예제 #1
0
        internal static void process_authreq(RdpPacket data)
        {
            byte[] destinationArray = new byte[10];
            byte[] outData          = new byte[10];
            byte[] buffer3          = new byte[20];
            byte[] buffer4          = new byte[30];
            byte[] signature        = new byte[0x10];
            RC4    rc = new RC4();

            byte[] buffer6 = null;
            if (!parse_authreq(data))
            {
                throw new RDFatalException("Authentication request is incorrect!");
            }
            Array.Copy(RDPClient.m_In_Token, 0, destinationArray, 0, 10);
            buffer6 = new byte[RDPClient.m_LicenceKey.Length];
            Array.Copy(RDPClient.m_LicenceKey, 0, buffer6, 0, RDPClient.m_LicenceKey.Length);
            rc.engineInitDecrypt(buffer6);
            rc.crypt(RDPClient.m_In_Token, 0, 10, outData, 0);
            byte[] sourceArray = generate_hwid();
            Array.Copy(outData, 0, buffer4, 0, 10);
            Array.Copy(sourceArray, 0, buffer4, 10, 20);
            signature = Secure.sign(RDPClient.m_Licence_Sign_Key, 0x10, 0x10, buffer4, buffer4.Length);
            Array.Copy(RDPClient.m_LicenceKey, 0, buffer6, 0, RDPClient.m_LicenceKey.Length);
            rc.engineInitEncrypt(buffer6);
            rc.crypt(sourceArray, 0, 20, buffer3, 0);
            send_authresp(destinationArray, buffer3, signature);
        }
예제 #2
0
        internal static byte[] update(byte[] key, byte[] update_key)
        {
            byte[]       buffer           = new byte[20];
            byte[]       destinationArray = new byte[m_KeyLength];
            byte[]       sourceArray      = new byte[key.Length];
            MemoryStream stream           = new MemoryStream();

            stream.Write(update_key, 0, m_KeyLength);
            stream.Write(m_Pad_54, 0, 40);
            stream.Write(key, 0, m_KeyLength);
            stream.Position = 0L;
            buffer          = SHA1.ComputeHash(stream);
            stream          = new MemoryStream();
            stream.Write(update_key, 0, m_KeyLength);
            stream.Write(m_Pad_92, 0, 0x30);
            stream.Write(buffer, 0, 20);
            stream.Position = 0L;
            sourceArray     = global::MD5.ComputeHash(stream);
            Array.Copy(sourceArray, 0, destinationArray, 0, m_KeyLength);
            RC4 rc = new RC4();

            rc.engineInitDecrypt(destinationArray);
            sourceArray = rc.crypt(sourceArray, 0, m_KeyLength);
            if (m_KeyLength == 8)
            {
                Sign.make40bit(sourceArray);
            }
            return(sourceArray);
        }
예제 #3
0
 private void InitSignKeys(byte[] exportedSessionKey)
 {
     byte[] bytes    = ASCIIEncoding.GetBytes("session key to client-to-server signing key magic constant\0");
     byte[] constant = ASCIIEncoding.GetBytes("session key to client-to-server sealing key magic constant\0");
     byte[] buffer3  = ASCIIEncoding.GetBytes("session key to server-to-client signing key magic constant\0");
     byte[] buffer4  = ASCIIEncoding.GetBytes("session key to server-to-client sealing key magic constant\0");
     this.ClientSigningKey   = GenerateSignKey(exportedSessionKey, bytes);
     this.ServerSigningKey   = GenerateSignKey(exportedSessionKey, buffer3);
     this.ClientSealingKey   = GenerateSealKey(exportedSessionKey, constant);
     this.ServerSealingKey   = GenerateSealKey(exportedSessionKey, buffer4);
     this.m_ClientSealingRC4 = new RC4();
     this.m_ClientSealingRC4.engineInitEncrypt(this.ClientSealingKey);
     this.m_ServerSealingRC4 = new RC4();
     this.m_ServerSealingRC4.engineInitDecrypt(this.ServerSealingKey);
     this.m_SigningSequenceNum = this.m_ReceiveSequenceNum = 0;
 }
예제 #4
0
        internal static void process_issue(RdpPacket data)
        {
            int count = 0;
            RC4 rc    = new RC4();

