/// <summary>
/// This method will send ComNegotiate request before sending a Negotiate request to simulate windows client behaviour.
/// If ComNegotiate failed, the Negotiate request will still be sent.
/// </summary>
public uint MultiProtocolNegotiate(
Smb2Client client,
ushort creditCharge,
ushort creditRequest,
Packet_Header_Flags_Values flags,
ulong messageId,
DialectRevision[] dialects,
SecurityMode_Values securityMode,
Capabilities_Values capabilities,
Guid clientGuid,
out DialectRevision selectedDialect,
out byte[] gssToken,
out Packet_Header responseHeader,
out NEGOTIATE_Response responsePayload)
{
uint status = client.MultiProtocolNegotiate(
new string[] { "SMB 2.002", "SMB 2.???" },
out selectedDialect,
out gssToken,
out responseHeader,
out responsePayload);
if (responseHeader.Status != Smb2Status.STATUS_SUCCESS)
{
LogFailedStatus("ComNegotiate", responseHeader.Status);
}
PreauthIntegrityHashID[] preauthHashAlgs = null;
EncryptionAlgorithm[] encryptionAlgs = null;
// For back compatibility, if dialects contains SMB 3.11, preauthentication integrity context should be present.
if (Array.IndexOf(dialects, DialectRevision.Smb311) >= 0)
{
preauthHashAlgs = new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 };
encryptionAlgs = new EncryptionAlgorithm[] {
EncryptionAlgorithm.ENCRYPTION_AES128_GCM,
EncryptionAlgorithm.ENCRYPTION_AES128_CCM
};
}
status = client.Negotiate(
creditCharge,
creditRequest,
flags,
messageId,
dialects,
securityMode,
capabilities,
clientGuid,
out selectedDialect,
out gssToken,
out responseHeader,
out responsePayload,
0,
preauthHashAlgs,
encryptionAlgs);
return(status);
}
private void FetchSmb2CompressionInfo(Smb2Info smb2Info)
{
if (smb2Info.MaxSupportedDialectRevision < DialectRevision.Smb311)
{
logWriter.AddLog(LogLevel.Information, "SMB dialect less than 3.1.1 does not support compression.");
smb2Info.SupportedCompressionAlgorithms = new CompressionAlgorithm[0];
return;
}
var possibleCompressionAlogrithms = new CompressionAlgorithm[] { CompressionAlgorithm.LZ77, CompressionAlgorithm.LZ77Huffman, CompressionAlgorithm.LZNT1 };
// Iterate all possible compression algorithm for Windows will only return only one supported compression algorithm in response.
var result = possibleCompressionAlogrithms.Where(compressionAlgorithm =>
{
using (var client = new Smb2Client(new TimeSpan(0, 0, defaultTimeoutInSeconds)))
{
client.ConnectOverTCP(SUTIpAddress);
DialectRevision selectedDialect;
byte[] gssToken;
Packet_Header responseHeader;
NEGOTIATE_Response responsePayload;
uint status = client.Negotiate(
0,
1,
Packet_Header_Flags_Values.NONE,
0,
new DialectRevision[] { DialectRevision.Smb311 },
SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED,
Capabilities_Values.NONE,
Guid.NewGuid(),
out selectedDialect,
out gssToken,
out responseHeader,
out responsePayload,
preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 },
compressionAlgorithms: new CompressionAlgorithm[] { compressionAlgorithm }
);
if (status == Smb2Status.STATUS_SUCCESS && client.CompressionInfo.CompressionIds.Length == 1 && client.CompressionInfo.CompressionIds[0] == compressionAlgorithm)
{
logWriter.AddLog(LogLevel.Information, $"Compression algorithm: {compressionAlgorithm} is supported by SUT.");
return(true);
}
else
{
logWriter.AddLog(LogLevel.Information, $"Compression algorithm: {compressionAlgorithm} is not supported by SUT.");
return(false);
}
}
});
