/// <summary>
/// Fills in the AV_PAIR values this client contributes to the NTLMv2 target info:
/// MsvAvFlags, MsvAvChannelBindings, MsvAvTargetName and MsvAvRestrictions.
/// </summary>
/// <exception cref="Exception">Thrown when the serialized restrictions block does not match its announced length.</exception>
public void ProcessForNTLMv2()
{
    // AvFlags = 2 — presumably the MS-NLMP "MIC present" bit; confirm against the caller that sets bGenerateMIC.
    this.Flags = 2;

    // Channel bindings are 16 zero bytes, i.e. no TLS channel-binding hash is supplied. An all-zero hash
    // tells the server there are no channel bindings, so this exchange is not tied to the outer TLS session (no EPA).
    this.ChannelBindings.length = 0x10;
    this.ChannelBindings.value = new byte[0x10];

    // Target name is deliberately empty (zero-length UTF-16LE string).
    byte[] targetName = Encoding.Unicode.GetBytes(string.Empty);
    this.TargetName.length = targetName.Length;
    this.TargetName.value = targetName;

    // NOTE(review): this MachineID is a fixed constant. MS-NLMP describes MachineID as a random value chosen
    // at boot, so every session built here carries the same 32 bytes — confirm that is intended.
    byte[] machineId =
    {
        0x5c, 0xca, 0xfa, 0x4d, 0x40, 0x41, 0xc5, 0x8b, 0x43, 0x93, 0x16, 0x88, 0xce, 0x3b, 0x94, 0x63,
        0xf1, 0xc5, 0x61, 0xf4, 0xe1, 0xde, 0xda, 0x7a, 0x43, 0xb8, 0xd6, 0xc8, 0x9e, 0x50, 0x3f, 0x42,
    };

    // Restriction_Encoding: Size(4) + Z4(4) + IntegrityLevel(4) + SubjectIntegrityLevel(4) + MachineID(32) = 0x30.
    this.Restrictions.length = 0x30;
    RdpPacket encoded = new RdpPacket();
    encoded.WriteLittleEndian32(0x30);   // Size
    encoded.WritePadding(4);             // Z4
    encoded.WriteByte(1);                // IntegrityLevel, written as one byte plus three bytes of padding
    encoded.WritePadding(3);
    encoded.WriteLittleEndian32(0x2000); // SubjectIntegrityLevel
    encoded.Write(machineId, 0, 0x20);   // MachineID
    this.Restrictions.value = encoded.ToArray();

    if (this.Restrictions.value.Length != this.Restrictions.length)
    {
        throw new Exception("Restrictions invalid!");
    }
}
/// <summary>
/// Writes the 8-byte NTLM VERSION structure: ProductMajorVersion, ProductMinorVersion,
/// ProductBuild (little-endian 16-bit), three reserved bytes and NTLMRevisionCurrent.
/// </summary>
/// <param name="packet">Destination packet; the bytes are appended at its current position.</param>
private void WriteVersion(RdpPacket packet)
{
    // Advertises 6.1 build 0x1db0 (7600) and NTLMSSP revision 15 (NTLMSSP_REVISION_W2K3).
    byte[] version = { 6, 1, 0xb0, 0x1d, 0, 0, 0, 15 };
    foreach (byte octet in version)
    {
        packet.WriteByte(octet);
    }
}
/// <summary>
/// Client X.224 Connection Request PDU
/// </summary>
/// <param name="NegotiationFlags">Security protocols requested in the RDP Negotiation Request.</param>
/// <param name="loadBalanceToken">Routing token to echo back as the cookie, or null to send the "mstshash" user cookie instead.</param>
private static void sendConnectNegotiation(NegotiationProtocol NegotiationFlags, byte[] loadBalanceToken)
{
    // The mstshash cookie carries at most 9 characters of the user identifier.
    // NOTE(review): Options.DomainAndUsername is dereferenced without a null check — confirm it is always set.
    string cookieUser = Options.DomainAndUsername;
    if (cookieUser.Length > 9)
    {
        cookieUser = cookieUser.Substring(0, 9);
    }

    RdpPacket packet = new RdpPacket();

    // TPKT header: version 3, reserved, 16-bit big-endian length patched once the PDU is complete.
    packet.WriteByte(3);
    packet.WriteByte(0);
    long lengthFieldPos = packet.Position;
    packet.WriteBigEndian16((short)0);

    // X.224 Connection Request: LI (patched below), CR code 0xE0, DST-REF, SRC-REF, class 0.
    packet.WriteByte(0);
    packet.WriteByte(0xe0);
    packet.WriteBigEndian16((short)0);
    packet.WriteBigEndian16((short)0);
    packet.WriteByte(0);

    // Either the routing token or the user cookie, both terminated by CR LF.
    if (loadBalanceToken == null)
    {
        packet.WriteString(string.Concat("Cookie: mstshash=", cookieUser, "\r\n"), true);
    }
    else
    {
        packet.Write(loadBalanceToken, 0, loadBalanceToken.Length);
        packet.WriteString("\r\n", false);
    }

    // RDP Negotiation Request: type 0x01, flags 0, length 8, requestedProtocols.
    packet.WriteByte(0x01);
    packet.WriteByte(0);
    packet.WriteLittleEndian16((short)8);
    packet.WriteLittleEndian32((int)NegotiationFlags); // Standard RDP Security, TLS 1.0, CredSSP

    // Back-patch the TPKT length and the X.224 LI (LI excludes the 4-byte TPKT header and the LI byte itself).
    long totalLength = packet.Position;
    packet.Position = lengthFieldPos;
    packet.WriteBigEndian16((short)totalLength);
    packet.WriteByte((byte)(totalLength - 5L));
    IsoLayer.Write(packet);
}
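/// <summary>
/// Builds the NTLM NEGOTIATE_MESSAGE (message type 1), keeps a copy in <c>m_NegotiateMsg</c>
/// (the AUTHENTICATE MIC is computed over it later) and returns it.
/// </summary>
/// <returns>The serialized NEGOTIATE_MESSAGE.</returns>
public byte[] Negotiate()
{
    // 0xE2000000 = NTLMSSP_NEGOTIATE_56 | _KEY_EXCH | _128 | _VERSION (0x02000000);
    // the named flags add NTLMv2 (extended session security), signing/sealing, target info and charset requests.
    uint flags = 0xe2000000
        | NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY
        | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
        | NTLMSSP_NEGOTIATE_NTLM
        | NTLMSSP_NEGOTIATE_SEAL
        | NTLMSSP_NEGOTIATE_SIGN
        | NTLMSSP_REQUEST_TARGET
        | NTLMSSP_NEGOTIATE_OEM
        | NTLMSSP_NEGOTIATE_UNICODE;
    const uint NegotiateVersionBit = 0x2000000; // NTLMSSP_NEGOTIATE_VERSION: a VERSION structure follows the fields

    RdpPacket packet = new RdpPacket();
    packet.WriteString("NTLMSSP", false);
    packet.WriteByte(0);           // signature "NTLMSSP\0"
    packet.WriteLittleEndian32(1); // MessageType = NEGOTIATE
    packet.WriteLittleEndian32(flags);

    // DomainNameFields and WorkstationFields are left empty (Len, MaxLen, Offset = 0): no *_SUPPLIED flag
    // is requested above, assuming the named constants carry their MS-NLMP values.
    // (The previous version also computed the payload offset here but never used it.)
    packet.WriteLittleEndian16((short)0);
    packet.WriteLittleEndian16((short)0);
    packet.WriteLittleEndian32(0);
    packet.WriteLittleEndian16((short)0);
    packet.WriteLittleEndian16((short)0);
    packet.WriteLittleEndian32(0);

    if ((flags & NegotiateVersionBit) != 0)
    {
        this.WriteVersion(packet);
    }

    // Keep the exact bytes sent: the MIC in AUTHENTICATE is an HMAC over negotiate, challenge and authenticate.
    packet.Position = 0L;
    this.m_NegotiateMsg = new byte[packet.Length];
    packet.Read(this.m_NegotiateMsg, 0, this.m_NegotiateMsg.Length);
    return this.m_NegotiateMsg;
}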
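/// <summary>
/// Writes a DER INTEGER (tag 0x02) holding <paramref name="value"/>: a short-form definite length followed by
/// the minimal big-endian two's-complement content octets (X.690 §8.3).
/// </summary>
/// <param name="packet">Destination packet; the bytes are appended at its current position.</param>
/// <param name="value">Integer to encode. Negative values and positive values whose first octet has the top bit set are encoded correctly.</param>
protected static void WriteInteger(RdpPacket packet, int value)
{
    packet.WriteByte(2); // INTEGER tag

    // Big-endian two's-complement image of the value (BitConverter emits host byte order).
    byte[] octets = BitConverter.GetBytes(value);
    if (BitConverter.IsLittleEndian)
    {
        Array.Reverse(octets);
    }

    // Drop redundant leading octets: 0x00 before a clear sign bit, or 0xFF before a set sign bit.
    // Keeping the 0x00 in front of a positive value with its top bit set is what the previous encoder
    // got wrong (0x80 was emitted as 02 01 80, which a DER decoder reads as -128); negatives were mangled too.
    int first = 0;
    while (first < octets.Length - 1)
    {
        bool redundantZero = octets[first] == 0x00 && (octets[first + 1] & 0x80) == 0;
        bool redundantOnes = octets[first] == 0xff && (octets[first + 1] & 0x80) != 0;
        if (!redundantZero && !redundantOnes)
        {
            break;
        }
        first++;
    }

    packet.WriteByte((byte)(octets.Length - first)); // content length is 1..4, always short form
    for (int i = first; i < octets.Length; i++)
    {
        packet.WriteByte(octets[i]);
    }
}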
/// <summary>
/// Appends the low byte of <paramref name="value"/> to <paramref name="packet"/>.
/// </summary>
/// <param name="packet">Destination packet.</param>
/// <param name="value">Value to write; bits above the low byte are discarded by the narrowing cast.</param>
protected static void WriteByte(RdpPacket packet, int value)
{
    byte octet = (byte)value;
    packet.WriteByte(octet);
}
/// <summary>
/// Resolves the pending DER length placeholder registered under <paramref name="Identifier"/>.
/// When the fixup carries a known length, the bytes written since the placeholder are only validated;
/// otherwise the single placeholder byte is replaced by the minimal definite-length encoding
/// (short form up to 0x7F, long form 0x81..0x84 followed by big-endian length octets).
/// </summary>
/// <param name="packet">Packet holding the placeholder; its position is restored after the fixup, shifted by any inserted bytes.</param>
/// <param name="Identifier">Key of the fixup in <c>m_Fixup</c>; the entry is removed.</param>
/// <exception cref="Exception">Thrown when a known length does not match the bytes actually written.</exception>
protected static void UpdateLength(RdpPacket packet, string Identifier)
{
    Fixup pending = m_Fixup[Identifier];
    m_Fixup.Remove(Identifier);
    long resumeAt = packet.Position;

    if (pending.Length != -1)
    {
        // Length was declared up front: just confirm the content written matches it.
        if (packet.Position - pending.Offset != pending.Length)
        {
            throw new Exception("DER Tag length invalid");
        }
        return;
    }

    // Content starts right after the one-byte placeholder at pending.Offset.
    long contentLength = packet.Position - (pending.Offset + 1L);
    // Little-endian image of the length; indices [3..0] give the big-endian octets needed on the wire.
    byte[] lengthLe = BitConverter.GetBytes(contentLength);

    int extraOctets;
    if (contentLength > 0xffffffL)
    {
        extraOctets = 4;
    }
    else if (contentLength > 0xffffL)
    {
        extraOctets = 3;
    }
    else if (contentLength > 0xffL)
    {
        extraOctets = 2;
    }
    else if (contentLength > 0x7fL)
    {
        extraOctets = 1;
    }
    else
    {
        extraOctets = 0;
    }

    packet.Position = pending.Offset;
    if (extraOctets == 0)
    {
        // Short form: the placeholder byte becomes the length itself.
        packet.WriteByte(lengthLe[0]);
    }
    else
    {
        // Long form: placeholder becomes 0x80 | count, then the length octets are inserted (shifting the content).
        packet.WriteByte((byte)(0x80 | extraOctets));
        for (int i = extraOctets - 1; i >= 0; i--)
        {
            packet.InsertByte(lengthLe[i]);
            resumeAt += 1L;
        }
    }
    packet.Position = resumeAt;
}
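/// <summary>
/// Builds the NTLM AUTHENTICATE_MESSAGE (message type 3) from the already-computed challenge responses,
/// optionally stamping a MIC over the negotiate, challenge and authenticate messages.
/// </summary>
/// <param name="lmChallengeResponse">LmChallengeResponse payload.</param>
/// <param name="ntChallengeResponse">NtChallengeResponse payload.</param>
/// <param name="sDomainName">Domain name, written as UTF-16LE.</param>
/// <param name="sUser">User name, written as UTF-16LE.</param>
/// <param name="sWorkstation">Workstation name, written as UTF-16LE.</param>
/// <param name="EncryptedRandomSessionKey">EncryptedRandomSessionKey payload (KEY_EXCH is always requested here).</param>
/// <param name="ExportedSessionKey">Key for the MIC HMAC; only read when <paramref name="bGenerateMIC"/> is true.</param>
/// <param name="bGenerateMIC">True to reserve and fill the 16-byte MIC field. When false no MIC is sent, so the
/// negotiated flags are not integrity-protected against tampering.</param>
/// <returns>The serialized AUTHENTICATE_MESSAGE.</returns>
/// <exception cref="ArgumentException">Thrown when a payload field is longer than its 16-bit length field can carry.</exception>
private byte[] Authenticate(byte[] lmChallengeResponse, byte[] ntChallengeResponse, string sDomainName, string sUser, string sWorkstation, byte[] EncryptedRandomSessionKey, byte[] ExportedSessionKey, bool bGenerateMIC)
{
    RdpPacket packet = new RdpPacket();

    // 0xE2800000 = NTLMSSP_NEGOTIATE_56 | _KEY_EXCH | _128 | _VERSION (0x02000000) | _TARGET_INFO (0x00800000).
    uint flags = 0xe2800000
        | NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY
        | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
        | NTLMSSP_NEGOTIATE_NTLM
        | NTLMSSP_NEGOTIATE_SEAL
        | NTLMSSP_NEGOTIATE_SIGN
        | NTLMSSP_REQUEST_TARGET
        | NTLMSSP_NEGOTIATE_UNICODE;
    DumpFlags(flags);
    const uint NegotiateVersionBit = 0x2000000; // NTLMSSP_NEGOTIATE_VERSION

    // Fixed header: signature(8) + type(4) + six field descriptors(6*8) + flags(4) [+ version(8)] [+ MIC(16)].
    // The payload starts immediately after it.
    int headerStart = (int)packet.Position;
    packet.WriteString("NTLMSSP", false);
    packet.WriteByte(0);
    packet.WriteLittleEndian32(3); // MessageType = AUTHENTICATE
    int payloadOffset = ((int)packet.Position - headerStart) + 6 * 8 + 4;
    if ((flags & NegotiateVersionBit) != 0)
    {
        payloadOffset += 8;
    }
    if (bGenerateMIC)
    {
        payloadOffset += 0x10;
    }

    byte[] domain = Encoding.Unicode.GetBytes(sDomainName);
    byte[] user = Encoding.Unicode.GetBytes(sUser);
    byte[] workstation = Encoding.Unicode.GetBytes(sWorkstation);

    // Payload order: domain, user, workstation, LM response, NT response, encrypted session key.
    int domainOffset = payloadOffset;
    int userOffset = domainOffset + domain.Length;
    int workstationOffset = userOffset + user.Length;
    int lmOffset = workstationOffset + workstation.Length;
    int ntOffset = lmOffset + lmChallengeResponse.Length;
    int sessionKeyOffset = ntOffset + ntChallengeResponse.Length;

    // Descriptors appear in the wire order mandated by MS-NLMP, which differs from the payload order above.
    WriteAuthenticateField(packet, lmChallengeResponse, lmOffset);
    WriteAuthenticateField(packet, ntChallengeResponse, ntOffset);
    WriteAuthenticateField(packet, domain, domainOffset);
    WriteAuthenticateField(packet, user, userOffset);
    WriteAuthenticateField(packet, workstation, workstationOffset);
    WriteAuthenticateField(packet, EncryptedRandomSessionKey, sessionKeyOffset);
    packet.WriteLittleEndian32(flags);
    if ((flags & NegotiateVersionBit) != 0)
    {
        this.WriteVersion(packet);
    }

    // The MIC slot is zero-filled now; the HMAC is computed over the zeroed message and written back afterwards.
    long micPosition = packet.Position;
    if (bGenerateMIC)
    {
        packet.WritePadding(0x10);
    }

    packet.Write(domain, 0, domain.Length);
    packet.Write(user, 0, user.Length);
    packet.Write(workstation, 0, workstation.Length);
    packet.Write(lmChallengeResponse, 0, lmChallengeResponse.Length);
    packet.Write(ntChallengeResponse, 0, ntChallengeResponse.Length);
    packet.Write(EncryptedRandomSessionKey, 0, EncryptedRandomSessionKey.Length);

    if (bGenerateMIC)
    {
        // MIC = HMAC(ExportedSessionKey, NEGOTIATE || CHALLENGE || AUTHENTICATE-with-zero-MIC);
        // HMACT64 is assumed to be the HMAC-MD5 variant MS-NLMP specifies — confirm in its definition.
        packet.Position = 0L;
        byte[] zeroMicMessage = new byte[packet.Length];
        packet.Read(zeroMicMessage, 0, zeroMicMessage.Length);
        HMACT64 mac = new HMACT64(ExportedSessionKey);
        mac.update(this.m_NegotiateMsg);
        mac.update(this.m_ChallengeMsg);
        mac.update(zeroMicMessage);
        byte[] mic = mac.digest();
        packet.Position = micPosition;
        packet.Write(mic, 0, mic.Length);
    }

    packet.Position = 0L;
    byte[] message = new byte[packet.Length];
    packet.Read(message, 0, message.Length);
    return message;
}

/// <summary>
/// Writes one AUTHENTICATE_MESSAGE field descriptor: Len, MaxLen (always equal here) and BufferOffset.
/// </summary>
/// <param name="packet">Destination packet.</param>
/// <param name="data">Payload bytes the descriptor refers to.</param>
/// <param name="offset">Offset of the payload from the start of the message.</param>
/// <exception cref="ArgumentException">Thrown when <paramref name="data"/> exceeds 65535 bytes.</exception>
private static void WriteAuthenticateField(RdpPacket packet, byte[] data, int offset)
{
    // Without this guard the (ushort) casts silently truncate the length and yield a malformed message.
    if (data.Length > ushort.MaxValue)
    {
        throw new ArgumentException("NTLM AUTHENTICATE field longer than 65535 bytes");
    }
    packet.WriteLittleEndian16((ushort)data.Length);
    packet.WriteLittleEndian16((ushort)data.Length);
    packet.WriteLittleEndian32(offset);
}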