ntlm验证机制学习札记-电脑资料

1、ntlm验证机制学习札记-电脑资料作者：awen发表于：2003-1-16一几个特殊现象的实验假设一个特殊的情况：客户端a,服务端b均为windowsnt或者2000系统a的为111.111.111.111b的为222.222.222.222客户端当前登录的账号为admin,密码为:awenpatching服务端存在一个同样的账号，即，账号为admin,密码为：awenpatching，并不要求服务端也用b账号登录。第一种情况：共享访问windows默认的共享时，会发生这样的情况：a访问b的c$，当敲入222.222.222.222c$,回车后发现不要输入密码，就可以访问到b的c$.第二种情况

2、：telnettelnet222.222.222.222提示信息如下：欢迎使用MicrosoftTelnetClientTelnetClient内部版本号5.00.99206.1Escape字符为CTRL+您将要发送密码信息到Internet区域中的远程计算机。这可能不安全。是否还要发送(y/n):输入y然后发现a已经telnet到b了第三种情况：mssqlserver一般来说大家都是通过使用sqlserver的身份验证来远程连接的。而这种情况下，当你选择windows身份验证呢，你会发现可以连接上去。打开你的查询分析器验证一下，的确可以。二原理分析上面似乎都绕过了身份验证的过程，实际上并不是

3、这样子的。先看看windowsntlm身份验证的机制。以共享为例，具体的方法是这样的：1、客户端<建立TCPH接->服务端2、客户端客户端类型、支持的服务方式列表等->服务端3、客户端<服务器支持协议、认证方式、加密用的key等服务端4、客户端用户名、加密后密码->服务端5、客户端<认证成功否-服务端简单解释一下上面的ntlm机制的验证过程：微软采用NTLM制：如在一个NT域中，客户机登录域服务器时,首先由服务器向客户端发送一段随机值，客户端用自己密码的散列函数对这个随机值进行混编并返还给服务器，服务器由本地的SAM数据库中读取该用户的密码散列函数对它发出的

4、随机值进行混编，最后把两个结果进行比较，如果相同，即认证通过。这是一个普遍的过程，实际上以上三个例子都同样实现了这样的一个过程，只不过由于身份验证机制中一个缺陷，导致出现了上面的三种特殊的情形。WIN9XWINNTWIN200游这有个缺陷，不经过提示等就把当前用户名，密码加密后发过去了。也就是在上面的第四步中发送的是客户端的加密后的用户名和密码。在我们上面的几个具体的例子中间，过程如下：a和b建立tcp连接，然后a把客户端类型、支持的服务方式列表等发送给b,b然后将服务器支持协议、认证方式、加密用的key等发送给a,a自动就把当前用户名，密码加密后发过去了。和b的SAhM据库中（经过一系列处理

5、后的值）的进行比较，两者一样。认证成功。三对sql连接的详细分析通过网络协议分析工具iris，设定为截获在两计算机间所有的分组。我们发现与服务器的连接全部是通过与1433端口的通信所实现的。实际操作中曾发现有137udp端口的分组，但是本人通过ipsec过滤137后，发现同样可以连接。注：137udp是用来提供netbios名字服务的。总共得到了81个分组，下面只列出与>服务端客户端客户端类型、支持的服务方式列表等No:6Timestamp:16:22:29:984MACsourceaddress:00:50:BF:2A:40:64MACdestaddress:00:09:7B:51:B

6、B:FCFrame.type:IPProtocol:TCP->1042SourceIPaddress:awenDestIPaddress:FLDserverSourceport:1042Destinationport:1433SEQ:3106511279ACK:2759799333Packetsize:241Packetdata:0000:00097B51BBFC0050BF2A406408004500.Q.P.*d.E.0010:00E307284000800639DCAC1101BCD341.(.9A0020:380204120599B92999AFA47F322550188)2%P

7、.0030:FACB472D0000100100BB00000100B300.G-0040:0000010000710000000000000007C804q0050:000000000000E083000020FEFFFF04080060:00005600000000000000000000005600.VV.0070:090068000B00000000007E0004008600.h0080:0000860000000050BF2A406486002D00.P.*d.-.0090:B3000000530051004c002000E567E28B.S.Q.L.g.00A0:06529067

8、68563200310031002E003600.R.ghV2.0.2.5.00B0:35002E00350036002E0032004F0044008.5.6.2.O.D.00C0:420043004E544C4D5353500001000000B.C.NTLMSSP.00D0:07B200A0090009002400000004000400$00E0:200000004157454E574F524B47524F55.AWENWORKGROU00F0:50P客户端<服务器支持协议、认证方式、加密用的key等-服务端=No:7Timestamp:16:22:29:984MACsource

