class RubySMB::Gss::Provider::NTLM::Authenticator
Attributes
Public Instance Methods
# File lib/ruby_smb/gss/provider/ntlm.rb, line 26 def process(request_buffer=nil) if request_buffer.nil? # this is only NTLMSSP (as opposed to SPNEGO + NTLMSSP) buffer = OpenSSL::ASN1::ASN1Data.new([ Gss::OID_SPNEGO, OpenSSL::ASN1::ASN1Data.new([ OpenSSL::ASN1::Sequence.new([ OpenSSL::ASN1::ASN1Data.new([ OpenSSL::ASN1::Sequence.new([ Gss::OID_NTLMSSP ]) ], 0, :CONTEXT_SPECIFIC), OpenSSL::ASN1::ASN1Data.new([ OpenSSL::ASN1::ASN1Data.new([ OpenSSL::ASN1::ASN1Data.new([ OpenSSL::ASN1::GeneralString.new('not_defined_in_RFC4178@please_ignore') ], 0, :CONTEXT_SPECIFIC) ], 16, :UNIVERSAL) ], 3, :CONTEXT_SPECIFIC) ]) ], 0, :CONTEXT_SPECIFIC) ], 0, :APPLICATION).to_der return Result.new(buffer, WindowsError::NTStatus::STATUS_SUCCESS) end begin gss_api = OpenSSL::ASN1.decode(request_buffer) rescue OpenSSL::ASN1::ASN1Error return end if gss_api&.tag == 0 && gss_api&.tag_class == :APPLICATION result = process_gss_type1(gss_api) elsif gss_api&.tag == 1 && gss_api&.tag_class == :CONTEXT_SPECIFIC result = process_gss_type3(gss_api) end result end
Process the NTLM
type 1 message and build a type 2 response message.
@param [Net::NTLM::Message::Type1] type1_msg the NTLM
type 1 message received by the client that should be
processed
@return [Net::NTLM::Message::Type2] the NTLM
type 2 response message with which to reply to the client
# File lib/ruby_smb/gss/provider/ntlm.rb, line 72 def process_ntlm_type1(type1_msg) type2_msg = Net::NTLM::Message::Type2.new.tap do |msg| msg.target_name = 'LOCALHOST'.encode('UTF-16LE').b msg.flag = 0 %i{ KEY56 KEY128 KEY_EXCHANGE UNICODE TARGET_INFO VERSION_INFO }.each do |flag| msg.flag |= NTLM::NEGOTIATE_FLAGS.fetch(flag) end @server_challenge = @provider.generate_server_challenge msg.challenge = @server_challenge.unpack1('Q<') # 64-bit unsigned, little endian (uint64_t) target_info = Net::NTLM::TargetInfo.new('') target_info.av_pairs.merge!({ Net::NTLM::TargetInfo::MSV_AV_NB_DOMAIN_NAME => @provider.netbios_domain.encode('UTF-16LE').b, Net::NTLM::TargetInfo::MSV_AV_NB_COMPUTER_NAME => @provider.netbios_hostname.encode('UTF-16LE').b, Net::NTLM::TargetInfo::MSV_AV_DNS_DOMAIN_NAME => @provider.dns_domain.encode('UTF-16LE').b, Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME => @provider.dns_hostname.encode('UTF-16LE').b, Net::NTLM::TargetInfo::MSV_AV_TIMESTAMP => [(Time.now.to_i + Net::NTLM::TIME_OFFSET) * Field::FileTime::NS_MULTIPLIER].pack('Q') }) msg.target_info = target_info.to_s msg.enable(:target_info) msg.context = 0 msg.enable(:context) msg.os_version = NTLM::OSVersion.new(major: 6, minor: 3).to_binary_s msg.enable(:os_version) end type2_msg end
Process the NTLM
type 3 message and either accept or reject the authentication attempt.
