NTLM Unit Tests (#194)

ktstrader · web-flow · commit 26001a33e0b5 · 2025-04-11T12:19:07.000-07:00
* chore: add unit tests for NTLM

* chore: add unit tests for NTLM

* chore: fix SmbProcessorTest.cs

* chore: using internal instead of public
diff --git a/src/CommonLib/Ntlm/HttpNtlmAuthenticationService.cs b/src/CommonLib/Ntlm/HttpNtlmAuthenticationService.cs
@@ -57,7 +57,7 @@ private async Task<string[]> GetSupportedNtlmAuthSchemesAsync(Uri url) {
         return ExtractAuthSchemes(getResponse);
     }
 
-    private string[] ExtractAuthSchemes(HttpResponseMessage response) {
+    internal string[] ExtractAuthSchemes(HttpResponseMessage response) {
         if (response.StatusCode == HttpStatusCode.OK) {
             throw new AuthNotRequiredException(
                 "Authorization was not solicited when enumerating Authentication schemes");
diff --git a/src/CommonLib/Processors/CAEnrollmentProcessor.cs b/src/CommonLib/Processors/CAEnrollmentProcessor.cs
@@ -107,7 +107,7 @@ private async Task<IEnumerable<APIResult<CAEnrollmentEndpoint>>>
             return endpoints;
         }
 
-        private (Uri httpUrl, Uri httpsUrl) BuildEnrollmentUrls(CAEnrollmentEndpointType type) {
+        internal (Uri httpUrl, Uri httpsUrl) BuildEnrollmentUrls(CAEnrollmentEndpointType type) {
             switch (type) {
                 case CAEnrollmentEndpointType.WebEnrollmentApplication:
                     return (new Uri($"http://{_caDnsHostname}/certsrv/"),
diff --git a/src/CommonLib/Processors/DCLdapProcessor.cs b/src/CommonLib/Processors/DCLdapProcessor.cs
@@ -125,7 +125,7 @@ public virtual async Task<bool> TestLdapsPort() {
         return await _scanner.CheckPort(_ldapSslEndpoint.Host, _ldapSslEndpoint.Port, _portScanTimeout);
     }
 
-    public virtual async Task<SharpHoundRPC.Result<bool>> CheckIsNtlmSigningRequired() {
+    public async Task<SharpHoundRPC.Result<bool>> CheckIsNtlmSigningRequired() {
         try {
             var options = new LdapAuthOptions() {
                 Signing = false
@@ -147,7 +147,7 @@ public virtual async Task<bool> TestLdapsPort() {
     // 3) Correct bindings to ensure NTLM auth is enabled
     // However, as of right now we only do #2. We can't do #1 right now since the
     // Window's SSPI APIs (InitSecurityContext) always add channel bindings.
-    public virtual async Task<SharpHoundRPC.Result<bool>> CheckIsChannelBindingDisabled() {
+    public async Task<SharpHoundRPC.Result<bool>> CheckIsChannelBindingDisabled() {
         try {
             // 1) Can we connect with *invalid* bindings
 
