Merge pull request #16 from WinRb/dan/ntlm-client

Initial go at an NTLM Client that will do session signing/sealing

Author: zenchild

Diff for: Rakefile

@@ -12,3 +12,11 @@ task :coverage do
   Rake::Task["spec"].execute
 end
 
+desc "Open a Pry console for this library"
+task :console do
+  require 'pry'
+  require 'net/ntlm'
+  ARGV.clear
+  Pry.start
+end
+

Diff for: lib/net/ntlm.rb

@@ -57,11 +57,9 @@
 require 'net/ntlm/message/type2'
 require 'net/ntlm/message/type3'
 
-
 require 'net/ntlm/encode_util'
 
-
-
+require 'net/ntlm/client'
 
 module Net
   module NTLM
@@ -135,7 +133,7 @@ def ntlm_hash(password, opt = {})
       # @option opt :unicode (false) Unicode encode the domain
       def ntlmv2_hash(user, password, target, opt={})
         ntlmhash = ntlm_hash(password, opt)
-        userdomain = (user + target).upcase
+        userdomain = user.upcase + target
         unless opt[:unicode]
           userdomain = EncodeUtil.encode_utf16le(userdomain)
         end

Diff for: lib/net/ntlm/client.rb

@@ -0,0 +1,61 @@
+module Net
+  module NTLM
+    class Client
+
+      DEFAULT_FLAGS = NTLM::FLAGS[:UNICODE] | NTLM::FLAGS[:OEM] |
+        NTLM::FLAGS[:SIGN]   | NTLM::FLAGS[:SEAL]         | NTLM::FLAGS[:REQUEST_TARGET] |
+        NTLM::FLAGS[:NTLM]   | NTLM::FLAGS[:ALWAYS_SIGN]  | NTLM::FLAGS[:NTLM2_KEY] |
+        NTLM::FLAGS[:KEY128] | NTLM::FLAGS[:KEY_EXCHANGE] | NTLM::FLAGS[:KEY56]
+
+      attr_reader :username, :password, :domain, :workstation, :flags
+
+      # @note All string parameters should be encoded in UTF-8. The proper
+      #   final encoding for placing in the various {Message messages} will be
+      #   chosen based on negotiation with the server.
+      #
+      # @param username [String]
+      # @param password [String]
+      # @option opts [String] :domain where we're authenticating to
+      # @option opts [String] :workstation local workstation name
+      # @option opts [Fixnum] :flags (DEFAULT_FLAGS) see Net::NTLM::Message::Type1.flag
+      def initialize(username, password, opts = {})
+        @username     = username
+        @password     = password
+        @domain       = opts[:domain] || nil
+        @workstation  = opts[:workstation] || nil
+        @flags        = opts[:flags] || DEFAULT_FLAGS
+      end
+
+      # @return [NTLM::Message]
+      def init_context(resp = nil)
+        if resp.nil?
+          @session = nil
+          type1_message
+        else
+          @session = Client::Session.new(self, Net::NTLM::Message.decode64(resp))
+          @session.authenticate!
+        end
+      end
+
+      # @return [Client::Session]
+      def session
+        @session
+      end
+
+      private
+
+      # @return [Message::Type1]
+      def type1_message
+        type1 = Message::Type1.new
+        type1[:flag].value = flags
+        type1.domain = domain if domain
+        type1.workstation = workstation if workstation
+
+        type1
+      end
+
+    end
+  end
+end
+
+require "net/ntlm/client/session"