9、address:00:09:7B:51:BB:FCMACdestaddress:00:50:BF:2A:40:64Frame.type:IPProtocol:TCP->1042SourceIPaddress:FLDserverDestIPaddress:awenSourceport:1433Destinationport:1042SEQ:2759799333ACK:3106511466Packetsize:223Packetdata:0000:0050BF2A406400097B51BBFC08004500.P.*d.QE.0010:00D1DE1A40007E0664FBD341380

10、2AC11.d.A8.0020:01BC05990412A47F3225B9299A6A50182%.).jP.0030:FA01C3DC0000040000A900000100ED9E0040:004E544C4D5353500002000000120012.NTLMSSP0050:0030000000058282A0F2D405C1C0BC45.0E0060:9500000000000000005C005C00420000.B.0070:0046004C004400530045005200560045.F.L.D.S.E.R.V.E0080:0052000200120046004C0044

11、00530045.RF.L.D.S.E0090:0052005600450052000100120046004C.R.V.E.RF.L00A0:00440053004500520056004500520004.D.S.E.R.V.E.R.00B0:00120066006C00640073006500720076.f.l.d.s.e.r.v00C0:00650072000300120066006C00640073.e.rf.l.d.s客户端用户名、加密后密码>服务端服务器的名称awen用户名为admin,后面是加密后的散列值=No:8Timestamp:16:22:29:994MACsou

12、rceaddress:00:50:BF:2A:40:64MACdestaddress:00:09:7B:51:BB:FCFrame.type:IPProtocol:TCP->1042SourceIPaddress:awenDestIPaddress:FLDserverSourceport:1042Destinationport:1433SEQ:3106511466ACK:2759799502Packetsize:200Packetdata:0000:00097B51BBFC0050BF2A406408004500.Q.P.*d.E.0010:00BA072A400080063A03AC1

13、101BCD341*:A0020:380204120599B9299A6AA47F32CE50188.).j.2.P.0030:FA22350C000011010092000001004E54."5NT0040：4C4D5353500003000000180018005A00LMSSPZ.0050:00001800180072000000080008004000.r.0060:00000A000A0048000000080008005200HR.0070:0000000000008A000000058280A04100A.0080:570045004E00610064006D0069

14、006E00W.E.N.a.d.m.i.n.0090:4100570045004E00A3581F51AF9B9723A.W.E.N.X.Q.#00A0:7402A03C3DEDA70231CAC84F1DF9B178t.=.1.O.x00B0:4EABA5C0D113D72982B84C06B0AD7D03N.).L.00C0:1B9EFF2B8B4F8A64.+.O.d=验证通过=No:9Timestamp:16:22:30:014MACsourceaddress:00:09:7B:51:BB:FCMACdestaddress:00:50:BF:2A:40:64Frame.type:IPP

15、rotocol:TCP->1042DestIPaddress:awenSourceport:1433Destinationport:1042SEQ:2759799502ACK:3106511612Packetsize:339Packetdata:0000:0050BF2A406400097B51BBFC08004500.P.*d.QE.0010:0145DE1B40007E066486D3413802AC11.E.d.A8.0020:01BC05990412A47F32CEB9299AFC50182.).P.0030:F96FC40D00000401011D00330200E31B.o3

16、0040:0001066D006100730074006500720006.m.a.s.t.e.r.0050:6D0061007300740065007200AB460045m.a.s.t.e.r.F.E0060:16000002001400F25D065C70656E6393.penc.0070:5E0A4E0B4E876539653A4E200027006DANNe9e:N，m0080:00610073007400650072002700023009.a.s.t.e.r.0.0090:46004C00440053004500520056004500F.L.D.S.E.R.V.E.00A0:

17、5200000000E3080007050408D0000000R00B0:E30B000204807B534F2D4E876500AB3ASO-N.e.:00C0:004716000001000E00F25D065CED8B00.G.00D0:8ABE8B6E7F39653A4E2000807B534F2D.n.9e:N.SO-00E0:4E876502300946004C00440053004500N.e.0.F.L.D.S.E.00F0:5200560045005200000000AD36000107R.V.E.R6.0100:010000164D006900630072006F0073

18、00.M.i.c.r,o,s.0110:6F00660074002000530051004c002000o.f.t.S.Q.L.0120:53006500720076006500720000000000S.e.r.v.e.r.0130:080000C2E313000404340030003900364.0.9.60140:00043400300039003600FD0000000000.4.0.9.6.0150:000000.四对TELNETS程的分析同样是通过IRIS进行分析，可以发现=客户端-客户端类型、支持的服务方式列表等>服务端No:9Timestamp:19:43:48:362