            byte[] destinationArray = new byte[RDPClient.m_LicenceKey.Length];
            Array.Copy(RDPClient.m_LicenceKey, 0, destinationArray, 0, RDPClient.m_LicenceKey.Length);
            data.getLittleEndian16();
            count = data.getLittleEndian16();
            if ((data.Position + count) <= data.Length)
            {
                rc.engineInitDecrypt(destinationArray);
                byte[] buffer = new byte[count];
                data.Read(buffer, 0, count);
                rc.crypt(buffer, 0, count, buffer, 0);
            }
        }
예제 #5
0
        private static byte[] MakeSignature(RC4 SealKey, byte[] SignKey, byte[] message, ref uint sequenceNum)
        {
            HMACT64 hmact = new HMACT64(SignKey);

            byte[] bytes = BitConverter.GetBytes(sequenceNum++);
            hmact.update(bytes);
            hmact.update(message);
            byte[]      data       = hmact.digest();
            byte[]      collection = SealKey.crypt(data, 0, 8);
            List <byte> list       = new List <byte> {
                1, 0, 0, 0
            };

            list.AddRange(collection);
            list.AddRange(bytes);
            return(list.ToArray());
        }
예제 #6
0
        // Инициализация данных
        private void Init(int sec1, int sec2)
        {
            // Поля безопасности
            StaticSettings.SecureValue1 = sec1;
            StaticSettings.SecureValue2 = sec2;

            // Мои настройки
            FullXP             = false;
            GoodAuth           = false;
            UseAltChecker      = false;
            NeedChangePassword = false;

            // Options
            enableFastPathOutput = false;
            BoundsBottom         = (height - 1);
            BoundsRight          = (width - 1);
            m_server_bpp         = 8;
            width  = 1024;
            height = 768;

            // ControlFlow
            rdp_shareid = 0;

            // Network
            m_bSSLConnection   = false;
            m_bConnectionAlive = false;
            m_ConnectionStage  = RDPClient.eConnectionStage.None;
            m_Logger           = null;

            // Secure
            readCert        = false;
            modulus_size    = StaticSettings.SecureValue1;
            dec_count       = 0;
            enc_count       = 0;
            m_Client_Random = new byte[] {
                0, 0xff, 30, 0x37, 0x4d, 0x16, 0xd4, 0x20, 0x61, 0x2d, 0, 0, 0, 0, 0, 0,
                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
            };
            _r                       = new byte[StaticSettings.SecureValue2];
            m_RC4_Dec                = new RC4();
            m_RC4_Enc                = new RC4();
            m_Sec_Crypted_Random     = new byte[StaticSettings.SecureValue1];
            m_Sec_Decrypt_Update_Key = new byte[StaticSettings.SecureValue2];
            m_Sec_Sign_Key           = new byte[StaticSettings.SecureValue2];

            // ASN1
            m_Fixup = new Dictionary <string, ASN1.Fixup>();

            // Channels
            m_Channels = new List <IVirtualChannel>();

            // License
            m_bLicensed        = false;
            m_Licence_Sign_Key = new byte[StaticSettings.SecureValue2];
            m_LicenceKey       = new byte[StaticSettings.SecureValue2];
            m_Server_Random    = new byte[0x20];

            // ControlFlow
            m_bInitialised           = false;
            m_bServerSupportsCacheV2 = false;

            // Rdp
            timeoutTimer         = new System.Timers.Timer();
            m_bExceptionReported = false;
            m_bHalt      = false;
            m_InputCache = new List <Rdp.InputInfo>();

            // ISO
            lastchannel = 0;

            // Channels
            m_Channels = new List <IVirtualChannel>();

            // CredSSP
            m_bAuthenticated = false;

            // NTLM
            NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x8000;
            NTLMSSP_NEGOTIATE_ANONYMOUS   = 0x800;
            NTLMSSP_NEGOTIATE_DATAGRAM    = (uint)StaticSettings.SecureValue1;
            NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY = 0x80000;
            NTLMSSP_NEGOTIATE_IDENTIFY                 = 0x100000;
            NTLMSSP_NEGOTIATE_LM_KEY                   = 0x80;
            NTLMSSP_NEGOTIATE_NTLM                     = 0x200;
            NTLMSSP_NEGOTIATE_OEM                      = 2;
            NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED      = 0x1000;
            NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x2000;
            NTLMSSP_NEGOTIATE_SEAL                     = 0x20;
            NTLMSSP_NEGOTIATE_SIGN                     = (uint)StaticSettings.SecureValue2;
            NTLMSSP_REQUEST_NON_NT_SESSION_KEY         = 0x400000;
            NTLMSSP_REQUEST_TARGET                     = 4;
            NTLMSSP_TARGET_TYPE_DOMAIN                 = 0x10000;
            NTLMSSP_TARGET_TYPE_SERVER                 = 0x20000;
            NTLMSSP_NEGOTIATE_UNICODE                  = 1;
        }
예제 #7
0
        public byte[] ProcessChallenge(byte[] Challenge)
        {
            byte[]    bytes;
            RdpPacket packet = new RdpPacket();