Diff for: lib/net/ntlm/client/session.rb

@@ -0,0 +1,223 @@
+module Net
+  module NTLM
+    class Client::Session
+
+      VERSION_MAGIC = "\x01\x00\x00\x00"
+      TIME_OFFSET   = 11644473600
+      MAX64         = 0xffffffffffffffff
+      CLIENT_TO_SERVER_SIGNING = "session key to client-to-server signing key magic constant\0"
+      SERVER_TO_CLIENT_SIGNING = "session key to server-to-client signing key magic constant\0"
+      CLIENT_TO_SERVER_SEALING = "session key to client-to-server sealing key magic constant\0"
+      SERVER_TO_CLIENT_SEALING = "session key to server-to-client sealing key magic constant\0"
+
+      attr_reader :client, :challenge_message
+
+      # @param client [Net::NTLM::Client] the client instance
+      # @param challenge_message [Net::NTLM::Message::Type2] server message
+      def initialize(client, challenge_message)
+        @client = client
+        @challenge_message = challenge_message
+      end
+
+      # Generate an NTLMv2 AUTHENTICATE_MESSAGE
+      # @see http://msdn.microsoft.com/en-us/library/cc236643.aspx
+      # @return [Net::NTLM::Message::Type3]
+      def authenticate!
+        calculate_user_session_key!
+        type3_opts = {
+          :lm_response   => lmv2_resp,
+          :ntlm_response => ntlmv2_resp,
+          :domain        => domain,
+          :user          => username,
+          :workstation   => workstation,
+          :flag          => (challenge_message.flag & client.flags)
+        }
+        t3 = Message::Type3.create type3_opts
+        if negotiate_key_exchange?
+          t3.enable(:session_key)
+          rc4 = OpenSSL::Cipher::Cipher.new("rc4")
+          rc4.encrypt
+          rc4.key = user_session_key
+          sk = rc4.update master_key
+          sk << rc4.final
+          t3.session_key = sk
+        end
+        t3
+      end
+
+      def sign_message(message)
+        seq = sequence
+        sig = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, client_sign_key, "#{seq}#{message}")[0..7]
+        if negotiate_key_exchange?
+          sig = client_cipher.update sig
+          sig << client_cipher.final
+        end
+        "#{VERSION_MAGIC}#{sig}#{seq}"
+      end
+
+      def verify_signature(signature, message)
+        seq = signature[-4..-1]
+        sig = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, server_sign_key, "#{seq}#{message}")[0..7]
+        if negotiate_key_exchange?
+          sig = server_cipher.update sig
+          sig << server_cipher.final
+        end
+        "#{VERSION_MAGIC}#{sig}#{seq}" == signature
+      end
+
+      def seal_message(message)
+        emessage = client_cipher.update(message)
+        emessage + client_cipher.final
+      end
+
+      def unseal_message(emessage)
+        message = server_cipher.update(emessage)
+        message + server_cipher.final
+      end
+
+
+      private
+
+
+      def user_session_key
+        @user_session_key ||=  nil
+      end
+
+      def master_key
+        @master_key ||= begin
+                          if negotiate_key_exchange?
+                            OpenSSL::Cipher.new("rc4").random_key
+                          else
+                            user_session_key
+                          end
+                        end
+      end
+
+      def sequence
+        [raw_sequence].pack("V*")
+      end
+
+      def raw_sequence
+        if defined? @raw_sequence
+          @raw_sequence += 1
+        else
+          @raw_sequence = 0
+        end
+      end
+
+      def client_sign_key
+        @client_sign_key ||= OpenSSL::Digest::MD5.digest "#{master_key}#{CLIENT_TO_SERVER_SIGNING}"
+      end
+
+      def server_sign_key
+        @server_sign_key ||= OpenSSL::Digest::MD5.digest "#{master_key}#{SERVER_TO_CLIENT_SIGNING}"
+      end
+
+      def client_seal_key
+        @client_seal_key ||= OpenSSL::Digest::MD5.digest "#{master_key}#{CLIENT_TO_SERVER_SEALING}"
+      end
+
+      def server_seal_key
+        @server_seal_key ||= OpenSSL::Digest::MD5.digest "#{master_key}#{SERVER_TO_CLIENT_SEALING}"
+      end
+
+      def client_cipher
+        @client_cipher ||=
+          begin
+            rc4 = OpenSSL::Cipher::Cipher.new("rc4")
+            rc4.encrypt
+            rc4.key = client_seal_key
+            rc4
+          end
+      end
+
+      def server_cipher
+        @server_cipher ||=
+          begin
+            rc4 = OpenSSL::Cipher::Cipher.new("rc4")
+            rc4.decrypt
+            rc4.key = server_seal_key
+            rc4
+          end
+      end
+
+      def client_challenge
+        @client_challenge ||= NTLM.pack_int64le(rand(MAX64))
+      end
+
+      def server_challenge
+        @server_challenge ||= challenge_message[:challenge].serialize
+      end
+
+      # epoch -> milsec from Jan 1, 1601
+      # @see http://support.microsoft.com/kb/188768
+      def timestamp
+        @timestamp ||= 10_000_000 * (Time.now.to_i + TIME_OFFSET)
+      end
+
+      def use_oem_strings?
+        challenge_message.has_flag? :OEM
+      end
+
+      def negotiate_key_exchange?
+        challenge_message.has_flag? :KEY_EXCHANGE
+      end
+
+      def username
+        oem_or_unicode_str client.username
+      end
+
+      def password
+        oem_or_unicode_str client.password
+      end
+
+      def workstation
+        (client.domain ? oem_or_unicode_str(client.workstation) : "")
+      end
+
+      def domain
+        (client.domain ? oem_or_unicode_str(client.domain) : "")
+      end
+
+      def oem_or_unicode_str(str)
+        if use_oem_strings?
+          NTLM::EncodeUtil.decode_utf16le str
+        else
+          NTLM::EncodeUtil.encode_utf16le str
+        end
+      end
+
+      def ntlmv2_hash
+        @ntlmv2_hash ||= NTLM.ntlmv2_hash(username, password, domain, {:client_challenge => client_challenge, :unicode => !use_oem_strings?})
+      end
+
+      def calculate_user_session_key!
+        @user_session_key = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmv2_hash, nt_proof_str)
+      end
+
+      def lmv2_resp
+        OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmv2_hash, server_challenge + client_challenge) + client_challenge
+      end
+
+      def ntlmv2_resp
+        nt_proof_str + blob
+      end
+
+      def nt_proof_str
+        @nt_proof_str ||= OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmv2_hash, server_challenge + blob)
+      end
+
+      def blob
+        @blob ||=
+          begin
+            b = Blob.new
+            b.timestamp = timestamp
+            b.challenge = client_challenge
+            b.target_info = challenge_message.target_info
+            b.serialize
+          end
+      end
+
+    end
+  end
+end

