{"id":1007,"date":"2024-03-15T20:27:20","date_gmt":"2024-03-15T12:27:20","guid":{"rendered":"http:\/\/www.ccwifi.cc\/blogs\/?p=1007"},"modified":"2024-03-15T20:27:20","modified_gmt":"2024-03-15T12:27:20","slug":"windows%e5%86%85%e7%bd%91%e5%8d%8f%e8%ae%ae%e5%ad%a6%e4%b9%a0ntlm%e7%af%87%e4%b9%8bnet-ntlm%e5%88%a9%e7%94%a8","status":"publish","type":"post","link":"https:\/\/www.ccwifi.cc\/blogs\/2024\/03\/15\/windows%e5%86%85%e7%bd%91%e5%8d%8f%e8%ae%ae%e5%ad%a6%e4%b9%a0ntlm%e7%af%87%e4%b9%8bnet-ntlm%e5%88%a9%e7%94%a8\/","title":{"rendered":"Windows\u5185\u7f51\u534f\u8bae\u5b66\u4e60NTLM\u7bc7\u4e4bNet-NTLM\u5229\u7528"},"content":{"rendered":"
\n

\u5728\u7ebfwifi\u8dd1\u5305 \u91d1\u521a\u5305\u8dd1\u5305 cap\u8dd1\u5305 hccapx ewsa\u5728\u7ebf \u5c31\u6765 \u63e1\u624b\u5305\u8dd1\u5305<\/a><\/strong><\/p>\n

\u5404\u4f4d\u597d \u53c8\u89c1\u9762\u4e86 \u6211\u662f\u66f9\u64cd \u4eca\u5929\u7ed9\u5927\u5bb6\u5e26\u6765\u4e00\u7bc7\u65b0\u7684\u6559\u7a0b<\/p>\n

\u5e0c\u671b\u5404\u4f4d\u7ec6\u5fc3\u5b66\u4e60 \u4f4e\u8c03\u7528\u7f51<\/p>\n<\/div>\n

\"hashcat\u6ca1\u6709\u6743\u9650\"\"hashcat\u6ca1\u6709\u6743\u9650\"\"hashcat\u6ca1\u6709\u6743\u9650\"<\/p>\n

\u539f\u6765\u7684NegoFlags\u503c\u4e3ax05x02x89xa2\uff0c\u73b0\u5728\u6539\u4e3ax05x02x81xa2\uff0c\u4ee5\u83b7\u53d6Net-NTLM v1\u3002\u7136\u540e\u4f7f\u7528ntlmv1-multi\u4e2d\u7684ntlmv1.py\u8fdb\u884c\u8f6c\u6362\u3002\u5f97\u5230\u7684Net-NTLM v1\u662fwin10::WIN10-1:F1586DA184365E9431C22EF206F5A2C918659E1B1FD7F64D:F1586DA184365E9431C22EF206F5A2C918659E1B1FD7F64D:1122334455667788\u3002<\/p>\n

\"hashcat\u6ca1\u6709\u6743\u9650\"\"hashcat\u6ca1\u6709\u6743\u9650\"\"hashcat\u6ca1\u6709\u6743\u9650\"<\/p>\n

\u8f6c\u6362\u540e\u7684\u683c\u5f0f\u4e3aNTHASH:F1586DA184365E9431C22EF206F5A2C918659E1B1FD7F64D\uff0c\u7136\u540e\u4f7f\u7528crack.sh\u8fdb\u884c\u7834\u89e3\u3002\u4e0b\u9762\u7b80\u8981\u63a2\u7a76\u4e00\u4e0b\u539f\u7406\uff0c\u5982\u679c\u4e0d\u611f\u5174\u8da3\u53ef\u4ee5\u76f4\u63a5\u8df3\u8fc7\uff0c\u770b\u4e0b\u4e00\u5c0f\u8282\u3002\u5728NTLM\u57fa\u7840\u4ecb\u7ecd\u4e2d\u7b80\u5355\u4ecb\u7ecd\u4e86Net-NTLM v1\u7684\u52a0\u5bc6\u65b9\u5f0f\u3002\u5c0616\u5b57\u8282\u7684NTLM hash\u7a7a\u586b\u5145\u4e3a21\u4e2a\u5b57\u8282\uff0c\u7136\u540e\u5206\u6210\u4e09\u7ec4\uff0c\u6bcf\u7ec47\u5b57\u8282\uff0c\u4f5c\u4e3a3DES\u52a0\u5bc6\u7b97\u6cd5\u7684\u4e09\u7ec4\u5bc6\u94a5\uff0c\u52a0\u5bc6\u670d\u52a1\u5668\u53d1\u9001\u7684Challenge\u3002\u5c06\u8fd9\u4e09\u4e2a\u5bc6\u6587\u503c\u8fde\u63a5\u8d77\u6765\u5f97\u5230response\u3002\u4f46\u5728\u5b9e\u8df5\u4e2d\u53d1\u73b0\uff0c\u52a0\u5bc6\u65b9\u5f0f\u7684\u8868\u8ff0\u6709\u4e9b\u95ee\u9898\uff0c\u6216\u8005\u8bf4\u4e0d\u5b8c\u6574\u3002\u4e0a\u8ff0\u53ea\u662fNet-NTLM v1\u7684\u4e00\u79cd\u52a0\u5bc6\u65b9\u5f0f\uff0cNet-NTLM v1\u8fd8\u6709\u53e6\u4e00\u79cd\u52a0\u5bc6\u65b9\u5f0f\u3002\u4e0b\u9762\u6211\u4eec\u6765\u63a2\u8ba8\u8fd9\u4e24\u79cd\u52a0\u5bc6\u65b9\u5f0f\u4ee5\u53ca\u5229\u7528\u3002<\/p>\n

\"hashcat\u6ca1\u6709\u6743\u9650\"<\/p>\n

\u4f7f\u7528ntlmv1-multi\u4e2d\u7684ntlmv1.py\u8fdb\u884c\u8f6c\u6362\uff0c\u7136\u540e\u590d\u5236NTHASH:E0F8C5B5E45247B4175698B99DBB5557CCD9241EA5A55CFB\u5230crack.sh\u8fdb\u884c\u7834\u89e3\uff0c\u586b\u5199\u90ae\u7bb1\uff0c\u7b49\u5f85\u5927\u7ea6\u4e00\u5206\u949f\u5c31\u80fd\u6536\u5230ntlm hash\u3002<\/p>\n

(2) \u52a0\u5bc6\u65b9\u5f0f2\u4e0e\u7b2c\u4e00\u79cd\u52a0\u5bc6\u65b9\u5f0f\u57fa\u672c\u76f8\u540c\u3002\u6700\u672c\u8d28\u7684\u533a\u522b\u5728\u4e8e\uff0c\u7b2c\u4e00\u79cd\u52a0\u5bc6\u65b9\u5f0f\u7684\u52a0\u5bc6\u5185\u5bb9\u662fServer Challenge\uff0c\u800c\u7b2c\u4e8c\u79cd\u52a0\u5bc6\u65b9\u5f0f\u662f\u62fc\u63a58\u5b57\u8282Server Challenge\u548c8\u5b57\u8282Client Challenge\u540e\uff0c\u6c42\u5176MD5\uff0c\u7136\u540e\u53d6MD5\u503c\u7684\u524d8\u5b57\u8282\u4f5c\u4e3a\u52a0\u5bc6\u5185\u5bb9\u3002<\/p>\n

\"hashcat\u6ca1\u6709\u6743\u9650\"\"hashcat\u6ca1\u6709\u6743\u9650\"<\/p>\n

\u4f7f\u7528ntlmv1-multi\u4e2d\u7684ntlmv1-ssp.py\u8fdb\u884c\u8f6c\u6362\uff0c\u7136\u540e\u4f7f\u7528crack.sh\u8fdb\u884c\u7834\u89e3\u3002\u8fd9\u79cd\u65b9\u5f0f\u9700\u8981\u4ed8\u8d39\uff0c\u800c\u4e14\u4e0d\u4e00\u5b9a\u80fd\u591f\u6210\u529f\u7834\u89e3\u3002<\/p>\n

\u603b\u800c\u8a00\u4e4b\uff0c\u8fd9\u79cd\u52a0\u5bc6\u65b9\u5f0f\u4e0d\u5bb9\u6613\u7834\u89e3\uff0c\u5b9e\u9645\u4e0a\u6211\u4eec\u4e5f\u53ef\u4ee5\u8ba9\u5ba2\u6237\u7aef\u4e0d\u4f7f\u7528\u8fd9\u79cd\u52a0\u5bc6\u65b9\u5f0f\uff0c\u800c\u662f\u4f7f\u7528\u7b2c\u4e00\u79cd\u52a0\u5bc6\u65b9\u5f0f\u3002\u63a5\u4e0b\u6765\u6211\u4eec\u6765\u5206\u6790\u4e00\u4e0b\u3002<\/p>\n

\u5728Responder\u4e2d\u52a0\u4e0a–lm\u53c2\u6570\u53ef\u4ee5\u83b7\u53d6\u5230\u91c7\u7528\u7b2c\u4e00\u79cd\u52a0\u5bc6\u65b9\u5f0f\u7684Net-NTLM Hash\uff0c\u4f46\u53ea\u5bf9smb\u534f\u8bae\u6709\u6548\u3002\u5728\u6211\u7684\u6d4b\u8bd5\u4e2d\uff0c\u5373\u4f7f\u52a0\u4e0a–lm\u53c2\u6570\uff0c\u6536\u5230\u7684\u8bf7\u6c42\u662fHTTP\u534f\u8bae\u7684\u60c5\u51b5\u4e0b\uff0c\u5f97\u5230\u7684Net-NTLM v1\u4ecd\u7136\u91c7\u7528\u7b2c\u4e8c\u79cd\u52a0\u5bc6\u65b9\u5f0f\uff0c\u5f88\u96be\u7834\u89e3\u3002\u6240\u4ee5\u6211\u7814\u7a76\u4e86\u4e00\u4e0b\u5728\u4ec0\u4e48\u60c5\u51b5\u4e0b\u91c7\u7528\u7b2c\u4e00\u79cd\u52a0\u5bc6\u65b9\u5f0f\uff0c\u4ec0\u4e48\u60c5\u51b5\u4e0b\u91c7\u7528\u7b2c\u4e8c\u79cd\u52a0\u5bc6\u65b9\u5f0f\u3002<\/p>\n

\u5728\u8fd9\u7bc7\u6587\u7ae0\u4e2d\u63d0\u5230\uff0c\u5f53NTLM\u7684flag\u4f4dNTLMSSPNEGOTIATE<\/em>EXTENDED_SESSIONSECURITY\u7f6e\u4e3a1\u65f6\uff0c\u4f1a\u91c7\u7528\u7b2c\u4e8c\u79cd\u52a0\u5bc6\u65b9\u5f0f\uff0c\u5426\u5219\u4f1a\u91c7\u7528\u7b2c\u4e00\u79cd\u52a0\u5bc6\u65b9\u5f0f\u3002\u6211\u4eec\u53ef\u4ee5\u770b\u4e00\u4e0bimpacket\u4e2d\u8ba1\u7b97Net-NTLM v1\u7684\u76f8\u5173\u4ee3\u7801\u3002<\/p>\n

