Documentation ¶
Overview ¶
Package NTLM implements the interfaces used for interacting with NTLMv1 and NTLMv2. To create NTLM v1 or v2 sessions you would use CreateClientSession and create ClientServerSession.
Index ¶
- Constants
- Variables
- func FlagsToString(flags NegotiateFlag) string
- func GetFlagName(flag NegotiateFlag) string
- func MacsEqual(slice1, slice2 []byte) bool
- func NtlmV2Mac(message []byte, sequenceNumber int, handle *rc4P.Cipher, ...) []byte
- func NtlmVCommonMac(message []byte, sequenceNumber int, sealingKey, signingKey []byte, ...) []byte
- func UintToString(flags uint32) string
- type AuthenticateMessage
- type AvPair
- type AvPairType
- type AvPairs
- func (p *AvPairs) AddAvPair(avId AvPairType, bytes []byte)
- func (p *AvPairs) ByteValue(avType AvPairType) (result []byte)
- func (p *AvPairs) Bytes() (result []byte)
- func (p *AvPairs) Find(avType AvPairType) (result *AvPair)
- func (p *AvPairs) String() string
- func (p *AvPairs) StringValue(avType AvPairType) (result string)
- type ChallengeMessage
- type ClientSession
- type LmV1Response
- type LmV2Response
- type MessageType
- type Mode
- type NegotiateFlag
- type NegotiateMessage
- type NtlmV1Response
- type NtlmV2ClientChallenge
- type NtlmV2Response
- type NtlmsspMessageSignature
- type PayloadStruct
- func CreateBytePayload(bytes []byte) (*PayloadStruct, error)
- func CreateStringPayload(value string) (*PayloadStruct, error)
- func ReadBytePayload(startByte int, bytes []byte) (*PayloadStruct, error)
- func ReadPayloadStruct(startByte int, bytes []byte, PayloadType int) (*PayloadStruct, error)
- func ReadStringPayload(startByte int, bytes []byte) (*PayloadStruct, error)
- type ServerSession
- type SessionData
- type V1ClientSession
- func (n *V1ClientSession) GenerateAuthenticateMessage() (am *AuthenticateMessage, err error)
- func (n *V1ClientSession) GenerateNegotiateMessage() (nm *NegotiateMessage, err error)
- func (n *V1ClientSession) Mac(message []byte, sequenceNumber int) ([]byte, error)
- func (n *V1ClientSession) ProcessChallengeMessage(cm *ChallengeMessage) (err error)
- func (n *V1ClientSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error)
- type V1ServerSession
- func (n *V1ServerSession) GenerateChallengeMessage() (cm *ChallengeMessage, err error)
- func (n *V1ServerSession) GetSessionData() *SessionData
- func (n *V1ServerSession) Mac(message []byte, sequenceNumber int) ([]byte, error)
- func (n *V1ServerSession) ProcessAuthenticateMessage(am *AuthenticateMessage) (err error)
- func (n *V1ServerSession) ProcessNegotiateMessage(nm *NegotiateMessage) (err error)
- func (n *V1ServerSession) SetServerChallenge(challenge []byte)
- func (n *V1ServerSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error)
- type V1Session
- func (n *V1Session) GetUserInfo() (string, string, string)
- func (n *V1Session) Seal(_ []byte) ([]byte, error)
- func (n *V1Session) SetMode(mode Mode)
- func (n *V1Session) SetUserInfo(username string, password string, domain string)
- func (n *V1Session) Sign(_ []byte) ([]byte, error)
- func (n *V1Session) Version() int
- type V2ClientSession
- func (n *V2ClientSession) GenerateAuthenticateMessage() (am *AuthenticateMessage, err error)
- func (n *V2ClientSession) GenerateNegotiateMessage() (nm *NegotiateMessage, err error)
- func (n *V2ClientSession) Mac(message []byte, sequenceNumber int) ([]byte, error)
- func (n *V2ClientSession) ProcessChallengeMessage(cm *ChallengeMessage) (err error)
- func (n *V2ClientSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error)
- type V2ServerSession
- func (n *V2ServerSession) GenerateChallengeMessage() (cm *ChallengeMessage, err error)
- func (n *V2ServerSession) GetSessionData() *SessionData
- func (n *V2ServerSession) Mac(message []byte, sequenceNumber int) ([]byte, error)
- func (n *V2ServerSession) ProcessAuthenticateMessage(am *AuthenticateMessage) (err error)
- func (n *V2ServerSession) ProcessNegotiateMessage(nm *NegotiateMessage) (err error)
- func (n *V2ServerSession) SetServerChallenge(challenge []byte)
- func (n *V2ServerSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error)
- type V2Session
