ad-time 1.1.0

Active Directory time discovery protocols for red teams.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376

//! NTLM Type 2 Challenge time source — stealthy extraction over SMB TCP/445.
//!
//! Protocol Specifications:
//! - **MS-SMB2 §2.2.5**: SMB2 SESSION_SETUP Request
//! - **MS-SMB2 §2.2.6**: SMB2 SESSION_SETUP Response
//! - **MS-NLMP §2.2.1.1**: NTLMSSP_NEGOTIATE Message (Type 1)
//! - **MS-NLMP §2.2.1.2**: CHALLENGE_MESSAGE (Type 2)
//! - **MS-NLMP §2.2.2.1**: AV_PAIR Structure
//!
//! Sends an SMB2 NEGOTIATE, followed by an SMB2 SESSION_SETUP containing an NTLM Type 1
//! (Negotiate) message. The server responds with STATUS_MORE_PROCESSING_REQUIRED and an
//! NTLM Type 2 (Challenge) message. We extract the `MsvAvTimestamp` (AV_PAIR ID 7) from
//! the TargetInfo structure.
//!
//! This provides 100ns precision. Crucially, we disconnect immediately after receiving
//! the Type 2 challenge, without ever sending a Type 3 (Authenticate) message. Because
//! no credentials are submitted, the LSA does not log a logon attempt, preventing
//! Event IDs 4624/4625.

use std::io::{Read, Write};
use std::net::{SocketAddr, TcpStream};
use std::time::{Duration, Instant, SystemTime};

use super::common::{filetime_to_system_time, map_io_err, system_time_to_us};
use super::smb_common::build_negotiate_request;
use crate::time_src::{OffsetMicros, TimeSource, TimeSourceError};

pub struct NtlmSource;

impl TimeSource for NtlmSource {
    fn name(&self) -> &'static str {
        "ntlm"
    }

    fn fetch(
        &self,
        target: SocketAddr,
        timeout: Duration,
    ) -> Result<OffsetMicros, TimeSourceError> {
        let smb_addr: SocketAddr = (target.ip(), 445).into();
        fetch_ntlm(smb_addr, timeout)
    }
}

fn fetch_ntlm(addr: SocketAddr, timeout: Duration) -> Result<OffsetMicros, TimeSourceError> {
    let mut stream =
        TcpStream::connect_timeout(&addr, timeout).map_err(|e| map_io_err(e, "connect"))?;
    stream
        .set_read_timeout(Some(timeout))
        .map_err(|e| TimeSourceError::Protocol(e.to_string()))?;
    stream
        .set_write_timeout(Some(timeout))
        .map_err(|e| TimeSourceError::Protocol(e.to_string()))?;

    let t_send = Instant::now();
    let t_send_sys = SystemTime::now();

    // 1. Send SMB2 NEGOTIATE
    let negotiate_req = build_negotiate_request();
    stream
        .write_all(&negotiate_req)
        .map_err(|e| TimeSourceError::Protocol(e.to_string()))?;

    // Read NEGOTIATE response (ignore contents, we just need to consume it)
    let _neg_resp = read_smb_message(&mut stream)?;

    // 2. Send SMB2 SESSION_SETUP with NTLM Type 1
    let session_setup_req = build_session_setup_type1();
    stream
        .write_all(&session_setup_req)
        .map_err(|e| TimeSourceError::Protocol(e.to_string()))?;

    // Read SESSION_SETUP response (contains NTLM Type 2)
    let setup_resp = read_smb_message(&mut stream)?;

    // 3. IMPORTANT OPSEC: Disconnect immediately! Do not send Type 3.
    // This aborts the NTLM handshake before the DC's LSA validates credentials,
    // avoiding Event ID 4625 (Logon Failure).
    drop(stream);

    let rtt = t_send.elapsed();

    let server_time = parse_session_setup_response(&setup_resp)?;

    let t_mid_us = system_time_to_us(t_send_sys)? + (rtt.as_micros() as i64) / 2;
    let server_us = system_time_to_us(server_time)?;

    Ok(server_us - t_mid_us)
}

fn build_session_setup_type1() -> Vec<u8> {
    // Build NTLMSSP Type 1 (MS-NLMP §2.2.1.1)
    let mut ntlm = vec![];
    ntlm.extend_from_slice(b"NTLMSSP\0");
    ntlm.extend_from_slice(&1u32.to_le_bytes()); // MessageType = 1 (Negotiate)

