Added Negotiate Token parsing.

Author: tyranid

NtApiDotNet/NtApiDotNet.csproj

@@ -366,7 +366,9 @@
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosNameType.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\Ndr\PacDeviceInfoParser.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\PrincipalName.cs" />
+    <Compile Include="Win32\Security\Authentication\Negotiate\NegotiateInitAuthenticationToken.cs" />
     <Compile Include="Win32\Security\Authentication\Negotiate\NegotiateAuthenticationToken.cs" />
+    <Compile Include="Win32\Security\Authentication\Negotiate\NegotiateResponseAuthenticationToken.cs" />
     <Compile Include="Win32\Security\Authentication\Ntlm\NtlmAuthenticateAuthenticationTokenV2.cs" />
     <Compile Include="Win32\Security\Native\KERB_TICKET_LOGON.cs" />
     <Compile Include="Win32\Security\Native\SecPkgContextStructs.cs" />

NtApiDotNet/Utilities/ASN1/DERValue.cs

@@ -136,6 +136,15 @@ public int ReadChildInteger()
             return Children[0].ReadInteger();
         }
 
+        public int ReadChildEnumerated()
+        {
+            if (!HasChildren() || (!Children[0].CheckPrimitive(UniversalTag.ENUMERATED) && !Children[0].CheckPrimitive(UniversalTag.INTEGER)))
+            {
+                throw new InvalidDataException();
+            }
+            return Children[0].ReadInteger();
+        }
+
         public byte[] ReadChildOctetString()
         {
             if (!HasChildren() || !Children[0].CheckPrimitive(UniversalTag.OCTET_STRING))
@@ -154,6 +163,15 @@ public string ReadChildGeneralString()
             return Children[0].ReadGeneralString();
         }
 
+        public string ReadChildObjID()
+        {
+            if (!HasChildren() || !Children[0].CheckPrimitive(UniversalTag.OBJECT_IDENTIFIER))
+            {
+                throw new InvalidDataException();
+            }
+            return Children[0].ReadObjID();
+        }
+
         public string ReadChildGeneralizedTime()
         {
             if (!HasChildren() || !Children[0].CheckPrimitive(UniversalTag.GeneralizedTime))

NtApiDotNet/Utilities/ASN1/OIDValues.cs

@@ -21,10 +21,33 @@ internal static class OIDValues
     {
         internal const string KERBEROS_NAME = "1.2.840.113554.1.2.2.1";
         internal const string KERBEROS_PRINCIPAL = "1.2.840.113554.1.2.2.2";
-        internal const string KERBEROS_USER_TO_USER_OID = "1.2.840.113554.1.2.2.3";
-        internal const string KERBEROS_OID = "1.2.840.113554.1.2.2";
+        internal const string KERBEROS_USER_TO_USER = "1.2.840.113554.1.2.2.3";
+        internal const string KERBEROS = "1.2.840.113554.1.2.2";
         internal const string MS_KERBEROS = "1.2.840.48018.1.2.2";
         internal const string NTLM_SSP = "1.3.6.1.4.1.311.2.2.10";
         internal const string MS_NEGOX = "1.3.6.1.4.1.311.2.2.30";
+        internal const string SPNEGO = "1.3.6.1.5.5.2";
+
+        public static string ToString(string oid)
+        {
+            switch (oid)
+            {
+                case KERBEROS:
+                case KERBEROS_NAME:
+                    return "Kerberos";
+                case KERBEROS_USER_TO_USER:
+                    return "Kerberos User to User";
+                case MS_KERBEROS:
+                    return "Microsoft Kerberos";
+                case NTLM_SSP:
+                    return "NTLM";
+                case MS_NEGOX:
+                    return "Microsoft Negotiate Extended";
+                case SPNEGO:
+                    return "SPNEGO";
+                default:
+                    return "UNKNOWN OID";
+            }
+        }
     }
 }

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAuthenticationToken.cs

@@ -81,8 +81,8 @@ internal static bool TryParse(byte[] data, int token_count, bool client, out Ker
 
                 switch (oid)
                 {
-                    case OIDValues.KERBEROS_OID:
-                    case OIDValues.KERBEROS_USER_TO_USER_OID:
+                    case OIDValues.KERBEROS:
+                    case OIDValues.KERBEROS_USER_TO_USER:
                         if (tok_id[0] == 1)
                         {
                             if (KerberosAPRequestAuthenticationToken.TryParse(data, values, out token))

NtApiDotNet/Win32/Security/Authentication/Negotiate/NegotiateAuthenticationToken.cs

@@ -12,19 +12,221 @@
 //  See the License for the specific language governing permissions and
 //  limitations under the License.
 
