////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal virtual Boolean ReadRequest()
{
treeId = recieve.Skip(40).Take(4).ToArray();
////////////////////////////////////////////////////////////////////////////////
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x05, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2ReadRequest readRequest = new SMB2ReadRequest();
readRequest.SetGuidHandleFile(guidFileHandle);
Byte[] bData = readRequest.GetRequest();
header.SetChainOffset(bData.Length);
if (signing)
{
header.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
else
{
header.SetFlags(new Byte[] { 0x00, 0x00, 0x00, 0x00 });
}
Byte[] bHeader = header.GetHeader();
////////////////////////////////////////////////////////////////////////////////
SMB2Header header2 = new SMB2Header();
header2.SetCommand(new Byte[] { 0x0e, 0x00 });
header2.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header2.SetMessageID(++messageId);
header2.SetProcessID(processId);
header2.SetTreeId(treeId);
header2.SetSessionID(sessionId);
header2.SetChainOffset(new Byte[] { 0x68, 0x00, 0x00, 0x00 });
SMB2FindFileRequestFile requestFile = new SMB2FindFileRequestFile();
requestFile.SetPadding(new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
Byte[] bData2 = requestFile.GetRequest();
if (signing)
{
header2.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header2.SetSignature(sessionKey, ref bData2);
}
else
{
header2.SetFlags(new Byte[] { 0x04, 0x00, 0x00, 0x00 });
}
Byte[] bHeader2 = header2.GetHeader();
////////////////////////////////////////////////////////////////////////////////
SMB2Header header3 = new SMB2Header();
header3.SetCommand(new Byte[] { 0x0e, 0x00 });
header3.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header3.SetMessageID(++messageId);
header3.SetProcessID(processId);
header3.SetTreeId(treeId);
header3.SetSessionID(sessionId);
SMB2FindFileRequestFile requestFile2 = new SMB2FindFileRequestFile();
requestFile2.SetOutputBufferLength(new Byte[] { 0x80, 0x00, 0x00, 0x00 });
Byte[] bData3 = requestFile2.GetRequest();
if (signing)
{
header3.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header3.SetSignature(sessionKey, ref bData3);
}
else
{
header3.SetFlags(new Byte[] { 0x04, 0x00, 0x00, 0x00 });
}
Byte[] bHeader3 = header3.GetHeader();
////////////////////////////////////////////////////////////////////////////////
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length + bHeader2.Length + bHeader3.Length);
sessionService.SetDataLength(bData.Length + bData2.Length + bData3.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
bSend = Combine.combine(bSend, Combine.combine(bHeader2, bData2));
bSend = Combine.combine(bSend, Combine.combine(bHeader3, bData3));
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
return true;
else
return false;
}
internal void SetNumCtxItems(Byte[] NumCtxItems, Byte[] NegotiateFlags)
{
if (this.NumCtxItems.Length == NumCtxItems.Length)
{
this.NumCtxItems = NumCtxItems;
}
if (2 == NumCtxItems[0])
{
Byte[] ContextID2 = { 0x01, 0x00 };
Byte[] NumTransItems2 = { 0x01 };
Byte[] Unknown3 = { 0x00 };
Byte[] Interface2 = { 0xc4, 0xfe, 0xfc, 0x99, 0x60, 0x52, 0x1b, 0x10, 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a };
Byte[] InterfaceVer2 = { 0x00, 0x00 };
Byte[] InterfaceVerMinor2 = { 0x00, 0x00 };
Byte[] TransferSyntax2 = { 0x2c, 0x1c, 0xb7, 0x6c, 0x12, 0x98, 0x40, 0x45, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
Byte[] TransferSyntaxVer2 = { 0x01, 0x00, 0x00, 0x00 };
Combine combine = new Combine();
combine.Extend(ContextID2);
combine.Extend(NumTransItems2);
combine.Extend(Unknown3);
combine.Extend(Interface2);
combine.Extend(InterfaceVer2);
combine.Extend(InterfaceVerMinor2);
combine.Extend(TransferSyntax2);
combine.Extend(TransferSyntaxVer2);
