├── README.md
├── RdpInfo
├── RdpInfo
│ ├── App.config
│ ├── RdpFull
│ │ ├── Exceptions
│ │ │ └── RDFatalException.cs
│ │ ├── Cryptography
│ │ │ ├── ABCDStruct.cs
│ │ │ ├── MD4.cs
│ │ │ ├── HMACT64.cs
│ │ │ ├── RC4.cs
│ │ │ ├── MD4Managed.cs
│ │ │ └── MD5.cs
│ │ ├── Protocol
│ │ │ ├── Processing
│ │ │ │ ├── IsoLayer.cs
│ │ │ │ └── ISO.cs
│ │ │ ├── Network
│ │ │ │ ├── Network.cs
│ │ │ │ ├── PacketLogger.cs
│ │ │ │ └── NetworkSocket.cs
│ │ │ └── Negotiation
│ │ │ │ ├── RdpPacket.cs
│ │ │ │ ├── MCS.cs
│ │ │ │ ├── ASN1.cs
│ │ │ │ ├── CredSSP.cs
│ │ │ │ └── NTLM.cs
│ │ ├── Settings
│ │ │ └── Options.cs
│ │ └── Encoding
│ │ │ └── ASCIIEncoding.cs
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ ├── RdpInfo.csproj
│ └── Program.cs
└── RdpInfo.sln
├── SmbInfo
├── SmbInfo
│ ├── App.config
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ ├── SmbInfo.csproj
│ └── Program.cs
└── SmbInfo.sln
├── WmiInfo
├── WmiInfo
│ ├── App.config
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ ├── WmiInfo.csproj
│ └── Program.cs
└── WmiInfo.sln
├── MssqlInfo
├── MssqlInfo
│ ├── App.config
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ ├── MssqlInfo.csproj
│ └── Program.cs
└── MssqlInfo.sln
└── WinRmInfo
├── WinRmInfo
├── Properties
│ └── AssemblyInfo.cs
├── WinRmInfo.csproj
└── Program.cs
└── WinRmInfo.sln
/README.md:
--------------------------------------------------------------------------------
1 | # 基于NTLM认证的常见端口服务探测Windows信息Demo
2 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/SmbInfo/SmbInfo/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/WmiInfo/WmiInfo/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/MssqlInfo/MssqlInfo/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Exceptions/RDFatalException.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace SharpRDPCheck
4 | {
5 | internal class RDFatalException : Exception
6 | {
7 | public RDFatalException(string message) : base(message)
8 | {
9 |
10 |
11 | }
12 |
13 | }
14 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Cryptography/ABCDStruct.cs:
--------------------------------------------------------------------------------
1 | using System.Runtime.InteropServices;
2 |
3 | namespace SharpRDPCheck
4 | {
5 | [StructLayout(LayoutKind.Sequential)]
6 | internal struct ABCDStruct
7 | {
8 | public uint A;
9 | public uint B;
10 | public uint C;
11 | public uint D;
12 | }
13 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Protocol/Processing/IsoLayer.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Diagnostics;
4 |
5 | namespace SharpRDPCheck
6 | {
7 | internal class IsoLayer
8 | {
9 | internal static void Write(RdpPacket data)
10 | {
11 | data.Position = 0L;
12 | byte[] buffer = new byte[data.Length];
13 | data.Read(buffer, 0, (int)data.Length);
14 |
15 | Network.Send(buffer);
16 | }
17 | }
18 |
19 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | [assembly: AssemblyTitle("SharpRDPCheck")]
6 | [assembly: AssemblyDescription("")]
7 | [assembly: AssemblyConfiguration("")]
8 | [assembly: AssemblyCompany("")]
9 | [assembly: AssemblyProduct("SharpRDPCheck")]
10 | [assembly: AssemblyCopyright("Copyright © 2020")]
11 | [assembly: AssemblyTrademark("")]
12 | [assembly: AssemblyCulture("")]
13 |
14 |
15 | [assembly: ComVisible(false)]
16 |
17 |
18 | [assembly: Guid("f6ac33bd-28fc-4ede-b394-d5139a890f50")]
19 |
20 | [assembly: AssemblyVersion("1.0.0.0")]
21 | [assembly: AssemblyFileVersion("1.0.0.0")]
22 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Settings/Options.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 | using System.Threading;
5 | using System.Security.Cryptography.X509Certificates;
6 | using System.Diagnostics;
7 |
8 | namespace SharpRDPCheck
9 | {
10 | internal class Options
11 | {
12 | internal static int SocketTimeout = 3000;
13 | internal static string ClientName = "Windows7"; // Client Name
14 | internal static string Domain = ""; // Domain
15 | internal static string DomainAndUsername = ""; // Domain and Username
16 | internal static string Host = ""; // Host
17 | internal static string hostname = "";
18 | internal static string Username = ""; // Username
19 | internal static string Password = ""; // Password
20 | internal static string hash = ""; // NTLM hash
21 | internal static int Port = 3389; // Port
22 | internal static bool enableNLA = true; // Enable NLA
23 | internal static MCS.NegotiationFlags serverNegotiateFlags;
24 | internal static bool GetNtlmInfo = true;
25 | }
26 | }
--------------------------------------------------------------------------------
/WinRmInfo/WinRmInfo/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // 有关程序集的一般信息由以下
6 | // 控制。更改这些特性值可修改
7 | // 与程序集关联的信息。
8 | [assembly: AssemblyTitle("ConsoleApp1")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("ConsoleApp1")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // 将 ComVisible 设置为 false 会使此程序集中的类型
18 | //对 COM 组件不可见。如果需要从 COM 访问此程序集中的类型
19 | //请将此类型的 ComVisible 特性设置为 true。
20 | [assembly: ComVisible(false)]
21 |
22 | // 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID
23 | [assembly: Guid("f77ee959-6c37-4978-9254-437c2b86e824")]
24 |
25 | // 程序集的版本信息由下列四个值组成:
26 | //
27 | // 主版本
28 | // 次版本
29 | // 生成号
30 | // 修订号
31 | //
32 | //可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值
33 | //通过使用 "*",如下所示:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31129.286
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "RdpInfo", "RdpInfo\RdpInfo.csproj", "{F6AC33BD-28FC-4EDE-B394-D5139A890F50}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {F6AC33BD-28FC-4EDE-B394-D5139A890F50}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {F6AC33BD-28FC-4EDE-B394-D5139A890F50}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {F6AC33BD-28FC-4EDE-B394-D5139A890F50}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {F6AC33BD-28FC-4EDE-B394-D5139A890F50}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {501EBDCC-CF63-46F7-BF01-16B9609D5CF6}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/SmbInfo/SmbInfo.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31129.286
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SmbInfo", "SmbInfo\SmbInfo.csproj", "{32594A58-3481-4A13-B96D-C48874D2ACD4}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {32594A58-3481-4A13-B96D-C48874D2ACD4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {32594A58-3481-4A13-B96D-C48874D2ACD4}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {32594A58-3481-4A13-B96D-C48874D2ACD4}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {32594A58-3481-4A13-B96D-C48874D2ACD4}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {26989B12-8500-4C40-8596-37C8934D9318}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/WmiInfo/WmiInfo.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31129.286
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WmiInfo", "WmiInfo\WmiInfo.csproj", "{92A4910D-E923-4C67-9B54-FAF0503BADCE}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {92A4910D-E923-4C67-9B54-FAF0503BADCE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {92A4910D-E923-4C67-9B54-FAF0503BADCE}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {92A4910D-E923-4C67-9B54-FAF0503BADCE}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {92A4910D-E923-4C67-9B54-FAF0503BADCE}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {09D07C59-8942-44F9-8C66-AD79E9119BEB}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/WinRmInfo/WinRmInfo.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30804.86
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WinRmInfo", "WinRmInfo\WinRmInfo.csproj", "{F77EE959-6C37-4978-9254-437C2B86E824}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {F77EE959-6C37-4978-9254-437C2B86E824}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {F77EE959-6C37-4978-9254-437C2B86E824}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {F77EE959-6C37-4978-9254-437C2B86E824}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {F77EE959-6C37-4978-9254-437C2B86E824}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {841B0080-EC94-45BE-8059-75BDC3BB2608}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/MssqlInfo/MssqlInfo.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31129.286
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MssqlInfo", "MssqlInfo\MssqlInfo.csproj", "{20D49853-D94A-4085-A576-3C4DFA969C29}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {20D49853-D94A-4085-A576-3C4DFA969C29}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {20D49853-D94A-4085-A576-3C4DFA969C29}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {20D49853-D94A-4085-A576-3C4DFA969C29}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {20D49853-D94A-4085-A576-3C4DFA969C29}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {9ABB949E-5199-4622-9FEF-DCDDC27BD02F}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Cryptography/MD4.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Text;
4 |
5 | namespace SharpRDPCheck
6 | {
7 | internal sealed class MD4
8 | {
9 |
10 | public static byte[] ComputeHash(byte[] input)
11 | {
12 | MD4Managed managed = new MD4Managed();
13 | managed.Initialize();
14 | return managed.ComputeHash(input);
15 | }
16 |
17 | public static byte[] ComputeHash(string input, Encoding encoding)
18 | {
19 | if (input == null)
20 | {
21 | throw new ArgumentNullException("input", "Unable to calculate hash over null input data");
22 | }
23 | if (encoding == null)
24 | {
25 | throw new ArgumentNullException("encoding", "Unable to calculate hash over a string without a default encoding. Consider using the GetHash(string) overload to use UTF8 Encoding");
26 | }
27 | return ComputeHash(encoding.GetBytes(input));
28 | }
29 |
30 | public static string ComputeHashString(byte[] input)
31 | {
32 | if (input == null)
33 | {
34 | throw new ArgumentNullException("input", "Unable to calculate hash over null input data");
35 | }
36 | return BitConverter.ToString(ComputeHash(input)).Replace("-", "");
37 | }
38 |
39 | }
40 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Protocol/Processing/ISO.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Threading;
3 | using System.Diagnostics;
4 |
5 | namespace SharpRDPCheck
6 | {
7 | internal class ISO
8 | {
9 | internal static RdpPacket Receive()
10 | {
11 | byte[] buffer = new byte[0x3000];
12 | int count = Network.Receive(buffer);
13 | RdpPacket packet = new RdpPacket();
14 | packet.Write(buffer, 0, count);
15 | packet.Position = 0L;
16 | int num2 = 0;
17 |
18 | if (packet.ReadByte() == 3)
19 | {
20 | packet.ReadByte();
21 | num2 = packet.ReadBigEndian16();
22 | long position = packet.Position;
23 |
24 | while (num2 > count)
25 | {
26 | int num4 = Network.Receive(buffer);
27 | packet.Position = count;
28 | packet.Write(buffer, 0, num4);
29 | count += num4;
30 | }
31 |
32 | packet.Position = position;
33 |
34 | return packet;
35 | }
36 | num2 = packet.ReadByte();
37 |
38 | if ((num2 & 0x80) != 0)
39 | {
40 | num2 &= -129;
41 | num2 = num2 << (8 + packet.ReadByte());
42 | }
43 |
44 | return packet;
45 | }
46 |
47 |
48 | }
49 | }
--------------------------------------------------------------------------------
/SmbInfo/SmbInfo/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("SmbInfo")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SmbInfo")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("32594a58-3481-4a13-b96d-c48874d2acd4")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/WmiInfo/WmiInfo/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("WmiInfo")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("WmiInfo")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("92a4910d-e923-4c67-9b54-faf0503badce")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/MssqlInfo/MssqlInfo/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("MssqlInfo")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("MssqlInfo")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("20d49853-d94a-4085-a576-3c4dfa969c29")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/WinRmInfo/WinRmInfo/WinRmInfo.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {F77EE959-6C37-4978-9254-437C2B86E824}
8 | Exe
9 | WinRmInfo
10 | WinRmInfo
11 | v2.0
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
--------------------------------------------------------------------------------
/SmbInfo/SmbInfo/SmbInfo.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {32594A58-3481-4A13-B96D-C48874D2ACD4}
8 | Exe
9 | SmbInfo
10 | SmbInfo
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/WmiInfo/WmiInfo/WmiInfo.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {92A4910D-E923-4C67-9B54-FAF0503BADCE}
8 | Exe
9 | WmiInfo
10 | WmiInfo
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/MssqlInfo/MssqlInfo/MssqlInfo.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {20D49853-D94A-4085-A576-3C4DFA969C29}
8 | Exe
9 | MssqlInfo
10 | MssqlInfo
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Cryptography/HMACT64.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 |
4 | namespace SharpRDPCheck
5 | {
6 | internal class HMACT64
7 | {
8 | private const int BLOCK_LENGTH = 0x40;
9 | private List buffer = new List();
10 | private byte[] ipad = new byte[0x40];
11 | private const byte IPAD = 0x36;
12 | private byte[] opad = new byte[0x40];
13 | private const byte OPAD = 0x5c;
14 |
15 | public HMACT64(byte[] key)
16 | {
17 | int num = Math.Min(key.Length, 0x40);
18 |
19 | for (int i = 0; i < num; i++)
20 | {
21 | this.ipad[i] = (byte)(key[i] ^ 0x36);
22 | this.opad[i] = (byte)(key[i] ^ 0x5c);
23 | }
24 |
25 | for (int j = num; j < 0x40; j++)
26 | {
27 | this.ipad[j] = 0x36;
28 | this.opad[j] = 0x5c;
29 | }
30 |
31 | this.reset();
32 | }
33 |
34 | public byte[] digest()
35 | {
36 | byte[] collection = MD5.ComputeHash(this.buffer.ToArray());
37 | this.buffer.Clear();
38 | this.buffer.AddRange(this.opad);
39 | this.buffer.AddRange(collection);
40 | collection = MD5.ComputeHash(this.buffer.ToArray());
41 | this.reset();
42 |
43 | return collection;
44 | }
45 |
46 | public int digest(byte[] buf, int offset, int len)
47 | {
48 | byte[] collection = MD5.ComputeHash(this.buffer.ToArray());
49 | this.buffer.Clear();
50 | this.buffer.AddRange(this.opad);
51 | this.buffer.AddRange(collection);
52 | byte[] sourceArray = MD5.ComputeHash(this.buffer.ToArray());
53 |
54 | if (len > sourceArray.Length)
55 | {
56 | len = sourceArray.Length;
57 | }
58 |
59 | Array.Copy(sourceArray, 0, buf, offset, len);
60 | this.reset();
61 |
62 | return sourceArray.Length;
63 | }
64 |
65 | public void reset()
66 | {
67 | this.buffer.Clear();
68 | this.buffer.AddRange(this.ipad);
69 | }
70 |
71 | public void update(byte[] input)
72 | {
73 | this.buffer.AddRange(input);
74 | }
75 |
76 | public void update(byte[] input, int offset, int len)
77 | {
78 | for (int i = offset; i < (offset + len); i++)
79 | {
80 | this.buffer.Add(input[i]);
81 | }
82 | }
83 |
84 | }
85 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Protocol/Network/Network.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Threading;
3 |
4 | namespace SharpRDPCheck
5 | {
6 | internal class Network
7 | {
8 | private static eConnectionStage m_ConnectionStage = eConnectionStage.None;
9 | private static PacketLogger m_Logger = null;
10 | internal static NetworkSocket m_OpenSocket = null;
11 | internal delegate void ConnectionStageChangedHandler();
12 | internal static event ConnectionStageChangedHandler ConnectionStageChanged;
13 |
14 | internal static void Connect(string host, int port)
15 | {
16 | ConnectionStage = eConnectionStage.Connecting;
17 | try
18 | {
19 | NetworkSocket socket = new NetworkSocket(host.Replace(".", ""));
20 | socket.Connect(host, port);
21 | m_OpenSocket = socket;
22 | }
23 | catch { }
24 | }
25 |
26 | internal static void DisConnect()
27 | {
28 | m_OpenSocket.DisConnect();
29 | }
30 |
31 | internal static void ConnectSSL()
32 | {
33 | m_OpenSocket.ConnectSSL();
34 | }
35 |
36 | public static byte[] GetSSLPublicKey()
37 | {
38 | return m_OpenSocket.GetSSLPublicKey();
39 | }
40 |
41 | public static int Receive(byte[] buffer)
42 | {
43 | return Receive(buffer, buffer.Length);
44 | }
45 |
46 | public static int Receive(byte[] buffer, int size)
47 | {
48 | return m_OpenSocket.Receive(buffer, size);
49 | }
50 |
51 | public static int Send(byte[] buffer)
52 | {
53 | return m_OpenSocket.Send(buffer);
54 | }
55 |
56 |
57 | internal static eConnectionStage ConnectionStage
58 | {
59 | get
60 | {
61 | return m_ConnectionStage;
62 | }
63 | set
64 | {
65 | eConnectionStage connectionStage = m_ConnectionStage;
66 | m_ConnectionStage = value;
67 | if ((connectionStage != value) && (ConnectionStageChanged != null))
68 | {
69 | ConnectionStageChanged();
70 | }
71 | }
72 | }
73 |
74 | public static PacketLogger Logger
75 | {
76 | get
77 | {
78 | return m_Logger;
79 | }
80 | set
81 | {
82 | m_Logger = value;
83 | }
84 | }
85 |
86 | public static NetworkSocket OpenSocket
87 | {
88 | get
89 | {
90 | return m_OpenSocket;
91 | }
92 | }
93 |
94 |
95 | public enum eConnectionStage
96 | {
97 | None,
98 | Connecting,
99 | ConnectingToGateway,
100 | ConnectingToHost,
101 | Negotiating,
102 | Securing,
103 | Authenticating,
104 | Establishing,
105 | Login,
106 | Reconnecting,
107 | SecureAndLogin
108 | }
109 |
110 | }
111 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Cryptography/RC4.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace SharpRDPCheck
4 | {
5 | internal class RC4
6 | {
7 | public static readonly int DECRYPT = 2;
8 | public static readonly int ENCRYPT = 1;
