Opening the capture, we can see that it contains a large amount of encrypted SMB traffic, and that NTLMv2 is used for authentication.
Filter the packets on ntlmssp.
After authentication, the SMB session carries a large amount of data.
Extract the data from tom's packets.
This gives the following values:
username:tom
domain: .
NTProofStr: ca32f9b5b48c04ccfa96f35213d63d75
NTLMresponse: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
Concatenate them into a single hash for cracking:
tom::.:c1dec53240124487:ca32f9b5b48c04ccfa96f35213d63d75: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
Run it through hashcat.
The password is babygirl233.
Use the script below to obtain the session key used for decryption.
Once we have the decryption session key and the session ID, the SMB traffic can be decrypted. Open the capture and go to
Edit -> Preferences -> Protocols -> NTLMSSP
and enter the key:
babygirl233
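As an added example (not the writeup's own session-key script, which is not reproduced here), this implements the NTLMv2 computation from MS-NLMP that both the hashcat line and the decryption key rest on: it rebuilds the NetNTLMv2 line from the captured fields, checks a candidate password against the NTProofStr without re-running hashcat, and derives the session base key. The user, domain, password and server challenge are the page's; the blob is constructed because the real one is not reproduced here, and MD4 is implemented inline because OpenSSL 3 no longer exposes it to hashlib by default.

```python
import hmac
import struct

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320); hashlib.new("md4") fails under OpenSSL 3's default providers
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:    # round 1: F, message words in order
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, words taken column-wise
                f, k, s, t = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H, words in bit-reversed order
                f, k, s, t = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, d, c, b = d, c, b, rol((a + f + x[k] + t) & 0xFFFFFFFF, s)
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))  # NTOWFv1: MD4 over the UTF-16LE password

def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    # NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, both UTF-16LE
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, "md5").digest()

def session_base_key(password: str, user: str, domain: str, proof: bytes) -> bytes:
    # With NTLMSSP_NEGOTIATE_KEY_EXCH the exported session key is additionally RC4-wrapped under this key
    return hmac.new(ntlmv2_hash(password, user, domain), proof, "md5").digest()

def hashcat_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    # Same layout as the line the writeup feeds to hashcat: user::domain:challenge:NTProofStr:blob
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"

def password_matches(candidate: str, user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> bool:
    # Recompute NTProofStr for the candidate and compare it in constant time with the captured one
    return hmac.compare_digest(nt_proof_str(candidate, user, domain, server_challenge, blob), proof)

# Constructed sample: the writeup's user, domain, password and server challenge; the blob is made up
USER, DOMAIN, PASSWORD = "tom", ".", "babygirl233"
CHALLENGE = bytes.fromhex("c1dec53240124487")
BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 24  # constructed, not the capture's blob
PROOF = nt_proof_str(PASSWORD, USER, DOMAIN, CHALLENGE, BLOB)
```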
Then export the SMB objects.
We find a pfx, a der and flag.7z.
Export the archive.
flag.7z is password-protected and cannot be opened directly. The other two files are certificates; judging by their names, they are the certificate used to encrypt the Remote Desktop traffic, and the capture does contain a large amount of RDP traffic.
Add the following filter in Wireshark:
rdp.fastpath.scancode.keycode
In Wireshark, click File -> Export Packet Dissections -> As JSON; the exported content is as follows.
The scancode values are hexadecimal; the script below maps them to keyboard keys.
# Maps PC/AT set-1 scan codes (the values carried in RDP fast-path keyboard events) to key names
scancode_map = {
    0x01: 'Esc',
    0x02: '1',
    0x03: '2',
    0x04: '3',
    0x05: '4',
    0x06: '5',
    0x07: '6',
    0x08: '7',
    0x09: '8',
    0x0A: '9',
    0x0B: '0',
    0x0C: '-',
    0x0D: '=',
    0x0E: '\b',
    0x0F: '\t',  # Tab (the original mapped this code to a space)
    0x10: 'Q',
    0x11: 'W',
    0x12: 'E',
    0x13: 'R',
    0x14: 'T',
    0x15: 'Y',
    0x16: 'U',
    0x17: 'I',
    0x18: 'O',
    0x19: 'P',
    0x1A: '[',
    0x1B: ']',
    0x1C: '\n',
    0x1D: 'Ctrl',
    0x1E: 'A',
    0x1F: 'S',
    0x20: 'D',
    0x21: 'F',
    0x22: 'G',
    0x23: 'H',
    0x24: 'J',
    0x25: 'K',
    0x26: 'L',
    0x27: ';',
    0x28: '\'',
    0x29: '`',
    0x2A: ' Shift ',
    0x2B: '\\',
    0x2C: 'Z',
    0x2D: 'X',
    0x2E: 'C',
    0x2F: 'V',
    0x30: 'B',
    0x31: 'N',
    0x32: 'M',
    0x33: ',',
    0x34: '.',
    0x35: '/',
    0x36: ' Shift ',
    0x37: '*',
    0x38: ' Left Alt ',
    0x39: ' ',
    0x3A: ' Caps Lock ',
    0x3B: ' F1 ',
    0x3C: ' F2 ',
    0x3D: ' F3 ',
    0x3E: ' F4 ',
    0x3F: ' F5 ',
    0x40: ' F6 ',
    0x41: ' F7 ',
    0x42: ' F8 ',
    0x43: ' F9 ',
    0x44: ' F10 ',
    0x45: ' Num Lock ',
    0x46: ' Scroll Lock ',
    0x47: ' Home ',
    0x48: ' Up Arrow ',
    0x49: ' Page Up',
    0x4A: ' Keypad -',
    0x4B: ' Left Arrow',
    0x4C: ' Keypad 5',
    0x4D: ' Right Arrow',
    0x4E: ' Keypad +',
    0x4F: ' End',
    0x50: ' Down Arrow',
    0x51: ' Page Down',
    0x52: ' Insert',
    0x53: ' Delete',
    0x57: ' F11',
    0x58: ' F12'
}

def convert_hex_string(hex_string):
    # Strip the prefix and upper-case the digits; returns None if the string does not start with '0x'
    if hex_string.startswith('0x'):
        hex_value = hex_string[2:].upper()
        return f'0x{hex_value}'
    return None

# out.txt holds one rdp.fastpath.scancode.keycode value per line (e.g. 0x10), taken from the JSON export
with open("out.txt", "r", encoding="utf-8") as file:
    lines = file.readlines()
con = []
for line in lines:
    con.append(line.strip('\n'))
print(con)
print("\n")
for i in range(len(con)):
    # A key press produces a key-down and a key-up event with the same code, so collapse consecutive duplicates
    if i > 0 and con[i] == con[i - 1]:
        continue
    try:
        print(scancode_map[int(con[i], 16)], end="")
    except (KeyError, ValueError):
        # Unmapped scan code, or a line that is not a hex number: skip it
        pass
This yields the password: 9347013182
Concatenating babygirl233, cracked earlier with hashcat, with 9347013182 extracts the archive successfully, giving