Analysis of the differences between SMB and RDP brute-force attempts
Mass SMB brute force:
Detailed log:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-07-28T03:07:32.3129542Z" />
<EventRecordID>351668</EventRecordID>
<Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
<Execution ProcessID="1020" ThreadID="564" />
<Channel>Security</Channel>
<Computer>DESKTOP-UKRDUMC</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">admin</Data>
<Data Name="TargetDomainName">DESKTOP-PTV6LGO</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">172.16.111.120</Data>
<Data Name="IpPort">51304</Data>
</EventData>
</Event>
https://docs.microsoft.com/zh-cn/windows/security/threat-protection/auditing/event-4625
<Data Name="SubStatus">0xc0000064</Data>
Meaning:
0xC0000064 | User logon with misspelled or bad user account
<Data Name="Status">0xc000006d</Data>
0xC000006D | This is either due to a bad username or authentication information
<Data Name="AuthenticationPackageName">NTLM</Data>
Looking at the packet capture:
It is port 445, i.e. the SMB2 protocol on port 445.
Next I tried RDP brute force to see where the differences are:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-07-28T03:27:52.0182105Z" />
<EventRecordID>351826</EventRecordID>
<Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
<Execution ProcessID="1020" ThreadID="6408" />
<Channel>Security</Channel>
<Computer>DESKTOP-UKRDUMC</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">tj</Data>
<Data Name="TargetDomainName" />
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">172.16.111.120</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
Here you can see that the password was wrong:
0xC000006A | User logon with misspelled or bad password
whereas in the SMB case it was the username that was wrong.
But both are NTLM, so RDP and SMB brute force cannot be distinguished by AuthenticationPackageName.
Looking at the packet capture:
Because the source port (IpPort) is 0, the event cannot be accurately correlated with the capture.
Logon type 3 in both cases means a remote network logon.
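As an added example (not part of the original post), the following Python script parses 4625 records in the XML layout shown above and aggregates failures per source IP; since NTLM, LogonType 3 and IpPort cannot tell SMB from RDP, it reports volume, the SubStatus mix (bad username vs bad password) and whether the source port is usable. `parse_4625`, `summarize` and the sample records are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# SubStatus meanings from Microsoft's event 4625 documentation.
SUBSTATUS = {0xC0000064: "bad username", 0xC000006A: "bad password",
             0xC0000234: "account locked out"}

def parse_4625(xml_text):
    """Extract the EventData fields of one 4625 record that matter for triage."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall(".//e:EventData/e:Data", NS)}
    return {"user": data["TargetUserName"], "ip": data["IpAddress"],
            "port": int(data["IpPort"]), "logon_type": int(data["LogonType"]),
            "package": data["AuthenticationPackageName"],
            "substatus": int(data["SubStatus"], 16)}

def summarize(events, threshold=5):
    """Group failures by source IP. NTLM + LogonType 3 look identical for SMB and RDP
    (NLA), so the report relies on volume, the SubStatus mix (username guessing vs
    password guessing) and whether IpPort is non-zero and usable for pcap correlation."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        reasons = Counter(SUBSTATUS.get(e["substatus"], f"other 0x{e['substatus']:08X}") for e in evs)
        report[ip] = {"failures": len(evs), "reasons": dict(reasons),
                      "distinct_users": len({e["user"] for e in evs}),
                      "source_port_usable": all(e["port"] != 0 for e in evs),
                      "suspicious": len(evs) >= threshold}
    return report

# Constructed minimal 4625 record in the same XML layout as the Event Viewer dumps above.
EVENT_TMPL = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID></System><EventData>
<Data Name="TargetUserName">{user}</Data><Data Name="SubStatus">{sub}</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="IpAddress">172.16.111.120</Data><Data Name="IpPort">{port}</Data>
</EventData></Event>"""
# Constructed sample: four SMB-style bad-username failures with real source ports,
# then three RDP-style bad-password failures for "tj" with IpPort 0.
SAMPLE = [EVENT_TMPL.format(user=u, sub="0xc0000064", port=51300 + i)
          for i, u in enumerate(["admin", "guest", "test", "root"])]
SAMPLE += [EVENT_TMPL.format(user="tj", sub="0xc000006a", port=0) for _ in range(3)]

if __name__ == "__main__":
    for ip, row in summarize([parse_4625(x) for x in SAMPLE]).items():
        print(ip, row)
```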
Table 11: Windows Logon Types
Logon Type | Logon Title | Description
2 | Interactive | A user logged on to this computer.
3 | Network | A user or computer logged on to this computer from the network.
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5 | Service | A service was started by the Service Control Manager.
7 | Unlock | This workstation was unlocked.
8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Note: my brute-force attempts were made from inside the LAN.
NTLM is short for NT LAN Manager, which also indicates the protocol's origin. NTLM refers to an authentication method for telnet, i.e. a challenge/response authentication protocol; it was the standard security protocol of early Windows NT versions, and Windows 2000 supports NTLM to preserve backward compatibility. It is one of the three basic security protocols built into Windows 2000.
But in practice, RDP brute force from a remote network also shows up as NTLM:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-07-28T03:54:10.2403785Z" />
<EventRecordID>351961</EventRecordID>
<Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
<Execution ProcessID="1020" ThreadID="12228" />
<Channel>Security</Channel>
<Computer>DESKTOP-UKRDUMC</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">tj</Data>
<Data Name="TargetDomainName" />
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">172.16.111.120</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
When brute-forcing SMB over the public internet, it kept reporting that the network was unreachable:
hydra.exe -l xxx -P password.txt -vV smb://1xxxxxx
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-07-28 12:01:43
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 108 login tries (l:1/p:108), ~108 tries per task
[DATA] attacking smb://1xxxxxxx:445/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
Process 823: Can not connect [unreachable], retrying (1 of 1 retries)
Process 823: Can not connect [unreachable]
[ERROR] could not connect to target smb://1xxxxxx:445/
References:
SMB configuration: https://zhuanlan.zhihu.com/p/110788184
Hydra usage: https://blog.csdn.net/weixin_45101989/article/details/117306867