9 | private int[] sBox = new int[0x100];
10 | public static readonly int UNINITIALIZED = 0;
11 | private int state;
12 | private int x;
13 | private int y;
14 |
15 | public byte[] crypt(byte[] data)
16 | {
17 | byte[] outData = new byte[data.Length];
18 | this.engineUpdate(data, 0, data.Length, outData, 0);
19 | return outData;
20 | }
21 |
22 | public byte[] crypt(byte[] data, int position, int length)
23 | {
24 | byte[] outData = new byte[length];
25 | this.engineUpdate(data, position, length, outData, 0);
26 | return outData;
27 | }
28 |
29 | public void engineInitDecrypt(byte[] key)
30 | {
31 | this.makeKey(key);
32 | this.state = ENCRYPT;
33 | }
34 |
35 | public void engineInitEncrypt(byte[] key)
36 | {
37 | this.makeKey(key);
38 | this.state = ENCRYPT;
39 | }
40 |
41 | protected int engineUpdate(byte[] inData, int inOffset, int inLen, byte[] outData, int outOffset)
42 | {
43 | if (inLen < 0)
44 | {
45 | throw new RDFatalException("inLen < 0");
46 |
47 | }
48 | this.getState();
49 | int eNCRYPT = ENCRYPT;
50 | if ((inData == outData) && (((outOffset >= inOffset) && (outOffset < (inOffset + inLen))) || ((inOffset >= outOffset) && (inOffset < (outOffset + inLen)))))
51 | {
52 | byte[] destinationArray = new byte[inLen];
53 | Array.Copy(inData, inOffset, destinationArray, 0, inLen);
54 | inData = destinationArray;
55 | inOffset = 0;
56 | }
57 | this.rc4(inData, inOffset, inLen, outData, outOffset);
58 | return inLen;
59 | }
60 |
61 | public int getState()
62 | {
63 | return this.state;
64 | }
65 |
66 | private void makeKey(byte[] userkey)
67 | {
68 | if (userkey == null)
69 | {
70 | throw new RDFatalException("Null key for RC4");
71 | }
72 |
73 | int length = userkey.Length;
74 |
75 | if (length == 0)
76 | {
77 | throw new RDFatalException("Zero key length in RC4");
78 | }
79 |
80 | this.x = this.y = 0;
81 |
82 | for (int i = 0; i < 0x100; i++)
83 | {
84 | this.sBox[i] = i;
85 | }
86 |
87 | int index = 0;
88 | int num4 = 0;
89 |
90 | for (int j = 0; j < 0x100; j++)
91 | {
92 | num4 = (((userkey[index] & 0xff) + this.sBox[j]) + num4) & 0xff;
93 | int num6 = this.sBox[j];
94 | this.sBox[j] = this.sBox[num4];
95 | this.sBox[num4] = num6;
96 | index = (index + 1) % length;
97 | }
98 | }
99 |
100 | private void rc4(byte[] inData, int inOffset, int inLen, byte[] outData, int outOffset)
101 | {
102 | for (int i = 0; i < inLen; i++)
103 | {
104 | this.x = (this.x + 1) & 0xff;
105 | this.y = (this.sBox[this.x] + this.y) & 0xff;
106 | int num2 = this.sBox[this.x];
107 | this.sBox[this.x] = this.sBox[this.y];
108 | this.sBox[this.y] = num2;
109 | int index = (this.sBox[this.x] + this.sBox[this.y]) & 0xff;
110 | outData[outOffset++] = (byte) (inData[inOffset++] ^ this.sBox[index]);
111 | }
112 | }
113 |
114 | }
115 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpInfo.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {F6AC33BD-28FC-4EDE-B394-D5139A890F50}
8 | Exe
9 | Properties
10 | RdpInfo
11 | RdpInfo
12 | v2.0
13 | 512
14 | true
15 |
16 |
17 |
18 | AnyCPU
19 | true
20 | full
21 | false
22 | bin\Debug\
23 | DEBUG;TRACE
24 | prompt
25 | 4
26 |
27 |
28 | AnyCPU
29 | pdbonly
30 | true
31 | bin\Release\
32 | TRACE
33 | prompt
34 | 4
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
81 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Protocol/Network/PacketLogger.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Text;
5 | using System.Threading;
6 |
7 | namespace SharpRDPCheck
8 | {
9 | internal class PacketLogger : IDisposable
10 | {
11 | private Dictionary m_Blobs = new Dictionary();
12 | private BinaryReader m_ReadStream;
13 | private Dictionary> m_ReceivedPackets = new Dictionary>();
14 | private Dictionary m_Sockets = new Dictionary();
15 | private Dictionary m_SocketsDelay = new Dictionary();
16 | private Dictionary m_SocketsLastReceivedTick = new Dictionary();
17 | private BinaryWriter m_WriteStream;
18 |
19 | public void Dispose()
20 | {
21 | if (this.m_WriteStream != null)
22 | {
23 | this.m_WriteStream.Close();
24 | //this.m_WriteStream.Dispose();
25 | this.m_WriteStream = null;
26 | }
27 | if (this.m_ReadStream != null)
28 | {
29 | this.m_ReadStream.Close();
30 | //this.m_ReadStream.Dispose();
31 | this.m_ReadStream = null;
32 | }
33 | }
34 |
35 | public void AddBlob(PacketType type, byte[] data, string socket)
36 | {
37 | if (!this.m_Blobs.ContainsKey(this.BuildBlobId(type, socket)))
38 | {
39 | this.m_Blobs.Add(this.BuildBlobId(type, socket), new PacketBlob(data, type));
40 | }
41 | }
42 |
43 |
44 |
45 | private int BuildBlobId(PacketType type, string socket)
46 | {
47 | byte num;
48 | if (!this.m_Sockets.TryGetValue(socket, out num))
49 | {
50 | if (this.Reading)
51 | {
52 | throw new Exception("Unknown socket - " + socket);
53 | }
54 | num = (byte) (this.m_Sockets.Count + 1);
55 | this.m_Sockets.Add(socket, num);
56 | byte[] bytes = ASCIIEncoding.GetBytes(socket);
57 | }
58 | return (((int) type) | (num << 0x10));
59 | }
60 |
61 | public byte[] GetBlob(PacketType type, string socket)
62 | {
63 | PacketBlob blob;
64 | if (this.m_Blobs.TryGetValue(this.BuildBlobId(type, socket), out blob))
65 | {
66 | return blob.Data;
67 | }
68 | return null;
69 | }
70 |
71 | public byte[] GetSSLPublicKey(string socket)
72 | {
73 | PacketBlob blob;
74 | if (this.m_Blobs.TryGetValue(this.BuildBlobId(PacketType.PublicKey, socket), out blob))
75 | {
76 | return blob.Data;
77 | }
78 | return null;
79 | }
80 |
81 | public void SSLPublicKey(byte[] data, string socket)
82 | {
83 | if (this.GetSSLPublicKey(socket) == null)
84 | {
85 | this.m_Blobs.Add(this.BuildBlobId(PacketType.PublicKey, socket), new PacketBlob(data, PacketType.PublicKey));
86 | }
87 | }
88 |
89 | public bool Reading
90 | {
91 | get
92 | {
93 | return (this.m_ReadStream != null);
94 | }
95 | }
96 |
97 | private class PacketBlob
98 | {
99 | private byte[] m_Data;
100 | private PacketLogger.PacketType m_Type;
101 |
102 | public PacketBlob(byte[] data, PacketLogger.PacketType type)
103 | {
104 | this.m_Data = data;
105 | this.m_Type = type;
106 | }
107 |
108 | public byte[] Data
109 | {
110 | get
111 | {
112 | return this.m_Data;
113 | }
114 | }
115 |
116 | }
117 |
118 | public enum PacketType
119 | {
120 | BitmapCache = 7,
121 | ClientRandom = 8,
122 | Exception = 9,
123 | HostSettings = 6,
124 | None = -1,
125 | NTLM_ClientChallenge = 4,
126 | NTLM_ExportedSessionKey = 5,
127 | NTLM_KeyExchangeKey = 11,
128 | NTLM_ResponseKeyNT = 10,
129 | PublicKey = 3,
130 | Received = 1,
131 | Sent = 2,
132 | SocketName = 12
133 | }
134 |
135 | private class ReceivedPacket
136 | {
137 | private byte[] m_Data;
138 | private uint m_Ticks;
139 |
140 | public ReceivedPacket(byte[] data, uint ticks)
141 | {
142 | this.m_Data = data;
143 | this.m_Ticks = ticks;
144 | }
145 |
146 | public byte[] Data
147 | {
148 | get
149 | {
150 | return this.m_Data;
151 | }
152 | }
153 |
154 | public uint Ticks
155 | {
156 | get
157 | {
158 | return this.m_Ticks;
159 | }
160 | }
161 | }
162 |
163 | }
164 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Protocol/Negotiation/RdpPacket.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Text;
4 |
5 | namespace SharpRDPCheck
6 | {
7 | internal class RdpPacket : MemoryStream
8 | {
9 | public const byte DATA_TRANSFER = 240;
10 | public const byte DISCONNECT_REQUEST = 0x80;
11 | public const byte EOT = 0x80;
12 | public const byte FAST_PATH_OUTPUT = 0xff;
13 | public const byte FAST_PATH_OUTPUT_ENCRYPTED = 0xfe;
14 | private byte[] m_Buffer;
15 | private NetworkSocket m_Socket;
16 |
17 | public RdpPacket()
18 | {
19 | }
20 |
21 | public RdpPacket(NetworkSocket Socket, byte[] buffer)
22 | {
23 | this.m_Socket = Socket;
24 | this.m_Buffer = buffer;
25 | }
26 |
27 |
28 | public void copyToByteArray(RdpPacket packet)
29 | {
30 | byte[] buffer = new byte[packet.Length];
31 | packet.Position = 0L;
32 | packet.Read(buffer, 0, (int) packet.Length);
33 | this.Write(buffer, 0, buffer.Length);
34 | }
35 |
36 | public void InsertByte(byte value)
37 | {
38 | long position = this.Position;
39 | this.Seek(0L, SeekOrigin.End);
40 | this.WriteByte(0);
41 | byte[] sourceArray = this.GetBuffer();
42 | Array.Copy(sourceArray, (int) position, sourceArray, ((int) position) + 1, (int) ((sourceArray.Length - position) - 1L));
43 | this.Position = position;
44 | this.WriteByte(value);
45 | }
46 |
47 | public override int Read(byte[] buffer, int offset, int count)
48 | {
49 | if ((this.Position + count) > this.Length)
50 | {
51 | this.ReadFromSocket(count);
52 | }
53 |
54 | return base.Read(buffer, offset, count);
55 | }
56 |
57 | public int ReadLittleEndian16()
58 | {
59 | byte[] buffer = new byte[2];
60 | this.Read(buffer, 0, 2);
61 | return BitConverter.ToInt16(buffer, 0);
62 | }
63 |
64 | public int ReadLittleEndian32()
65 | {
66 | byte[] buffer = new byte[4];
67 | this.Read(buffer, 0, 4);
68 | return BitConverter.ToInt32(buffer, 0);
69 | }
70 |
71 |
72 | public int ReadBigEndian16()
73 | {
74 | byte[] buffer = new byte[2];
75 | this.Read(buffer, 0, 2);
76 | return BitConverter.ToInt16(this.Reverse(buffer), 0);
77 | }
78 |
79 |
80 | public override int ReadByte()
81 | {
82 | if (this.Position >= this.Length)
83 | {
84 | this.ReadFromSocket(1);
85 | }
86 | return base.ReadByte();
87 | }
88 |
89 | private void ReadFromSocket(int lengthRequired)
90 | {
91 | if (this.m_Socket == null)
92 | {
93 | throw new IOException("RdpPacket - Overrun!");
94 | }
95 | int count = this.m_Socket.Receive(this.m_Buffer, this.m_Buffer.Length);
96 | if (count <= 0)
97 | {
98 | throw new IOException("RdpPacket - Overrun!");
99 | }
100 | lengthRequired -= count;
101 | if (lengthRequired > 0)
102 | {
103 | throw new IOException("RdpPacket - Overrun!");
104 | }
105 | long position = this.Position;
106 | this.Write(this.m_Buffer, 0, count);
107 | this.Position = position;
108 | }
109 |
110 | public string ReadString(int Length)
111 | {
112 | byte[] buffer = new byte[Length];
113 | this.Read(buffer, 0, Length);
114 | return ASCIIEncoding.GetString(buffer, 0, Length);
115 | }
116 |
117 |
118 | private byte[] Reverse(byte[] data)
119 | {
120 | Array.Reverse(data);
121 | return data;
122 | }
123 |
124 | public void WriteBigEndian16(short Value)
125 | {
126 | base.Write(this.Reverse(BitConverter.GetBytes(Value)), 0, 2);
127 | }
128 |
129 |
130 | override public void WriteByte(byte value)
131 | {
132 | base.WriteByte(value);
133 | }
134 |
135 | public void WriteLittleEndian16(short Value)
136 | {
137 | base.Write(BitConverter.GetBytes(Value), 0, 2);
138 | }
139 |
140 | public void WriteLittleEndian16(ushort Value)
141 | {
142 | base.Write(BitConverter.GetBytes(Value), 0, 2);
143 | }
144 |
145 | public void WriteLittleEndian32(int value)
146 | {
147 | base.Write(BitConverter.GetBytes(value), 0, 4);
148 | }
149 |
150 | public void WriteLittleEndian32(uint value)
151 | {
152 | base.Write(BitConverter.GetBytes(value), 0, 4);
153 | }
154 |
155 | public void WritePadding(int bytes)
156 | {
157 | for (int i = 0; i < bytes; i++)
158 | {
159 | this.WriteByte(0);
160 | }
161 | }
162 |
163 | public void WriteString(string sString, bool bQuiet)
164 | {
165 | byte[] bytes = ASCIIEncoding.GetBytes(sString, bQuiet);
166 | this.Write(bytes, 0, bytes.Length);
167 | }
168 |
169 | }
170 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 |
4 | namespace SharpRDPCheck
5 | {
6 | class Program
7 | {
8 | static void Main(string[] args)
9 | {
10 |
11 | try
12 | {
13 | Options.Host = args[0];
14 | Options.Port = Convert.ToInt32(args[1]);
15 | Network.Connect(Options.Host, Options.Port);
16 | NTLMInfo ntlminfo = new NTLMInfo();
17 | ntlminfo = GetNTLMInfo(MCS.RDPNTLMSSPNegotiate(null, false), ntlminfo);
18 | Console.WriteLine($@"target {Options.Host} RDPInfo: Windows Version {ntlminfo.OsVersion} Build {ntlminfo.OsBuildNumber}, Domain Name {ntlminfo.NbtDoaminName}, Computer Name {ntlminfo.NbtComputer}, Dns Suffix {ntlminfo.DnsDomainName}, Dns Computer Name {ntlminfo.DnsDomainName}, TimeStamp {ntlminfo.TimeStamp}");
19 | }
20 | catch (Exception exception)
21 | {
22 | Console.WriteLine($@"target {Options.Host} RDPInfo Error: " + exception.Message);
23 | }
24 |
25 | }
26 |
27 |
28 | public class NTLMInfo
29 | {
30 | public string NativeOs { get; set; }
31 | public string NativeLanManager { get; set; }
32 | public string NbtDoaminName { get; set; }
33 | public string NbtComputer { get; set; }
34 | public string DomainName { get; set; }
35 | public short OsBuildNumber { get; set; }
36 |
37 | public string OsVersion { get; set; }
38 | public string DnsComputerName { get; set; }
39 | public string DnsDomainName { get; set; }
40 | public string DNSTreeName { get; set; }
41 | public DateTime TimeStamp { get; set; }
42 | public bool SMBsigning { get; set; }
43 | }
44 |
45 | public static NTLMInfo GetNTLMInfo(byte[] buf, NTLMInfo ntlminfo)
46 | {
47 | string NTLMSSP_Negotiate = BitConverter.ToString(buf).Replace("-", "");
48 | int off;
49 | off = NTLMSSP_Negotiate.IndexOf("4E544C4D53535000") / 2;
50 | int NTLMSSP_Negotiate_Len = (NTLMSSP_Negotiate.Length - NTLMSSP_Negotiate.IndexOf("4E544C4D53535000")) / 2;
51 | byte[] ntlm = new byte[NTLMSSP_Negotiate_Len];
52 | Array.Copy(buf, off, ntlm, 0, NTLMSSP_Negotiate_Len);
53 |
54 | NTLMSSP_Negotiate_Len = BitConverter.ToInt16(ntlm, 0xc);
55 | off = BitConverter.ToInt16(ntlm, 0x10);
56 | ntlminfo.OsBuildNumber = BitConverter.ToInt16(ntlm, off - 6);
57 | ntlminfo.OsVersion = $@"{ntlm[off - 8]}.{ntlm[off - 7]}";
58 |
59 | off += NTLMSSP_Negotiate_Len;
60 | int type = BitConverter.ToInt16(ntlm, off);
61 |
62 | while (type != 0)
63 | {
64 | off += 2;
65 | NTLMSSP_Negotiate_Len = BitConverter.ToInt16(ntlm, off);
66 | off += 2;
67 | switch (type)
68 | {
69 | case 1:
70 | {
71 | ntlminfo.NbtComputer = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
72 | //Console.WriteLine("NetBIOS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
73 | break;
74 | }
75 | case 2:
76 | {
77 | ntlminfo.NbtDoaminName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
78 | //Console.WriteLine("NetBIOS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
79 | break;
80 | }
81 | case 3:
82 | {
83 | ntlminfo.DnsComputerName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
84 | //Console.WriteLine("DNS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
85 | break;
86 | }
87 | case 4:
88 | {
89 | ntlminfo.DnsDomainName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
90 | //Console.WriteLine("DNS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
91 | break;
92 | }
93 | case 5:
94 | {
95 | ntlminfo.DNSTreeName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
96 | //Console.WriteLine("DNS tree name: " + Encoding.Unicode.GetString(ntlm, off, len));
97 | break;
98 | }
99 | case 7:
100 | {
101 | ntlminfo.TimeStamp = DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off));
102 | //Console.WriteLine("time stamp: {0:o}", DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off)));
103 | break;
104 | }
105 | default:
106 | {
107 | //Console.Write("Unknown type {0}, data: ", type);
108 | for (int i = 0; i < NTLMSSP_Negotiate_Len; i++)
109 | {
110 | Console.Write(ntlm[i + off].ToString("X2"));
111 | }
112 | Console.WriteLine();
113 | break;
114 | }
115 | }
116 | off += NTLMSSP_Negotiate_Len;
117 | type = BitConverter.ToInt16(ntlm, off);
118 | }
119 |
120 | return ntlminfo;
121 | }
122 | }
123 | }
124 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Protocol/Network/NetworkSocket.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Net;
4 | using System.Net.Sockets;
5 | using System.Net.Security;
6 | using System.Security.Authentication;
7 | using System.Net;
8 |
9 | using System.Security.Cryptography.X509Certificates;
10 |
11 |
12 | #region # SecurityProtocolTypeExtensions / SslProtocolsExtensions
13 | namespace System.Security.Authentication
14 | {
15 | public static class SslProtocolsExtensions
16 | {
17 | public const SslProtocols Tls12 = (SslProtocols)0x00000C00;
18 | public const SslProtocols Tls11 = (SslProtocols)0x00000300;
19 | }
20 | }
21 | //namespace System.Net
22 | //{
23 | // using System.Security.Authentication;
24 | // public static class SecurityProtocolTypeExtensions
25 | // {
26 | // public const SecurityProtocolType Tls12 = (SecurityProtocolType)SslProtocolsExtensions.Tls12;
27 | // public const SecurityProtocolType Tls11 = (SecurityProtocolType)SslProtocolsExtensions.Tls11;
28 | // public const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;
29 | // }
30 | //}
31 | #endregion
32 |
33 |
34 | namespace SharpRDPCheck
35 | {
36 | internal class NetworkSocket
37 | {
38 |
39 | private TcpClient tcpClient;
40 | private NetworkStream networkStream;
41 | private SslStream sslStream;
42 | private string m_sSocketName;
43 | private byte[] m_SSLPublicKey;
44 | private object lockObj = new object();
45 |
46 |
47 | public NetworkSocket(string sSocketName)
48 | {
49 | this.m_sSocketName = sSocketName;
50 | }
51 |
52 | public void Connect(string host, int port)
53 | {
54 |
55 | // TcpClient
56 | tcpClient = new TcpClient();
57 | tcpClient.SendTimeout = Options.SocketTimeout;
58 | tcpClient.ReceiveTimeout = Options.SocketTimeout;
59 | tcpClient.Connect(IPAddress.Parse(host), port);
60 |
61 | // NetworkStream
62 | networkStream = tcpClient.GetStream();
63 | networkStream.WriteTimeout = Options.SocketTimeout;
64 | networkStream.ReadTimeout = Options.SocketTimeout;
65 | }
66 |
67 | public void DisConnect()
68 | {
69 | // TcpClient
70 | tcpClient.Client.Shutdown(SocketShutdown.Both);
71 | //tcpClient.GetStream().Close();
72 | tcpClient.Close();
73 | tcpClient = null;
74 |
75 | // NetworkStream
76 | //networkStream.Close();
77 | //networkStream.
