ntlm驗(yàn)證機(jī)制學(xué)習(xí)札記-電腦資料

1、ntlm驗(yàn)證機(jī)制學(xué)習(xí)札記-電腦資料作者：awen發(fā)表于：2003-1-16一幾個特殊現(xiàn)象的實(shí)驗(yàn)假設(shè)一個特殊的情況：客戶端a,服務(wù)端b均為windowsnt或者2000系統(tǒng)a的為111.111.111.111b的為222.222.222.222客戶端當(dāng)前登錄的賬號為admin,密碼為:awenpatching服務(wù)端存在一個同樣的賬號，即，賬號為admin,密碼為：awenpatching，并不要求服務(wù)端也用b賬號登錄。第一種情況：共享訪問windows默認(rèn)的共享時，會發(fā)生這樣的情況：a訪問b的c$，當(dāng)敲入222.222.222.222c$,回車后發(fā)現(xiàn)不要輸入密碼，就可以訪問到b的c$.第二種情況

2、：telnettelnet222.222.222.222提示信息如下：歡迎使用MicrosoftTelnetClientTelnetClient內(nèi)部版本號5.00.99206.1Escape字符為CTRL+您將要發(fā)送密碼信息到Internet區(qū)域中的遠(yuǎn)程計算機(jī)。這可能不安全。是否還要發(fā)送(y/n):輸入y然后發(fā)現(xiàn)a已經(jīng)telnet到b了第三種情況：mssqlserver一般來說大家都是通過使用sqlserver的身份驗(yàn)證來遠(yuǎn)程連接的。而這種情況下，當(dāng)你選擇windows身份驗(yàn)證呢，你會發(fā)現(xiàn)可以連接上去。打開你的查詢分析器驗(yàn)證一下，的確可以。二原理分析上面似乎都繞過了身份驗(yàn)證的過程，實(shí)際上并不是

3、這樣子的。先看看windowsntlm身份驗(yàn)證的機(jī)制。以共享為例，具體的方法是這樣的：1、客戶端<建立TCPH接->服務(wù)端2、客戶端客戶端類型、支持的服務(wù)方式列表等->服務(wù)端3、客戶端<服務(wù)器支持協(xié)議、認(rèn)證方式、加密用的key等服務(wù)端4、客戶端用戶名、加密后密碼->服務(wù)端5、客戶端<認(rèn)證成功否-服務(wù)端簡單解釋一下上面的ntlm機(jī)制的驗(yàn)證過程：微軟采用NTLM制：如在一個NT域中，客戶機(jī)登錄域服務(wù)器時,首先由服務(wù)器向客戶端發(fā)送一段隨機(jī)值，客戶端用自己密碼的散列函數(shù)對這個隨機(jī)值進(jìn)行混編并返還給服務(wù)器，服務(wù)器由本地的SAM數(shù)據(jù)庫中讀取該用戶的密碼散列函數(shù)對它發(fā)出的

4、隨機(jī)值進(jìn)行混編，最后把兩個結(jié)果進(jìn)行比較，如果相同，即認(rèn)證通過。這是一個普遍的過程，實(shí)際上以上三個例子都同樣實(shí)現(xiàn)了這樣的一個過程，只不過由于身份驗(yàn)證機(jī)制中一個缺陷，導(dǎo)致出現(xiàn)了上面的三種特殊的情形。WIN9XWINNTWIN200游這有個缺陷，不經(jīng)過提示等就把當(dāng)前用戶名，密碼加密后發(fā)過去了。也就是在上面的第四步中發(fā)送的是客戶端的加密后的用戶名和密碼。在我們上面的幾個具體的例子中間，過程如下：a和b建立tcp連接，然后a把客戶端類型、支持的服務(wù)方式列表等發(fā)送給b,b然后將服務(wù)器支持協(xié)議、認(rèn)證方式、加密用的key等發(fā)送給a,a自動就把當(dāng)前用戶名，密碼加密后發(fā)過去了。和b的SAhM據(jù)庫中（經(jīng)過一系列處理