ExtraData = Combine.combine(ExtraData, combine.Retrieve());
}
else if (3 == NumCtxItems[0])
{
Byte[] ContextID2 = { 0x01, 0x00 };
Byte[] NumTransItems2 = { 0x01 };
Byte[] Unknown3 = { 0x00 };
Byte[] Interface2 = { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 };
Byte[] InterfaceVer2 = { 0x00, 0x00 };
Byte[] InterfaceVerMinor2 = { 0x00, 0x00 };
Byte[] TransferSyntax2 = { 0x33, 0x05, 0x71, 0x71, 0xba, 0xbe, 0x37, 0x49, 0x83, 0x19, 0xb5, 0xdb, 0xef, 0x9c, 0xcc, 0x36 };
Byte[] TransferSyntaxVer2 = { 0x01, 0x00, 0x00, 0x00 };
Byte[] ContextID3 = { 0x02, 0x00 };
Byte[] NumTransItems3 = { 0x01 };
Byte[] Unknown4 = { 0x00 };
Byte[] Interface3 = { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 };
Byte[] InterfaceVer3 = { 0x00, 0x00 };
Byte[] InterfaceVerMinor3 = { 0x00, 0x00 };
Byte[] TransferSyntax3 = { 0x2c, 0x1c, 0xb7, 0x6c, 0x12, 0x98, 0x40, 0x45, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
Byte[] TransferSyntaxVer3 = { 0x01, 0x00, 0x00, 0x00 };
Byte[] AuthType = { 0x0a };
Byte[] AuthLevel = { 0x04 };
Byte[] AuthPadLength = { 0x00 };
Byte[] AuthReserved = { 0x00 };
Byte[] ContextID4 = { 0x00, 0x00, 0x00, 0x00 };
Byte[] Identifier = { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 };
Byte[] MessageType = { 0x01, 0x00, 0x00, 0x00 };
//Byte[] NegotiateFlags = { 0x97, 0x82, 0x08, 0xe2 };
Byte[] CallingWorkstationDomain = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
Byte[] CallingWorkstationName = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
Byte[] OSVersion = { 0x06, 0x01, 0xb1, 0x1d, 0x00, 0x00, 0x00, 0x0f };
Combine combine = new Combine();
combine.Extend(ContextID2);
combine.Extend(NumTransItems2);
combine.Extend(Unknown3);
combine.Extend(Interface2);
combine.Extend(InterfaceVer2);
combine.Extend(InterfaceVerMinor2);
combine.Extend(TransferSyntax2);
combine.Extend(TransferSyntaxVer2);
combine.Extend(ContextID3);
combine.Extend(NumTransItems3);
combine.Extend(Unknown4);
combine.Extend(Interface3);
combine.Extend(InterfaceVer3);
combine.Extend(InterfaceVerMinor3);
combine.Extend(TransferSyntax3);
combine.Extend(TransferSyntaxVer3);
combine.Extend(AuthType);
combine.Extend(AuthLevel);
combine.Extend(AuthPadLength);
combine.Extend(AuthReserved);
combine.Extend(ContextID4);
combine.Extend(Identifier);
combine.Extend(MessageType);
combine.Extend(NegotiateFlags);
combine.Extend(CallingWorkstationDomain);
combine.Extend(CallingWorkstationName);
combine.Extend(OSVersion);
ExtraData = Combine.combine(ExtraData, combine.Retrieve());
}
}
internal void SetServerInfoName(String SetServerInfoName)
{
Byte[] targetUnicode = Encoding.Unicode.GetBytes(SetServerInfoName);
IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameString = Combine.combine(targetUnicode, new Byte[] { 0x00, 0x00, 0x00, 0x00 });
IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameActualCount = BitConverter.GetBytes(SetServerInfoName.Length + 1);
IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameMaxCount = BitConverter.GetBytes(SetServerInfoName.Length + 1);
Combine combine = new Combine();
for (Int32 i = 0; i < (Math.Truncate((Decimal)(targetUnicode.Length / 8 + 1) * 8) - targetUnicode.Length); i++)
{
combine.Extend(new Byte[] { 0x00 });
}
targetUnicode = Combine.combine(targetUnicode, combine.Retrieve());
Unknown4 = IActPropertiesCntData = BitConverter.GetBytes(targetUnicode.Length + 720);
IActPropertiesCUSTOMOBJREFSize = BitConverter.GetBytes(targetUnicode.Length + 680);
IActPropertiesCUSTOMOBJREFIActPropertiesTotalSize = IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderTotalSize = BitConverter.GetBytes(targetUnicode.Length + 664);
IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoPrivateHeader = Combine.combine(BitConverter.GetBytes(targetUnicode.Length + 40), new Byte[] { 0x00, 0x00, 0x00, 0x00 });
IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize4 = BitConverter.GetBytes(targetUnicode.Length + 56);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean Authenticate(String domain, String username, String hash)
{
String NTLMSSP = BitConverter.ToString(recieve).Replace("-", "");
Int32 index = NTLMSSP.IndexOf("4E544C4D53535000") / 2;
UInt16 wDomain = BitConverter.ToUInt16(recieve.Skip(index + 12).Take(2).ToArray(), 0);
UInt16 wtarget = BitConverter.ToUInt16(recieve.Skip(index + 40).Take(2).ToArray(), 0);
sessionId = recieve.Skip(44).Take(8).ToArray();
Byte[] bServerChallenge = recieve.Skip(index + 24).Take(8).ToArray();
Int32 start = index + 56 + wDomain;
Int32 end = index + 55 + wDomain + wtarget;
Byte[] details = recieve.Skip(start).Take(end - start + 1).ToArray();
Byte[] bTime = details.Skip(details.Length - 12).Take(8).ToArray();
Int32 j = 0;
Byte[] bHash = new Byte[hash.Length / 2];
for (Int32 i = 0; i < hash.Length; i += 2)
{
bHash[j++] = (Byte)((Char)Convert.ToInt16(hash.Substring(i, 2),16));
}
Byte[] bHostname = Encoding.Unicode.GetBytes(Environment.MachineName);
Byte[] hostnameLength = BitConverter.GetBytes(bHostname.Length).Take(2).ToArray();
Byte[] bDomain = Encoding.Unicode.GetBytes(domain);
Byte[] domainLength = BitConverter.GetBytes(bDomain.Length).Take(2).ToArray();
Byte[] bUsername = Encoding.Unicode.GetBytes(username);
Byte[] usernameLength = BitConverter.GetBytes(bUsername.Length).Take(2).ToArray();
Byte[] domainOffset = { 0x40, 0x00, 0x00, 0x00 };
Byte[] usernameOffset = BitConverter.GetBytes(bDomain.Length + 64);
Byte[] hostnameOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + 64);
Byte[] lmOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + bHostname.Length + 64);
Byte[] ntOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + bHostname.Length + 88);
String usernameTarget = username.ToUpper();
Byte[] bUsernameTarget = Encoding.Unicode.GetBytes(usernameTarget);
bUsernameTarget = Combine.combine(bUsernameTarget, bDomain);
Byte[] NetNTLMv2Hash;
using (HMACMD5 hmac = new HMACMD5())
{
hmac.Key = bHash;
NetNTLMv2Hash = hmac.ComputeHash(bUsernameTarget);
}
Byte[] bClientChallenge = new Byte[8];
Random random = new Random();
for (Int32 i = 0; i < 8; i++)
{
bClientChallenge[i] = (Byte)random.Next(0, 255);
}
Byte[] blob = Combine.combine(new Byte[] { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, bTime);
blob = Combine.combine(blob, bClientChallenge);
blob = Combine.combine(blob, new Byte[] { 0x00, 0x00, 0x00, 0x00 });
blob = Combine.combine(blob, details);
blob = Combine.combine(blob, new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
Byte[] bServerChallengeAndBlob = Combine.combine(bServerChallenge, blob);
Byte[] NetNTLMv2Response;
using (HMACMD5 hmacMD5 = new HMACMD5())
{
hmacMD5.Key = NetNTLMv2Hash;
NetNTLMv2Response = hmacMD5.ComputeHash(bServerChallengeAndBlob);
}
if (signing)
{
using (HMACMD5 hmacMD5 = new HMACMD5())
{
hmacMD5.Key = NetNTLMv2Hash;
sessionKey = hmacMD5.ComputeHash(NetNTLMv2Response);
}
}
NetNTLMv2Response = Combine.combine(NetNTLMv2Response, blob);
Byte[] NetNTLMv2ResponseLength = BitConverter.GetBytes(NetNTLMv2Response.Length).Take(2).ToArray();
Byte[] sessionKeyOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + bHostname.Length + NetNTLMv2Response.Length + 88);
Byte[] NetNTLMSSPResponse = { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00 };
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, new Byte[] { 0x18, 0x00 });
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, new Byte[] { 0x18, 0x00 });