78 |
79 | //sslStream
80 | //sslStream.c
81 | //sslStream.Close();
82 | //sslStream.edn
83 | }
84 |
85 |
86 | public void ConnectSSL()
87 | {
88 |
89 | //ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls12;
90 | sslStream = new SslStream(networkStream, false, new RemoteCertificateValidationCallback(ValidateServerCertificate));
91 | sslStream.WriteTimeout = Options.SocketTimeout;
92 | sslStream.ReadTimeout = Options.SocketTimeout;
93 | //hostname, null, SslProtocols.Tls12, true
94 | //sslStream.AuthenticateAsClient(Options.Host);
95 | sslStream.AuthenticateAsClient(Options.Host, null, SslProtocolsExtensions.Tls12| SslProtocols.Default, true);
96 | }
97 |
98 |
99 | private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
100 | {
101 |
102 | m_SSLPublicKey = certificate.GetPublicKey();
103 |
104 | if (Network.Logger == null)
105 | Network.Logger = new PacketLogger();
106 |
107 | Network.Logger.SSLPublicKey(m_SSLPublicKey, m_sSocketName);
108 |
109 | return true;
110 | }
111 |
112 |
113 | public void AddBlob(PacketLogger.PacketType type, byte[] data)
114 | {
115 | if (Network.Logger == null)
116 | Network.Logger = new PacketLogger();
117 |
118 | Network.Logger.AddBlob(type, data, m_sSocketName);
119 | }
120 |
121 | public byte[] GetBlob(PacketLogger.PacketType type)
122 | {
123 | return Network.Logger.GetBlob(type, m_sSocketName);
124 | }
125 |
126 | public byte[] GetSSLPublicKey()
127 | {
128 | return m_SSLPublicKey;
129 | }
130 |
131 | protected int InternalReceive(byte[] buffer, int offset, int size)
132 | {
133 | return networkStream.Read(buffer, offset, size);
134 | }
135 |
136 | protected int InternalSend(byte[] buffer, int offset, int size)
137 | {
138 | networkStream.Write(buffer, offset, size);
139 | return buffer.Length;
140 | }
141 |
142 | public int Receive(byte[] buffer, int size)
143 | {
144 | return Receive(buffer, 0, size);
145 | }
146 |
147 | public int Receive(byte[] buffer, int offset, int size)
148 | {
149 |
150 | int len = -1;
151 | if (sslStream != null)
152 | {
153 | len = sslStream.Read(buffer, offset, size);
154 | }
155 | else if (networkStream != null || len == -1)
156 | {
157 | len = InternalReceive(buffer, offset, size);
158 | }
159 | return len;
160 | }
161 |
162 | public int Send(byte[] buffer)
163 | {
164 | lock (lockObj)
165 | {
166 | if (sslStream != null)
167 | {
168 | sslStream.Write(buffer, 0, buffer.Length);
169 | sslStream.Flush();
170 | return buffer.Length;
171 | }
172 | }
173 | return InternalSend(buffer, 0, buffer.Length);
174 | }
175 |
176 |
177 | }
178 | }
--------------------------------------------------------------------------------
/WmiInfo/WmiInfo/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Net;
4 | using System.Net.Sockets;
5 | using System.Text;
6 | using System.Threading.Tasks;
7 |
8 | namespace WmiInfo
9 | {
10 | class Program
11 | {
12 | static void Main(string[] args)
13 | {
14 | string host = args[0];
15 | byte[] WMI_Client_Receive = new byte[2048];
16 | //Socket WMI_Client = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
17 | try
18 | {
19 | var WMI_Client = new TcpClient();
20 | IAsyncResult result = WMI_Client.BeginConnect(host, 135, null, null);
21 | bool success = result.AsyncWaitHandle.WaitOne(5000, true);
22 | if (!WMI_Client.Connected)
23 | {
24 | Console.WriteLine($@"target {host} WmiInfo can't connect!");
25 | return;
26 | }
27 | NetworkStream WMI_Client_Stream = WMI_Client.GetStream();
28 | WMI_Client_Receive = SendStream(WMI_Client_Stream, new byte[] { 5, 0, 11, 3, 16, 0, 0, 0, 120, 0, 40, 0, 3, 0, 0, 0, 184, 16, 184, 16, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 160, 1, 0, 0, 0, 0, 0, 0, 192, 0, 0, 0, 0, 0, 0, 70, 0, 0, 0, 0, 4, 93, 136, 138, 235, 28, 201, 17, 159, 232, 8, 0, 43, 16, 72, 96, 2, 0, 0, 0, 10, 2, 0, 0, 0, 0, 0, 0, 78, 84, 76, 77, 83, 83, 80, 0, 1, 0, 0, 0, 7, 130, 8, 162, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 1, 177, 29, 0, 0, 0, 15 });
29 | NTLMInfo ntlminfo = new NTLMInfo();
30 | ntlminfo = GetNTLMInfo(WMI_Client_Receive, ntlminfo);
31 | Console.Write($@"target {host} WMIInfo: Windows Version {ntlminfo.OsVersion} Build {ntlminfo.OsBuildNumber}, Domain Name {ntlminfo.NbtDoaminName}, Computer Name {ntlminfo.NbtComputer}, Dns Suffix {ntlminfo.DnsDomainName}, Dns Computer Name {ntlminfo.DnsDomainName}, TimeStamp {ntlminfo.TimeStamp}");
32 | WMI_Client.Close();
33 | WMI_Client_Stream.Close();
34 | }
35 | catch (Exception ex)
36 | {
37 | Console.WriteLine($@"target {host} WMIinfo Error:{ex.Message}");
38 | }
39 | }
40 |
41 | public static byte[] SendStream(NetworkStream stream, byte[] BytesToSend)
42 | {
43 | byte[] BytesReceived = new byte[2048];
44 | stream.Write(BytesToSend, 0, BytesToSend.Length);
45 | stream.Flush();
46 | stream.Read(BytesReceived, 0, BytesReceived.Length);
47 | return BytesReceived;
48 | }
49 |
50 | public class NTLMInfo
51 | {
52 | public string NativeOs { get; set; }
53 | public string NativeLanManager { get; set; }
54 | public string NbtDoaminName { get; set; }
55 | public string NbtComputer { get; set; }
56 | public string DomainName { get; set; }
57 | public short OsBuildNumber { get; set; }
58 |
59 | public string OsVersion { get; set; }
60 | public string DnsComputerName { get; set; }
61 | public string DnsDomainName { get; set; }
62 | public string DNSTreeName { get; set; }
63 | public DateTime TimeStamp { get; set; }
64 | public bool SMBsigning { get; set; }
65 | }
66 |
67 | public static NTLMInfo GetNTLMInfo(byte[] buf, NTLMInfo ntlminfo)
68 | {
69 | string NTLMSSP_Negotiate = BitConverter.ToString(buf).Replace("-", "");
70 | int off;
71 | off = NTLMSSP_Negotiate.IndexOf("4E544C4D53535000") / 2;
72 | int NTLMSSP_Negotiate_Len = (NTLMSSP_Negotiate.Length - NTLMSSP_Negotiate.IndexOf("4E544C4D53535000")) / 2;
73 | byte[] ntlm = new byte[NTLMSSP_Negotiate_Len];
74 | Array.Copy(buf, off, ntlm, 0, NTLMSSP_Negotiate_Len);
75 |
76 | NTLMSSP_Negotiate_Len = BitConverter.ToInt16(ntlm, 0xc);
77 | off = BitConverter.ToInt16(ntlm, 0x10);
78 | ntlminfo.OsBuildNumber = BitConverter.ToInt16(ntlm, off - 6);
79 | ntlminfo.OsVersion = $@"{ntlm[off - 8]}.{ntlm[off - 7]}";
80 |
81 | off += NTLMSSP_Negotiate_Len;
82 | int type = BitConverter.ToInt16(ntlm, off);
83 |
84 | while (type != 0)
85 | {
86 | off += 2;
87 | NTLMSSP_Negotiate_Len = BitConverter.ToInt16(ntlm, off);
88 | off += 2;
89 | switch (type)
90 | {
91 | case 1:
92 | {
93 | ntlminfo.NbtComputer = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
94 | //Console.WriteLine("NetBIOS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
95 | break;
96 | }
97 | case 2:
98 | {
99 | ntlminfo.NbtDoaminName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
100 | //Console.WriteLine("NetBIOS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
101 | break;
102 | }
103 | case 3:
104 | {
105 | ntlminfo.DnsComputerName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
106 | //Console.WriteLine("DNS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
107 | break;
108 | }
109 | case 4:
110 | {
111 | ntlminfo.DnsDomainName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
112 | //Console.WriteLine("DNS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
113 | break;
114 | }
115 | case 5:
116 | {
117 | ntlminfo.DNSTreeName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
118 | //Console.WriteLine("DNS tree name: " + Encoding.Unicode.GetString(ntlm, off, len));
119 | break;
120 | }
121 | case 7:
122 | {
123 | ntlminfo.TimeStamp = DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off));
124 | //Console.WriteLine("time stamp: {0:o}", DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off)));
125 | break;
126 | }
127 | default:
128 | {
129 | //Console.Write("Unknown type {0}, data: ", type);
130 | for (int i = 0; i < NTLMSSP_Negotiate_Len; i++)
131 | {
132 | Console.Write(ntlm[i + off].ToString("X2"));
133 | }
134 | Console.WriteLine();
135 | break;
136 | }
137 | }
138 | off += NTLMSSP_Negotiate_Len;
139 | type = BitConverter.ToInt16(ntlm, off);
140 | }
141 |
142 | return ntlminfo;
143 | }
144 | }
145 |
146 | }
147 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Protocol/Negotiation/MCS.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Diagnostics;
4 |
5 | namespace SharpRDPCheck
6 | {
7 | internal class MCS
8 | {
9 | internal static readonly int DPUM = 8;
10 | internal static readonly int SDIN = 0x1a;
11 | internal static readonly int SDRQ = 0x19;
12 | internal static readonly int MCS_USERCHANNEL_BASE = 0x3e9; // 1001
13 | internal static readonly int MSC_GLOBAL_CHANNEL = 0x3eb; // 1003
14 | internal static List serverSupportedChannels = new List();
15 |
16 | internal static byte[] RDPNTLMSSPNegotiate(byte[] loadBalanceToken, bool bAutoReconnect)
17 | {
18 | int num;
19 | Network.ConnectionStage = Network.eConnectionStage.Negotiating;
20 |
21 |
22 | // Client X.224 Connection Request PDU
23 |
24 | sendConnectNegotiation(
25 | NegotiationProtocol.PROTOCOL_RDP |
26 | NegotiationProtocol.PROTOCOL_SSL |
27 | NegotiationProtocol.PROTOCOL_HYBRID,
28 | loadBalanceToken);
29 |
30 | // Server X.224 Connection Confirm PDU
31 | num = receiveConnectNegotiation();
32 |
33 |
34 | if (((num & 1) != 0) || ((num & 2) != 0))
35 | {
36 | Network.ConnectionStage = Network.eConnectionStage.Securing;
37 | Network.ConnectSSL();
38 | }
39 |
40 | Network.ConnectionStage = Network.eConnectionStage.Authenticating;
41 | try
42 | {
43 |
44 |
45 | return CredSSP.GetRDPNTLMSSPNegotiate();
46 |
47 |
48 | //CredSSP.Negotiate(Network.GetSSLPublicKey());
49 | }
50 | catch (Exception exception)
51 | {
52 | Console.WriteLine($@"target {Options.Host} RDP Auth Fail: {exception.Message}");
53 | throw;
54 | }
55 |
56 | }
57 |
58 |
59 | ///
60 | /// Client X.224 Connection Request PDU
61 | ///
62 | private static void sendConnectNegotiation(NegotiationProtocol NegotiationFlags, byte[] loadBalanceToken)
63 | {
64 | string domainAndUsername = Options.DomainAndUsername;
65 |
66 | if (domainAndUsername.Length > 9)
67 | {
68 | domainAndUsername = domainAndUsername.Substring(0, 9);
69 | }
70 |
71 | RdpPacket packet = new RdpPacket();
72 | packet.WriteByte(3);
73 | packet.WriteByte(0);
74 | long position = packet.Position;
75 | packet.WriteBigEndian16((short)0);
76 | packet.WriteByte(0);
77 | packet.WriteByte(0xe0);
78 | packet.WriteBigEndian16((short)0);
79 | packet.WriteBigEndian16((short)0);
80 | packet.WriteByte(0);
81 |
82 | if (loadBalanceToken != null)
83 | {
84 | packet.Write(loadBalanceToken, 0, loadBalanceToken.Length);
85 | packet.WriteString("\r\n", false);
86 | }
87 | else
88 | {
89 | packet.WriteString("Cookie: mstshash=" + domainAndUsername + "\r\n", true);
90 | }
91 |
92 | // RDP Negotiation Request
93 | packet.WriteByte(0x01);
94 | packet.WriteByte(0);
95 | packet.WriteLittleEndian16((short)8);
96 | packet.WriteLittleEndian32((int)NegotiationFlags); // Standard RDP Security, TLS 1.0, CredSSP
97 |
98 | long num2 = packet.Position;
99 | packet.Position = position;
100 | packet.WriteBigEndian16((short)num2);
101 | packet.WriteByte((byte)(num2 - 5L));
102 |
103 | IsoLayer.Write(packet);
104 | }
105 |
106 | ///
107 | /// Server X.224 Connection Confirm PDU
108 | ///
109 | private static int receiveConnectNegotiation()
110 | {
111 | RdpPacket packet = ISO.Receive();
112 | packet.Position += 7L;
113 |
114 | if (packet.Position >= packet.Length)
115 | {
116 | return 0;
117 | }
118 |
119 | switch (packet.ReadByte())
120 | {
121 | // TYPE_RDP_NEG_RSP
122 | case 0x02:
123 | Options.serverNegotiateFlags = (NegotiationFlags)packet.ReadByte();
124 | packet.ReadLittleEndian16();
125 | return packet.ReadLittleEndian32();
126 |
127 | // TYPE_RDP_NEG_FAILURE
128 | case 0x03:
129 | packet.ReadByte();
130 | packet.ReadLittleEndian16();
131 |
132 | switch ((NegotiationFailureCodes)packet.ReadLittleEndian32())
133 | {
134 | case NegotiationFailureCodes.SSL_REQUIRED_BY_SERVER:
135 | throw new RDFatalException("The server requires that the client support Enhanced RDP Security with TLS 1.0");
136 |
137 | case NegotiationFailureCodes.SSL_NOT_ALLOWED_BY_SERVER:
138 | return 0x10000000;
139 |
140 | case NegotiationFailureCodes.SSL_CERT_NOT_ON_SERVER:
141 | throw new RDFatalException("The server does not possess a valid authentication certificate and cannot initialize the External Security Protocol Provider");
142 |
143 | case NegotiationFailureCodes.INCONSISTENT_FLAGS:
144 | throw new RDFatalException("The list of requested security protocols is not consistent with the current security protocol in effect.");
145 |
146 | case NegotiationFailureCodes.HYBRID_REQUIRED_BY_SERVER:
147 | throw new RDFatalException("The server requires that the client support Enhanced RDP Security with CredSSP");
148 |
149 | case NegotiationFailureCodes.SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER:
150 | throw new RDFatalException("The server requires that the client support Enhanced RDP Security and certificate-based client authentication");
151 | }
152 |
153 | throw new RDFatalException("Unknown Negotiation failure!");
154 | }
155 |
156 | throw new RDFatalException("Negotiation failed, requested security level not supported by server.");
157 | }
158 |
159 | [Flags]
160 | private enum NegotiationProtocol
161 | {
162 | PROTOCOL_RDP = 0x00000000,
163 | PROTOCOL_SSL = 0x00000001,
164 | PROTOCOL_HYBRID = 0x00000002
165 | }
166 |
167 | [Flags]
168 | internal enum NegotiationFlags
169 | {
170 | EXTENDED_CLIENT_DATA_SUPPORTED = 0x01,
171 | DYNVC_GFX_PROTOCOL_SUPPORTED = 0x02,
172 | NEGRSP_FLAG_RESERVED = 0x04,
173 | RESTRICTED_ADMIN_MODE_SUPPORTED = 0x08
174 | }
175 |
176 | [Flags]
177 | private enum NegotiationFailureCodes
178 | {
179 | SSL_REQUIRED_BY_SERVER = 0x00000001,
180 | SSL_NOT_ALLOWED_BY_SERVER = 0x00000002,
181 | SSL_CERT_NOT_ON_SERVER = 0x00000003,
182 | INCONSISTENT_FLAGS = 0x00000004,
183 | HYBRID_REQUIRED_BY_SERVER = 0x00000005,
184 | SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER = 0x00000006
185 | }
186 | }
187 | }
--------------------------------------------------------------------------------
/WinRmInfo/WinRmInfo/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 | using System.IO;
5 | using System.Net;
6 |
7 | namespace ConsoleApp1
8 | {
9 | class Program
10 | {
11 | static void Main(string[] args)
12 | {
13 | string target = args[0];
14 | try
15 | {
16 | Uri ourUri = new Uri($@"http://{target}:5985/wsman");
17 | // Creates an HttpWebRequest for the specified URL.
18 | HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(ourUri);
19 | myHttpWebRequest.Method = "POST";
20 | myHttpWebRequest.ContentLength = 0;
21 | myHttpWebRequest.KeepAlive = true;
22 | myHttpWebRequest.ContentType = "application/soap+xml;charset=UTF-8";
23 | myHttpWebRequest.UserAgent = "Microsoft WinRM Client";
24 | myHttpWebRequest.Headers.Add("Authorization", "Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==");
25 | HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();
26 | Console.WriteLine("\nThe server did not issue any challenge. Please try again with a protected resource URL.");
27 | // Releases the resources of the response.
28 | myHttpWebResponse.Close();
29 | }
30 | catch (WebException e)
31 | {
32 | HttpWebResponse response = (HttpWebResponse)e.Response;
33 | if (response != null)
34 | {
35 | if (response.StatusCode == HttpStatusCode.Unauthorized)
36 | {
37 | string challenge = null;
38 | challenge = response.GetResponseHeader("WWW-Authenticate");
39 | //if (challenge != null)
40 |
41 | NTLMInfo ntlminfo = GetNTLMInfo(Convert.FromBase64String(challenge.Split()[1]), new NTLMInfo());
42 | Console.WriteLine($@"target {target} WinRmInfo: Windows Version {ntlminfo.OsVersion} Build {ntlminfo.OsBuildNumber}, Domain Name {ntlminfo.NbtDoaminName}, Computer Name {ntlminfo.NbtComputer}, Dns Suffix {ntlminfo.DnsDomainName}, Dns Computer Name {ntlminfo.DnsDomainName}, TimeStamp {ntlminfo.TimeStamp}");
43 | }
44 | else
45 | {
46 | Console.WriteLine($@"target {target} WinRmInfo Error: The following WebException was raised : {0}", e.Message);
47 | }
48 | }
49 | else
50 | {
51 | Console.WriteLine($@"target {target} WinRmInfo Error: Response Received from server was null");
52 | }
53 | }
54 | catch (Exception e)
55 | {
56 | Console.WriteLine($@"target {target} WinRmInfo Error: The following Exception was raised : {0}", e.Message);
57 | }
58 | }
59 |
60 | public class NTLMInfo
61 | {
62 | public string NativeOs { get; set; }
63 | public string NativeLanManager { get; set; }
64 | public string NbtDoaminName { get; set; }
65 | public string NbtComputer { get; set; }
66 | public string DomainName { get; set; }
67 | public short OsBuildNumber { get; set; }
68 |
69 | public string OsVersion { get; set; }
70 | public string DnsComputerName { get; set; }
71 | public string DnsDomainName { get; set; }
72 | public string DNSTreeName { get; set; }
73 | public DateTime TimeStamp { get; set; }
74 | public bool SMBsigning { get; set; }
75 | }
76 |
77 | public static NTLMInfo GetNTLMInfo(byte[] buf, NTLMInfo ntlminfo)
78 | {
79 | string NTLMSSP_Negotiate = BitConverter.ToString(buf).Replace("-", "");
80 | int off;
81 | off = NTLMSSP_Negotiate.IndexOf("4E544C4D53535000") / 2;
82 | int NTLMSSP_Negotiate_Len = (NTLMSSP_Negotiate.Length - NTLMSSP_Negotiate.IndexOf("4E544C4D53535000")) / 2;
83 | byte[] ntlm = new byte[NTLMSSP_Negotiate_Len];
84 | Array.Copy(buf, off, ntlm, 0, NTLMSSP_Negotiate_Len);
85 |
86 | NTLMSSP_Negotiate_Len = BitConverter.ToInt16(ntlm, 0xc);
87 | off = BitConverter.ToInt16(ntlm, 0x10);
88 | ntlminfo.OsBuildNumber = BitConverter.ToInt16(ntlm, off - 6);
89 | ntlminfo.OsVersion = $@"{ntlm[off - 8]}.{ntlm[off - 7]}";
90 |
91 | off += NTLMSSP_Negotiate_Len;
92 | int type = BitConverter.ToInt16(ntlm, off);
93 |
94 | while (type != 0)
95 | {
96 | off += 2;
97 | NTLMSSP_Negotiate_Len = BitConverter.ToInt16(ntlm, off);
98 | off += 2;
99 | switch (type)
100 | {
101 | case 1:
102 | {
103 | ntlminfo.NbtComputer = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
104 | //Console.WriteLine("NetBIOS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
105 | break;
106 | }
107 | case 2:
108 | {
109 | ntlminfo.NbtDoaminName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
110 | //Console.WriteLine("NetBIOS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
111 | break;
112 | }
113 | case 3:
114 | {
115 | ntlminfo.DnsComputerName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
116 | //Console.WriteLine("DNS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
117 | break;
118 | }
119 | case 4:
120 | {
121 | ntlminfo.DnsDomainName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
122 | //Console.WriteLine("DNS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
123 | break;
124 | }
125 | case 5:
126 | {
