
Analysis of the differences between SMB and RDP brute-force attempts

Author: Internet

Mass SMB brute-force:

Detailed log:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2022-07-28T03:07:32.3129542Z" />
    <EventRecordID>351668</EventRecordID>
    <Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
    <Execution ProcessID="1020" ThreadID="564" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-UKRDUMC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">admin</Data>
    <Data Name="TargetDomainName">DESKTOP-PTV6LGO</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">172.16.111.120</Data>
    <Data Name="IpPort">51304</Data>
  </EventData>
</Event>

 

https://docs.microsoft.com/zh-cn/windows/security/threat-protection/auditing/event-4625

  <Data Name="SubStatus">0xc0000064</Data>

Meaning:

0xC0000064: user logon with a misspelled or bad user account.

  <Data Name="Status">0xc000006d</Data>

0xC000006D: generic logon failure; the Microsoft page above describes it as being due to either a bad username or bad authentication information (the SubStatus gives the specific reason).

 

 

 

  <Data Name="AuthenticationPackageName">NTLM</Data>

Look at the packet capture:

 

 

 

You can see it is port 445!!! Port 445, for the SMB2 protocol!!!

 

 

 

Then I tried RDP brute-forcing to see where the difference is:

 

 

 

 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2022-07-28T03:27:52.0182105Z" />
    <EventRecordID>351826</EventRecordID>
    <Correlation ActivityID="{588d7746-a22d-0006-5e77-8d582da2d801}" />
    <Execution ProcessID="1020" ThreadID="6408" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-UKRDUMC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">tj</Data>
    <Data Name="TargetDomainName" />
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">DESKTOP-PTV6LGO</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">172.16.111.120</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>

 

You can see the password is wrong:

0xC000006A: user logon with a misspelled or bad password.

The SMB one was a wrong user name!

But both are NTLM, so RDP and SMB brute-forcing cannot be told apart by AuthenticationPackageName.

Look at the packet capture:

Because the source port (IpPort) is 0 in the RDP event, it cannot be accurately correlated with the capture.
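As an added example (not from the original post), here is a small Python triage script that parses 4625 events like the two above, decodes SubStatus with the Microsoft meanings quoted on this page, and uses the IpPort difference the post observed (real client port for SMB, 0 for the RDP event) as a heuristic to separate the two channels before counting failures per source IP. The port-0 rule is an assumption drawn from these two events, not a documented field meaning, and the sample events are constructed copies of the page's values.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# SubStatus meanings taken from the Microsoft 4625 page linked above.
SUBSTATUS = {0xC0000064: "bad username", 0xC000006A: "bad password"}

def parse_4625(xml_text):
    """Pull the brute-force-relevant fields out of one 4625 event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a 4625 event")
    d = {x.get("Name"): (x.text or "") for x in root.findall("e:EventData/e:Data", NS)}
    return {"user": d["TargetUserName"], "ip": d["IpAddress"],
            "port": int(d["IpPort"]), "logon_type": int(d["LogonType"]),
            "auth_pkg": d["AuthenticationPackageName"],
            "reason": SUBSTATUS.get(int(d["SubStatus"], 16), "other failure")}

def classify(ev):
    """Heuristic (assumption from the two events on this page, not a schema
    rule): both SMB and RDP failures are LogonType 3 / NTLM, but the RDP (NLA)
    event reports IpPort 0 while the SMB event carries the real client port."""
    if ev["logon_type"] != 3 or ev["auth_pkg"] != "NTLM":
        return "other"
    return "rdp-nla-like" if ev["port"] == 0 else "smb-like"

def brute_force_alerts(events, threshold=5):
    """Count failures per (source IP, channel) and return the pairs at/over threshold."""
    counts = Counter((ev["ip"], classify(ev)) for ev in events)
    return {key: n for key, n in counts.items() if n >= threshold}

def _sample(user, substatus, port):
    # Constructed sample event, reduced to the fields used above; the values
    # mirror the SMB and RDP events shown on this page.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID></System><EventData>
<Data Name="TargetUserName">{user}</Data><Data Name="SubStatus">{substatus}</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="IpAddress">172.16.111.120</Data><Data Name="IpPort">{port}</Data>
</EventData></Event>"""

SMB_EVENT = _sample("admin", "0xc0000064", 51304)
RDP_EVENT = _sample("tj", "0xc000006a", 0)

if __name__ == "__main__":
    for ev in (parse_4625(SMB_EVENT), parse_4625(RDP_EVENT)):
        print(classify(ev), ev)
    # Six SMB failures from one IP trip the threshold; two RDP failures do not.
    print(brute_force_alerts([parse_4625(SMB_EVENT)] * 6 + [parse_4625(RDP_EVENT)] * 2))
```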

 

 

Logon type 3 is the network logon type in both cases.

Table 11: Windows Logon Types

| Logon Type | Logon Title | Description |
|---|---|---|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |

 

 

Note: I was brute-forcing from inside the LAN.

NTLM is short for NT LAN Manager, which also shows where the protocol comes from. NTLM refers to an authentication method for telnet, namely a challenge/response authentication protocol; it was the standard security protocol in early versions of Windows NT, and Windows 2000 supports NTLM to maintain backward compatibility. It is one of the three basic security protocols built into Windows 2000.

 

References:

SMB configuration: https://zhuanlan.zhihu.com/p/110788184

Hydra usage: https://blog.csdn.net/weixin_45101989/article/details/117306867

Source: https://www.cnblogs.com/bonelee/p/16528178.html