Esempio n. 1
0
        private static byte[] nTOWFv2(string domain, string username, string password)
        {
            HMACT64 hmact = new HMACT64(nTOWFv1(password));

            hmact.update(Encoding.Unicode.GetBytes(username.ToUpper()));
            hmact.update(Encoding.Unicode.GetBytes(domain));

            return(hmact.digest());
        }
Esempio n. 2
0
        private static byte[] getLMv2Response(byte[] responseKeyNT, byte[] serverChallenge, byte[] clientChallenge)
        {
            byte[]  buf   = new byte[0x18];
            HMACT64 hmact = new HMACT64(responseKeyNT);

            hmact.update(serverChallenge);
            hmact.update(clientChallenge);
            hmact.digest(buf, 0, 0x10);
            Array.Copy(clientChallenge, 0, buf, 0x10, 8);

            return(buf);
        }
Esempio n. 3
0
        public static void UnitTest()
        {
            byte[]  buffer7;
            HMACT64 hmact = new HMACT64(ASCIIEncoding.GetBytes("Jefe"));

            hmact.update(ASCIIEncoding.GetBytes("what do ya want for nothing?"));

            if (!TestResult(hmact.digest(), new byte[] { 0x75, 12, 120, 0x3e, 0x6a, 0xb0, 0xb5, 3, 0xea, 0xa8, 110, 0x31, 10, 0x5d, 0xb7, 0x38 }))
            {
                throw new Exception("HMACT64 UnitTest Failed!");
            }

            if (!TestResult(nTOWFv2("Domain", "User", "Password"), new byte[] { 12, 0x86, 0x8a, 0x40, 0x3b, 0xfd, 0x7a, 0x93, 0xa3, 0, 30, 0xf2, 0x2e, 240, 0x2e, 0x3f }))
            {
                throw new Exception("nTOWFv2 UnitTest Failed!");
            }

            DumpFlags(BitConverter.ToUInt32(new byte[] { 0x35, 130, 8, 0x60 }, 0));

            byte[] buffer3 = new byte[] {
                2, 0, 12, 0, 0x44, 0, 0x4f, 0, 0x4d, 0, 0x41, 0, 0x49, 0, 0x4e, 0,
                1, 0, 12, 0, 0x53, 0, 0x45, 0, 0x52, 0, 0x56, 0, 0x45, 0, 0x52, 0,
                4, 0, 20, 0, 100, 0, 0x6f, 0, 0x6d, 0, 0x61, 0, 0x69, 0, 110, 0,
                0x2e, 0, 0x63, 0, 0x6f, 0, 0x6d, 0, 3, 0, 0x22, 0, 0x73, 0, 0x65, 0,
                0x72, 0, 0x76, 0, 0x65, 0, 0x72, 0, 0x2e, 0, 100, 0, 0x6f, 0, 0x6d, 0,
                0x61, 0, 0x69, 0, 110, 0, 0x2e, 0, 0x63, 0, 0x6f, 0, 0x6d, 0, 0, 0,
                0, 0
            };

            byte[] clientChallenge = new byte[] { 0xff, 0xff, 0xff, 0, 0x11, 0x22, 0x33, 0x44 };
            byte[] serverChallenge = new byte[] { 1, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
            byte[] responseKeyNT   = nTOWFv2("DOMAIN", "user", "SecREt01");
            byte[] result          = getLMv2Response(responseKeyNT, serverChallenge, clientChallenge);
            long   num2            = 0x1c334b736d39000L;

            byte[] sourceArray = getNTLMv2Response(responseKeyNT, serverChallenge, clientChallenge, BitConverter.GetBytes(num2), buffer3, out buffer7);

            if (!TestResult(result, new byte[] {
                0xd6, 230, 0x15, 0x2e, 0xa2, 0x5d, 3, 0xb7, 0xc6, 0xba, 0x66, 0x29, 0xc2, 0xd6, 170, 240,
                0xff, 0xff, 0xff, 0, 0x11, 0x22, 0x33, 0x44
            }))
            {
                throw new Exception("LMResponse UnitTest Failed!");
            }
            byte[] destinationArray = new byte[0x10];
            Array.Copy(sourceArray, 0, destinationArray, 0, 0x10);