127 | ntlminfo.DNSTreeName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
128 | //Console.WriteLine("DNS tree name: " + Encoding.Unicode.GetString(ntlm, off, len));
129 | break;
130 | }
131 | case 7:
132 | {
133 | ntlminfo.TimeStamp = DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off));
134 | //Console.WriteLine("time stamp: {0:o}", DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off)));
135 | break;
136 | }
137 | default:
138 | {
139 | //Console.Write("Unknown type {0}, data: ", type);
140 | for (int i = 0; i < NTLMSSP_Negotiate_Len; i++)
141 | {
142 | Console.Write(ntlm[i + off].ToString("X2"));
143 | }
144 | Console.WriteLine();
145 | break;
146 | }
147 | }
148 | off += NTLMSSP_Negotiate_Len;
149 | type = BitConverter.ToInt16(ntlm, off);
150 | }
151 |
152 | return ntlminfo;
153 | }
154 | }
155 | }
156 |
157 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Cryptography/MD4Managed.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Security.Cryptography;
3 |
4 | namespace SharpRDPCheck
5 | {
6 | internal class MD4Managed : HashAlgorithm
7 | {
8 | private byte[] buffer = new byte[0x40];
9 | private uint[] count = new uint[2];
10 | private byte[] digest = new byte[0x10];
11 | private const int S11 = 3;
12 | private const int S12 = 7;
13 | private const int S13 = 11;
14 | private const int S14 = 0x13;
15 | private const int S21 = 3;
16 | private const int S22 = 5;
17 | private const int S23 = 9;
18 | private const int S24 = 13;
19 | private const int S31 = 3;
20 | private const int S32 = 9;
21 | private const int S33 = 11;
22 | private const int S34 = 15;
23 | private uint[] state = new uint[4];
24 | private uint[] x = new uint[0x10];
25 |
26 | public MD4Managed()
27 | {
28 | this.Initialize();
29 | }
30 |
31 | protected override byte[] HashFinal()
32 | {
33 | byte[] output = new byte[8];
34 | this.Encode(output, this.count);
35 | uint num = (this.count[0] >> 3) & 0x3f;
36 | int cbSize = (num < 0x38) ? (0x38 - ((int)num)) : (120 - ((int)num));
37 | this.HashCore(this.Padding(cbSize), 0, cbSize);
38 | this.HashCore(output, 0, 8);
39 | this.Encode(this.digest, this.state);
40 | this.Initialize();
41 |
42 | return this.digest;
43 | }
44 |
45 | private void Decode(uint[] output, byte[] input, int index)
46 | {
47 | int num = 0;
48 |
49 | for (int i = index; num < output.Length; i += 4)
50 | {
51 | output[num] = (uint)(((input[i] | (input[i + 1] << 8)) | (input[i + 2] << 0x10)) | (input[i + 3] << 0x18));
52 | num++;
53 | }
54 | }
55 |
56 | private void Encode(byte[] output, uint[] input)
57 | {
58 | int index = 0;
59 |
60 | for (int i = 0; i < output.Length; i += 4)
61 | {
62 | output[i] = (byte)input[index];
63 | output[i + 1] = (byte)(input[index] >> 8);
64 | output[i + 2] = (byte)(input[index] >> 0x10);
65 | output[i + 3] = (byte)(input[index] >> 0x18);
66 | index++;
67 | }
68 | }
69 |
70 | private uint F(uint x, uint y, uint z)
71 | {
72 | return ((x & y) | (~x & z));
73 | }
74 |
75 | private void FF(ref uint a, uint b, uint c, uint d, uint x, byte s)
76 | {
77 | a += this.F(b, c, d) + x;
78 | a = this.ROL(a, s);
79 | }
80 |
81 | private uint G(uint x, uint y, uint z)
82 | {
83 | return (((x & y) | (x & z)) | (y & z));
84 | }
85 |
86 | private void GG(ref uint a, uint b, uint c, uint d, uint x, byte s)
87 | {
88 | a += (this.G(b, c, d) + x) + 0x5a827999;
89 | a = this.ROL(a, s);
90 | }
91 |
92 | private uint H(uint x, uint y, uint z)
93 | {
94 | return ((x ^ y) ^ z);
95 | }
96 |
97 | protected override void HashCore(byte[] array, int ibStart, int cbSize)
98 | {
99 | int dstOffset = ((int)(this.count[0] >> 3)) & 0x3f;
100 | this.count[0] += (uint)(cbSize << 3);
101 |
102 | if (this.count[0] < (cbSize << 3))
103 | {
104 | this.count[1]++;
105 | }
106 |
107 | this.count[1] += (uint)(cbSize >> 0x1d);
108 | int count = 0x40 - dstOffset;
109 | int index = 0;
110 |
111 | if (cbSize >= count)
112 | {
113 | Buffer.BlockCopy(array, ibStart, this.buffer, dstOffset, count);
114 | this.MD4Transform(this.state, this.buffer, 0);
115 | index = count;
116 |
117 | while ((index + 0x3f) < cbSize)
118 | {
119 | this.MD4Transform(this.state, array, index);
120 | index += 0x40;
121 | }
122 |
123 | dstOffset = 0;
124 | }
125 |
126 | Buffer.BlockCopy(array, ibStart + index, this.buffer, dstOffset, cbSize - index);
127 | }
128 |
129 | private void HH(ref uint a, uint b, uint c, uint d, uint x, byte s)
130 | {
131 | a += (this.H(b, c, d) + x) + 0x6ed9eba1;
132 | a = this.ROL(a, s);
133 | }
134 |
135 | public override void Initialize()
136 | {
137 | this.count[0] = 0;
138 | this.count[1] = 0;
139 | this.state[0] = 0x67452301;
140 | this.state[1] = 0xefcdab89;
141 | this.state[2] = 0x98badcfe;
142 | this.state[3] = 0x10325476;
143 | Array.Clear(this.buffer, 0, 0x40);
144 | Array.Clear(this.x, 0, 0x10);
145 | }
146 |
147 | private void MD4Transform(uint[] state, byte[] block, int index)
148 | {
149 | uint a = state[0];
150 | uint b = state[1];
151 | uint c = state[2];
152 | uint d = state[3];
153 | this.Decode(this.x, block, index);
154 | this.FF(ref a, b, c, d, this.x[0], 3);
155 | this.FF(ref d, a, b, c, this.x[1], 7);
156 | this.FF(ref c, d, a, b, this.x[2], 11);
157 | this.FF(ref b, c, d, a, this.x[3], 0x13);
158 | this.FF(ref a, b, c, d, this.x[4], 3);
159 | this.FF(ref d, a, b, c, this.x[5], 7);
160 | this.FF(ref c, d, a, b, this.x[6], 11);
161 | this.FF(ref b, c, d, a, this.x[7], 0x13);
162 | this.FF(ref a, b, c, d, this.x[8], 3);
163 | this.FF(ref d, a, b, c, this.x[9], 7);
164 | this.FF(ref c, d, a, b, this.x[10], 11);
165 | this.FF(ref b, c, d, a, this.x[11], 0x13);
166 | this.FF(ref a, b, c, d, this.x[12], 3);
167 | this.FF(ref d, a, b, c, this.x[13], 7);
168 | this.FF(ref c, d, a, b, this.x[14], 11);
169 | this.FF(ref b, c, d, a, this.x[15], 0x13);
170 | this.GG(ref a, b, c, d, this.x[0], 3);
171 | this.GG(ref d, a, b, c, this.x[4], 5);
172 | this.GG(ref c, d, a, b, this.x[8], 9);
173 | this.GG(ref b, c, d, a, this.x[12], 13);
174 | this.GG(ref a, b, c, d, this.x[1], 3);
175 | this.GG(ref d, a, b, c, this.x[5], 5);
176 | this.GG(ref c, d, a, b, this.x[9], 9);
177 | this.GG(ref b, c, d, a, this.x[13], 13);
178 | this.GG(ref a, b, c, d, this.x[2], 3);
179 | this.GG(ref d, a, b, c, this.x[6], 5);
180 | this.GG(ref c, d, a, b, this.x[10], 9);
181 | this.GG(ref b, c, d, a, this.x[14], 13);
182 | this.GG(ref a, b, c, d, this.x[3], 3);
183 | this.GG(ref d, a, b, c, this.x[7], 5);
184 | this.GG(ref c, d, a, b, this.x[11], 9);
185 | this.GG(ref b, c, d, a, this.x[15], 13);
186 | this.HH(ref a, b, c, d, this.x[0], 3);
187 | this.HH(ref d, a, b, c, this.x[8], 9);
188 | this.HH(ref c, d, a, b, this.x[4], 11);
189 | this.HH(ref b, c, d, a, this.x[12], 15);
190 | this.HH(ref a, b, c, d, this.x[2], 3);
191 | this.HH(ref d, a, b, c, this.x[10], 9);
192 | this.HH(ref c, d, a, b, this.x[6], 11);
193 | this.HH(ref b, c, d, a, this.x[14], 15);
194 | this.HH(ref a, b, c, d, this.x[1], 3);
195 | this.HH(ref d, a, b, c, this.x[9], 9);
196 | this.HH(ref c, d, a, b, this.x[5], 11);
197 | this.HH(ref b, c, d, a, this.x[13], 15);
198 | this.HH(ref a, b, c, d, this.x[3], 3);
199 | this.HH(ref d, a, b, c, this.x[11], 9);
200 | this.HH(ref c, d, a, b, this.x[7], 11);
201 | this.HH(ref b, c, d, a, this.x[15], 15);
202 | state[0] += a;
203 | state[1] += b;
204 | state[2] += c;
205 | state[3] += d;
206 | }
207 |
208 | private byte[] Padding(int nLength)
209 | {
210 | if (nLength > 0)
211 | {
212 | byte[] buffer = new byte[nLength];
213 | buffer[0] = 0x80;
214 | return buffer;
215 | }
216 |
217 | return null;
218 | }
219 |
220 | private uint ROL(uint x, byte n)
221 | {
222 | return ((x << n) | (x >> (0x20 - n)));
223 | }
224 |
225 | }
226 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Protocol/Negotiation/ASN1.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 |
4 | namespace SharpRDPCheck
5 | {
6 | internal class ASN1
7 | {
8 | private static Dictionary m_Fixup = new Dictionary();
9 |
10 | protected static void CloseTag(RdpPacket packet, string Identifier)
11 | {
12 | UpdateLength(packet, Identifier);
13 | }
14 |
15 | protected static int ContextTag(int type)
16 | {
17 | return (160 + type);
18 | }
19 |
20 | protected static void Init()
21 | {
22 | m_Fixup.Clear();
23 | }
24 |
25 | protected static int OctetStringTag()
26 | {
27 | return 4;
28 | }
29 |
30 | protected static int ReadInteger(RdpPacket packet)
31 | {
32 | if (packet.ReadByte() != 2)
33 | {
34 | throw new Exception("Data Error!");
35 | }
36 | int num2 = packet.ReadByte();
37 | byte[] buffer = new byte[4];
38 |
39 | switch (num2)
40 | {
41 | case 4:
42 | packet.Read(buffer, 0, 4);
43 | return BitConverter.ToInt32(buffer, 0);
44 |
45 | case 3:
46 | packet.Read(buffer, 0, 3);
47 | return BitConverter.ToInt32(buffer, 0);
48 |
49 | case 2:
50 | packet.Read(buffer, 0, 2);
51 | return BitConverter.ToInt32(buffer, 0);
52 | }
53 |
54 | packet.Read(buffer, 0, 1);
55 |
56 | return BitConverter.ToInt32(buffer, 0);
57 | }
58 |
59 | protected static int ReadLength(RdpPacket packet, string Identifier)
60 | {
61 | int num;
62 | byte[] buffer = new byte[4];
63 | int num2 = packet.ReadByte();
64 |
65 | switch (num2)
66 | {
67 | case 0x84:
68 | buffer[3] = (byte) packet.ReadByte();
69 | buffer[2] = (byte) packet.ReadByte();
70 | buffer[1] = (byte) packet.ReadByte();
71 | buffer[0] = (byte) packet.ReadByte();
72 | num = BitConverter.ToInt32(buffer, 0);
73 | break;
74 |
75 | case 0x83:
76 | buffer[2] = (byte) packet.ReadByte();
77 | buffer[1] = (byte) packet.ReadByte();
78 | buffer[0] = (byte) packet.ReadByte();
79 | num = BitConverter.ToInt32(buffer, 0);
80 | break;
81 |
82 | case 130:
83 | buffer[1] = (byte) packet.ReadByte();
84 | buffer[0] = (byte) packet.ReadByte();
85 | num = BitConverter.ToInt32(buffer, 0);
86 | break;
87 |
88 | case 0x81:
89 | num = packet.ReadByte();
90 | break;
91 |
92 | default:
93 | num = num2;
94 | break;
95 | }
96 |
97 | m_Fixup.Add(Identifier, new Fixup(Identifier, packet.Position, num));
98 |
99 | return num;
100 | }
101 |
102 | protected static int ReadTag(RdpPacket packet, string Identifier)
103 | {
104 | int num = packet.ReadByte();
105 | ReadLength(packet, Identifier);
106 |
107 | return num;
108 | }
109 |
110 | protected static int ReadTag(RdpPacket packet, int ExpectedTag, string Identifier)
111 | {
112 | int num = packet.ReadByte();
113 |
114 | if (num != ExpectedTag)
115 | {
116 | throw new Exception(string.Concat(new object[] { "Expected DER tag ", ExpectedTag, " but got ", num }));
117 | }
118 |
119 | return ReadLength(packet, Identifier);
120 | }
121 |
122 | protected static int SequenceTag(int type)
123 | {
124 | return (0x30 + type);
125 | }
126 |
127 | protected static void UpdateLength(RdpPacket packet, string Identifier)
128 | {
129 | Fixup fixup = m_Fixup[Identifier];
130 | m_Fixup.Remove(Identifier);
131 | long position = packet.Position;
132 |
133 | if (fixup.Length != -1)
134 | {
135 | long num2 = packet.Position - fixup.Offset;
136 |
137 | if (num2 != fixup.Length)
138 | {
139 | throw new Exception("DER Tag length invalid");
140 | }
141 | }
142 | else
143 | {
144 | long num3 = packet.Position - (fixup.Offset + 1L);
145 | byte[] bytes = BitConverter.GetBytes(num3);
146 | packet.Position = fixup.Offset;
147 |
148 | if (num3 > 0xffffffL)
149 | {
150 | packet.WriteByte(0x84);
151 | packet.InsertByte(bytes[3]);
152 | position += 1L;
153 | packet.InsertByte(bytes[2]);
154 | position += 1L;
155 | packet.InsertByte(bytes[1]);
156 | position += 1L;
157 | packet.InsertByte(bytes[0]);
158 | position += 1L;
159 | }
160 | else if (num3 > 0xffffL)
161 | {
162 | packet.WriteByte(0x83);
163 | packet.InsertByte(bytes[2]);
164 | position += 1L;
165 | packet.InsertByte(bytes[1]);
166 | position += 1L;
167 | packet.InsertByte(bytes[0]);
168 | position += 1L;
169 | }
170 | else if (num3 > 0xffL)
171 | {
172 | packet.WriteByte(130);
173 | packet.InsertByte(bytes[1]);
174 | position += 1L;
175 | packet.InsertByte(bytes[0]);
176 | position += 1L;
177 | }
178 | else if (num3 > 0x7fL)
179 | {
180 | packet.WriteByte(0x81);
181 | packet.InsertByte(bytes[0]);
182 | position += 1L;
183 | }
184 | else
185 | {
186 | packet.WriteByte(bytes[0]);
187 | }
188 |
189 | packet.Position = position;
190 | }
191 | }
192 |
193 | protected static void WriteByte(RdpPacket packet, int value)
194 | {
195 | packet.WriteByte((byte) value);
196 | }
197 |
198 | protected static void WriteInteger(RdpPacket packet, int value)
199 | {
200 | packet.WriteByte(2);
201 | byte[] bytes = BitConverter.GetBytes(value);
202 |
203 | if (value > 0xffffff)
204 | {
205 | packet.WriteByte(4);
206 | packet.WriteByte(bytes[3]);
207 | packet.WriteByte(bytes[2]);
208 | packet.WriteByte(bytes[1]);
209 | packet.WriteByte(bytes[0]);
210 | }
211 | else if (value > 0xffff)
212 | {
213 | packet.WriteByte(3);
214 | packet.WriteByte(bytes[2]);
215 | packet.WriteByte(bytes[1]);
216 | packet.WriteByte(bytes[0]);
217 | }
218 | else if (value > 0xff)
219 | {
220 | packet.WriteByte(2);
221 | packet.WriteByte(bytes[1]);
222 | packet.WriteByte(bytes[0]);
223 | }
224 | else
225 | {
226 | packet.WriteByte(1);
227 | packet.WriteByte(bytes[0]);
228 | }
229 | }
230 |
231 | protected static void WriteLength(RdpPacket packet, string Identifier)
232 | {
233 | m_Fixup.Add(Identifier, new Fixup(Identifier, packet.Position));
234 | WriteByte(packet, 0xff);
235 | }
236 |
237 | protected static void WriteTag(RdpPacket packet, int Tag, string Identifier)
238 | {
239 | WriteByte(packet, Tag);
240 | WriteLength(packet, Identifier);
241 | }
242 |
243 | private class Fixup
244 | {
245 | public string Identifer;
246 | public int Length;
247 | public long Offset;
248 |
249 | public Fixup(string sIdentifier, long Offset)
250 | {
251 | this.Identifer = sIdentifier;
252 | this.Offset = Offset;
253 | this.Length = -1;
254 | }
255 |
256 | public Fixup(string sIdentifier, long Offset, int Length)
257 | {
258 | this.Identifer = sIdentifier;
259 | this.Offset = Offset;
260 | this.Length = Length;
261 | }
262 | }
263 |
264 | }
265 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Cryptography/MD5.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Text;
4 |
5 | namespace SharpRDPCheck
6 | {
7 | internal static class MD5
8 | {
9 |
10 | public static byte[] ComputeHash(byte[] input)
11 | {
12 | if (input == null)
13 | {
14 | throw new ArgumentNullException("input", "Unable to calculate hash over null input data");
15 | }
16 | ABCDStruct aBCDValue = new ABCDStruct
17 | {
18 | A = 0x67452301,
19 | B = 0xefcdab89,
20 | C = 0x98badcfe,
21 | D = 0x10325476
22 | };
23 | int ibStart = 0;
24 | while (ibStart <= (input.Length - 0x40))
25 | {
26 | GetHashBlock(input, ref aBCDValue, ibStart);
27 | ibStart += 0x40;
28 | }
29 | return GetHashFinalBlock(input, ibStart, input.Length - ibStart, aBCDValue, input.Length * 8L);
30 | }
31 |
32 | public static byte[] ComputeHash(string input, Encoding encoding)
33 | {
34 | if (input == null)
35 | {
36 | throw new ArgumentNullException("input", "Unable to calculate hash over null input data");
37 | }
38 | if (encoding == null)
39 | {
40 | throw new ArgumentNullException("encoding", "Unable to calculate hash over a string without a default encoding. Consider using the GetHash(string) overload to use UTF8 Encoding");
41 | }
42 | return ComputeHash(encoding.GetBytes(input));
43 | }
44 |
45 |
46 | public static string ComputeHashString(byte[] input)
47 | {
48 | if (input == null)
49 | {
50 | throw new ArgumentNullException("input", "Unable to calculate hash over null input data");
51 | }
52 | return BitConverter.ToString(ComputeHash(input)).Replace("-", "");
53 | }
54 |
55 | private static uint[] Converter(byte[] input, int ibStart)
56 | {
57 | if (input == null)
58 | {
59 | throw new ArgumentNullException("input", "Unable convert null array to array of uInts");
60 | }
61 | uint[] numArray = new uint[0x10];
62 | for (int i = 0; i < 0x10; i++)
63 | {
64 | numArray[i] = input[ibStart + (i * 4)];
65 | numArray[i] += (uint)(input[(ibStart + (i * 4)) + 1] << 8);
66 | numArray[i] += (uint)(input[(ibStart + (i * 4)) + 2] << 0x10);
67 | numArray[i] += (uint)(input[(ibStart + (i * 4)) + 3] << 0x18);
68 | }
69 | return numArray;
70 | }
71 |
72 | internal static void GetHashBlock(byte[] input, ref ABCDStruct ABCDValue, int ibStart)
73 | {
74 | uint[] numArray = Converter(input, ibStart);
75 | uint a = ABCDValue.A;
76 | uint b = ABCDValue.B;
77 | uint c = ABCDValue.C;
78 | uint d = ABCDValue.D;
79 | a = r1(a, b, c, d, numArray[0], 7, 0xd76aa478);
80 | d = r1(d, a, b, c, numArray[1], 12, 0xe8c7b756);
81 | c = r1(c, d, a, b, numArray[2], 0x11, 0x242070db);
82 | b = r1(b, c, d, a, numArray[3], 0x16, 0xc1bdceee);
83 | a = r1(a, b, c, d, numArray[4], 7, 0xf57c0faf);
84 | d = r1(d, a, b, c, numArray[5], 12, 0x4787c62a);
85 | c = r1(c, d, a, b, numArray[6], 0x11, 0xa8304613);
86 | b = r1(b, c, d, a, numArray[7], 0x16, 0xfd469501);
87 | a = r1(a, b, c, d, numArray[8], 7, 0x698098d8);
88 | d = r1(d, a, b, c, numArray[9], 12, 0x8b44f7af);
89 | c = r1(c, d, a, b, numArray[10], 0x11, 0xffff5bb1);
90 | b = r1(b, c, d, a, numArray[11], 0x16, 0x895cd7be);
91 | a = r1(a, b, c, d, numArray[12], 7, 0x6b901122);
92 | d = r1(d, a, b, c, numArray[13], 12, 0xfd987193);
93 | c = r1(c, d, a, b, numArray[14], 0x11, 0xa679438e);
94 | b = r1(b, c, d, a, numArray[15], 0x16, 0x49b40821);
95 | a = r2(a, b, c, d, numArray[1], 5, 0xf61e2562);
96 | d = r2(d, a, b, c, numArray[6], 9, 0xc040b340);
97 | c = r2(c, d, a, b, numArray[11], 14, 0x265e5a51);
98 | b = r2(b, c, d, a, numArray[0], 20, 0xe9b6c7aa);
99 | a = r2(a, b, c, d, numArray[5], 5, 0xd62f105d);
100 | d = r2(d, a, b, c, numArray[10], 9, 0x2441453);
101 | c = r2(c, d, a, b, numArray[15], 14, 0xd8a1e681);
102 | b = r2(b, c, d, a, numArray[4], 20, 0xe7d3fbc8);
103 | a = r2(a, b, c, d, numArray[9], 5, 0x21e1cde6);
104 | d = r2(d, a, b, c, numArray[14], 9, 0xc33707d6);
105 | c = r2(c, d, a, b, numArray[3], 14, 0xf4d50d87);
106 | b = r2(b, c, d, a, numArray[8], 20, 0x455a14ed);
107 | a = r2(a, b, c, d, numArray[13], 5, 0xa9e3e905);
108 | d = r2(d, a, b, c, numArray[2], 9, 0xfcefa3f8);
109 | c = r2(c, d, a, b, numArray[7], 14, 0x676f02d9);
110 | b = r2(b, c, d, a, numArray[12], 20, 0x8d2a4c8a);
111 | a = r3(a, b, c, d, numArray[5], 4, 0xfffa3942);
112 | d = r3(d, a, b, c, numArray[8], 11, 0x8771f681);
113 | c = r3(c, d, a, b, numArray[11], 0x10, 0x6d9d6122);
114 | b = r3(b, c, d, a, numArray[14], 0x17, 0xfde5380c);
115 | a = r3(a, b, c, d, numArray[1], 4, 0xa4beea44);
116 | d = r3(d, a, b, c, numArray[4], 11, 0x4bdecfa9);
117 | c = r3(c, d, a, b, numArray[7], 0x10, 0xf6bb4b60);
118 | b = r3(b, c, d, a, numArray[10], 0x17, 0xbebfbc70);
119 | a = r3(a, b, c, d, numArray[13], 4, 0x289b7ec6);
120 | d = r3(d, a, b, c, numArray[0], 11, 0xeaa127fa);
121 | c = r3(c, d, a, b, numArray[3], 0x10, 0xd4ef3085);