+using NtApiDotNet.Utilities.ASN1;
+using NtApiDotNet.Win32.Security.Authentication.Kerberos;
+using NtApiDotNet.Win32.Security.Authentication.Ntlm;
+using System;
+using System.Collections;
+using System.Collections.Generic;
 using System.IO;
+using System.Text;
 
 namespace NtApiDotNet.Win32.Security.Authentication.Negotiate
 {
     /// <summary>
     /// SPNEGO Authentication Token.
     /// </summary>
-    public class NegotiateAuthenticationToken : ASN1AuthenticationToken
+    public abstract class NegotiateAuthenticationToken : ASN1AuthenticationToken
     {
-        internal NegotiateAuthenticationToken(byte[] data) 
+        /// <summary>
+        /// The negotiated authentication token.
+        /// </summary>
+        public AuthenticationToken Token { get; private set; }
+
+        /// <summary>
+        /// Optional message integrity code.
+        /// </summary>
+        public byte[] MessageIntegrityCode { get; }
+
+        /// <summary>
+        /// Decrypt the Authentication Token using a keyset.
+        /// </summary>
+        /// <param name="keyset">The set of keys to decrypt the </param>
+        /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
+        public override AuthenticationToken Decrypt(IEnumerable<AuthenticationKey> keyset)
+        {
+            if (Token == null)
+                return this;
+            var ret = (NegotiateAuthenticationToken)MemberwiseClone();
+            ret.Token = Token.Decrypt(keyset);
+            return ret;
+        }
+
+        /// <summary>
+        /// Format the authentication token.
+        /// </summary>
+        /// <returns>The token as a formatted string.</returns>
+        public override string Format()
+        {
+            StringBuilder builder = new StringBuilder();
+            builder.AppendLine($"<SPNEGO {(this is NegotiateInitAuthenticationToken ? "Init" : "Response")}>");
+            FormatData(builder);
+            string token_format = Token?.Format();
+            if (!string.IsNullOrWhiteSpace(token_format))
+            {
+                builder.AppendLine("<SPNEGO Token>");
+                builder.AppendLine(token_format.TrimEnd());
+                builder.AppendLine("</SPNEGO Token>");
+            }
+            return builder.ToString();
+        }
+
+        private protected abstract void FormatData(StringBuilder builder);
+
+        private static AuthenticationToken ParseToken(byte[] data, int token_count, bool client)
+        {
+            if (NtlmAuthenticationToken.TryParse(data, token_count, client, out NtlmAuthenticationToken ntlm_token))
+            {
+                return ntlm_token;
+            }
+
+            if (KerberosAuthenticationToken.TryParse(data, token_count, client, out KerberosAuthenticationToken kerb_token))
+            {
+                return kerb_token;
+            }
+
+            return new AuthenticationToken(data);
+        }
+
+        private static IEnumerable<string> ParseMechList(DERValue[] values)
+        {
+            List<string> mech_list = new List<string>();
+            if (values.CheckValueSequence())
+            {
+                foreach (var next in values[0].Children)
+                {
+                    if (!next.CheckPrimitive(UniversalTag.OBJECT_IDENTIFIER))
+                    {
+                        throw new InvalidDataException();
+                    }
+                    mech_list.Add(next.ReadObjID());
+                }
+            }
+            return mech_list.AsReadOnly();
+        }
+
+        private static NegotiateContextFlags ConvertContextFlags(BitArray flags)
+        {
+            if (flags.Length > 32)
+                throw new InvalidDataException();
+            int ret = 0;
+            for (int i = 0; i < flags.Length; ++i)
+            {
+                if (flags[i])
+                    ret |= (1 << i);
+            }
+            return (NegotiateContextFlags)ret;
+        }
+
+        private static bool ParseInit(byte[] data, DERValue[] values, int token_count, bool client, out NegotiateAuthenticationToken token)
+        {
+            token = null;
+            if (!values.CheckValueSequence())
+            {
+                return false;
+            }
+
+            IEnumerable<string> mech_list = null;
+            NegotiateContextFlags flags = NegotiateContextFlags.None;
+            AuthenticationToken auth_token = null;
+            byte[] mic = null;
+
+            foreach (var next in values[0].Children)
+            {
+                if (next.Type != DERTagType.ContextSpecific)
+                    return false;
+                switch (next.Tag)
+                {
+                    case 0:
+                        mech_list = ParseMechList(next.Children);
+                        break;
+                    case 1:
+                        flags = ConvertContextFlags(next.ReadChildBitString());