@@ -171,7 +171,7 @@ public virtual async Task<bool> TestLdapsPort() {
     /// <param name="endpoint"></param>
     /// <param name="options"></param>
     /// <returns></returns>
-    private async Task<bool> Authenticate(Uri endpoint, LdapAuthOptions options) {
+    protected internal virtual async Task<bool> Authenticate(Uri endpoint, LdapAuthOptions options) {
         var host = endpoint.Host;
         var auth = new NtlmAuthenticationHandler($"LDAP/{host.ToUpper()}") {
             Options = options
diff --git a/test/unit/CAEnrollmentProcessorTest.cs b/test/unit/CAEnrollmentProcessorTest.cs
@@ -0,0 +1,59 @@
+﻿using System;
+using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
+using System.Linq;
+using System.Net;
+using System.Net.Sockets;
+using System.Threading;
+using System.Threading.Tasks;
+using Moq;
+using SharpHoundCommonLib;
+using SharpHoundCommonLib.OutputTypes;
+using SharpHoundCommonLib.Processors;
+using SharpHoundRPC;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace CommonLibTest {
+    [SuppressMessage("Interoperability", "CA1416:Validate platform compatibility")]
+    public class CAEnrollmentProcessorTest : IDisposable {
+
+        private readonly ITestOutputHelper _testOutputHelper;
+
+        public CAEnrollmentProcessorTest(ITestOutputHelper testOutputHelper) {
+            _testOutputHelper = testOutputHelper;
+        }
+
+        public void Dispose() {
+        }
+    
+        // TODO: Has error "The requested security protocol is not supported
+        // [Theory]
+        // [MemberData(nameof(BuildEnrollmentUrlsData))]
+        // public async Task CAEnrollmentProcessor_BuildEnrollmentUrls(CAEnrollmentEndpointType type, Uri expectedhttpUrl, Uri expectedhttpsUrl)
+        // {
+        //     var processor = new CAEnrollmentProcessor("primary.testlab.local", "primary-dc-ca");
+        //     (Uri httpUrl, Uri httpsUrl) = processor.BuildEnrollmentUrls(type);
+        //
+        //     Assert.Equal(httpUrl, expectedhttpUrl);
+        //     Assert.Equal(httpsUrl, expectedhttpsUrl);
+        // }
+        //
+        // public static IEnumerable<object[]> BuildEnrollmentUrlsData =>
+        //     new List<object[]>
+        //     {
+        //         new object[]
+        //         {
+        //             CAEnrollmentEndpointType.WebEnrollmentApplication,
+        //             new Uri("http://primary.testlab.local/certsrv/"),
+        //             new Uri("https://primary.testlab.local/certsrv/")
+        //         },
+        //         new object[]
+        //         {
+        //             CAEnrollmentEndpointType.EnrollmentWebService,
+        //             new Uri("http://primary.testlab.local/primary-dc-ca_CES_Kerberos/service.svc"),
+        //             new Uri("https://primary.testlab.local/primary-dc-ca_CES_Kerberos/service.svc")
+        //         }
+        //     };
+    }
+}
diff --git a/test/unit/DCLdapProcessorTest.cs b/test/unit/DCLdapProcessorTest.cs
@@ -1,6 +1,7 @@
 ﻿using System;
 using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
+using System.Runtime.CompilerServices;
 using System.Threading.Tasks;
 using Moq;
 using SharpHoundCommonLib;
@@ -21,19 +22,70 @@ public DCLdapProcessorTest(ITestOutputHelper testOutputHelper) {
 
