-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: NTLM Implementation #177
base: v4
Are you sure you want to change the base?
Conversation
|
||
public async Task EnsureRequiresAuth(bool enableSigning, bool? useBadChannelBindings) | ||
{ | ||
if (Url == null) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like the Url
property is only used on this method while being passed in to our other methods, might be worth moving this to a required argument rather than a property
|
||
public class HttpTransport : INtlmTransport | ||
{ | ||
private readonly ILogger _logger; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
_logger
doesn't seem to be used, might not be needed, or potentially was forgot to be used
src/CommonLib/Ntlm/HttpTransport.cs
Outdated
throw new InvalidOperationException("No WWW-Authenticate header found in response"); | ||
} | ||
|
||
var authHeaders = response.Headers.WwwAuthenticate.Where(a => a.Scheme == _authScheme); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Slight performance nit: we can convert this to a list to avoid enumerating the elements again, probably not a large enough collection to make a large difference
// { | ||
// Marshal.FreeHGlobal(responseBerval.bv_val); | ||
// } | ||
// Marshal.FreeHGlobal(response); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that the memory is cleaned up at the end of the PInvoke call since, which could potentially be causing the crash
|
||
// NEGOTIATE | ||
var negotiateMsgBytes = context.Step(); | ||
//_logger.LogDebug($"NTLM-NEGOTIATE message: {Convert.ToBase64String(negotiateMsgBytes)}"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if intentionally left out, but _logger is no longer used if intentional
We also don't use _host
or NtlmAuthPackageName
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good, mostly style comments and naming conventions that I think we can improve on
if (evnt.Id != 4624) | ||
throw new ArgumentException("Not a logon event"); | ||
|
||
//var subjectUserSid = eventDetail.Properties[0].Value.ToString(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinking we can remove these
public override string ToString() | ||
{ | ||
var targetUser = AccountDomain + "\\" + AccountName; | ||
var source = (SourceIp != null || SourcePort != null) ? $"{SourceIp}:{SourcePort}" : ""; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unused, maybe was meant for logging?
string packageName | ||
) | ||
{ | ||
public string Host { get; set; } = host; // Hostname the sessions occurred on |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unused
|
||
public static NtlmSession FromLogonEvent(string host, EventRecord evnt) | ||
{ | ||
if (evnt.Id != 4624) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should these magic numbers be moved to an enum? Maybe a constant for this
if (buffers[2].cbBuffer > 0) | ||
{ | ||
Buffer.BlockCopy(padding, 0, wrapped, offset, (int)buffers[2].cbBuffer); | ||
offset += (int)buffers[2].cbBuffer; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can remove since we no longer use the offset
after this if block, might have been kept for future changes, though?
internal static partial class Helpers | ||
{ | ||
[StructLayout(LayoutKind.Sequential)] | ||
public struct SEC_CHANNEL_BINDINGS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pretty sure these are the names from the shared library, but we should follow our managed code's styling
|
||
internal static class SSPI | ||
{ | ||
private const Int32 SEC_I_CONTINUE_NEEDED = 0x00090312; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here with matching C#'s styles
[Flags] | ||
internal enum InitiatorContextRequestFlags : uint | ||
{ | ||
ISC_REQ_DELEGATE = 0x00000001, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Naming in these enums as well
@@ -46,7 +46,7 @@ public static GeneratedLdapParameters GenerateDefaultPartitionParameters(Collect | |||
if (methods.HasFlag(CollectionMethod.SPNTargets)) | |||
properties.AddRange(CommonProperties.SPNTargetProps); | |||
|
|||
if (methods.HasFlag(CollectionMethod.DCRegistry)) | |||
if (methods.HasFlag(CollectionMethod.DCRegistry) || methods.HasFlag(CollectionMethod.LdapServices)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this need WebClientService/SMBInfo/EventLogs added to it?
Description
This is the initial implementation of the new NTLM modelling, courtesy of @leechristensen .
Motivation and Context
https://specterops.atlassian.net/browse/BED-5113
How Has This Been Tested?
Screenshots (if appropriate):
Types of changes
Checklist: