/// <summary>
/// Opens a DER TLV: emits <paramref name="Tag"/> as a single byte and then a one-byte length
/// placeholder registered under <paramref name="Identifier"/>; CloseTag with the same identifier
/// back-patches the real length once the content has been written.
/// </summary>
protected static void WriteTag(RdpPacket packet, int Tag, string Identifier)
{
    packet.WriteByte((byte)Tag);       // tag octet (WriteByte inlined; high bits of Tag are dropped)
    WriteLength(packet, Identifier);   // placeholder + fixup record for CloseTag
}
/// <summary>
/// Closes the TLV opened by WriteTag under <paramref name="Identifier"/>: encodes the number of
/// bytes written since the placeholder into the DER length field (see UpdateLength).
/// </summary>
protected static void CloseTag(RdpPacket packet, string Identifier) => UpdateLength(packet, Identifier);
/// <summary>
/// Writes the low 8 bits of <paramref name="value"/> to <paramref name="packet"/>; any higher
/// bits are discarded by the narrowing cast.
/// </summary>
protected static void WriteByte(RdpPacket packet, int value) => packet.WriteByte((byte)value);
/// <summary>
/// Reserves a one-byte DER length placeholder (0xff) at the current position and records where it
/// is, keyed by <paramref name="Identifier"/>, so UpdateLength can patch it later.
/// </summary>
/// <remarks>
/// m_Fixup.Add rejects a duplicate key (presumably a dictionary), so nested tags that are open at
/// the same time need distinct identifiers.
/// </remarks>
protected static void WriteLength(RdpPacket packet, string Identifier)
{
    long placeholderOffset = packet.Position;
    m_Fixup.Add(Identifier, new Fixup(Identifier, placeholderOffset));
    packet.WriteByte(0xff);   // placeholder; widened to the long form by UpdateLength if needed
}
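/// <summary>
/// Back-patches the DER length placeholder written by WriteLength for <paramref name="Identifier"/>
/// with the number of content bytes written since it.
/// </summary>
/// <remarks>
/// Short form (one byte) is used for lengths up to 0x7f; otherwise the long form 0x8N followed by
/// N big-endian length bytes (N = 1..4). The placeholder is a single byte, so the extra length
/// bytes are inserted and the write position is moved forward by the same amount.
/// If the fixup carries a preset length (Fixup.Length != -1) the actual length is only verified
/// against it, nothing is rewritten.
/// Fix versus the previous version: the length bytes are extracted with shifts instead of
/// BitConverter.GetBytes, whose byte order follows the host CPU (BitConverter.IsLittleEndian) and
/// would produce a wrong encoding on a big-endian runtime. Lengths above 0xffffffff are still
/// truncated to four bytes, as before.
/// </remarks>
/// <exception cref="Exception">The actual length differs from the preset length in the fixup.</exception>
protected static void UpdateLength(RdpPacket packet, string Identifier)
{
    Fixup fixup = m_Fixup[Identifier];   // throws if no tag with this identifier is open
    m_Fixup.Remove(Identifier);
    long endPosition = packet.Position;

    if (fixup.Length != -1)
    {
        // Preset length: verify only.
        long actualLength = endPosition - fixup.Offset;
        if (actualLength != fixup.Length)
        {
            throw new Exception("DER Tag length invalid");
        }
        return;
    }

    // Content starts one byte after the placeholder.
    long contentLength = endPosition - (fixup.Offset + 1L);
    packet.Position = fixup.Offset;

    if (contentLength <= 0x7fL)
    {
        // Short form: the placeholder byte becomes the length itself.
        packet.WriteByte((byte)contentLength);
        packet.Position = endPosition;
        return;
    }

    // Long form: number of big-endian length bytes needed (1..4).
    int lengthByteCount = contentLength > 0xffffffL ? 4
                        : contentLength > 0xffffL ? 3
                        : contentLength > 0xffL ? 2
                        : 1;

    packet.WriteByte((byte)(0x80 | lengthByteCount));   // overwrites the placeholder
    for (int i = lengthByteCount - 1; i >= 0; i--)
    {
        packet.InsertByte((byte)(contentLength >> (8 * i)));   // most significant byte first
        endPosition += 1L;   // each inserted byte shifts the content that follows
    }
    packet.Position = endPosition;
}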
/// <summary>
/// Encodes the AV_PAIR list in the fixed order below (NbDomainName, NbComputerName, DnsDomainName,
/// DnsComputerName, DnsTreeName, Timestamp, Flags, Restrictions, ChannelBindings, TargetName),
/// terminates it with MsvAvEOL (id 0, len 0) and then calls WritePadding(8).
/// Pairs with a zero length are omitted, with two exceptions: MsvAvFlags is emitted only when
/// Flags is non-zero, and MsvAvTargetName is emitted whenever its value is non-null, so an empty
/// target name is still sent.
/// </summary>
/// <returns>The serialized list as a fresh byte array.</returns>
/// <remarks>
/// WritePadding(8) presumably appends 8 zero bytes (compare the 16-byte MIC reservation made with
/// WritePadding(0x10) in Authenticate) — left exactly as before.
/// </remarks>
public byte[] Serialise()
{
    RdpPacket packet = new RdpPacket();

    // One AV_PAIR: AvId (LE16), AvLen (LE16), then AvLen bytes of value.
    Action<short, int, byte[]> emit = delegate (short avId, int avLen, byte[] avValue)
    {
        packet.WriteLittleEndian16(avId);
        packet.WriteLittleEndian16((short)avLen);
        packet.Write(avValue, 0, avLen);
    };

    if (this.NbDomainName.length > 0)
    {
        emit(2, this.NbDomainName.length, this.NbDomainName.value);
    }
    if (this.NbComputerName.length > 0)
    {
        emit(1, this.NbComputerName.length, this.NbComputerName.value);
    }
    if (this.DnsDomainName.length > 0)
    {
        emit(4, this.DnsDomainName.length, this.DnsDomainName.value);
    }
    if (this.DnsComputerName.length > 0)
    {
        emit(3, this.DnsComputerName.length, this.DnsComputerName.value);
    }
    if (this.DnsTreeName.length > 0)
    {
        emit(5, this.DnsTreeName.length, this.DnsTreeName.value);
    }
    if (this.Timestamp.length > 0)
    {
        emit(7, this.Timestamp.length, this.Timestamp.value);
    }
    if (this.Flags != 0)
    {
        // MsvAvFlags is a fixed 4-byte LE32 value rather than a byte buffer.
        packet.WriteLittleEndian16((short)6);
        packet.WriteLittleEndian16((short)4);
        packet.WriteLittleEndian32(this.Flags);
    }
    if (this.Restrictions.length > 0)
    {
        emit(8, this.Restrictions.length, this.Restrictions.value);
    }
    if (this.ChannelBindings.length > 0)
    {
        emit(10, this.ChannelBindings.length, this.ChannelBindings.value);
    }
    if (this.TargetName.value != null)
    {
        // Presence, not length, decides: an empty target name is still encoded.
        emit(9, this.TargetName.length, this.TargetName.value);
    }

    // MsvAvEOL terminator, then the trailing padding.
    packet.WriteLittleEndian16((short)0);
    packet.WriteLittleEndian16((short)0);
    packet.WritePadding(8);

    byte[] encoded = new byte[packet.Length];
    packet.Position = 0L;
    packet.Read(encoded, 0, encoded.Length);
    return encoded;
}
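/// <summary>
/// Parses an AV_PAIR list (the server's TargetInfo) from <paramref name="packet"/> up to and
/// including MsvAvEOL, storing each known pair in the matching field; AvIds this class does not
/// model are skipped. The four NetBIOS/DNS names are additionally decoded as UTF-16LE into the
/// s* string fields.
/// </summary>
/// <param name="packet">Positioned at the first AV_PAIR. The data is server-supplied and untrusted.</param>
/// <exception cref="Exception">
/// The list is truncated before MsvAvEOL, a pair's AvLen runs past the end of the packet, or
/// MsvAvFlags has an AvLen other than 4.
/// </exception>
/// <remarks>
/// Hardening versus the previous version: every AvLen is checked against the bytes remaining, so a
/// hostile length can no longer read past the packet; MsvAvFlags must be exactly 4 bytes (it used
/// to read 4 bytes regardless of AvLen, desynchronising the rest of the parse); and a zero-length
/// pair now stores an empty array instead of reusing the previous pair's buffer (or null, which
/// crashed the string decode).
/// </remarks>
public void Parse(RdpPacket packet)
{
    NTLM.AV_ID av_id;
    do
    {
        // AvId (LE16) and AvLen (LE16) must both be present.
        if (packet.Length - packet.Position < 4L)
        {
            throw new Exception("Truncated AV_PAIR list");
        }
        av_id = (NTLM.AV_ID)packet.ReadLittleEndian16();
        int count = packet.ReadLittleEndian16();
        if (count < 0 || count > packet.Length - packet.Position)
        {
            throw new Exception("AV_PAIR length exceeds packet");
        }

        byte[] value = new byte[count];   // empty for a zero-length pair
        if (av_id == NTLM.AV_ID.MsvAvFlags)
        {
            // Flags is a fixed-width LE32, not a byte buffer.
            if (count != 4)
            {
                throw new Exception("MsvAvFlags length invalid");
            }
            this.Flags = packet.ReadLittleEndian32();
        }
        else if (count > 0)
        {
            packet.Read(value, 0, count);
        }

        switch (av_id)
        {
            case NTLM.AV_ID.MsvAvNbComputerName:
                this.NbComputerName.length = count;
                this.NbComputerName.value = value;
                this.sNbComputerName = Encoding.Unicode.GetString(value, 0, value.Length);
                break;
            case NTLM.AV_ID.MsvAvNbDomainName:
                this.NbDomainName.length = count;
                this.NbDomainName.value = value;
                this.sNbDomainName = Encoding.Unicode.GetString(value, 0, value.Length);
                break;
            case NTLM.AV_ID.MsvAvDnsComputerName:
                this.DnsComputerName.length = count;
                this.DnsComputerName.value = value;
                this.sDnsComputerName = Encoding.Unicode.GetString(value, 0, value.Length);
                break;
            case NTLM.AV_ID.MsvAvDnsDomainName:
                this.DnsDomainName.length = count;
                this.DnsDomainName.value = value;
                this.sDnsDomainName = Encoding.Unicode.GetString(value, 0, value.Length);
                break;
            case NTLM.AV_ID.MsvAvDnsTreeName:
                this.DnsTreeName.length = count;
                this.DnsTreeName.value = value;
                break;
            case NTLM.AV_ID.MsvAvTimestamp:
                this.Timestamp.length = count;
                this.Timestamp.value = value;
                break;
            case NTLM.AV_ID.MsvAvRestrictions:
                this.Restrictions.length = count;
                this.Restrictions.value = value;
                break;
            case NTLM.AV_ID.MsvAvTargetName:
                this.TargetName.length = count;
                this.TargetName.value = value;
                break;
            case NTLM.AV_ID.MsvChannelBindings:
                this.ChannelBindings.length = count;
                this.ChannelBindings.value = value;
                break;
            // MsvAvFlags was handled above; MsvAvEOL ends the loop; anything else is skipped.
        }
    }
    while (av_id != NTLM.AV_ID.MsvAvEOL);
}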
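/// <summary>
/// Builds the NTLM AUTHENTICATE_MESSAGE (MessageType 3) and returns its bytes.
/// </summary>
/// <param name="lmChallengeResponse">LmChallengeResponse payload.</param>
/// <param name="ntChallengeResponse">NtChallengeResponse payload.</param>
/// <param name="sDomainName">Domain name; encoded as UTF-16LE into the payload.</param>
/// <param name="sUser">User name; UTF-16LE.</param>
/// <param name="sWorkstation">Workstation name; UTF-16LE.</param>
/// <param name="EncryptedRandomSessionKey">EncryptedRandomSessionKey payload (empty when the caller did not do key exchange).</param>
/// <param name="ExportedSessionKey">HMAC key for the MIC; only used when <paramref name="bGenerateMIC"/> is set.</param>
/// <param name="bGenerateMIC">Reserve a 16-byte MIC field and fill it with HMAC(ExportedSessionKey, NegotiateMsg || ChallengeMsg || this message with the MIC zeroed).</param>
/// <returns>The serialized message.</returns>
/// <exception cref="ArgumentNullException">A byte-array field is null.</exception>
/// <exception cref="ArgumentException">A field is longer than the 16-bit Len/MaxLen descriptors can express (it used to be silently truncated, producing a corrupt message).</exception>
/// <remarks>
/// Layout: signature + type, six field descriptors in wire order (LM, NT, Domain, User,
/// Workstation, SessionKey), NegotiateFlags, optional 8-byte Version (flag 0x02000000), optional
/// 16-byte MIC, then the payloads in the order Domain, User, Workstation, LM, NT, SessionKey.
/// NOTE(review): the flags are a fixed constant rather than being derived from what the server
/// offered; 0xe2800000 includes 0x40000000 (tested as key-exchange in ProcessChallenge),
/// 0x20000000 ("strong encryption" there) and 0x02000000 (Version). Confirm this matches the
/// server-side negotiation when changing ProcessChallenge.
/// </remarks>
private byte[] Authenticate(byte[] lmChallengeResponse, byte[] ntChallengeResponse, string sDomainName, string sUser, string sWorkstation, byte[] EncryptedRandomSessionKey, byte[] ExportedSessionKey, bool bGenerateMIC)
{
    RdpPacket packet = new RdpPacket();
    uint flags = ( (((((0xe2800000 | NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY) | NTLMSSP_NEGOTIATE_ALWAYS_SIGN) | NTLMSSP_NEGOTIATE_NTLM) | NTLMSSP_NEGOTIATE_SEAL) | NTLMSSP_NEGOTIATE_SIGN) | NTLMSSP_REQUEST_TARGET) | NTLMSSP_NEGOTIATE_UNICODE;
    DumpFlags(flags);

    byte[] domainBytes = Encoding.Unicode.GetBytes(sDomainName);
    byte[] userBytes = Encoding.Unicode.GetBytes(sUser);
    byte[] workstationBytes = Encoding.Unicode.GetBytes(sWorkstation);

    // Len/MaxLen are 16-bit on the wire; refuse to emit a message whose descriptors would lie.
    RequireUInt16Length(lmChallengeResponse, "lmChallengeResponse");
    RequireUInt16Length(ntChallengeResponse, "ntChallengeResponse");
    RequireUInt16Length(domainBytes, "sDomainName");
    RequireUInt16Length(userBytes, "sUser");
    RequireUInt16Length(workstationBytes, "sWorkstation");
    RequireUInt16Length(EncryptedRandomSessionKey, "EncryptedRandomSessionKey");

    int headerStart = (int)packet.Position;
    packet.WriteString("NTLMSSP", false);
    packet.WriteByte(0);
    packet.WriteLittleEndian32(3);   // MessageType = AUTHENTICATE

    // Payload begins after the fixed part: six 8-byte descriptors, 4 bytes of flags,
    // optional 8-byte Version, optional 16-byte MIC.
    int payloadOffset = (((int)packet.Position) - headerStart) + (6 * 8) + 4;
    if ((flags & 0x2000000) != 0)
    {
        payloadOffset += 8;
    }
    if (bGenerateMIC)
    {
        payloadOffset += 0x10;
    }

    // Payload order is Domain, User, Workstation, LM, NT, SessionKey.
    int domainOffset = payloadOffset;
    int userOffset = domainOffset + domainBytes.Length;
    int workstationOffset = userOffset + userBytes.Length;
    int lmOffset = workstationOffset + workstationBytes.Length;
    int ntOffset = lmOffset + lmChallengeResponse.Length;
    int sessionKeyOffset = ntOffset + ntChallengeResponse.Length;

    // Field descriptor: Len, MaxLen (= Len), BufferOffset.
    Action<int, int> descriptor = delegate (int length, int offset)
    {
        packet.WriteLittleEndian16((ushort)length);
        packet.WriteLittleEndian16((ushort)length);
        packet.WriteLittleEndian32(offset);
    };

    // Descriptors are written in wire order, which differs from payload order.
    descriptor(lmChallengeResponse.Length, lmOffset);
    descriptor(ntChallengeResponse.Length, ntOffset);
    descriptor(domainBytes.Length, domainOffset);
    descriptor(userBytes.Length, userOffset);
    descriptor(workstationBytes.Length, workstationOffset);
    descriptor(EncryptedRandomSessionKey.Length, sessionKeyOffset);

    packet.WriteLittleEndian32(flags);
    if ((flags & 0x2000000) != 0)
    {
        this.WriteVersion(packet);
    }

    // MIC placeholder; it must be zero while the HMAC over the message is computed.
    long micOffset = packet.Position;
    if (bGenerateMIC)
    {
        packet.WritePadding(0x10);
    }

    packet.Write(domainBytes, 0, domainBytes.Length);
    packet.Write(userBytes, 0, userBytes.Length);
    packet.Write(workstationBytes, 0, workstationBytes.Length);
    packet.Write(lmChallengeResponse, 0, lmChallengeResponse.Length);
    packet.Write(ntChallengeResponse, 0, ntChallengeResponse.Length);
    packet.Write(EncryptedRandomSessionKey, 0, EncryptedRandomSessionKey.Length);

    if (bGenerateMIC)
    {
        // MIC = HMAC(ExportedSessionKey, Negotiate || Challenge || Authenticate-with-zero-MIC).
        packet.Position = 0L;
        byte[] message = new byte[packet.Length];
        packet.Read(message, 0, message.Length);
        HMACT64 hmac = new HMACT64(ExportedSessionKey);
        hmac.update(this.m_NegotiateMsg);
        hmac.update(this.m_ChallengeMsg);
        hmac.update(message);
        byte[] mic = hmac.digest();
        packet.Position = micOffset;
        packet.Write(mic, 0, mic.Length);
    }

    packet.Position = 0L;
    byte[] result = new byte[packet.Length];
    packet.Read(result, 0, result.Length);
    return result;
}

/// <summary>
/// Throws unless <paramref name="field"/> is non-null and short enough for a 16-bit NTLM
/// Len/MaxLen descriptor.
/// </summary>
private static void RequireUInt16Length(byte[] field, string fieldName)
{
    if (field == null)
    {
        throw new ArgumentNullException(fieldName);
    }
    if (field.Length > ushort.MaxValue)
    {
        throw new ArgumentException("NTLM field exceeds 65535 bytes: " + fieldName, fieldName);
    }
}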
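/// <summary>
/// Consumes the server's CHALLENGE_MESSAGE (MessageType 2), derives the NTLMv2 responses and the
/// session keys, initialises the signing keys and returns the serialized AUTHENTICATE_MESSAGE.
/// </summary>
/// <param name="Challenge">Raw CHALLENGE_MESSAGE bytes from the server (untrusted). Also retained in m_ChallengeMsg for the MIC.</param>
/// <returns>The AUTHENTICATE_MESSAGE produced by <see cref="Authenticate"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="Challenge"/> is null.</exception>
/// <exception cref="Exception">
/// Bad signature or message type, TargetInfo missing, the server did not offer flag 0x20000000,
/// or a TargetName/TargetInfo descriptor points outside the message.
/// </exception>
/// <remarks>
/// Security notes:
/// - TargetName and TargetInfo offsets/lengths are server-controlled and are now range-checked
///   against the message before any read (they used to be trusted as-is).
/// - When Network.Logger is active, the NT response key (derived from the password), client
///   challenge, key-exchange key and exported session key are written to or replayed from the
///   packet log via m_Socket; that log is as sensitive as the credentials and must be protected
///   accordingly. The hook order (ResponseKeyNT, ClientChallenge, KeyExchangeKey,
///   ExportedSessionKey) is kept exactly as before in case the log is read sequentially.
/// - A CHALLENGE without MsvAvTimestamp (or a non-NTLMv2 configuration) makes the client use its
///   own clock and send no MIC. NOTE(review): a server can thereby obtain a MIC-less AUTHENTICATE;
///   consider rejecting a missing timestamp when m_bNTLMv2 is set.
/// - RC4 is the NTLM key-exchange construction (RC4(KeyExchangeKey, ExportedSessionKey)), not a
///   cipher choice made here.
/// Other changes: RNGCryptoServiceProvider is disposed; the FILETIME timestamp is serialized
/// little-endian explicitly instead of via host-endian BitConverter; the decoded TargetName, which
/// was never used, is no longer read.
/// </remarks>
public byte[] ProcessChallenge(byte[] Challenge)
{
    if (Challenge == null)
    {
        throw new ArgumentNullException("Challenge");
    }

    RdpPacket packet = new RdpPacket();
    this.m_ChallengeMsg = Challenge;   // needed verbatim for the MIC in Authenticate
    packet.Write(Challenge, 0, Challenge.Length);
    packet.Position = 0L;
    long messageStart = packet.Position;

    if (packet.ReadString(8) != "NTLMSSP\0")
    {
        throw new Exception("Invalid negotiation token!");
    }
    if (packet.ReadLittleEndian32() != 2)
    {
        throw new Exception("Expected challenge!");
    }

    // TargetName descriptor: Len, MaxLen (ignored), BufferOffset.
    int targetNameLen = packet.ReadLittleEndian16();
    packet.ReadLittleEndian16();
    int targetNameOffset = packet.ReadLittleEndian32();

    uint flags = (uint)packet.ReadLittleEndian32();
    DumpFlags(flags);

    byte[] serverChallenge = new byte[8];
    packet.Read(serverChallenge, 0, 8);
    DumpHex(serverChallenge, serverChallenge.Length, "Server Challenge");

    byte[] reserved = new byte[8];
    packet.Read(reserved, 0, 8);

    // TargetInfo descriptor: Len, MaxLen (ignored), BufferOffset.
    int targetInfoLen = packet.ReadLittleEndian16();
    packet.ReadLittleEndian16();
    int targetInfoOffset = packet.ReadLittleEndian32();

    if ((flags & 0x2000000) != 0)
    {
        // Version field present; contents not used.
        byte[] version = new byte[8];
        packet.Read(version, 0, 8);
    }
    if ((flags & 0x20000000) == 0)
    {
        throw new Exception("Strong Encryption not supported by server");
    }

    // TargetName is validated but not otherwise used by this client.
    if (targetNameLen > 0)
    {
        EnsureInMessage(targetNameOffset, targetNameLen, Challenge.Length, "TargetName");
    }

    if (targetInfoLen <= 0)
    {
        throw new Exception("No TargetInfo!");
    }
    EnsureInMessage(targetInfoOffset, targetInfoLen, Challenge.Length, "TargetInfo");
    byte[] targetInfo = new byte[targetInfoLen];
    packet.Position = messageStart + targetInfoOffset;
    packet.Read(targetInfo, 0, targetInfoLen);

    // Parse and re-serialise the AV_PAIR list so the NTLMv2 blob carries the canonical form.
    AV_PAIRS av_pairs = new AV_PAIRS();
    RdpPacket targetInfoPacket = new RdpPacket();
    targetInfoPacket.Write(targetInfo, 0, targetInfo.Length);
    targetInfoPacket.Position = 0L;
    av_pairs.Parse(targetInfoPacket);
    targetInfo = av_pairs.Serialise();

    // Secrets: response key, client nonce and exported session key. The random values are drawn
    // up front so the generator can be disposed; the log hooks below keep their original order.
    byte[] clientChallenge = new byte[8];
    byte[] exportedSessionKey = new byte[0x10];
    using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
    {
        rng.GetBytes(clientChallenge);
        rng.GetBytes(exportedSessionKey);
    }

    byte[] responseKeyNT = nTOWFv2(this.m_sDomain, this.m_sUsername, this.m_sPassword);
    responseKeyNT = RecordOrReplay(PacketLogger.PacketType.NTLM_ResponseKeyNT, responseKeyNT);

    clientChallenge = RecordOrReplay(PacketLogger.PacketType.NTLM_ClientChallenge, clientChallenge);
    DumpHex(clientChallenge, clientChallenge.Length, "Client Challenge");

    byte[] lmResponse = getLMv2Response(responseKeyNT, serverChallenge, clientChallenge);
    DumpHex(lmResponse, lmResponse.Length, "LM Response");
    if (this.m_bNTLMv2)
    {
        // Pure NTLMv2: LmChallengeResponse is sent as zeros.
        Array.Clear(lmResponse, 0, lmResponse.Length);
    }

    byte[] timestamp;
    bool generateMic = false;
    if ((av_pairs.Timestamp.length <= 0) || !this.m_bNTLMv2)
    {
        // No server timestamp (or not NTLMv2): use the local clock as a little-endian FILETIME; no MIC.
        long fileTime = DateTime.UtcNow.ToFileTimeUtc();
        timestamp = new byte[8];
        for (int i = 0; i < 8; i++)
        {
            timestamp[i] = (byte)(fileTime >> (8 * i));
        }
    }
    else
    {
        timestamp = av_pairs.Timestamp.value;
        generateMic = true;
        av_pairs.ProcessForNTLMv2();   // adjusts the AV list for the MIC-bearing response (defined elsewhere)
        targetInfo = av_pairs.Serialise();
    }
    DumpHex(targetInfo, targetInfo.Length, "targetinfo");

    byte[] keyExchangeKey = null;
    byte[] ntResponse = getNTLMv2Response(responseKeyNT, serverChallenge, clientChallenge, timestamp, targetInfo, out keyExchangeKey);
    DumpHex(ntResponse, ntResponse.Length, "NTLMv2 Response");
    keyExchangeKey = RecordOrReplay(PacketLogger.PacketType.NTLM_KeyExchangeKey, keyExchangeKey);

    exportedSessionKey = RecordOrReplay(PacketLogger.PacketType.NTLM_ExportedSessionKey, exportedSessionKey);

    // Key exchange: EncryptedRandomSessionKey = RC4(KeyExchangeKey, ExportedSessionKey).
    RC4 rc4 = new RC4();
    rc4.engineInitEncrypt(keyExchangeKey);
    byte[] encryptedRandomSessionKey = rc4.crypt(exportedSessionKey);
    if ((flags & 0x40000000) == 0)
    {
        // Server did not offer key exchange: the field is empty and the key-exchange key is the session key.
        encryptedRandomSessionKey = new byte[0];
        exportedSessionKey = keyExchangeKey;
    }

    this.InitSignKeys(exportedSessionKey);
    return this.Authenticate(lmResponse, ntResponse, this.m_sDomain, this.m_sUsername, this.m_sWorkstation, encryptedRandomSessionKey, exportedSessionKey, generateMic);
}

/// <summary>
/// Rejects a server-supplied (offset, length) pair that does not lie wholly inside a message of
/// <paramref name="messageLength"/> bytes. The sum is taken in 64-bit so an offset near
/// int.MaxValue cannot wrap the check.
/// </summary>
private static void EnsureInMessage(int offset, int length, int messageLength, string fieldName)
{
    if (offset < 0 || length < 0 || ((long)offset + length) > messageLength)
    {
        throw new Exception("Invalid " + fieldName + " offset/length in challenge");
    }
}

/// <summary>
/// Packet-log hook. With no logger, returns <paramref name="value"/> unchanged; when the log is
/// being replayed, returns the recorded blob for <paramref name="type"/> instead; when recording,
/// stores <paramref name="value"/> and returns it. Everything routed through here is key material.
/// </summary>
private byte[] RecordOrReplay(PacketLogger.PacketType type, byte[] value)
{
    if (Network.Logger == null)
    {
        return value;
    }
    if (Network.Logger.Reading)
    {
        return this.m_Socket.GetBlob(type);
    }
    this.m_Socket.AddBlob(type, value);
    return value;
}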