Adding NTLM Type 2 Message Decoding (#545)

Author: lobsterjerusalem

framework.go

@@ -72,7 +72,6 @@ import (
 	"time"
 
 	"github.com/Masterminds/semver"
-
 	"github.com/vulncheck-oss/go-exploit/c2"
 	"github.com/vulncheck-oss/go-exploit/c2/channel"
 	"github.com/vulncheck-oss/go-exploit/cli"

transform/encode.go

@@ -12,11 +12,176 @@ import (
 	"unicode/utf16"
 
 	"golang.org/x/text/cases"
+	"golang.org/x/text/encoding/unicode"
 	"golang.org/x/text/language"
 
 	"github.com/vulncheck-oss/go-exploit/output"
 )
 
+// Non-public function, used to parse individual target info types from NTLMType2 messages.
+func decodeNTLM2TargetInfo(targetInfoBytes []byte) ([]TargetInfo, bool) {
+	/* This helper only supports the standard string-based AV_PAIR types defined for NTLM TargetInfo.
+	Known and expected types:
+	  Type 0: Terminator subblock (0x0000)
+	  Type 1: Server name (UTF-16LE string, e.g., "server")
+	  Type 2: Domain name (UTF-16LE string, e.g., "domain.com")
+	  Type 3: DNS Server Name subblock (UTF-16LE string, e.g., "server.domain.com")
+	  Type 4: DNS Domain Name (UTF-16LE string, e.g., "domain.com")
+	All messages processed by this function are expected to end with a type 0 terminator block. Other AV_PAIR
+	types (e.g., timestamps, flags) are not handled here and may require different parsing logic. */
+	cursor := 0
+
+	retArr := []TargetInfo{}
+	totalLen := len(targetInfoBytes)
+	if totalLen < 4 {
+		output.PrintFrameworkError("Failed to decode target info: TargetInfo bytes buffer is too short")
+
+		return []TargetInfo{}, false
+	}
+
+	// Making sure this ends with a terminator block (0x00000000)
+	if !bytes.Equal(targetInfoBytes[totalLen-4:], []byte{0x00, 0x00, 0x00, 0x00}) {
+		output.PrintFrameworkError("Decoding NTLM Type 2 Target Info failed, invalid targetinfo buffer provided, the provided buffer does not end with a terminator block")
+
+		return []TargetInfo{}, false
+	}
+
+	// A terminator-only TargetInfo (4 bytes) is a valid empty AV-pair list in NTLM.
+	if totalLen == 4 {
+		return retArr, true
+	}
+
+	// Actual targetinfo parsing
+	for cursor < totalLen-4 {
+		if cursor+4 > totalLen-1 {
+			output.PrintFrameworkError("Invalid TargetInfo, not enough data in the buffer to parse")
+
+			return retArr, true
+		}
+
+		// Grabbing type
+		targetInfoType := int(binary.LittleEndian.Uint16(targetInfoBytes[cursor : cursor+2]))
+		if targetInfoType == 0 { // Should not really hit/caution
+			output.PrintFrameworkWarn("Hit terminator block prematurely during TargetInfo decoding of NTLM Type 2 Message")
+
+			return retArr, true
+		}
+
+		// Decoding the value, after length check
+		targetInfoLen := binary.LittleEndian.Uint16(targetInfoBytes[cursor+2 : cursor+4])
+		if (cursor + 4 + int(targetInfoLen)) > totalLen-1 {
+			output.PrintFrameworkError("Decoding NTLM Type 2 Target Info failed, Invalid target info length provided")
+
+			return []TargetInfo{}, false
+		}
+
+		value, ok := DecodeUTF16LE(targetInfoBytes[cursor+4 : cursor+4+int(targetInfoLen)])
+		if !ok {
+			return []TargetInfo{}, false
+		}
+
+		retArr = append(retArr, TargetInfo{Type: targetInfoType, Value: value})
+		cursor = cursor + 4 + int(targetInfoLen)
+	}
+
+	return retArr, true
+}
+
+type TargetInfo struct {
+	Type  int
+	Value string
+}
+
+type NTLMType2Message struct {
+	TargetName    string
+	TargetInfoArr []TargetInfo
+	Challenge     []byte
+	Flags         uint32
+}
+
+// Decodes an NTLM Type 2 message, Spec reference: https://curl.se/rfc/ntlm.html.
+// The input value should be a base64 value.
+// Returns an NTLMType2Message struct as a value.