smb2Info.SupportedCompressionAlgorithms = result.ToArray();
}
public void NegotiateRequest(Sequence <DialectRevision> dialects)
{
Packet_Header responseHeader = new Packet_Header();
DialectRevision selectedDialect = DialectRevision.Smb2Unknown;
NEGOTIATE_Response responsePayload = new NEGOTIATE_Response();
byte[] smb2ClientGssToken;
ModelSmb2Status status = ModelSmb2Status.STATUS_SUCCESS;
try
{
status = (ModelSmb2Status)smb2Client.Negotiate(0, 1, Packet_Header_Flags_Values.NONE, messageId++, dialects.ToArray(), SecurityMode_Values.NONE, Capabilities_Values.NONE, Guid.NewGuid(),
out selectedDialect, out smb2ClientGssToken, out responseHeader, out responsePayload);
if (status != ModelSmb2Status.STATUS_SUCCESS)
{
selectedDialect = DialectRevision.Smb2Unknown;
}
this.NegotiateResponse(status, selectedDialect);
}
catch
{
}
}
public uint Negotiate(DialectRevision[] dialects, SecurityMode_Values securityMode, Capabilities_Values capabilityValue, Guid clientGuid, out DialectRevision selectedDialect, ushort creditRequest = 1)
{
Packet_Header header;
NEGOTIATE_Response negotiateResponse;
uint status = client.Negotiate(
0,
creditRequest,
Packet_Header_Flags_Values.NONE,
messageId++,
dialects,
securityMode,
capabilityValue,
clientGuid,
out selectedDialect,
out serverGssToken,
out header,
out negotiateResponse);
grantedCredit = header.CreditRequestResponse;
return(status);
}
public void NegotiateRequest(List <DialectRevision> dialects)
{
Smb2NegotiateRequestPacket negotiateRequest;
Smb2NegotiateResponsePacket negotiateResponse;
DialectRevision selectedDialect = DialectRevision.Smb2Unknown;
byte[] smb2ClientGssToken;
ModelSmb2Status status = ModelSmb2Status.STATUS_SUCCESS;
try
{
status = (ModelSmb2Status)smb2Client.Negotiate(0, 1, Packet_Header_Flags_Values.NONE, messageId++, dialects.ToArray(), SecurityMode_Values.NONE, Capabilities_Values.NONE, Guid.NewGuid(),
out selectedDialect, out smb2ClientGssToken, out negotiateRequest, out negotiateResponse);
if (status != ModelSmb2Status.STATUS_SUCCESS)
{
selectedDialect = DialectRevision.Smb2Unknown;
}
this.NegotiateResponse(status, selectedDialect);
testConfig.CheckNegotiateContext(negotiateRequest, negotiateResponse);
}
catch
{
}
}
/// <summary>
/// This method will send ComNegotiate request before sending a Negotiate request to simulate windows client behaviour.
/// If ComNegotiate failed, the Negotiate request will still be sent.
/// </summary>
public uint MultiProtocolNegotiate(
Smb2Client client,
ushort creditCharge,
ushort creditRequest,
Packet_Header_Flags_Values flags,
ulong messageId,
DialectRevision[] dialects,
SecurityMode_Values securityMode,
Capabilities_Values capabilities,
Guid clientGuid,
out DialectRevision selectedDialect,
out byte[] gssToken,
out Packet_Header responseHeader,
out NEGOTIATE_Response responsePayload)
{
uint status = client.MultiProtocolNegotiate(
new string[] { "SMB 2.002", "SMB 2.???" },
out selectedDialect,
out gssToken,
out responseHeader,
out responsePayload);
if (responseHeader.Status != Smb2Status.STATUS_SUCCESS)
{
LogFailedStatus("ComNegotiate", responseHeader.Status);
}
// If server only supports Smb2002, no further SMB2 negotiate needed
if (selectedDialect == DialectRevision.Smb2002)
{
return status;
}
PreauthIntegrityHashID[] preauthHashAlgs = null;
EncryptionAlgorithm[] encryptionAlgs = null;
// For back compatibility, if dialects contains SMB 3.11, preauthentication integrity context should be present.
