public byte[] ProcessChallenge(byte[] Challenge) { byte[] bytes; RdpPacket packet = new RdpPacket(); this.m_ChallengeMsg = Challenge; packet.Write(Challenge, 0, Challenge.Length); packet.Position = 0L; long position = packet.Position; if (packet.ReadString(8) != "NTLMSSP\0") { throw new Exception("Invalid negotiation token!"); } if (packet.getLittleEndian32() != 2) { throw new Exception("Expected challenge!"); } int count = packet.getLittleEndian16(); packet.getLittleEndian16(); int num4 = packet.getLittleEndian32(); uint flags = (uint)packet.getLittleEndian32(); DumpFlags(flags); byte[] buffer = new byte[8]; packet.Read(buffer, 0, 8); byte[] buffer2 = new byte[8]; packet.Read(buffer2, 0, 8); int num5 = packet.getLittleEndian16(); packet.getLittleEndian16(); int num6 = packet.getLittleEndian32(); if ((flags & 0x2000000) != 0) { byte[] buffer3 = new byte[8]; packet.Read(buffer3, 0, 8); } if ((flags & 0x20000000) == 0) { throw new Exception("Strong Encryption not supported by server"); } byte[] buffer4 = null; if (count > 0) { buffer4 = new byte[count]; packet.Position = position + num4; packet.Read(buffer4, 0, count); Encoding.Unicode.GetString(buffer4, 0, buffer4.Length); } AV_PAIRS av_pairs = new AV_PAIRS(); byte[] buffer5 = null; if (num5 <= 0) { throw new Exception("No TargetInfo!"); } packet.Position = position + num6; buffer5 = new byte[num5]; packet.Read(buffer5, 0, num5); packet = new RdpPacket(); packet.Write(buffer5, 0, buffer5.Length); packet.Position = 0L; av_pairs.Parse(packet); byte[] data = nTOWFv2(this.m_sDomain, this.m_sUsername, this.m_sPassword); m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ResponseKeyNT, data); byte[] blob = new byte[8]; RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider(); provider.GetBytes(blob); m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ClientChallenge, blob); byte[] buffer8 = getLMv2Response(data, buffer, blob); if (this.m_bNTLMv2) { Array.Clear(buffer8, 0, buffer8.Length); } bool bGenerateMIC = false; if ((av_pairs.Timestamp.length <= 0) || !this.m_bNTLMv2) { bytes = BitConverter.GetBytes(DateTime.UtcNow.ToFileTimeUtc()); } else { bytes = av_pairs.Timestamp.value; bGenerateMIC = true; av_pairs.ProcessForNTLMv2(); buffer5 = av_pairs.Serialise(); } byte[] keyExchangeKey = null; byte[] buffer11 = getNTLMv2Response(data, buffer, blob, bytes, buffer5, out keyExchangeKey); m_Socket.AddBlob(PacketLogger.PacketType.NTLM_KeyExchangeKey, keyExchangeKey); byte[] encryptedRandomSessionKey = null; byte[] buffer13 = null; buffer13 = new byte[0x10]; provider.GetBytes(buffer13); m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ExportedSessionKey, buffer13); encryptedRandomSessionKey = new byte[0x10]; RC4 rc = new RC4(); rc.engineInitEncrypt(keyExchangeKey); encryptedRandomSessionKey = rc.crypt(buffer13); if ((flags & 0x40000000) == 0) { encryptedRandomSessionKey = new byte[0]; buffer13 = keyExchangeKey; } this.InitSignKeys(buffer13); return(this.Authenticate(buffer8, buffer11, this.m_sDomain, this.m_sUsername, this.m_sWorkstation, encryptedRandomSessionKey, buffer13, bGenerateMIC)); }
