windtear 追求完美: NTLM 验证机制 - smb telnet . service @ windows

« tsweb msrdp terminal port support patch - 支持端口的补丁 | Main | 新的免费地址域20040511生效 »

May 12, 2004

NTLM 验证机制 - smb telnet . service @ windows

版权声明：可以任意转载，转载时请务必以超链接形式标明文章原始出处和作者信息及本声明。
https://windtear.net/archives/2004/05/12/000274.html

首先演示一下 windows 的 telnet 服务

D:\>tlntadmn

Microsoft (R) Windows 2000 (TM) (内部版本号 2195)
Telnet Server Admin (Build 5.00.99201.1)

请在下列选项中选择一个:

0) 退出这个应用程序
1) 列出当前用户
2) 结束一个用户的会话 ...
3) 显示 / 更改注册表设置 ...
4) 开始服务
5) 停止服务

请键入一个选项的号码 [0 - 5] 以选择该选项: 3

请在下列选项中选择一个:

0) 退出这个菜单
1) AllowTrustedDomain
2) AltKeyMapping
3) DefaultDomain
4) DefaultShell
5) LoginScript
6) MaxFailedLogins
7) NTLM
8) TelnetPort
请键入一个选项的号码 [0 - 8] 以选择该选项: 7
NTLM 的当前值 = 0
您确实想更改这个值吗 ? [y/n]y
NTLM [ 当前值  = 0; 可接受的值 0、1 或 2 ] :2
您确实想将 NTLM 设置为 : 2 ? [y/n]y

只有当 Telnet 服务重新开始后设置才会生效

请在下列选项中选择一个:

0) 退出这个菜单
1) AllowTrustedDomain
2) AltKeyMapping
3) DefaultDomain
4) DefaultShell
5) LoginScript
6) MaxFailedLogins
7) NTLM
8) TelnetPort
请键入一个选项的号码 [0 - 8] 以选择该选项: 0

请在下列选项中选择一个:

0) 退出这个应用程序
1) 列出当前用户
2) 结束一个用户的会话 ...
3) 显示 / 更改注册表设置 ...
4) 开始服务
5) 停止服务

请键入一个选项的号码 [0 - 5] 以选择该选项: 0

D:\>net start tlntsvr
Telnet 服务正在启动 .
Telnet 服务已经启动成功。

D:\>

注意 NTLM 设置地方

NTLM [ 当前值  = 0; 可接受的值 0、1 或 2 ] :2
首先我们设置成 2
        2 是只允许 NTLM 验证
        0 是只允许 user/password 验证
        1 是 NTLM 和 U/P 验证都允许

D:\>telnet 127.0.0.1
Microsoft (R) Windows 2000 (TM) 版本 5.00 (内部版本号 2195)
欢迎使用 Microsoft Telnet Client
Telnet Client 内部版本号 5.00.99206.1

Escape 字符为 'CTRL+]'

您将要发送密码信息到 Internet 区域中的远程计算机。这可能不安全。是否还要发送(y/n
):y

*===============================================================
欢迎使用 Microsoft Telnet 服务器。
*===============================================================
C:\>exit

遗失对主机的连接。
D:\>

如果选 n

Server allows NTLM authentication only
Server has closed connection

遗失对主机的连接。
D:\>

如果 NTLM 设置选的是 1 并且刚才输入 n 后会让输入用户密码

Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99206.1
login:

(相关注册表)
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0]
"NTLM"=dword:00000000
"TelnetPort"=dword:00000017

如果不通过 tlntadmn 修改设置可以直接修改注册表
1.修改注册表可以用 .reg
2.或者用命令行小工具 reg.exe 18,944 02-12-21 21:57
Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001.  All rights reserved

REG Operation [Parameter List]

  Operation  [ QUERY   | ADD    | DELETE  | COPY    |
               SAVE    | LOAD   | UNLOAD  | RESTORE |
               COMPARE | EXPORT | IMPORT ]

Return Code: (Except of REG COMPARE)

  0 - Succussful
  1 - Failed

For help on a specific operation type:

  REG Operation /?

