Initial NTLM Implementation #177

rvazarkar · 2024-12-09T15:47:00Z

Description

This is the initial implementation of the new NTLM modelling, courtesy of @leechristensen .

Motivation and Context

https://specterops.atlassian.net/browse/BED-5113

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

Chore (a change that does not modify the application functionality)
Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

Documentation updates are needed, and have been made accordingly.
I have added and/or updated tests to cover my changes.
All new and existing tests passed.
My changes include a database migration.

src/CommonLib/Ntlm/HttpNtlmAuthenticationService.cs

src/CommonLib/Ntlm/HttpTransport.cs

src/CommonLib/Ntlm/LdapNative.cs

src/CommonLib/Ntlm/NtlmAuthenticationHandler.cs

mvlipka

Looking good, mostly style comments and naming conventions that I think we can improve on

src/CommonLib/OutputTypes/APIResult.cs

src/CommonLib/OutputTypes/NtlmSession.cs

src/CommonLib/ThirdParty/PSOpenAD/Authentication.cs

src/CommonLib/ThirdParty/PSOpenAD/SSPI.cs

src/CommonLib/Ntlm/LdapNative.cs

src/CommonLib/ThirdParty/PSOpenAD/SSPI.cs

src/CommonLib/LdapProducerQueryGenerator.cs

rvazarkar · 2025-01-08T15:32:50Z

recheck

# Conflicts: # src/CommonLib/LdapConnectionPool.cs

src/CommonLib/LdapUtils.cs

definitelynotagoblin · 2025-02-06T21:44:26Z

src/CommonLib/Ntlm/HttpNtlmAuthenticationService.cs

+            throw new ArgumentException("Url property is null");
+
+        if (useBadChannelBindings == null && url.Scheme == "https")
+            throw new ArgumentException("When using HTTPS, useBadChannelBindings must be set");


Nitpicking, but trinary args like this tend to create some funky logic flows that can be hard to follow if you're smooth-brained like I am.
Here I think we're taking on some complexity by managing arg validations that the callers could be doing instead.

I might split this into two functions for clarity: the public function that does everything up to this point, then a private EnsureRequiresAuth(Uri url, bool useBadChannelBindings) that this one calls, feeding the appropriate coerced useBadChannelBindings:

EnsureRequiresAuth(url, useBadChannelBindings ?? true);

definitelynotagoblin · 2025-02-06T21:45:54Z

src/CommonLib/Ntlm/HttpNtlmAuthenticationService.cs

+        return schemes;
+    }
+
+    private async Task AuthWithBadChannelBindings(Uri url, string authScheme) {


Could use "-Async" suffix

src/CommonLib/OutputTypes/APIResult/APIResult.cs

definitelynotagoblin · 2025-02-06T22:14:25Z

src/CommonLib/OutputTypes/APIResult/AceRegistryAPIResult.cs

@@ -2,7 +2,7 @@

 namespace SharpHoundCommonLib.OutputTypes
 {
-    public class AceRegistryAPIResult : APIResult
+    public class AceRegistryAPIResult : APIResult.APIResult


Prefer the namespace and class had different names but not a blocker

definitelynotagoblin · 2025-02-06T22:17:33Z

src/CommonLib/OutputTypes/Computer.cs

-        public TypedPrincipal[] AllowedToAct { get; set; } = Array.Empty<TypedPrincipal>();
-        public TypedPrincipal[] HasSIDHistory { get; set; } = Array.Empty<TypedPrincipal>();
-        public TypedPrincipal[] DumpSMSAPassword { get; set; } = Array.Empty<TypedPrincipal>();
+        public TypedPrincipal[] AllowedToDelegate { get; set; } = [];


This syntax may not compile with older dotnet sdks

Looks like this syntax feature isn't available til dotnet 8
Feature 'collection expressions' is not available in C# 11.0. Please use language version 12.0 or greater.

Thanks dotnet fiddle

definitelynotagoblin

https://github.com/SpecterOps/SharpHoundCommon/pull/177/files#r1945552460

rvazarkar added 2 commits December 9, 2024 10:41

feat: initial NTLM commit

076f41d

chore: code formatter

9a5eb07