- func (n *V2Session) GetUserInfo() (string, string, string)
- func (n *V2Session) Seal(_ []byte) ([]byte, error)
- func (n *V2Session) SetMode(mode Mode)
- func (n *V2Session) SetUserInfo(username string, password string, domain string)
- func (n *V2Session) Sign(_ []byte) ([]byte, error)
- func (n *V2Session) Version() int
- type Version
- type VersionStruct
Constants ¶
const ( UnicodeStringPayload = iota OemStringPayload BytesPayload )
Variables ¶
var Signature = []byte("NTLMSSP\x00")
Functions ¶
func FlagsToString ¶
func FlagsToString(flags NegotiateFlag) string
func GetFlagName ¶
func GetFlagName(flag NegotiateFlag) string
func NtlmVCommonMac ¶
func NtlmVCommonMac(message []byte, sequenceNumber int, sealingKey, signingKey []byte, NegotiateFlags NegotiateFlag) []byte
Mildly ghetto that we expose this
func UintToString ¶
Types ¶
type AuthenticateMessage ¶
type AuthenticateMessage struct { // sig - 8 bytes Signature []byte // message type - 4 bytes MessageType MessageType // The LmChallenge Response can be v1 or v2 LmChallengeResponse *PayloadStruct // 8 bytes LmV1Response *LmV1Response LmV2Response *LmV2Response // The NtChallengeResponse can be v1 or v2 NtChallengeResponseFields *PayloadStruct // 8 bytes NtlmV1Response *NtlmV1Response NtlmV2Response *NtlmV2Response DomainName *PayloadStruct // 8 bytes UserName *PayloadStruct // 8 bytes Workstation *PayloadStruct // 8 bytes // If the NTLMSSP_NEGOTIATE_KEY_EXCH flag is set in the negotiate flags then this will point to the offset in the payload // with the key, otherwise it will have Len = 0. According to Davenport these bytes are optional (see Type3 message). // The MS-NLMP docs do not mention this. EncryptedRandomSessionKey *PayloadStruct // 8 bytes /// MS-NLMP 2.2.1.3 - In connectionless mode, a NEGOTIATE structure that contains a set of bit flags (section 2.2.2.5) and represents the // conclusion of negotiation—the choices the client has made from the options the server offered in the CHALLENGE_MESSAGE. // In connection-oriented mode, a NEGOTIATE structure that contains the set of bit flags (section 2.2.2.5) negotiated in // the previous NegotiateFlags NegotiateFlag // 4 bytes // Version (8 bytes): A VERSION structure (section 2.2.2.10) that is present only when the NTLMSSP_NEGOTIATE_VERSION // flag is set in the NegotiateFlags field. This structure is used for debugging purposes only. In normal protocol // messages, it is ignored and does not affect the NTLM message processing.<9> Version *VersionStruct // The message integrity for the NTLM NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, and AUTHENTICATE_MESSAGE.<10> Mic []byte // 16 bytes // payload - variable Payload []byte }
func ParseAuthenticateMessage ¶
func ParseAuthenticateMessage(body []byte, ntlmVersion int) (*AuthenticateMessage, error)
func (*AuthenticateMessage) Bytes ¶
func (a *AuthenticateMessage) Bytes() []byte
func (*AuthenticateMessage) ClientChallenge ¶
func (a *AuthenticateMessage) ClientChallenge() (response []byte)
func (*AuthenticateMessage) String ¶
func (a *AuthenticateMessage) String() string
type AvPair ¶
type AvPair struct { AvId AvPairType AvLen uint16 Value []byte }
AvPair as described by MS-NLMP
func ReadAvPair ¶
func (*AvPair) UnicodeStringValue ¶
type AvPairType ¶
type AvPairType uint16
const ( // Indicates that this is the last AV_PAIR in the list. AvLen MUST be 0. This type of information MUST be present in the AV pair list. MsvAvEOL AvPairType = iota // The server's NetBIOS computer name. The name MUST be in Unicode, and is not null-terminated. This type of information MUST be present in the AV_pair list. MsvAvNbComputerName // The server's NetBIOS domain name. The name MUST be in Unicode, and is not null-terminated. This type of information MUST be present in the AV_pair list. MsvAvNbDomainName // The fully qualified domain name (FQDN (1)) of the computer. The name MUST be in Unicode, and is not null-terminated. MsvAvDnsComputerName // The FQDN (2) of the domain. The name MUST be in Unicode, and is not null-terminate. MsvAvDnsDomainName // The FQDN (2) of the forest. The name MUST be in Unicode, and is not null-terminated.