122 | b = r3(b, c, d, a, numArray[6], 0x17, 0x4881d05);
123 | a = r3(a, b, c, d, numArray[9], 4, 0xd9d4d039);
124 | d = r3(d, a, b, c, numArray[12], 11, 0xe6db99e5);
125 | c = r3(c, d, a, b, numArray[15], 0x10, 0x1fa27cf8);
126 | b = r3(b, c, d, a, numArray[2], 0x17, 0xc4ac5665);
127 | a = r4(a, b, c, d, numArray[0], 6, 0xf4292244);
128 | d = r4(d, a, b, c, numArray[7], 10, 0x432aff97);
129 | c = r4(c, d, a, b, numArray[14], 15, 0xab9423a7);
130 | b = r4(b, c, d, a, numArray[5], 0x15, 0xfc93a039);
131 | a = r4(a, b, c, d, numArray[12], 6, 0x655b59c3);
132 | d = r4(d, a, b, c, numArray[3], 10, 0x8f0ccc92);
133 | c = r4(c, d, a, b, numArray[10], 15, 0xffeff47d);
134 | b = r4(b, c, d, a, numArray[1], 0x15, 0x85845dd1);
135 | a = r4(a, b, c, d, numArray[8], 6, 0x6fa87e4f);
136 | d = r4(d, a, b, c, numArray[15], 10, 0xfe2ce6e0);
137 | c = r4(c, d, a, b, numArray[6], 15, 0xa3014314);
138 | b = r4(b, c, d, a, numArray[13], 0x15, 0x4e0811a1);
139 | a = r4(a, b, c, d, numArray[4], 6, 0xf7537e82);
140 | d = r4(d, a, b, c, numArray[11], 10, 0xbd3af235);
141 | c = r4(c, d, a, b, numArray[2], 15, 0x2ad7d2bb);
142 | b = r4(b, c, d, a, numArray[9], 0x15, 0xeb86d391);
143 | ABCDValue.A = a + ABCDValue.A;
144 | ABCDValue.B = b + ABCDValue.B;
145 | ABCDValue.C = c + ABCDValue.C;
146 | ABCDValue.D = d + ABCDValue.D;
147 | }
148 |
149 | internal static byte[] GetHashFinalBlock(byte[] input, int ibStart, int cbSize, ABCDStruct ABCD, long len)
150 | {
151 | byte[] destinationArray = new byte[0x40];
152 | byte[] bytes = BitConverter.GetBytes(len);
153 | Array.Copy(input, ibStart, destinationArray, 0, cbSize);
154 | destinationArray[cbSize] = 0x80;
155 | if (cbSize <= 0x38)
156 | {
157 | Array.Copy(bytes, 0, destinationArray, 0x38, 8);
158 | GetHashBlock(destinationArray, ref ABCD, 0);
159 | }
160 | else
161 | {
162 | GetHashBlock(destinationArray, ref ABCD, 0);
163 | destinationArray = new byte[0x40];
164 | Array.Copy(bytes, 0, destinationArray, 0x38, 8);
165 | GetHashBlock(destinationArray, ref ABCD, 0);
166 | }
167 | byte[] buffer3 = new byte[0x10];
168 | Array.Copy(BitConverter.GetBytes(ABCD.A), 0, buffer3, 0, 4);
169 | Array.Copy(BitConverter.GetBytes(ABCD.B), 0, buffer3, 4, 4);
170 | Array.Copy(BitConverter.GetBytes(ABCD.C), 0, buffer3, 8, 4);
171 | Array.Copy(BitConverter.GetBytes(ABCD.D), 0, buffer3, 12, 4);
172 | return buffer3;
173 | }
174 |
175 | private static uint LSR(uint i, int s)
176 | {
177 | return ((i << s) | (i >> (0x20 - s)));
178 | }
179 |
180 | private static uint r1(uint a, uint b, uint c, uint d, uint x, int s, uint t)
181 | {
182 | return (b + LSR(((a + ((b & c) | ((b ^ uint.MaxValue) & d))) + x) + t, s));
183 | }
184 |
185 | private static uint r2(uint a, uint b, uint c, uint d, uint x, int s, uint t)
186 | {
187 | return (b + LSR(((a + ((b & d) | (c & (d ^ uint.MaxValue)))) + x) + t, s));
188 | }
189 |
190 | private static uint r3(uint a, uint b, uint c, uint d, uint x, int s, uint t)
191 | {
192 | return (b + LSR(((a + ((b ^ c) ^ d)) + x) + t, s));
193 | }
194 |
195 | private static uint r4(uint a, uint b, uint c, uint d, uint x, int s, uint t)
196 | {
197 | return (b + LSR(((a + (c ^ (b | (d ^ uint.MaxValue)))) + x) + t, s));
198 | }
199 |
200 | }
201 | }
--------------------------------------------------------------------------------
/MssqlInfo/MssqlInfo/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Net.Sockets;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace MssqlInfo
8 | {
9 | class Program
10 | {
11 | static void Main(string[] args)
12 | {
13 | byte[] MSSQL_Client_Receive = new byte[2048];
14 | string host = args[0];
15 | int port = int.Parse(args[1]);
16 |
17 | try
18 | {
19 | var MSSQL_Client = new TcpClient();
20 | IAsyncResult result = MSSQL_Client.BeginConnect(host, port, null, null);
21 | bool success = result.AsyncWaitHandle.WaitOne(5000, true);
22 | if (!MSSQL_Client.Connected)
23 | {
24 | Console.WriteLine($@"target {host} WmiInfo can't connect!");
25 | return;
26 | }
27 | NetworkStream MSSQL_Client_Stream = MSSQL_Client.GetStream();
28 | MSSQL_Client.ReceiveTimeout = 30000;
29 | byte[] prelogin = {
30 | 0x12,0x01,0x00,0x58,0x00,0x00,0x01,0x00,0x00,0x00,0x1f,0x00,0x06,0x01,0x00,0x25,
31 | 0x00,0x01,0x02,0x00,0x26,0x00,0x01,0x03,0x00,0x27,0x00,0x04,0x04,0x00,0x2b,0x00,
32 | 0x01,0x05,0x00,0x2c,0x00,0x24,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,
33 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
34 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
35 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
36 | };
37 |
38 | byte[] SSPI_Message =
39 | {
40 | 0x10,0x01,0x01,0xb3,0x00,0x00,0x01,0x00,0xab,0x01,0x00,0x00,0x04,0x00,0x00,0x74,
41 | 0x40,0x1f,0x00,0x00,0x00,0x00,0x00,0x06,0x2a,0x2a,0x2a,0x2a,0x00,0x00,0x00,0x00,
42 | 0xe0,0x83,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x5e,0x00,0x09,0x00,
43 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x00,0x21,0x00,0xb2,0x00,0x0e,0x00,
44 | 0xce,0x00,0x04,0x00,0xd2,0x00,0x21,0x00,0x14,0x01,0x00,0x00,0x14,0x01,0x07,0x00,
45 | 0x2a,0x2a,0x2a,0x2a,0x2a,0x2a,0x22,0x01,0x7e,0x00,0xa0,0x01,0x00,0x00,0xa0,0x01,
46 | 0x00,0x00,0x00,0x00,0x00,0x00,0x41,0x00,0x4e,0x00,0x4f,0x00,0x4e,0x00,0x59,0x00,
47 | 0x4d,0x00,0x4f,0x00,0x55,0x00,0x53,0x00,0x43,0x00,0x6f,0x00,0x72,0x00,0x65,0x00,
48 | 0x20,0x00,0x2e,0x00,0x4e,0x00,0x65,0x00,0x74,0x00,0x20,0x00,0x53,0x00,0x71,0x00,
49 | 0x6c,0x00,0x43,0x00,0x6c,0x00,0x69,0x00,0x65,0x00,0x6e,0x00,0x74,0x00,0x20,0x00,
50 | 0x44,0x00,0x61,0x00,0x74,0x00,0x61,0x00,0x20,0x00,0x50,0x00,0x72,0x00,0x6f,0x00,
51 | 0x76,0x00,0x69,0x00,0x64,0x00,0x65,0x00,0x72,0x00,0x31,0x00,0x30,0x00,0x2e,0x00,
52 | 0x32,0x00,0x30,0x00,0x30,0x00,0x2e,0x00,0x32,0x00,0x31,0x00,0x35,0x00,0x2e,0x00,
53 | 0x31,0x00,0x30,0x00,0x38,0x00,0xa0,0x01,0x00,0x00,0x43,0x00,0x6f,0x00,0x72,0x00,
54 | 0x65,0x00,0x20,0x00,0x2e,0x00,0x4e,0x00,0x65,0x00,0x74,0x00,0x20,0x00,0x53,0x00,
55 | 0x71,0x00,0x6c,0x00,0x43,0x00,0x6c,0x00,0x69,0x00,0x65,0x00,0x6e,0x00,0x74,0x00,
56 | 0x20,0x00,0x44,0x00,0x61,0x00,0x74,0x00,0x61,0x00,0x20,0x00,0x50,0x00,0x72,0x00,
57 | 0x6f,0x00,0x76,0x00,0x69,0x00,0x64,0x00,0x65,0x00,0x72,0x00,0x54,0x00,0x64,0x00,
58 | 0x73,0x00,0x54,0x00,0x65,0x00,0x73,0x00,0x74,0x00,0x60,0x7c,0x06,0x06,0x2b,0x06,
59 | 0x01,0x05,0x05,0x02,0xa0,0x72,0x30,0x70,0xa0,0x30,0x30,0x2e,0x06,0x0a,0x2b,0x06,
60 | 0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a,0x06,0x09,0x2a,0x86,0x48,0x82,0xf7,0x12,
61 | 0x01,0x02,0x02,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,0x06,0x0a,
62 | 0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x1e,0xa2,0x3c,0x04,0x3a,0x4e,0x54,
63 | 0x4c,0x4d,0x53,0x53,0x50,0x00,0x01,0x00,0x00,0x00,0xb7,0xb2,0x08,0xe2,0x09,0x00,
64 | 0x09,0x00,0x31,0x00,0x00,0x00,0x09,0x00,0x09,0x00,0x28,0x00,0x00,0x00,0x0a,0x00,
65 | 0x61,0x4a,0x00,0x00,0x00,0x0f,0x41,0x4e,0x4f,0x4e,0x59,0x4d,0x4f,0x55,0x53,0x57,
66 | 0x4f,0x52,0x4b,0x47,0x52,0x4f,0x55,0x50,0x01,0x00,0x00,0x00,0x00,0x05,0x00,0x00,
67 | 0x00,0x00,0xff
68 | };
69 |
70 | SendStream(MSSQL_Client_Stream, prelogin);
71 | MSSQL_Client_Receive = SendStream(MSSQL_Client_Stream, SSPI_Message);
72 | NTLMInfo NTLMInfo = new NTLMInfo();
73 | NTLMInfo = GetNTLMInfo(MSSQL_Client_Receive, NTLMInfo);
74 | Console.WriteLine($@"target {host} MSSQL Info: Windows Version {NTLMInfo.OsVersion} Build {NTLMInfo.OsBuildNumber}, Domain Name {NTLMInfo.NbtDoaminName}, Computer Name {NTLMInfo.NbtComputer}, Dns Suffix {NTLMInfo.DnsDomainName}, Dns Computer Name {NTLMInfo.DnsDomainName}, TimeStamp {NTLMInfo.TimeStamp}");
75 | MSSQL_Client.Close();
76 | MSSQL_Client_Stream.Close();
77 |
78 | }
79 | catch (Exception ex)
80 | {
81 | Console.WriteLine($@"target {host} MSSQL Info Error:{ex.Message}");
82 | }
83 | }
84 |
85 | public static byte[] SendStream(NetworkStream stream, byte[] BytesToSend)
86 | {
87 | byte[] BytesReceived = new byte[2048];
88 | stream.Write(BytesToSend, 0, BytesToSend.Length);
89 | stream.Flush();
90 | stream.Read(BytesReceived, 0, BytesReceived.Length);
91 | return BytesReceived;
92 | }
93 |
94 | public class NTLMInfo
95 | {
96 | public string NativeOs { get; set; }
97 | public string NativeLanManager { get; set; }
98 | public string NbtDoaminName { get; set; }
99 | public string NbtComputer { get; set; }
100 | public string DomainName { get; set; }
101 | public short OsBuildNumber { get; set; }
102 |
103 | public string OsVersion { get; set; }
104 | public string DnsComputerName { get; set; }
105 | public string DnsDomainName { get; set; }
106 | public string DNSTreeName { get; set; }
107 | public DateTime TimeStamp { get; set; }
108 | public bool SMBsigning { get; set; }
109 | }
110 |
111 | public static NTLMInfo GetNTLMInfo(byte[] buf, NTLMInfo ntlminfo)
112 | {
113 | string NTLMSSP_Negotiate = BitConverter.ToString(buf).Replace("-", "");
114 | int off;
115 | off = NTLMSSP_Negotiate.IndexOf("4E544C4D53535000") / 2;
116 | int NTLMSSP_Negotiate_Len = (NTLMSSP_Negotiate.Length - NTLMSSP_Negotiate.IndexOf("4E544C4D53535000")) / 2;
117 | byte[] ntlm = new byte[NTLMSSP_Negotiate_Len];
118 | Array.Copy(buf, off, ntlm, 0, NTLMSSP_Negotiate_Len);
119 |
120 | NTLMSSP_Negotiate_Len = BitConverter.ToInt16(ntlm, 0xc);
121 | off = BitConverter.ToInt16(ntlm, 0x10);
122 | ntlminfo.OsBuildNumber = BitConverter.ToInt16(ntlm, off - 6);
123 | ntlminfo.OsVersion = $@"{ntlm[off - 8]}.{ntlm[off - 7]}";
124 |
125 | off += NTLMSSP_Negotiate_Len;
126 | int type = BitConverter.ToInt16(ntlm, off);
127 |
128 | while (type != 0)
129 | {
130 | off += 2;
131 | NTLMSSP_Negotiate_Len = BitConverter.ToInt16(ntlm, off);
132 | off += 2;
133 | switch (type)
134 | {
135 | case 1:
136 | {
137 | ntlminfo.NbtComputer = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
138 | //Console.WriteLine("NetBIOS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
139 | break;
140 | }
141 | case 2:
142 | {
143 | ntlminfo.NbtDoaminName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
144 | //Console.WriteLine("NetBIOS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
145 | break;
146 | }
147 | case 3:
148 | {
149 | ntlminfo.DnsComputerName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
150 | //Console.WriteLine("DNS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
151 | break;
152 | }
153 | case 4:
154 | {
155 | ntlminfo.DnsDomainName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
156 | //Console.WriteLine("DNS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
157 | break;
158 | }
159 | case 5:
160 | {
161 | ntlminfo.DNSTreeName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
162 | //Console.WriteLine("DNS tree name: " + Encoding.Unicode.GetString(ntlm, off, len));
163 | break;
164 | }
165 | case 7:
166 | {
167 | ntlminfo.TimeStamp = DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off));
168 | //Console.WriteLine("time stamp: {0:o}", DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off)));
169 | break;
170 | }
171 | default:
172 | {
173 | //Console.Write("Unknown type {0}, data: ", type);
174 | for (int i = 0; i < NTLMSSP_Negotiate_Len; i++)
175 | {
176 | Console.Write(ntlm[i + off].ToString("X2"));
177 | }
178 | Console.WriteLine();
179 | break;
180 | }
181 | }
182 | off += NTLMSSP_Negotiate_Len;
183 | type = BitConverter.ToInt16(ntlm, off);
184 | }
185 |
186 | return ntlminfo;
187 | }
188 | }
189 |
190 | }
191 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Protocol/Negotiation/CredSSP.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 |
4 |
5 | namespace SharpRDPCheck
6 | {
7 | internal class CredSSP : ASN1
8 | {
9 | private static bool m_bAuthenticated = false;
10 | private static byte[] m_ChallengeMsg;
11 | private static NTLM m_NTLMAuthenticate;
12 |
13 | public static void Negotiate(byte[] ServerPublicKey)
14 | {
15 | try
16 | {
17 | ASN1.Init();
18 | m_bAuthenticated = false;
19 | SendNegotiate();
20 | //NTLM.DumpHex(ServerPublicKey, ServerPublicKey.Length, "Server Public Key");
21 | while (!m_bAuthenticated)
22 | {
23 | ProcesssResponse(Receive(), ServerPublicKey);
24 | }
25 | }
26 | catch (Exception exception)
27 | {
28 | //Console.WriteLine(exception.Message, exception.InnerException);
29 | throw;
30 | //throw new Exception("Authentication Error (" + exception.Message + ")", exception.InnerException);
31 | }
32 | }
33 | public static byte[] GetRDPNTLMSSPNegotiate()
34 | {
35 | try
36 | {
37 | SendNegotiate();
38 | return ReceiveNTLMv2();
39 |
40 | }
41 | catch (Exception exception)
42 | {
43 | //Console.WriteLine(exception.Message, exception.InnerException);
44 | throw;
45 | //throw new Exception("Authentication Error (" + exception.Message + ")", exception.InnerException);
46 | }
47 | }
48 |
49 |
50 | private static void SendNegotiate()
51 | {
52 | SendTSRequest(WriteNegoToken(), null, null);
53 | }
54 |
55 | private static void SendTSRequest(RdpPacket negoTokens, byte[] auth_info, byte[] pub_key_auth)
56 | {
57 | RdpPacket packet = new RdpPacket();
58 | ASN1.WriteTag(packet, ASN1.SequenceTag(0), "TSRequest");
59 | ASN1.WriteTag(packet, ASN1.ContextTag(0), "CTX_Version");
60 | ASN1.WriteInteger(packet, 2);
61 | ASN1.CloseTag(packet, "CTX_Version");
62 |
63 | if (negoTokens != null)
64 | {
65 | ASN1.WriteTag(packet, ASN1.ContextTag(1), "CTX_NegTokens");
66 | ASN1.WriteTag(packet, ASN1.SequenceTag(0), "NegTokens");
67 | ASN1.WriteTag(packet, ASN1.SequenceTag(0), "NegTokens2");
68 | ASN1.WriteTag(packet, ASN1.ContextTag(0), "CTX_OctetString");
69 | ASN1.WriteTag(packet, ASN1.OctetStringTag(), "OctetString");
70 | packet.copyToByteArray(negoTokens);
71 | ASN1.CloseTag(packet, "OctetString");
72 | ASN1.CloseTag(packet, "CTX_OctetString");
73 | ASN1.CloseTag(packet, "NegTokens2");
74 | ASN1.CloseTag(packet, "NegTokens");
75 | ASN1.CloseTag(packet, "CTX_NegTokens");
76 | }
77 |
78 | if (auth_info != null)
79 | {
80 | ASN1.WriteTag(packet, ASN1.ContextTag(2), "CTX_AuthInfo");
81 | ASN1.WriteTag(packet, ASN1.OctetStringTag(), "OctetString");
82 | packet.Write(auth_info, 0, auth_info.Length);
83 | ASN1.CloseTag(packet, "OctetString");
84 | ASN1.CloseTag(packet, "CTX_AuthInfo");
85 | }
86 |
87 | if (pub_key_auth != null)
88 | {
89 | ASN1.WriteTag(packet, ASN1.ContextTag(3), "CTX_PubKeyAuth");
90 | ASN1.WriteTag(packet, ASN1.OctetStringTag(), "OctetString");
91 | packet.Write(pub_key_auth, 0, pub_key_auth.Length);
92 | ASN1.CloseTag(packet, "OctetString");
93 | ASN1.CloseTag(packet, "CTX_PubKeyAuth");
94 | }
95 |
96 | ASN1.CloseTag(packet, "TSRequest");
97 |
98 | Send(packet);
99 | }
100 |
101 | private static void ProcesssResponse(RdpPacket packet, byte[] ServerPublicKey)
102 | {
103 | ASN1.ReadTag(packet, ASN1.SequenceTag(0), "TSRequest");
104 | ASN1.ReadTag(packet, ASN1.ContextTag(0), "CTX_Version");
105 |
106 | if (ASN1.ReadInteger(packet) < 2)
107 | {
108 | throw new Exception("TSRequest version not supported!");
109 | }
110 |
111 | ASN1.CloseTag(packet, "CTX_Version");
112 | byte[] buffer = null;
113 | int num2 = ASN1.ReadTag(packet, "Tag");
114 |
115 | if (num2 == ASN1.ContextTag(1))
116 | {
117 | ASN1.ReadTag(packet, ASN1.SequenceTag(0), "NegTokens");
118 | ASN1.ReadTag(packet, ASN1.SequenceTag(0), "NegTokens2");
119 | ASN1.ReadTag(packet, ASN1.ContextTag(0), "CTX_OctetString");
120 | m_ChallengeMsg = new byte[ASN1.ReadTag(packet, ASN1.OctetStringTag(), "OctetString")];
121 | packet.Read(m_ChallengeMsg, 0, m_ChallengeMsg.Length);
122 | ASN1.CloseTag(packet, "OctetString");
123 | ASN1.CloseTag(packet, "CTX_OctetString");
124 | ASN1.CloseTag(packet, "NegTokens2");
125 | ASN1.CloseTag(packet, "NegTokens");
126 | }
127 | else if (num2 == ASN1.ContextTag(3))
128 | {
129 | buffer = new byte[ASN1.ReadTag(packet, ASN1.OctetStringTag(), "OctetString")];
130 | packet.Read(buffer, 0, buffer.Length);
131 | ASN1.CloseTag(packet, "OctetString");
132 | }
133 |
134 | ASN1.CloseTag(packet, "Tag");
135 | ASN1.CloseTag(packet, "TSRequest");
136 |
137 | if (buffer != null)
138 | {
139 | byte[] buffer2 = m_NTLMAuthenticate.DecryptMessage(buffer);
140 | buffer2[0] = (byte) (buffer2[0] - 1);
141 | if (!NTLM.CompareArray(buffer2, ServerPublicKey))
142 | {
143 | throw new Exception("Unable to verify the server's public key!");
144 | }
145 | buffer2[0] = (byte) (buffer2[0] + 1);
146 | SendTSRequest(null, WriteTSCredentials(), null);
147 | m_bAuthenticated = true;
148 | }
149 | else
150 | {
151 | ReadNegoToken(m_ChallengeMsg, ServerPublicKey);
152 | }
153 | }
154 |
155 | private static void ReadNegoToken(byte[] Challenge, byte[] ServerPublicKey)
156 | {
157 | RdpPacket negoTokens = new RdpPacket();
158 | byte[] buffer = m_NTLMAuthenticate.ProcessChallenge(Challenge);
159 | negoTokens.Write(buffer, 0, buffer.Length);
160 | negoTokens.Position = 0L;
161 | byte[] buffer2 = m_NTLMAuthenticate.EncryptMessage(ServerPublicKey);
162 |
163 | SendTSRequest(negoTokens, null, buffer2);
164 | }
165 |
166 | private static RdpPacket Receive()
167 | {
168 | byte[] buffer = new byte[0x2000];
169 | int length = Network.Receive(buffer);
170 | NTLM.DumpHex(buffer, length, "Receive");
171 |
172 | RdpPacket packet = new RdpPacket();
173 | packet.Write(buffer, 0, length);
174 | packet.Position = 0L;
175 |
176 | return packet;
177 | }
178 |
179 | private static byte[] ReceiveNTLMv2()
180 | {
181 | byte[] buffer = new byte[0x2000];
182 | int length = Network.Receive(buffer);
183 |
184 | return buffer;
185 | }
186 |
187 | private static void Send(RdpPacket packet)
188 | {
189 | packet.Position = 0L;
190 | byte[] buffer = new byte[packet.Length];
191 | packet.Read(buffer, 0, (int) packet.Length);
192 | NTLM.DumpHex(buffer, (int) packet.Length, "Send");
193 |
194 | Network.Send(buffer);
195 | }
196 |
197 | public static RdpPacket WriteNegoToken()
198 | {
199 | m_NTLMAuthenticate = new NTLM(Network.OpenSocket, Options.Username, Options.Password, Options.Domain);
200 | byte[] buffer = m_NTLMAuthenticate.Negotiate();
201 | RdpPacket packet = new RdpPacket();
202 | packet.Write(buffer, 0, buffer.Length);
203 | packet.Position = 0L;
204 |
205 | return packet;
206 | }
207 |
208 | private static byte[] WriteTSCredentials()
209 | {
210 | RdpPacket packet = new RdpPacket();
211 | ASN1.WriteTag(packet, ASN1.SequenceTag(0), "SEQ_TSCRED");
212 | ASN1.WriteTag(packet, ASN1.ContextTag(0), "CTX_credType");
213 | ASN1.WriteInteger(packet, 1);
214 | ASN1.CloseTag(packet, "CTX_credType");
215 | ASN1.WriteTag(packet, ASN1.ContextTag(1), "CTX_credentials");
216 | ASN1.WriteTag(packet, ASN1.OctetStringTag(), "CTX_OctetString");
217 | ASN1.WriteTag(packet, ASN1.SequenceTag(0), "SEQ_Credentials");
218 | ASN1.WriteTag(packet, ASN1.ContextTag(0), "CTX_domain");
219 | ASN1.WriteTag(packet, ASN1.OctetStringTag(), "OctectString");
220 | byte[] bytes = Encoding.Unicode.GetBytes(Options.Domain);
221 | packet.Write(bytes, 0, bytes.Length);