    // NTLM Type 1 negotiate flags. Per MS-NLMP §2.2.2.5, all bits in this value
    // map to named flags; no MUST-BE-ZERO reserved bits are set:
    //   0x80000000 NEGOTIATE_56 | 0x40000000 NEGOTIATE_KEY_EXCH
    //   0x20000000 NEGOTIATE_128 | 0x02000000 NEGOTIATE_VERSION (requires Version field below)
    //   0x00800000 NEGOTIATE_TARGET_INFO | 0x00080000 NEGOTIATE_EXTENDED_SESSIONSECURITY
    //   0x00008000 NEGOTIATE_ALWAYS_SIGN | 0x00000200 NEGOTIATE_NTLM
    //   0x00000020 NEGOTIATE_SEAL | 0x00000010 NEGOTIATE_SIGN
    //   0x00000002 NEGOTIATE_OEM | 0x00000001 NEGOTIATE_UNICODE
    // This combination is plausible for Windows 10/11 based on flag analysis.
    // NOTE: the exact value sent by a real Windows client must be validated against
    // a live pcap — the MS-NLMP spec does not document a per-version flag constant.
    let flags: u32 = 0xE2888233;
    ntlm.extend_from_slice(&flags.to_le_bytes());

    // DomainNameFields: Len=0, MaxLen=0, BufferOffset=40 (size of fixed fields with Version)
    ntlm.extend_from_slice(&0u16.to_le_bytes());
    ntlm.extend_from_slice(&0u16.to_le_bytes());
    ntlm.extend_from_slice(&40u32.to_le_bytes());

    // WorkstationFields: Len=0, MaxLen=0, BufferOffset=40
    ntlm.extend_from_slice(&0u16.to_le_bytes());
    ntlm.extend_from_slice(&0u16.to_le_bytes());
    ntlm.extend_from_slice(&40u32.to_le_bytes());

    // Version (MS-NLMP §2.2.2.10):
    //   Major=0x0A (10), Minor=0x00 — CONFIRMED for Windows 10/11 per MS-NLMP Appendix B §33.
    //   Build=0x4A61 (19041, Win10 20H1) — a valid build; actual value varies per install.
    //   Reserved=0x000000, NTLMRevisionCurrent=0x0F — CONFIRMED: NTLMSSP_REVISION_W2K3
    //   is the sole defined value per MS-NLMP §2.2.2.10 and applies to all post-W2K3 Windows.
    // NOTE: ProductBuild should be validated; use any realistic Win10/11 build (18362–26100).
    ntlm.extend_from_slice(&[0x0A, 0x00, 0x61, 0x4A, 0x00, 0x00, 0x00, 0x0F]);

    let ntlm_len = ntlm.len();

    // SMB2 SESSION_SETUP body size is 24 + length of security buffer
    // But structure size field is always 25.
    let body_size = 24 + ntlm_len;
    let smb2_header_size = 64usize;
    let total = smb2_header_size + body_size;

    let mut pkt = vec![0u8; 4 + total];
    pkt[1] = ((total >> 16) & 0xFF) as u8;
    pkt[2] = ((total >> 8) & 0xFF) as u8;
    pkt[3] = (total & 0xFF) as u8;

    let h = &mut pkt[4..4 + smb2_header_size];
    h[0..4].copy_from_slice(b"\xfeSMB");
    h[4..6].copy_from_slice(&64u16.to_le_bytes());
    h[12..14].copy_from_slice(&1u16.to_le_bytes()); // SESSION_SETUP (0x0001)
    h[18..20].copy_from_slice(&1u16.to_le_bytes()); // CreditRequest
    h[28..36].copy_from_slice(&2u64.to_le_bytes()); // MessageId = 2

    let b = &mut pkt[4 + smb2_header_size..];
    b[0..2].copy_from_slice(&25u16.to_le_bytes()); // StructureSize = 25
    b[2] = 0; // Flags
    b[3] = 1; // SecurityMode
    b[4..8].copy_from_slice(&0x01u32.to_le_bytes()); // Capabilities: SMB2_GLOBAL_CAP_DFS only (MS-SMB2 §2.2.5; Windows always sends 0x01 in SESSION_SETUP)
    b[8..12].copy_from_slice(&0u32.to_le_bytes()); // Channel
    b[12..14].copy_from_slice(&88u16.to_le_bytes()); // SecurityBufferOffset = 64 + 24
    b[14..16].copy_from_slice(&(ntlm_len as u16).to_le_bytes()); // SecurityBufferLength
    b[16..24].copy_from_slice(&0u64.to_le_bytes()); // PreviousSessionId

