Large-volume SMB brute force:
Detailed log:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-07-28T03:07:32.3129542Z" />
<EventRecordID>351668</EventRecordID>
<Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
<Execution ProcessID="1020" ThreadID="564" />
<Channel>Security</Channel>
<Computer>DESKTOP-UKRDUMC</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">admin</Data>
<Data Name="TargetDomainName">DESKTOP-PTV6LGO</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">172.16.111.120</Data>
<Data Name="IpPort">51304</Data>
</EventData>
</Event>
https://docs.microsoft.com/zh-cn/windows/security/threat-protection/auditing/event-4625
<Data Name="SubStatus">0xc0000064</Data>
Meaning:
0xC0000064 | User logon with a misspelled or bad user account |
<Data Name="Status">0xc000006d</Data>
0xC000006D | Seems to be due to a system problem and insecurity. |
<Data Name="AuthenticationPackageName">NTLM</Data>
Look at the packet capture:
You can see it is port 445! Port 445, the SMB2 protocol!
Then I tried an RDP brute force to see the differences:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-07-28T03:27:52.0182105Z" />
<EventRecordID>351826</EventRecordID>
<Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
<Execution ProcessID="1020" ThreadID="6408" />
<Channel>Security</Channel>
<Computer>DESKTOP-UKRDUMC</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">tj</Data>
<Data Name="TargetDomainName" />
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">172.16.111.120</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
You can see this one is a wrong password:
0xC000006A | User logon with a misspelled or bad password |
The SMB one was a wrong username!
But both are NTLM, so RDP and SMB brute force cannot be distinguished by AuthenticationPackageName.
Look at the packet capture:
Because the source port is 0, the event cannot be correlated precisely with the capture.
Logon type 3 is a remote network logon in both cases.
Table 11: Windows Logon Types
| Logon Type | Logon Title | Description |
|---|---|---|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
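As an added example (not code from the original post), the following Python parses exported 4625 events into the fields discussed above (SubStatus meaning, LogonType, AuthenticationPackageName, IpPort) and flags source IPs with a burst of network-logon failures. The sample events are constructed to mirror the page's SMB case (bad username, real source port) and RDP case (bad password, IpPort 0); the 5-failures-per-minute threshold is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SUBSTATUS = {0xC0000064: "bad username", 0xC000006A: "bad password"}  # codes cited on the page
def parse_4625(xml_text):
    """Extract the brute-force triage fields from one exported 4625 event (None if not 4625)."""
    root = ET.fromstring(xml_text)
    if root.find("e:System/e:EventID", NS).text != "4625":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    ts = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    sub = int(data["SubStatus"], 16)
    return {
        "time": datetime.strptime(ts[:26], "%Y-%m-%dT%H:%M:%S.%f"),  # cut 7-digit fraction to 6
        "user": data["TargetUserName"], "ip": data["IpAddress"],
        "logon_type": int(data["LogonType"]), "auth_pkg": data["AuthenticationPackageName"],
        "reason": SUBSTATUS.get(sub, hex(sub)),
        # IpPort 0 (the page's RDP events) means the failure cannot be matched to a pcap flow
        "port_correlatable": int(data["IpPort"]) != 0,
    }
def find_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """{source_ip: peak count} for sources with >= threshold LogonType-3 failures inside one window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev and ev["logon_type"] == 3:  # network logon, as in every event on the page
            by_ip[ev["ip"]].append(ev["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
def make_event(ts, user, substatus, ip, port):  # constructed event with only the fields parse_4625 reads
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID><TimeCreated SystemTime="{ts}"/>'
            f'</System><EventData><Data Name="TargetUserName">{user}</Data><Data Name="SubStatus">{substatus}'
            f'</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>'
            f'<Data Name="IpAddress">{ip}</Data><Data Name="IpPort">{port}</Data></EventData></Event>')
# Constructed sample (not a real capture): six bad-username failures in 6 s with real source ports
# (SMB-style), then one bad-password failure with IpPort 0 (RDP-style) from the same host 20 min later.
SAMPLE = [make_event(f"2022-07-28T03:07:{30 + i:02d}.0000000Z", "admin", "0xc0000064", "172.16.111.120", 51300 + i)
          for i in range(6)]
SAMPLE.append(make_event("2022-07-28T03:27:52.0182105Z", "tj", "0xc000006a", "172.16.111.120", 0))
PARSED = [parse_4625(x) for x in SAMPLE]
BURSTS = find_bursts(PARSED)  # {'172.16.111.120': 6}
```

Both sample sources share NTLM and LogonType 3, so the burst count and the SubStatus reason are what separate the two cases, and only the SMB-style events can be tied back to a capture by port.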
Note: my brute force was run inside the LAN.
NTLM is short for NT LAN Manager, which also indicates the protocol's origin. NTLM refers to an authentication method used by telnet, namely a challenge/response authentication protocol; it was the standard security protocol of early Windows NT versions, and Windows 2000 supports NTLM to preserve backward compatibility. It is one of the three basic security protocols built into Windows 2000.
But in practice, remote RDP brute force is also NTLM:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-07-28T03:54:10.2403785Z" />
<EventRecordID>351961</EventRecordID>
<Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
<Execution ProcessID="1020" ThreadID="12228" />
<Channel>Security</Channel>
<Computer>DESKTOP-UKRDUMC</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">tj</Data>
<Data Name="TargetDomainName" />
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">172.16.111.120</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
When brute-forcing SMB over the public internet, it kept reporting that the network was unreachable:
hydra.exe -l xxx -P password.txt -vV smb://1xxxxxx
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-07-28 12:01:43
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 108 login tries (l:1/p:108), ~108 tries per task
[DATA] attacking smb://1xxxxxxx:445/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
Process 823: Can not connect [unreachable], retrying (1 of 1 retries)
Process 823: Can not connect [unreachable]
[ERROR] could not connect to target smb://1xxxxxx:445/
References:
SMB configuration https://zhuanlan.zhihu.com/p/110788184
Hydra usage
Tags: 0x0, rdp, brute force, NTLM, DESKTOP, user, credentials, smb From: https://blog.51cto.com/u_11908275/6941827