222 | ASN1.CloseTag(packet, "OctectString");
223 | ASN1.CloseTag(packet, "CTX_domain");
224 | ASN1.WriteTag(packet, ASN1.ContextTag(1), "CTX_user");
225 | ASN1.WriteTag(packet, ASN1.OctetStringTag(), "OctectString");
226 | byte[] buffer = Encoding.Unicode.GetBytes(Options.Username);
227 | packet.Write(buffer, 0, buffer.Length);
228 | ASN1.CloseTag(packet, "OctectString");
229 | ASN1.CloseTag(packet, "CTX_user");
230 | ASN1.WriteTag(packet, ASN1.ContextTag(2), "CTX_password");
231 | ASN1.WriteTag(packet, ASN1.OctetStringTag(), "OctectString");
232 | byte[] buffer3 = Encoding.Unicode.GetBytes(Options.Password);
233 | packet.Write(buffer3, 0, buffer3.Length);
234 | ASN1.CloseTag(packet, "OctectString");
235 | ASN1.CloseTag(packet, "CTX_password");
236 | ASN1.CloseTag(packet, "SEQ_Credentials");
237 | ASN1.CloseTag(packet, "CTX_OctetString");
238 | ASN1.CloseTag(packet, "CTX_credentials");
239 | ASN1.CloseTag(packet, "SEQ_TSCRED");
240 | byte[] buffer4 = new byte[packet.Length];
241 | packet.Position = 0L;
242 | packet.Read(buffer4, 0, buffer4.Length);
243 |
244 | return m_NTLMAuthenticate.EncryptMessage(buffer4);
245 | }
246 |
247 | }
248 | }
--------------------------------------------------------------------------------
/SmbInfo/SmbInfo/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Collections.Specialized;
4 | using System.Net.Sockets;
5 | using System.Text;
6 | using System.Threading.Tasks;
7 |
8 | namespace SmbInfo
9 | {
10 | class Program
11 | {
12 | static void Main(string[] args)
13 | {
14 | string host = args[0];
15 | int port = int.Parse(args[1]);
16 |
17 | byte[] SMBClientReceive = new byte[2048];
18 |
19 | TcpClient SMB_Client = new TcpClient();
20 | IAsyncResult result = SMB_Client.BeginConnect(host, 445, null, null);
21 | bool success = result.AsyncWaitHandle.WaitOne(5000, true);
22 | if (!SMB_Client.Connected)
23 | {
24 | Console.WriteLine($@"target {host} SMBInfo can't connect!");
25 | return;
26 | }
27 |
28 | NetworkStream SMB_Client_Stream = SMB_Client.GetStream();
29 | NTLMInfo ntlminfo = new NTLMInfo();
30 | SMBPacket SMBPackets = new SMBPacket();
31 | if (port == 139)
32 | {
33 | SendStream(SMB_Client_Stream, GetNtbiosTCPData());
34 | }
35 |
36 | try
37 | {
38 | SMBClientReceive = SendStream(SMB_Client_Stream, GetNegotiateSMBv1Data());
39 | if (BitConverter.ToString(SMBClientReceive).Replace("-", "").Substring(78, 2) == "0F")
40 | {
41 | ntlminfo.SMBsigning = true;
42 | }
43 | else
44 | {
45 | ntlminfo.SMBsigning = false;
46 | }
47 | SMBClientReceive = SendStream(SMB_Client_Stream, GetNTLMSSPNegotiatev1Data());
48 |
49 | int len = BitConverter.ToInt16(SMBClientReceive, 43);
50 |
51 | string[] ss = null;
52 |
53 | if (Encoding.Unicode.GetString(SMBClientReceive, len + 47, SMBClientReceive.Length - len - 47).Split('\0')[0].ToLower().IndexOf("windows") > -1)
54 | {
55 | ss = Encoding.Unicode.GetString(SMBClientReceive, len + 47, SMBClientReceive.Length - len - 47).Split('\0');
56 | }
57 | else
58 | {
59 | ss = Encoding.Unicode.GetString(SMBClientReceive, len + 48, SMBClientReceive.Length - len - 48).Split('\0');
60 | }
61 |
62 | //Console.WriteLine(ss);
63 | ntlminfo.NativeOs = ss[0];
64 | ntlminfo.NativeLanManager = ss[1];
65 | ntlminfo = GetNTLMInfo(SMBClientReceive, ntlminfo);
66 | Console.WriteLine($@"target {host} SMBInfo: {ntlminfo.NativeOs} ({ntlminfo.NativeLanManager}), Version {ntlminfo.OsVersion} Build {ntlminfo.OsBuildNumber}, Domain Name {ntlminfo.NbtDoaminName}, Computer Name {ntlminfo.NbtComputer}, Dns Suffix {ntlminfo.DnsDomainName}, Tree Dns ComputerName {ntlminfo.DnsComputerName}, SMB Signing {ntlminfo.SMBsigning}");
67 | }
68 | catch
69 | {
70 | if (!SMB_Client.Connected)
71 | {
72 | SMB_Client = new TcpClient();
73 | SMB_Client.Connect(host, port);
74 | SMB_Client_Stream = SMB_Client.GetStream();
75 | }
76 | SMBClientReceive = SendStream(SMB_Client_Stream, GetNegotiateSMBv2Data1());
77 | if (BitConverter.ToString(new byte[] { SMBClientReceive[4], SMBClientReceive[5], SMBClientReceive[6], SMBClientReceive[7] }).ToLower() == "ff-53-4d-42")
78 | {
79 | Console.WriteLine($@"target {host} Could not connect with SMBv2");
80 | }
81 | else
82 | {
83 | if (BitConverter.ToString(new byte[] { SMBClientReceive[70] }) == "03")
84 | {
85 | ntlminfo.SMBsigning = true;
86 | SMBPackets.SMB_Signing = true;
87 | SMBPackets.SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
88 | SMBPackets.SMB_Negotiate_Flags = new byte[] { 0x15, 0x82, 0x08, 0xa0 };
89 | }
90 | else
91 | {
92 | SMBPackets.SMB_Signing = false;
93 | ntlminfo.SMBsigning = false;
94 | SMBPackets.SMB_Session_Key_Length = new byte[] { 0x00, 0x00 };
95 | SMBPackets.SMB_Negotiate_Flags = new byte[] { 0x05, 0x80, 0x08, 0xa0 };
96 | }
97 | SendStream(SMB_Client_Stream, GetNegotiateSMBv2Data2());
98 | SMBClientReceive = SendStream(SMB_Client_Stream, GetNTLMSSPNegotiatev2Data(SMBPackets));
99 | ntlminfo = GetNTLMInfo(SMBClientReceive, ntlminfo);
100 | Console.WriteLine($@"target {host} SMBInfo: Windows Version {ntlminfo.OsVersion} Build {ntlminfo.OsBuildNumber}, Domain Name {ntlminfo.NbtDoaminName}, Computer Name {ntlminfo.NbtComputer}, Dns Suffix {ntlminfo.DnsDomainName}, Tree Dns ComputerName {ntlminfo.DnsComputerName}, SMB Signing {ntlminfo.SMBsigning}, TimeStamp {ntlminfo.TimeStamp}");
101 | }
102 |
103 | }
104 | }
105 |
106 | public static byte[] GetNtbiosTCPData()
107 | {
108 | byte[] NtbiosTCPData ={
109 | 0x81,0x00,0x00,0x44,0x20,0x43,0x4b,0x46,0x44,0x45,0x4e,0x45,0x43,0x46,0x44,0x45
110 | ,0x46,0x46,0x43,0x46,0x47,0x45,0x46,0x46,0x43,0x43,0x41,0x43,0x41,0x43,0x41,0x43
111 | ,0x41,0x43,0x41,0x43,0x41,0x00,0x20,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43
112 | ,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43
113 | ,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00
114 | };
115 | return NtbiosTCPData;
116 | }
117 |
118 | public static byte[] GetNegotiateSMBv1Data()
119 | {
120 | byte[] NegotiateSMBv1Data ={
121 | 0x00, 0x00, 0x00, 0x85, 0xFF, 0x53, 0x4D, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xC8,
122 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
123 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4E, 0x45, 0x54, 0x57, 0x4F,
124 | 0x52, 0x4B, 0x20, 0x50, 0x52, 0x4F, 0x47, 0x52, 0x41, 0x4D, 0x20, 0x31, 0x2E, 0x30, 0x00, 0x02,
125 | 0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x31, 0x2E, 0x30, 0x00, 0x02, 0x57, 0x69, 0x6E, 0x64, 0x6F,
126 | 0x77, 0x73, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x57, 0x6F, 0x72, 0x6B, 0x67, 0x72, 0x6F, 0x75, 0x70,
127 | 0x73, 0x20, 0x33, 0x2E, 0x31, 0x61, 0x00, 0x02, 0x4C, 0x4D, 0x31, 0x2E, 0x32, 0x58, 0x30, 0x30,
128 | 0x32, 0x00, 0x02, 0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x32, 0x2E, 0x31, 0x00, 0x02, 0x4E, 0x54,
129 | 0x20, 0x4C, 0x4D, 0x20, 0x30, 0x2E, 0x31, 0x32, 0x00
130 | };
131 | return NegotiateSMBv1Data;
132 | }
133 |
134 | public static byte[] GetNTLMSSPNegotiatev1Data()
135 | {
136 |
137 | byte[] NTLMSSPNegotiatev1Data ={
138 | 0x00, 0x00, 0x01, 0x0A, 0xFF, 0x53, 0x4D, 0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8,
139 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
140 | 0x00, 0x00, 0x40, 0x00, 0x0C, 0xFF, 0x00, 0x0A, 0x01, 0x04, 0x41, 0x32, 0x00, 0x00, 0x00, 0x00,
141 | 0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0xA0, 0xCF, 0x00, 0x60,
142 | 0x48, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02, 0xA0, 0x3E, 0x30, 0x3C, 0xA0, 0x0E, 0x30,
143 | 0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0A, 0xA2, 0x2A, 0x04,
144 | 0x28, 0x4E, 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x82, 0x08,
145 | 0xA2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
146 | 0x00, 0x05, 0x02, 0xCE, 0x0E, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00,
147 | 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,
148 | 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00,
149 | 0x20, 0x00, 0x33, 0x00, 0x37, 0x00, 0x39, 0x00, 0x30, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
150 | 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,
151 | 0x63, 0x00, 0x6B, 0x00, 0x20, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,
152 | 0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
153 | 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,
154 | 0x33, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2E, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00
155 | };
156 | return NTLMSSPNegotiatev1Data;
157 | }
158 | public static byte[] GetNegotiateSMBv2Data1()
159 | {
160 | byte[] NegotiateSMBData ={
161 | 0x00, 0x00, 0x00, 0x45, 0xFF, 0x53, 0x4D, 0x42, 0x72, 0x00,
162 | 0x00, 0x00, 0x00, 0x18, 0x01, 0x48, 0x00, 0x00, 0x00, 0x00,
163 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
164 | 0xAC, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x00, 0x02,
165 | 0x4E, 0x54, 0x20, 0x4C, 0x4D, 0x20, 0x30, 0x2E, 0x31, 0x32,
166 | 0x00, 0x02, 0x53, 0x4D, 0x42, 0x20, 0x32, 0x2E, 0x30, 0x30,
167 | 0x32, 0x00, 0x02, 0x53, 0x4D, 0x42, 0x20, 0x32, 0x2E, 0x3F,
168 | 0x3F, 0x3F, 0x00
169 | };
170 | return NegotiateSMBData;
171 | }
172 |
173 | public static byte[] GetNegotiateSMBv2Data2()
174 | {
175 | byte[] NegotiateSMB2Data = {
176 | 0x00, 0x00, 0x00, 0x68, 0xFE, 0x53, 0x4D, 0x42, 0x40, 0x00,
177 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
178 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
179 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
180 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
181 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
182 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
183 | 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
184 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
185 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
186 | 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x10, 0x02
187 | };
188 | return NegotiateSMB2Data;
189 | }
190 |
191 |
192 | public static byte[] GetNTLMSSPNegotiatev2Data(SMBPacket SMBPackets)
193 | {
194 | byte[] NTLMSSPNegotiateData = {
195 | 0x00, 0x00, 0x00, 0x9A, 0xFE, 0x53, 0x4D, 0x42, 0x40, 0x00,
196 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
197 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
198 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
199 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
200 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
201 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x00,
202 | 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
203 | 0x58, 0x00, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
204 | 0x00, 0x00, 0x60, 0x40, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05,
205 | 0x05, 0x02, 0xA0, 0x36, 0x30, 0x34, 0xA0, 0x0E, 0x30, 0x0C,
206 | 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02,
207 | 0x02, 0x0A, 0xA2, 0x22, 0x04, 0x20, 0x4E, 0x54, 0x4C, 0x4D,
208 | 0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00,
209 | SMBPackets.SMB_Negotiate_Flags[0], SMBPackets.SMB_Negotiate_Flags[1],
210 | SMBPackets.SMB_Negotiate_Flags[2], SMBPackets.SMB_Negotiate_Flags[3],
211 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
212 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
213 | };
214 | return NTLMSSPNegotiateData;
215 |
216 | }
217 |
218 | public static byte[] SendStream(NetworkStream stream, byte[] BytesToSend)
219 | {
220 | byte[] BytesReceived = new byte[2048];
221 | stream.Write(BytesToSend, 0, BytesToSend.Length);
222 | stream.Flush();
223 | stream.Read(BytesReceived, 0, BytesReceived.Length);
224 | return BytesReceived;
225 | }
226 |
227 |
228 | public class SMBPacket
229 | {
230 | public OrderedDictionary Packet_SMB_Header { get; set; }
231 | public OrderedDictionary Packet_SMB2_Header { get; set; }
232 | public OrderedDictionary Packet_SMB_Data { get; set; }
233 | public OrderedDictionary Packet_SMB2_Data { get; set; }
234 | public OrderedDictionary Packet_NTLMSSP_Negotiate { get; set; }
235 | public OrderedDictionary Packet_NTLMSSP_Auth { get; set; }
236 | public OrderedDictionary Packet_RPC_Data { get; set; }
237 | public OrderedDictionary Packet_SCM_Data { get; set; }
238 | public bool SMB_Signing { get; set; }
239 | public byte[] SMB_Session_ID { get; set; }
240 | public byte[] SMB_Session_Key_Length { get; set; }
241 | public byte[] SMB_Negotiate_Flags { get; set; }
242 | public byte[] Session_Key { get; set; }
243 | }
244 |
245 | public class NTLMInfo
246 | {
247 | public string NativeOs { get; set; }
248 | public string NativeLanManager { get; set; }
249 | public string NbtDoaminName { get; set; }
250 | public string NbtComputer { get; set; }
251 | public string DomainName { get; set; }
252 | public short OsBuildNumber { get; set; }
253 |
254 | public string OsVersion { get; set; }
255 | public string DnsComputerName { get; set; }
256 | public string DnsDomainName { get; set; }
257 | public string DNSTreeName { get; set; }
258 | public DateTime TimeStamp { get; set; }
259 | public bool SMBsigning { get; set; }
260 | }
261 |
262 | public static NTLMInfo GetNTLMInfo(byte[] buf, NTLMInfo ntlminfo)
263 | {
264 | string NTLMSSP_Negotiate = BitConverter.ToString(buf).Replace("-", "");
265 | int off;
266 | off = NTLMSSP_Negotiate.IndexOf("4E544C4D53535000") / 2;
267 | int NTLMSSP_Negotiate_Len = (NTLMSSP_Negotiate.Length - NTLMSSP_Negotiate.IndexOf("4E544C4D53535000")) / 2;
268 | byte[] ntlm = new byte[NTLMSSP_Negotiate_Len];
269 | Array.Copy(buf, off, ntlm, 0, NTLMSSP_Negotiate_Len);
270 |
271 | NTLMSSP_Negotiate_Len = BitConverter.ToInt16(ntlm, 0xc);
272 | off = BitConverter.ToInt16(ntlm, 0x10);
273 | ntlminfo.OsBuildNumber = BitConverter.ToInt16(ntlm, off - 6);
274 | ntlminfo.OsVersion = $@"{ntlm[off - 8]}.{ntlm[off - 7]}";
275 |
276 | off += NTLMSSP_Negotiate_Len;
277 | int type = BitConverter.ToInt16(ntlm, off);
278 |
279 | while (type != 0)
280 | {
281 | off += 2;
282 | NTLMSSP_Negotiate_Len = BitConverter.ToInt16(ntlm, off);
283 | off += 2;
284 | switch (type)
285 | {
286 | case 1:
287 | {
288 | ntlminfo.NbtComputer = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
289 | //Console.WriteLine("NetBIOS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
290 | break;
291 | }
292 | case 2:
293 | {
294 | ntlminfo.NbtDoaminName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
295 | //Console.WriteLine("NetBIOS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
296 | break;
297 | }
298 | case 3:
299 | {
300 | ntlminfo.DnsComputerName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
301 | //Console.WriteLine("DNS computer name: " + Encoding.Unicode.GetString(ntlm, off, len));
302 | break;
303 | }
304 | case 4:
305 | {
306 | ntlminfo.DnsDomainName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
307 | //Console.WriteLine("DNS domain name: " + Encoding.Unicode.GetString(ntlm, off, len));
308 | break;
309 | }
310 | case 5:
311 | {
312 | ntlminfo.DNSTreeName = Encoding.Unicode.GetString(ntlm, off, NTLMSSP_Negotiate_Len);
313 | //Console.WriteLine("DNS tree name: " + Encoding.Unicode.GetString(ntlm, off, len));
314 | break;
315 | }
316 | case 7:
317 | {
318 | ntlminfo.TimeStamp = DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off));
319 | //Console.WriteLine("time stamp: {0:o}", DateTime.FromFileTime(BitConverter.ToInt64(ntlm, off)));
320 | break;
321 | }
322 | default:
323 | {
324 | //Console.Write("Unknown type {0}, data: ", type);
325 | for (int i = 0; i < NTLMSSP_Negotiate_Len; i++)
326 | {
327 | Console.Write(ntlm[i + off].ToString("X2"));
328 | }
329 | Console.WriteLine();
330 | break;
331 | }
332 | }
333 | off += NTLMSSP_Negotiate_Len;
334 | type = BitConverter.ToInt16(ntlm, off);
335 | }
336 |
337 | return ntlminfo;
338 | }
339 | }
340 | }
341 |
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Encoding/ASCIIEncoding.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | namespace SharpRDPCheck
6 | {
7 | internal class ASCIIEncoding
8 | {
9 | public static byte[] GetBytes(string sString)
10 | {
11 | return GetBytes(sString, false);
12 | }
13 |
14 | public static byte[] GetBytes(string sString, bool bQuiet)
15 | {
16 | List list = new List();
17 | foreach (char ch in sString)
18 | {
19 | if ((ch >= 'a') && (ch <= 'z'))
20 | {
21 | int num = ((byte) ch) - 0x61;
22 | list.Add((byte) (0x61 + num));
23 | continue;
24 | }
25 |
26 | if ((ch >= 'A') && (ch <= 'Z'))
27 | {
28 | int num2 = ((byte) ch) - 0x41;
29 | list.Add((byte) (0x41 + num2));
30 | continue;
31 | }
32 |
33 | if ((ch >= '0') && (ch <= '9'))
34 | {
35 | int num3 = ((byte) ch) - 0x30;
36 | list.Add((byte) (0x30 + num3));
37 | continue;
38 | }
39 |
40 | switch (ch)
41 | {
42 | case '\0':
43 | {
44 | list.Add(0);
45 | continue;
46 | }
47 | case '\n':
48 | {
49 | list.Add(10);
50 | continue;
51 | }
52 | case '\r':
53 | {
54 | list.Add(13);
55 | continue;
56 | }
57 | case ' ':
58 | {
59 | list.Add(0x20);
60 | continue;
61 | }
62 | case '!':
63 | {
64 | list.Add(0x21);
65 | continue;
66 | }
67 | case '"':
68 | {
69 | list.Add(0x22);
70 | continue;
71 | }
72 | case '#':
73 | {
74 | list.Add(0x23);
75 | continue;
76 | }
77 | case '$':
78 | {
79 | list.Add(0x24);
80 | continue;
81 | }
82 | case '%':
83 | {
84 | list.Add(0x25);
85 | continue;
86 | }
87 | case '&':
88 | {
89 | list.Add(0x26);
90 | continue;
91 | }
92 | case '\'':
93 | {
94 | list.Add(0x27);
95 | continue;
96 | }
97 | case '(':
98 | {
99 | list.Add(40);
100 | continue;
101 | }
102 | case ')':
103 | {
104 | list.Add(0x29);
105 | continue;
106 | }
107 | case '*':
108 | {
109 | list.Add(0x2a);
110 | continue;
111 | }
112 | case '+':
113 | {
114 | list.Add(0x2b);
115 | continue;
116 | }
117 | case ',':
118 | {
119 | list.Add(0x2c);
120 | continue;
121 | }
122 | case '-':
123 | {
124 | list.Add(0x2d);
125 | continue;
126 | }
127 | case '.':
128 | {
129 | list.Add(0x2e);
130 | continue;
131 | }
132 | case '/':
133 | {
134 | list.Add(0x2f);
135 | continue;
136 | }
137 | case ':':
138 | {
139 | list.Add(0x3a);
140 | continue;
141 | }
142 | case ';':
143 | {
144 | list.Add(0x3b);
145 | continue;
146 | }
147 | case '<':
148 | {
149 | list.Add(60);
150 | continue;
151 | }
152 | case '=':
153 | {
154 | list.Add(0x3d);
155 | continue;
156 | }
157 | case '>':
158 | {
159 | list.Add(0x3e);
160 | continue;
161 | }
162 | case '?':
163 | {
164 | list.Add(0x3f);
165 | continue;
166 | }
167 | case '@':
168 | {
169 | list.Add(0x40);
170 | continue;
171 | }
172 | case '[':
173 | {
174 | list.Add(0x5b);
175 | continue;
176 | }
177 | case '\\':
178 | {
179 | list.Add(0x5c);
180 | continue;
181 | }
182 | case ']':
183 | {
184 | list.Add(0x5d);
185 | continue;
186 | }
187 | case '^':
188 | {
189 | list.Add(0x5e);
190 | continue;
191 | }
192 | case '_':
193 | {
194 | list.Add(0x5f);
195 | continue;
196 | }
197 | case '`':
198 | {
199 | list.Add(0x60);
200 | continue;