         public void Dispose() {
         }
+        
+        [Fact]
+        public async Task DCLdapProcessor_Scan() {
+            var mockProcessor = new Mock<DCLdapProcessor>(It.IsAny<int>(), "primary.testlab.local", null);
+            
+            mockProcessor.Setup(x => x.Authenticate(It.IsAny<Uri>(), It.IsAny<LdapAuthOptions>())).ReturnsAsync(false);
+
+            mockProcessor.Setup(x => x.TestLdapPort()).ReturnsAsync(true);
+            mockProcessor.Setup(x => x.TestLdapsPort()).ReturnsAsync(true);
+            
+            var processor = mockProcessor.Object;
+            var receivedStatus = new List<CSVComputerStatus>();
+            processor.ComputerStatusEvent += async status =>  {
+                receivedStatus.Add(status);
+            };
+            var results = await processor.Scan("primary.testlab.local", TimeSpan.FromMinutes(2));
+
+            Assert.Equal(2, receivedStatus.Count);
+            var status = receivedStatus[0];
+            Assert.Equal(CSVComputerStatus.StatusSuccess, status.Status);
+            status = receivedStatus[1];
+            Assert.Equal(CSVComputerStatus.StatusSuccess, status.Status);
+            Assert.True(results.HasLdap);
+            Assert.True(results.HasLdaps);
+            Assert.True(results.IsSigningRequired.Result);
+            Assert.False(results.IsChannelBindingDisabled.Result);
+        }
+        
+        [Fact]
+        public async Task DCLdapProcessor_Scan_Failed() {
+            var mockProcessor = new Mock<DCLdapProcessor>(It.IsAny<int>(), "primary.testlab.local", null);
+            
+            mockProcessor.Setup(x => x.Authenticate(It.IsAny<Uri>(), It.IsAny<LdapAuthOptions>())).Throws(new Exception("Error"));
+
+            mockProcessor.Setup(x => x.TestLdapPort()).ReturnsAsync(true);
+            mockProcessor.Setup(x => x.TestLdapsPort()).ReturnsAsync(true);
+            
+            var processor = mockProcessor.Object;
+            var receivedStatus = new List<CSVComputerStatus>();
+            processor.ComputerStatusEvent += async status =>  {
+                receivedStatus.Add(status);
+            };
+            var results = await processor.Scan("primary.testlab.local", TimeSpan.FromMinutes(2));
+
+            Assert.Equal(2, receivedStatus.Count);
+            var status = receivedStatus[0];
+            Assert.Contains("CheckIsNtlmSigningRequired failed: System.Exception: Error", status.Status);
+            status = receivedStatus[1];
+            Assert.Contains("CheckIsNtlmSigningRequired failed: System.Exception: Error", status.Status);
+            Assert.True(results.HasLdap);
+            Assert.True(results.HasLdaps);
+            Assert.False(results.IsSigningRequired.Result);
+            Assert.False(results.IsChannelBindingDisabled.Result);
+            Assert.False(results.IsSigningRequired.Collected);
+            Assert.False(results.IsChannelBindingDisabled.Collected);
+        }
     
         [Fact]
         public async Task DCLdapProcessor_CheckScan_Timeout() {
             var mockProcessor = new Mock<DCLdapProcessor>(2, "primary.testlab.local", null);
             
-            mockProcessor.Setup(x => x.CheckIsNtlmSigningRequired()).ReturnsAsync(() => {
+            mockProcessor.Setup(x => x.Authenticate(It.IsAny<Uri>(), It.IsAny<LdapAuthOptions>())).ReturnsAsync(() => {
                 Task.Delay(100).Wait();
-                return NtStatus.StatusAccessDenied;
-            });
-            
-            mockProcessor.Setup(x => x.CheckIsChannelBindingDisabled()).ReturnsAsync(() => {
-                Task.Delay(100).Wait();
-                return NtStatus.StatusAccessDenied;
+                return false;
             });
 