Examples:

  REG QUERY /?
  REG ADD /?
  REG DELETE /?
  REG COPY /?
  REG SAVE /?
  REG RESTORE /?
  REG LOAD /?
  REG UNLOAD /?
  REG COMPARE /?
  REG EXPORT /?
  REG IMPORT /?

3.一个简单的修改C代码来自nsfocus (http://www.nsfocus.net/index.php?act=sec_self&do=view&doc_id=392)
- ------------------------ TNTLM.cpp ------------------------
/*
* (C) Copyright Nsfocus. 2000
* All Rights Reserved
*
* TNTLM.cpp: Modify authentication method of Microsoft Windows
*            2000 Telnet Server.
*
* Usage: TNTLM [option]
*        option: 0 - No NTLM authentication (default)
*                1 - Try NTLM authentication first.
*                    If failed, then try username/password.
*                2 - Require NTLM authentication.
*
* Written by: backend, <backend@nsfocus.com>
*                      <http://www.nsfocus.com>
* Date: 2000/08/31
*
* WARNING: THIS PROGRAM IS JUST FOR EDUCATIONAL PURPOSE!!!
*          YOU ARE USING THIS SOFTWARE ON YOUR OWN RISK. THIS IS A
*          PROOF-OF-CONCEPT PROGRAM AND YOU TAKE FULL RESPONSIBILITY
*          FOR WHAT YOU DO WITH IT! DO NOT ABUSE THIS FOR ILLICIT
*          PURPOSES!
*
* Greetings to: Netguy
*/

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
HKEY hKey;
char SubKeyName[] =
"SOFTWARE\\Microsoft\\Windows\\TelnetServer\\1.0";
char ValueName[] = "NTLM";
DWORD NewValue = 0;

if ( argc > 1 ) NewValue = atol( argv[1] );
if ( RegOpenKeyEx(HKEY_LOCAL_MACHINE, SubKeyName, 0, KEY_ALL_ACCESS,
&hKey) != ERROR_SUCCESS ) {
  perror( "RegOpenKeyEx" );
  return -1;
}

if ( RegSetValueEx( hKey, ValueName, 0, REG_DWORD, ( CONST BYTE * )
&NewValue, sizeof( DWORD )) != ERROR_SUCCESS ) {
  perror( "RegSetValueEx" );
  RegCloseKey( hKey );
  return -1;
}

RegCloseKey( hKey );

return 0;
}
- ------------------------ TNTLM.cpp ------------------------

可以看到如果使用 NTLM 的话不需输入密码就进入系统
同样的情况还会发生在网上邻居访问时和连接 MS SQL Server 时
这在很多时候做身份验证很方便

The NTLM Authentication Protocol
http://davenport.sourceforge.net/ntlm.html

What is NTLM?
NTLM is an authentication protocol used in various Microsoft network protocol implementations and supported by the NTLM Security Support Provider ("NTLMSSP"). Originally used for authentication and negotiation of secure DCE/RPC, NTLM is also used throughout Microsoft's systems as an integrated single sign-on mechanism.

NTLM employs a challenge-response mechanism for authentication, in which clients are able to prove their identities without sending a password to the server. It consists of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication). It basically works like this:

The client sends a Type 1 message to the server. This primarily contains a list of features supported by the client and requested of the server.
The server responds with a Type 2 message. This contains a list of features supported and agreed upon by the server. Most importantly, however, it contains a challenge generated by the server.
The client replies to the challenge with a Type 3 message. This contains several pieces of information about the client, including the domain and username of the client user. It also contains one or more responses to the Type 2 challenge.
The responses in the Type 3 message are the most critical piece, as they prove to the server that the client user has knowledge of the account password.