201 | }
202 | case '{':
203 | {
204 | list.Add(0x7b);
205 | continue;
206 | }
207 | case '|':
208 | {
209 | list.Add(0x7c);
210 | continue;
211 | }
212 | case '}':
213 | {
214 | list.Add(0x7d);
215 | continue;
216 | }
217 | case '~':
218 | {
219 | list.Add(0x7e);
220 | continue;
221 | }
222 | case '\x00a1':
223 | {
224 | list.Add(0xa1);
225 | continue;
226 | }
227 | case '\x00a2':
228 | {
229 | list.Add(0xa2);
230 | continue;
231 | }
232 | case '\x00a3':
233 | {
234 | list.Add(0xa3);
235 | continue;
236 | }
237 | case '\x00a4':
238 | {
239 | list.Add(0xa4);
240 | continue;
241 | }
242 | case '\x00a5':
243 | {
244 | list.Add(0xa5);
245 | continue;
246 | }
247 | case '\x00a6':
248 | {
249 | list.Add(0xa6);
250 | continue;
251 | }
252 | case '\x00a7':
253 | {
254 | list.Add(0xa7);
255 | continue;
256 | }
257 | case '\x00a8':
258 | {
259 | list.Add(0xa8);
260 | continue;
261 | }
262 | case '\x00a9':
263 | {
264 | list.Add(0xa9);
265 | continue;
266 | }
267 | case '\x00aa':
268 | {
269 | list.Add(170);
270 | continue;
271 | }
272 | case '\x00ab':
273 | {
274 | list.Add(0xab);
275 | continue;
276 | }
277 | case '\x00ac':
278 | {
279 | list.Add(0xac);
280 | continue;
281 | }
282 | case '\x00ae':
283 | {
284 | list.Add(0xae);
285 | continue;
286 | }
287 | case '\x00af':
288 | {
289 | list.Add(0xaf);
290 | continue;
291 | }
292 | case '\x00b0':
293 | {
294 | list.Add(0xb0);
295 | continue;
296 | }
297 | case '\x00b1':
298 | {
299 | list.Add(0xb1);
300 | continue;
301 | }
302 | case '\x00b2':
303 | {
304 | list.Add(0xb2);
305 | continue;
306 | }
307 | case '\x00b3':
308 | {
309 | list.Add(0xb3);
310 | continue;
311 | }
312 | case '\x00b4':
313 | {
314 | list.Add(180);
315 | continue;
316 | }
317 | case '\x00b5':
318 | {
319 | list.Add(0xb5);
320 | continue;
321 | }
322 | case '\x00b6':
323 | {
324 | list.Add(0xb6);
325 | continue;
326 | }
327 | case '\x00b7':
328 | {
329 | list.Add(0xb7);
330 | continue;
331 | }
332 | case '\x00b8':
333 | {
334 | list.Add(0xb8);
335 | continue;
336 | }
337 | case '\x00b9':
338 | {
339 | list.Add(0xb9);
340 | continue;
341 | }
342 | case '\x00ba':
343 | {
344 | list.Add(0xba);
345 | continue;
346 | }
347 | case '\x00bb':
348 | {
349 | list.Add(0xbb);
350 | continue;
351 | }
352 | case '\x00bc':
353 | {
354 | list.Add(0xbc);
355 | continue;
356 | }
357 | case '\x00bd':
358 | {
359 | list.Add(0xbd);
360 | continue;
361 | }
362 | case '\x00be':
363 | {
364 | list.Add(190);
365 | continue;
366 | }
367 | case '\x00bf':
368 | {
369 | list.Add(0xbf);
370 | continue;
371 | }
372 | case '\x00c0':
373 | {
374 | list.Add(0xc0);
375 | continue;
376 | }
377 | case '\x00c1':
378 | {
379 | list.Add(0xc1);
380 | continue;
381 | }
382 | case '\x00c2':
383 | {
384 | list.Add(0xc2);
385 | continue;
386 | }
387 | case '\x00c3':
388 | {
389 | list.Add(0xc3);
390 | continue;
391 | }
392 | case '\x00c4':
393 | {
394 | list.Add(0xc4);
395 | continue;
396 | }
397 | case '\x00c5':
398 | {
399 | list.Add(0xc5);
400 | continue;
401 | }
402 | case '\x00c6':
403 | {
404 | list.Add(0xc6);
405 | continue;
406 | }
407 | case '\x00c7':
408 | {
409 | list.Add(0xc7);
410 | continue;
411 | }
412 | case '\x00c8':
413 | {
414 | list.Add(200);
415 | continue;
416 | }
417 | case '\x00c9':
418 | {
419 | list.Add(0xc9);
420 | continue;
421 | }
422 | case '\x00ca':
423 | {
424 | list.Add(0xca);
425 | continue;
426 | }
427 | case '\x00cb':
428 | {
429 | list.Add(0xcb);
430 | continue;
431 | }
432 | case '\x00cc':
433 | {
434 | list.Add(0xcc);
435 | continue;
436 | }
437 | case '\x00cd':
438 | {
439 | list.Add(0xcd);
440 | continue;
441 | }
442 | case '\x00ce':
443 | {
444 | list.Add(0xce);
445 | continue;
446 | }
447 | case '\x00cf':
448 | {
449 | list.Add(0xcf);
450 | continue;
451 | }
452 | case '\x00d0':
453 | {
454 | list.Add(0xd0);
455 | continue;
456 | }
457 | case '\x00d1':
458 | {
459 | list.Add(0xd1);
460 | continue;
461 | }
462 | case '\x00d2':
463 | {
464 | list.Add(210);
465 | continue;
466 | }
467 | case '\x00d3':
468 | {
469 | list.Add(0xd3);
470 | continue;
471 | }
472 | case '\x00d4':
473 | {
474 | list.Add(0xd4);
475 | continue;
476 | }
477 | case '\x00d5':
478 | {
479 | list.Add(0xd5);
480 | continue;
481 | }
482 | case '\x00d6':
483 | {
484 | list.Add(0xd6);
485 | continue;
486 | }
487 | case '\x00d7':
488 | {
489 | list.Add(0xd7);
490 | continue;
491 | }
492 | case '\x00d8':
493 | {
494 | list.Add(0xd8);
495 | continue;
496 | }
497 | case '\x00d9':
498 | {
499 | list.Add(0xd9);
500 | continue;
501 | }
502 | case '\x00da':
503 | {
504 | list.Add(0xda);
505 | continue;
506 | }
507 | case '\x00db':
508 | {
509 | list.Add(0xdb);
510 | continue;
511 | }
512 | case '\x00dc':
513 | {
514 | list.Add(220);
515 | continue;
516 | }
517 | case '\x00dd':
518 | {
519 | list.Add(0xdd);
520 | continue;
521 | }
522 | case '\x00de':
523 | {
524 | list.Add(0xde);
525 | continue;
526 | }
527 | case '\x00df':
528 | {
529 | list.Add(0xdf);
530 | continue;
531 | }
532 | case '\x00e0':
533 | {
534 | list.Add(0xe0);
535 | continue;
536 | }
537 | case '\x00e1':
538 | {
539 | list.Add(0xe1);
540 | continue;
541 | }
542 | case '\x00e2':
543 | {
544 | list.Add(0xe2);
545 | continue;
546 | }
547 | case '\x00e3':
548 | {
549 | list.Add(0xe3);
550 | continue;
551 | }
552 | case '\x00e4':
553 | {
554 | list.Add(0xe4);
555 | continue;
556 | }
557 | case '\x00e5':
558 | {
559 | list.Add(0xe5);
560 | continue;
561 | }
562 | case '\x00e6':
563 | {
564 | list.Add(230);
565 | continue;
566 | }
567 | case '\x00e7':
568 | {
569 | list.Add(0xe7);
570 | continue;
571 | }
572 | case '\x00e8':
573 | {
574 | list.Add(0xe8);
575 | continue;
576 | }
577 | case '\x00e9':
578 | {
579 | list.Add(0xe9);
580 | continue;
581 | }
582 | case '\x00ea':
583 | {
584 | list.Add(0xea);
585 | continue;
586 | }
587 | case '\x00eb':
588 | {
589 | list.Add(0xeb);
590 | continue;
591 | }
592 | case '\x00ec':
593 | {
594 | list.Add(0xec);
595 | continue;
596 | }
597 | case '\x00ed':
598 | {
599 | list.Add(0xed);
600 | continue;
601 | }
602 | case '\x00ee':
603 | {
604 | list.Add(0xee);
605 | continue;
606 | }
607 | case '\x00ef':
608 | {
609 | list.Add(0xef);
610 | continue;
611 | }
612 | case '\x00f0':
613 | {
614 | list.Add(240);
615 | continue;
616 | }
617 | case '\x00f1':
618 | {
619 | list.Add(0xf1);
620 | continue;
621 | }
622 | case '\x00f2':
623 | {
624 | list.Add(0xf2);
625 | continue;
626 | }
627 | case '\x00f3':
628 | {
629 | list.Add(0xf3);
630 | continue;
631 | }
632 | case '\x00f4':
633 | {
634 | list.Add(0xf4);
635 | continue;
636 | }
637 | case '\x00f5':
638 | {
639 | list.Add(0xf5);
640 | continue;
641 | }
642 | case '\x00f6':
643 | {
644 | list.Add(0xf6);
645 | continue;
646 | }
647 | case '\x00f7':
648 | {
649 | list.Add(0xf7);
650 | continue;
651 | }
652 | case '\x00f8':
653 | {
654 | list.Add(0xf8);
655 | continue;
656 | }
657 | case '\x00f9':
658 | {
659 | list.Add(0xf9);
660 | continue;
661 | }
662 | case '\x00fa':
663 | {
664 | list.Add(250);
665 | continue;
666 | }
667 | case '\x00fb':
668 | {
669 | list.Add(0xfb);
670 | continue;
671 | }
672 | case '\x00fc':
673 | {
674 | list.Add(0xfc);
675 | continue;
676 | }
677 | case '\x00fd':
678 | {
679 | list.Add(0xfd);
680 | continue;
681 | }
682 | case '\x00fe':
683 | {
684 | list.Add(0xfe);
685 | continue;
686 | }
687 | case '\x00ff':
688 | {
689 | list.Add(0xff);
690 | continue;
691 | }
692 | case 'Œ':
693 | {
694 | list.Add(140);
695 | continue;
696 | }
697 | case 'œ':
698 | {
699 | list.Add(0x9c);
700 | continue;
701 | }
702 | case 'Š':
703 | {
704 | list.Add(0x8a);
705 | continue;
706 | }
707 | case 'š':
708 | {
709 | list.Add(0x9a);
710 | continue;
711 | }
712 | case 'Ž':
713 | {
714 | list.Add(0x8e);
715 | continue;
716 | }
717 | case 'ž':
718 | {
719 | list.Add(0x9e);
720 | continue;
721 | }
722 | case 'ƒ':
723 | {
724 | list.Add(0x83);
725 | continue;
726 | }
727 | case 'Ÿ':
728 | {
729 | list.Add(0x9f);
730 | continue;
731 | }
732 | case '–':
733 | {
734 | list.Add(150);
735 | continue;
736 | }
737 | case '—':
738 | {
739 | list.Add(0x97);
740 | continue;
741 | }
742 | case '‘':
743 | {
744 | list.Add(0x91);
745 | continue;
746 | }
747 | case '’':
748 | {
749 | list.Add(0x92);
750 | continue;
751 | }
752 | case '‚':
753 | {
754 | list.Add(130);
755 | continue;
756 | }
757 | case '“':
758 | {
759 | list.Add(0x93);
760 | continue;
761 | }
762 | case '”':
763 | {
764 | list.Add(0x94);
765 | continue;
766 | }
767 | case '„':
768 | {
769 | list.Add(0x84);
770 | continue;
771 | }
772 | case '†':
773 | {
774 | list.Add(0x86);
775 | continue;
776 | }
777 | case '‡':
778 | {
779 | list.Add(0x87);
780 | continue;
781 | }
782 | case '•':
783 | {
784 | list.Add(0x95);
785 | continue;
786 | }
787 | case '…':
788 | {
789 | list.Add(0x85);
790 | continue;
791 | }
792 | case '˜':
793 | {
794 | list.Add(0x98);
795 | continue;
796 | }
797 | case 'ˆ':
798 | {
799 | list.Add(0x88);
800 | continue;
801 | }
802 | case '€':
803 | {
804 | list.Add(0x80);
805 | continue;
806 | }
807 | case '™':
808 | {
809 | list.Add(0x99);
810 | continue;
811 | }
812 | case '‹':
813 | {
814 | list.Add(0x8b);
815 | continue;
816 | }
817 | case '›':
818 | {
819 | list.Add(0x9b);
820 | continue;
821 | }
822 | case '‰':
823 | {
824 | list.Add(0x89);
825 | continue;
826 | }
827 | }
828 |
829 | if (!bQuiet)
830 | {
831 | throw new Exception("Invalid ASCII char: " + ch);
832 | }
833 | }
834 |
835 | return list.ToArray();
836 | }
837 |
838 | public static string GetString(byte[] bytes, int index, int count)
839 | {
840 | return Encoding.UTF8.GetString(bytes, index, count);
841 | }
842 |
843 | }
844 | }
--------------------------------------------------------------------------------
/RdpInfo/RdpInfo/RdpFull/Protocol/Negotiation/NTLM.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Security.Cryptography;
4 | using System.Text;
5 |
6 | namespace SharpRDPCheck
7 | {
8 | internal class NTLM
9 | {
10 | private byte[] ClientSealingKey;
11 | private byte[] ClientSigningKey;
12 | private bool m_bNTLMv2 = true;
13 | private byte[] m_ChallengeMsg;
14 | private RC4 m_ClientSealingRC4;
15 | private byte[] m_NegotiateMsg;
16 | private uint m_ReceiveSequenceNum;
17 | private string m_sDomain;
18 | private RC4 m_ServerSealingRC4;
19 | private uint m_SigningSequenceNum;
20 | private NetworkSocket m_Socket;
21 | private string m_sPassword;
22 | private string m_sUsername;
23 | private string m_sWorkstation;
24 | private const int NTLMSSP_AUTHENTICATE = 3;
25 | private const int NTLMSSP_CHALLENGE = 2;
26 | private const int NTLMSSP_NEGOTIATE = 1;
27 | private const uint NTLMSSP_NEGOTIATE_128 = 0x20000000;
28 | private const uint NTLMSSP_NEGOTIATE_56 = 0x80000000;
29 | public static uint NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x8000;
30 | public static uint NTLMSSP_NEGOTIATE_ANONYMOUS = 0x800;
31 | public static uint NTLMSSP_NEGOTIATE_DATAGRAM = 0x40;
32 | public static uint NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY = 0x80000;
33 | public static uint NTLMSSP_NEGOTIATE_IDENTIFY = 0x100000;
34 | private const uint NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000;
35 | public static uint NTLMSSP_NEGOTIATE_LM_KEY = 0x80;
36 | public static uint NTLMSSP_NEGOTIATE_NTLM = 0x200;
37 | public static uint NTLMSSP_NEGOTIATE_OEM = 2;
38 | public static uint NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x1000;
39 | public static uint NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x2000;
40 | public static uint NTLMSSP_NEGOTIATE_SEAL = 0x20;
41 | public static uint NTLMSSP_NEGOTIATE_SIGN = 0x10;
42 | private const uint NTLMSSP_NEGOTIATE_TARGET_INFO = 0x800000;
43 | public static uint NTLMSSP_NEGOTIATE_UNICODE = 1;
44 | private const uint NTLMSSP_NEGOTIATE_VERSION = 0x2000000;
45 | public static uint NTLMSSP_REQUEST_NON_NT_SESSION_KEY = 0x400000;
46 | public static uint NTLMSSP_REQUEST_TARGET = 4;
47 | public static uint NTLMSSP_TARGET_TYPE_DOMAIN = 0x10000;
48 | public static uint NTLMSSP_TARGET_TYPE_SERVER = 0x20000;
49 | private byte[] ServerSealingKey;
50 | private byte[] ServerSigningKey;
51 |
52 | public NTLM(NetworkSocket socket, string sUsername, string sPassword, string sDomain)
53 | {
54 | this.m_Socket = socket;
55 | this.m_sUsername = sUsername;
56 | this.m_sPassword = sPassword;
57 | this.m_sDomain = sDomain;
58 | this.m_sWorkstation = Options.ClientName;
59 | this.m_bNTLMv2 = false;
60 | }
61 |
62 | private byte[] Authenticate(byte[] lmChallengeResponse, byte[] ntChallengeResponse, string sDomainName, string sUser, string sWorkstation, byte[] EncryptedRandomSessionKey, byte[] ExportedSessionKey, bool bGenerateMIC)
63 | {
64 | RdpPacket packet = new RdpPacket();
65 | uint flags = (
66 | (((((0xe2800000 | NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY) |
67 | NTLMSSP_NEGOTIATE_ALWAYS_SIGN) | NTLMSSP_NEGOTIATE_NTLM) |
68 | NTLMSSP_NEGOTIATE_SEAL) | NTLMSSP_NEGOTIATE_SIGN) |
69 | NTLMSSP_REQUEST_TARGET) | NTLMSSP_NEGOTIATE_UNICODE;
70 |
71 | DumpFlags(flags);
72 | int position = (int) packet.Position;
73 | packet.WriteString("NTLMSSP", false);
74 | packet.WriteByte(0);
75 | packet.WriteLittleEndian32(3);
76 | int num3 = ((int) packet.Position) - position;
77 | num3 += 8;
78 | num3 += 8;
79 | num3 += 8;
80 | num3 += 8;
81 | num3 += 8;
82 | num3 += 8;
83 | num3 += 4;
84 |
85 | if ((flags & 0x2000000) != 0)
86 | {
87 | num3 += 8;
88 | }
89 |
90 | if (bGenerateMIC)
91 | {
92 | num3 += 0x10;
93 | }
94 |
95 | byte[] bytes = Encoding.Unicode.GetBytes(sDomainName);
96 | byte[] buffer = Encoding.Unicode.GetBytes(sUser);
97 | byte[] buffer3 = Encoding.Unicode.GetBytes(sWorkstation);
98 | int num4 = num3;
99 | int num5 = num4 + bytes.Length;
100 | int num6 = num5 + buffer.Length;
101 | int num7 = num6 + buffer3.Length;
102 | int num8 = num7 + lmChallengeResponse.Length;
103 | int num9 = num8 + ntChallengeResponse.Length;
104 | packet.WriteLittleEndian16((ushort) lmChallengeResponse.Length);
105 | packet.WriteLittleEndian16((ushort) lmChallengeResponse.Length);
106 | packet.WriteLittleEndian32(num7);
107 | num3 += lmChallengeResponse.Length;
108 | packet.WriteLittleEndian16((ushort) ntChallengeResponse.Length);
109 | packet.WriteLittleEndian16((ushort) ntChallengeResponse.Length);
110 | packet.WriteLittleEndian32(num8);
111 | num3 += ntChallengeResponse.Length;
112 | packet.WriteLittleEndian16((ushort) bytes.Length);
113 | packet.WriteLittleEndian16((ushort) bytes.Length);
114 | packet.WriteLittleEndian32(num4);
115 | num3 += bytes.Length;
116 | packet.WriteLittleEndian16((ushort) buffer.Length);
117 | packet.WriteLittleEndian16((ushort) buffer.Length);
118 | packet.WriteLittleEndian32(num5);
119 | num3 += buffer.Length;
120 | packet.WriteLittleEndian16((ushort) buffer3.Length);
121 | packet.WriteLittleEndian16((ushort) buffer3.Length);
122 | packet.WriteLittleEndian32(num6);
123 | num3 += buffer3.Length;
124 | packet.WriteLittleEndian16((ushort) EncryptedRandomSessionKey.Length);
125 | packet.WriteLittleEndian16((ushort) EncryptedRandomSessionKey.Length);
126 | packet.WriteLittleEndian32(num9);
127 | num3 += EncryptedRandomSessionKey.Length;
128 | packet.WriteLittleEndian32(flags);
129 |
130 | if ((flags & 0x2000000) != 0)
131 | {
132 | this.WriteVersion(packet);
133 | }
134 |
135 | long num10 = packet.Position;
136 |
137 | if (bGenerateMIC)
138 | {
139 | packet.WritePadding(0x10);
140 | }
141 |
142 | packet.Write(bytes, 0, bytes.Length);
143 | packet.Write(buffer, 0, buffer.Length);
144 | packet.Write(buffer3, 0, buffer3.Length);
145 | packet.Write(lmChallengeResponse, 0, lmChallengeResponse.Length);
146 | packet.Write(ntChallengeResponse, 0, ntChallengeResponse.Length);
147 | packet.Write(EncryptedRandomSessionKey, 0, EncryptedRandomSessionKey.Length);
148 |
149 | if (bGenerateMIC)
150 | {
151 | packet.Position = 0L;
152 | byte[] buffer4 = new byte[packet.Length];
153 | packet.Read(buffer4, 0, buffer4.Length);
154 | HMACT64 hmact = new HMACT64(ExportedSessionKey);
155 | hmact.update(this.m_NegotiateMsg);
156 | hmact.update(this.m_ChallengeMsg);
157 | hmact.update(buffer4);
158 | byte[] buffer5 = hmact.digest();
159 | packet.Position = num10;
160 | packet.Write(buffer5, 0, buffer5.Length);
161 | }
162 |
163 | packet.Position = 0L;
164 | byte[] buffer6 = new byte[packet.Length];
165 | packet.Read(buffer6, 0, buffer6.Length);
166 |
167 | return buffer6;
168 | }
169 |
170 | public static bool CompareArray(byte[] array1, byte[] array2)
171 | {
172 | if (array1.Length != array2.Length)
173 | {
174 | return false;
175 | }
176 |
177 | for (int i = 0; i < array1.Length; i++)
178 | {
179 | if (array1[i] != array2[i])
180 | {
181 | return false;
182 | }
183 | }
184 |
185 | return true;
186 | }
187 |
188 | private static byte[] computeResponse(byte[] responseKey, byte[] serverChallenge, byte[] clientData, int offset, int length, out byte[] keyExchangeKey)
189 | {
190 | HMACT64 hmact = new HMACT64(responseKey);
191 | hmact.update(serverChallenge);
192 | hmact.update(clientData, offset, length);
193 | byte[] sourceArray = hmact.digest();
194 | byte[] destinationArray = new byte[sourceArray.Length + clientData.Length];
195 | Array.Copy(sourceArray, 0, destinationArray, 0, sourceArray.Length);
196 | Array.Copy(clientData, 0, destinationArray, sourceArray.Length, clientData.Length);
197 | hmact = new HMACT64(responseKey);
198 | hmact.update(sourceArray);
199 | keyExchangeKey = hmact.digest();
200 |
201 | return destinationArray;
202 | }
203 |
204 | public byte[] DecryptMessage(byte[] cryptmessage)
205 | {
206 | byte[] destinationArray = new byte[0x10];
207 | Array.Copy(cryptmessage, 0, destinationArray, 0, 0x10);
208 | byte[] message = this.m_ServerSealingRC4.crypt(cryptmessage, 0x10, cryptmessage.Length - 0x10);
209 | this.VerifySignature(message, destinationArray);
210 |
211 | return message;
212 | }
213 |
214 | private static void DumpFlags(uint flags)
215 | {
216 |
217 | }
218 |
219 | public static void DumpHex(byte[] data, int length, string sInfo)
220 | {
221 | //Console.WriteLine(sInfo);
222 | //Console.WriteLine(BitConverter.ToString(data).Replace("-", ""));
223 | //Console.WriteLine();
224 | }
225 |
226 | public byte[] EncryptMessage(byte[] message)
227 | {
228 | byte[] collection = this.m_ClientSealingRC4.crypt(message);
229 | List list = new List();
230 | list.AddRange(MakeSignature(this.m_ClientSealingRC4, this.ClientSigningKey, message, ref this.m_SigningSequenceNum));
231 | list.AddRange(collection);
232 |
233 | return list.ToArray();
234 | }
235 |
236 | private static byte[] GenerateSealKey(byte[] exportedSessionKey, byte[] constant)
237 | {
238 | List list = new List();
239 | list.AddRange(exportedSessionKey);
240 | list.AddRange(constant);
241 |
242 | return MD5.ComputeHash(list.ToArray());
243 | }
244 |
245 | private static byte[] GenerateSignKey(byte[] exportedSessionKey, byte[] constant)