private static RdpPacket getLoginInfo(string domain, string username, string password, string command, string directory, bool bAutoReconnect) { int num = 2 * "127.0.0.1".Length; int num2 = 2 * @"C:\WINNT\System32\mstscax.dll".Length; int num1 = _p; int num3 = 2 * domain.Length; int num4 = 2 * username.Length; int num5 = 2 * password.Length; int num6 = 2 * command.Length; int num7 = 2 * directory.Length; RdpPacket packet = new RdpPacket(); int num8 = 0x213b; packet.WriteLittleEndian32(0); packet.WriteLittleEndian32(num8); packet.WriteLittleEndian16((short)num3); packet.WriteLittleEndian16((short)num4); if ((num8 & 8) != 0) { packet.WriteLittleEndian16((short)num5); } else { packet.WriteLittleEndian16((short)0); } packet.WriteLittleEndian16((short)num6); packet.WriteLittleEndian16((short)num7); if (0 < num3) { packet.WriteUnicodeString(domain); } else { packet.WriteLittleEndian16((short)0); } packet.WriteUnicodeString(username); if ((num8 & 8) != 0) { packet.WriteUnicodeString(password); } else { packet.WriteLittleEndian16((short)0); } if (0 < num6) { packet.WriteUnicodeString(command); } else { packet.WriteLittleEndian16((short)0); } if (0 < num7) { packet.WriteUnicodeString(directory); } else { packet.WriteLittleEndian16((short)0); } packet.WriteLittleEndian16((short)2); packet.WriteLittleEndian16((short)(num + 2)); packet.WriteUnicodeString("127.0.0.1"); packet.WriteLittleEndian16((short)(num2 + 2)); packet.WriteUnicodeString(@"C:\WINNT\System32\mstscax.dll"); TimeZoneInfo info = TimeZoneInfo.Local; packet.WriteLittleEndian32((int)info.BaseUtcOffset.TotalMinutes); packet.WriteUnicodeString(info.StandardName); packet.Position += 0x3e - (2 * info.StandardName.Length); if (info.SupportsDaylightSavingTime) { packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((ushort)10); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)30); packet.WriteLittleEndian16((short)2); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian32(0); } else { packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian32(0); } packet.WriteUnicodeString(info.DaylightName); packet.Position += 0x3e - (2 * info.DaylightName.Length); if (info.SupportsDaylightSavingTime) { packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((ushort)3); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0x1b); packet.WriteLittleEndian16((short)1); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian32((int)(info.BaseUtcOffset.TotalMinutes + 1.0)); } else { packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian16((short)0); packet.WriteLittleEndian32(0); } packet.WriteLittleEndianU32(0); PerformanceFlags flags = (PerformanceFlags)0; if (!RDPClient.IsHostFlagSet(HostFlags.DesktopBackground)) { flags |= PerformanceFlags.PERF_DISABLE_WALLPAPER; } if (RDPClient.IsHostFlagSet(HostFlags.FontSmoothing)) { flags |= PerformanceFlags.PERF_ENABLE_FONT_SMOOTHING; } if (RDPClient.IsHostFlagSet(HostFlags.DesktopComposition)) { flags |= PerformanceFlags.PERF_ENABLE_DESKTOP_COMPOSITION; } if (!RDPClient.IsHostFlagSet(HostFlags.ShowWindowContents)) { flags |= PerformanceFlags.PERF_DISABLE_FULLWINDOWDRAG; } if (!RDPClient.IsHostFlagSet(HostFlags.MenuAnimation)) { flags |= PerformanceFlags.PERF_DISABLE_MENUANIMATIONS; } if (!RDPClient.IsHostFlagSet(HostFlags.VisualStyles)) { flags |= PerformanceFlags.PERF_DISABLE_THEMING; } packet.WriteLittleEndian32((int)flags); if (bAutoReconnect) { packet.WriteLittleEndian32(0x1c); packet.WriteLittleEndian32(0x1c); packet.WriteLittleEndian32(1); packet.WriteLittleEndian32(RDPClient.LogonID); HMACT64 hmact = new HMACT64(RDPClient.ReconnectCookie); hmact.update(Secure.GetClentRandom()); byte[] buffer = hmact.digest(); packet.Write(buffer, 0, buffer.Length); return(packet); } packet.WriteLittleEndian32(0); return(packet); }