    b[24..24 + ntlm_len].copy_from_slice(&ntlm);

    pkt
}

/// Parse SMB2 SESSION_SETUP_RESPONSE and extract NTLM Type 2 TargetInfo MsvAvTimestamp.
fn parse_session_setup_response(b: &[u8]) -> Result<SystemTime, TimeSourceError> {
    // Check SMB2 Header Status (offset 8)
    if b.len() < 64 {
        return Err(TimeSourceError::Parse("SMB2 response too short".into()));
    }
    let status = u32::from_le_bytes([b[8], b[9], b[10], b[11]]);
    if status != 0xC0000016 {
        // STATUS_MORE_PROCESSING_REQUIRED
        return Err(TimeSourceError::Protocol(format!(
            "Expected MORE_PROCESSING_REQUIRED, got 0x{:08X}",
            status
        )));
    }

    // SMB2 SESSION_SETUP_RESPONSE body starts at offset 64
    let body = &b[64..];
    if body.len() < 9 {
        return Err(TimeSourceError::Parse(
            "SMB2 SESSION_SETUP_RESPONSE body too short".into(),
        ));
    }

    let struct_size = u16::from_le_bytes([body[0], body[1]]);
    if struct_size != 9 {
        return Err(TimeSourceError::Protocol(
            "Unexpected SESSION_SETUP_RESPONSE structure size".into(),
        ));
    }

    let sec_offset = u16::from_le_bytes([body[4], body[5]]) as usize;
    let sec_len = u16::from_le_bytes([body[6], body[7]]) as usize;

    let sec_end = sec_offset
        .checked_add(sec_len)
        .ok_or_else(|| TimeSourceError::Parse("SecurityBuffer overflow".into()))?;
    if sec_offset < 64 || sec_end > b.len() {
        return Err(TimeSourceError::Parse(
            "SecurityBuffer out of bounds".into(),
        ));
    }

    let ntlm = &b[sec_offset..sec_end];
    parse_ntlm_type2(ntlm)
}

/// MS-NLMP §2.2.1.2 CHALLENGE_MESSAGE
fn parse_ntlm_type2(ntlm: &[u8]) -> Result<SystemTime, TimeSourceError> {
    if ntlm.len() < 48 {
        return Err(TimeSourceError::Parse(
            "NTLM Type 2 too short for TargetInfoFields".into(),
        ));
    }
    if &ntlm[0..8] != b"NTLMSSP\0" {
        return Err(TimeSourceError::Parse("Invalid NTLMSSP signature".into()));
    }
    let msg_type = u32::from_le_bytes([ntlm[8], ntlm[9], ntlm[10], ntlm[11]]);
    if msg_type != 2 {
        return Err(TimeSourceError::Parse(format!(
            "Expected NTLM Type 2, got {}",
            msg_type
        )));
    }

    // TargetInfoFields is at offset 40
    let target_info_len = u16::from_le_bytes([ntlm[40], ntlm[41]]) as usize;
    let target_info_offset = u32::from_le_bytes([ntlm[44], ntlm[45], ntlm[46], ntlm[47]]) as usize;

    let target_info_end = target_info_offset
        .checked_add(target_info_len)
        .ok_or_else(|| TimeSourceError::Parse("TargetInfo overflow".into()))?;
    if target_info_end > ntlm.len() {
        return Err(TimeSourceError::Parse(
            "TargetInfo out of bounds in NTLM".into(),
        ));
    }

    let target_info = &ntlm[target_info_offset..target_info_end];

