Analysis of a Windows password-leak intrusion attack in practice

Source: Internet
Author: User

When a Windows machine accesses port 139 (the NetBIOS session service, which carries SMB), it automatically authenticates with the name and password of the currently logged-on user, so whoever runs the server learns those credentials. The password is not sent in clear text but in encrypted (challenge-response) form; even so, the encrypted value can be used in attacks.

The SMB password authentication exchange is as follows.

This is how a Windows client accesses port 139. The arrows show the direction of the data:

1. Client <-------------------- establish a TCP connection ---------------> Server

2. Client ------- list of client types and supported service methods --------> Server

3. Client <--------- server authentication method, encryption key, etc. --------- Server

The authentication method is either user-level or share-level, with password encryption. The key (the challenge) is 8 bytes generated at random by the server; Windows 2000 also supports a 16-byte key.

4. Client ------------ user name, encrypted password -----------------> Server

This is the weakness in Windows 9x, Windows NT and Windows 2000: the client encrypts and sends the current user's name and password without prompting the user, so the password leaks. The encryption here is a variant of DES: lockedpass = chgdes(key, pass). The password (pass) is used as the DES key, and the server's key is the data that gets encrypted.

5. client <--------------- whether the authentication is successful --------------------- Server

The Windows client's weakness shows up at step 4. Clearly the server obtains the username and lockedpass = chgdes(key, pass), where the key can be chosen freely because it is the server that supplies it, and username and pass are the name and password of the user currently logged on at the client. The encryption is a one-way transformation, but because the server fixes the key it can be attacked offline by trying candidate passwords, and programs that do this already exist.

In fact we often do not need the plaintext password at all; it is enough to satisfy whatever a connection requires. So what is lockedpass good for? For services such as telnet and ftp, which need the password in clear text, the captured lockedpass is useless. We should therefore look for a service that transmits the ciphertext using the same encryption algorithm: for example the NetBIOS file-sharing service.

So far we have looked at what the server receives; now we take the client's position and go through the same steps. Clearly we do not need to supply pass; we only need to supply the username and lockedpass2 = chgdes(key2, pass), where key2 is supplied by the server we are now connecting to. And what we have is the username and lockedpass = chgdes(key, pass), where we could choose the key. If we had chosen key = key2, we would have exactly what is needed, right? So we have to arrange that key = key2.

Let's look at the connection process more closely. The other party (the victim) connects to us and performs steps 1 and 2:

1. Client <-------------------- establish a TCP connection ---------------> Server

2. Client ------- list of client types and supported service methods --------> Server

Now comes step 3:

3. Client <--------- server authentication method, encryption key, etc. --------- Server

At this point we have to supply the key, and here we cannot pick it arbitrarily: we have to supply key2, so we first need to obtain key2. Clearly that means connecting to the target's NetBIOS service ourselves, and key2 only becomes available after the first three steps of that second connection, written 11, 22 and 33 to distinguish them from the steps of the victim's connection to us. Steps 2 and 3 of the victim's connection need not follow each other immediately, so the victim's connection can be held open while we fetch key2. We can therefore either connect to the NetBIOS service of a chosen IP address first and wait for a user to access us (the held connection may time out before anyone does), or wait until any IP address connects to our NetBIOS service and then connect back to that same address, which is easy to handle and meets the need.

Next we set key = key2 and send it in step 3, then wait for step 4 to receive lockedpass (step 2 we can answer however we like). We then forward the username and lockedpass to the target in step 44; if they were wrong the target would return a password error, otherwise step 55 follows and the session is established.

The complete sequence is therefore 1, 2, 11, 22, 33, 3, 4, 44, 55, ... In effect, the target's NetBIOS service is accessed as the user of the machine that accessed us. What we can do from there depends on that user's permissions.

Anyone interested can modify the client program in the Samba package so that it performs the first few steps of the server side. Clearly the root cause is that Windows exposes the current username and encrypted password. The attack also requires someone to access our machine, which is easy to arrange by e-mail or a web page, for example with an image tag of the form

<IMG src="file://ip/filename"> ...

That works. I tried removing the port 139 Server service (if port 139 is still in use it interferes with the port redirection that follows), used a port-redirection program to direct the port back to port 139, found another Windows NT machine and used \\ip to access the machine with the redirected port 139. The result was that the Windows NT machine's own contents were displayed without any password prompt. In fact the redirection program had already accessed that Windows NT machine using its own current user, but nothing could be operated on because there was no client-side processing interface.
