattern = GetTestPattern(sectorIndex, RawDiskImage.DefaultBytesPerSector);
disk.WriteSectors(sectorIndex, pattern);
});
Parallel.For(0, totalSectors, 1, 4, delegate(int sectorIndex)
{
byte[] pattern = GetTestPattern(sectorIndex, RawDiskImage.DefaultBytesPerSector);
byte[] sectorBytes = disk.ReadSector(sectorIndex);
if (!ByteUtils.AreByteArraysEqual(pattern, sectorBytes))
{
throw new InvalidDataException("Test failed");
}
});
disk.ReleaseLock();
}
public static void TestWriteRead(string path, long size)
{
RawDiskImage disk = RawDiskImage.Create(path, size);
disk.ExclusiveLock();
for (long sectorIndex = 0; sectorIndex < disk.TotalSectors; sectorIndex += PhysicalDisk.MaximumDirectTransferSizeLBA)
{
long leftToWrite = disk.TotalSectors - sectorIndex;
int sectorsToWrite = (int)Math.Min(leftToWrite, PhysicalDisk.MaximumDirectTransferSizeLBA);
byte[] pattern = GetTestPattern(sectorIndex, sectorsToWrite, RawDiskImage.DefaultBytesPerSector);
disk.WriteSectors(sectorIndex, pattern);
}
for (long sectorIndex = 0; sectorIndex < disk.TotalSectors; sectorIndex += PhysicalDisk.MaximumDirectTransferSizeLBA)
{
long leftToRead = disk.TotalSectors - sectorIndex;
int sectorsToRead = (int)Math.Min(leftToRead, PhysicalDisk.MaximumDirectTransferSizeLBA);
byte[] pattern = GetTestPattern(sectorIndex, sectorsToRead, RawDiskImage.DefaultBytesPerSector);
byte[] sectorBytes = disk.ReadSectors(sectorIndex, sectorsToRead);
if (!ByteUtils.AreByteArraysEqual(pattern, sectorBytes))
{
throw new InvalidDataException("Test failed");
}
}
disk.ReleaseLock();
}
public static bool NTLMv2ChallengeMessageTest()
{
byte[] expected = new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x0c, 0x00,
0x38, 0x00, 0x00, 0x00, 0x33, 0x82, 0x8a, 0xe2, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x24, 0x00, 0x44, 0x00, 0x00, 0x00,
0x06, 0x00, 0x70, 0x17, 0x00, 0x00, 0x00, 0x0f, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00,
0x65, 0x00, 0x72, 0x00, 0x02, 0x00, 0x0c, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00,
0x69, 0x00, 0x6e, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00,
0x65, 0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00 };
byte[] serverChallenge = new byte[] { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
ChallengeMessage message = new ChallengeMessage();
message.ServerChallenge = serverChallenge;
message.Version = new NTLMVersion(6, 0, 6000, 15);
message.NegotiateFlags = NegotiateFlags.UnicodeEncoding | NegotiateFlags.OEMEncoding | NegotiateFlags.Sign | NegotiateFlags.Seal | NegotiateFlags.NTLMSessionSecurity | NegotiateFlags.AlwaysSign | NegotiateFlags.TargetTypeServer | NegotiateFlags.ExtendedSessionSecurity | NegotiateFlags.TargetInfo | NegotiateFlags.Version | NegotiateFlags.Use128BitEncryption | NegotiateFlags.KeyExchange | NegotiateFlags.Use56BitEncryption;
message.TargetName = "Server";
byte[] serverAVPair = AVPairUtils.GetAVPairSequence("Domain", "Server");
message.TargetInfo = serverAVPair;
byte[] messageBytes = message.GetBytes();