    // MS-NLMP §2.2.2.1 AV_PAIR
    let mut pos: usize = 0;
    while let Some(end_check) = pos.checked_add(4) {
        if end_check > target_info.len() {
            break;
        }

        let av_id = u16::from_le_bytes([target_info[pos], target_info[pos + 1]]);
        let av_len = u16::from_le_bytes([target_info[pos + 2], target_info[pos + 3]]) as usize;
        pos += 4;

        let av_end = pos
            .checked_add(av_len)
            .ok_or_else(|| TimeSourceError::Parse("AV_PAIR overflow".into()))?;
        if av_end > target_info.len() {
            return Err(TimeSourceError::Parse(
                "AV_PAIR length out of bounds".into(),
            ));
        }

        if av_id == 7 {
            // MsvAvTimestamp
            if av_len != 8 {
                return Err(TimeSourceError::Parse(
                    "MsvAvTimestamp has invalid length".into(),
                ));
            }
            let filetime = u64::from_le_bytes([
                target_info[pos],
                target_info[pos + 1],
                target_info[pos + 2],
                target_info[pos + 3],
                target_info[pos + 4],
                target_info[pos + 5],
                target_info[pos + 6],
                target_info[pos + 7],
            ]);
            return filetime_to_system_time(filetime);
        } else if av_id == 0 {
            // MsvAvEOL
            break;
        }

        pos += av_len;
    }

    Err(TimeSourceError::Parse(
        "MsvAvTimestamp (AV_PAIR 7) not found in NTLM TargetInfo".into(),
    ))
}

fn read_smb_message(stream: &mut TcpStream) -> Result<Vec<u8>, TimeSourceError> {
    let mut nb_header = [0u8; 4];
    stream
        .read_exact(&mut nb_header)
        .map_err(|e| map_io_err(e, "read_header"))?;
    let msg_len = u32::from_be_bytes(nb_header) & 0x00FF_FFFF;
    if msg_len > 65536 {
        return Err(TimeSourceError::Protocol(format!(
            "SMB2 response too large: {}",
            msg_len
        )));
    }
    let mut body = vec![0u8; msg_len as usize];
    stream
        .read_exact(&mut body)
        .map_err(|e| map_io_err(e, "read_body"))?;
    Ok(body)
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::time::UNIX_EPOCH;

    #[test]
    fn build_session_setup_type1_has_correct_structure() {
        let req = build_session_setup_type1();
        // NetBIOS length
        assert_eq!(req[0], 0);
        let len = u32::from_be_bytes([0, req[1], req[2], req[3]]);
        assert_eq!(len as usize, req.len() - 4);

        // SMB2 Header
        assert_eq!(&req[4..8], b"\xfeSMB");
        // Command == 1
        assert_eq!(&req[16..18], &[1, 0]);

        // SecurityBufferOffset = 88
        assert_eq!(&req[80..82], &[88, 0]);
        // NTLMSSP
        assert_eq!(&req[92..100], b"NTLMSSP\0");
    }

    // Mocking a real NTLM Type 2 parsing requires a real packet structure.
    // For now, we verify the logic manually with synthetic data.
    #[test]
    fn parse_ntlm_type2_extracts_timestamp() {
        let mut ntlm = vec![0u8; 60];
        ntlm[0..8].copy_from_slice(b"NTLMSSP\0");
        ntlm[8..12].copy_from_slice(&2u32.to_le_bytes()); // Type 2

        // TargetInfoFields
        ntlm[40..42].copy_from_slice(&12u16.to_le_bytes()); // Len = 12
        ntlm[42..44].copy_from_slice(&12u16.to_le_bytes()); // MaxLen = 12
        ntlm[44..48].copy_from_slice(&48u32.to_le_bytes()); // Offset = 48

        // TargetInfoBuffer at 48: AvId 7, AvLen 8, Value = 133485408000000000 (2024-01-01)
        ntlm[48..50].copy_from_slice(&7u16.to_le_bytes());
        ntlm[50..52].copy_from_slice(&8u16.to_le_bytes());
        let ft: u64 = 133_485_408_000_000_000;
        ntlm[52..60].copy_from_slice(&ft.to_le_bytes());

        let st = parse_ntlm_type2(&ntlm).unwrap();
        let unix_secs = st.duration_since(UNIX_EPOCH).unwrap().as_secs();
        assert_eq!(unix_secs, 1_704_067_200);
    }

    use proptest::prelude::*;

    proptest! {
        #[test]
        fn parse_ntlm_type2_never_panics(data in proptest::collection::vec(any::<u8>(), 0..512)) {
            let _ = parse_ntlm_type2(&data);
        }
    }
}

#[cfg(feature = "fuzzing")]
pub fn fuzz_parse_ntlm_type2(
    data: &[u8],
) -> Result<std::time::SystemTime, crate::time_src::TimeSourceError> {
    parse_ntlm_type2(data)
}