Diff for: lib/net/ntlm/message.rb

@@ -20,8 +20,8 @@ module NTLM
       :LOCAL_CALL           => 0x00004000,
       :ALWAYS_SIGN          => 0x00008000,
       :TARGET_TYPE_DOMAIN   => 0x00010000,
-      :TARGET_INFO          => 0x00800000,
       :NTLM2_KEY            => 0x00080000,
+      :TARGET_INFO          => 0x00800000,
       :KEY128               => 0x20000000,
       :KEY_EXCHANGE         => 0x40000000,
       :KEY56                => 0x80000000

Diff for: lib/net/ntlm/message/type1.rb

@@ -16,5 +16,3 @@ class Type1 < Message
     end
   end
 end
-
-

Diff for: lib/net/ntlm/message/type3.rb

@@ -39,7 +39,7 @@ def create(arg, opt ={})
 
             if arg[:session_key]
               t.enable(:session_key)
-              t.session_key = arg[session_key]
+              t.session_key = arg[:session_key]
             end
 
             if arg[:flag]

Diff for: rubyntlm.gemspec

@@ -21,6 +21,7 @@ Gem::Specification.new do |s|
 
   s.license = 'MIT'
 
+  s.add_development_dependency "pry"
   s.add_development_dependency "rake"
   s.add_development_dependency "rspec", ">= 2.11"
   s.add_development_dependency "simplecov"