bool success = ByteUtils.AreByteArraysEqual(expected, messageBytes);
return(success);
}
/// <summary>
/// LM v1 / NTLM v1 Extended Session Security
/// </summary>
private static bool AuthenticateV1Extended(string password, byte[] serverChallenge, byte[] lmResponse, byte[] ntResponse)
{
byte[] clientChallenge = ByteReader.ReadBytes(lmResponse, 0, 8);
byte[] expectedNTLMv1Response = NTLMCryptography.ComputeNTLMv1ExtendedSessionSecurityResponse(serverChallenge, clientChallenge, password);
return(ByteUtils.AreByteArraysEqual(expectedNTLMv1Response, ntResponse));
}
public void TestDecryption()
{
byte[] decryptionKey = new byte[] { 0x8F, 0xE2, 0xB5, 0x7E, 0xC3, 0x4D, 0x2D, 0xB5, 0xB1, 0xA9, 0x72, 0x7F, 0x52, 0x6B, 0xBD, 0xB5 };
byte[] transformedPacket = new byte[] { 0xFD, 0x53, 0x4D, 0x42, 0xA6, 0x01, 0x55, 0x30, 0xA1, 0x8F, 0x6D, 0x9A, 0xFF, 0xE2, 0x2A, 0xFA,
0xE8, 0xE6, 0x64, 0x84, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x14,
0x00, 0xE4, 0x08, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x00, 0x00, 0x14,
0x00, 0xE4, 0x08, 0x00, 0xDB, 0xF4, 0x64, 0x35, 0xC5, 0xF1, 0x41, 0x69, 0x29, 0x3C, 0xE0, 0x79,
0xE3, 0x44, 0x47, 0x9B, 0xF6, 0x70, 0x22, 0x7E, 0x49, 0x87, 0x3F, 0x45, 0x86, 0x72, 0xC3, 0x09,
0x8D, 0xAC, 0x46, 0x7D, 0xD5, 0x80, 0x9F, 0x36, 0x9D, 0x67, 0x40, 0x91, 0x66, 0x51, 0x57, 0x87,
0x14, 0x83, 0xE0, 0x1F, 0x7B, 0xEC, 0xD0, 0x20, 0x64, 0xEA, 0xC3, 0xE2, 0x35, 0xF9, 0x13, 0x66,
0x8B, 0xBC, 0x2F, 0x09, 0x79, 0x80, 0xD4, 0xB3, 0x78, 0xF1, 0x99, 0x3E, 0xFF, 0x6E, 0x60, 0xD1,
0x77, 0x30, 0x9E, 0x5B };
byte[] expectedDecryptedMessage = new byte[] { 0xFE, 0x53, 0x4D, 0x42, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x21, 0x00,
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0xFE, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x14, 0x00, 0xE4, 0x08, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
SMB2TransformHeader transformHeader = new SMB2TransformHeader(transformedPacket, 0);
byte[] encryptedMessage = ByteReader.ReadBytes(transformedPacket, SMB2TransformHeader.Length, (int)transformHeader.OriginalMessageSize);
byte[] decryptedMessage = SMB2Cryptography.DecryptMessage(decryptionKey, transformHeader, encryptedMessage);
Assert.True(ByteUtils.AreByteArraysEqual(expectedDecryptedMessage, decryptedMessage));
}
public static bool ValidateCertificate(byte[] issuingCertificate, byte[] certificateToValidate)
{
RSAParameters rsaParameters = GetRSAParameters(issuingCertificate);
byte[] certificateSignature = ByteReader.ReadBytes(certificateToValidate, certificateToValidate.Length - 256, 256);
byte[] decodedSignature = RSAHelper.DecryptSignature(certificateSignature, rsaParameters);
byte[] tbsCertificate = CertificateHelper.ExtractTbsCertificate(certificateToValidate);
if (StartsWith(decodedSignature, SHA_256_PKCS_ID))
{
byte[] expectedHash = ByteReader.ReadBytes(decodedSignature, SHA_256_PKCS_ID.Length, 32);
SHA256Managed sha256 = new SHA256Managed();
byte[] hash = sha256.ComputeHash(tbsCertificate);
return(ByteUtils.AreByteArraysEqual(hash, expectedHash));
}
