
Analysis of the differences between SMB and RDP brute-force attempts

2022-07-28 12:03:04  Reads: 197  Source: Internet

Tags: rdp Windows brute-force NTLM computer user credentials smb network

A large volume of SMB brute-force attempts:

Detailed log:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2022-07-28T03:07:32.3129542Z" />
    <EventRecordID>351668</EventRecordID>
    <Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
    <Execution ProcessID="1020" ThreadID="564" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-UKRDUMC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">admin</Data>
    <Data Name="TargetDomainName">DESKTOP-PTV6LGO</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">172.16.111.120</Data>
    <Data Name="IpPort">51304</Data>
  </EventData>
</Event>

https://docs.microsoft.com/zh-cn/windows/security/threat-protection/auditing/event-4625

  <Data Name="SubStatus">0xc0000064</Data>

Meaning:

0xC0000064

User logon with a misspelled or bad user account.

  <Data Name="Status">0xc000006d</Data>

0xC000006D

The Chinese docs render this as "seems to be due to a system problem and insecurity" (the English version of the same page reads: "This is either due to a bad username or authentication information").

  <Data Name="AuthenticationPackageName">NTLM</Data>

Let's look at the packet capture:

You can see it is port 445!!! Port 445 of the SMB2 protocol!!!

Then I tried an RDP brute-force to see where it differs:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2022-07-28T03:27:52.0182105Z" />
    <EventRecordID>351826</EventRecordID>
    <Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
    <Execution ProcessID="1020" ThreadID="6408" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-UKRDUMC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">tj</Data>
    <Data Name="TargetDomainName" />
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">172.16.111.120</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>

You can see the password was wrong:

0xC000006A

User logon with a misspelled or bad password.

The SMB one was a wrong user name!

But both are NTLM, so RDP and SMB brute-forcing cannot be told apart by AuthenticationPackageName.

Let's look at the capture:

Because the source port is 0, it cannot be correlated precisely.

Logon type 3 is, in both cases, a remote network logon.

Table 11: Windows Logon Types

| Logon Type | Logon Title | Description |
|---|---|---|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
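As an added example (not part of the original post), a small Python triage script that parses 4625 records like the two above, groups failures per source IP and decodes the two SubStatus values seen here; it applies the post's own observation that the RDP (NLA) attempt logged IpPort 0 (so it cannot be joined to a pcap by port) while the SMB attempt logged the client port. The sample records are constructed from the field values of the two events, the third record and the alert threshold are assumptions, and the channel guess is a heuristic, not a documented rule.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# SubStatus codes seen in the two 4625 records above (meanings per the MS 4625 docs).
SUBSTATUS = {0xC0000064: "bad user name", 0xC000006A: "bad password"}

def parse_4625(xml_text):
    """Pull the brute-force-relevant fields out of one Event 4625 XML record."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "user": data["TargetUserName"],
        "ip": data["IpAddress"],
        "port": int(data["IpPort"]),
        "logon_type": int(data["LogonType"]),
        "auth_pkg": data["AuthenticationPackageName"],
        "reason": SUBSTATUS.get(int(data["SubStatus"], 16), data["SubStatus"]),
    }

def guess_channel(ev):
    """Heuristic from this post's two captures: both are NTLM / logon type 3, so IpPort
    is the only observed discriminator: SMB logged the client port, RDP (NLA) logged 0."""
    if ev["logon_type"] != 3 or ev["auth_pkg"] != "NTLM":
        return "other"
    return "rdp-nla?" if ev["port"] == 0 else "smb?"

def triage(xml_events, threshold=3):
    """Group 4625s by source IP; 'alert' marks sources at or over the threshold."""
    per_ip = {}
    for ev in map(parse_4625, xml_events):
        s = per_ip.setdefault(ev["ip"], {"n": 0, "users": set(), "reasons": Counter(), "channels": Counter()})
        s["n"] += 1
        s["users"].add(ev["user"])
        s["reasons"][ev["reason"]] += 1
        s["channels"][guess_channel(ev)] += 1
    return {ip: dict(s, users=sorted(s["users"]), alert=s["n"] >= threshold)
            for ip, s in per_ip.items()}

# Constructed sample records, trimmed to the fields read above. The first two carry the
# field values of the SMB and RDP events on this page; the third is an assumed repeat.
def _event(user, port, substatus):
    return (f'<Event xmlns="{NS["e"]}"><EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="SubStatus">{substatus}</Data><Data Name="LogonType">3</Data>'
            f'<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="IpAddress">'
            f'172.16.111.120</Data><Data Name="IpPort">{port}</Data></EventData></Event>')
SAMPLE = [_event("admin", 51304, "0xc0000064"),
          _event("tj", 0, "0xc000006a"),
          _event("tj", 0, "0xc000006a")]
```

Running `triage(SAMPLE)` reports one source with three failures, one "smb?" and two "rdp-nla?" records, and a mix of bad-user-name and bad-password reasons, which is the picture the two logs above give.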

 

 

Note: my brute-forcing was done inside the LAN.

NTLM is short for NT LAN Manager, which also says something about the protocol's origin. NTLM refers to an authentication method for telnet, that is, a challenge/response authentication protocol; it was the standard security protocol of early Windows NT versions, and Windows 2000 supports NTLM to keep backward compatibility. It is one of the three basic security protocols built into Windows 2000.

References:

SMB configuration https://zhuanlan.zhihu.com/p/110788184

Using Hydra https://blog.csdn.net/weixin_45101989/article/details/117306867

Source: https://www.cnblogs.com/bonelee/p/16528178.html
