public Type3Message(Type2Message type2, Version osVersion, NtlmAuthLevel level, string userName, string password, string host, NtlmFixes fixes = NtlmFixes.None) : base(3) { this.type2 = type2; this.fixes = fixes; challenge = type2.Nonce; Domain = type2.TargetName; OSVersion = osVersion; Username = userName; Password = password; Level = level; Host = host; Flags = 0; if (osVersion != null) { Flags |= NtlmFlags.NegotiateVersion; } if ((type2.Flags & NtlmFlags.NegotiateUnicode) != 0) { Flags |= NtlmFlags.NegotiateUnicode; } else { Flags |= NtlmFlags.NegotiateOem; } if ((type2.Flags & NtlmFlags.NegotiateNtlm) != 0) { Flags |= NtlmFlags.NegotiateNtlm; } if ((type2.Flags & NtlmFlags.NegotiateNtlm2Key) != 0) { Flags |= NtlmFlags.NegotiateNtlm2Key; } if ((type2.Flags & NtlmFlags.NegotiateTargetInfo) != 0) { Flags |= NtlmFlags.NegotiateTargetInfo; } if ((type2.Flags & NtlmFlags.RequestTarget) != 0) { Flags |= NtlmFlags.RequestTarget; } }
public static void Compute(Type2Message type2, NtlmAuthLevel level, string username, string password, string domain, out byte[] lm, out byte[] ntlm, NtlmFixes fixes) { lm = null; switch (level) { case NtlmAuthLevel.LM_and_NTLM: lm = ComputeLM(password, type2.Nonce); ntlm = ComputeNtlm(password, type2.Nonce); break; case NtlmAuthLevel.LM_and_NTLM_and_try_NTLMv2_Session: if ((type2.Flags & NtlmFlags.NegotiateNtlm2Key) == 0) { goto case NtlmAuthLevel.LM_and_NTLM; } ComputeNtlmV2Session(password, type2.Nonce, out lm, out ntlm); break; case NtlmAuthLevel.NTLM_only: if ((type2.Flags & NtlmFlags.NegotiateNtlm2Key) != 0) { ComputeNtlmV2Session(password, type2.Nonce, out lm, out ntlm); } else { ntlm = ComputeNtlm(password, type2.Nonce); } break; case NtlmAuthLevel.NTLMv2_only: ntlm = ComputeNtlmV2(type2, username, password, domain, fixes); if (type2.TargetInfo.Timestamp != 0 && (fixes & NtlmFixes.NTLMv2IncludeZ24) != 0) { lm = new byte[24]; } break; default: throw new InvalidOperationException(); } }
static byte[] ComputeNtlmV2(Type2Message type2, string username, string password, string domain, NtlmFixes fixes) { var ntlm_hash = ComputeNtlmPassword(password); var ubytes = Encoding.Unicode.GetBytes(username.ToUpperInvariant()); var tbytes = Encoding.Unicode.GetBytes(domain); var bytes = new byte[ubytes.Length + tbytes.Length]; ubytes.CopyTo(bytes, 0); Array.Copy(tbytes, 0, bytes, ubytes.Length, tbytes.Length); byte[] ntlm_v2_hash; using (var md5 = new HMACMD5(ntlm_hash)) ntlm_v2_hash = md5.ComputeHash(bytes); Array.Clear(ntlm_hash, 0, ntlm_hash.Length); using (var md5 = new HMACMD5(ntlm_v2_hash)) { var timestamp = DateTime.Now.Ticks - 504911232000000000; var nonce = new byte[8]; if (type2.TargetInfo?.Timestamp != 0 && (fixes & NtlmFixes.NTLMv2UseTargetInfoTimestamp) != 0) { timestamp = type2.TargetInfo.Timestamp; } using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce); var targetInfo = type2.EncodedTargetInfo; var blob = new byte[28 + targetInfo.Length]; blob[0] = 0x01; blob[1] = 0x01; Buffer.BlockCopy(BitConverterLE.GetBytes(timestamp), 0, blob, 8, 8); Buffer.BlockCopy(nonce, 0, blob, 16, 8); Buffer.BlockCopy(targetInfo, 0, blob, 28, targetInfo.Length); var challenge = type2.Nonce; var hashInput = new byte[challenge.Length + blob.Length]; challenge.CopyTo(hashInput, 0); blob.CopyTo(hashInput, challenge.Length); var blobHash = md5.ComputeHash(hashInput); var response = new byte[blob.Length + blobHash.Length]; blobHash.CopyTo(response, 0); blob.CopyTo(response, blobHash.Length); Array.Clear(ntlm_v2_hash, 0, ntlm_v2_hash.Length); Array.Clear(hashInput, 0, hashInput.Length); Array.Clear(blobHash, 0, blobHash.Length); Array.Clear(nonce, 0, nonce.Length); Array.Clear(blob, 0, blob.Length); return(response); } }