Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: NTLM Implementation #177

Open
wants to merge 3 commits into
base: v4
Choose a base branch
from
Open

WIP: NTLM Implementation #177

wants to merge 3 commits into from

Conversation

rvazarkar
Copy link
Contributor

Description

This is the initial implementation of the new NTLM modelling, courtesy of @leechristensen .

Motivation and Context

https://specterops.atlassian.net/browse/BED-5113

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.


public async Task EnsureRequiresAuth(bool enableSigning, bool? useBadChannelBindings)
{
if (Url == null)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like the Url property is only used on this method while being passed in to our other methods, might be worth moving this to a required argument rather than a property


public class HttpTransport : INtlmTransport
{
private readonly ILogger _logger;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

_logger doesn't seem to be used, might not be needed, or potentially was forgot to be used

throw new InvalidOperationException("No WWW-Authenticate header found in response");
}

var authHeaders = response.Headers.WwwAuthenticate.Where(a => a.Scheme == _authScheme);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slight performance nit: we can convert this to a list to avoid enumerating the elements again, probably not a large enough collection to make a large difference

// {
// Marshal.FreeHGlobal(responseBerval.bv_val);
// }
// Marshal.FreeHGlobal(response);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that the memory is cleaned up at the end of the PInvoke call since, which could potentially be causing the crash


// NEGOTIATE
var negotiateMsgBytes = context.Step();
//_logger.LogDebug($"NTLM-NEGOTIATE message: {Convert.ToBase64String(negotiateMsgBytes)}");
Copy link

@mvlipka mvlipka Dec 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if intentionally left out, but _logger is no longer used if intentional

We also don't use _host or NtlmAuthPackageName

Copy link

@mvlipka mvlipka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, mostly style comments and naming conventions that I think we can improve on

src/CommonLib/OutputTypes/APIResult.cs Outdated Show resolved Hide resolved
if (evnt.Id != 4624)
throw new ArgumentException("Not a logon event");

//var subjectUserSid = eventDetail.Properties[0].Value.ToString();
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking we can remove these

public override string ToString()
{
var targetUser = AccountDomain + "\\" + AccountName;
var source = (SourceIp != null || SourcePort != null) ? $"{SourceIp}:{SourcePort}" : "";
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unused, maybe was meant for logging?

string packageName
)
{
public string Host { get; set; } = host; // Hostname the sessions occurred on
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unused


public static NtlmSession FromLogonEvent(string host, EventRecord evnt)
{
if (evnt.Id != 4624)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these magic numbers be moved to an enum? Maybe a constant for this

if (buffers[2].cbBuffer > 0)
{
Buffer.BlockCopy(padding, 0, wrapped, offset, (int)buffers[2].cbBuffer);
offset += (int)buffers[2].cbBuffer;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can remove since we no longer use the offset after this if block, might have been kept for future changes, though?

internal static partial class Helpers
{
[StructLayout(LayoutKind.Sequential)]
public struct SEC_CHANNEL_BINDINGS
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty sure these are the names from the shared library, but we should follow our managed code's styling


internal static class SSPI
{
private const Int32 SEC_I_CONTINUE_NEEDED = 0x00090312;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here with matching C#'s styles

src/CommonLib/Ntlm/LdapNative.cs Show resolved Hide resolved
[Flags]
internal enum InitiatorContextRequestFlags : uint
{
ISC_REQ_DELEGATE = 0x00000001,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Naming in these enums as well

@@ -46,7 +46,7 @@ public static GeneratedLdapParameters GenerateDefaultPartitionParameters(Collect
if (methods.HasFlag(CollectionMethod.SPNTargets))
properties.AddRange(CommonProperties.SPNTargetProps);

if (methods.HasFlag(CollectionMethod.DCRegistry))
if (methods.HasFlag(CollectionMethod.DCRegistry) || methods.HasFlag(CollectionMethod.LdapServices))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need WebClientService/SMBInfo/EventLogs added to it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants