Got crushed yet again, scraping by in the margins 😭
EZ_AD
Security researcher Xiao Zhang captured some anomalous traffic on the group's office intranet. Help Xiao Zhang analyse it and find the suspicious content.
Three kinds of traffic have to be decrypted in total:
- SharpADWS traffic (GSS-API wrapped inside NMF)
- SMB2 (the client requests a cifs service ticket via Kerberos)
- DCERPC
Step one is to pull the NTLMv2 material out of the capture and brute-force the user's password. NTLMRawUnHide is a handy one-shot extractor that prints hashcat-ready lines:
```
python3 NTLMRawUnHide.py -i xxx.pcapng
sk::sk.com:77534d575de5f632:83889cdf4d1336bd3cc92f23c94f1f6d:010100000000000080a6da2b0464db012ad8e6c2d43a869c000000000200040053004b00010004004400430004000c0073006b002e0063006f006d0003001200440043002e0073006b002e0063006f006d0005000c0073006b002e0063006f006d00070008009dafb62b0464db01090036006c006400610070002f003100390032002e003100360038002e003100370039002e00310033003100400073006b002e0063006f006d000000000000000000
```
Cracking it with hashcat (mode 5600 is NetNTLMv2) gives the password !@#123QWEqwe:
```
hashcat -m 5600 -a 0 "sk::sk.com:77534d575de5f632:83889cdf4d1336bd3cc92f23c94f1f6d:010100000000000080a6da2b0464db012ad8e6c2d43a869c000000000200040053004b00010004004400430004000c0073006b002e0063006f006d0003001200440043002e0073006b002e0063006f006d0005000c0073006b002e0063006f006d00070008009dafb62b0464db01090036006c006400610070002f003100390032002e003100360038002e003100370039002e00310033003100400073006b002e0063006f006d000000000000000000" rockyou.txt
SK::sk.com:77534d575de5f632:83889cdf4d1336bd3cc92f23c94f1f6d:010100000000000080a6da2b0464db012ad8e6c2d43a869c000000000200040053004b00010004004400430004000c0073006b002e0063006f006d0003001200440043002e0073006b002e0063006f006d0005000c0073006b002e0063006f006d00070008009dafb62b0464db01090036006c006400610070002f003100390032002e003100360038002e003100370039002e00310033003100400073006b002e0063006f006d000000000000000000:!@#123QWEqwe
```
Enter that password in Wireshark's NTLMSSP preferences (Edit > Preferences > Protocols > NTLMSSP, "NT Password") so Wireshark can derive the NTLM session key and decrypt the GSS-API payloads.
In the last GSS-API payload you can see Administrator's password being changed: an LDAP ModifyRequest on the unicodePwd attribute. Per the MS-ADTS encoding rules (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6e803168-f140-4d23-b2d3-c3a8ab5917d2), the value is the new password wrapped in double quotes and encoded as UTF-16LE, so the account's new password is 02)78M5CcE=+:
```
0df]&CN=Administrator,CN=Users,DC=sk,DC=com0301
0,
unicodePwd1"02)78M5CcE=+"
```
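To make the unicodePwd rule concrete, here is an added example (mine, not from the writeup): it builds a minimal BER-encoded LDAP ModifyRequest that replaces unicodePwd on the DN seen above, then walks the TLV structure to find the attribute and decode its value the way the traffic analysis had to. The DN and password are the ones from the capture; message IDs are assumed to stay below 128 so the INTEGER fits in one byte.

```python
# BER universal tags plus the LDAP application tag used here
SEQUENCE, SET, OCTET_STRING, INTEGER, ENUMERATED = 0x30, 0x31, 0x04, 0x02, 0x0A
MODIFY_REQUEST = 0x66  # [APPLICATION 6], constructed


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_unicode_pwd(password: str) -> bytes:
    """MS-ADTS unicodePwd value: the new password wrapped in double quotes, UTF-16LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def build_modify_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, ModifyRequest { object, changes: [ replace unicodePwd ] } } (message_id < 128)."""
    attr = tlv(SEQUENCE, tlv(OCTET_STRING, b"unicodePwd")
               + tlv(SET, tlv(OCTET_STRING, encode_unicode_pwd(password))))
    change = tlv(SEQUENCE, tlv(ENUMERATED, b"\x02") + attr)  # operation: replace (2)
    modify = tlv(MODIFY_REQUEST, tlv(OCTET_STRING, dn.encode()) + tlv(SEQUENCE, change))
    return tlv(SEQUENCE, tlv(INTEGER, bytes([message_id])) + modify)


def walk_ber(buf: bytes):
    """Yield (tag, value) for every TLV in buf, descending into constructed ones."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        value, pos = buf[pos:pos + length], pos + length
        yield tag, value
        if tag & 0x20:
            yield from walk_ber(value)


def find_unicode_pwd(ldap_msg: bytes):
    """Return (dn, [passwords]) if the message modifies unicodePwd, else None."""
    items = list(walk_ber(ldap_msg))
    dn = None
    for i, (tag, value) in enumerate(items):
        if tag == MODIFY_REQUEST:
            # the first OCTET STRING inside a ModifyRequest is the target DN
            dn = next((v for t, v in walk_ber(value) if t == OCTET_STRING), b"").decode()
        if (tag == OCTET_STRING and value.lower() == b"unicodepwd"
                and i + 1 < len(items) and items[i + 1][0] == SET):
            vals = [decode_unicode_pwd(v) for t, v in walk_ber(items[i + 1][1]) if t == OCTET_STRING]
            return dn, vals
    return None


if __name__ == "__main__":
    msg = build_modify_request(7, "CN=Administrator,CN=Users,DC=sk,DC=com", "02)78M5CcE=+")
    print(msg.hex())
    print(find_unicode_pwd(msg))
```

The attribute name is an ASCII OCTET STRING while the value is UTF-16LE, which is why the name reads cleanly in a raw dump but the password only becomes readable once decoded.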
That gives us Administrator's password, and every Kerberos authentication from here on is performed as Administrator, so a keytab built for Administrator lets Wireshark decrypt the DCERPC traffic.
Create-KeyTab is used to build it. The keytab has to hold the encryption type the tickets actually use (AES256 in current domains; RC4-HMAC, whose key is simply the NT hash, in older ones), otherwise the blobs stay encrypted.
Load the finished keytab in Wireshark's KRB5 preferences ("Kerberos keytab file", with "Try to decrypt Kerberos blobs" enabled) and the DCERPC traffic decrypts.
Next, pair the session key from the TGS-REP with the Session ID in the corresponding SMB2 Session Setup response. If the AP-REP in that session setup carries a subkey, the subkey is the session key SMB2 actually uses, so check the decrypted AP-REP before falling back to the ticket session key:
| Session ID | Session Key |
| --- | --- |
| 5500000800180000 | 78e3e3f1559813f7286374a816b99862 |
| 6500000800180000 | b97c4cc93e3a424aacccd4dafba3ceca |
| 6900000800180000 | b40ccbe618c34a3c54716ac5ba14408d |
Enter these pairs in Wireshark's SMB2 preferences ("Secret session keys for decryption") to decrypt the SMB2 traffic.
Then export the files transferred over SMB (File > Export Objects > SMB).
The exported flag.zip turns out to be password-protected. Load the Session ID / Session Key pair below and carry on decrypting the SMB traffic in 3.pcapng:
| Session ID | Session Key |
| --- | --- |
| 1100000c00180000 | 3c4276a33a529832163bb2b7d7e3db87 |
An XML file comes out of it:
```
\NGNhFjsY<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers>
<CalendarTrigger>
<StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="LocalSystem">
<Exec>
<Command>cmd.exe</Command>
<Arguments>/C C:\Windows\7z.exe x -pwvnNDOLkjyXZ925aJ32x822dEe C:\Windows\flag.zip -y > %windir%\Temp\NGNhFjsY.tmp 2>&1</Arguments>
</Exec>
</Actions>
</Task>
```
It contains a command line:
```
cmd.exe /C C:\Windows\7z.exe x -pwvnNDOLkjyXZ925aJ32x822dEe C:\Windows\flag.zip -y > %windir%\Temp\NGNhFjsY.tmp 2>&1
```
which reveals the archive password, wvnNDOLkjyXZ925aJ32x822dEe. The task itself is worth a second look: a hidden task with an eight-character random name, running as LocalSystem (S-1-5-18), that redirects its output to a .tmp file under %windir%\Temp is exactly the footprint that remote execution through the Task Scheduler leaves behind.
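An added triage helper, not from the writeup, for exported task XML like the file above: it decodes the UTF-16 export, skips the non-XML prefix that preceded the XML declaration, parses the task with its namespace, reports the principal, hidden flag and actions, and pulls the -p password out of a 7-Zip command line. The sample input is constructed from the task XML above, re-escaped as valid XML and encoded as BOM-less UTF-16LE.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: the task body from the writeup, re-escaped as valid XML and
# UTF-16LE encoded like the exported file, including the "\NGNhFjsY" fragment that
# preceded the XML declaration in the export.
SAMPLE_EXPORT = ("\\NGNhFjsY" + """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/C C:\\Windows\\7z.exe x -pwvnNDOLkjyXZ925aJ32x822dEe C:\\Windows\\flag.zip -y &gt; %windir%\\Temp\\NGNhFjsY.tmp 2&gt;&amp;1</Arguments>
    </Exec>
  </Actions>
</Task>
""").encode("utf-16-le")


def decode_task_file(raw: bytes) -> str:
    """Decode an exported task file (BOM-less UTF-16LE is common) and drop anything before '<?xml'."""
    if raw.startswith(b"\xff\xfe"):
        text = raw.decode("utf-16-le")
    elif raw.startswith(b"\xfe\xff"):
        text = raw.decode("utf-16-be")
    elif b"<?xml" in raw:
        text = raw.decode("utf-8", errors="replace")
    else:
        text = raw.decode("utf-16-le", errors="replace")
    start = text.find("<?xml")
    if start < 0:
        raise ValueError("no XML declaration found in export")
    return text[start:]


def parse_task(xml_text: str) -> dict:
    """Pull the fields that matter for triage out of a Task Scheduler XML document."""
    # The text is already decoded, so the encoding="UTF-16" declaration is dropped before parsing.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    actions = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append(f"{cmd} {args}".strip())
    return {
        "principal_sid": root.findtext("t:Principals/t:Principal/t:UserId", namespaces=TASK_NS),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", namespaces=TASK_NS),
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS) == "true",
        "actions": actions,
    }


def archive_password(command_line: str):
    """Return the password from a 7-Zip '-pPASSWORD' switch (no space after -p), else None."""
    m = re.search(r"(?:^|\s)-p(\S+)", command_line)
    return m.group(1) if m else None


def triage_export(raw: bytes) -> dict:
    info = parse_task(decode_task_file(raw))
    info["archive_password"] = next((p for p in map(archive_password, info["actions"]) if p), None)
    return info


if __name__ == "__main__":
    for key, value in triage_export(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

The -p extraction only handles the unquoted form 7-Zip was invoked with here; a password containing spaces would be quoted on the command line and needs shell-style tokenising instead.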
The other challenges are to be continued...