5、后的值）的進(jìn)行比較，兩者一樣。認(rèn)證成功。三對sql連接的詳細(xì)分析通過網(wǎng)絡(luò)協(xié)議分析工具iris，設(shè)定為截獲在兩計算機(jī)間所有的分組。我們發(fā)現(xiàn)與服務(wù)器的連接全部是通過與1433端口的通信所實(shí)現(xiàn)的。實(shí)際操作中曾發(fā)現(xiàn)有137udp端口的分組，但是本人通過ipsec過濾137后，發(fā)現(xiàn)同樣可以連接。注：137udp是用來提供netbios名字服務(wù)的?？偣驳玫搅?1個分組，下面只列出與>服務(wù)端客戶端客戶端類型、支持的服務(wù)方式列表等No:6Timestamp:16:22:29:984MACsourceaddress:00:50:BF:2A:40:64MACdestaddress:00:09:7B:51:B

6、B:FCFrame.type:IPProtocol:TCP->1042SourceIPaddress:awenDestIPaddress:FLDserverSourceport:1042Destinationport:1433SEQ:3106511279ACK:2759799333Packetsize:241Packetdata:0000:00097B51BBFC0050BF2A406408004500.Q.P.*d.E.0010:00E307284000800639DCAC1101BCD341.(.9A0020:380204120599B92999AFA47F322550188)2%P

7、.0030:FACB472D0000100100BB00000100B300.G-0040:0000010000710000000000000007C804q0050:000000000000E083000020FEFFFF04080060:00005600000000000000000000005600.VV.0070:090068000B00000000007E0004008600.h0080:0000860000000050BF2A406486002D00.P.*d.-.0090:B3000000530051004c002000E567E28B.S.Q.L.g.00A0:06529067

8、68563200310031002E003600.R.ghV2.0.2.5.00B0:35002E00350036002E0032004F0044008.5.6.2.O.D.00C0:420043004E544C4D5353500001000000B.C.NTLMSSP.00D0:07B200A0090009002400000004000400$00E0:200000004157454E574F524B47524F55.AWENWORKGROU00F0:50P客戶端<服務(wù)器支持協(xié)議、認(rèn)證方式、加密用的key等-服務(wù)端=No:7Timestamp:16:22:29:984MACsource

9、address:00:09:7B:51:BB:FCMACdestaddress:00:50:BF:2A:40:64Frame.type:IPProtocol:TCP->1042SourceIPaddress:FLDserverDestIPaddress:awenSourceport:1433Destinationport:1042SEQ:2759799333ACK:3106511466Packetsize:223Packetdata:0000:0050BF2A406400097B51BBFC08004500.P.*d.QE.0010:00D1DE1A40007E0664FBD341380

10、2AC11.d.A8.0020:01BC05990412A47F3225B9299A6A50182%.).jP.0030:FA01C3DC0000040000A900000100ED9E0040:004E544C4D5353500002000000120012.NTLMSSP0050:0030000000058282A0F2D405C1C0BC45.0E0060:9500000000000000005C005C00420000.B.0070:0046004C004400530045005200560045.F.L.D.S.E.R.V.E0080:0052000200120046004C0044

11、00530045.RF.L.D.S.E0090:0052005600450052000100120046004C.R.V.E.RF.L00A0:00440053004500520056004500520004.D.S.E.R.V.E.R.00B0:00120066006C00640073006500720076.f.l.d.s.e.r.v00C0:00650072000300120066006C00640073.e.rf.l.d.s客戶端用戶名、加密后密碼>服務(wù)端服務(wù)器的名稱awen用戶名為admin,后面是加密后的散列值=No:8Timestamp:16:22:29:994MACsou

12、rceaddress:00:50:BF:2A:40:64MACdestaddress:00:09:7B:51:BB:FCFrame.type:IPProtocol:TCP->1042SourceIPaddress:awenDestIPaddress:FLDserverSourceport:1042Destinationport:1433SEQ:3106511466ACK:2759799502Packetsize:200Packetdata:0000:00097B51BBFC0050BF2A406408004500.Q.P.*d.E.0010:00BA072A400080063A03AC1