<11> MsvAvDnsTreeName // A 32-bit value indicating server or client configuration. // 0x00000001: indicates to the client that the account authentication is constrained. // 0x00000002: indicates that the client is providing message integrity in the MIC field (section 2.2.1.3) in the AUTHENTICATE_MESSAGE.<12> // 0x00000004: indicates that the client is providing a target SPN generated from an untrusted source.<13> MsvAvFlags // A FILETIME structure ([MS-DTYP] section 2.3.1) in little-endian byte order that contains the server local time.<14> MsvAvTimestamp //A Restriction_Encoding (section 2.2.2.2) structure. The Value field contains a structure representing the integrity level of the security principal, as well as a MachineID created at computer startup to identify the calling machine.<15> MsAvRestrictions // The SPN of the target server. The name MUST be in Unicode and is not null-terminated.<16> MsvAvTargetName // annel bindings hash. The Value field contains an MD5 hash ([RFC4121] section 4.1.1.2) of a gss_channel_bindings_struct ([RFC2744] section 3.11). // An all-zero value of the hash is used to indicate absence of channel bindings.<17> MsvChannelBindings )
MS-NLMP - 2.2.2.1 AV_PAIR
type AvPairs ¶
type AvPairs struct {
List []AvPair
}
Helper struct that contains a list of AvPairs with helper methods for running through them
func ReadAvPairs ¶
func (*AvPairs) AddAvPair ¶
func (p *AvPairs) AddAvPair(avId AvPairType, bytes []byte)
func (*AvPairs) ByteValue ¶
func (p *AvPairs) ByteValue(avType AvPairType) (result []byte)
func (*AvPairs) Find ¶
func (p *AvPairs) Find(avType AvPairType) (result *AvPair)
func (*AvPairs) StringValue ¶
func (p *AvPairs) StringValue(avType AvPairType) (result string)
type ChallengeMessage ¶
type ChallengeMessage struct { // sig - 8 bytes Signature []byte // message type - 4 bytes MessageType MessageType // TargetName - 12 bytes TargetName *PayloadStruct // negotiate flags - 4bytes NegotiateFlags NegotiateFlag // server challenge - 8 bytes ServerChallenge []byte // reserved - 8 bytes (set to 0). This field is also known as 'context' in the davenport documentation Reserved []byte // TargetInfo - 12 bytes TargetInfoPayloadStruct *PayloadStruct TargetInfo *AvPairs // version - 8 bytes Version *VersionStruct // payload - variable Payload []byte }
func ParseChallengeMessage ¶
func ParseChallengeMessage(body []byte) (*ChallengeMessage, error)
func (*ChallengeMessage) Bytes ¶
func (c *ChallengeMessage) Bytes() []byte
func (*ChallengeMessage) String ¶
func (c *ChallengeMessage) String() string
type ClientSession ¶
type ClientSession interface { SetUserInfo(username string, password string, domain string) SetMode(mode Mode) GenerateNegotiateMessage() (*NegotiateMessage, error) ProcessChallengeMessage(*ChallengeMessage) error GenerateAuthenticateMessage() (*AuthenticateMessage, error) Seal(message []byte) ([]byte, error) Sign(message []byte) ([]byte, error) Mac(message []byte, sequenceNumber int) ([]byte, error) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) SetWorkstation(ws string) }
func CreateClientSession ¶
func CreateClientSession(version Version, mode Mode) (n ClientSession, err error)
Creates an NTLM v1 or v2 client mode - This must be ConnectionlessMode or ConnectionOrientedMode depending on what type of NTLM is used version - This must be Version1 or Version2 depending on the version of NTLM used
type LmV1Response ¶
type LmV1Response struct { // 24 bytes Response []byte }
LMv1 ****
func ReadLmV1Response ¶
func ReadLmV1Response(bytes []byte) *LmV1Response
func (*LmV1Response) String ¶
func (l *LmV1Response) String() string
type LmV2Response ¶
type LmV2Response struct { // A 16-byte array of unsigned char that contains the client's LM challenge-response. // This is the portion of the LmChallengeResponse field to which the HMAC_MD5 algorithm /// has been applied, as defined in section 3.3.2. Specifically, Response corresponds // to the result of applying the HMAC_MD5 algorithm, using the key ResponseKeyLM, to a // message consisting of the concatenation of the ResponseKeyLM, ServerChallenge and ClientChallenge. Response []byte // An 8-byte array of unsigned char that contains the client's ClientChallenge, as defined in section 3.1.5.1.2. ChallengeFromClient []byte }