             mockProcessor.Setup(x => x.TestLdapPort()).ReturnsAsync(true);
@@ -51,7 +103,30 @@ public async Task DCLdapProcessor_CheckScan_Timeout() {
             Assert.Equal("Timeout", status.Status);
             status = receivedStatus[1];
             Assert.Equal("Timeout", status.Status);
+            Assert.Equal("Timeout",results.IsSigningRequired.FailureReason);
+            Assert.Equal("Timeout",results.IsChannelBindingDisabled.FailureReason);
+        }
+
+        [Fact]
+        public async Task DCLdapProcessor_CheckIsNtlmSigningRequired()
+        {
+            var mockProcessor = new Mock<DCLdapProcessor>(It.IsAny<int>(), "primary.testlab.local", null);
+            mockProcessor.Setup(x => x.Authenticate(It.IsAny<Uri>(), It.IsAny<LdapAuthOptions>())).ReturnsAsync(false);
+            var processor = mockProcessor.Object;
+            var result = await processor.CheckIsNtlmSigningRequired();
+            Assert.True(result.IsSuccess);
+            Assert.True(result.Value);
+        }
+
+        [Fact]
+        public async Task DCLdapProcessor_CheckIsNtlmSigningRequired_Exception()
+        {
+            var mockProcessor = new Mock<DCLdapProcessor>(It.IsAny<int>(), "primary.testlab.local", null);
+            mockProcessor.Setup(x => x.Authenticate(It.IsAny<Uri>(), It.IsAny<LdapAuthOptions>())).Throws(new Exception("Error"));
+            var processor = mockProcessor.Object;
+            var result = await processor.CheckIsNtlmSigningRequired();
+            Assert.True(result.IsFailed);
+            Assert.Contains("CheckIsNtlmSigningRequired failed: System.Exception: Error", result.Error);
         }
-        
     }
 }
diff --git a/test/unit/HttpNtlmAuthenticationServiceTest.cs b/test/unit/HttpNtlmAuthenticationServiceTest.cs
@@ -0,0 +1,93 @@
+﻿using System;
+using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
+using System.Net;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Net.Sockets;
+using System.Threading;
+using System.Threading.Tasks;
+using Moq;
+using SharpHoundCommonLib;
+using SharpHoundCommonLib.Ntlm;
+using SharpHoundCommonLib.OutputTypes;
+using SharpHoundCommonLib.Processors;
+using SharpHoundRPC;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace CommonLibTest {
+    [SuppressMessage("Interoperability", "CA1416:Validate platform compatibility")]
+    public class HttpNtlmAuthenticationServiceTest : IDisposable {
+
+        private readonly ITestOutputHelper _testOutputHelper;
+
+        public HttpNtlmAuthenticationServiceTest(ITestOutputHelper testOutputHelper) {
+            _testOutputHelper = testOutputHelper;
+        }
+
+        public void Dispose() {
+        }
+    
+        [Fact]
+        public async Task HttpNtlmAuthenticationService_ExtractAuthSchemes_AuthNotRequiredException()
+        {
+            var service = new HttpNtlmAuthenticationService(new HttpClientFactory(), null);
+            var httpResponseMessage = new HttpResponseMessage
+            {
+                StatusCode = HttpStatusCode.OK,
+            };
+
+            var ex = Assert.Throws<AuthNotRequiredException>(() => service.ExtractAuthSchemes(httpResponseMessage));
+
+            Assert.Equal(ex.Message, "Authorization was not solicited when enumerating Authentication schemes");
+        }
+        
+        [Fact]
+        public async Task HttpNtlmAuthenticationService_ExtractAuthSchemes_HttpForbiddenException()
+        {
+            var service = new HttpNtlmAuthenticationService(new HttpClientFactory(), null);
+            var httpResponseMessage = new HttpResponseMessage
+            {
+                StatusCode = HttpStatusCode.Forbidden,
+            };
+
+            var ex = Assert.Throws<HttpForbiddenException>(() => service.ExtractAuthSchemes(httpResponseMessage));
+
+            Assert.Equal(ex.Message, "Forbidden when enumerating Auth schemes");
+        }
+        
+        [Fact]
+        public async Task HttpNtlmAuthenticationService_ExtractAuthSchemes_HttpServerErrorException()
+        {
+            var service = new HttpNtlmAuthenticationService(new HttpClientFactory(), null);
+            var httpResponseMessage = new HttpResponseMessage
+            {
+                StatusCode = HttpStatusCode.InternalServerError,
+            };
+
+            var ex = Assert.Throws<HttpServerErrorException>(() => service.ExtractAuthSchemes(httpResponseMessage));
+
+            Assert.Equal(ex.Message, "Server Error when enumerating Auth schemes");
+        }
+        
+        [Fact]
+        public async Task HttpNtlmAuthenticationService_ExtractAuthSchemes_Success()
+        {
+            var service = new HttpNtlmAuthenticationService(new HttpClientFactory(), null);
+            var httpResponseMessage = new HttpResponseMessage();
+            httpResponseMessage.StatusCode = HttpStatusCode.Accepted;
+            httpResponseMessage.Headers.WwwAuthenticate.Add(
+                new AuthenticationHeaderValue("NTLM", "realm=localhost"));
+            httpResponseMessage.Headers.WwwAuthenticate.Add(
+                new AuthenticationHeaderValue("Negotiate", "realm=localhost"));
+            httpResponseMessage.Headers.WwwAuthenticate.Add(
+                new AuthenticationHeaderValue("Basic", "realm=localhost"));
+
+            var result = service.ExtractAuthSchemes(httpResponseMessage);
+
+            Assert.Equal(result[0], "NTLM");
+            Assert.Equal(result[1], "Negotiate");
+        }
+    }
+}
diff --git a/test/unit/SmbProcessorTest.cs b/test/unit/SmbProcessorTest.cs
@@ -25,7 +25,7 @@ public void Dispose() {
     