\"hashcat\u6ca1\u6709\u6743\u9650\"<\/p>\n

\u53ef\u4ee5\u6e05\u695a\u5730\u770b\u5230\uff0c\u5f53NTLMSSPNEGOTIATE<\/em>EXTENDED_SESSIONSECURITY\u4f4d\u4e3a1\u65f6\uff0c\u52a0\u5bc6\u7684\u5185\u5bb9\u4e0d\u662fServer Challenge\uff0c\u800c\u662f\u7ecf\u8fc7MD5\u54c8\u5e0c\u8fd0\u7b97\u7684Server Challenge\u548cClient Challenge\u7684\u524d8\u4f4d\u3002\u4e5f\u5c31\u662f\u8bf4\u8fd9\u662f\u7b2c\u4e8c\u79cd\u52a0\u5bc6\u65b9\u5f0f\u3002<\/p>\n

\u90a3NTLMSSPNEGOTIATE<\/em>EXTENDEDSESSIONSECURITY flag\u4f4d\u6765\u81ea\u54ea\u91cc\u5462\uff1f\u6211\u4eec\u77e5\u9053NTLM\u5206\u4e3atype1\u3001type2\u3001type3\u3002\u8ba1\u7b97response\u5c31\u5728type3\u4e2d\uff0cNTLMSSP<\/em>NEGOTIATEEXTENDED<\/em>SESSIONSECURITY flag\u4f4d\u6765\u81eatype2\u3002\u800ctype2\u4e2d\u7684\u5185\u5bb9\u901a\u5e38\u662f\u6211\u4eec\u8fd4\u56de\u7ed9\u5ba2\u6237\u7aef\u7684\u3002<\/p>\n

\"hashcat\u6ca1\u6709\u6743\u9650\"<\/p>\n

\u4e5f\u5c31\u662f\u8bf4\uff0c\u5ba2\u6237\u7aef\u9009\u62e9\u4f7f\u7528\u52a0\u5bc6\u65b9\u5f0f1\u8fd8\u662f\u52a0\u5bc6\u65b9\u5f0f2\uff0c\u6211\u4eec\u662f\u53ef\u4ee5\u63a7\u5236\u7684\u3002\u53ea\u9700\u8981\u5c06NTLMSSPNEGOTIATE<\/em>EXTENDED_SESSIONSECURITY\u4f4d\u8bbe\u7f6e\u4e3a0\uff0c\u5ba2\u6237\u7aef\u5c31\u4f1a\u9009\u62e9\u52a0\u5bc6\u65b9\u5f0f1\u3002\u5e76\u4e14\u5728Server Challenge\u4e3a1122334455667788\u7684\u60c5\u51b5\u4e0b\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528crack.sh\u5feb\u901f\u514d\u8d39\u6709\u6548\u5730\u7834\u89e3\uff0c\u83b7\u53d6\u7528\u6237\u7684NTLM Hash\u3002<\/p>\n

\u90a3\u4e48\u5982\u4f55\u5c06NTLMSSPNEGOTIATE<\/em>EXTENDEDSESSIONSECURITY\u4f4d\u8bbe\u7f6e\u4e3a0\u5462\uff1f\u901a\u5e38\u6211\u4eec\u4f7f\u7528\u73b0\u6210\u7684\u5de5\u5177Responder\u6765\u83b7\u53d6Net-NTLM Hash\u3002\u4e4b\u524d\u63d0\u5230\u8fc7\uff0c\u52a0\u4e0a–lm\u53c2\u6570\u5c31\u53ef\u4ee5\u5c06NTLMSSP<\/em>NEGOTIATEEXTENDED<\/em>SESSIONSECURITY\u4f4d\u8bbe\u7f6e\u4e3a0\u3002<\/p>\n