*** LMv2
func ReadLmV2Response ¶
func ReadLmV2Response(bytes []byte) *LmV2Response
func (*LmV2Response) String ¶
func (l *LmV2Response) String() string
type MessageType ¶
type MessageType uint32
const ( NEGOTATE_MESSAGE MessageType = 1 << iota CHALLENGE_MESSAGE AUTHENTICATE_MESSAGE )
func ParseMessageType ¶
func ParseMessageType(in []byte) MessageType
func (MessageType) Bytes ¶
func (m MessageType) Bytes() (result []byte)
type NegotiateFlag ¶
type NegotiateFlag uint32
const ( // A (1 bit): If set, requests Unicode character set encoding. An alternate name for this field is NTLMSSP_NEGOTIATE_UNICODE. NTLMSSP_NEGOTIATE_UNICODE NegotiateFlag = 1 << iota // B (1 bit): If set, requests OEM character set encoding. An alternate name for this field is NTLM_NEGOTIATE_OEM. See bit A for details. NTLM_NEGOTIATE_OEM // The A and B bits are evaluated together as follows: // A==1: The choice of character set encoding MUST be Unicode. // A==0 and B==1: The choice of character set encoding MUST be OEM. // A==0 and B==0: The protocol MUST return SEC_E_INVALID_TOKEN. // C (1 bit): If set, a TargetName field of the CHALLENGE_MESSAGE (section 2.2.1.2) MUST be supplied. An alternate name for this field is NTLMSSP_REQUEST_TARGET. NTLMSSP_REQUEST_TARGET // r10 (1 bit): This bit is unused and MUST be zero. NTLMSSP_R10 // D (1 bit): If set, requests session key negotiation for message signatures. If the client sends NTLMSSP_NEGOTIATE_SIGN to the server // in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_SIGN to the client in the CHALLENGE_MESSAGE. An alternate name // for this field is NTLMSSP_NEGOTIATE_SIGN. NTLMSSP_NEGOTIATE_SIGN // E (1 bit): If set, requests session key negotiation for message confidentiality. If the client sends NTLMSSP_NEGOTIATE_SEAL // to the server in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_SEAL to the client in the CHALLENGE_MESSAGE. // Clients and servers that set NTLMSSP_NEGOTIATE_SEAL SHOULD always set NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128, // if they are supported. An alternate name for this field is NTLMSSP_NEGOTIATE_SEAL. NTLMSSP_NEGOTIATE_SEAL // F (1 bit): If set, requests connectionless authentication. If NTLMSSP_NEGOTIATE_DATAGRAM is set, then NTLMSSP_NEGOTIATE_KEY_EXCH // MUST always be set in the AUTHENTICATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client. An alternate name for // this field is NTLMSSP_NEGOTIATE_DATAGRAM. NTLMSSP_NEGOTIATE_DATAGRAM // G (1 bit): If set, requests LAN Manager (LM) session key computation. NTLMSSP_NEGOTIATE_LM_KEY and NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY // are mutually exclusive. If both NTLMSSP_NEGOTIATE_LM_KEY and NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are requested, // NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY alone MUST be returned to the client. NTLM v2 authentication session key generation // MUST be supported by both the client and the DC in order to be used, and extended session security signing and sealing requires // support from the client and the server to be used. An alternate name for this field is NTLMSSP_NEGOTIATE_LM_KEY. NTLMSSP_NEGOTIATE_LM_KEY // r9 (1 bit): This bit is unused and MUST be zero. NTLMSSP_R9 // H (1 bit): If set, requests usage of the NTLM v1 session security protocol. NTLMSSP_NEGOTIATE_NTLM MUST be set in the // NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client. An alternate name for this field is NTLMSSP_NEGOTIATE_NTLM. NTLMSSP_NEGOTIATE_NTLM // r8 (1 bit): This bit is unused and MUST be zero. NTLMSSP_R8 // J (1 bit): If set, the connection SHOULD be anonymous.<26> r8 (1 bit): This bit is unused and SHOULD be zero.<27> NTLMSSP_ANONYMOUS // K (1 bit): If set, the domain name is provided (section 2.2.1.1).<25> An alternate name for this field is NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED. NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED // L (1 bit): This flag indicates whether the Workstation field is present. If this flag is not set, the Workstation field // MUST be ignored. If this flag is set, the length field of the Workstation field specifies whether the workstation name // is nonempty or not.