Copyright notice: this article may be freely reposted; when reposting, please cite the original source and author with a hyperlink and include this notice.
https://windtear.net/archives/2004/05/12/000274.html
First, a demonstration of the Windows telnet service:
D:\>tlntadmn
Microsoft (R) Windows 2000 (TM) (内部版本号 2195) Telnet Server Admin (Build 5.00.99201.1)

请在下列选项中选择一个:
0) 退出这个应用程序
1) 列出当前用户
2) 结束一个用户的会话 ...
3) 显示 / 更改注册表设置 ...
4) 开始服务
5) 停止服务

请键入一个选项的号码 [0 - 5] 以选择该选项: 3

请在下列选项中选择一个:
0) 退出这个菜单
1) AllowTrustedDomain
2) AltKeyMapping
3) DefaultDomain
4) DefaultShell
5) LoginScript
6) MaxFailedLogins
7) NTLM
8) TelnetPort

请键入一个选项的号码 [0 - 8] 以选择该选项: 7
NTLM 的当前值 = 0
您确实想更改这个值吗 ? [y/n]y
NTLM [ 当前值 = 0; 可接受的值 0、1 或 2 ] :2
您确实想将 NTLM 设置为 : 2 ? [y/n]y
只有当 Telnet 服务重新开始后设置才会生效

请在下列选项中选择一个:
0) 退出这个菜单
1) AllowTrustedDomain
2) AltKeyMapping
3) DefaultDomain
4) DefaultShell
5) LoginScript
6) MaxFailedLogins
7) NTLM
8) TelnetPort

请键入一个选项的号码 [0 - 8] 以选择该选项: 0

请在下列选项中选择一个:
0) 退出这个应用程序
1) 列出当前用户
2) 结束一个用户的会话 ...
3) 显示 / 更改注册表设置 ...
4) 开始服务
5) 停止服务

请键入一个选项的号码 [0 - 5] 以选择该选项: 0

D:\>net start tlntsvr
Telnet 服务正在启动 .
Telnet 服务已经启动成功。

D:\>
Note the NTLM setting:

NTLM [ 当前值 = 0; 可接受的值 0、1 或 2 ] :2

We first set it to 2. The meaning of the values: 2 allows NTLM authentication only; 0 allows username/password authentication only; 1 allows both NTLM and username/password authentication.
D:\>telnet 127.0.0.1
Microsoft (R) Windows 2000 (TM) 版本 5.00 (内部版本号 2195)
欢迎使用 Microsoft Telnet Client
Telnet Client 内部版本号 5.00.99206.1
Escape 字符为 'CTRL+]'

您将要发送密码信息到 Internet 区域中的远程计算机。这可能不安全。是否还要发送(y/n ):y

*===============================================================
欢迎使用 Microsoft Telnet 服务器。
*===============================================================
C:\>exit

遗失对主机的连接。
D:\>
If you answer n instead:

Server allows NTLM authentication only
Server has closed connection

遗失对主机的连接。
D:\>
If NTLM is set to 1 and you answer n at that prompt, the server asks for a username and password instead:

Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99206.1
login:
(Related registry entries)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0]
"NTLM"=dword:00000000
"TelnetPort"=dword:00000017
If you do not want to change the setting through tlntadmn, you can edit the registry directly:
1. by importing a .reg file, or
2. with the command-line tool reg.exe:

reg.exe 18,944 02-12-21 21:57
Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD | RESTORE | COMPARE | EXPORT | IMPORT ]
Return Code: (Except of REG COMPARE)
0 - Succussful
1 - Failed
For help on a specific operation type:
REG Operation /?
Examples:
REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?
3. A simple C program that changes the setting, from nsfocus (http://www.nsfocus.net/index.php?act=sec_self&do=view&doc_id=392):

- ------------------------ TNTLM.cpp ------------------------
/*
 * (C) Copyright Nsfocus. 2000
 * All Rights Reserved
 *
 * TNTLM.cpp: Modify authentication method of Microsoft Windows
 * 2000 Telnet Server.
 *
 * Usage: TNTLM [option]
 * option: 0 - No NTLM authentication (default)
 *         1 - Try NTLM authentication first.
 *             If failed, then try username/password.
 *         2 - Require NTLM authentication.
 *
 * Written by: backend, <backend@nsfocus.com>
 *             <http://www.nsfocus.com>
 * Date: 2000/08/31
 *
 * WARNING: THIS PROGRAM IS JUST FOR EDUCATIONAL PURPOSE!!!
 * YOU ARE USING THIS SOFTWARE ON YOUR OWN RISK. THIS IS A
 * PROOF-OF-CONCEPT PROGRAM AND YOU TAKE FULL RESPONSIBILITY
 * FOR WHAT YOU DO WITH IT! DO NOT ABUSE THIS FOR ILLICIT
 * PURPOSES!
 *
 * Greetings to: Netguy
 */

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
    HKEY  hKey;
    LONG  rc;
    /* Key path as in the registry export above; the original nsfocus source
     * had "SOFTWARE\\Microsoft\\Windows\\TelnetServer\\1.0", which does not
     * match the key the Windows 2000 Telnet Server actually reads. */
    char  SubKeyName[] = "SOFTWARE\\Microsoft\\TelnetServer\\1.0";
    char  ValueName[]  = "NTLM";
    DWORD NewValue     = 0;

    if ( argc > 1 )
        NewValue = (DWORD) atol( argv[1] );
    /* The service only accepts 0, 1 or 2 (see the tlntadmn menu above). */
    if ( NewValue > 2 ) {
        fprintf( stderr, "Usage: TNTLM [0|1|2]\n" );
        return -1;
    }

    /* KEY_SET_VALUE is all that writing the value requires. */
    rc = RegOpenKeyEx( HKEY_LOCAL_MACHINE, SubKeyName, 0, KEY_SET_VALUE, &hKey );
    if ( rc != ERROR_SUCCESS ) {
        /* Registry calls return a Win32 error code; perror() would only report errno. */
        fprintf( stderr, "RegOpenKeyEx failed: error %ld\n", rc );
        return -1;
    }

    rc = RegSetValueEx( hKey, ValueName, 0, REG_DWORD,
                        ( CONST BYTE * ) &NewValue, sizeof( DWORD ) );
    if ( rc != ERROR_SUCCESS ) {
        fprintf( stderr, "RegSetValueEx failed: error %ld\n", rc );
        RegCloseKey( hKey );
        return -1;
    }

    RegCloseKey( hKey );
    return 0;
}
- ------------------------ TNTLM.cpp ------------------------
As you can see, with NTLM you get into the system without typing a password. The same happens when accessing Network Neighborhood shares and when connecting to MS SQL Server; in many situations this makes authentication very convenient.
The NTLM Authentication Protocol http://davenport.sourceforge.net/ntlm.html
What is NTLM? NTLM is an authentication protocol used in various Microsoft network protocol implementations and supported by the NTLM Security Support Provider ("NTLMSSP"). Originally used for authentication and negotiation of secure DCE/RPC, NTLM is also used throughout Microsoft's systems as an integrated single sign-on mechanism.
NTLM employs a challenge-response mechanism for authentication, in which clients are able to prove their identities without sending a password to the server. It consists of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication). It basically works like this:
1. The client sends a Type 1 message to the server. This primarily contains a list of features supported by the client and requested of the server.
2. The server responds with a Type 2 message. This contains a list of features supported and agreed upon by the server. Most importantly, however, it contains a challenge generated by the server.
3. The client replies to the challenge with a Type 3 message. This contains several pieces of information about the client, including the domain and username of the client user. It also contains one or more responses to the Type 2 challenge. The responses in the Type 3 message are the most critical piece, as they prove to the server that the client user has knowledge of the account password.
So how does NTLM verify the user? Taking a file share as an example, the concrete procedure is as follows:

1. Client <-------------------- establish TCP connection -----------------> Server
2. Client ------- client type, list of supported service modes, etc. -----------> Server
3. Client <------ protocols the server supports, authentication method, encryption key, etc. ----- Server
4. Client -------------- username, encrypted password -----------------> Server
5. Client <--------------- authentication succeeded or not ----------------------- Server

Microsoft uses the NTLM mechanism: in an NT domain, for example, when a client logs on to the domain server, the server first sends the client a random value; the client hashes that random value with its own password hash and returns the result to the server; the server reads the user's password hash from its local SAM database and hashes the random value it sent with that hash; finally the two results are compared, and if they match, authentication succeeds.
Analysis of the telnet exchange captured with IRIS (excerpted from awen's "Notes on studying the NTLM authentication mechanism", 2003-1-16, <http://www.patching.net/org/content/25.htm>):

=====================================================================
Client ------- client type, list of supported service modes, etc. -----------> Server
=====================================================================
No: 9
Timestamp: 19:43:48:362
MAC source address: 00:50:BF:2A:40:64
MAC dest address: 00:09:7B:51:BB:FC
Frame type: IP
Protocol: TCP-> TELNET
Source IP address: awen
Dest IP address: fldserver
Source port: 2255
Destination port: 23
SEQ: 1865769009
ACK: 1218937261
Packet size: 103
Packet data:
0000: 00 09 7B 51 BB FC 00 50 BF 2A 40 64 08 00 45 00 ..{Q...P.*@d..E.
0010: 00 59 B2 19 40 00 80 06 8F 74 AC 11 01 BC D3 41 .Y..@....t.....A
0020: 38 02 08 CF 00 17 6F 35 60 31 48 A7 81 AD 50 18 8.....o5`1H...P.
0030: FA D6 DC 15 00 00 FF FA 25 00 0F 00 00 20 00 00 ........%.... ..
0040: 00 02 00 00 00 4E 54 4C 4D 53 53 50 00 01 00 00 .....NTLMSSP....
0050: 00 97 82 08 E0 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 FF F0                            .......

=====================================================================
Client ------- client type, list of supported service modes, etc. -----------> Server
=====================================================================
No: 10
Timestamp: 19:43:48:462
MAC source address: 00:09:7B:51:BB:FC
MAC dest address: 00:50:BF:2A:40:64
Frame type: IP
Protocol: TCP-> TELNET
Source IP address: fldserver
Dest IP address: awen
Source port: 23
Destination port: 2255
SEQ: 1218937261
ACK: 1865769058
Packet size: 229
Packet data:
0000: 00 50 BF 2A 40 64 00 09 7B 51 BB FC 08 00 45 00 .P.*@d..{Q....E.
0010: 00 D7 F7 84 40 00 7E 06 4B 8B D3 41 38 02 AC 11 ....@...K..A8...
0020: 01 BC 00 17 08 CF 48 A7 81 AD 6F 35 60 62 50 18 ......H...o5`bP.
0030: FA A4 1E B5 00 00 FF FA 25 02 0F 00 01 9E 00 00 ........%.......
0040: 00 02 00 00 00 4E 54 4C 4D 53 53 50 00 02 00 00 .....NTLMSSP....
0050: 00 12 00 12 00 30 00 00 00 15 82 8A E0 ED 83 37 .....0.........7
0060: 4B DD 44 1F 96 00 00 00 00 00 00 00 00 5C 00 5C K.D..........\.\
0070: 00 42 00 00 00 46 00 4C 00 44 00 53 00 45 00 52 .B...F.L.D.S.E.R
0080: 00 56 00 45 00 52 00 02 00 12 00 46 00 4C 00 44 .V.E.R.....F.L.D
0090: 00 53 00 45 00 52 00 56 00 45 00 52 00 01 00 12 .S.E.R.V.E.R....
00A0: 00 46 00 4C 00 44 00 53 00 45 00 52 00 56 00 45 .F.L.D.S.E.R.V.E
00B0: 00 52 00 04 00 12 00 66 00 6C 00 64 00 73 00 65 .R.....f.l.d.s.e
00C0: 00 72 00 76 00 65 00 72 00 03 00 12 00 66 00 6C .r.v.e.r.....f.l
00D0: 00 64 00 73 00 65 00 72 00 76 00 65 00 72 00 00 .d.s.e.r.v.e.r..
00E0: 00 00 00 FF F0                                  .....

=====================================================================
Client -------------- username, encrypted password -----------------> Server
The server name is awen, the username is admin, followed by the encrypted hash values
=====================================================================
No: 11
Timestamp: 19:43:48:472
MAC source address: 00:50:BF:2A:40:64
MAC dest address: 00:09:7B:51:BB:FC
Frame type: IP
Protocol: TCP-> TELNET
Source IP address: awen
Dest IP address: fldserver
Source port: 2255
Destination port: 23
SEQ: 1865769058
ACK: 1218937436
Packet size: 225
Packet data:
0000: 00 09 7B 51 BB FC 00 50 BF 2A 40 64 08 00 45 00 ..{Q...P.*@d..E.
0010: 00 D3 B2 1A 40 00 80 06 8E F9 AC 11 01 BC D3 41 ....@..........A
0020: 38 02 08 CF 00 17 6F 35 60 62 48 A7 82 5C 50 18 8.....o5`bH..\P.
0030: FA 27 6F 63 00 00 FF FA 25 00 0F 00 02 9A 00 00 .'oc....%.......
0040: 00 02 00 00 00 4E 54 4C 4D 53 53 50 00 03 00 00 .....NTLMSSP....
0050: 00 18 00 18 00 5A 00 00 00 18 00 18 00 72 00 00 .....Z.......r..
0060: 00 08 00 08 00 40 00 00 00 0A 00 0A 00 48 00 00 .....@.......H..
0070: 00 08 00 08 00 52 00 00 00 10 00 10 00 8A 00 00 .....R..........
0080: 00 15 82 88 E0 41 00 57 00 45 00 4E 00 61 00 64 .....A.W.E.N.a.d
0090: 00 6D 00 69 00 6E 00 41 00 57 00 45 00 4E 00 68 .m.i.n.A.W.E.N.h
00A0: B6 54 08 3F 5F 5D A5 00 00 00 00 00 00 00 00 00 .T.?_]..........
00B0: 00 00 00 00 00 00 00 29 B6 96 5E FB 78 C1 1A 96 .......)..^.x...
00C0: EC 11 A7 D4 D5 1A CC 72 D2 1A 98 61 3C 8E DA 51 .......r...a...Q
00D0: 08 28 F8 1C F9 77 8F 4A 41 32 94 3B 9E 97 42 FF .(...w.JA2.;..B.
00E0: F0                                              .

=====================================================================
Authentication passed
=====================================================================
No: 16
Timestamp: 19:43:48:853
MAC source address: 00:09:7B:51:BB:FC
MAC dest address: 00:50:BF:2A:40:64
Frame type: IP
Protocol: TCP-> TELNET
Source IP address: fldserver
Dest IP address: awen
Source port: 23
Destination port: 2255
SEQ: 1218937454
ACK: 1865769242
Packet size: 609
Packet data:
0000: 00 50 BF 2A 40 64 00 09 7B 51 BB FC 08 00 45 00 .P.*@d..{Q....E.
0010: 02 53 F7 87 40 00 7E 06 4A 0C D3 41 38 02 AC 11 .S..@...J..A8...
0020: 01 BC 00 17 08 CF 48 A7 82 6E 6F 35 61 1A 50 18 ......H..no5a.P.
0030: F9 EC 0A F5 00 00 1B 5B 31 3B 31 48 2A 3D 3D 3D .......[1;1H*===
0040: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0050: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0060: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0070: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 20 20 20 20 ============
0080: 20 20 20 20 20 20 20 20 20 20 20 20 1B 5B 32 3B             .[2;
0090: 31 48 BB B6 D3 AD CA B9 D3 C3 20 4D 69 63 72 6F 1H........ Micro
00A0: 73 6F 66 74 20 54 65 6C 6E 65 74 20 B7 FE CE F1 soft Telnet ....
00B0: C6 F7 A1 A3 20 20 20 20 20 20 20 20 20 20 20 20 ....
00C0: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00D0: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00E0: 20 20 1B 5B 33 3B 31 48 2A 3D 3D 3D 3D 3D 3D 3D   .[3;1H*=======
00F0: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0100: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0110: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0120: 3D 3D 3D 3D 3D 3D 3D 3D 20 20 20 20 20 20 20 20 ========
0130: 20 20 20 20 20 20 20 20 1B 5B 34 3B 31 48 43 3A         .[4;1HC:
0140: 5C 3E 20 20 20 20 20 20 20 20 20 20 20 20 20 20 \.
0150: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0160: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0170: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0180: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 1B 5B               .[
0190: 35 3B 31 48 1B 5B 4B 1B 5B 36 3B 31 48 1B 5B 4B 5;1H.[K.[6;1H.[K
01A0: 1B 5B 37 3B 31 48 1B 5B 4B 1B 5B 38 3B 31 48 1B .[7;1H.[K.[8;1H.
01B0: 5B 4B 1B 5B 39 3B 31 48 1B 5B 4B 1B 5B 31 30 3B [K.[9;1H.[K.[10;
01C0: 31 48 1B 5B 4B 1B 5B 31 31 3B 31 48 1B 5B 4B 1B 1H.[K.[11;1H.[K.
01D0: 5B 31 32 3B 31 48 1B 5B 4B 1B 5B 31 33 3B 31 48 [12;1H.[K.[13;1H
01E0: 1B 5B 4B 1B 5B 31 34 3B 31 48 1B 5B 4B 1B 5B 31 .[K.[14;1H.[K.[1
01F0: 35 3B 31 48 1B 5B 4B 1B 5B 31 36 3B 31 48 1B 5B 5;1H.[K.[16;1H.[
0200: 4B 1B 5B 31 37 3B 31 48 1B 5B 4B 1B 5B 31 38 3B K.[17;1H.[K.[18;
0210: 31 48 1B 5B 4B 1B 5B 31 39 3B 31 48 1B 5B 4B 1B 1H.[K.[19;1H.[K.
0220: 5B 32 30 3B 31 48 1B 5B 4B 1B 5B 32 31 3B 31 48 [20;1H.[K.[21;1H
0230: 1B 5B 4B 1B 5B 32 32 3B 31 48 1B 5B 4B 1B 5B 32 .[K.[22;1H.[K.[2
0240: 33 3B 31 48 1B 5B 4B 1B 5B 32 34 3B 31 48 1B 5B 3;1H.[K.[24;1H.[
0250: 4B 1B 5B 32 35 3B 31 48 1B 5B 4B 1B 5B 34 3B 35 K.[25;1H.[K.[4;5
0260: 48                                              H
=====================================================================
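To make the structure of the three messages in the trace concrete, here is an added Python parser (not part of the original post or of awen's notes) that decodes the NTLMSSP payloads of packets 9, 10 and 11 above. The hex constants are copied from the dump with the telnet IAC SB AUTHENTICATION wrapper removed; the flag names follow the Davenport documentation, and the Type 3 handling assumes the NTLM2 session response layout that those flags indicate.

```python
import struct
# Subset of the NTLM negotiate flags, named as in the Davenport documentation.
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x200: "NTLM", 0x8000:
         "ALWAYS_SIGN", 0x80000: "NTLM2_KEY", 0x20000000: "128", 0x40000000: "KEY_EXCHANGE"}
u16 = lambda s: s.encode("utf-16-le").hex()  # UTF-16LE hex, as the strings appear in the dump
# NTLMSSP payloads of packets 9, 10 and 11 above, telnet IAC SB wrapper stripped.
TYPE1 = bytes.fromhex("4e544c4d53535000" "01000000" "978208e0" + "00" * 16)
TYPE2 = bytes.fromhex(
    "4e544c4d53535000" "02000000" "1200120030000000" "15828ae0"
    "ed83374bdd441f96" "0000000000000000" "5c005c0042000000" + u16("FLDSERVER")
    + "02001200" + u16("FLDSERVER") + "01001200" + u16("FLDSERVER")
    + "04001200" + u16("fldserver") + "03001200" + u16("fldserver") + "00000000")
TYPE3 = bytes.fromhex(
    "4e544c4d53535000" "03000000" "180018005a000000" "1800180072000000"
    "0800080040000000" "0a000a0048000000" "0800080052000000" "100010008a000000"
    "158288e0" + u16("AWEN") + u16("admin") + u16("AWEN")
    + "68b654083f5f5da5" + "00" * 16
    + "29b6965efb78c11a96ec11a7d4d51acc72d21a98613c8eda"
    + "510828f81cf9778f4a4132943b9e9742")

def field(msg, off):  # security buffer (len, maxlen, offset) stored at msg[off:off+8]
    length, _, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]

def flag_names(flags):
    return sorted(name for bit, name in FLAGS.items() if flags & bit)

def parse(msg):
    """Describe one NTLMSSP message (Type 1, 2 or 3) as a dict."""
    if msg[:8] != b"NTLMSSP\0":
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:
        return {"type": 1, "flags": flag_names(struct.unpack_from("<I", msg, 12)[0])}
    if mtype == 2:
        flags, challenge = struct.unpack_from("<I8s", msg, 20)
        blob, pos, info = field(msg, 40), 0, {}
        while pos + 4 <= len(blob):  # AV_PAIR list in the target info, ended by id 0
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            if av_id == 0: break
            info[av_id] = blob[pos + 4:pos + 4 + av_len].decode("utf-16-le")
            pos += 4 + av_len
        return {"type": 2, "target": field(msg, 12).decode("utf-16-le"), "flags":
                flag_names(flags), "challenge": challenge.hex(), "target_info": info}
    if mtype == 3:
        lm, nt = field(msg, 12), field(msg, 20)
        domain, user, host = (field(msg, o).decode("utf-16-le") for o in (28, 36, 44))
        flags = flag_names(struct.unpack_from("<I", msg, 60)[0])
        # NTLM2 session response: the LM field is an 8-byte client nonce + 16 zero bytes
        nonce = lm[:8].hex() if "NTLM2_KEY" in flags and lm[8:] == bytes(16) else None
        return {"type": 3, "domain": domain, "user": user, "workstation": host, "flags":
                flags, "lm_response": lm.hex(), "nt_response": nt.hex(), "client_nonce": nonce}
    raise ValueError("unsupported message type %d" % mtype)
```

parse(TYPE2) yields the 8-byte server challenge and the FLDSERVER target name, and parse(TYPE3) the AWEN\admin identity with the responses computed from that challenge; the LM field holding only a client nonce plus zeros shows the client used the NTLM2 session response, so neither the password nor its hash appears on the wire, which is what lets the session open without a password prompt.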