\u8fd9\u65f6\u8fd8\u6709\u4e00\u4e2a\u5c0f\u95ee\u9898\u6ca1\u6709\u89e3\u51b3\uff0c\u5c31\u662fResponder\u52a0\u4e0a–lm\u53c2\u6570\u4e3a\u4ec0\u4e48\u53ea\u5bf9smb\u534f\u8bae\u6709\u6548\uff0c\u5176\u4ed6\u534f\u8bae\u65e0\u6548\u3002\u6211\u53bb\u9605\u8bfb\u4e86Responder\u7684\u4ee3\u7801\u3002<\/p>\n

\"hashcat\u6ca1\u6709\u6743\u9650\"\"hashcat\u6ca1\u6709\u6743\u9650\"<\/p>\n

\u52a0\u4e0a–lm\u53c2\u6570\u540e\uff0c\u8c03\u7528\u7684\u6a21\u5757\u662fSMB1LM\u3002\u53d1\u73b0\u5b83\u4f7f\u7528\u7684\u662f\u65e7\u7248\u672c\u7684SMB\u5b9e\u73b0\u3002\u8fd9\u4e2a\u7248\u672c\u7684\u5b9e\u73b0\u5728SMB\u534f\u5546\u7248\u672c\u65f6\u5c31\u8fd4\u56de\u4e86Challenge\uff0c\u5e76\u5c06NTLMSSPNEGOTIATE<\/em>EXTENDED_SESSIONSECURITY\u4f4d\u8bbe\u7f6e\u4e3a0\u3002<\/p>\n

\"hashcat\u6ca1\u6709\u6743\u9650\"<\/p>\n

\u4f46\u5b8c\u5168\u53ef\u4ee5\u4e0d\u4f7f\u7528\u65e7\u7248\u672c\u7684SMB\u5b9e\u73b0\u3002\u5173\u952e\u5728\u4e8e\u5c06NTLMSSPNEGOTIATE<\/em>EXTENDED_SESSIONSECURITY\u4f4d\u8bbe\u7f6e\u4e3a0\uff0c\u5e76\u4e0d\u4e00\u5b9a\u9700\u8981\u4f7f\u7528\u65e7\u7248\u672c\u7684SMB\u3002\u53ea\u9700\u8981\u4fee\u6539NTLM SSP\u4e2d\u7684flag\u4f4d\u5373\u53ef\u3002\u5728\u5404\u4e2a\u534f\u8bae\u7684NTLM SSP\u4e2d\u4fee\u6539flag\u4f4d\uff0c\u6211\u4eec\u627e\u5230Responder\u4e2dtype2\u7684NTLM SSP\u7684flag\u4f4d\u8d4b\u503c\u7684\u5730\u65b9\u5373\u53ef\u3002Responder\u7684NTLM SSP\u5b9e\u73b0\u5e76\u4e0d\u901a\u7528\u3002\u4f8b\u5982\uff0cSMB\u90e8\u5206\u7684\u5b9e\u73b0\u5728packets.py\u7684SMBSession1Data\u7c7b\u4e2d\u3002<\/p>\n

\"hashcat\u6ca1\u6709\u6743\u9650\"\"hashcat\u6ca1\u6709\u6743\u9650\"\"hashcat\u6ca1\u6709\u6743\u9650\"<\/p>\n

\u9ed8\u8ba4\u503c\u4e3a0xe2898215\uff08\u4e0e\u56fe\u4e2d\u4e0d\u540c\uff1f\u5927\u7aef\u5c0f\u7aef\uff09\u3002NTLMSSPNEGOTIATE<\/em>EXTENDED_SESSIONSECURITY\u5bf9\u5e94\u7684\u662f\u7b2c13\u4f4d\uff0c\u5c06\u5176\u6539\u4e3a0\uff0c\u53730xe2818215\u3002\u4fee\u6539\u540e\u5373\u53ef\u3002<\/p>\n

\u5bf9\u4e8eHTTP\u534f\u8bae\uff0c\u5728packets.py\u7684NTLM_Challenge\u7c7b\u4e2d\u8fdb\u884c\u4fee\u6539\u3002<\/p>\n