public Type3Message(Type2Message type2, Version osVersion, NtlmAuthLevel level, string userName, string password, string host, NtlmFixes fixes = NtlmFixes.None) : base(3)
{
this.type2 = type2;
this.fixes = fixes;
challenge = type2.Nonce;
Domain = type2.TargetName;
OSVersion = osVersion;
Username = userName;
Password = password;
Level = level;
Host = host;
Flags = 0;
if (osVersion != null)
{
Flags |= NtlmFlags.NegotiateVersion;
}
if ((type2.Flags & NtlmFlags.NegotiateUnicode) != 0)
{
Flags |= NtlmFlags.NegotiateUnicode;
}
else
{
Flags |= NtlmFlags.NegotiateOem;
}
if ((type2.Flags & NtlmFlags.NegotiateNtlm) != 0)
{
Flags |= NtlmFlags.NegotiateNtlm;
}
if ((type2.Flags & NtlmFlags.NegotiateNtlm2Key) != 0)
{
Flags |= NtlmFlags.NegotiateNtlm2Key;
}
if ((type2.Flags & NtlmFlags.NegotiateTargetInfo) != 0)
{
Flags |= NtlmFlags.NegotiateTargetInfo;
}
if ((type2.Flags & NtlmFlags.RequestTarget) != 0)
{
Flags |= NtlmFlags.RequestTarget;
}
}
public static void Compute(Type2Message type2, NtlmAuthLevel level, string username, string password, string domain, out byte[] lm, out byte[] ntlm, NtlmFixes fixes)
{
lm = null;
switch (level)
{
case NtlmAuthLevel.LM_and_NTLM:
lm = ComputeLM(password, type2.Nonce);
ntlm = ComputeNtlm(password, type2.Nonce);
break;
case NtlmAuthLevel.LM_and_NTLM_and_try_NTLMv2_Session:
if ((type2.Flags & NtlmFlags.NegotiateNtlm2Key) == 0)
{
goto case NtlmAuthLevel.LM_and_NTLM;
}
ComputeNtlmV2Session(password, type2.Nonce, out lm, out ntlm);
break;
case NtlmAuthLevel.NTLM_only:
if ((type2.Flags & NtlmFlags.NegotiateNtlm2Key) != 0)
{
ComputeNtlmV2Session(password, type2.Nonce, out lm, out ntlm);
}
else
{
ntlm = ComputeNtlm(password, type2.Nonce);
}
break;
case NtlmAuthLevel.NTLMv2_only:
ntlm = ComputeNtlmV2(type2, username, password, domain, fixes);
if (type2.TargetInfo.Timestamp != 0 && (fixes & NtlmFixes.NTLMv2IncludeZ24) != 0)
{
lm = new byte[24];
}
break;
default:
throw new InvalidOperationException();
}
}
static byte[] ComputeNtlmV2(Type2Message type2, string username, string password, string domain, NtlmFixes fixes)
{
var ntlm_hash = ComputeNtlmPassword(password);
var ubytes = Encoding.Unicode.GetBytes(username.ToUpperInvariant());
var tbytes = Encoding.Unicode.GetBytes(domain);
var bytes = new byte[ubytes.Length + tbytes.Length];
ubytes.CopyTo(bytes, 0);
Array.Copy(tbytes, 0, bytes, ubytes.Length, tbytes.Length);
byte[] ntlm_v2_hash;
using (var md5 = new HMACMD5(ntlm_hash))
ntlm_v2_hash = md5.ComputeHash(bytes);
Array.Clear(ntlm_hash, 0, ntlm_hash.Length);
using (var md5 = new HMACMD5(ntlm_v2_hash)) {
var timestamp = DateTime.Now.Ticks - 504911232000000000;
var nonce = new byte[8];
if (type2.TargetInfo?.Timestamp != 0 && (fixes & NtlmFixes.NTLMv2UseTargetInfoTimestamp) != 0)
{
timestamp = type2.TargetInfo.Timestamp;
}
using (var rng = RandomNumberGenerator.Create())
rng.GetBytes(nonce);
var targetInfo = type2.EncodedTargetInfo;
var blob = new byte[28 + targetInfo.Length];
blob[0] = 0x01;
blob[1] = 0x01;
Buffer.BlockCopy(BitConverterLE.GetBytes(timestamp), 0, blob, 8, 8);
Buffer.BlockCopy(nonce, 0, blob, 16, 8);
Buffer.BlockCopy(targetInfo, 0, blob, 28, targetInfo.Length);
var challenge = type2.Nonce;
var hashInput = new byte[challenge.Length + blob.Length];
challenge.CopyTo(hashInput, 0);
blob.CopyTo(hashInput, challenge.Length);
var blobHash = md5.ComputeHash(hashInput);
var response = new byte[blob.Length + blobHash.Length];
blobHash.CopyTo(response, 0);
blob.CopyTo(response, blobHash.Length);
Array.Clear(ntlm_v2_hash, 0, ntlm_v2_hash.Length);
Array.Clear(hashInput, 0, hashInput.Length);
Array.Clear(blobHash, 0, blobHash.Length);
Array.Clear(nonce, 0, nonce.Length);
Array.Clear(blob, 0, blob.Length);
return(response);
}
}
