2 // Mono.Security.Protocol.Ntlm.ChallengeResponse
3 // Implements Challenge Response for NTLM v1 and NTLM v2 Session
6 // Sebastien Pouliot <sebastien@ximian.com>
7 // Martin Baulig <martin.baulig@xamarin.com>
9 // (C) 2003 Motus Technologies Inc. (http://www.motus.com)
10 // (C) 2004 Novell (http://www.novell.com)
11 // (C) 2012 Xamarin, Inc. (http://www.xamarin.com)
14 // a. NTLM Authentication Scheme for HTTP, Ronald Tschalär
15 // http://www.innovation.ch/java/ntlm.html
16 // b. The NTLM Authentication Protocol, Copyright © 2003 Eric Glass
17 // http://davenport.sourceforge.net/ntlm.html
21 // Permission is hereby granted, free of charge, to any person obtaining
22 // a copy of this software and associated documentation files (the
23 // "Software"), to deal in the Software without restriction, including
24 // without limitation the rights to use, copy, modify, merge, publish,
25 // distribute, sublicense, and/or sell copies of the Software, and to
26 // permit persons to whom the Software is furnished to do so, subject to
27 // the following conditions:
29 // The above copyright notice and this permission notice shall be
30 // included in all copies or substantial portions of the Software.
32 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
33 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
34 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
35 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
36 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
37 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
38 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
44 using System.Globalization;
45 using System.Security.Cryptography;
48 using Mono.Security.Cryptography;
50 namespace Mono.Security.Protocol.Ntlm {
52 public static class ChallengeResponse2 {
54 static private byte[] magic = { 0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
56 // This is the pre-encrypted magic value with a null DES key (0xAAD3B435B51404EE)
57 // Ref: http://packetstormsecurity.nl/Crackers/NT/l0phtcrack/l0phtcrack2.5-readme.html
58 static private byte[] nullEncMagic = { 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE };
60 static byte[] Compute_LM (string password, byte[] challenge)
62 var buffer = new byte [21];
64 // create Lan Manager password
66 DESCryptoServiceProvider des = new DESCryptoServiceProvider ();
68 DES des = DES.Create ();
70 des.Mode = CipherMode.ECB;
71 ICryptoTransform ct = null;
73 // Note: In .NET DES cannot accept a weak key
74 // this can happen for a null password
75 if ((password == null) || (password.Length < 1)) {
76 Buffer.BlockCopy (nullEncMagic, 0, buffer, 0, 8);
78 des.Key = PasswordToKey (password, 0);
79 ct = des.CreateEncryptor ();
80 ct.TransformBlock (magic, 0, 8, buffer, 0);
83 // and if a password has less than 8 characters
84 if ((password == null) || (password.Length < 8)) {
85 Buffer.BlockCopy (nullEncMagic, 0, buffer, 8, 8);
87 des.Key = PasswordToKey (password, 7);
88 ct = des.CreateEncryptor ();
89 ct.TransformBlock (magic, 0, 8, buffer, 8);
94 return GetResponse (challenge, buffer);
97 static byte[] Compute_NTLM_Password (string password)
99 var buffer = new byte [21];
101 // create NT password
103 MD4Managed md4 = new MD4Managed ();
105 MD4 md4 = MD4.Create ();
107 byte[] data = ((password == null) ? (new byte [0]) : (Encoding.Unicode.GetBytes (password)));
108 byte[] hash = md4.ComputeHash (data);
109 Buffer.BlockCopy (hash, 0, buffer, 0, 16);
112 Array.Clear (data, 0, data.Length);
113 Array.Clear (hash, 0, hash.Length);
118 static byte[] Compute_NTLM (string password, byte[] challenge)
120 var buffer = Compute_NTLM_Password (password);
121 return GetResponse (challenge, buffer);
124 static void Compute_NTLMv2_Session (string password, byte[] challenge,
125 out byte[] lm, out byte[] ntlm)
127 var nonce = new byte [8];
128 var rng = RandomNumberGenerator.Create ();
129 rng.GetBytes (nonce);
131 var sessionNonce = new byte [challenge.Length + 8];
132 challenge.CopyTo (sessionNonce, 0);
133 nonce.CopyTo (sessionNonce, challenge.Length);
136 nonce.CopyTo (lm, 0);
139 MD5Managed md5 = new MD5Managed ();
141 MD5 md5 = MD5.Create ();
144 var hash = md5.ComputeHash (sessionNonce);
145 var newChallenge = new byte [8];
146 Array.Copy (hash, newChallenge, 8);
148 ntlm = Compute_NTLM (password, newChallenge);
151 Array.Clear (nonce, 0, nonce.Length);
152 Array.Clear (sessionNonce, 0, sessionNonce.Length);