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, lmOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, NetNTLMv2ResponseLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, NetNTLMv2ResponseLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, ntOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, domainLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, domainLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, domainOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, usernameLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, usernameLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, usernameOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, hostnameLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, hostnameLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, hostnameOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, sessionKeyLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, sessionKeyLength);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, sessionKeyOffset);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, flags);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, bDomain);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, bUsername);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, bHostname);
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, NetNTLMv2Response);
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x01, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x1f, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
Byte[] bHeader = header.GetHeader();
NTLMSSPAuth ntlmSSPAuth = new NTLMSSPAuth();
ntlmSSPAuth.SetNetNTLMResponse(NetNTLMSSPResponse);
Byte[] bNTLMSSPAuth = ntlmSSPAuth.GetNTLMSSPAuth();
SMB2SessionSetupRequest sessionSetup = new SMB2SessionSetupRequest();
sessionSetup.SetSecurityBlob(bNTLMSSPAuth);
Byte[] bData = sessionSetup.GetSMB2SessionSetupRequest();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] send = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(send, 0, send.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
{
Console.WriteLine("[+] Login Successful");
return true;
}
else
return false;
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean FindRequest()
{
treeId = recieve.Skip(40).Take(4).ToArray();
////////////////////////////////////////////////////////////////////////////////
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x0e, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
header.SetChainOffset(new Byte[] { 0x68, 0x00, 0x00, 0x00 });
SMB2FindFileRequestFile findFileRequestFile = new SMB2FindFileRequestFile();
findFileRequestFile.SetInfoLevel(new Byte[] { 0x25 });
findFileRequestFile.SetFileID(guidFileHandle);
findFileRequestFile.SetPadding(new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
Byte[] bData = findFileRequestFile.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
////////////////////////////////////////////////////////////////////////////////
SMB2Header header2 = new SMB2Header();
header2.SetCommand(new Byte[] { 0x0e, 0x00 });
header2.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header2.SetMessageID(++messageId);
header2.SetProcessID(processId);
header2.SetTreeId(treeId);
header2.SetSessionID(sessionId);
header.SetFlags(new Byte[] { 0x04, 0x00, 0x00, 0x00 });
SMB2FindFileRequestFile findFileRequestFile2 = new SMB2FindFileRequestFile();
findFileRequestFile2.SetInfoLevel(new Byte[] { 0x25 });
findFileRequestFile2.SetFileID(guidFileHandle);
findFileRequestFile2.SetPadding(new Byte[] { 0x80, 0x00, 0x00, 0x00 });
Byte[] bData2 = findFileRequestFile2.GetRequest();
if (signing)
{
header2.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 });
header2.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader2 = header2.GetHeader();
////////////////////////////////////////////////////////////////////////////////
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length + bHeader2.Length);
sessionService.SetDataLength(bData.Length + bData2.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Combine combine = new Combine();
