internal static void processRedirection(RdpPacket data, bool bStdRedirect) { if (!bStdRedirect) { data.getLittleEndian16(); } data.getLittleEndian16(); data.getLittleEndian16(); RDPClient.sessionID = data.getLittleEndian32(); int num = data.getLittleEndian32(); if ((num & 1) != 0) { RDPClient.Host = data.ReadUnicodeString(); } byte[] buffer = null; if ((num & 2) != 0) { int count = data.getLittleEndian32(); buffer = new byte[count]; data.Read(buffer, 0, count); } if ((num & 4) != 0) { RDPClient.Username = data.ReadUnicodeString(); } if ((num & 8) != 0) { RDPClient.Domain = data.ReadUnicodeString(); } if ((num & 0x10) != 0) { RDPClient.Password = data.ReadUnicodeString(); } if ((num & 0x200) != 0) { RDPClient.Host = data.ReadUnicodeString(); } if ((num & 0x100) != 0) { RDPClient.Host = data.ReadUnicodeString(); } if (!string.IsNullOrEmpty(RDPClient.Domain)) { RDPClient.DomainAndUsername = RDPClient.Domain + @"\" + RDPClient.Username; } else { RDPClient.DomainAndUsername = RDPClient.Username; } if ((num & 0x80) == 0) { Network.Close(); Licence.Reset(); Network.Connect(RDPClient.Host, RDPClient.Port); MCS.send_connection_request(buffer, false); } }
private static int receiveConnectNegotiation() { RdpPacket packet = ISO.Receive(); //Print(packet); //System.Windows.Forms.MessageBox.Show("Test"); packet.Position += 7L; if (packet.Position >= packet.Length) { return(0); } switch (packet.ReadByte()) { case 2: RDPClient.serverNegotiateFlags = (NegotiationFlags)packet.ReadByte(); packet.getLittleEndian16(); return(packet.getLittleEndian32()); case 3: packet.ReadByte(); packet.getLittleEndian16(); switch (packet.getLittleEndian32()) { case 1: throw new RDFatalException("The server requires that the client support Enhanced RDP Security with TLS 1.0"); case 2: return(0x10000000); case 3: throw new RDFatalException("The server does not possess a valid authentication certificate and cannot initialize the External Security Protocol Provider"); case 4: throw new RDFatalException("The list of requested security protocols is not consistent with the current security protocol in effect."); case 5: throw new RDFatalException("The server requires that the client support Enhanced RDP Security with CredSSP"); case 6: throw new RDFatalException("The server requires that the client support Enhanced RDP Security and certificate-based client authentication"); } throw new RDFatalException("Unknown Negotiation failure!"); } throw new RDFatalException("Negotiation failed, requested security level not supported by server."); }
public static bool IsLicensePacket(RdpPacket packet) { if (RDPClient.m_bLicensed) { return(false); } int num = packet.getLittleEndian32(); packet.Position -= 4L; return((num & 0x80) != 0); }
private static void logonInfoVersion2(RdpPacket data) { data.getLittleEndian16(); data.getLittleEndian32(); data.getLittleEndian32(); var cbDomain = data.getLittleEndian32(); data.Read(new byte[562], 0, 562); // Username + Padding var Domain = new byte[52]; data.Read(Domain, 0, cbDomain); RDPClient.Domain = System.Text.Encoding.Unicode.GetString(Domain).Replace("\0", ""); // Флаг авторизации if (RDPClient.FullXP) { RDPClient.GoodAuth = true; } }
internal static void channel_process(int ChannelID, RdpPacket data) { data.getLittleEndian32(); int num = data.getLittleEndian32(); if ((num & 1) != 0) { RDPClient.m_FullPacket = new RdpPacket(); } RDPClient.m_FullPacket.append(data); if ((num & 2) != 0) { RDPClient.m_FullPacket.Position = 0L; foreach (IVirtualChannel channel in RDPClient.m_Channels) { if (channel.ChannelID == ChannelID) { channel.channel_process(RDPClient.m_FullPacket); } } } }