<24> An alternate name for this field is NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED. NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED // r7 (1 bit): This bit is unused and MUST be zero. NTLMSSP_R7 // M (1 bit): If set, requests the presence of a signature block on all NTLMSSP_NEGOTIATE_ALWAYS_SIGN MUST be // set in the NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client. NTLMSSP_NEGOTIATE_ALWAYS_SIGN is // overridden by NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL, if they are supported. An alternate name for this field // is NTLMSSP_NEGOTIATE_ALWAYS_SIGN. NTLMSSP_NEGOTIATE_ALWAYS_SIGN // N (1 bit): If set, TargetName MUST be a domain name. The data corresponding to this flag is provided by the server in the // TargetName field of the CHALLENGE_MESSAGE. If set, then NTLMSSP_TARGET_TYPE_SERVER MUST NOT be set. This flag MUST be ignored // in the NEGOTIATE_MESSAGE and the AUTHENTICATE_MESSAGE. An alternate name for this field is NTLMSSP_TARGET_TYPE_DOMAIN. NTLMSSP_TARGET_TYPE_DOMAIN // O (1 bit): If set, TargetName MUST be a server name. The data corresponding to this flag is provided by the server in the // TargetName field of the CHALLENGE_MESSAGE. If this bit is set, then NTLMSSP_TARGET_TYPE_DOMAIN MUST NOT be set. This flag MUST // be ignored in the NEGOTIATE_MESSAGE and the AUTHENTICATE_MESSAGE. An alternate name for this field is NTLMSSP_TARGET_TYPE_SERVER. NTLMSSP_TARGET_TYPE_SERVER // r6 (1 bit): This bit is unused and MUST be zero. NTLMSSP_R6 // P (1 bit): If set, requests usage of the NTLM v2 session security. NTLM v2 session security is a misnomer because it is not // NTLM v2. It is NTLM v1 using the extended session security that is also in NTLM v2. NTLMSSP_NEGOTIATE_LM_KEY and // NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are mutually exclusive. If both NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY and // NTLMSSP_NEGOTIATE_LM_KEY are requested, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY alone MUST be returned to the client. // NTLM v2 authentication session key generation MUST be supported by both the client and the DC in order to be used, and extended // session security signing and sealing requires support from the client and the server in order to be used.<23> An alternate name // for this field is NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY. NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY // Q (1 bit): If set, requests an identify level token. An alternate name for this field is NTLMSSP_NEGOTIATE_IDENTIFY. NTLMSSP_NEGOTIATE_IDENTIFY // r5 (1 bit): This bit is unused and MUST be zero. NTLMSSP_R5 // R (1 bit): If set, requests the usage of the LMOWF (section 3.3). An alternate name for this field is NTLMSSP_REQUEST_NON_NT_SESSION_KEY. NTLMSSP_REQUEST_NON_NT_SESSION_KEY // S (1 bit): If set, indicates that the TargetInfo fields in the CHALLENGE_MESSAGE (section 2.2.1.2) are populated. An alternate // name for this field is NTLMSSP_NEGOTIATE_TARGET_INFO. NTLMSSP_NEGOTIATE_TARGET_INFO // r4 (1 bit): This bit is unused and MUST be zero. NTLMSSP_R4 // T (1 bit): If set, requests the protocol version number. The data corresponding to this flag is provided in the Version field of the // NEGOTIATE_MESSAGE, the CHALLENGE_MESSAGE, and the AUTHENTICATE_MESSAGE.<22> An alternate name for this field is NTLMSSP_NEGOTIATE_VERSION. NTLMSSP_NEGOTIATE_VERSION // r3 (1 bit): This bit is unused and MUST be zero. NTLMSSP_R3 // r2 (1 bit): This bit is unused and MUST be zero. NTLMSSP_R2 // r1 (1 bit): This bit is unused and MUST be zero. NTLMSSP_R1 // U (1 bit): If set, requests 128-bit session key negotiation. An alternate name for this field is NTLMSSP_NEGOTIATE_128. If the client // sends NTLMSSP_NEGOTIATE_128 to the server in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_128 to the client in the // CHALLENGE_MESSAGE only if the client sets NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN. Otherwise it is ignored. If both // NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128 are requested and supported by the client and server, NTLMSSP_NEGOTIATE_56 and // NTLMSSP_NEGOTIATE_128 will both be returned to the client. Clients and servers that set NTLMSSP_NEGOTIATE_SEAL SHOULD set // NTLMSSP_NEGOTIATE_128 if it is supported. An alternate name for this field is NTLMSSP_NEGOTIATE_128.