            if (!TestResult(destinationArray, new byte[] { 0xcb, 0xab, 0xbc, 0xa7, 0x13, 0xeb, 0x79, 0x5d, 4, 0xc9, 0x7a, 0xbc, 1, 0xee, 0x49, 0x83 }))
            {
                throw new Exception("NTResponse UnitTest Failed!");
            }
        }
Esempio n. 4
0
        private static byte[] computeResponse(byte[] responseKey, byte[] serverChallenge, byte[] clientData, int offset, int length, out byte[] keyExchangeKey)
        {
            HMACT64 hmact = new HMACT64(responseKey);

            hmact.update(serverChallenge);
            hmact.update(clientData, offset, length);
            byte[] sourceArray      = hmact.digest();
            byte[] destinationArray = new byte[sourceArray.Length + clientData.Length];
            Array.Copy(sourceArray, 0, destinationArray, 0, sourceArray.Length);
            Array.Copy(clientData, 0, destinationArray, sourceArray.Length, clientData.Length);
            hmact = new HMACT64(responseKey);
            hmact.update(sourceArray);
            keyExchangeKey = hmact.digest();

            return(destinationArray);
        }
Esempio n. 5
0
        private static byte[] MakeSignature(RC4 SealKey, byte[] SignKey, byte[] message, ref uint sequenceNum)
        {
            HMACT64 hmact = new HMACT64(SignKey);

            byte[] bytes = BitConverter.GetBytes(sequenceNum++);
            hmact.update(bytes);
            hmact.update(message);
            byte[]      data       = hmact.digest();
            byte[]      collection = SealKey.crypt(data, 0, 8);
            List <byte> list       = new List <byte> {
                1, 0, 0, 0
            };

            list.AddRange(collection);
            list.AddRange(bytes);

            return(list.ToArray());
        }
Esempio n. 6
0
        /// <summary>
        /// Client Info PDU
        /// </summary>
        private static RdpPacket getLoginInfo(string domain, string username, string password, string command, string directory, bool bAutoReconnect)
        {
            int num1 = 2 * "127.0.0.1".Length;
            int num2 = 2 * @"C:\WINNT\System32\mstscax.dll".Length;
            int num3 = 2 * domain.Length;
            int num4 = 2 * username.Length;
            int num5 = 2 * password.Length;
            int num6 = 2 * command.Length;
            int num7 = 2 * directory.Length;

            //int num8 = 0x213b;

            int num8 = (int)(
                ClientInfoFlags.INFO_AUTOLOGON |
                ClientInfoFlags.INFO_DISABLECTRLALTDEL |
                ClientInfoFlags.INFO_LOGONERRORS |
                ClientInfoFlags.INFO_LOGONNOTIFY |
                ClientInfoFlags.INFO_ENABLEWINDOWSKEY |
                ClientInfoFlags.INFO_MOUSE |
                ClientInfoFlags.INFO_NOAUDIOPLAYBACK |
                ClientInfoFlags.INFO_UNICODE);

            RdpPacket packet = new RdpPacket();

            packet.WriteLittleEndian32(0);
            packet.WriteLittleEndian32(num8);
            packet.WriteLittleEndian16((short)num3);
            packet.WriteLittleEndian16((short)num4);

            if ((num8 & 8) != 0)
            {
                packet.WriteLittleEndian16((short)num5);
            }
            else
            {
                packet.WriteLittleEndian16((short)0);
            }

            packet.WriteLittleEndian16((short)num6);
            packet.WriteLittleEndian16((short)num7);

            if (0 < num3)
            {
                packet.WriteUnicodeString(domain);
            }
            else
            {
                packet.WriteLittleEndian16((short)0);
            }

            packet.WriteUnicodeString(username);

            if ((num8 & 8) != 0)
            {
                packet.WriteUnicodeString(password);
            }
            else
            {
                packet.WriteLittleEndian16((short)0);
            }

            if (0 < num6)
            {
                packet.WriteUnicodeString(command);
            }
            else
            {
                packet.WriteLittleEndian16((short)0);
            }