13、101BCD341*:A0020:380204120599B9299A6AA47F32CE50188.).j.2.P.0030:FA22350C000011010092000001004E54."5NT0040：4C4D5353500003000000180018005A00LMSSPZ.0050:00001800180072000000080008004000.r.0060:00000A000A0048000000080008005200HR.0070:0000000000008A000000058280A04100A.0080:570045004E00610064006D0069

14、006E00W.E.N.a.d.m.i.n.0090:4100570045004E00A3581F51AF9B9723A.W.E.N.X.Q.#00A0:7402A03C3DEDA70231CAC84F1DF9B178t.=.1.O.x00B0:4EABA5C0D113D72982B84C06B0AD7D03N.).L.00C0:1B9EFF2B8B4F8A64.+.O.d=驗(yàn)證通過=No:9Timestamp:16:22:30:014MACsourceaddress:00:09:7B:51:BB:FCMACdestaddress:00:50:BF:2A:40:64Frame.type:IPP

15、rotocol:TCP->1042DestIPaddress:awenSourceport:1433Destinationport:1042SEQ:2759799502ACK:3106511612Packetsize:339Packetdata:0000:0050BF2A406400097B51BBFC08004500.P.*d.QE.0010:0145DE1B40007E066486D3413802AC11.E.d.A8.0020:01BC05990412A47F32CEB9299AFC50182.).P.0030:F96FC40D00000401011D00330200E31B.o3

16、0040:0001066D006100730074006500720006.m.a.s.t.e.r.0050:6D0061007300740065007200AB460045m.a.s.t.e.r.F.E0060:16000002001400F25D065C70656E6393.penc.0070:5E0A4E0B4E876539653A4E200027006DANNe9e:N，m0080:00610073007400650072002700023009.a.s.t.e.r.0.0090:46004C00440053004500520056004500F.L.D.S.E.R.V.E.00A0:

17、5200000000E3080007050408D0000000R00B0:E30B000204807B534F2D4E876500AB3ASO-N.e.:00C0:004716000001000E00F25D065CED8B00.G.00D0:8ABE8B6E7F39653A4E2000807B534F2D.n.9e:N.SO-00E0:4E876502300946004C00440053004500N.e.0.F.L.D.S.E.00F0:5200560045005200000000AD36000107R.V.E.R6.0100:010000164D006900630072006F0073

18、00.M.i.c.r,o,s.0110:6F00660074002000530051004c002000o.f.t.S.Q.L.0120:53006500720076006500720000000000S.e.r.v.e.r.0130:080000C2E313000404340030003900364.0.9.60140:00043400300039003600FD0000000000.4.0.9.6.0150:000000.四對TELNETS程的分析同樣是通過IRIS進(jìn)行分析，可以發(fā)現(xiàn)=客戶端-客戶端類型、支持的服務(wù)方式列表等>服務(wù)端No:9Timestamp:19:43:48:362

19、MACsourceaddress:00:50:BF:2A:40:64MACdestaddress:00:09:7B:51:BB:FCFrame.type:IPProtocol:TCP->TELNETSourceIPaddress:awenSourceport:2255Destinationport:23SEQ:1865769009ACK:1218937261Packetsize:103Packetdata:0000:00097B51BBFC0050BF2A406408004500.Q.P.*d.E.0010:0059B219400080068F74AC1101BCD341.Y.t.A00

20、20:380208CF00176F35603148A781AD50188.o5'1H.P.0030:FAD6DC150000FFFA25000F0000200000%0040:00020000004E544C4D53535000010000.NTLMSSP.0050:00978208E000000000000000000000000060:0000000000FFF0客戶端-_客戶端類型、支持的服務(wù)方式列表等>服務(wù)端=No:10Timestamp:19:43:48:462MACsourceaddress:00:09:7B:51:BB:FCMACdestaddress:00:50:

21、BF:2A:40:64Frame.type:IPProtocol:TCP->TELNETSourceIPaddress:fldserverDestIPaddress:awenSourceport:23Destinationport:2255SEQ:1218937261ACK:1865769058Packetsize:229Packetdata:0000:0050BF2A406400097B51BBFC08004500.P.*d.QE.0010:00D7F78440007E064B8BD3413802AC11.K.A8.0020:01BC001708CF48A781AD6F35606250

22、18H.o5'bP.0030:FAA41EB50000FFFA25020F00019E0000%0040:00020000004E544C4D53535000020000NTLMSSP0050:00120012003000000015828AE0ED8337070070:004200000046004C0044005300450052.B.F.L.D.S.E.R0080:005600450052000200120046004C0044.V.E.RF.L.D0090:00530045005200560045005200010012.S.E.R.V.E.R00A0:0046004C0044

23、00530045005200560045.F.L.D.S.E.R.V.E00B0:0052000400120066006C006400730065.Rf.l.d.s.e00C0:0072007600650072000300120066006C.r.v.e.rf.l00D0:00640073006500720076006500720000.d.s.e.r.v.e.r.00E0:000000FFF0客戶端用戶名、加密后密碼>服務(wù)端服務(wù)器的名稱awen用戶名為admin,后面是加密后的散列值No:11Timestamp:19:43:48:472MACsourceaddress:00:50:BF

24、:2A:40:64MACdestaddress:00:09:7B:51:BB:FCFrame.type:IPProtocol:TCP->TELNETSourceIPaddress:awenDestIPaddress:fldserverSourceport:2255Destinationport:23SEQ:1865769058ACK:1218937436Packetsize:225Packetdata:0000:00097B51BBFC0050BF2A406408004500.Q.P.*d.E.0010:00D3B21A400080068EF9AC1101BCD341.A0020:380

25、208CF00176F35606248A7825C50188.o5'bH.P.0030:FA276F630000FFFA25000F00029A0000.oc.%.0040:00020000004E544C4D53535000030000.NTLMSSP.0050:00180018005A00000018001800720000.Z.r.0060:0008000800400000000A000A00480000.H.0070:000800080052000000100010008A0000.R0080:00158288E04100570045004E00610064.A.W.E.N.a

26、.d0090:006D0069006E004100570045004E0068.m.i.n.A.W.E.N.h00A0:B654083F5F5DA5000000000000000000.T.?_00B0:0000000000000029B6965EFB78C11A96.).A.x.00C0:EC11A7D4D51ACC72D21A98613C8EDA51.r.a.Q00D0:0828F81CF9778F4A4132943B9E9742FF.(.w.JA2.;.B.00E0:F0.驗(yàn)證通過No:16Timestamp:19:43:48:853MACsourceaddress:00:09:7B:5

27、1:BB:FCMACdestaddress:00:50:BF:2A:40:64Frame.type:IPProtocol:TCP->TELNETSourceIPaddress:fldserverDestIPaddress:awenSourceport:23Destinationport:2255SEQ:1218937454ACK:1865769242Packetsize:609Packetdata:0000:0050BF2A406400097B51BBFC08004500.P.*d.QE.0010:0253F78740007E064A0CD3413802AC11.S.J.A8.0020:

28、01BC001708CF48A7826E6F35611A5018H.no5a.P.0030:F9EC0AF500001B5B313B31482A3D3D3D1;1H*=0040:3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D=0050:3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D=0060:3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D=0070:3D3D3D3D3D3D3D3D3D3D3D3D20202020=0080:2020202020202020202020201B5B323B.2;0090:3148BBB6D3ADCAB9D3C

29、3204D6963726F1HMicro00A0:736F66742054656C6E657420B7FECEF1softTelnet00B0:C6F7A1A320202020202020202020202000C0:2020202020202020202020202020202000D0:2020202020202020202020202020202000E0:20201B5B333B31482A3D3D3D3D3D3D3D.3;1H*=00F0:3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D=0100:3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D=011