<21> NTLMSSP_NEGOTIATE_128 // V (1 bit): If set, requests an explicit key exchange. This capability SHOULD be used because it improves security for message integrity or // confidentiality. See sections 3.2.5.1.2, 3.2.5.2.1, and 3.2.5.2.2 for details. An alternate name for this field is NTLMSSP_NEGOTIATE_KEY_EXCH. NTLMSSP_NEGOTIATE_KEY_EXCH // If set, requests 56-bit encryption. If the client sends NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN with NTLMSSP_NEGOTIATE_56 to the // server in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_56 to the client in the CHALLENGE_MESSAGE. Otherwise it is ignored. // If both NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128 are requested and supported by the client and server, NTLMSSP_NEGOTIATE_56 and // NTLMSSP_NEGOTIATE_128 will both be returned to the client. Clients and servers that set NTLMSSP_NEGOTIATE_SEAL SHOULD set NTLMSSP_NEGOTIATE_56 // if it is supported. An alternate name for this field is NTLMSSP_NEGOTIATE_56. NTLMSSP_NEGOTIATE_56 )
func NegotiateFlags ¶
func NegotiateFlags(nfs ...NegotiateFlag) NegotiateFlag
func ParseNegotiateFlags ¶
func ParseNegotiateFlags(in []byte) NegotiateFlag
func (NegotiateFlag) Bytes ¶
func (f NegotiateFlag) Bytes() []byte
func (NegotiateFlag) IsSet ¶
func (f NegotiateFlag) IsSet(flags NegotiateFlag) bool
func (NegotiateFlag) Set ¶
func (f NegotiateFlag) Set(flags NegotiateFlag) NegotiateFlag
func (NegotiateFlag) String ¶
func (f NegotiateFlag) String() string
func (NegotiateFlag) Unset ¶
func (f NegotiateFlag) Unset(flags NegotiateFlag) NegotiateFlag
type NegotiateMessage ¶
type NegotiateMessage struct { // sig - 8 bytes Signature []byte // message type - 4 bytes MessageType MessageType // negotiate flags - 4bytes NegotiateFlags NegotiateFlag // If the NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED flag is not set in NegotiateFlags, // indicating that no DomainName is supplied in Payload - then this should have Len 0 / MaxLen 0 // this contains a domain name DomainNameFields *PayloadStruct // If the NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED flag is not set in NegotiateFlags, // indicating that no WorkstationName is supplied in Payload - then this should have Len 0 / MaxLen 0 WorkstationFields *PayloadStruct // version - 8 bytes Version *VersionStruct // payload - variable Payload []byte PayloadOffset int }
func (*NegotiateMessage) Bytes ¶
func (n *NegotiateMessage) Bytes() []byte
type NtlmV1Response ¶
type NtlmV1Response struct { // 24 byte array Response []byte }
NTLMv1 ******
func ReadNtlmV1Response ¶
func ReadNtlmV1Response(bytes []byte) (*NtlmV1Response, error)
func (*NtlmV1Response) String ¶
func (n *NtlmV1Response) String() string
type NtlmV2ClientChallenge ¶
type NtlmV2ClientChallenge struct { // An 8-bit unsigned char that contains the current version of the challenge response type. // This field MUST be 0x01. RespType byte // An 8-bit unsigned char that contains the maximum supported version of the challenge response type. // This field MUST be 0x01. HiRespType byte // A 16-bit unsigned integer that SHOULD be 0x0000 and MUST be ignored on receipt. Reserved1 uint16 // A 32-bit unsigned integer that SHOULD be 0x00000000 and MUST be ignored on receipt. Reserved2 uint32 // A 64-bit unsigned integer that contains the current system time, represented as the number of 100 nanosecond // ticks elapsed since midnight of January 1, 1601 (UTC). TimeStamp []byte // An 8-byte array of unsigned char that contains the client's ClientChallenge (section 3.1.5.1.2). ChallengeFromClient []byte // A 32-bit unsigned integer that SHOULD be 0x00000000 and MUST be ignored on receipt. Reserved3 uint32 AvPairs *AvPairs }
*** NTLMv2 The NTLMv2_CLIENT_CHALLENGE structure defines the client challenge in the AUTHENTICATE_MESSAGE. This structure is used only when NTLM v2 authentication is configured.
