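/// <summary>
/// Derives the NTLMv2 response key: an HMACT64 digest, keyed with <c>nTOWFv1(password)</c>,
/// over the UTF-16LE bytes of the upper-cased user name followed by the domain name.
/// </summary>
/// <param name="domain">Domain name; hashed exactly as supplied (no case folding).</param>
/// <param name="username">User name; upper-cased before hashing.</param>
/// <param name="password">Password, passed unchanged to <c>nTOWFv1</c>.</param>
/// <returns>The digest returned by <c>HMACT64.digest()</c>.</returns>
/// <remarks>
/// The returned key is the only secret <c>getLMv2Response</c> needs to answer a server
/// challenge, so it should be handled like the password itself (no logging, no persistence).
/// </remarks>
private static byte[] nTOWFv2(string domain, string username, string password)
{
    HMACT64 hmac = new HMACT64(nTOWFv1(password));

    // Upper-case with the invariant culture. String.ToUpper() follows the thread's current
    // culture, so on e.g. a tr-TR host "i" maps to U+0130 and the derived key stops matching
    // the one computed on the server side, which surfaces as an unexplained logon failure.
    hmac.update(Encoding.Unicode.GetBytes(username.ToUpperInvariant()));
    hmac.update(Encoding.Unicode.GetBytes(domain));
    return hmac.digest();
}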
/// <summary>
/// Builds the 24-byte LMv2 response: 16 bytes of HMACT64 output (keyed with
/// <paramref name="responseKeyNT"/>, computed over the server challenge followed by the
/// client challenge) and then the first 8 bytes of the client challenge.
/// </summary>
/// <param name="responseKeyNT">Key for the HMACT64 instance.</param>
/// <param name="serverChallenge">Challenge bytes fed to the MAC first.</param>
/// <param name="clientChallenge">
/// Challenge bytes fed to the MAC second. The whole array is hashed, but only its first
/// 8 bytes are appended to the response; a shorter array makes <c>Array.Copy</c> throw.
/// </param>
/// <returns>A new 24-byte array: MAC output at offset 0, client challenge at offset 16.</returns>
private static byte[] getLMv2Response(byte[] responseKeyNT, byte[] serverChallenge, byte[] clientChallenge)
{
    const int macLength = 0x10;
    const int challengeLength = 8;

    HMACT64 mac = new HMACT64(responseKeyNT);
    mac.update(serverChallenge);
    mac.update(clientChallenge);

    byte[] response = new byte[macLength + challengeLength];
    mac.digest(response, 0, macLength);
    Array.Copy(clientChallenge, 0, response, macLength, challengeLength);
    return response;
}
/// <summary>
/// Known-answer self-test for HMACT64, <c>nTOWFv2</c>, <c>getLMv2Response</c> and
/// <c>getNTLMv2Response</c>. Each stage compares its output with a fixed byte vector through
/// <c>TestResult</c> and throws <see cref="Exception"/> naming the failing stage.
/// </summary>
/// <remarks>
/// All credentials and challenges below are fixed sample values, not live secrets.
/// The value returned through the <c>out</c> argument of <c>getNTLMv2Response</c> is not checked.
/// </remarks>
public static void UnitTest()
{
    // Stage 1: HMACT64 on its own. The key/message pair looks like the published
    // HMAC-MD5 sample ("Jefe" / "what do ya want for nothing?").
    HMACT64 mac = new HMACT64(ASCIIEncoding.GetBytes("Jefe"));
    mac.update(ASCIIEncoding.GetBytes("what do ya want for nothing?"));
    bool macMatches = TestResult(
        mac.digest(),
        new byte[]
        {
            0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0, 0xb5, 0x03,
            0xea, 0xa8, 0x6e, 0x31, 0x0a, 0x5d, 0xb7, 0x38
        });
    if (macMatches == false)
    {
        throw new Exception("HMACT64 UnitTest Failed!");
    }

    // Stage 2: response-key derivation.
    bool keyMatches = TestResult(
        nTOWFv2("Domain", "User", "Password"),
        new byte[]
        {
            0x0c, 0x86, 0x8a, 0x40, 0x3b, 0xfd, 0x7a, 0x93,
            0xa3, 0x00, 0x1e, 0xf2, 0x2e, 0xf0, 0x2e, 0x3f
        });
    if (keyMatches == false)
    {
        throw new Exception("nTOWFv2 UnitTest Failed!");
    }

    // Exercises DumpFlags on a sample flag word; nothing is asserted about it here.
    DumpFlags(BitConverter.ToUInt32(new byte[] { 0x35, 0x82, 0x08, 0x60 }, 0));

    // Sample target-information block: (id, length, UTF-16LE value) records, zero-terminated.
    byte[] targetInfo = new byte[]
    {
        // id 2, 12 bytes: "DOMAIN"
        0x02, 0x00, 0x0c, 0x00,
        0x44, 0x00, 0x4f, 0x00, 0x4d, 0x00, 0x41, 0x00, 0x49, 0x00, 0x4e, 0x00,
        // id 1, 12 bytes: "SERVER"
        0x01, 0x00, 0x0c, 0x00,
        0x53, 0x00, 0x45, 0x00, 0x52, 0x00, 0x56, 0x00, 0x45, 0x00, 0x52, 0x00,
        // id 4, 20 bytes: "domain.com"
        0x04, 0x00, 0x14, 0x00,
        0x64, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x69, 0x00,
        0x6e, 0x00, 0x2e, 0x00, 0x63, 0x00, 0x6f, 0x00, 0x6d, 0x00,
        // id 3, 34 bytes: "server.domain.com"
        0x03, 0x00, 0x22, 0x00,
        0x73, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x2e, 0x00,
        0x64, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x2e, 0x00,
        0x63, 0x00, 0x6f, 0x00, 0x6d, 0x00,
        // terminator
        0x00, 0x00, 0x00, 0x00
    };
    byte[] clientChallenge = new byte[] { 0xff, 0xff, 0xff, 0x00, 0x11, 0x22, 0x33, 0x44 };
    byte[] serverChallenge = new byte[] { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };

    // Stage 3: both responses are computed before either one is checked.
    byte[] responseKeyNT = nTOWFv2("DOMAIN", "user", "SecREt01");
    byte[] lmResponse = getLMv2Response(responseKeyNT, serverChallenge, clientChallenge);

    long timestamp = 0x1c334b736d39000L;
    byte[] ignoredOut;
    byte[] ntResponse = getNTLMv2Response(
        responseKeyNT,
        serverChallenge,
        clientChallenge,
        BitConverter.GetBytes(timestamp),
        targetInfo,
        out ignoredOut);

    bool lmMatches = TestResult(
        lmResponse,
        new byte[]
        {
            0xd6, 0xe6, 0x15, 0x2e, 0xa2, 0x5d, 0x03, 0xb7,
            0xc6, 0xba, 0x66, 0x29, 0xc2, 0xd6, 0xaa, 0xf0,
            0xff, 0xff, 0xff, 0x00, 0x11, 0x22, 0x33, 0x44
        });
    if (lmMatches == false)
    {
        throw new Exception("LMResponse UnitTest Failed!");
    }

    // Only the leading 16 bytes of the NT response are compared.
    byte[] ntProof = new byte[0x10];
    Array.Copy(ntResponse, 0, ntProof, 0, ntProof.Length);
    bool ntMatches = TestResult(
        ntProof,
        new byte[]
        {
            0xcb, 0xab, 0xbc, 0xa7, 0x13, 0xeb, 0x79, 0x5d,
            0x04, 0xc9, 0x7a, 0xbc, 0x01, 0xee, 0x49, 0x83
        });
    if (ntMatches == false)
    {
        throw new Exception("NTResponse UnitTest Failed!");
    }
}
/// <summary>
/// Computes a challenge response and the key derived from it.
/// The response is the HMACT64 digest of <paramref name="serverChallenge"/> followed by
/// <paramref name="clientData"/>[offset, offset + length), with the complete
/// <paramref name="clientData"/> array appended after the digest.
/// </summary>
/// <param name="responseKey">Key used for both HMACT64 computations.</param>
/// <param name="serverChallenge">Server challenge bytes, hashed first.</param>
/// <param name="clientData">Client blob; a slice is hashed, the whole array is appended.</param>
/// <param name="offset">Start of the hashed slice inside <paramref name="clientData"/>.</param>
/// <param name="length">Number of bytes of <paramref name="clientData"/> to hash.</param>
/// <param name="keyExchangeKey">
/// Receives a second HMACT64 digest, keyed with <paramref name="responseKey"/>, over the
/// first digest. It is key material for the session and should never be written to logs.
/// </param>
/// <returns>Digest bytes followed by every byte of <paramref name="clientData"/>.</returns>
private static byte[] computeResponse(byte[] responseKey, byte[] serverChallenge, byte[] clientData, int offset, int length, out byte[] keyExchangeKey)
{
    HMACT64 proofMac = new HMACT64(responseKey);
    proofMac.update(serverChallenge);
    proofMac.update(clientData, offset, length);
    byte[] proof = proofMac.digest();

    // Note the asymmetry: the MAC covers only the requested slice, while the output
    // carries the entire clientData array.
    byte[] response = new byte[proof.Length + clientData.Length];
    proof.CopyTo(response, 0);
    clientData.CopyTo(response, proof.Length);

    HMACT64 keyMac = new HMACT64(responseKey);
    keyMac.update(proof);
    keyExchangeKey = keyMac.digest();

    return response;
}
/// <summary>
/// Produces a message signature: the bytes 1, 0, 0, 0, then the output of
/// <c>SealKey.crypt</c> over the first 8 bytes of an HMACT64 digest, then the 4 bytes of
/// the sequence number that was current on entry.
/// </summary>
/// <param name="SealKey">Cipher applied to the leading 8 digest bytes; calling it advances whatever state it keeps.</param>
/// <param name="SignKey">Key for the HMACT64 instance.</param>
/// <param name="message">Message bytes covered by the MAC, after the sequence number.</param>
/// <param name="sequenceNum">Sequence counter; its entry value is signed, then it is incremented by one.</param>
/// <returns>The signature bytes.</returns>
private static byte[] MakeSignature(RC4 SealKey, byte[] SignKey, byte[] message, ref uint sequenceNum)
{
    HMACT64 mac = new HMACT64(SignKey);

    // Sign with the pre-increment value; the caller's counter moves on exactly once per
    // signature, so one counter value is never used for two messages.
    uint signedSequence = sequenceNum;
    sequenceNum = signedSequence + 1;

    // BitConverter uses the host byte order.
    // NOTE(review): presumably the wire format expects little-endian here - confirm before
    // running on a big-endian host.
    byte[] sequenceBytes = BitConverter.GetBytes(signedSequence);

    mac.update(sequenceBytes);
    mac.update(message);
    byte[] digest = mac.digest();

    byte[] sealedChecksum = SealKey.crypt(digest, 0, 8);

    List<byte> signature = new List<byte>();
    signature.AddRange(new byte[] { 1, 0, 0, 0 });
    signature.AddRange(sealedChecksum);
    signature.AddRange(sequenceBytes);
    return signature.ToArray();
}
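/// <summary>
/// Client Info PDU: serializes the logon information (domain, user name, password, start
/// program, working directory), a fixed client address and client directory, the local time
/// zone, performance flags and, optionally, an auto-reconnect block into an
/// <c>RdpPacket</c>.
/// </summary>
/// <param name="domain">Logon domain; when empty only a 16-bit zero is written for it.</param>
/// <param name="username">Logon user name; always written.</param>
/// <param name="password">
/// Logon password. It is written into the packet as plain UTF-16 text, so its
/// confidentiality depends entirely on the protection the caller applies to the packet
/// afterwards (not visible in this method).
/// </param>
/// <param name="command">Start program; when empty only a 16-bit zero is written.</param>
/// <param name="directory">Working directory; when empty only a 16-bit zero is written.</param>
/// <param name="bAutoReconnect">
/// When true, appends the auto-reconnect block: two length words of 0x1c, version 1,
/// <c>Options.LogonID</c> and an HMACT64 digest keyed with <c>Options.ReconnectCookie</c>
/// over <c>Secure.GetClentRandom()</c>. When false a single 32-bit zero is written instead.
/// </param>
/// <returns>The populated packet.</returns>
/// <remarks>
/// The client address ("127.0.0.1") and client directory are hard-coded, so a server-side
/// log that records these client-reported values will not show the real origin of the
/// connection; rely on the transport-level peer address for that.
/// </remarks>
private static RdpPacket getLoginInfo(string domain, string username, string password, string command, string directory, bool bAutoReconnect)
{
    const string clientAddress = "127.0.0.1";
    const string clientDirectory = @"C:\WINNT\System32\mstscax.dll";

    // Each time-zone name occupies a 64-byte slot. The padding arithmetic below
    // (0x3e - 2 * length) implies WriteUnicodeString also emits a 2-byte terminator, which
    // leaves room for at most 31 characters.
    const int maxTimeZoneNameChars = 31;

    // Byte lengths of the UTF-16 strings (terminator not included).
    int clientAddressBytes = 2 * clientAddress.Length;
    int clientDirectoryBytes = 2 * clientDirectory.Length;
    int domainBytes = 2 * domain.Length;
    int userNameBytes = 2 * username.Length;
    int passwordBytes = 2 * password.Length;
    int commandBytes = 2 * command.Length;
    int directoryBytes = 2 * directory.Length;

    // An earlier revision hard-coded this flag word as 0x213b.
    int infoFlags = (int)(
        ClientInfoFlags.INFO_AUTOLOGON |
        ClientInfoFlags.INFO_DISABLECTRLALTDEL |
        ClientInfoFlags.INFO_LOGONERRORS |
        ClientInfoFlags.INFO_LOGONNOTIFY |
        ClientInfoFlags.INFO_ENABLEWINDOWSKEY |
        ClientInfoFlags.INFO_MOUSE |
        ClientInfoFlags.INFO_NOAUDIOPLAYBACK |
        ClientInfoFlags.INFO_UNICODE);

    // Bit 0x8 decides whether the password is transmitted.
    // NOTE(review): presumably this is INFO_AUTOLOGON - confirm against ClientInfoFlags.
    bool sendPassword = (infoFlags & 8) != 0;

    RdpPacket packet = new RdpPacket();
    packet.WriteLittleEndian32(0);
    packet.WriteLittleEndian32(infoFlags);

    // Length table.
    packet.WriteLittleEndian16((short)domainBytes);
    packet.WriteLittleEndian16((short)userNameBytes);
    if (sendPassword)
    {
        packet.WriteLittleEndian16((short)passwordBytes);
    }
    else
    {
        packet.WriteLittleEndian16((short)0);
    }
    packet.WriteLittleEndian16((short)commandBytes);
    packet.WriteLittleEndian16((short)directoryBytes);

    // String values, in the same order as the length table.
    if (0 < domainBytes)
    {
        packet.WriteUnicodeString(domain);
    }
    else
    {
        packet.WriteLittleEndian16((short)0);
    }
    packet.WriteUnicodeString(username);
    if (sendPassword)
    {
        // Clear-text credential on the wire format level; see the <param> note above.
        packet.WriteUnicodeString(password);
    }
    else
    {
        packet.WriteLittleEndian16((short)0);
    }
    if (0 < commandBytes)
    {
        packet.WriteUnicodeString(command);
    }
    else
    {
        packet.WriteLittleEndian16((short)0);
    }
    if (0 < directoryBytes)
    {
        packet.WriteUnicodeString(directory);
    }
    else
    {
        packet.WriteLittleEndian16((short)0);
    }

    // Fixed client address and client directory; the declared lengths add 2 bytes each.
    packet.WriteLittleEndian16((short)2);
    packet.WriteLittleEndian16((short)(clientAddressBytes + 2));
    packet.WriteUnicodeString(clientAddress);
    packet.WriteLittleEndian16((short)(clientDirectoryBytes + 2));
    packet.WriteUnicodeString(clientDirectory);

    // Time-zone block.
    TimeZoneInfo zone = TimeZoneInfo.Local;
    packet.WriteLittleEndian32((int)zone.BaseUtcOffset.TotalMinutes);

    // Fix: a name longer than 31 characters used to make the padding below negative, which
    // moved Position backwards and let the following fields overwrite the name. Clamp it.
    string standardName = zone.StandardName;
    if (standardName.Length > maxTimeZoneNameChars)
    {
        standardName = standardName.Substring(0, maxTimeZoneNameChars);
    }
    packet.WriteUnicodeString(standardName);
    packet.Position += 0x3e - (2 * standardName.Length);

    if (zone.SupportsDaylightSavingTime)
    {
        // Fixed eight-word date record (values 0, 10, 0, 30, 2, 0, 0, 0), then a 32-bit zero.
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((ushort)10);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)30);
        packet.WriteLittleEndian16((short)2);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian32(0);
    }
    else
    {
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian32(0);
    }

    // Same clamp for the daylight name, for the same reason.
    string daylightName = zone.DaylightName;
    if (daylightName.Length > maxTimeZoneNameChars)
    {
        daylightName = daylightName.Substring(0, maxTimeZoneNameChars);
    }
    packet.WriteUnicodeString(daylightName);
    packet.Position += 0x3e - (2 * daylightName.Length);

    if (zone.SupportsDaylightSavingTime)
    {
        // Fixed eight-word date record (values 0, 3, 0, 27, 1, 0, 0, 0), then the base
        // offset in minutes plus one.
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((ushort)3);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0x1b);
        packet.WriteLittleEndian16((short)1);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian32((int)(zone.BaseUtcOffset.TotalMinutes + 1.0));
    }
    else
    {
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian16((short)0);
        packet.WriteLittleEndian32(0);
    }

    packet.WriteLittleEndianU32(0);

    // Performance flags follow the host options: most are "disable" bits set when the
    // corresponding option is off, two are "enable" bits set when the option is on.
    PerformanceFlags performance = (PerformanceFlags)0;
    if (!Options.IsHostFlagSet(HostFlags.DesktopBackground))
    {
        performance |= PerformanceFlags.PERF_DISABLE_WALLPAPER;
    }
    if (Options.IsHostFlagSet(HostFlags.FontSmoothing))
    {
        performance |= PerformanceFlags.PERF_ENABLE_FONT_SMOOTHING;
    }
    if (Options.IsHostFlagSet(HostFlags.DesktopComposition))
    {
        performance |= PerformanceFlags.PERF_ENABLE_DESKTOP_COMPOSITION;
    }
    if (!Options.IsHostFlagSet(HostFlags.ShowWindowContents))
    {
        performance |= PerformanceFlags.PERF_DISABLE_FULLWINDOWDRAG;
    }
    if (!Options.IsHostFlagSet(HostFlags.MenuAnimation))
    {
        performance |= PerformanceFlags.PERF_DISABLE_MENUANIMATIONS;
    }
    if (!Options.IsHostFlagSet(HostFlags.VisualStyles))
    {
        performance |= PerformanceFlags.PERF_DISABLE_THEMING;
    }
    packet.WriteLittleEndian32((int)performance);

    if (bAutoReconnect)
    {
        packet.WriteLittleEndian32(0x1c);
        packet.WriteLittleEndian32(0x1c);
        packet.WriteLittleEndian32(1);
        packet.WriteLittleEndian32(Options.LogonID);

        // Only a keyed digest of the client random is sent, never the reconnect cookie
        // itself; the cookie stays a local secret and should be kept out of logs.
        HMACT64 verifierMac = new HMACT64(Options.ReconnectCookie);
        verifierMac.update(Secure.GetClentRandom());
        byte[] verifier = verifierMac.digest();
        packet.Write(verifier, 0, verifier.Length);
        return packet;
    }

    packet.WriteLittleEndian32(0);
    return packet;
}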
/// <summary>
/// Serializes the NTLMSSP message of type 3: signature and type, six (length, length,
/// offset) descriptors, the negotiate flags, an optional version block, an optional
/// 16-byte integrity-code slot, and then the payloads the descriptors point at.
/// </summary>
/// <param name="lmChallengeResponse">LM response payload.</param>
/// <param name="ntChallengeResponse">NT response payload.</param>
/// <param name="sDomainName">Domain name, written as UTF-16LE.</param>
/// <param name="sUser">User name, written as UTF-16LE.</param>
/// <param name="sWorkstation">Workstation name, written as UTF-16LE.</param>
/// <param name="EncryptedRandomSessionKey">Encrypted session key payload.</param>
/// <param name="ExportedSessionKey">HMACT64 key for the integrity code; used only when <paramref name="bGenerateMIC"/> is true.</param>
/// <param name="bGenerateMIC">
/// When true, a 16-byte slot is reserved and later filled with the HMACT64 digest over
/// <c>m_NegotiateMsg</c>, <c>m_ChallengeMsg</c> and this message with the slot zero-padded.
/// When false the message carries no integrity code.
/// </param>
/// <returns>The complete message as a byte array.</returns>
private byte[] Authenticate(byte[] lmChallengeResponse, byte[] ntChallengeResponse, string sDomainName, string sUser, string sWorkstation, byte[] EncryptedRandomSessionKey, byte[] ExportedSessionKey, bool bGenerateMIC)
{
    const uint versionBit = 0x2000000;
    const int descriptorBytes = 8;
    const int micBytes = 0x10;

    RdpPacket message = new RdpPacket();
    uint negotiateFlags =
        0xe2800000
        | NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY
        | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
        | NTLMSSP_NEGOTIATE_NTLM
        | NTLMSSP_NEGOTIATE_SEAL
        | NTLMSSP_NEGOTIATE_SIGN
        | NTLMSSP_REQUEST_TARGET
        | NTLMSSP_NEGOTIATE_UNICODE;
    DumpFlags(negotiateFlags);
    bool includeVersion = (negotiateFlags & versionBit) != 0;

    int messageStart = (int)message.Position;
    message.WriteString("NTLMSSP", false);
    message.WriteByte(0);
    message.WriteLittleEndian32(3);

    // Size of everything that precedes the payload area: what has been written so far,
    // six descriptors, the 4-byte flag word, plus the optional version and MIC blocks.
    int payloadStart = ((int)message.Position) - messageStart;
    payloadStart += (6 * descriptorBytes) + 4;
    if (includeVersion)
    {
        payloadStart += 8;
    }
    if (bGenerateMIC)
    {
        payloadStart += micBytes;
    }

    byte[] domainBytes = Encoding.Unicode.GetBytes(sDomainName);
    byte[] userBytes = Encoding.Unicode.GetBytes(sUser);
    byte[] workstationBytes = Encoding.Unicode.GetBytes(sWorkstation);

    // Payload layout: domain, user, workstation, LM response, NT response, session key.
    int domainOffset = payloadStart;
    int userOffset = domainOffset + domainBytes.Length;
    int workstationOffset = userOffset + userBytes.Length;
    int lmOffset = workstationOffset + workstationBytes.Length;
    int ntOffset = lmOffset + lmChallengeResponse.Length;
    int sessionKeyOffset = ntOffset + ntChallengeResponse.Length;

    // Descriptor order differs from payload order: LM, NT, domain, user, workstation, key.
    int[] fieldLengths =
    {
        lmChallengeResponse.Length,
        ntChallengeResponse.Length,
        domainBytes.Length,
        userBytes.Length,
        workstationBytes.Length,
        EncryptedRandomSessionKey.Length
    };
    int[] fieldOffsets =
    {
        lmOffset,
        ntOffset,
        domainOffset,
        userOffset,
        workstationOffset,
        sessionKeyOffset
    };
    for (int i = 0; i < fieldLengths.Length; i++)
    {
        // The length is written twice, truncated to 16 bits, followed by the offset.
        message.WriteLittleEndian16((ushort)fieldLengths[i]);
        message.WriteLittleEndian16((ushort)fieldLengths[i]);
        message.WriteLittleEndian32(fieldOffsets[i]);
    }

    message.WriteLittleEndian32(negotiateFlags);
    if (includeVersion)
    {
        this.WriteVersion(message);
    }

    // Remember where the integrity code goes; it is zero-padded until the end.
    long micPosition = message.Position;
    if (bGenerateMIC)
    {
        message.WritePadding(micBytes);
    }

    message.Write(domainBytes, 0, domainBytes.Length);
    message.Write(userBytes, 0, userBytes.Length);
    message.Write(workstationBytes, 0, workstationBytes.Length);
    message.Write(lmChallengeResponse, 0, lmChallengeResponse.Length);
    message.Write(ntChallengeResponse, 0, ntChallengeResponse.Length);
    message.Write(EncryptedRandomSessionKey, 0, EncryptedRandomSessionKey.Length);

    if (bGenerateMIC)
    {
        // Snapshot the message with the zeroed slot, MAC all three handshake messages,
        // then patch the digest into the slot.
        message.Position = 0L;
        byte[] unsignedMessage = new byte[message.Length];
        message.Read(unsignedMessage, 0, unsignedMessage.Length);

        HMACT64 micMac = new HMACT64(ExportedSessionKey);
        micMac.update(this.m_NegotiateMsg);
        micMac.update(this.m_ChallengeMsg);
        micMac.update(unsignedMessage);
        byte[] mic = micMac.digest();

        message.Position = micPosition;
        message.Write(mic, 0, mic.Length);
    }

    message.Position = 0L;
    byte[] serialized = new byte[message.Length];
    message.Read(serialized, 0, serialized.Length);
    return serialized;
}