combine.Extend(bHeader);
combine.Extend(bData);
combine.Extend(bHeader2);
combine.Extend(bData2);
Byte[] bSend = Combine.combine(bSessionService, combine.Retrieve());
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
return(GetStatus(recieve.Skip(12).Take(4).ToArray()));
}
internal Byte[] GetRequest()
{
return(Combine.combine(WordCount, ByteCount));
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal override Boolean InfoRequest()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x10, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2GetInfo getInfo = new SMB2GetInfo();
getInfo.SetClass(new Byte[] { 0x01 });
getInfo.SetInfoLevel(new Byte[] { 0x07 });
getInfo.SetMaxResponseSize(new Byte[] { 0x00, 0x10, 0x00, 0x00 });
getInfo.SetGetInfoInputOffset(new Byte[] { 0x68, 0x00 });
getInfo.SetGUIDHandleFile(guidFileHandle);
Byte[] bData = getInfo.GetRequest();
header.SetChainOffset(bData.Length);
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
SMB2Header header2 = new SMB2Header();
header2.SetCommand(new Byte[] { 0x10, 0x00 });
header2.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header2.SetMessageID(++messageId);
header2.SetProcessID(processId);
header2.SetTreeId(treeId);
header2.SetSessionID(sessionId);
header2.SetFlags(new Byte[] { 0x00, 0x00, 0x00, 0x04 });
SMB2GetInfo getInfo2 = new SMB2GetInfo();
getInfo2.SetClass(new Byte[] { 0x01 });
getInfo2.SetInfoLevel(new Byte[] { 0x16 });
getInfo2.SetMaxResponseSize(new Byte[] { 0x00, 0x10, 0x00, 0x00 });
getInfo2.SetGetInfoInputOffset(new Byte[] { 0x68, 0x00 });
getInfo2.SetGUIDHandleFile(guidFileHandle);
Byte[] bData2 = getInfo2.GetRequest();
if (signing)
{
header2.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header2.SetSignature(sessionKey, ref bData2);
}
Byte[] bHeader2 = header2.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length + bHeader2.Length);
sessionService.SetDataLength(bData.Length + bData2.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Combine combine = new Combine();
combine.Extend(bHeader);
combine.Extend(bData);
combine.Extend(bHeader2);
combine.Extend(bData2);
Byte[] bSend = Combine.combine(bSessionService, combine.Retrieve());
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
{
Byte[] size = recieve.Skip(0xda - 0x36).Take(8).ToArray();
fileSize = BitConverter.ToInt64(size, 0);
Byte[] size2 = recieve.Skip(0xe2 - 0x36).Take(8).ToArray();
allocationSize = BitConverter.ToInt64(size2, 0);
return(true);
}
return(false);
}
internal SVCCTLSCMCreateServiceW()
{
DisplayName_ReferentID = Combine.combine(BitConverter.GetBytes(GenerateUuidNumeric(2)).Take(2).ToArray(), new Byte[] { 0x00, 0x00 });
}
internal Byte[] GetRequest()
{
return(Combine.combine(StructureSize, Reserved));
}
internal void SetMessageID(UInt32 MessageID)
{
this.MessageID = Combine.combine(BitConverter.GetBytes(MessageID), new Byte[] { 0x00, 0x00, 0x00, 0x00 });
}
internal Byte[] GetNetBIOSSessionService()
{
Length = BitConverter.GetBytes(this.headerLength + this.dataLength).Take(3).ToArray();
Array.Reverse(Length);
return(Combine.combine(MessageType, Length));
}
internal Boolean OpenSCManagerW()
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x09, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SVCCTLSCMOpenSCManagerW openSCManagerW = new SVCCTLSCMOpenSCManagerW();
Byte[] bSCManager = openSCManagerW.GetRequest();
DCERPCRequest rpcRequest = new DCERPCRequest();
rpcRequest.SetPacketFlags(new Byte[] { 0x03 });
rpcRequest.SetFragLength(bSCManager.Length, 0, 0);
rpcRequest.SetCallID(new Byte[] { 0x01, 0x00, 0x00, 0x00 });
rpcRequest.SetContextID(new Byte[] { 0x00, 0x00 });
rpcRequest.SetOpnum(new Byte[] { 0x0f, 0x00 });
Byte[] bRPCRequest = rpcRequest.GetRequest();
SMB2WriteRequest writeRequest = new SMB2WriteRequest();
writeRequest.SetGuidHandleFile(guidFileHandle);
writeRequest.SetLength(bRPCRequest.Length + bSCManager.Length);
Byte[] bWriteRequest = writeRequest.GetRequest();
Combine combine = new Combine();
combine.Extend(bWriteRequest);
combine.Extend(bRPCRequest);
combine.Extend(bSCManager);
Byte[] bData = combine.Retrieve();
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
{
return(true);
}
else
{
return(false);
}
}
internal Byte[] GetRequest()
{
return(Combine.combine(ContextHandle, Unknown));
}
internal Byte[] GetRequest()
{
Byte[] request = Combine.combine(StructureSize, Flags);
request = Combine.combine(request, Reserved);
return(Combine.combine(request, FileID));
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean InfoRequest(String destination)
{
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x10, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2GetInfo getInfo = new SMB2GetInfo();
getInfo.SetClass(new Byte[] { 0x02 });
getInfo.SetInfoLevel(new Byte[] { 0x01 });
getInfo.SetMaxResponseSize(new Byte[] { 0x58, 0x00, 0x00, 0x00 });
getInfo.SetGetInfoInputOffset(new Byte[] { 00, 00 });
getInfo.SetGUIDHandleFile(guidFileHandle);
Byte[] bData = getInfo.GetRequest();
header.SetChainOffset(bData.Length);
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
SMB2Header header2 = new SMB2Header();
header2.SetCommand(new Byte[] { 0x10, 0x00 });
header2.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header2.SetMessageID(++messageId);
header2.SetProcessID(processId);
header2.SetTreeId(treeId);
header2.SetSessionID(sessionId);
header2.SetFlags(new Byte[] { 0x00, 0x00, 0x00, 0x04 });
SMB2GetInfo getInfo2 = new SMB2GetInfo();
getInfo2.SetClass(new Byte[] { 0x02 });
getInfo2.SetInfoLevel(new Byte[] { 0x05 });
getInfo2.SetMaxResponseSize(new Byte[] { 0x50, 0x00, 0x00, 0x00 });
getInfo2.SetGetInfoInputOffset(new Byte[] { 00, 00 });
getInfo2.SetGUIDHandleFile(guidFileHandle);
Byte[] bData2 = getInfo2.GetRequest();
if (signing)
{
header2.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header2.SetSignature(sessionKey, ref bData2);
}
Byte[] bHeader2 = header2.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length + bHeader2.Length);
sessionService.SetDataLength(bData.Length + bData2.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Combine combine = new Combine();
combine.Extend(bHeader);
combine.Extend(bData);
combine.Extend(bHeader2);
combine.Extend(bData2);
Byte[] bSend = Combine.combine(bSessionService, combine.Retrieve());
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatus(recieve.Skip(12).Take(4).ToArray()))
{
treeId = recieve.Skip(40).Take(4).ToArray();
fileStream = File.Create(Path.GetFullPath(destination), (Int32)allocationSize, FileOptions.None);
binaryWriter = new BinaryWriter(fileStream);
return(true);
}
return(false);
}
internal void SetExtraInfo(Int32 extraInfo, Int64 allocationSize)
{
AccessMask = new Byte[] { 0x80, 0x00, 0x10, 0x00 };
FileAttributes = new Byte[] { 0x00, 0x00, 0x00, 0x00 };
ShareAccess = new Byte[] { 0x00, 0x00, 0x00, 0x00 };
CreateOptions = new Byte[] { 0x21, 0x00, 0x00, 0x00 };
BlobOffset = BitConverter.GetBytes(FileNameBlobLength.Length);
switch (extraInfo)
{
case 1:
BlobLength = new Byte[] { 0x58, 0x00, 0x00, 0x00 };
break;
case 2:
BlobLength = new Byte[] { 0x90, 0x00, 0x00, 0x00 };
break;
default:
BlobLength = new Byte[] { 0xb0, 0x00, 0x00, 0x00 };
bAllocationSize = BitConverter.GetBytes(allocationSize);
break;
}
BlobOffset = BitConverter.GetBytes(Buffer.Length + 120);
Byte[] ExtraInfoDHnQ_ChainOffset = { 0x28, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoDHnQ_TagOffset = { 0x10, 0x00 };
Byte[] ExtraInfoDHnQ_TagLength = { 0x04, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoDHnQ_DataOffset = { 0x18, 0x00 };
Byte[] ExtraInfoDHnQ_DataLength = { 0x10, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoDHnQ_Tag = { 0x44, 0x48, 0x6e, 0x51 };