func (*NtlmV2ClientChallenge) String ¶
func (n *NtlmV2ClientChallenge) String() string
type NtlmV2Response ¶
type NtlmV2Response struct { // A 16-byte array of unsigned char that contains the client's NT challenge- response as defined in section 3.3.2. // Response corresponds to the NTProofStr variable from section 3.3.2. Response []byte // A variable-length byte array that contains the ClientChallenge as defined in section 3.3.2. // ChallengeFromClient corresponds to the temp variable from section 3.3.2. NtlmV2ClientChallenge *NtlmV2ClientChallenge }
The NTLMv2_RESPONSE structure defines the NTLMv2 authentication NtChallengeResponse in the AUTHENTICATE_MESSAGE. This response is used only when NTLMv2 authentication is configured.
func ReadNtlmV2Response ¶
func ReadNtlmV2Response(bytes []byte) (*NtlmV2Response, error)
func (*NtlmV2Response) String ¶
func (n *NtlmV2Response) String() string
type NtlmsspMessageSignature ¶
type NtlmsspMessageSignature struct { ByteData []byte // A 32-bit unsigned integer that contains the signature version. This field MUST be 0x00000001. Version []byte // A 4-byte array that contains the random pad for the message. RandomPad []byte // A 4-byte array that contains the checksum for the message. CheckSum []byte // A 32-bit unsigned integer that contains the NTLM sequence number for this application message. SeqNum []byte }
func (*NtlmsspMessageSignature) Bytes ¶
func (n *NtlmsspMessageSignature) Bytes() []byte
func (*NtlmsspMessageSignature) String ¶
func (n *NtlmsspMessageSignature) String() string
type PayloadStruct ¶
func CreateBytePayload ¶
func CreateBytePayload(bytes []byte) (*PayloadStruct, error)
func CreateStringPayload ¶
func CreateStringPayload(value string) (*PayloadStruct, error)
func ReadBytePayload ¶
func ReadBytePayload(startByte int, bytes []byte) (*PayloadStruct, error)
func ReadPayloadStruct ¶
func ReadPayloadStruct(startByte int, bytes []byte, PayloadType int) (*PayloadStruct, error)
func ReadStringPayload ¶
func ReadStringPayload(startByte int, bytes []byte) (*PayloadStruct, error)
func (*PayloadStruct) Bytes ¶
func (p *PayloadStruct) Bytes() []byte
func (*PayloadStruct) String ¶
func (p *PayloadStruct) String() string
type ServerSession ¶
type ServerSession interface { SetUserInfo(username string, password string, domain string) GetUserInfo() (string, string, string) SetMode(mode Mode) SetServerChallenge(challenge []byte) ProcessNegotiateMessage(*NegotiateMessage) error GenerateChallengeMessage() (*ChallengeMessage, error) ProcessAuthenticateMessage(*AuthenticateMessage) error GetSessionData() *SessionData Version() int Seal(message []byte) ([]byte, error) Sign(message []byte) ([]byte, error) Mac(message []byte, sequenceNumber int) ([]byte, error) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) }
func CreateServerSession ¶
func CreateServerSession(version Version, mode Mode) (n ServerSession, err error)
Creates an NTLM v1 or v2 server mode - This must be ConnectionlessMode or ConnectionOrientedMode depending on what type of NTLM is used version - This must be Version1 or Version2 depending on the version of NTLM used
type SessionData ¶
type SessionData struct { NegotiateFlags NegotiateFlag ClientSigningKey []byte ServerSigningKey []byte ClientSealingKey []byte ServerSealingKey []byte // contains filtered or unexported fields }
