

Merge pull request #84 from bjowes/master
Fix NTLM type 2 message generation
einfallstoll authored Aug 25, 2021
2 parents b3ff615 + 5014128 commit 0288bd8
Showing 1 changed file with 18 additions and 13 deletions.
31 changes: 18 additions & 13 deletions lib/NTLM_No_Proxy.js
Expand Up @@ -16,29 +16,34 @@ const NEGOTIATE_TARGET_INFO = 1 << 23;

NTLM_No_Proxy.prototype.negotiate = function(ntlm_negotiate, negotiate_callback) {
const target_name = 'ALPHA';
let challenge_flags = NEGOTIATE_OEM | REQUEST_TARGET | TARGET_TYPE_DOMAIN;
let challenge_flags = REQUEST_TARGET | TARGET_TYPE_DOMAIN;

// Follow requested NTLM protocol version
const request_flags = ntlm_negotiate.readUInt32LE(12);
const ntlm_version = request_flags & NEGOTIATE_NTLM2_KEY ? 2 : 1;
const is_unicode = request_flags & NEGOTIATE_UNICODE;
const use_unicode = request_flags & NEGOTIATE_UNICODE;
let header_len;
let data_len;
let target_name_buffer_len;

if (use_unicode) {
challenge_flags |= NEGOTIATE_UNICODE;
target_name_buffer_len = target_name.length * 2;
} else {
challenge_flags |= NEGOTIATE_OEM;
target_name_buffer_len = target_name.length;
}

if (ntlm_version === 2) {
challenge_flags |= NEGOTIATE_NTLM2_KEY | NEGOTIATE_TARGET_INFO;
header_len = 40 + 8;
data_len = target_name.length + ((2 * target_name.length) + 8);
data_len = target_name_buffer_len + ((2 * target_name.length) + 8);
} else {
challenge_flags |= NEGOTIATE_NTLM_KEY;
header_len = 40;
data_len = target_name.length;
data_len = target_name_buffer_len;
}

if (is_unicode) {
challenge_flags |= NEGOTIATE_UNICODE;
}

let challenge = new Buffer(header_len + data_len);
let offset = 0;

Expand All @@ -49,8 +54,8 @@ NTLM_No_Proxy.prototype.negotiate = function(ntlm_negotiate, negotiate_callback)
offset = challenge.writeUInt32LE(0x00000002, offset);

// Target name security buffer
offset = challenge.writeUInt16LE(target_name.length, offset);
offset = challenge.writeUInt16LE(target_name.length, offset);
offset = challenge.writeUInt16LE(target_name_buffer_len, offset);
offset = challenge.writeUInt16LE(target_name_buffer_len, offset);
offset = challenge.writeUInt32LE(header_len, offset);

// Flags
Expand All @@ -68,15 +73,15 @@ NTLM_No_Proxy.prototype.negotiate = function(ntlm_negotiate, negotiate_callback)
// Target info security buffer
offset = challenge.writeUInt16LE(target_name.length * 2 + 8, offset);
offset = challenge.writeUInt16LE(target_name.length * 2 + 8, offset);
offset = challenge.writeUInt32LE(header_len + target_name.length, offset);
offset = challenge.writeUInt32LE(header_len + target_name_buffer_len, offset);
}

// Target name data
offset += challenge.write(target_name, offset, 'ascii');
offset += challenge.write(target_name, offset, use_unicode ? 'ucs2' : 'ascii');

if (ntlm_version === 2) {
// Target info data
offset = challenge.writeUInt16LE(0x0200, offset); // Domain
offset = challenge.writeUInt16LE(0x0002, offset); // Domain
offset = challenge.writeUInt16LE(target_name.length * 2, offset);
offset += challenge.write(target_name, offset, 'ucs2');
offset = challenge.writeUInt16LE(0x0000, offset); // Terminator block
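Review bot: `let challenge = new Buffer(header_len + data_len);` in the first hunk (a context line this commit leaves in place) uses the deprecated Buffer constructor; on Node releases before 8 it returns uninitialized memory, so any byte of the Type 2 message not covered by the later writes would carry heap contents out to the client, and on newer releases it still emits a deprecation warning. The zero-filling replacement is a one-line change, `let challenge = Buffer.alloc(header_len + data_len);`. The new `target_name_buffer_len` and `target_name.length * 2` byte counts in the second and third hunks are correct for the constant `'ALPHA'`; if target_name ever becomes configurable, `Buffer.byteLength(target_name, use_unicode ? 'ucs2' : 'ascii')` is the form that stays correct for non-BMP text and for the 16-bit security-buffer length fields. The negotiate function starts in the first hunk and ends beyond the last hunk shown.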
