////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Sends an SMB2 SESSION_SETUP request that carries an NTLMSSP NEGOTIATE token and
/// reads the server's reply into the shared <c>recieve</c> buffer, where
/// <c>Authenticate</c> later expects to find the NTLMSSP CHALLENGE message.
/// </summary>
internal void NTLMSSPNegotiate()
{
    // SMB2 header: command 0x0001 (SESSION_SETUP), 0x1f credits requested.
    SMB2Header smbHeader = new SMB2Header();
    smbHeader.SetCommand(new Byte[] { 0x01, 0x00 });
    smbHeader.SetCreditsRequested(new Byte[] { 0x1f, 0x00 });
    smbHeader.SetMessageID(++messageId);
    smbHeader.SetProcessID(processId);
    smbHeader.SetTreeId(treeId);
    smbHeader.SetSessionID(sessionId);
    Byte[] headerBytes = smbHeader.GetHeader();

    // NTLMSSP NEGOTIATE token, built for the negotiated dialect with the class-level flags.
    SMB2NTLMSSPNegotiate negotiateToken = new SMB2NTLMSSPNegotiate(version);
    negotiateToken.SetFlags(flags);
    Byte[] tokenBytes = negotiateToken.GetSMB2NTLMSSPNegotiate();

    // The token travels as the security blob of the SESSION_SETUP body.
    SMB2SessionSetupRequest setupRequest = new SMB2SessionSetupRequest();
    setupRequest.SetSecurityBlob(tokenBytes);
    Byte[] bodyBytes = setupRequest.GetSMB2SessionSetupRequest();

    // NetBIOS session service prefix carries the length of header + body.
    NetBIOSSessionService netbios = new NetBIOSSessionService();
    netbios.SetHeaderLength(headerBytes.Length);
    netbios.SetDataLength(bodyBytes.Length);
    Byte[] prefixBytes = netbios.GetNetBIOSSessionService();

    Byte[] packet = Combine.combine(Combine.combine(prefixBytes, headerBytes), bodyBytes);
    streamSocket.Write(packet, 0, packet.Length);
    streamSocket.Flush();
    // NOTE(review): the byte count returned by Read is discarded, so a short read leaves
    // stale bytes from an earlier reply in recieve for Authenticate to parse — confirm the
    // transport delivers the whole response in a single call.
    streamSocket.Read(recieve, 0, recieve.Length);
}
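////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Completes NTLMv2 authentication over SMB2: parses the NTLMSSP CHALLENGE that
/// <c>NTLMSSPNegotiate</c> left in <c>recieve</c>, computes the NTLMv2 response from
/// the supplied NT hash, sends the AUTHENTICATE token in a second SESSION_SETUP and
/// reads the server's reply. When <c>signing</c> is set, the key exchange key is
/// stored in <c>sessionKey</c> for later message signing.
/// </summary>
/// <param name="domain">Domain name placed in the AUTHENTICATE message and in the NTOWFv2 input.</param>
/// <param name="username">User name placed in the AUTHENTICATE message; upper-cased for the NTOWFv2 input.</param>
/// <param name="hash">NT hash as an even-length hex string; used directly as the HMAC-MD5 key for NTOWFv2.</param>
/// <returns><c>true</c> when the SMB2 status in the reply indicates success, otherwise <c>false</c>.</returns>
/// <exception cref="ArgumentException"><paramref name="hash"/> is null or has an odd number of hex digits.</exception>
/// <exception cref="FormatException"><paramref name="hash"/> contains a non-hexadecimal digit pair.</exception>
/// <exception cref="InvalidOperationException">The buffered reply contains no NTLMSSP signature.</exception>
internal Boolean Authenticate(String domain, String username, String hash)
{
    Byte[] ntHash = ParseHexKey(hash);

    // ---- Locate and parse the NTLMSSP CHALLENGE in the buffered reply ----
    String replyHex = BitConverter.ToString(recieve).Replace("-", "");
    Int32 signatureHexPos = replyHex.IndexOf("4E544C4D53535000", StringComparison.Ordinal);
    if (signatureHexPos < 0)
    {
        // Previously -1 / 2 == 0 and the buffer was parsed from offset 0 as if a
        // CHALLENGE were present; fail explicitly instead.
        throw new InvalidOperationException("Server reply does not contain an NTLMSSP CHALLENGE message.");
    }
    Int32 index = signatureHexPos / 2;

    // SMB2 header SessionId (header offset 40, plus the 4-byte NetBIOS prefix) is now
    // assigned by the server and is echoed on every later request.
    sessionId = recieve.Skip(44).Take(8).ToArray();

    // CHALLENGE fields relative to the signature: ServerChallenge at +24,
    // TargetInfoLen at +40, TargetInfoBufferOffset at +44 (MS-NLMP 2.2.1.2).
    Byte[] serverChallenge = recieve.Skip(index + 24).Take(8).ToArray();
    UInt16 targetInfoLen = BitConverter.ToUInt16(recieve, index + 40);
    Int32 targetInfoOffset = BitConverter.ToInt32(recieve, index + 44);
    Byte[] targetInfo = recieve.Skip(index + targetInfoOffset).Take(targetInfoLen).ToArray();

    // MS-NLMP: use the server's MsvAvTimestamp (AvId 7) when present, otherwise the
    // client's current time as a FILETIME. Walking the AV_PAIR list replaces the old
    // assumption that the timestamp was always the last pair before MsvAvEOL.
    Byte[] serverTime = FindAvPairValue(targetInfo, 0x0007)
        ?? BitConverter.GetBytes(DateTime.UtcNow.ToFileTimeUtc());

    // ---- NTOWFv2 and the NTLMv2 response ----
    Byte[] domainBytes = Encoding.Unicode.GetBytes(domain);
    Byte[] userBytes = Encoding.Unicode.GetBytes(username);
    Byte[] hostBytes = Encoding.Unicode.GetBytes(Environment.MachineName);

    Byte[] responseKey;
    using (HMACMD5 ntowf = new HMACMD5(ntHash))
    {
        // NTOWFv2 = HMAC_MD5(NT hash, UNICODE(UPPER(user) + domain)). Invariant casing keeps
        // the key independent of the process culture (ToUpper is culture-sensitive).
        Byte[] userUpper = Encoding.Unicode.GetBytes(username.ToUpperInvariant());
        responseKey = ntowf.ComputeHash(Combine.combine(userUpper, domainBytes));
    }

    // Client challenge must be unpredictable; System.Random is not a CSPRNG and the old
    // Next(0, 255) call could never produce 0xFF.
    Byte[] clientChallenge = new Byte[8];
    using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(clientChallenge);
    }

    Byte[] blob = CombineAll(
        new Byte[] { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // RespType, HiRespType, Reserved1, Reserved2
        serverTime,
        clientChallenge,
        new Byte[] { 0x00, 0x00, 0x00, 0x00 },                         // Reserved3
        targetInfo,
        new Byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }); // trailing zeros kept byte-for-byte from the original layout

    Byte[] ntProofStr;
    using (HMACMD5 hmac = new HMACMD5(responseKey))
    {
        ntProofStr = hmac.ComputeHash(Combine.combine(serverChallenge, blob));
    }
    if (signing)
    {
        using (HMACMD5 hmac = new HMACMD5(responseKey))
        {
            // Key exchange key for NTLMv2 = HMAC_MD5(NTOWFv2, NTProofStr).
            sessionKey = hmac.ComputeHash(ntProofStr);
        }
    }
    Byte[] ntResponse = Combine.combine(ntProofStr, blob);

    // ---- AUTHENTICATE message (fixed 64-byte header, no Version field) ----
    Int32 payloadBase = 64;
    Int32 userOffset = payloadBase + domainBytes.Length;
    Int32 hostOffset = userOffset + userBytes.Length;
    Int32 lmOffset = hostOffset + hostBytes.Length;
    Int32 ntOffset = lmOffset + 24;                     // LmChallengeResponse is 24 zero bytes
    Int32 sessionKeyOffset = ntOffset + ntResponse.Length;

    Byte[] ntLen = LengthField16(ntResponse.Length);
    Byte[] domainLen = LengthField16(domainBytes.Length);
    Byte[] userLen = LengthField16(userBytes.Length);
    Byte[] hostLen = LengthField16(hostBytes.Length);

    Byte[] authenticate = CombineAll(
        new Byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00 }, // "NTLMSSP\0", MessageType 3
        new Byte[] { 0x18, 0x00 }, new Byte[] { 0x18, 0x00 }, BitConverter.GetBytes(lmOffset),
        ntLen, ntLen, BitConverter.GetBytes(ntOffset),
        domainLen, domainLen, BitConverter.GetBytes(payloadBase),
        userLen, userLen, BitConverter.GetBytes(userOffset),
        hostLen, hostLen, BitConverter.GetBytes(hostOffset),
        sessionKeyLength, sessionKeyLength, BitConverter.GetBytes(sessionKeyOffset),
        flags,
        domainBytes, userBytes, hostBytes,
        new Byte[24],                                   // LmChallengeResponse: zeros
        ntResponse);

    // ---- Second SESSION_SETUP carrying the AUTHENTICATE token ----
    SMB2Header smbHeader = new SMB2Header();
    smbHeader.SetCommand(new Byte[] { 0x01, 0x00 });
    smbHeader.SetCreditsRequested(new Byte[] { 0x1f, 0x00 });
    smbHeader.SetMessageID(++messageId);
    smbHeader.SetProcessID(processId);
    smbHeader.SetTreeId(treeId);
    smbHeader.SetSessionID(sessionId);
    Byte[] headerBytes = smbHeader.GetHeader();

    NTLMSSPAuth ntlmSSPAuth = new NTLMSSPAuth();
    ntlmSSPAuth.SetNetNTLMResponse(authenticate);
    SMB2SessionSetupRequest setupRequest = new SMB2SessionSetupRequest();
    setupRequest.SetSecurityBlob(ntlmSSPAuth.GetNTLMSSPAuth());
    Byte[] bodyBytes = setupRequest.GetSMB2SessionSetupRequest();

    NetBIOSSessionService netbios = new NetBIOSSessionService();
    netbios.SetHeaderLength(headerBytes.Length);
    netbios.SetDataLength(bodyBytes.Length);
    Byte[] packet = Combine.combine(Combine.combine(netbios.GetNetBIOSSessionService(), headerBytes), bodyBytes);

    streamSocket.Write(packet, 0, packet.Length);
    streamSocket.Flush();
    // NOTE(review): the byte count returned by Read is discarded; a short read would leave
    // stale bytes in recieve — confirm the transport delivers the whole reply in one call.
    streamSocket.Read(recieve, 0, recieve.Length);

    // SMB2 header Status sits at header offset 8; the 4-byte NetBIOS prefix puts it at 12.
    if (!GetStatus(recieve.Skip(12).Take(4).ToArray()))
    {
        return false;
    }
    Console.WriteLine("[+] Login Successful");
    return true;
}

/// <summary>Decodes an even-length hex string into bytes.</summary>
/// <param name="hex">Hex digits, two per output byte.</param>
/// <returns>The decoded bytes.</returns>
/// <exception cref="ArgumentException"><paramref name="hex"/> is null or has odd length.</exception>
/// <exception cref="FormatException">A digit pair is not hexadecimal.</exception>
private static Byte[] ParseHexKey(String hex)
{
    if (hex == null || hex.Length % 2 != 0)
    {
        throw new ArgumentException("Hash must be an even-length hexadecimal string.", "hex");
    }
    Byte[] bytes = new Byte[hex.Length / 2];
    for (Int32 i = 0; i < bytes.Length; i++)
    {
        bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
    }
    return bytes;
}

/// <summary>
/// Returns the value of the first AV_PAIR with the given AvId in an NTLM TargetInfo
/// list, or <c>null</c> when the list ends (MsvAvEOL) or is truncated before it.
/// </summary>
/// <param name="avPairs">AV_PAIR list: little-endian AvId (2), AvLen (2), Value (AvLen).</param>
/// <param name="avId">AvId to look for, e.g. 0x0007 for MsvAvTimestamp.</param>
private static Byte[] FindAvPairValue(Byte[] avPairs, UInt16 avId)
{
    Int32 pos = 0;
    while (pos + 4 <= avPairs.Length)
    {
        UInt16 id = BitConverter.ToUInt16(avPairs, pos);
        UInt16 len = BitConverter.ToUInt16(avPairs, pos + 2);
        if (id == 0x0000 || pos + 4 + len > avPairs.Length)
        {
            break; // MsvAvEOL, or a pair that runs past the buffer
        }
        if (id == avId)
        {
            return avPairs.Skip(pos + 4).Take(len).ToArray();
        }
        pos += 4 + len;
    }
    return null;
}

/// <summary>
/// Little-endian 2-byte length field. Values above 0xFFFF wrap, matching the
/// original <c>GetBytes(int).Take(2)</c> truncation.
/// </summary>
private static Byte[] LengthField16(Int32 value)
{
    return BitConverter.GetBytes((UInt16)(value & 0xFFFF));
}

/// <summary>Concatenates byte arrays in the order given.</summary>
private static Byte[] CombineAll(params Byte[][] parts)
{
    return parts.SelectMany(p => p).ToArray();
}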