246 | {
247 | List list = new List();
248 | list.AddRange(exportedSessionKey);
249 | list.AddRange(constant);
250 |
251 | return MD5.ComputeHash(list.ToArray());
252 | }
253 |
254 | private static byte[] getLMv2Response(byte[] responseKeyNT, byte[] serverChallenge, byte[] clientChallenge)
255 | {
256 | byte[] buf = new byte[0x18];
257 | HMACT64 hmact = new HMACT64(responseKeyNT);
258 | hmact.update(serverChallenge);
259 | hmact.update(clientChallenge);
260 | hmact.digest(buf, 0, 0x10);
261 | Array.Copy(clientChallenge, 0, buf, 0x10, 8);
262 |
263 | return buf;
264 | }
265 |
266 | private static byte[] getNTLMv2Response(byte[] responseKeyNT, byte[] serverChallenge, byte[] clientChallenge, byte[] nanos1601, byte[] av_pairs, out byte[] keyExchangeKey)
267 | {
268 | List list = new List { 1, 1, 0, 0, 0, 0, 0, 0 };
269 | list.AddRange(nanos1601);
270 | list.AddRange(clientChallenge);
271 | list.Add(0);
272 | list.Add(0);
273 | list.Add(0);
274 | list.Add(0);
275 | list.AddRange(av_pairs);
276 |
277 | return computeResponse(responseKeyNT, serverChallenge, list.ToArray(), 0, list.Count, out keyExchangeKey);
278 | }
279 |
280 | private void InitSignKeys(byte[] exportedSessionKey)
281 | {
282 | byte[] bytes = ASCIIEncoding.GetBytes("session key to client-to-server signing key magic constant\0");
283 | byte[] constant = ASCIIEncoding.GetBytes("session key to client-to-server sealing key magic constant\0");
284 | byte[] buffer3 = ASCIIEncoding.GetBytes("session key to server-to-client signing key magic constant\0");
285 | byte[] buffer4 = ASCIIEncoding.GetBytes("session key to server-to-client sealing key magic constant\0");
286 | this.ClientSigningKey = GenerateSignKey(exportedSessionKey, bytes);
287 | this.ServerSigningKey = GenerateSignKey(exportedSessionKey, buffer3);
288 | this.ClientSealingKey = GenerateSealKey(exportedSessionKey, constant);
289 | this.ServerSealingKey = GenerateSealKey(exportedSessionKey, buffer4);
290 | this.m_ClientSealingRC4 = new RC4();
291 | this.m_ClientSealingRC4.engineInitEncrypt(this.ClientSealingKey);
292 | this.m_ServerSealingRC4 = new RC4();
293 | this.m_ServerSealingRC4.engineInitDecrypt(this.ServerSealingKey);
294 | this.m_SigningSequenceNum = this.m_ReceiveSequenceNum = 0;
295 | }
296 |
297 |
298 | private static byte[] MakeSignature(RC4 SealKey, byte[] SignKey, byte[] message, ref uint sequenceNum)
299 | {
300 | HMACT64 hmact = new HMACT64(SignKey);
301 | byte[] bytes = BitConverter.GetBytes(sequenceNum++);
302 | hmact.update(bytes);
303 | hmact.update(message);
304 | byte[] data = hmact.digest();
305 | byte[] collection = SealKey.crypt(data, 0, 8);
306 | List list = new List { 1, 0, 0, 0 };
307 | list.AddRange(collection);
308 | list.AddRange(bytes);
309 |
310 | return list.ToArray();
311 | }
312 |
313 | public byte[] Negotiate()
314 | {
315 | RdpPacket packet = new RdpPacket();
316 | uint num = (((((((0xe2000000 | NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY) | NTLMSSP_NEGOTIATE_ALWAYS_SIGN) | NTLMSSP_NEGOTIATE_NTLM) | NTLMSSP_NEGOTIATE_SEAL) | NTLMSSP_NEGOTIATE_SIGN) | NTLMSSP_REQUEST_TARGET) | NTLMSSP_NEGOTIATE_OEM) | NTLMSSP_NEGOTIATE_UNICODE;
317 | int position = (int) packet.Position;
318 | packet.WriteString("NTLMSSP", false);
319 | packet.WriteByte(0);
320 | packet.WriteLittleEndian32(1);
321 | packet.WriteLittleEndian32(num);
322 | int num3 = ((int) packet.Position) - position;
323 | num3 += 8;
324 | num3 += 8;
325 |
326 | if ((num & 0x2000000) != 0)
327 | {
328 | num3 += 8;
329 | }
330 |
331 | packet.WriteLittleEndian16((short) 0);
332 | packet.WriteLittleEndian16((short) 0);
333 | packet.WriteLittleEndian32(0);
334 | packet.WriteLittleEndian16((short) 0);
335 | packet.WriteLittleEndian16((short) 0);
336 | packet.WriteLittleEndian32(0);
337 |
338 | if ((num & 0x2000000) != 0)
339 | {
340 | this.WriteVersion(packet);
341 | }
342 |
343 | packet.Position = 0L;
344 | this.m_NegotiateMsg = new byte[packet.Length];
345 | packet.Read(this.m_NegotiateMsg, 0, this.m_NegotiateMsg.Length);
346 |
347 | return this.m_NegotiateMsg;
348 | }
349 |
350 | private static byte[] nTOWFv1(string password)
351 | {
352 | if (password == null)
353 | {
354 | throw new Exception("Password parameter is required");
355 | }
356 |
357 | return MD4.ComputeHash(Encoding.Unicode.GetBytes(password));
358 | }
359 |
360 | public static byte[] ConvertHexStringToBytes(string hexString)
361 | {
362 | hexString = hexString.Replace(" ", "");
363 | if (hexString.Length % 2 != 0)
364 | {
365 | throw new ArgumentException("wrong length of ntlm hash");
366 | }
367 |
368 | byte[] returnBytes = new byte[hexString.Length / 2];
369 | for (int i = 0; i < returnBytes.Length; i++)
370 | {
371 | returnBytes[i] = Convert.ToByte(hexString.Substring(i * 2, 2), 16);
372 | }
373 |
374 | return returnBytes;
375 | }
376 |
377 | private static byte[] nTOWFv2(string domain, string username, string password)
378 | {
379 | byte[] byteArray = null;
380 |
381 | if (Options.hash.Length > 0)
382 | byteArray = ConvertHexStringToBytes(Options.hash);
383 | else
384 | byteArray = nTOWFv1(password);
385 | HMACT64 hmact = new HMACT64(byteArray);
386 | hmact.update(Encoding.Unicode.GetBytes(username.ToUpper()));
387 | hmact.update(Encoding.Unicode.GetBytes(domain));
388 |
389 | return hmact.digest();
390 | }
391 |
392 | public byte[] ProcessChallenge(byte[] Challenge)
393 | {
394 | byte[] bytes;
395 | RdpPacket packet = new RdpPacket();
396 | this.m_ChallengeMsg = Challenge;
397 | packet.Write(Challenge, 0, Challenge.Length);
398 | packet.Position = 0L;
399 | long position = packet.Position;
400 |
401 | if (packet.ReadString(8) != "NTLMSSP\0")
402 | {
403 | throw new Exception("Invalid negotiation token!");
404 | }
405 |
406 | if (packet.ReadLittleEndian32() != 2)
407 | {
408 | throw new Exception("Expected challenge!");
409 | }
410 |
411 | int count = packet.ReadLittleEndian16();
412 | packet.ReadLittleEndian16();
413 | int num4 = packet.ReadLittleEndian32();
414 | uint flags = (uint) packet.ReadLittleEndian32();
415 | DumpFlags(flags);
416 | byte[] buffer = new byte[8];
417 | packet.Read(buffer, 0, 8);
418 | DumpHex(buffer, buffer.Length, "Server Challenge");
419 | byte[] buffer2 = new byte[8];
420 | packet.Read(buffer2, 0, 8);
421 | int num5 = packet.ReadLittleEndian16();
422 | packet.ReadLittleEndian16();
423 | int num6 = packet.ReadLittleEndian32();
424 |
425 | if ((flags & 0x2000000) != 0)
426 | {
427 | byte[] buffer3 = new byte[8];
428 | packet.Read(buffer3, 0, 8);
429 | }
430 |
431 | if ((flags & 0x20000000) == 0)
432 | {
433 | throw new Exception("Strong Encryption not supported by server");
434 | }
435 |
436 | byte[] buffer4 = null;
437 |
438 | if (count > 0)
439 | {
440 | buffer4 = new byte[count];
441 | packet.Position = position + num4;
442 | packet.Read(buffer4, 0, count);
443 | Encoding.Unicode.GetString(buffer4, 0, buffer4.Length);
444 | }
445 |
446 | AV_PAIRS av_pairs = new AV_PAIRS();
447 | byte[] buffer5 = null;
448 |
449 | if (num5 <= 0)
450 | {
451 | throw new Exception("No TargetInfo!");
452 | }
453 |
454 | packet.Position = position + num6;
455 | buffer5 = new byte[num5];
456 | packet.Read(buffer5, 0, num5);
457 | packet = new RdpPacket();
458 | packet.Write(buffer5, 0, buffer5.Length);
459 | packet.Position = 0L;
460 | av_pairs.Parse(packet);
461 |
462 | buffer5 = av_pairs.Serialise();
463 |
464 | byte[] data = nTOWFv2(this.m_sDomain, this.m_sUsername, this.m_sPassword);
465 |
466 | if (Network.Logger != null)
467 | {
468 | if (Network.Logger.Reading)
469 | {
470 | data = this.m_Socket.GetBlob(PacketLogger.PacketType.NTLM_ResponseKeyNT);
471 | }
472 | else
473 | {
474 | this.m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ResponseKeyNT, data);
475 | }
476 | }
477 |
478 | byte[] blob = new byte[8];
479 | RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
480 | provider.GetBytes(blob);
481 |
482 | if (Network.Logger != null)
483 | {
484 | if (Network.Logger.Reading)
485 | {
486 | blob = this.m_Socket.GetBlob(PacketLogger.PacketType.NTLM_ClientChallenge);
487 | }
488 | else
489 | {
490 | this.m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ClientChallenge, blob);
491 | }
492 | }
493 |
494 | DumpHex(blob, blob.Length, "Client Challenge");
495 | byte[] buffer8 = getLMv2Response(data, buffer, blob);
496 | DumpHex(buffer8, buffer8.Length, "LM Response");
497 |
498 | if (this.m_bNTLMv2)
499 | {
500 | Array.Clear(buffer8, 0, buffer8.Length);
501 | }
502 |
503 | bool bGenerateMIC = false;
504 |
505 | if ((av_pairs.Timestamp.length <= 0) || !this.m_bNTLMv2)
506 | {
507 | bytes = BitConverter.GetBytes(DateTime.UtcNow.ToFileTimeUtc());
508 | }
509 | else
510 | {
511 | bytes = av_pairs.Timestamp.value;
512 | bGenerateMIC = true;
513 | av_pairs.ProcessForNTLMv2();
514 | buffer5 = av_pairs.Serialise();
515 | }
516 |
517 | DumpHex(buffer5, buffer5.Length, "targetinfo");
518 | byte[] keyExchangeKey = null;
519 | byte[] buffer11 = getNTLMv2Response(data, buffer, blob, bytes, buffer5, out keyExchangeKey);
520 | DumpHex(buffer11, buffer11.Length, "NTLMv2 Response");
521 |
522 | if (Network.Logger != null)
523 | {
524 | if (Network.Logger.Reading)
525 | {
526 | keyExchangeKey = this.m_Socket.GetBlob(PacketLogger.PacketType.NTLM_KeyExchangeKey);
527 | }
528 | else
529 | {
530 | this.m_Socket.AddBlob(PacketLogger.PacketType.NTLM_KeyExchangeKey, keyExchangeKey);
531 | }
532 | }
533 |
534 | byte[] encryptedRandomSessionKey = null;
535 | byte[] buffer13 = null;
536 | buffer13 = new byte[0x10];
537 | provider.GetBytes(buffer13);
538 |
539 | if (Network.Logger != null)
540 | {
541 | if (Network.Logger.Reading)
542 | {
543 | buffer13 = this.m_Socket.GetBlob(PacketLogger.PacketType.NTLM_ExportedSessionKey);
544 | }
545 | else
546 | {
547 | this.m_Socket.AddBlob(PacketLogger.PacketType.NTLM_ExportedSessionKey, buffer13);
548 | }
549 | }
550 |
551 | encryptedRandomSessionKey = new byte[0x10];
552 | RC4 rc = new RC4();
553 | rc.engineInitEncrypt(keyExchangeKey);
554 | encryptedRandomSessionKey = rc.crypt(buffer13);
555 |
556 | if ((flags & 0x40000000) == 0)
557 | {
558 | encryptedRandomSessionKey = new byte[0];
559 | buffer13 = keyExchangeKey;
560 | }
561 |
562 | this.InitSignKeys(buffer13);
563 |
564 | return this.Authenticate(buffer8, buffer11, this.m_sDomain, this.m_sUsername, this.m_sWorkstation, encryptedRandomSessionKey, buffer13, bGenerateMIC);
565 | }
566 |
567 | private static bool TestResult(byte[] result, byte[] expected)
568 | {
569 | if (result.Length != expected.Length)
570 | {
571 | return false;
572 | }
573 |
574 | for (int i = 0; i < result.Length; i++)
575 | {
576 | if (result[i] != expected[i])
577 | {
578 | return false;
579 | }
580 | }
581 |
582 | return true;
583 | }
584 |
585 | public void VerifySignature(byte[] message, byte[] signature)
586 | {
587 | if (!CompareArray(MakeSignature(this.m_ServerSealingRC4, this.ServerSigningKey, message, ref this.m_ReceiveSequenceNum), signature))
588 | {
589 | throw new Exception("Unable to verify received message signature!");
590 | }
591 | }
592 |
593 | private void WriteVersion(RdpPacket packet)
594 | {
595 | packet.WriteByte(6);
596 | packet.WriteByte(1);
597 | packet.WriteByte(0xb0);
598 | packet.WriteByte(0x1d);
599 | packet.WriteByte(0);
600 | packet.WriteByte(0);
601 | packet.WriteByte(0);
602 | packet.WriteByte(15);
603 | }
604 |
605 | // Битовые флаги
606 | [Flags]
607 | private enum AV_ID
608 | {
609 | MsvAvEOL,
610 | MsvAvNbComputerName,
611 | MsvAvNbDomainName,
612 | MsvAvDnsComputerName,
613 | MsvAvDnsDomainName,
614 | MsvAvDnsTreeName,
615 | MsvAvFlags,
616 | MsvAvTimestamp,
617 | MsvAvRestrictions,
618 | MsvAvTargetName,
619 | MsvChannelBindings
620 | }
621 |
622 | private class AV_PAIR
623 | {
624 | public int length;
625 | public byte[] value;
626 | }
627 |
628 | private class AV_PAIRS
629 | {
630 | public NTLM.AV_PAIR ChannelBindings = new NTLM.AV_PAIR();
631 | public NTLM.AV_PAIR DnsComputerName = new NTLM.AV_PAIR();
632 | public NTLM.AV_PAIR DnsDomainName = new NTLM.AV_PAIR();
633 | public NTLM.AV_PAIR DnsTreeName = new NTLM.AV_PAIR();
634 | public int Flags;
635 | public NTLM.AV_PAIR NbComputerName = new NTLM.AV_PAIR();
636 | public NTLM.AV_PAIR NbDomainName = new NTLM.AV_PAIR();
637 | public NTLM.AV_PAIR Restrictions = new NTLM.AV_PAIR();
638 | public string sDnsComputerName;
639 | public string sDnsDomainName;
640 | public string sNbComputerName;
641 | public string sNbDomainName;
642 | public NTLM.AV_PAIR TargetName = new NTLM.AV_PAIR();
643 | public NTLM.AV_PAIR Timestamp = new NTLM.AV_PAIR();
644 |
645 | public void Parse(RdpPacket packet)
646 | {
647 | NTLM.AV_ID av_id;
648 | byte[] buffer = null;
649 | do
650 | {
651 | av_id = (NTLM.AV_ID) packet.ReadLittleEndian16();
652 | int count = packet.ReadLittleEndian16();
653 | if (count > 0)
654 | {
655 | if (av_id != NTLM.AV_ID.MsvAvFlags)
656 | {
657 | buffer = new byte[count];
658 | packet.Read(buffer, 0, count);
659 | }
660 | else
661 | {
662 | this.Flags = packet.ReadLittleEndian32();
663 | }
664 | }
665 | switch (av_id)
666 | {
667 | case NTLM.AV_ID.MsvAvNbComputerName:
668 | this.NbComputerName.length = count;
669 | this.NbComputerName.value = buffer;
670 | this.sNbComputerName = Encoding.Unicode.GetString(this.NbComputerName.value, 0, this.NbComputerName.value.Length);
671 | break;
672 |
673 | case NTLM.AV_ID.MsvAvNbDomainName:
674 | this.NbDomainName.length = count;
675 | this.NbDomainName.value = buffer;
676 | this.sNbDomainName = Encoding.Unicode.GetString(this.NbDomainName.value, 0, this.NbDomainName.value.Length);
677 | break;
678 |
679 | case NTLM.AV_ID.MsvAvDnsComputerName:
680 | this.DnsComputerName.length = count;
681 | this.DnsComputerName.value = buffer;
682 | this.sDnsComputerName = Encoding.Unicode.GetString(this.DnsComputerName.value, 0, this.DnsComputerName.value.Length);
683 | break;
684 |
685 | case NTLM.AV_ID.MsvAvDnsDomainName:
686 | this.DnsDomainName.length = count;
687 | this.DnsDomainName.value = buffer;
688 | this.sDnsDomainName = Encoding.Unicode.GetString(this.DnsDomainName.value, 0, this.DnsDomainName.value.Length);
689 | break;
690 |
691 | case NTLM.AV_ID.MsvAvDnsTreeName:
692 | this.DnsTreeName.length = count;
693 | this.DnsTreeName.value = buffer;
694 | break;
695 |
696 | case NTLM.AV_ID.MsvAvTimestamp:
697 | this.Timestamp.length = count;
698 | this.Timestamp.value = buffer;
699 | break;
700 |
701 | case NTLM.AV_ID.MsvAvRestrictions:
702 | this.Restrictions.length = count;
703 | this.Restrictions.value = buffer;
704 | break;
705 |
706 | case NTLM.AV_ID.MsvAvTargetName:
707 | this.TargetName.length = count;
708 | this.TargetName.value = buffer;
709 | break;
710 |
711 | case NTLM.AV_ID.MsvChannelBindings:
712 | this.ChannelBindings.length = count;
713 | this.ChannelBindings.value = buffer;
714 | break;
715 | }
716 | }
717 | while (av_id != NTLM.AV_ID.MsvAvEOL);
718 | }
719 |
720 | public void ProcessForNTLMv2()
721 | {
722 | this.Flags = 2;
723 | this.ChannelBindings.length = 0x10;
724 | this.ChannelBindings.value = new byte[0x10];
725 | string s = "";
726 | byte[] bytes = Encoding.Unicode.GetBytes(s);
727 | this.TargetName.length = bytes.Length;
728 | this.TargetName.value = bytes;
729 | byte[] buffer = new byte[] {
730 | 0x5c, 0xca, 250, 0x4d, 0x40, 0x41, 0xc5, 0x8b, 0x43, 0x93, 0x16, 0x88, 0xce, 0x3b, 0x94, 0x63,
731 | 0xf1, 0xc5, 0x61, 0xf4, 0xe1, 0xde, 0xda, 0x7a, 0x43, 0xb8, 0xd6, 200, 0x9e, 80, 0x3f, 0x42
732 | };
733 | this.Restrictions.length = 0x30;
734 | RdpPacket packet = new RdpPacket();
735 | packet.WriteLittleEndian32(0x30);
736 | packet.WritePadding(4);
737 | packet.WriteByte(1);
738 | packet.WritePadding(3);
739 | packet.WriteLittleEndian32(0x2000);
740 | packet.Write(buffer, 0, 0x20);
741 | this.Restrictions.value = packet.ToArray();
742 | if (this.Restrictions.value.Length != this.Restrictions.length)
743 | {
744 | throw new Exception("Restrictions invalid!");
745 | }
746 | }
747 |
748 | public byte[] Serialise()
749 | {
750 | RdpPacket packet = new RdpPacket();
751 | if (this.NbDomainName.length > 0)
752 | {
753 | packet.WriteLittleEndian16((short) 2);
754 | packet.WriteLittleEndian16((short) this.NbDomainName.length);
755 | packet.Write(this.NbDomainName.value, 0, this.NbDomainName.length);
756 | }
757 | if (this.NbComputerName.length > 0)
758 | {
759 | packet.WriteLittleEndian16((short) 1);
760 | packet.WriteLittleEndian16((short) this.NbComputerName.length);
761 | packet.Write(this.NbComputerName.value, 0, this.NbComputerName.length);
762 | }
763 | if (this.DnsDomainName.length > 0)
764 | {
765 | packet.WriteLittleEndian16((short) 4);
766 | packet.WriteLittleEndian16((short) this.DnsDomainName.length);
767 | packet.Write(this.DnsDomainName.value, 0, this.DnsDomainName.length);
768 | }
769 | if (this.DnsComputerName.length > 0)
770 | {
771 | packet.WriteLittleEndian16((short) 3);
772 | packet.WriteLittleEndian16((short) this.DnsComputerName.length);
773 | packet.Write(this.DnsComputerName.value, 0, this.DnsComputerName.length);
774 | }
775 | if (this.DnsTreeName.length > 0)
776 | {
777 | packet.WriteLittleEndian16((short) 5);
778 | packet.WriteLittleEndian16((short) this.DnsTreeName.length);
779 | packet.Write(this.DnsTreeName.value, 0, this.DnsTreeName.length);
780 | }
781 | if (this.Timestamp.length > 0)
782 | {
783 | packet.WriteLittleEndian16((short) 7);
784 | packet.WriteLittleEndian16((short) this.Timestamp.length);
785 | packet.Write(this.Timestamp.value, 0, this.Timestamp.length);
786 | }
787 | if (this.Flags != 0)
788 | {
789 | packet.WriteLittleEndian16((short) 6);
790 | packet.WriteLittleEndian16((short) 4);
791 | packet.WriteLittleEndian32(this.Flags);
792 | }
793 | if (this.Restrictions.length > 0)
794 | {
795 | packet.WriteLittleEndian16((short) 8);
796 | packet.WriteLittleEndian16((short) this.Restrictions.length);
797 | packet.Write(this.Restrictions.value, 0, this.Restrictions.length);
798 | }
799 | if (this.ChannelBindings.length > 0)
800 | {
801 | packet.WriteLittleEndian16((short) 10);
802 | packet.WriteLittleEndian16((short) this.ChannelBindings.length);
803 | packet.Write(this.ChannelBindings.value, 0, this.ChannelBindings.length);
804 | }
805 | if (this.TargetName.value != null)
806 | {
807 | packet.WriteLittleEndian16((short) 9);
808 | packet.WriteLittleEndian16((short) this.TargetName.length);
809 | packet.Write(this.TargetName.value, 0, this.TargetName.length);
810 | }
811 | packet.WriteLittleEndian16((short) 0);
812 | packet.WriteLittleEndian16((short) 0);
813 | packet.WritePadding(8);
814 | byte[] buffer = new byte[packet.Length];
815 | packet.Position = 0L;
816 | packet.Read(buffer, 0, buffer.Length);
817 | return buffer;
818 | }
819 | }
820 |
821 | }
822 | }
--------------------------------------------------------------------------------