/// <summary> /// Encrypt a byte array. /// Many data in NRPC struct is required to be encrypted. /// </summary> /// <param name="isAesNegotiated"> /// Is AES negotiated during secure channel setup. /// If AES is not negotiated, use RC4 to encrypt. /// </param> /// <param name="sessionKey"> /// Session key. /// </param> /// <param name="buffer"> /// Buffer to encrypt. /// </param> /// <returns> /// Encrypted buffer. /// </returns> /// <exception cref="ArgumentNullException"> /// Thrown when sessionKey or buffer is null. /// </exception> /// <exception cref="ArgumentException"> /// Thrown when session key length is incorrect. /// </exception> public static byte[] EncryptBuffer( bool isAesNegotiated, byte[] sessionKey, byte[] buffer) { if (sessionKey == null) { throw new ArgumentNullException("sessionKey"); } if (buffer == null) { throw new ArgumentNullException("buffer"); } if (sessionKey.Length != NETLOGON_SESSION_KEY_LENGTH) { throw new ArgumentException("Session key length is incorrect.", "sessionKey"); } if (isAesNegotiated) { using (BCryptAlgorithm aes = new BCryptAlgorithm("AES")) { aes.Mode = BCryptCipherMode.CFB; aes.Key = sessionKey; aes.IV = new byte[aes.BlockSize]; return aes.Encrypt(buffer); } } else { using (RC4 rc4 = RC4.Create()) { rc4.Key = sessionKey; return rc4.CreateEncryptor().TransformFinalBlock(buffer, 0, buffer.Length); } } }
/// <summary> /// initial netlogon signature token when AES is negotiated /// </summary> /// <param name="sequenceNumber">sequence number</param> /// <param name="sessionKey">session key</param> /// <param name="requestConfidentiality">confidentiality is required or not</param> /// <param name="isClientSideOutbound">Is client side outbound message.</param> /// <param name="securityBuffers"> /// Security buffers, contains input plain-text; output cipher-text and signature. /// </param> private static void InitialNetlogonSignatureTokenWhenAesIsNegotiated( ref ulong sequenceNumber, byte[] sessionKey, bool requestConfidentiality, bool isClientSideOutbound, SecurityBuffer[] securityBuffers) { byte[] plainText; byte[] cipherText; byte[] token; NL_AUTH_SHA2_SIGNATURE nlAuthSha2Sign = new NL_AUTH_SHA2_SIGNATURE(); //The SignatureAlgorithm first byte MUST be set to 0x13, //and the second byte MUST be set to 0x00. nlAuthSha2Sign.SignatureAlgorithm = NL_AUTH_SHA2_SIGNATURE_SignatureAlgorithm_Values.HMACSHA256; if (requestConfidentiality) { //If the Confidentiality option (section 3.3.1) is //requested from the application, then the SealAlgorithm //first byte MUST be set to 0x1A, the second byte MUST //be set to 0x00, and the Confounder MUST be filled with //cryptographically random data. nlAuthSha2Sign.SealAlgorithm = NL_AUTH_SHA2_SIGNATURE_SealAlgorithm_Values.AES128; nlAuthSha2Sign.Confounder = GenerateNonce(NL_AUTH_SIGNATURE_CONFOUNDER_LENGTH); } else { //If the Confidentiality option (section 3.3.1) is not //requested, then the SealAlgorithm MUST be filled with //two bytes of 0xff, and the Confounder is not included in the token. nlAuthSha2Sign.SealAlgorithm = NL_AUTH_SHA2_SIGNATURE_SealAlgorithm_Values.NotEncrypted; nlAuthSha2Sign.Confounder = null; } //The Pad MUST be filled with 0xff bytes. nlAuthSha2Sign.Pad = NL_AUTH_SHA2_SIGNATURE_Pad_Values.V1; //The Flags MUST be filled with 0x00 bytes. nlAuthSha2Sign.Flags = Flags_Values.V1; //The SequenceNumber MUST be computed using the following