Byte[] ExtraInfoDHnQ_Unknown = { 0x00, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoDHnQ_DataGUIDHandle = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoDHnQ_ChainOffset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoDHnQ_TagOffset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoDHnQ_TagLength);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoDHnQ_DataOffset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoDHnQ_DataLength);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoDHnQ_Tag);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoDHnQ_Unknown);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoDHnQ_DataGUIDHandle);
if (extraInfo == 3)
{
Byte[] ExtraInfoAlSi_ChainOffset = { 0x20, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoAlSi_Tag_Offset = { 0x10, 0x00 };
Byte[] ExtraInfoAlSi_Tag_Length = { 0x04, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoAlSi_Data_Offset = { 0x18, 0x00 };
Byte[] ExtraInfoAlSi_Data_Length = { 0x08, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoAlSi_Tag = { 0x41, 0x6c, 0x53, 0x69 };
Byte[] ExtraInfoAlSi_Unknown = { 0x00, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoAlSi_AllocationSize = bAllocationSize;
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoAlSi_ChainOffset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoAlSi_Tag_Offset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoAlSi_Tag_Length);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoAlSi_Data_Offset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoAlSi_Data_Length);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoAlSi_Tag);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoAlSi_Unknown);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoAlSi_AllocationSize);
}
Byte[] ExtraInfoMxAc_ChainOffset = { 0x18, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoMxAc_Tag_Offset = { 0x10, 0x00 };
Byte[] ExtraInfoMxAc_Tag_Length = { 0x04, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoMxAc_Data_Offset = { 0x18, 0x00 };
Byte[] ExtraInfoMxAc_Data_Length = { 0x00, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoMxAc_Tag = { 0x4d, 0x78, 0x41, 0x63 };
Byte[] ExtraInfoMxAc_Unknown = { 0x00, 0x00, 0x00, 0x00 };
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoMxAc_ChainOffset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoMxAc_Tag_Offset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoMxAc_Tag_Length);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoMxAc_Data_Offset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoMxAc_Data_Length);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoMxAc_Tag);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoMxAc_Unknown);
Byte[] ExtraInfoQFid_ChainOffset;
if (extraInfo > 1)
{
ExtraInfoQFid_ChainOffset = new Byte[] { 0x18, 0x00, 0x00, 0x00 };
}
else
{
ExtraInfoQFid_ChainOffset = new Byte[] { 0x00, 0x00, 0x00, 0x00 };
}
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoQFid_ChainOffset);
Byte[] ExtraInfoQFid_Tag_Offset = { 0x10, 0x00 };
Byte[] ExtraInfoQFid_Tag_Length = { 0x04, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoQFid_Data_Offset = { 0x18, 0x00 };
Byte[] ExtraInfoQFid_Data_Length = { 0x00, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoQFid_Tag = { 0x51, 0x46, 0x69, 0x64 };
Byte[] ExtraInfoQFid_Unknown = { 0x00, 0x00, 0x00, 0x00 };
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoQFid_Tag_Offset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoQFid_Tag_Length);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoQFid_Data_Offset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoQFid_Data_Length);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoQFid_Tag);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoQFid_Unknown);