private static bool parsePublicKey(RdpPacket data) { int num = 0; int num2 = 0; num = data.getLittleEndian32(); if (num != 0x31415352) { int num3 = 0x31415352; throw new RDFatalException("Bad magic header ! Need " + num3.ToString() + " but got " + num.ToString()); } num2 = data.getLittleEndian32(); if (num2 != (RDPClient.modulus_size + 8)) { RDPClient.modulus_size = num2 - 8; } data.Position += 8L; m_Exponent = new byte[4]; data.Read(m_Exponent, 0, 4); m_Modulus = new byte[RDPClient.modulus_size]; data.Read(m_Modulus, 0, RDPClient.modulus_size); return(data.Position <= data.Length); }
internal static RdpPacket Secure_Receive(out bool bFastPath) { int num; int num2; int num3 = 0; RdpPacket packet = null; Label_0004: bFastPath = false; packet = ReceiveMCS(out num, out num2); if (packet == null) { return(null); } switch (num2) { case 0xff: bFastPath = true; return(packet); case 0xfe: packet = Secure.DecryptPacket(packet); bFastPath = true; return(packet); } if (Secure.RDPEncrypted() || Licence.IsLicensePacket(packet)) { num3 = packet.getLittleEndian32(); if ((num3 & MCS.SEC_ENCRYPT) != 0) { packet = Secure.DecryptPacket(packet); } if ((num3 & 0x80) != 0) { Licence.process(packet); goto Label_0004; } if ((num3 & MCS.SEC_REDIRECTION_PKT) != 0) { ControlFlow.processRedirection(packet, true); goto Label_0004; } } if (num != MCS.MSC_GLOBAL_CHANNEL) { Channels.channel_process(num, packet); goto Label_0004; } return(packet); }
internal static void process(RdpPacket data) { int num = 0; num = data.ReadByte(); data.ReadByte(); data.getLittleEndian16(); switch (num) { case 1: process_demand(data); return; case 2: process_authreq(data); return; case 3: process_issue(data); RDPClient.m_bLicensed = true; return; case 4: RDPClient.m_bLicensed = true; return; case 0xff: data.getLittleEndian32(); data.getLittleEndian32(); data.getLittleEndian16(); data.getLittleEndian16(); RDPClient.m_bLicensed = true; return; } }
internal static void processDemandActive(RdpPacket data) { int num3; RDPClient.rdp_shareid = data.getLittleEndian32(); int num = data.getLittleEndian16(); data.getLittleEndian16(); data.Position += num; int numCaps = data.getLittleEndian16(); data.getLittleEndian16(); processServerCapabilities(data, numCaps); sendConfirmActive(); sendSynchronize(); sendControl(4); sendControl(1); ISO.Secure_Receive(out num3); ISO.Secure_Receive(out num3); ISO.Secure_Receive(out num3); if (!RDPClient.m_bInitialised) { sendPersistKeyList(); } List <Rdp.InputInfo> inputToSend = new List <Rdp.InputInfo> { new Rdp.InputInfo(0, Rdp.InputType.INPUT_EVENT_SYNC, 0, 0, 0) }; IsoLayer.SendInput(inputToSend); sendFontList(); ISO.Secure_Receive(out num3); if (RDPClient.m_bInitialised) { RDPClient.OnInitialise(); } RDPClient.m_bInitialised = true; resetOrderState(); }
private static void processLogonInfo(RdpPacket data) { var number = (InfoType)data.getLittleEndian32(); switch (number) { case InfoType.INFOTYPE_LOGON: logonInfoVersion1(data); break; case InfoType.INFOTYPE_LOGON_LONG: logonInfoVersion2(data); break; case InfoType.INFOTYPE_LOGON_PLAINNOTIFY: plainNotify(data); break; case InfoType.INFOTYPE_LOGON_EXTENDED_INFO: logonInfoExtended(data); break; default: break; } if (!RDPClient.UseAltChecker) { // Флаг авторизации if (!RDPClient.FullXP) { RDPClient.GoodAuth = true; } } // Прерываем выполнение RDPClient.timeoutTimer.Stop(); RDPClient.m_bHalt = true; }