algorithm. nlAuthSha2Sign.SequenceNumber = ComputeCopySequenceNumber(sequenceNumber, isClientSideOutbound); //The ClientSequenceNumber MUST be incremented by 1. sequenceNumber += 1; //Compute signature plainText = ConcatenateSecurityBuffersForChecksum(securityBuffers); nlAuthSha2Sign.Checksum = ComputeSignatureWhenAesIsNegotiated( nlAuthSha2Sign, sessionKey, requestConfidentiality, plainText); //If the Confidentiality option is requested, the data and the Confounder //field MUST be encrypted. If AES is negotiated then the server MUST use //the AES-128 algorithm using the SessionKey with an initialization //vector constructed by concatenating the sequence number with //itself twice (thus getting 16 bytes of data) if (requestConfidentiality) { byte[] aesEncryptionKey = ComputeEncryptionKeyWhenAesIsNegotiated(sessionKey); using (BCryptAlgorithm aes = new BCryptAlgorithm("AES")) { aes.Mode = BCryptCipherMode.CFB; aes.Key = aesEncryptionKey; aes.IV = ArrayUtility.ConcatenateArrays( nlAuthSha2Sign.SequenceNumber, nlAuthSha2Sign.SequenceNumber); nlAuthSha2Sign.Confounder = aes.Encrypt(nlAuthSha2Sign.Confounder); plainText = SspiUtility.ConcatenateReadWriteSecurityBuffers( securityBuffers, SecurityBufferType.Data); cipherText = aes.Encrypt(plainText); } SspiUtility.UpdateSecurityBuffers(securityBuffers, SecurityBufferType.Data, cipherText); } else { cipherText = null; } //The SequenceNumber MUST be encrypted. //If AES is negotiated, then the server MUST use the AES-128 //algorithm using the SessionKey with an initialization vector //constructed by concatenating the first 8 bytes of the //checksum with itself twice (thus getting 16 bytes of data) using (BCryptAlgorithm aes = new BCryptAlgorithm("AES")) { aes.Mode = BCryptCipherMode.CFB; aes.Key = sessionKey; aes.IV = ArrayUtility.ConcatenateArrays( nlAuthSha2Sign.Checksum, // Checksum is only 8 bytes nlAuthSha2Sign.Checksum); nlAuthSha2Sign.SequenceNumber = aes.Encrypt(nlAuthSha2Sign.SequenceNumber); } nlAuthSha2Sign.Dummy = GenerateNonce(NL_AUTH_SHA2_SIGNATURE_DUMMY_LENGTH); // 24 == size of dummy token = TypeMarshal.ToBytes(nlAuthSha2Sign); SspiUtility.UpdateSecurityBuffers(securityBuffers, SecurityBufferType.Token, token); }
/// <summary> /// Compute the Netlogon Credential. /// </summary> /// <param name="algorithm"> /// Algorithm to compute the Netlogon authenticator. /// </param> /// <param name="input"> /// A byte array that contains the input. /// </param> /// <param name="sessionKey"> /// Session Key. /// </param> /// <returns>Netlogon Credential</returns> /// <exception cref="ArgumentNullException"> /// Thrown when input or sessionKey parameter /// passed to the method is null. /// </exception> /// <exception cref="ArgumentException"> /// Thrown when computation algorithm is not supported. /// Thrown when session key length is incorrect. /// </exception> public static byte[] ComputeNetlogonCredential( NrpcComputeNetlogonCredentialAlgorithm algorithm, byte[] input, byte[] sessionKey) { if (input == null) { throw new ArgumentNullException("input"); } if (sessionKey == null) { throw new ArgumentNullException("sessionKey"); } if (sessionKey.Length != NETLOGON_SESSION_KEY_LENGTH) { throw new ArgumentException("Session key length is incorrect.", "sessionKey"); } byte[] credential; switch (algorithm) { case NrpcComputeNetlogonCredentialAlgorithm.AES128: //ComputeNetlogonCredential(Input, Sk, Output) //SET