else if (StartsWith(decodedSignature, SHA_160_PKCS_ID))
{
byte[] expectedHash = ByteReader.ReadBytes(decodedSignature, SHA_160_PKCS_ID.Length, 20);
SHA1Managed sha1 = new SHA1Managed();
byte[] hash = sha1.ComputeHash(tbsCertificate);
return(ByteUtils.AreByteArraysEqual(hash, expectedHash));
}
else
{
throw new NotImplementedException("Unsupported Signature PKCS ID");
}
}
public void NTLMv1ResponseTest()
{
byte[] challenge = new byte[] { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
byte[] response = NTLMCryptography.ComputeNTLMv1Response(challenge, "Password");
byte[] expected = { 0x67, 0xc4, 0x30, 0x11, 0xf3, 0x02, 0x98, 0xa2, 0xad, 0x35, 0xec, 0xe6, 0x4f, 0x16, 0x33, 0x1c, 0x44, 0xbd, 0xbe, 0xd9, 0x27, 0x84, 0x1f, 0x94 };
Assert.True(ByteUtils.AreByteArraysEqual(response, expected));
}
/// <summary>
/// Get Windows Volume Guid of MBR disk
/// </summary>
/// <param name="partitionStartOffset">In bytes</param>
/// <returns></returns>
public static Guid?GetWindowsVolumeGuid(uint mbrDiskSignature, ulong partitionStartOffset)
{
byte[] identifier = new byte[12];
LittleEndianWriter.WriteUInt32(identifier, 0, mbrDiskSignature);
LittleEndianWriter.WriteUInt64(identifier, 4, partitionStartOffset);
RegistryKey mountedDevices = Registry.LocalMachine.OpenSubKey(@"SYSTEM\MountedDevices");
foreach (string valueName in mountedDevices.GetValueNames())
{
object valueObject = mountedDevices.GetValue(valueName);
byte[] value = valueObject as byte[];
if (value != null && value.Length == 12)
{
if (ByteUtils.AreByteArraysEqual(value, identifier))
{
if (valueName.StartsWith(@"\??\Volume"))
{
string guidString = valueName.Substring(10);
return(new Guid(guidString));
}
}
}
}
return(null);
}
public static bool VerifyImageSignature(byte[] imageBytes, byte[] softwareID, byte[] hardwareID)
{
if (softwareID.Length != 8)
{
throw new ArgumentException("SoftwareID should be 8 bytes long");
}
if (hardwareID.Length != 8)
{
throw new ArgumentException("HardwareID should be 8 bytes long");
}
byte[] expectedHash = DecryptFileSignature(imageBytes);
byte[] imageHeader = ByteReader.ReadBytes(imageBytes, 0, ApplicationExecutableHeader.Length);
byte[] codeBytes = ApplicationExecutableHelper.ExtractCode(imageBytes);
HashAlgorithm hashAlgorithm;
if (expectedHash.Length == 20)
{
hashAlgorithm = SHA1.Create();
}
else if (expectedHash.Length == 32)
{
hashAlgorithm = SHA256.Create();
}
else
{
throw new Exception("Unknown hash algorithm");
}
byte[] message = hashAlgorithm.ComputeHash(ByteUtils.Concatenate(imageHeader, codeBytes));
byte[] hash = HMAC(softwareID, hardwareID, message, hashAlgorithm);
return(ByteUtils.AreByteArraysEqual(expectedHash, hash));
}
public static bool Test2()
{
byte[] key = new byte[] { 0x61, 0x8A, 0x63, 0xD2, 0xFB };
byte[] text = new byte[] { 0xDC, 0xEE, 0x4C, 0xF9, 0x2C };
byte[] expectedCipher = new byte[] { 0xF1, 0x38, 0x29, 0xC9, 0xDE };
byte[] cipher = RC4.Encrypt(key, text);
return(ByteUtils.AreByteArraysEqual(cipher, expectedCipher));
}
public static bool Test1()
{
byte[] key = new byte[] { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };
byte[] text = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
byte[] expectedCipher = new byte[] { 0x74, 0x94, 0xC2, 0xE7, 0x10, 0x4B, 0x08, 0x79 };
byte[] cipher = RC4.Encrypt(key, text);
return(ByteUtils.AreByteArraysEqual(cipher, expectedCipher));
}
public void Test2()
{
byte[] key = new byte[] { 0x61, 0x8A, 0x63, 0xD2, 0xFB };
byte[] text = new byte[] { 0xDC, 0xEE, 0x4C, 0xF9, 0x2C };
byte[] expectedCipher = new byte[] { 0xF1, 0x38, 0x29, 0xC9, 0xDE };
byte[] cipher = RC4.Encrypt(key, text);
Assert.IsTrue(ByteUtils.AreByteArraysEqual(cipher, expectedCipher));
}
public static bool LMv1HashTest()
{
byte[] hash = NTLMCryptography.LMOWFv1("Password");
byte[] expected = new byte[] { 0xe5, 0x2c, 0xac, 0x67, 0x41, 0x9a, 0x9a, 0x22, 0x4a, 0x3b, 0x10, 0x8f, 0x3f, 0xa6, 0xcb, 0x6d };
bool success = ByteUtils.AreByteArraysEqual(hash, expected);
return(success);
}
public static bool NTv2HashTest()
{
byte[] hash = NTLMCryptography.NTOWFv2("Password", "User", "Domain");
byte[] expected = new byte[] { 0x0c, 0x86, 0x8a, 0x40, 0x3b, 0xfd, 0x7a, 0x93, 0xa3, 0x00, 0x1e, 0xf2, 0x2e, 0xf0, 0x2e, 0x3f };
bool success = ByteUtils.AreByteArraysEqual(hash, expected);
return(success);
}
public void LMv2ResponseTest()
{
byte[] serverChallenge = new byte[] { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
byte[] clientChallenge = new byte[] { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };
byte[] response = NTLMCryptography.ComputeLMv2Response(serverChallenge, clientChallenge, "Password", "User", "Domain");
byte[] expected = new byte[] { 0x86, 0xc3, 0x50, 0x97, 0xac, 0x9c, 0xec, 0x10, 0x25, 0x54, 0x76, 0x4a, 0x57, 0xcc, 0xcc, 0x19, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };
Assert.True(ByteUtils.AreByteArraysEqual(response, expected));
}
public static bool NTv1HashTest()
{
byte[] hash = NTLMCryptography.NTOWFv1("Password");
byte[] expected = new byte[] { 0xa4, 0xf4, 0x9c, 0x40, 0x65, 0x10, 0xbd, 0xca, 0xb6, 0x82, 0x4e, 0xe7, 0xc3, 0x0f, 0xd8, 0x52 };
bool success = ByteUtils.AreByteArraysEqual(hash, expected);
return(success);
}
public void Test1()
{
byte[] key = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };
byte[] text = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
byte[] expectedCipher = { 0x74, 0x94, 0xC2, 0xE7, 0x10, 0x4B, 0x08, 0x79 };
byte[] cipher = RC4.Encrypt(key, text);
Assert.True(ByteUtils.AreByteArraysEqual(cipher, expectedCipher));
}
public static bool StartsWith(byte[] array1, byte[] array2)
{
if (array1.Length >= array2.Length)
{
byte[] start = ByteReader.ReadBytes(array1, 0, array2.Length);
return(ByteUtils.AreByteArraysEqual(start, array2));
}
return(false);
}
public void Test2()
{
byte[] buffer = { 0x20, 0x46, 0x47, 0x45, 0x4e, 0x44, 0x4a, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00 };
int offset = 0;
string name = NetBiosUtils.DecodeName(buffer, ref offset);
byte[] encodedName = NetBiosUtils.EncodeName(name, string.Empty);
Assert.True(ByteUtils.AreByteArraysEqual(buffer, encodedName));
}