internal static int parseCryptInfo(RdpPacket data) { int num2 = 0; int num3 = 0; int num4 = 0; int num5 = 0; int num6 = 0; int num7 = 0; num7 = data.getLittleEndian32(); if (data.getLittleEndian32() == 0) { if (!Network.SSLConnection) { throw new RDFatalException("Server does not support encrypted connections!"); } return(0); } int count = data.getLittleEndian32(); num2 = data.getLittleEndian32(); if (count != 0x20) { string[] strArray = new string[] { "Wrong size of random key size! Accepted ", count.ToString(), " but ", 0x20.ToString(), "!" }; throw new RDFatalException(string.Concat(strArray)); } m_Server_Random = new byte[count]; data.Read(m_Server_Random, 0, count); num6 = ((int)data.Position) + num2; if (num6 > data.Length) { throw new RDFatalException("Crypt Info too short!"); } if ((data.getLittleEndian32() & 1) != 0) { data.Position += 8L; while (data.Position < data.Length) { num3 = data.getLittleEndian16(); num4 = data.getLittleEndian16(); num5 = ((int)data.Position) + num4; switch (num3) { case 6: if (parsePublicKey(data)) { break; } return(0); } data.Position = num5; } return(num7); } int num9 = data.getLittleEndian32(); int num10 = 0; if (num9 < 2) { throw new RDFatalException("Illegal number of certificates " + num9.ToString()); } while (num9 > 2) { num10 = data.getLittleEndian32(); data.Position += num10; num9--; } byte[] buffer = new byte[data.getLittleEndian32()]; data.Read(buffer, 0, buffer.Length); X509Certificate certificate = new X509Certificate(buffer); m_Server_Public_Key = new byte[StaticSettings.SecureValue1]; Array.Copy(certificate.GetPublicKey(), 5, m_Server_Public_Key, 0, StaticSettings.SecureValue1); byte[] buffer2 = new byte[data.getLittleEndian32()]; data.Read(buffer2, 0, buffer2.Length); X509Certificate certificate2 = new X509Certificate(buffer2); m_Server_Public_Key = new byte[StaticSettings.SecureValue1]; Array.Copy(certificate2.GetPublicKey(), 5, m_Server_Public_Key, 0, StaticSettings.SecureValue1); RDPClient.readCert = true; return(num7); }
private static void logonInfoExtended(RdpPacket data) { // Флаг авторизации if (RDPClient.FullXP) { RDPClient.GoodAuth = true; } data.getLittleEndian16(); var num2 = (FieldsPresent)data.getLittleEndian32(); // Reconnect Cookie if (num2.HasFlag(FieldsPresent.LOGON_EX_AUTORECONNECTCOOKIE)) { if (data.getLittleEndian32() != 0x1c) { throw new Exception("Invalid length for AutoReconnectCookie!"); } data.getLittleEndian32(); RDPClient.LogonID = data.getLittleEndian32(); if (RDPClient.ReconnectCookie == null) { RDPClient.ReconnectCookie = new byte[0x10]; } data.Read(RDPClient.ReconnectCookie, 0, RDPClient.ReconnectCookie.Length); } // Error if (num2.HasFlag(FieldsPresent.LOGON_EX_LOGONERRORS)) { var ErrorType = (ErrorNotificationType)data.getLittleEndian32(); var ErrorData = (ErrorNotificationData)data.getLittleEndian32(); // Проверка ошибок if (ErrorType.HasFlag(ErrorNotificationType.LOGON_MSG_NO_PERMISSION) || ErrorType.HasFlag(ErrorNotificationType.LOGON_MSG_DISCONNECT_REFUSED) || ErrorType.HasFlag(ErrorNotificationType.LOGON_MSG_SESSION_TERMINATE) || ErrorData.HasFlag(ErrorNotificationData.LOGON_FAILED_BAD_PASSWORD) || ErrorData.HasFlag(ErrorNotificationData.LOGON_WARNING) || ErrorData.HasFlag(ErrorNotificationData.LOGON_FAILED_OTHER)) { // Флаг авторизации if (RDPClient.FullXP) { RDPClient.GoodAuth = false; } } // Проверка на смену пароля if (ErrorData.HasFlag(ErrorNotificationData.LOGON_FAILED_UPDATE_PASSWORD)) { // Флаг смены пароля RDPClient.NeedChangePassword = true; // Флаг авторизации if (RDPClient.FullXP) { RDPClient.GoodAuth = true; } } } }