IV = 0 //CALL AesEncrypt(Input, Sk, IV, Output) using (BCryptAlgorithm aes = new BCryptAlgorithm("AES")) { aes.Mode = BCryptCipherMode.CFB; aes.Key = sessionKey; aes.IV = new byte[aes.BlockSize]; //AES128's IV is 128 bits. credential = aes.Encrypt(input); } break; case NrpcComputeNetlogonCredentialAlgorithm.DESECB: //ComputeNetlogonCredential(Input, Sk, Output) //SET k1 to bytes(0, 6, Sk) //CALL InitLMKey(k1, k3) //SET k2 to bytes(7, 13, Sk) //CALL InitLMKey(k2, k4) //CALL DES_ECB(Input, k3, &output1) //CALL DES_ECB(output1, k4, &output2) //SET Output to output2 byte[] k1 = ArrayUtility.SubArray(sessionKey, 0, 7); byte[] k2 = ArrayUtility.SubArray(sessionKey, 7, 7); using (DES des = DES.Create()) { des.Mode = CipherMode.ECB; des.Padding = PaddingMode.None; des.Key = InitLMKey(k1); byte[] output1 = des.CreateEncryptor().TransformFinalBlock(input, 0, input.Length); des.Key = InitLMKey(k2); byte[] output2 = des.CreateEncryptor().TransformFinalBlock(output1, 0, output1.Length); credential = output2; } break; default: throw new ArgumentException( "Specified netlogon credential computation algorithm is not valid.", "algorithm"); } return credential; }
private static byte[] Encrypt(ulong sessionId, Smb2CryptoInfo cryptoInfo, Smb2Role role, Smb2Packet originalPacket) { Packet_Header header; if (originalPacket is Smb2SinglePacket) { header = (originalPacket as Smb2SinglePacket).Header; } else { header = (originalPacket as Smb2CompoundPacket).Packets[0].Header; } // Encrypt all messages after session setup if global encryption enabled. // Encrypt all messages after tree connect if global encryption disabled but share encryption enabled. if (header.Command != Smb2Command.NEGOTIATE && header.Command != Smb2Command.SESSION_SETUP && (cryptoInfo.EnableSessionEncryption || (cryptoInfo.EnableTreeEncryption.Contains(header.TreeId) && header.Command != Smb2Command.TREE_CONNECT ) ) ) { using (var bcrypt = new BCryptAlgorithm("AES")) { byte[] originalBinary = originalPacket.ToBytes(); Transform_Header transformHeader = new Transform_Header { ProtocolId = Smb2Consts.ProtocolIdInTransformHeader, OriginalMessageSize = (uint)originalBinary.Length, SessionId = sessionId, Signature = new byte[16] }; if (cryptoInfo.Dialect == DialectRevision.Smb311) { transformHeader.Flags = TransformHeaderFlags.Encrypted; } else { transformHeader.EncryptionAlgorithm = EncryptionAlgorithm.ENCRYPTION_AES128_CCM; } byte[] tag; int nonceLength = 0; BCryptCipherMode mode = BCryptCipherMode.NotAvailable; GetCryptoParams(cryptoInfo, CryptoOperationType.Encrypt, out mode, out nonceLength); bcrypt.Mode = mode; bcrypt.Key = role == Smb2Role.Server ? cryptoInfo.ServerOutKey : cryptoInfo.ServerInKey; // The reserved field (5 bytes for CCM, 4 bytes for GCM) must be set to zero. byte[] nonce = new byte[16]; Buffer.BlockCopy(Guid.NewGuid().ToByteArray(), 0, nonce, 0, nonceLength); transformHeader.Nonce = new Guid(nonce); byte[] output = bcrypt.Encrypt( originalBinary, transformHeader.Nonce.ToByteArray().Take(nonceLength).ToArray(), // Use the fields including and after Nonce field as auth data Smb2Utility.MarshalStructure(transformHeader).Skip(20).ToArray(), // Signature is 16 bytes in length 16, out tag); transformHeader.Signature = tag; return Smb2Utility.MarshalStructure(transformHeader).Concat(output).ToArray(); } } // Return null if the message is not required to be encrypted. return null; }