+                        break;
+                    case 2:
+                        auth_token = ParseToken(next.ReadChildOctetString(), token_count, client);
+                        break;
+                    case 3:
+                        // If NegTokenInit2 then just ignore neg hints.
+                        if (next.HasChildren() && next.Children[0].CheckSequence())
+                            break;
+                        mic = next.ReadChildOctetString();
+                        break;
+                    case 4:
+                        // Used if NegTokenInit2.
+                        mic = next.ReadChildOctetString();
+                        break;
+                    default:
+                        return false;
+                }
+            }
+
+            token = new NegotiateInitAuthenticationToken(data, mech_list, flags, auth_token, mic);
+            return true;
+        }
+
+        private static bool ParseResp(byte[] data, DERValue[] values, int token_count, bool client, out NegotiateAuthenticationToken token)
+        {
+            token = null;
+            if (!values.CheckValueSequence())
+            {
+                return false;
+            }
+
+            string mech = null;
+            NegotiateAuthenticationState state = NegotiateAuthenticationState.Reject;
+            AuthenticationToken auth_token = null;
+            byte[] mic = null;
+
+            foreach (var next in values[0].Children)
+            {
+                if (next.Type != DERTagType.ContextSpecific)
+                    return false;
+                switch (next.Tag)
+                {
+                    case 0:
+                        state = (NegotiateAuthenticationState)next.ReadChildEnumerated();
+                        break;
+                    case 1:
+                        mech = next.ReadChildObjID();
+                        break;
+                    case 2:
+                        auth_token = ParseToken(next.ReadChildOctetString(), token_count, client);
+                        break;
+                    case 3:
+                        mic = next.ReadChildOctetString();
+                        break;
+                    default:
+                        return false;
+                }
+            }
+
+            token = new NegotiateResponseAuthenticationToken(data, mech, state, auth_token, mic);
+            return true;
+        }
+
+        private protected NegotiateAuthenticationToken(byte[] data, AuthenticationToken token, byte[] mic) 
             : base(data)
         {
+            Token = token;
+            MessageIntegrityCode = mic;
+        }
+
+        #region Public Static Methods
+        /// <summary>
+        /// Parse bytes into a negotiate token.
+        /// </summary>
+        /// <param name="data">The negotiate token in bytes.</param>
+        /// <returns>The Negotiate token.</returns>
+        public static NegotiateAuthenticationToken Parse(byte[] data)
+        {
+            if (!TryParse(data, 0, false, out NegotiateAuthenticationToken token))
+            {
+                throw new ArgumentException(nameof(data));
+            }
+            return token;
         }
+        #endregion
 
         #region Internal Static Methods
         /// <summary>
@@ -40,13 +242,45 @@ internal static bool TryParse(byte[] data, int token_count, bool client, out Neg
             token = null;
             try
             {
-                token = new NegotiateAuthenticationToken(data);
-                return true;
+                byte[] token_data;
+                if (GSSAPIUtils.TryParse(data, out token_data, out string oid))
+                {
+                    if (oid != OIDValues.SPNEGO)
+                    {
+                        return false;
+                    }
+                }
+                else
+                {
+                    token_data = data;
+                }
+
+                DERValue[] values = DERParser.ParseData(token_data, 0);
+                if (values.Length != 1 || values[0].Type != DERTagType.ContextSpecific)
+                {
+                    return false;
+                }
+
+                if (values[0].CheckContext(0))
+                {
+                    return ParseInit(data, values[0].Children, token_count, client, out token);
+                }
+                else if (values[0].CheckContext(1))
+                {
+                    return ParseResp(data, values[0].Children, token_count, client, out token);
+                }
+                else
+                {
+                    return false;
+                }
             }
             catch (EndOfStreamException)
             {
-                return false;
             }
+            catch (InvalidDataException)
+            {
+            }
+            return false;
         }
         #endregion
     }