+func DecodeNTLMType2(stringMessage string) (NTLMType2Message, bool) {
+	returnMessage := NTLMType2Message{TargetName: "", TargetInfoArr: nil, Challenge: nil, Flags: 0}
+	message := []byte(DecodeBase64(stringMessage))
+	if len(message) < 32 {
+		output.PrintFrameworkError("NTLMType2Decode Failed: Message too short")
+
+		return NTLMType2Message{}, false
+	}
+
+	if !bytes.Equal(message[:8], []byte{0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00}) {
+		output.PrintFrameworkError("NTLMType2Decode Failed: Invalid NTLMSSP signature")
+
+		return NTLMType2Message{}, false
+	}
+
+	if !bytes.Equal(message[8:12], []byte{0x02, 0x00, 0x00, 0x00}) {
+		output.PrintFrameworkError("NTLMType2Decode Failed: Message type is not 2")
+
+		return NTLMType2Message{}, false
+	}
+
+	// mandatory value parsing
+	targetNameLen := uint32(binary.LittleEndian.Uint16(message[12:14]))
+	allocatedSize := uint32(binary.LittleEndian.Uint16(message[14:16]))
+	targetNameOffset := binary.LittleEndian.Uint32(message[16:20])
+	returnMessage.Flags = binary.LittleEndian.Uint32(message[20:24])
+	returnMessage.Challenge = message[24:32]
+
+	// optional value parsing
+	if (returnMessage.Flags & 0x00800000) != 0 { // Negotiate target info is set
+		if int(targetNameOffset+targetNameLen) > len(message)-1 {
+			output.PrintFrameworkError("NTLMType2Decode Failed: Message buffer is too short, may be corrupted/truncated")
+
+			return NTLMType2Message{}, false
+		}
+
+		targetInfoData := message[targetNameOffset : targetNameOffset+targetNameLen]
+		if uint32(len(targetInfoData)) != allocatedSize {
+			output.PrintFrameworkError("NTLMType2Decode Failed: targetInfoData does not match reported allocated size")
+
+			return NTLMType2Message{}, false
+		}
+		targetInfoLen := uint32(binary.LittleEndian.Uint16(message[40:42]))
+		targetInfoOffset := binary.LittleEndian.Uint32(message[44:48])
+
+		targetName, ok := DecodeUTF16LE(message[targetNameOffset : targetNameOffset+targetNameLen])
+		if !ok {
+			return NTLMType2Message{}, false
+		}
+
+		targetInfoBuf := message[targetInfoOffset : targetInfoOffset+targetInfoLen]
+		targetInfoArr, ok := decodeNTLM2TargetInfo(targetInfoBuf)
+		if !ok {
+			output.PrintFrameworkError("NTLMType2Decode Failed: could not parse target info")
+
+			return NTLMType2Message{}, false
+		}
+
+		returnMessage.TargetName = targetName
+		returnMessage.TargetInfoArr = targetInfoArr
+		output.PrintfFrameworkDebug("NTLM Type 2: Parsed TargetName: %s", returnMessage.TargetName)
+		output.PrintfFrameworkDebug("NTLM Type 2: Parsed TargetInfo Data: %v", returnMessage.TargetInfoArr)
+	}
+
+	return returnMessage, true
+}
+
+// Converts a provided byte buffer to a UTF-16LE decoded string.
+func DecodeUTF16LE(data []byte) (string, bool) {
+	decoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewDecoder()
+	utf8bytes, err := decoder.Bytes(data)
+	if err != nil {
+		output.PrintfFrameworkError("Failed to decode input: %v", err)
+
+		return "", false
+	}
+
+	return string(utf8bytes), true
+}
+
 func StringToUnicodeByteArray(s string) []byte {
 	//nolint:prealloc
 	var byteArray []byte
@@ -164,9 +329,11 @@ func Title(s string) string {
 // URL encode every character in the provided string.
 func URLEncodeString(inputString string) string {
 	encodedChars := ""
+	var encodedCharsSb315 strings.Builder
 	for _, char := range inputString {
-		encodedChars += "%" + strconv.FormatInt(int64(char), 16)
+		encodedCharsSb315.WriteString("%" + strconv.FormatInt(int64(char), 16))
 	}
+	encodedChars += encodedCharsSb315.String()
 