if (Array.IndexOf(dialects, DialectRevision.Smb311) >= 0)
{
preauthHashAlgs = new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 };
encryptionAlgs = new EncryptionAlgorithm[] {
EncryptionAlgorithm.ENCRYPTION_AES128_GCM,
EncryptionAlgorithm.ENCRYPTION_AES128_CCM };
}
status = client.Negotiate(
creditCharge,
creditRequest,
flags,
messageId,
dialects,
securityMode,
capabilities,
clientGuid,
out selectedDialect,
out gssToken,
out responseHeader,
out responsePayload,
0,
preauthHashAlgs,
encryptionAlgs);
return status;
}
private void FetchSmb2CompressionInfo(Smb2Info smb2Info)
{
if (smb2Info.MaxSupportedDialectRevision < DialectRevision.Smb311)
{
logWriter.AddLog(LogLevel.Information, "SMB dialect less than 3.1.1 does not support compression.");
smb2Info.SupportedCompressionAlgorithms = new CompressionAlgorithm[0];
smb2Info.IsChainedCompressionSupported = false;
return;
}
var allCompressionAlogrithms = Enum.GetValues(typeof(CompressionAlgorithm)).Cast <CompressionAlgorithm>().ToArray();
var possibleCompressionAlogrithms = Smb2Utility.GetSupportedPatternScanningAlgorithms(allCompressionAlogrithms).Concat(Smb2Utility.GetSupportedCompressionAlgorithms(allCompressionAlogrithms));
// Iterate all possible compression algorithm for Windows will only return only one supported compression algorithm in response.
var result = possibleCompressionAlogrithms.Where(compressionAlgorithm =>
{
using (var client = new Smb2Client(new TimeSpan(0, 0, defaultTimeoutInSeconds)))
{
client.ConnectOverTCP(SUTIpAddress);
DialectRevision selectedDialect;
byte[] gssToken;
Packet_Header responseHeader;
NEGOTIATE_Response responsePayload;
uint status = client.Negotiate(
0,
1,
Packet_Header_Flags_Values.NONE,
0,
new DialectRevision[] { DialectRevision.Smb311 },
SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED,
Capabilities_Values.NONE,
Guid.NewGuid(),
out selectedDialect,
out gssToken,
out responseHeader,
out responsePayload,
preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 },
compressionAlgorithms: new CompressionAlgorithm[] { compressionAlgorithm }
);
if (status == Smb2Status.STATUS_SUCCESS && client.CompressionInfo.CompressionIds.Length == 1 && client.CompressionInfo.CompressionIds[0] == compressionAlgorithm)
{
logWriter.AddLog(LogLevel.Information, $"Compression algorithm: {compressionAlgorithm} is supported by SUT.");
return(true);
}
else
{
logWriter.AddLog(LogLevel.Information, $"Compression algorithm: {compressionAlgorithm} is not supported by SUT.");
return(false);
}
}
});
smb2Info.SupportedCompressionAlgorithms = result.ToArray();
// Check for chained compression support
using (var client = new Smb2Client(new TimeSpan(0, 0, defaultTimeoutInSeconds)))
{
client.ConnectOverTCP(SUTIpAddress);
DialectRevision selectedDialect;
byte[] gssToken;
Packet_Header responseHeader;
NEGOTIATE_Response responsePayload;
uint status = client.Negotiate(
0,
1,
Packet_Header_Flags_Values.NONE,
0,
new DialectRevision[] { DialectRevision.Smb311 },
SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED,
Capabilities_Values.NONE,
Guid.NewGuid(),
out selectedDialect,
out gssToken,
out responseHeader,
out responsePayload,
preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 },
compressionAlgorithms: possibleCompressionAlogrithms.ToArray(),
compressionFlags: SMB2_COMPRESSION_CAPABILITIES_Flags.SMB2_COMPRESSION_CAPABILITIES_FLAG_CHAINED
);