@param [Net::NTLM::Message::Type3] type3_msg the NTLM
type 3 message received by the client that should be
processed
@return [WindowsError::ErrorCode] an NT Status error code representing the operations outcome where
STATUS_SUCCESS is a successful authentication attempt and anything else is a failure
# File lib/ruby_smb/gss/provider/ntlm.rb, line 108 def process_ntlm_type3(type3_msg) if type3_msg.user == '' && type3_msg.domain == '' if @provider.allow_anonymous return WindowsError::NTStatus::STATUS_SUCCESS end return WindowsError::NTStatus::STATUS_LOGON_FAILURE end account = @provider.get_account( type3_msg.user, domain: type3_msg.domain ) return WindowsError::NTStatus::STATUS_LOGON_FAILURE if account.nil? matches = false case type3_msg.ntlm_version when :ntlmv1 my_ntlm_response = Net::NTLM::ntlm_response( ntlm_hash: Net::NTLM::ntlm_hash(account.password.encode('UTF-16LE'), unicode: true), challenge: @server_challenge ) matches = my_ntlm_response == type3_msg.ntlm_response when :ntlmv2 digest = OpenSSL::Digest::MD5.new their_nt_proof_str = type3_msg.ntlm_response[0...digest.digest_length] their_blob = type3_msg.ntlm_response[digest.digest_length..-1] ntlmv2_hash = Net::NTLM.ntlmv2_hash( account.username.encode('UTF-16LE'), account.password.encode('UTF-16LE'), type3_msg.domain.encode('UTF-16LE'), # don't use the account domain because of the special '.' value {client_challenge: their_blob[16...24], unicode: true} ) my_nt_proof_str = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmv2_hash, @server_challenge + their_blob) matches = my_nt_proof_str == their_nt_proof_str if matches user_session_key = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmv2_hash, my_nt_proof_str) if type3_msg.flag & NTLM::NEGOTIATE_FLAGS[:KEY_EXCHANGE] == NTLM::NEGOTIATE_FLAGS[:KEY_EXCHANGE] && type3_msg.session_key.length == 16 rc4 = OpenSSL::Cipher.new('rc4') rc4.decrypt rc4.key = user_session_key @session_key = rc4.update type3_msg.session_key @session_key << rc4.final else @session_key = user_session_key end end else # the only other value Net::NTLM will return for this is ntlm_session raise NotImplementedError, "authentication via ntlm version #{type3_msg.ntlm_version} is not supported" end return WindowsError::NTStatus::STATUS_LOGON_FAILURE unless matches WindowsError::NTStatus::STATUS_SUCCESS end
RubySMB::Gss::Provider::Authenticator::Base#reset!
# File lib/ruby_smb/gss/provider/ntlm.rb, line 21 def reset! super @server_challenge = nil end
Private Instance Methods
take the GSS blob, extract the NTLM
type 1 message and pass it to the process method to build the response which is then put back into a new GSS reply-blob
# File lib/ruby_smb/gss/provider/ntlm.rb, line 173 def process_gss_type1(gss_api) unless Gss.asn1dig(gss_api, 1, 0, 0, 0, 0)&.value == Gss::OID_NTLMSSP.value return end raw_type1_msg = Gss.asn1dig(gss_api, 1, 0, 1, 0)&.value return unless raw_type1_msg type1_msg = Net::NTLM::Message.parse(raw_type1_msg) if type1_msg.flag & NTLM::NEGOTIATE_FLAGS[:UNICODE] == NTLM::NEGOTIATE_FLAGS[:UNICODE] type1_msg.domain.force_encoding('UTF-16LE') type1_msg.workstation.force_encoding('UTF-16LE') end type2_msg = process_ntlm_type1(type1_msg) Result.new(Gss.gss_type2(type2_msg.serialize), WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED) end
take the GSS blob, extract the NTLM
type 3 message and pass it to the process method to build the response which is then put back into a new GSS reply-blob
# File lib/ruby_smb/gss/provider/ntlm.rb, line 193 def process_gss_type3(gss_api) neg_token_init = Hash[RubySMB::Gss.asn1dig(gss_api, 0).value.map { |obj| [obj.tag, obj.value[0].value] }] raw_type3_msg = neg_token_init[2] type3_msg = Net::NTLM::Message.parse(raw_type3_msg) if type3_msg.flag & NTLM::NEGOTIATE_FLAGS[:UNICODE] == NTLM::NEGOTIATE_FLAGS[:UNICODE] type3_msg.domain.force_encoding('UTF-16LE') type3_msg.user.force_encoding('UTF-16LE') type3_msg.workstation.force_encoding('UTF-16LE') end nt_status = process_ntlm_type3(type3_msg) buffer = identity = nil case nt_status when WindowsError::NTStatus::STATUS_SUCCESS buffer = OpenSSL::ASN1::ASN1Data.new([ OpenSSL::ASN1::Sequence.new([ OpenSSL::ASN1::ASN1Data.new([ OpenSSL::ASN1::Enumerated.new(OpenSSL::BN.new(0)), ], 0, :CONTEXT_SPECIFIC) ]) ], 1, :CONTEXT_SPECIFIC).to_der account = @provider.get_account( type3_msg.user, domain: type3_msg.domain ) if account.nil? if @provider.allow_anonymous identity = IDENTITY_ANONYMOUS end else identity = account.to_s end end Result.new(buffer, nt_status, identity) end