
Analysis of the differences between SMB and RDP brute-force attempts

Date: 2023-08-02 19:35:07

 

A mass SMB brute-force run:

[screenshot]

 

 

Detailed log:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2022-07-28T03:07:32.3129542Z" />
    <EventRecordID>351668</EventRecordID>
    <Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
    <Execution ProcessID="1020" ThreadID="564" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-UKRDUMC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">admin</Data>
    <Data Name="TargetDomainName">DESKTOP-PTV6LGO</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">172.16.111.120</Data>
    <Data Name="IpPort">51304</Data>
  </EventData>
</Event>
 
Reference: https://docs.microsoft.com/zh-cn/windows/security/threat-protection/auditing/event-4625

  <Data Name="SubStatus">0xc0000064</Data>

Meaning:

0xC0000064

User logon with a misspelled or bad user account

  <Data Name="Status">0xc000006d</Data>

0xC000006D

Appears to be due to a system problem and insecurity.

 

 

 

  <Data Name="AuthenticationPackageName">NTLM</Data>

Let's look at the packet capture:

[screenshot]

We can see it is port 445!!! Port 445 of the SMB2 protocol!!!

 

 

 

Then I tried an RDP brute force to see where it differs:

[screenshot]

 

 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2022-07-28T03:27:52.0182105Z" />
    <EventRecordID>351826</EventRecordID>
    <Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
    <Execution ProcessID="1020" ThreadID="6408" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-UKRDUMC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">tj</Data>
    <Data Name="TargetDomainName" />
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">172.16.111.120</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>

 

We can see the password is wrong:

0xC000006A

User logon with a misspelled or bad password

The SMB one was a wrong user name!

But both are NTLM, so AuthenticationPackageName cannot tell RDP brute force apart from SMB brute force.

Look at the capture:

[screenshot]

Because the source port (IpPort) in the RDP event is 0, the event cannot be accurately correlated with the capture.

Logon type 3 is the remote network logon type in both cases.

Table 11: Windows Logon Types

| Logon Type | Logon Title | Description |
|---|---|---|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
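Added example, not code from the original post: a small Python parser that reads 4625 records like the ones above and applies the reading this analysis arrives at. The reason for the failure lives in SubStatus (0xC0000064 is STATUS_NO_SUCH_USER, 0xC000006A is STATUS_WRONG_PASSWORD) while Status is the generic STATUS_LOGON_FAILURE 0xC000006D; AuthenticationPackageName (NTLM) and LogonType (3) are identical for the SMB and RDP attempts, so neither field separates them; and an IpPort of 0 leaves only the source address to match against a capture. It goes slightly beyond the post by aggregating failures per source address, which is how a defender would spot the spray rather than read one record at a time. The three sample records are constructed to mirror the post's events (same host names, user names, address and codes; the record fields not shown in the post are omitted), and the NTSTATUS names are the standard ones.

```python
"""Decode Windows Security event 4625 records and summarise failed logons per source.
Added example, not from the original post; the sample records below are constructed."""
from collections import Counter, defaultdict
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values seen in the Status/SubStatus fields of event 4625. Status is
# normally the generic STATUS_LOGON_FAILURE; SubStatus carries the real reason.
STATUS_MEANING = {
    0xC000006D: "STATUS_LOGON_FAILURE: bad user name or authentication information",
    0xC0000064: "STATUS_NO_SUCH_USER: user name does not exist (misspelled or bad account)",
    0xC000006A: "STATUS_WRONG_PASSWORD: user name exists but the password is wrong",
}

def parse_4625(xml_text: str) -> dict:
    """Flatten one 4625 record; hex fields such as "0xc0000064" become ints."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    if event_id != 4625:
        raise ValueError(f"not a 4625 record: EventID={event_id}")
    f = {d.get("Name"): (d.text or "").strip() for d in root.find("e:EventData", NS)}
    return {
        "user": f.get("TargetUserName", ""),
        "status": int(f.get("Status", "0"), 16),
        "substatus": int(f.get("SubStatus", "0"), 16),
        "logon_type": int(f.get("LogonType", "0")),
        "auth_package": f.get("AuthenticationPackageName", ""),
        "ip": f.get("IpAddress", ""),
        "port": int(f.get("IpPort", "0")),
    }

def classify(ev: dict) -> dict:
    """Explain one failure and say whether it can be matched to a capture by port."""
    return {
        "ip": ev["ip"],
        "user": ev["user"],
        "reason": STATUS_MEANING.get(ev["substatus"], f"unknown SubStatus 0x{ev['substatus']:08X}"),
        # LogonType 3 and AuthenticationPackageName NTLM hold for both the SMB and
        # the RDP attempts in the post, so neither field separates the two.
        "network_logon": ev["logon_type"] == 3,
        "ntlm": ev["auth_package"].upper() == "NTLM",
        # IpPort 0 (the RDP records) leaves only the address for correlation.
        "port_correlatable": ev["port"] != 0,
    }

def summarize(records: list) -> dict:
    """Per source address: failure count, counts per SubStatus, user names tried."""
    per_source = defaultdict(lambda: {"failures": 0, "by_substatus": Counter(),
                                      "users": set(), "ports_missing": 0})
    for xml_text in records:
        ev = parse_4625(xml_text)
        s = per_source[ev["ip"]]
        s["failures"] += 1
        s["by_substatus"][f"0x{ev['substatus']:08X}"] += 1
        s["users"].add(ev["user"])
        s["ports_missing"] += int(ev["port"] == 0)
    return dict(per_source)

def _sample(record_id: int, user: str, substatus: str, port: int, when: str) -> str:
    """Constructed 4625 record shaped like the ones in the post (not a real export)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="{when}" />
    <EventRecordID>{record_id}</EventRecordID>
    <Computer>DESKTOP-UKRDUMC</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">{substatus}</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
    <Data Name="IpAddress">172.16.111.120</Data>
    <Data Name="IpPort">{port}</Data>
  </EventData>
</Event>"""

SAMPLE_RECORDS = [
    _sample(351668, "admin", "0xc0000064", 51304, "2022-07-28T03:07:32Z"),  # SMB: no such user
    _sample(351826, "tj", "0xc000006a", 0, "2022-07-28T03:27:52Z"),         # RDP: wrong password
    _sample(351961, "tj", "0xc000006a", 0, "2022-07-28T03:54:10Z"),         # RDP again
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        c = classify(parse_4625(rec))
        print(f"{c['ip']} user={c['user']} ntlm={c['ntlm']} type3={c['network_logon']} "
              f"port_correlatable={c['port_correlatable']} :: {c['reason']}")
    for ip, s in summarize(SAMPLE_RECORDS).items():
        print(ip, s["failures"], "failures", dict(s["by_substatus"]),
              sorted(s["users"]), "records without a source port:", s["ports_missing"])
```

Run against a real export (Event Viewer's "Save as XML" or `wevtutil qe Security /q:"*[System[EventID=4625]]" /f:xml`), the per-source summary separates a user-name spray (many distinct users, SubStatus 0xC0000064) from a password spray against known accounts (few users, 0xC000006A), which is the distinction the two events on this page illustrate.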



Note: my brute force was run inside the LAN.

NTLM is short for NT LAN Manager, which also tells you where the protocol came from. NTLM refers to an authentication method used by telnet, a challenge/response authentication protocol; it was the standard security protocol of early Windows NT versions, and Windows 2000 supports NTLM to keep backward compatibility. It is one of the three basic security protocols built into Windows 2000.

But in practice, remote RDP brute force is also NTLM:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2022-07-28T03:54:10.2403785Z" />
    <EventRecordID>351961</EventRecordID>
    <Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
    <Execution ProcessID="1020" ThreadID="12228" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-UKRDUMC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">tj</Data>
    <Data Name="TargetDomainName" />
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">172.16.111.120</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>

Brute-forcing SMB from the public internet keeps reporting the network as unreachable:

hydra.exe -l xxx -P password.txt -vV smb://1xxxxxx
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-07-28 12:01:43
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 108 login tries (l:1/p:108), ~108 tries per task
[DATA] attacking smb://1xxxxxxx:445/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
Process 823: Can not connect [unreachable], retrying (1 of 1 retries)
Process 823: Can not connect [unreachable]
[ERROR] could not connect to target smb://1xxxxxx:445/

 

 

References:

SMB configuration https://zhuanlan.zhihu.com/p/110788184

Hydra usage

Source: https://blog.51cto.com/u_11908275/6941827

    smbclient交互方式访问samba服务器补充说明smbclient命令属于samba套件,它提供一种命令行使用交互式方式访问samba服务器的共享资源。语法smbclient(选项)(参数)选项-B<ip地址>:传送广播数据包时所用的IP地址;-d<排错层级>:指定记录文件所记载事件的详细程度;-E:将信息送到标......