153 Array.Clear (newChallenge, 0, newChallenge.Length);
154 Array.Clear (hash, 0, hash.Length);
157 static byte[] Compute_NTLMv2 (Type2Message type2, string username, string password)
159 var ntlm_hash = Compute_NTLM_Password (password);
161 var ubytes = Encoding.Unicode.GetBytes (username.ToUpperInvariant ());
162 var tbytes = Encoding.Unicode.GetBytes (type2.TargetName.ToUpperInvariant ());
164 var bytes = new byte [ubytes.Length + tbytes.Length];
165 ubytes.CopyTo (bytes, 0);
166 Array.Copy (tbytes, 0, bytes, ubytes.Length, tbytes.Length);
168 var md5 = new HMACMD5 (ntlm_hash);
169 var ntlm_v2_hash = md5.ComputeHash (bytes);
171 Array.Clear (ntlm_hash, 0, ntlm_hash.Length);
174 var ntlm_v2_md5 = new HMACMD5 (ntlm_v2_hash);
176 var now = DateTime.Now;
177 var timestamp = now.Ticks - 504911232000000000;
179 var nonce = new byte [8];
180 var rng = RandomNumberGenerator.Create ();
181 rng.GetBytes (nonce);
183 byte[] blob = new byte [28 + type2.TargetInfo.Length];
187 Buffer.BlockCopy (BitConverterLE.GetBytes (timestamp), 0, blob, 8, 8);
189 Buffer.BlockCopy (nonce, 0, blob, 16, 8);
190 Buffer.BlockCopy (type2.TargetInfo, 0, blob, 28, type2.TargetInfo.Length);
192 var challenge = type2.Nonce;
194 var hashInput = new byte [challenge.Length + blob.Length];
195 challenge.CopyTo (hashInput, 0);
196 blob.CopyTo (hashInput, challenge.Length);
198 var blobHash = ntlm_v2_md5.ComputeHash (hashInput);
200 var response = new byte [blob.Length + blobHash.Length];
201 blobHash.CopyTo (response, 0);
202 blob.CopyTo (response, blobHash.Length);
204 Array.Clear (ntlm_v2_hash, 0, ntlm_v2_hash.Length);
205 ntlm_v2_md5.Clear ();
206 Array.Clear (nonce, 0, nonce.Length);
207 Array.Clear (blob, 0, blob.Length);
208 Array.Clear (hashInput, 0, hashInput.Length);
209 Array.Clear (blobHash, 0, blobHash.Length);
214 public static void Compute (Type2Message type2, NtlmAuthLevel level,
215 string username, string password,
216 out byte[] lm, out byte[] ntlm)
221 case NtlmAuthLevel.LM_and_NTLM:
222 lm = Compute_LM (password, type2.Nonce);
223 ntlm = Compute_NTLM (password, type2.Nonce);
226 case NtlmAuthLevel.LM_and_NTLM_and_try_NTLMv2_Session:
227 if ((type2.Flags & NtlmFlags.NegotiateNtlm2Key) == 0)
228 goto case NtlmAuthLevel.LM_and_NTLM;
229 Compute_NTLMv2_Session (password, type2.Nonce, out lm, out ntlm);
232 case NtlmAuthLevel.NTLM_only:
233 if ((type2.Flags & NtlmFlags.NegotiateNtlm2Key) != 0)
234 Compute_NTLMv2_Session (password, type2.Nonce, out lm, out ntlm);
236 ntlm = Compute_NTLM (password, type2.Nonce);
239 case NtlmAuthLevel.NTLMv2_only:
240 ntlm = Compute_NTLMv2 (type2, username, password);
244 throw new InvalidOperationException ();
248 static byte[] GetResponse (byte[] challenge, byte[] pwd)
250 byte[] response = new byte [24];
252 DESCryptoServiceProvider des = new DESCryptoServiceProvider ();
254 DES des = DES.Create ();
256 des.Mode = CipherMode.ECB;
257 des.Key = PrepareDESKey (pwd, 0);
258 ICryptoTransform ct = des.CreateEncryptor ();
259 ct.TransformBlock (challenge, 0, 8, response, 0);
260 des.Key = PrepareDESKey (pwd, 7);
261 ct = des.CreateEncryptor ();
262 ct.TransformBlock (challenge, 0, 8, response, 8);
263 des.Key = PrepareDESKey (pwd, 14);
264 ct = des.CreateEncryptor ();
265 ct.TransformBlock (challenge, 0, 8, response, 16);
269 static byte[] PrepareDESKey (byte[] key56bits, int position)
271 // convert to 8 bytes
272 byte[] key = new byte [8];
273 key [0] = key56bits [position];
274 key [1] = (byte) ((key56bits [position] << 7) | (key56bits [position + 1] >> 1));
275 key [2] = (byte) ((key56bits [position + 1] << 6) | (key56bits [position + 2] >> 2));
276 key [3] = (byte) ((key56bits [position + 2] << 5) | (key56bits [position + 3] >> 3));
277 key [4] = (byte) ((key56bits [position + 3] << 4) | (key56bits [position + 4] >> 4));
278 key [5] = (byte) ((key56bits [position + 4] << 3) | (key56bits [position + 5] >> 5));
279 key [6] = (byte) ((key56bits [position + 5] << 2) | (key56bits [position + 6] >> 6));
280 key [7] = (byte) (key56bits [position + 6] << 1);
284 static byte[] PasswordToKey (string password, int position)
286 byte[] key7 = new byte [7];
287 int len = System.Math.Min (password.Length - position, 7);
288 Encoding.ASCII.GetBytes (password.ToUpper (CultureInfo.CurrentCulture), position, len, key7, 0);
289 byte[] key8 = PrepareDESKey (key7, 0);
290 // cleanup intermediate key material
291 Array.Clear (key7, 0, key7.Length);