if (extraInfo > 1)
{
Byte[] ExtraInfoRqLs_ChainOffset = { 0x00, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoRqLs_Tag_Offset = { 0x10, 0x00 };
Byte[] ExtraInfoRqLs_Tag_Length = { 0x04, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoRqLs_Data_Offset = { 0x18, 0x00 };
Byte[] ExtraInfoRqLs_Data_Length = { 0x20, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoRqLs_Tag = { 0x52, 0x71, 0x4c, 0x73 };
Byte[] ExtraInfoRqLs_Unknown = { 0x00, 0x00, 0x00, 0x00 };
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_ChainOffset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_Tag_Offset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_Tag_Length);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_Data_Offset);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_Data_Length);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_Tag);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_Unknown);
Byte[] ExtraInfoRqLs_DataLeaseKey;
if (extraInfo == 2)
{
ExtraInfoRqLs_DataLeaseKey = new Byte[] { 0x10, 0xb0, 0x1d, 0x02, 0xa0, 0xf8, 0xff, 0xff, 0x47, 0x78, 0x67, 0x02, 0x00, 0x00, 0x00, 0x00 };
}
else
{
ExtraInfoRqLs_DataLeaseKey = new Byte[] { 0x10, 0x90, 0x64, 0x01, 0xa0, 0xf8, 0xff, 0xff, 0x47, 0x78, 0x67, 0x02, 0x00, 0x00, 0x00, 0x00 };
}
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_DataLeaseKey);
Byte[] ExtraInfoRqLs_Data_Lease_State = { 0x07, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoRqLs_Data_Lease_Flags = { 0x00, 0x00, 0x00, 0x00 };
Byte[] ExtraInfoRqLs_Data_Lease_Duration = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_Data_Lease_State);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_Data_Lease_Flags);
ExtraInfo = Combine.combine(ExtraInfo, ExtraInfoRqLs_Data_Lease_Duration);
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
internal Boolean CreateRequest(String folder, Int32 step)
{
treeId = recieve.Skip(40).Take(4).ToArray();
SMB2Header header = new SMB2Header();
header.SetCommand(new Byte[] { 0x05, 0x00 });
header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
header.SetMessageID(++messageId);
header.SetProcessID(processId);
header.SetTreeId(treeId);
header.SetSessionID(sessionId);
SMB2CreateRequest createRequest = new SMB2CreateRequest();
if (!String.IsNullOrEmpty(folder))
{
createRequest.SetFileName(folder);
}
createRequest.SetExtraInfo(1, 0);
if (1 == step)
{
createRequest.SetCreateOptions(new Byte[] { 0x00, 0x00, 0x20, 0x00 });
createRequest.SetAccessMask(new Byte[] { 0x80, 0x00, 0x00, 0x00 });
createRequest.SetShareAccess(new Byte[] { 0x07, 0x00, 0x00, 0x00 });
}
else if (2 == step)
{
createRequest.SetCreateOptions(new Byte[] { 0x00, 0x00, 0x20, 0x00 });
createRequest.SetAccessMask(new Byte[] { 0x80, 0x00, 0x00, 0x00 });
createRequest.SetShareAccess(new Byte[] { 0x00, 0x00, 0x00, 0x00 });
}
else if (3 == step)
{
createRequest.SetCreateOptions(new Byte[] { 0x40, 0x00, 0x20, 0x00 });
createRequest.SetAccessMask(new Byte[] { 0x80, 0x00, 0x01, 0x00 });
createRequest.SetShareAccess(new Byte[] { 0x07, 0x00, 0x00, 0x00 });
}
Byte[] bData = createRequest.GetRequest();
if (signing)
{
header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
header.SetSignature(sessionKey, ref bData);
}
Byte[] bHeader = header.GetHeader();
NetBIOSSessionService sessionService = new NetBIOSSessionService();
sessionService.SetHeaderLength(bHeader.Length);
sessionService.SetDataLength(bData.Length);
Byte[] bSessionService = sessionService.GetNetBIOSSessionService();
Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
streamSocket.Write(bSend, 0, bSend.Length);
streamSocket.Flush();
streamSocket.Read(recieve, 0, recieve.Length);
if (GetStatusSilent(recieve.Skip(12).Take(4).ToArray()))
{
guidFileHandle = recieve.Skip(0x0084).Take(16).ToArray();
return(true);
}
return(false);
}