19、MACsourceaddress:00:50:BF:2A:40:64MACdestaddress:00:09:7B:51:BB:FCFrame.type:IPProtocol:TCP->TELNETSourceIPaddress:awenSourceport:2255Destinationport:23SEQ:1865769009ACK:1218937261Packetsize:103Packetdata:0000:00097B51BBFC0050BF2A406408004500.Q.P.*d.E.0010:0059B219400080068F74AC1101BCD341.Y.t.A00

20、20:380208CF00176F35603148A781AD50188.o5'1H.P.0030:FAD6DC150000FFFA25000F0000200000%0040:00020000004E544C4D53535000010000.NTLMSSP.0050:00978208E000000000000000000000000060:0000000000FFF0客户端-_客户端类型、支持的服务方式列表等>服务端=No:10Timestamp:19:43:48:462MACsourceaddress:00:09:7B:51:BB:FCMACdestaddress:00:50:

21、BF:2A:40:64Frame.type:IPProtocol:TCP->TELNETSourceIPaddress:fldserverDestIPaddress:awenSourceport:23Destinationport:2255SEQ:1218937261ACK:1865769058Packetsize:229Packetdata:0000:0050BF2A406400097B51BBFC08004500.P.*d.QE.0010:00D7F78440007E064B8BD3413802AC11.K.A8.0020:01BC001708CF48A781AD6F35606250

22、18H.o5'bP.0030:FAA41EB50000FFFA25020F00019E0000%0040:00020000004E544C4D53535000020000NTLMSSP0050:00120012003000000015828AE0ED8337070070:004200000046004C0044005300450052.B.F.L.D.S.E.R0080:005600450052000200120046004C0044.V.E.RF.L.D0090:00530045005200560045005200010012.S.E.R.V.E.R00A0:0046004C0044

23、00530045005200560045.F.L.D.S.E.R.V.E00B0:0052000400120066006C006400730065.Rf.l.d.s.e00C0:0072007600650072000300120066006C.r.v.e.rf.l00D0:00640073006500720076006500720000.d.s.e.r.v.e.r.00E0:000000FFF0客户端用户名、加密后密码>服务端服务器的名称awen用户名为admin,后面是加密后的散列值No:11Timestamp:19:43:48:472MACsourceaddress:00:50:BF

24、:2A:40:64MACdestaddress:00:09:7B:51:BB:FCFrame.type:IPProtocol:TCP->TELNETSourceIPaddress:awenDestIPaddress:fldserverSourceport:2255Destinationport:23SEQ:1865769058ACK:1218937436Packetsize:225Packetdata:0000:00097B51BBFC0050BF2A406408004500.Q.P.*d.E.0010:00D3B21A400080068EF9AC1101BCD341.A0020:380

25、208CF00176F35606248A7825C50188.o5'bH.P.0030:FA276F630000FFFA25000F00029A0000.oc.%.0040:00020000004E544C4D53535000030000.NTLMSSP.0050:00180018005A00000018001800720000.Z.r.0060:0008000800400000000A000A00480000.H.0070:000800080052000000100010008A0000.R0080:00158288E04100570045004E00610064.A.W.E.N.a

26、.d0090:006D0069006E004100570045004E0068.m.i.n.A.W.E.N.h00A0:B654083F5F5DA5000000000000000000.T.?_00B0:0000000000000029B6965EFB78C11A96.).A.x.00C0:EC11A7D4D51ACC72D21A98613C8EDA51.r.a.Q00D0:0828F81CF9778F4A4132943B9E9742FF.(.w.JA2.;.B.00E0:F0.验证通过No:16Timestamp:19:43:48:853MACsourceaddress:00:09:7B:5

27、1:BB:FCMACdestaddress:00:50:BF:2A:40:64Frame.type:IPProtocol:TCP->TELNETSourceIPaddress:fldserverDestIPaddress:awenSourceport:23Destinationport:2255SEQ:1218937454ACK:1865769242Packetsize:609Packetdata:0000:0050BF2A406400097B51BBFC08004500.P.*d.QE.0010:0253F78740007E064A0CD3413802AC11.S.J.A8.0020:

28、01BC001708CF48A7826E6F35611A5018H.no5a.P.0030:F9EC0AF500001B5B313B31482A3D3D3D1;1H*=0040:3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D=0050:3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D=0060:3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D=0070:3D3D3D3D3D3D3D3D3D3D3D3D20202020=0080:2020202020202020202020201B5B323B.2;0090:3148BBB6D3ADCAB9D3C

29、3204D6963726F1HMicro00A0:736F66742054656C6E657420B7FECEF1softTelnet00B0:C6F7A1A320202020202020202020202000C0:2020202020202020202020202020202000D0:2020202020202020202020202020202000E0:20201B5B333B31482A3D3D3D3D3D3D3D.3;1H*=00F0:3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D=0100:3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D=011