         [Fact]
         public async Task SmbProcessor_TestTimeout() {
-
+            
             var mockSmbScanner = new Mock<ISmbScanner>();
             mockSmbScanner
                 .Setup(x => x.ScanHost(It.IsAny<string>(), It.IsAny<int>()))
@@ -34,7 +34,6 @@ public async Task SmbProcessor_TestTimeout() {
                     return NtStatus.StatusAccessDenied;
                 });
 
-
             var mockProcessor = new SmbProcessor(2, mockSmbScanner.Object);
             var receivedStatus = new List<CSVComputerStatus>();
             mockProcessor.ComputerStatusEvent += async status => receivedStatus.Add(status);
diff --git a/test/unit/WebClientServiceProcessorTest.cs b/test/unit/WebClientServiceProcessorTest.cs
@@ -0,0 +1,41 @@
+﻿using System;
+using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
+using System.IO;
+using System.Net.Sockets;
+using System.Threading;
+using System.Threading.Tasks;
+using Moq;
+using SharpHoundCommonLib;
+using SharpHoundCommonLib.OutputTypes;
+using SharpHoundCommonLib.Processors;
+using SharpHoundRPC;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace CommonLibTest {
+    [SuppressMessage("Interoperability", "CA1416:Validate platform compatibility")]
+    public class WebClientServiceProcessorTest : IDisposable {
+
+        private readonly ITestOutputHelper _testOutputHelper;
+
+        public WebClientServiceProcessorTest(ITestOutputHelper testOutputHelper) {
+            _testOutputHelper = testOutputHelper;
+        }
+
+        public void Dispose() {
+        }
+    
+        [Fact]
+        public async Task WebClientServiceProcessorTest_TestPathExists()
+        {
+            var processor = new WebClientServiceProcessor();
+            
+            var result = await processor.IsWebClientRunning("primary.testlab.local");
+            
+            Assert.True(result.Collected);
+            Assert.False(result.Result);
+        }
+        
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ private async Task<string[]> GetSupportedNtlmAuthSchemesAsync(Uri url) {`
`57`	`57`	`return ExtractAuthSchemes(getResponse);`
`58`	`58`	`}`
`59`	`59`
`60`		`- private string[] ExtractAuthSchemes(HttpResponseMessage response) {`
	`60`	`+ internal string[] ExtractAuthSchemes(HttpResponseMessage response) {`
`61`	`61`	`if (response.StatusCode == HttpStatusCode.OK) {`
`62`	`62`	`throw new AuthNotRequiredException(`
`63`	`63`	`"Authorization was not solicited when enumerating Authentication schemes");`
Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ private async Task<IEnumerable<APIResult<CAEnrollmentEndpoint>>>`
`107`	`107`	`return endpoints;`
`108`	`108`	`}`
`109`	`109`
`110`		`- private (Uri httpUrl, Uri httpsUrl) BuildEnrollmentUrls(CAEnrollmentEndpointType type) {`
	`110`	`+ internal (Uri httpUrl, Uri httpsUrl) BuildEnrollmentUrls(CAEnrollmentEndpointType type) {`
`111`	`111`	`switch (type) {`
`112`	`112`	`case CAEnrollmentEndpointType.WebEnrollmentApplication:`
`113`	`113`	`return (new Uri($"http://{_caDnsHostname}/certsrv/"),`