if (status == Smb2Status.STATUS_SUCCESS && client.CompressionInfo.SupportChainedCompression)
{
logWriter.AddLog(LogLevel.Information, "Chained compression is supported by SUT.");
smb2Info.IsChainedCompressionSupported = true;
}
else
{
logWriter.AddLog(LogLevel.Information, "Chained compression is not supported by SUT.");
smb2Info.IsChainedCompressionSupported = false;
}
}
}
private bool DetectAP(DomainInfo domain, Server ap, KerberosDetector detector)
{
logWriter.AddLog(string.Format("===== Detect Application Server in Domain {0} =====", domain.Name), LogLevel.Normal);
string hostname = ap.FQDN;
IPAddress ip = IPAddress.Loopback;
try
{
var hostentry = Dns.GetHostEntry(hostname);
ip = hostentry.AddressList[0];
ap.IPv4 = ip.ToString();
string computerName = hostentry.HostName;
string machineName = computerName.Split('.')[0];
ap.FQDN = ServerHelper.GetAccountAttribute(machineName, "Computers", "dNSHostName", domain.Name, domain.Admin, domain.AdminPassword);
ap.IsWindows = detector.FetchPlatformInfo(computerName);
}
catch
{
logWriter.AddLog("Failed", LogLevel.Normal, false, LogStyle.StepFailed);
logWriter.AddLineToLog(LogLevel.Advanced);
return false;
}
if (ap.FQDN == null)
{
logWriter.AddLog("Failed", LogLevel.Normal, false, LogStyle.StepFailed);
logWriter.AddLineToLog(LogLevel.Advanced);
return false;
}
string[] tempArray = ap.FQDN.Split('.');
ap.ComputerName = tempArray[0];
try
{
ap.NetBIOS = ServerHelper.GetAccountAttribute(ap.ComputerName, "Computers", "sAMAccountName", domain.Name, domain.Admin, domain.AdminPassword);//DC01$: NetBIOS name
ap.DefaultServiceName = "host/" + ap.FQDN.ToLower();
ap.ServiceSalt = domain.Name.ToUpper() + "host" + ap.FQDN.ToLower();
ap.smb2Service.SMB2ServiceName = "cifs/" + ap.FQDN.ToLower();
}
catch
{
logWriter.AddLog("Failed", LogLevel.Normal, false, LogStyle.StepFailed);
logWriter.AddLineToLog(LogLevel.Advanced);
return false;
}
try
{
if (detectionInfo.HasSmbServer)
{
//get smb dialect
Smb2Client clientForInitialOpen = new Smb2Client(new TimeSpan(0, 0, 15));
byte[] gssToken;
Packet_Header header;
try
{
clientForInitialOpen.ConnectOverTCP(ip);
NEGOTIATE_Response negotiateResp;
DialectRevision connection_Dialect = DialectRevision.Smb2Unknown;
DialectRevision[] requestDialect = new DialectRevision[] { DialectRevision.Smb2002, DialectRevision.Smb21, DialectRevision.Smb30, DialectRevision.Smb302 };
ulong messageId = 0;
uint status = clientForInitialOpen.Negotiate(
1,
1,
Packet_Header_Flags_Values.NONE,
messageId++,
requestDialect,
SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED,
Capabilities_Values.GLOBAL_CAP_DFS | Capabilities_Values.GLOBAL_CAP_LEASING | Capabilities_Values.GLOBAL_CAP_LARGE_MTU,
Guid.NewGuid(),
out connection_Dialect,
out gssToken,
out header,
out negotiateResp);
if (header.Status != Smb2Status.STATUS_SUCCESS)
{
logWriter.AddLog("Failed", LogLevel.Normal, false, LogStyle.StepFailed);
logWriter.AddLineToLog(LogLevel.Advanced);
return false;
}
else
{
ap.smb2Service.SMB2Dialect = connection_Dialect.ToString();
}
}
catch
{
logWriter.AddLog("Failed", LogLevel.Normal, false, LogStyle.StepFailed);
logWriter.AddLineToLog(LogLevel.Advanced);
return false;
}
//detect smb share
string[] shareList = ServerHelper.EnumShares(ap.IPv4, domain.Admin, domain.Name, domain.AdminPassword);
if (shareList.Length > 0)
{
//only get the first one as default value
//can ptftool support add more choices?