 	return encodedChars
 }

transform/encode_test.go

@@ -1,13 +1,139 @@
 package transform
 
 import (
+	"encoding/binary"
+	"encoding/hex"
+	"reflect"
 	"testing"
 )
 
 const (
 	urlTestString = "Theskyabovetheportwasthecoloroftelevision,tunedtoadeadchannel.\xff\xff\xff\x3e\xfe\x00"
 )
 
+func TestDecodeUTF16LE(t *testing.T) {
+	inputHex := "44004f004d00410049004e00"
+	inputBytes, err := hex.DecodeString(inputHex)
+	if err != nil {
+		t.Fatal("Failed to decode test case")
+	}
+	decodedString, ok := DecodeUTF16LE(inputBytes)
+	if !ok {
+		t.Fatal("Failed to decode")
+	}
+
+	if !reflect.DeepEqual("DOMAIN", decodedString) {
+		t.Fatalf("Unexpected decoded value: %q", decodedString)
+	}
+
+	t.Logf("Decoded UTF16LE String: %q", decodedString)
+}
+
+func TestDecodeTargetInfo(t *testing.T) {
+	inputHex := "02000c0044004f004d00410049004e0001000c005300450052005600450052000400140064006f006d00610069006e002e0063006f006d00030022007300650072007600650072002e0064006f006d00610069006e002e0063006f006d0000000000"
+	inputBytes, err := hex.DecodeString(inputHex)
+	if err != nil {
+		t.Fatal("Failed to decode test case")
+	}
+	targetInfoArr, ok := decodeNTLM2TargetInfo(inputBytes)
+	if !ok {
+		t.Fatal("Failed to decode")
+	}
+
+	if !reflect.DeepEqual(targetInfoArr, []TargetInfo{
+		{Type: 2, Value: "DOMAIN"},
+		{Type: 1, Value: "SERVER"},
+		{Type: 4, Value: "domain.com"},
+		{Type: 3, Value: "server.domain.com"},
+	}) {
+		t.Fatalf("Unexpected decoded value: %v", targetInfoArr)
+	}
+
+	t.Logf("Decoded Type 2 TargetInfo: %v", targetInfoArr)
+}
+
+func TestDecodeNTLMType2Truncated(t *testing.T) {
+	inputHex := "4e544c4d53535000020000000c000c0030000000010281000123456789abcdef0000000000000000620062003c000000"
+	inputBytes, err := hex.DecodeString(inputHex)
+	if err != nil {
+		t.Fatal("Failed to decode test case")
+	}
+	inputBase64 := EncodeBase64(string(inputBytes))
+	_, ok := DecodeNTLMType2(inputBase64)
+	if ok {
+		t.Fatal("Test case should have failed, but decoding was reported as successful")
+	}
+	t.Log("Truncated message failed to decode as expected")
+}
+
+func TestDecodeNTLMType2(t *testing.T) {
+	inputHex := "4e544c4d53535000020000000c000c0030000000010281000123456789abcdef0000000000000000620062003c00000044004f004d00410049004e0002000c0044004f004d00410049004e0001000c005300450052005600450052000400140064006f006d00610069006e002e0063006f006d00030022007300650072007600650072002e0064006f006d00610069006e002e0063006f006d0000000000"
+	inputBytes, err := hex.DecodeString(inputHex)
+	if err != nil {
+		t.Fatal("Failed to decode test case")
+	}
+	inputBase64 := EncodeBase64(string(inputBytes))
+	message, ok := DecodeNTLMType2(inputBase64)
+	if !ok {
+		t.Fatal("Failed to decode")
+	}
+
+	if !reflect.DeepEqual(message, NTLMType2Message{
+		TargetName: "DOMAIN",
+		TargetInfoArr: []TargetInfo{
+			{Type: 2, Value: "DOMAIN"},
+			{Type: 1, Value: "SERVER"},
+			{Type: 4, Value: "domain.com"},
+			{Type: 3, Value: "server.domain.com"},
+		},
+		Challenge: []byte("\x01#Eg\x89\xab\xcd\xef"),
+		Flags:     binary.LittleEndian.Uint32([]byte("\x01\x02\x81\x00")),
+	}) {
+		t.Fatalf("Unexpected decoded value: %#v", message)
+	}
+
+	t.Logf("Decoded Type 2 Message: %#v", message)
+}
+
+func TestDecodeNTLMType2Overflow(t *testing.T) {
+	inputHex := "4e544c4d53535000020000000c000c0030000000010281000123456789abcdef0000000000000000620062003c00000044004f004d00410049004e000200120044004f004d00410049004e0001000c005300450052005600450052000400140064006f006d00610069006e002e0063006f006d00030022007300650072007600650072002e0064006f006d00610069006e002e0063006f006d0000000000"
+	inputBytes, err := hex.DecodeString(inputHex)
+	if err != nil {
+		t.Fatal("Failed to decode test case")
+	}
+	inputBase64 := EncodeBase64(string(inputBytes))
+	_, ok := DecodeNTLMType2(inputBase64)
+	if ok {
+		t.Fatal("Invalid NTLM Message decoded successfully, this should not happen")
+	}
+
+	t.Log("Properly failed on invalid message")
+}
+
+func TestDecodeNTLMType2Minimal(t *testing.T) {
+	inputHex := "4e544c4d53535000020000000000000000000000020200000123456789abcdef"
+	inputBytes, err := hex.DecodeString(inputHex)
+	if err != nil {
+		t.Fatal("Failed to decode test case")
+	}
+	inputBase64 := EncodeBase64(string(inputBytes))
+	message, ok := DecodeNTLMType2(inputBase64)
+	if !ok {
+		t.Fatal("Failed to decode")
+	}
+
+	if !reflect.DeepEqual(message, NTLMType2Message{
+		TargetName:    "",
+		TargetInfoArr: nil,
+		Challenge:     []byte("\x01\x23\x45\x67\x89\xab\xcd\xef"),
+		Flags:         binary.LittleEndian.Uint32([]byte("\x02\x02\x00\x00")),
+	}) {
+		t.Fatalf("Unexpected decoded value: %#v", message)
+	}
+
+	t.Logf("Decoded Type 2 Message: %#v", message)
+}
+
 func TestURLEncodeString(t *testing.T) {
 	encoded := URLEncodeString("foo !~")