那么NTLM 是怎么验证的呢？
以共享为例，具体的方法是这样的：
1、客户端<--------------------建立TCP连接----------------->服务端
2、客户端-------客户端类型、支持的服务方式列表等----------->服务端
3、客户端<------服务器支持协议、认证方式、加密用的key等-----服务端
4、客户端--------------用户名、加密后密码----------------->服务端
5、客户端<---------------认证成功否-----------------------服务端
微软采用NTLM机制：如在一个NT域中，客户机登录域服务器时，首先由服务器
向客户端发送一段随机值，客户端用自己密码的散列函数对这个随机值进行混编并
返还给服务器，服务器由本地的SAM数据库中读取该用户的密码散列函数对它发出的
随机值进行混编，最后把两个结果进行比较，如果相同，即认证通过。

通过IRIS对TELNET过程的分析：
<摘自 ntlm验证机制学习札记      awen    2003-1-16>
<http://www.patching.net/org/content/25.htm>
=====================================================================
客户端-------客户端类型、支持的服务方式列表等----------->服务端
=====================================================================
No: 9
Timestamp: 19:43:48:362
MAC source address: 00:50:BF:2A:40:64
MAC dest address: 00:09:7B:51:BB:FC
Frame type: IP
Protocol: TCP-> TELNET
Source IP address: awen
Dest IP address: fldserver
Source port: 2255
Destination port: 23
SEQ: 1865769009
ACK: 1218937261
Packet size: 103
Packet data:
0000: 00 09 7B 51 BB FC 00 50 BF 2A 40 64 08 00 45 00 ..{Q...P.*@d..E.
0010: 00 59 B2 19 40 00 80 06 8F 74 AC 11 01 BC D3 41 .Y..@....t.....A
0020: 38 02 08 CF 00 17 6F 35 60 31 48 A7 81 AD 50 18 8.....o5`1H...P.
0030: FA D6 DC 15 00 00 FF FA 25 00 0F 00 00 20 00 00 ........%.... ..
0040: 00 02 00 00 00 4E 54 4C 4D 53 53 50 00 01 00 00 .....NTLMSSP....
0050: 00 97 82 08 E0 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 FF F0 .......
=====================================================================
客户端-------客户端类型、支持的服务方式列表等----------->服务端
=====================================================================
No: 10
Timestamp: 19:43:48:462
MAC source address: 00:09:7B:51:BB:FC
MAC dest address: 00:50:BF:2A:40:64
Frame type: IP
Protocol: TCP-> TELNET
Source IP address: fldserver
Dest IP address: awen
Source port: 23
Destination port: 2255
SEQ: 1218937261
ACK: 1865769058
Packet size: 229
Packet data:
0000: 00 50 BF 2A 40 64 00 09 7B 51 BB FC 08 00 45 00 .P.*@d..{Q....E.
0010: 00 D7 F7 84 40 00 7E 06 4B 8B D3 41 38 02 AC 11 ....@...K..A8...
0020: 01 BC 00 17 08 CF 48 A7 81 AD 6F 35 60 62 50 18 ......H...o5`bP.
0030: FA A4 1E B5 00 00 FF FA 25 02 0F 00 01 9E 00 00 ........%.......
0040: 00 02 00 00 00 4E 54 4C 4D 53 53 50 00 02 00 00 .....NTLMSSP....
0050: 00 12 00 12 00 30 00 00 00 15 82 8A E0 ED 83 37 .....0.........7
0060: 4B DD 44 1F 96 00 00 00 00 00 00 00 00 5C 00 5C K.D..........\.\
0070: 00 42 00 00 00 46 00 4C 00 44 00 53 00 45 00 52 .B...F.L.D.S.E.R
0080: 00 56 00 45 00 52 00 02 00 12 00 46 00 4C 00 44 .V.E.R.....F.L.D
0090: 00 53 00 45 00 52 00 56 00 45 00 52 00 01 00 12 .S.E.R.V.E.R....
00A0: 00 46 00 4C 00 44 00 53 00 45 00 52 00 56 00 45 .F.L.D.S.E.R.V.E
00B0: 00 52 00 04 00 12 00 66 00 6C 00 64 00 73 00 65 .R.....f.l.d.s.e
00C0: 00 72 00 76 00 65 00 72 00 03 00 12 00 66 00 6C .r.v.e.r.....f.l
00D0: 00 64 00 73 00 65 00 72 00 76 00 65 00 72 00 00 .d.s.e.r.v.e.r..
00E0: 00 00 00 FF F0 .....
=====================================================================
客户端--------------用户名、加密后密码----------------->服务端
服务器的名称awen 用户名为admin，后面是加密后的散列值