private static bool processData(RdpPacket data) { int num3; int num = 0; data.Position += 6L; data.getLittleEndian16(); num = data.ReadByte(); data.ReadByte(); data.getLittleEndian16(); switch (num) { case 0x26: // 38 // RDP_DATA_PDU_SAVE_SESSION_INFO processLogonInfo(data); goto Label_015E; case 0x2f: // 47 // RDP_DATA_PDU_SET_ERROR_INFO num3 = data.getLittleEndian32(); switch (num3) { case 0: case 12: goto Label_015E; case 1: throw new RDFatalException("The disconnection was initiated by an administrative tool on the server in another session."); case 2: throw new RDFatalException("The disconnection was due to a forced logoff initiated by an administrative tool on the server in another session."); case 3: throw new RDFatalException("The idle session limit timer on the server has elapsed."); case 4: throw new RDFatalException("The active session limit timer on the server has elapsed."); case 5: throw new RDFatalException("Another user connected to the server, forcing the disconnection of the current connection."); case 7: throw new RDFatalException("The server denied the connection."); case 9: throw new RDFatalException("The user cannot connect to the server due to insufficient access privileges."); case 11: throw new RDFatalException("The disconnection was initiated by an administrative tool on the server running in the user's session."); case 0x102: throw new RDFatalException("There are no Client Access Licenses available for the target remote computer, please contact your network administrator."); } break; case 2: // processUpdate return(false); case 0x1b: // 27 return(false); default: goto Label_015E; } throw new RDFatalException("Error code: " + num3.ToString("X8") + ", please contact Support with this error code"); Label_015E: return(false); }
public void Parse(RdpPacket packet) { NTLM.AV_ID av_id; byte[] buffer = null; do { av_id = (NTLM.AV_ID)packet.getLittleEndian16(); int count = packet.getLittleEndian16(); if (count > 0) { if (av_id != NTLM.AV_ID.MsvAvFlags) { buffer = new byte[count]; packet.Read(buffer, 0, count); } else { this.Flags = packet.getLittleEndian32(); } } switch (av_id) { case NTLM.AV_ID.MsvAvNbComputerName: this.NbComputerName.length = count; this.NbComputerName.value = buffer; this.sNbComputerName = Encoding.Unicode.GetString(this.NbComputerName.value, 0, this.NbComputerName.value.Length); break; case NTLM.AV_ID.MsvAvNbDomainName: this.NbDomainName.length = count; this.NbDomainName.value = buffer; this.sNbDomainName = Encoding.Unicode.GetString(this.NbDomainName.value, 0, this.NbDomainName.value.Length); break; case NTLM.AV_ID.MsvAvDnsComputerName: this.DnsComputerName.length = count; this.DnsComputerName.value = buffer; this.sDnsComputerName = Encoding.Unicode.GetString(this.DnsComputerName.value, 0, this.DnsComputerName.value.Length); break; case NTLM.AV_ID.MsvAvDnsDomainName: this.DnsDomainName.length = count; this.DnsDomainName.value = buffer; this.sDnsDomainName = Encoding.Unicode.GetString(this.DnsDomainName.value, 0, this.DnsDomainName.value.Length); break; case NTLM.AV_ID.MsvAvDnsTreeName: this.DnsTreeName.length = count; this.DnsTreeName.value = buffer; break; case NTLM.AV_ID.MsvAvTimestamp: this.Timestamp.length = count; this.Timestamp.value = buffer; break; case NTLM.AV_ID.MsvAvRestrictions: this.Restrictions.length = count; this.Restrictions.value = buffer; break; case NTLM.AV_ID.MsvAvTargetName: this.TargetName.length = count; this.TargetName.value = buffer; break; case NTLM.AV_ID.MsvChannelBindings: this.ChannelBindings.length = count; this.ChannelBindings.value = buffer; break; } }while (av_id != NTLM.AV_ID.MsvAvEOL); }
