private static byte[] GetExportedSessionKey(byte[] sessionBaseKey, AuthenticateMessage message, byte[] serverChallenge, byte[] lmowf)
{
byte[] keyExchangeKey;
if (AuthenticationMessageUtils.IsNTLMv2NTResponse(message.NtChallengeResponse))
{
keyExchangeKey = sessionBaseKey;
}
else
{
keyExchangeKey = NTLMCryptography.KXKey(sessionBaseKey, message.NegotiateFlags, message.LmChallengeResponse, serverChallenge, lmowf);
}
if ((message.NegotiateFlags & NegotiateFlags.KeyExchange) > 0)
{
return(RC4.Decrypt(keyExchangeKey, message.EncryptedRandomSessionKey));
}
else
{
return(keyExchangeKey);
}
}
public static byte[] GetAuthenticateMessage(byte[] securityBlob, string domainName, string userName, string password, AuthenticationMethod authenticationMethod, out byte[] sessionKey)
{
sessionKey = null;
bool useGSSAPI = false;
SimpleProtectedNegotiationTokenResponse inputToken = null;
try
{
inputToken = SimpleProtectedNegotiationToken.ReadToken(securityBlob, 0, false) as SimpleProtectedNegotiationTokenResponse;
}
catch
{
}
ChallengeMessage challengeMessage;
if (inputToken != null)
{
challengeMessage = GetChallengeMessage(inputToken.ResponseToken);
useGSSAPI = true;
}
else
{
challengeMessage = GetChallengeMessage(securityBlob);
}
if (challengeMessage == null)
{
return(null);
}
DateTime time = DateTime.UtcNow;
byte[] clientChallenge = new byte[8];
new Random().NextBytes(clientChallenge);
AuthenticateMessage authenticateMessage = new AuthenticateMessage();
// https://msdn.microsoft.com/en-us/library/cc236676.aspx
authenticateMessage.NegotiateFlags = NegotiateFlags.Sign |
NegotiateFlags.NTLMSessionSecurity |
NegotiateFlags.AlwaysSign |
NegotiateFlags.Version |
NegotiateFlags.Use128BitEncryption |
NegotiateFlags.Use56BitEncryption;
if ((challengeMessage.NegotiateFlags & NegotiateFlags.UnicodeEncoding) > 0)
{
authenticateMessage.NegotiateFlags |= NegotiateFlags.UnicodeEncoding;
}
else
{
authenticateMessage.NegotiateFlags |= NegotiateFlags.OEMEncoding;
}
if ((challengeMessage.NegotiateFlags & NegotiateFlags.KeyExchange) > 0)
{
authenticateMessage.NegotiateFlags |= NegotiateFlags.KeyExchange;
}
if (authenticationMethod == AuthenticationMethod.NTLMv1)
{
authenticateMessage.NegotiateFlags |= NegotiateFlags.LanManagerSessionKey;
}
else
{
authenticateMessage.NegotiateFlags |= NegotiateFlags.ExtendedSessionSecurity;
}
authenticateMessage.UserName = userName;
authenticateMessage.DomainName = domainName;
authenticateMessage.WorkStation = Environment.MachineName;
byte[] sessionBaseKey;
byte[] keyExchangeKey;
if (authenticationMethod == AuthenticationMethod.NTLMv1 || authenticationMethod == AuthenticationMethod.NTLMv1ExtendedSessionSecurity)
{
if (authenticationMethod == AuthenticationMethod.NTLMv1)
{
authenticateMessage.LmChallengeResponse = NTLMCryptography.ComputeLMv1Response(challengeMessage.ServerChallenge, password);
authenticateMessage.NtChallengeResponse = NTLMCryptography.ComputeNTLMv1Response(challengeMessage.ServerChallenge, password);
}
else // NTLMv1ExtendedSessionSecurity
{
authenticateMessage.LmChallengeResponse = ByteUtils.Concatenate(clientChallenge, new byte[16]);
authenticateMessage.NtChallengeResponse = NTLMCryptography.ComputeNTLMv1ExtendedSessionSecurityResponse(challengeMessage.ServerChallenge, clientChallenge, password);
}
// https://msdn.microsoft.com/en-us/library/cc236699.aspx
sessionBaseKey = new MD4().GetByteHashFromBytes(NTLMCryptography.NTOWFv1(password));
byte[] lmowf = NTLMCryptography.LMOWFv1(password);
keyExchangeKey = NTLMCryptography.KXKey(sessionBaseKey, authenticateMessage.NegotiateFlags, authenticateMessage.LmChallengeResponse, challengeMessage.ServerChallenge, lmowf);
}
else // NTLMv2
{
NTLMv2ClientChallenge clientChallengeStructure = new NTLMv2ClientChallenge(time, clientChallenge, challengeMessage.TargetInfo);
byte[] clientChallengeStructurePadded = clientChallengeStructure.GetBytesPadded();
byte[] ntProofStr = NTLMCryptography.ComputeNTLMv2Proof(challengeMessage.ServerChallenge, clientChallengeStructurePadded, password, userName, domainName);
authenticateMessage.LmChallengeResponse = NTLMCryptography.ComputeLMv2Response(challengeMessage.ServerChallenge, clientChallenge, password, userName, challengeMessage.TargetName);
authenticateMessage.NtChallengeResponse = ByteUtils.Concatenate(ntProofStr, clientChallengeStructurePadded);
// https://msdn.microsoft.com/en-us/library/cc236700.aspx
byte[] responseKeyNT = NTLMCryptography.NTOWFv2(password, userName, domainName);
sessionBaseKey = new HMACMD5(responseKeyNT).ComputeHash(ntProofStr);
keyExchangeKey = sessionBaseKey;
}
authenticateMessage.Version = NTLMVersion.Server2003;
// https://msdn.microsoft.com/en-us/library/cc236676.aspx
if ((challengeMessage.NegotiateFlags & NegotiateFlags.KeyExchange) > 0)
{
sessionKey = new byte[16];
new Random().NextBytes(sessionKey);
authenticateMessage.EncryptedRandomSessionKey = RC4.Encrypt(keyExchangeKey, sessionKey);
}
else
{
sessionKey = keyExchangeKey;
}
if (useGSSAPI)
{
SimpleProtectedNegotiationTokenResponse outputToken = new SimpleProtectedNegotiationTokenResponse();
outputToken.ResponseToken = authenticateMessage.GetBytes();
return(outputToken.GetBytes());
}
else
{
return(authenticateMessage.GetBytes());
}
}