This struct collects NTLM data structures and keys that are used across all types of NTLM requests
func (*SessionData) SetWorkstation ¶
func (n *SessionData) SetWorkstation(workstation string)
type V1ClientSession ¶
type V1ClientSession struct {
V1Session
}
func (*V1ClientSession) GenerateAuthenticateMessage ¶
func (n *V1ClientSession) GenerateAuthenticateMessage() (am *AuthenticateMessage, err error)
func (*V1ClientSession) GenerateNegotiateMessage ¶
func (n *V1ClientSession) GenerateNegotiateMessage() (nm *NegotiateMessage, err error)
func (*V1ClientSession) Mac ¶
func (n *V1ClientSession) Mac(message []byte, sequenceNumber int) ([]byte, error)
func (*V1ClientSession) ProcessChallengeMessage ¶
func (n *V1ClientSession) ProcessChallengeMessage(cm *ChallengeMessage) (err error)
type V1ServerSession ¶
type V1ServerSession struct {
V1Session
}
func (*V1ServerSession) GenerateChallengeMessage ¶
func (n *V1ServerSession) GenerateChallengeMessage() (cm *ChallengeMessage, err error)
func (*V1ServerSession) GetSessionData ¶
func (n *V1ServerSession) GetSessionData() *SessionData
func (*V1ServerSession) Mac ¶
func (n *V1ServerSession) Mac(message []byte, sequenceNumber int) ([]byte, error)
func (*V1ServerSession) ProcessAuthenticateMessage ¶
func (n *V1ServerSession) ProcessAuthenticateMessage(am *AuthenticateMessage) (err error)
func (*V1ServerSession) ProcessNegotiateMessage ¶
func (n *V1ServerSession) ProcessNegotiateMessage(nm *NegotiateMessage) (err error)
func (*V1ServerSession) SetServerChallenge ¶
func (n *V1ServerSession) SetServerChallenge(challenge []byte)
type V2ClientSession ¶
type V2ClientSession struct {
V2Session
}
func (*V2ClientSession) GenerateAuthenticateMessage ¶
func (n *V2ClientSession) GenerateAuthenticateMessage() (am *AuthenticateMessage, err error)
func (*V2ClientSession) GenerateNegotiateMessage ¶
func (n *V2ClientSession) GenerateNegotiateMessage() (nm *NegotiateMessage, err error)
func (*V2ClientSession) Mac ¶
func (n *V2ClientSession) Mac(message []byte, sequenceNumber int) ([]byte, error)
func (*V2ClientSession) ProcessChallengeMessage ¶
func (n *V2ClientSession) ProcessChallengeMessage(cm *ChallengeMessage) (err error)
type V2ServerSession ¶
type V2ServerSession struct {
V2Session
}
func (*V2ServerSession) GenerateChallengeMessage ¶
func (n *V2ServerSession) GenerateChallengeMessage() (cm *ChallengeMessage, err error)
func (*V2ServerSession) GetSessionData ¶
func (n *V2ServerSession) GetSessionData() *SessionData
func (*V2ServerSession) Mac ¶
func (n *V2ServerSession) Mac(message []byte, sequenceNumber int) ([]byte, error)
func (*V2ServerSession) ProcessAuthenticateMessage ¶
func (n *V2ServerSession) ProcessAuthenticateMessage(am *AuthenticateMessage) (err error)
func (*V2ServerSession) ProcessNegotiateMessage ¶
func (n *V2ServerSession) ProcessNegotiateMessage(nm *NegotiateMessage) (err error)
func (*V2ServerSession) SetServerChallenge ¶
func (n *V2ServerSession) SetServerChallenge(challenge []byte)
type VersionStruct ¶
type VersionStruct struct { ProductMajorVersion uint8 ProductMinorVersion uint8 ProductBuild uint16 Reserved []byte NTLMRevisionCurrent uint8 }
func ReadVersionStruct ¶
func ReadVersionStruct(structSource []byte) (*VersionStruct, error)
func (*VersionStruct) Bytes ¶
func (v *VersionStruct) Bytes() []byte
func (*VersionStruct) String ¶
func (v *VersionStruct) String() string