public byte[] ProcessChallenge(byte[] Challenge) { byte[] bytes; RdpPacket packet = new RdpPacket(); this.m_ChallengeMsg = Challenge; packet.Write(Challenge, 0, Challenge.Length); packet.Position = 0L; long position = packet.Position; if (packet.ReadString(8) != "NTLMSSP\0") { throw new Exception("Invalid negotiation token!"); } if (packet.getLittleEndian32() != 2) { throw new Exception("Expected challenge!"); } int count = packet.getLittleEndian16(); packet.getLittleEndian16(); int num4 = packet.getLittleEndian32(); uint flags = (uint)packet.getLittleEndian32(); DumpFlags(flags); byte[] buffer = new byte[8]; packet.Read(buffer, 0, 8); byte[] buffer2 = new byte[8]; packet.Read(buffer2, 0, 8); int num5 = packet.getLittleEndian16(); packet.getLittleEndian16(); int num6 = packet.getLittleEndian32(); if ((flags & 0x2000000) != 0) { byte[] buffer3 = new byte[8]; packet.Read(buffer3, 0, 8); } if ((flags & 0x20000000) == 0) { throw new Exception("Strong Encryption not supported by server"); } byte[] buffer4 = null; if (count > 0) { buffer4 = new byte[count]; packet.Position = position + num4; packet.Read(buffer4, 0, count); Encoding.Unicode.GetString(buffer4, 0, buffer4.Length); } AV_PAIRS av_pairs = new AV_PAIRS(); byte[] buffer5 = null; if (num5 <= 0) { throw new Exception("No TargetInfo!"); } packet.Position = position + num6; buffer5 = new byte[num5]; packet.Read(buffer5, 0, num5); packet = new RdpPacket(); packet.Write(buffer5, 0, buffer5.Length); packet.Position = 0L; av_pairs.Parse(packet); byte[] data = nTOWFv2(this.m_sDomain, this.m_sUsername, this.m_sPassword); m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ResponseKeyNT, data); byte[] blob = new byte[8]; RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider(); provider.GetBytes(blob); m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ClientChallenge, blob); byte[] buffer8 = getLMv2Response(data, buffer, blob); if (this.m_bNTLMv2) { Array.Clear(buffer8, 0, buffer8.Length); } bool bGenerateMIC = false; if ((av_pairs.Timestamp.length <= 0) || !this.m_bNTLMv2) { bytes = BitConverter.GetBytes(DateTime.UtcNow.ToFileTimeUtc()); } else { bytes = av_pairs.Timestamp.value; bGenerateMIC = true; av_pairs.ProcessForNTLMv2(); buffer5 = av_pairs.Serialise(); } byte[] keyExchangeKey = null; byte[] buffer11 = getNTLMv2Response(data, buffer, blob, bytes, buffer5, out keyExchangeKey); m_Socket.AddBlob(PacketLogger.PacketType.NTLM_KeyExchangeKey, keyExchangeKey); byte[] encryptedRandomSessionKey = null; byte[] buffer13 = null; buffer13 = new byte[0x10]; provider.GetBytes(buffer13); m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ExportedSessionKey, buffer13); encryptedRandomSessionKey = new byte[0x10]; RC4 rc = new RC4(); rc.engineInitEncrypt(keyExchangeKey); encryptedRandomSessionKey = rc.crypt(buffer13); if ((flags & 0x40000000) == 0) { encryptedRandomSessionKey = new byte[0]; buffer13 = keyExchangeKey; } this.InitSignKeys(buffer13); return(this.Authenticate(buffer8, buffer11, this.m_sDomain, this.m_sUsername, this.m_sWorkstation, encryptedRandomSessionKey, buffer13, bGenerateMIC)); }