            this.m_ChallengeMsg = Challenge;
            packet.Write(Challenge, 0, Challenge.Length);
            packet.Position = 0L;
            long position = packet.Position;

            if (packet.ReadString(8) != "NTLMSSP\0")
            {
                throw new Exception("Invalid negotiation token!");
            }
            if (packet.getLittleEndian32() != 2)
            {
                throw new Exception("Expected challenge!");
            }
            int count = packet.getLittleEndian16();

            packet.getLittleEndian16();
            int  num4  = packet.getLittleEndian32();
            uint flags = (uint)packet.getLittleEndian32();

            DumpFlags(flags);
            byte[] buffer = new byte[8];
            packet.Read(buffer, 0, 8);
            byte[] buffer2 = new byte[8];
            packet.Read(buffer2, 0, 8);
            int num5 = packet.getLittleEndian16();

            packet.getLittleEndian16();
            int num6 = packet.getLittleEndian32();

            if ((flags & 0x2000000) != 0)
            {
                byte[] buffer3 = new byte[8];
                packet.Read(buffer3, 0, 8);
            }
            if ((flags & 0x20000000) == 0)
            {
                throw new Exception("Strong Encryption not supported by server");
            }
            byte[] buffer4 = null;
            if (count > 0)
            {
                buffer4         = new byte[count];
                packet.Position = position + num4;
                packet.Read(buffer4, 0, count);
                Encoding.Unicode.GetString(buffer4, 0, buffer4.Length);
            }
            AV_PAIRS av_pairs = new AV_PAIRS();

            byte[] buffer5 = null;
            if (num5 <= 0)
            {
                throw new Exception("No TargetInfo!");
            }
            packet.Position = position + num6;
            buffer5         = new byte[num5];
            packet.Read(buffer5, 0, num5);
            packet = new RdpPacket();
            packet.Write(buffer5, 0, buffer5.Length);
            packet.Position = 0L;
            av_pairs.Parse(packet);
            byte[] data = nTOWFv2(this.m_sDomain, this.m_sUsername, this.m_sPassword);
            m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ResponseKeyNT, data);
            byte[] blob = new byte[8];
            RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();

            provider.GetBytes(blob);
            m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ClientChallenge, blob);
            byte[] buffer8 = getLMv2Response(data, buffer, blob);
            if (this.m_bNTLMv2)
            {
                Array.Clear(buffer8, 0, buffer8.Length);
            }
            bool bGenerateMIC = false;

            if ((av_pairs.Timestamp.length <= 0) || !this.m_bNTLMv2)
            {
                bytes = BitConverter.GetBytes(DateTime.UtcNow.ToFileTimeUtc());
            }
            else
            {
                bytes        = av_pairs.Timestamp.value;
                bGenerateMIC = true;
                av_pairs.ProcessForNTLMv2();
                buffer5 = av_pairs.Serialise();
            }
            byte[] keyExchangeKey = null;
            byte[] buffer11       = getNTLMv2Response(data, buffer, blob, bytes, buffer5, out keyExchangeKey);
            m_Socket.AddBlob(PacketLogger.PacketType.NTLM_KeyExchangeKey, keyExchangeKey);
            byte[] encryptedRandomSessionKey = null;
            byte[] buffer13 = null;
            buffer13 = new byte[0x10];
            provider.GetBytes(buffer13);
            m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ExportedSessionKey, buffer13);
            encryptedRandomSessionKey = new byte[0x10];
            RC4 rc = new RC4();

            rc.engineInitEncrypt(keyExchangeKey);
            encryptedRandomSessionKey = rc.crypt(buffer13);
            if ((flags & 0x40000000) == 0)
            {
                encryptedRandomSessionKey = new byte[0];
                buffer13 = keyExchangeKey;
            }
            this.InitSignKeys(buffer13);
            return(this.Authenticate(buffer8, buffer11, this.m_sDomain, this.m_sUsername, this.m_sWorkstation, encryptedRandomSessionKey, buffer13, bGenerateMIC));
        }