            if (0 < num7)
            {
                packet.WriteUnicodeString(directory);
            }
            else
            {
                packet.WriteLittleEndian16((short)0);
            }

            packet.WriteLittleEndian16((short)2);
            packet.WriteLittleEndian16((short)(num1 + 2));
            packet.WriteUnicodeString("127.0.0.1");
            packet.WriteLittleEndian16((short)(num2 + 2));
            packet.WriteUnicodeString(@"C:\WINNT\System32\mstscax.dll");
            TimeZoneInfo info = TimeZoneInfo.Local;

            packet.WriteLittleEndian32((int)info.BaseUtcOffset.TotalMinutes);
            packet.WriteUnicodeString(info.StandardName);
            packet.Position += 0x3e - (2 * info.StandardName.Length);

            if (info.SupportsDaylightSavingTime)
            {
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((ushort)10);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)30);
                packet.WriteLittleEndian16((short)2);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian32(0);
            }
            else
            {
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian32(0);
            }

            packet.WriteUnicodeString(info.DaylightName);
            packet.Position += 0x3e - (2 * info.DaylightName.Length);

            if (info.SupportsDaylightSavingTime)
            {
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((ushort)3);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0x1b);
                packet.WriteLittleEndian16((short)1);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian32((int)(info.BaseUtcOffset.TotalMinutes + 1.0));
            }
            else
            {
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian16((short)0);
                packet.WriteLittleEndian32(0);
            }

            packet.WriteLittleEndianU32(0);
            PerformanceFlags flags = (PerformanceFlags)0;

            if (!Options.IsHostFlagSet(HostFlags.DesktopBackground))
            {
                flags |= PerformanceFlags.PERF_DISABLE_WALLPAPER;
            }

            if (Options.IsHostFlagSet(HostFlags.FontSmoothing))
            {
                flags |= PerformanceFlags.PERF_ENABLE_FONT_SMOOTHING;
            }

            if (Options.IsHostFlagSet(HostFlags.DesktopComposition))
            {
                flags |= PerformanceFlags.PERF_ENABLE_DESKTOP_COMPOSITION;
            }

            if (!Options.IsHostFlagSet(HostFlags.ShowWindowContents))
            {
                flags |= PerformanceFlags.PERF_DISABLE_FULLWINDOWDRAG;
            }

            if (!Options.IsHostFlagSet(HostFlags.MenuAnimation))
            {
                flags |= PerformanceFlags.PERF_DISABLE_MENUANIMATIONS;
            }

            if (!Options.IsHostFlagSet(HostFlags.VisualStyles))
            {
                flags |= PerformanceFlags.PERF_DISABLE_THEMING;
            }

            packet.WriteLittleEndian32((int)flags);

            if (bAutoReconnect)
            {
                packet.WriteLittleEndian32(0x1c);
                packet.WriteLittleEndian32(0x1c);
                packet.WriteLittleEndian32(1);
                packet.WriteLittleEndian32(Options.LogonID);
                HMACT64 hmact = new HMACT64(Options.ReconnectCookie);
                hmact.update(Secure.GetClentRandom());
                byte[] buffer = hmact.digest();
                packet.Write(buffer, 0, buffer.Length);
                return(packet);
            }

            packet.WriteLittleEndian32(0);

            return(packet);
        }
Esempio n. 7
0
        private byte[] Authenticate(byte[] lmChallengeResponse, byte[] ntChallengeResponse, string sDomainName, string sUser, string sWorkstation, byte[] EncryptedRandomSessionKey, byte[] ExportedSessionKey, bool bGenerateMIC)
        {
            RdpPacket packet = new RdpPacket();
            uint      flags  = (
                (((((0xe2800000 | NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY) |
                    NTLMSSP_NEGOTIATE_ALWAYS_SIGN) | NTLMSSP_NEGOTIATE_NTLM) |
                  NTLMSSP_NEGOTIATE_SEAL) | NTLMSSP_NEGOTIATE_SIGN) |
                NTLMSSP_REQUEST_TARGET) | NTLMSSP_NEGOTIATE_UNICODE;