for (int i = 0; i < shareList.Length; i++)
{
if (shareList[i].Substring(shareList[i].Length - 1, 1) != "$")
{
ap.smb2Service.DACShare = shareList[i];
ap.smb2Service.CBACShare = shareList[i];
break;
}
}
}
else
{
ap.smb2Service.DACShare = string.Empty;
ap.smb2Service.CBACShare = string.Empty;
}
}
if (detectionInfo.HasHttpServer)
{
//detect http server
ap.httpService.HttpServiceName = "http/" + ap.FQDN.ToLower();
try
{
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://" + ap.FQDN);
request.Credentials = new NetworkCredential(domain.Admin + "@" + domain.Name, domain.AdminPassword);
WebResponse response = request.GetResponse();
ap.httpService.Uri = response.ResponseUri.OriginalString;
}
catch
{
ap.httpService.Uri = string.Empty;
}
}
}
catch
{
logWriter.AddLog("Failed", LogLevel.Normal, false, LogStyle.StepFailed);
logWriter.AddLineToLog(LogLevel.Advanced);
return false;
}
logWriter.AddLog("Success", LogLevel.Normal, false, LogStyle.StepPassed);
logWriter.AddLineToLog(LogLevel.Advanced);
return true;
}
private void FetchSmb2EncryptionInfo(Smb2Info smb2Info)
{
EncryptionAlgorithm[] excludedEncryptionAlogrithms;
if (smb2Info.MaxSupportedDialectRevision < DialectRevision.Smb311)
{
excludedEncryptionAlogrithms = new EncryptionAlgorithm[]
{
EncryptionAlgorithm.ENCRYPTION_NONE,
EncryptionAlgorithm.ENCRYPTION_INVALID,
EncryptionAlgorithm.ENCRYPTION_AES256_CCM,
EncryptionAlgorithm.ENCRYPTION_AES256_GCM
};
}
else
{
excludedEncryptionAlogrithms = new EncryptionAlgorithm[]
{
EncryptionAlgorithm.ENCRYPTION_NONE,
EncryptionAlgorithm.ENCRYPTION_INVALID
};
}
var possibleEncryptionAlogrithms = Enum.GetValues(typeof(EncryptionAlgorithm)).Cast <EncryptionAlgorithm>().Except(excludedEncryptionAlogrithms);
logWriter.AddLog(DetectLogLevel.Information, $"Available EncryptionAlgorithms ==> {String.Join(";", possibleEncryptionAlogrithms.Select(encryptionAlgorithm => encryptionAlgorithm.ToString()))}");
// Iterate all the possible encryption algorithms since we get back only one encryption algorithm in response.