            DumpFlags(flags);
            int position = (int)packet.Position;

            packet.WriteString("NTLMSSP", false);
            packet.WriteByte(0);
            packet.WriteLittleEndian32(3);
            int num3 = ((int)packet.Position) - position;

            num3 += 8;
            num3 += 8;
            num3 += 8;
            num3 += 8;
            num3 += 8;
            num3 += 8;
            num3 += 4;

            if ((flags & 0x2000000) != 0)
            {
                num3 += 8;
            }

            if (bGenerateMIC)
            {
                num3 += 0x10;
            }

            byte[] bytes   = Encoding.Unicode.GetBytes(sDomainName);
            byte[] buffer  = Encoding.Unicode.GetBytes(sUser);
            byte[] buffer3 = Encoding.Unicode.GetBytes(sWorkstation);
            int    num4    = num3;
            int    num5    = num4 + bytes.Length;
            int    num6    = num5 + buffer.Length;
            int    num7    = num6 + buffer3.Length;
            int    num8    = num7 + lmChallengeResponse.Length;
            int    num9    = num8 + ntChallengeResponse.Length;

            packet.WriteLittleEndian16((ushort)lmChallengeResponse.Length);
            packet.WriteLittleEndian16((ushort)lmChallengeResponse.Length);
            packet.WriteLittleEndian32(num7);
            num3 += lmChallengeResponse.Length;
            packet.WriteLittleEndian16((ushort)ntChallengeResponse.Length);
            packet.WriteLittleEndian16((ushort)ntChallengeResponse.Length);
            packet.WriteLittleEndian32(num8);
            num3 += ntChallengeResponse.Length;
            packet.WriteLittleEndian16((ushort)bytes.Length);
            packet.WriteLittleEndian16((ushort)bytes.Length);
            packet.WriteLittleEndian32(num4);
            num3 += bytes.Length;
            packet.WriteLittleEndian16((ushort)buffer.Length);
            packet.WriteLittleEndian16((ushort)buffer.Length);
            packet.WriteLittleEndian32(num5);
            num3 += buffer.Length;
            packet.WriteLittleEndian16((ushort)buffer3.Length);
            packet.WriteLittleEndian16((ushort)buffer3.Length);
            packet.WriteLittleEndian32(num6);
            num3 += buffer3.Length;
            packet.WriteLittleEndian16((ushort)EncryptedRandomSessionKey.Length);
            packet.WriteLittleEndian16((ushort)EncryptedRandomSessionKey.Length);
            packet.WriteLittleEndian32(num9);
            num3 += EncryptedRandomSessionKey.Length;
            packet.WriteLittleEndian32(flags);

            if ((flags & 0x2000000) != 0)
            {
                this.WriteVersion(packet);
            }

            long num10 = packet.Position;

            if (bGenerateMIC)
            {
                packet.WritePadding(0x10);
            }

            packet.Write(bytes, 0, bytes.Length);
            packet.Write(buffer, 0, buffer.Length);
            packet.Write(buffer3, 0, buffer3.Length);
            packet.Write(lmChallengeResponse, 0, lmChallengeResponse.Length);
            packet.Write(ntChallengeResponse, 0, ntChallengeResponse.Length);
            packet.Write(EncryptedRandomSessionKey, 0, EncryptedRandomSessionKey.Length);

            if (bGenerateMIC)
            {
                packet.Position = 0L;
                byte[] buffer4 = new byte[packet.Length];
                packet.Read(buffer4, 0, buffer4.Length);
                HMACT64 hmact = new HMACT64(ExportedSessionKey);
                hmact.update(this.m_NegotiateMsg);
                hmact.update(this.m_ChallengeMsg);
                hmact.update(buffer4);
                byte[] buffer5 = hmact.digest();
                packet.Position = num10;
                packet.Write(buffer5, 0, buffer5.Length);
            }

            packet.Position = 0L;
            byte[] buffer6 = new byte[packet.Length];
            packet.Read(buffer6, 0, buffer6.Length);

            return(buffer6);
        }