var result = possibleEncryptionAlogrithms.Where(encryptionAlgorithm =>
{
using (var client = new Smb2Client(new TimeSpan(0, 0, defaultTimeoutInSeconds)))
{
client.ConnectOverTCP(SUTIpAddress);
DialectRevision selectedDialect;
byte[] gssToken;
Packet_Header responseHeader;
NEGOTIATE_Response responsePayload;
uint status = client.Negotiate(
0,
1,
Packet_Header_Flags_Values.NONE,
0,
new DialectRevision[] { DialectRevision.Smb311 },
SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED,
Capabilities_Values.NONE,
Guid.NewGuid(),
out selectedDialect,
out gssToken,
out responseHeader,
out responsePayload,
preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 },
encryptionAlgs: new EncryptionAlgorithm[] { encryptionAlgorithm }
);
if (status == Smb2Status.STATUS_SUCCESS && client.SelectedCipherID == encryptionAlgorithm)
{
logWriter.AddLog(DetectLogLevel.Information, $"Encryption algorithm: {encryptionAlgorithm} is supported by SUT.");
return(true);
}
else
{
logWriter.AddLog(DetectLogLevel.Information, $"Encryption algorithm: {encryptionAlgorithm} is not supported by SUT.");
return(false);
}
}
});
smb2Info.SutSupportedEncryptionAlgorithms = result.ToArray();
}
private bool UserLogon(DetectionInfo info, Smb2Client client, out ulong messageId, out ulong sessionId, out Guid clientGuid, out NEGOTIATE_Response negotiateResp)
{
messageId = 0;
sessionId = 0;
client.ConnectOverTCP(Dns.GetHostAddresses(info.ContentServerName)[0]);
#region Negotiate
DialectRevision selectedDialect;
byte[] gssToken;
Packet_Header header;
clientGuid = Guid.NewGuid();
client.Negotiate(
1,
1,
Packet_Header_Flags_Values.NONE,
messageId++,
new DialectRevision[] { DialectRevision.Smb30 },
SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED,
Capabilities_Values.GLOBAL_CAP_DFS | Capabilities_Values.GLOBAL_CAP_DIRECTORY_LEASING | Capabilities_Values.GLOBAL_CAP_LARGE_MTU | Capabilities_Values.GLOBAL_CAP_LEASING | Capabilities_Values.GLOBAL_CAP_MULTI_CHANNEL | Capabilities_Values.GLOBAL_CAP_PERSISTENT_HANDLES,
clientGuid,
out selectedDialect,
out gssToken,
out header,
out negotiateResp);
if (header.Status != Smb2Status.STATUS_SUCCESS)
{
LogFailedStatus("NEGOTIATE", header.Status);
throw new Exception(string.Format("NEGOTIATE failed with {0}", Smb2Status.GetStatusCode(header.Status)));
}
#endregion
#region Session Setup
SESSION_SETUP_Response sessionSetupResp;
SspiClientSecurityContext sspiClientGss =
new SspiClientSecurityContext(
SecurityPackageType,
Credential,
Smb2Utility.GetCifsServicePrincipalName(ContentServerName),
ClientSecurityContextAttribute.None,
SecurityTargetDataRepresentation.SecurityNativeDrep);
// Server GSS token is used only for Negotiate authentication when enabled
if (SecurityPackageType == SecurityPackageType.Negotiate)
{
sspiClientGss.Initialize(gssToken);
}
else
{
sspiClientGss.Initialize(null);
}
do
{
client.SessionSetup(
1,
64,
Packet_Header_Flags_Values.NONE,
messageId++,
sessionId,
SESSION_SETUP_Request_Flags.NONE,
SESSION_SETUP_Request_SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED,
SESSION_SETUP_Request_Capabilities_Values.GLOBAL_CAP_DFS,
0,
sspiClientGss.Token,
out sessionId,
out gssToken,
out header,
out sessionSetupResp);
if ((header.Status == Smb2Status.STATUS_MORE_PROCESSING_REQUIRED || header.Status == Smb2Status.STATUS_SUCCESS) && gssToken != null && gssToken.Length > 0)
{
sspiClientGss.Initialize(gssToken);
}
} while (header.Status == Smb2Status.STATUS_MORE_PROCESSING_REQUIRED);
if (header.Status != Smb2Status.STATUS_SUCCESS)
{
LogFailedStatus("SESSIONSETUP", header.Status);
throw new Exception(string.Format("SESSIONSETUP failed with {0}", Smb2Status.GetStatusCode(header.Status)));
}
byte[] sessionKey;
sessionKey = sspiClientGss.SessionKey;
client.GenerateCryptoKeys(sessionId, sessionKey, true, false, null, false);
#endregion
return(true);
}