=====================================================================
No: 11
Timestamp: 19:43:48:472
MAC source address: 00:50:BF:2A:40:64
MAC dest address: 00:09:7B:51:BB:FC
Frame type: IP
Protocol: TCP-> TELNET
Source IP address: awen
Dest IP address: fldserver
Source port: 2255
Destination port: 23
SEQ: 1865769058
ACK: 1218937436
Packet size: 225
Packet data:
0000: 00 09 7B 51 BB FC 00 50 BF 2A 40 64 08 00 45 00 ..{Q...P.*@d..E.
0010: 00 D3 B2 1A 40 00 80 06 8E F9 AC 11 01 BC D3 41 ....@..........A
0020: 38 02 08 CF 00 17 6F 35 60 62 48 A7 82 5C 50 18 8.....o5`bH..\P.
0030: FA 27 6F 63 00 00 FF FA 25 00 0F 00 02 9A 00 00 .‘oc....%.......
0040: 00 02 00 00 00 4E 54 4C 4D 53 53 50 00 03 00 00 .....NTLMSSP....
0050: 00 18 00 18 00 5A 00 00 00 18 00 18 00 72 00 00 .....Z.......r..
0060: 00 08 00 08 00 40 00 00 00 0A 00 0A 00 48 00 00 .....@.......H..
0070: 00 08 00 08 00 52 00 00 00 10 00 10 00 8A 00 00 .....R..........
0080: 00 15 82 88 E0 41 00 57 00 45 00 4E 00 61 00 64 .....A.W.E.N.a.d
0090: 00 6D 00 69 00 6E 00 41 00 57 00 45 00 4E 00 68 .m.i.n.A.W.E.N.h
00A0: B6 54 08 3F 5F 5D A5 00 00 00 00 00 00 00 00 00 .T.?_]..........
00B0: 00 00 00 00 00 00 00 29 B6 96 5E FB 78 C1 1A 96 .......)..^.x...
00C0: EC 11 A7 D4 D5 1A CC 72 D2 1A 98 61 3C 8E DA 51 .......r...a...Q
00D0: 08 28 F8 1C F9 77 8F 4A 41 32 94 3B 9E 97 42 FF .(...w.JA2.;..B.
00E0: F0 .
=====================================================================
验证通过
=====================================================================
No: 16
Timestamp: 19:43:48:853
MAC source address: 00:09:7B:51:BB:FC
MAC dest address: 00:50:BF:2A:40:64
Frame type: IP
Protocol: TCP-> TELNET
Source IP address: fldserver
Dest IP address: awen
Source port: 23
Destination port: 2255
SEQ: 1218937454
ACK: 1865769242
Packet size: 609
Packet data:
0000: 00 50 BF 2A 40 64 00 09 7B 51 BB FC 08 00 45 00 .P.*@d..{Q....E.
0010: 02 53 F7 87 40 00 7E 06 4A 0C D3 41 38 02 AC 11 .S..@...J..A8...
0020: 01 BC 00 17 08 CF 48 A7 82 6E 6F 35 61 1A 50 18 ......H..no5a.P.
0030: F9 EC 0A F5 00 00 1B 5B 31 3B 31 48 2A 3D 3D 3D .......[1;1H*===
0040: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0050: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0060: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0070: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 20 20 20 20 ============
0080: 20 20 20 20 20 20 20 20 20 20 20 20 1B 5B 32 3B .[2;
0090: 31 48 BB B6 D3 AD CA B9 D3 C3 20 4D 69 63 72 6F 1H........ Micro
00A0: 73 6F 66 74 20 54 65 6C 6E 65 74 20 B7 FE CE F1 soft Telnet ....
00B0: C6 F7 A1 A3 20 20 20 20 20 20 20 20 20 20 20 20 ....
00C0: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00D0: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00E0: 20 20 1B 5B 33 3B 31 48 2A 3D 3D 3D 3D 3D 3D 3D .[3;1H*=======
00F0: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0100: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0110: 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D ================
0120: 3D 3D 3D 3D 3D 3D 3D 3D 20 20 20 20 20 20 20 20 ========
0130: 20 20 20 20 20 20 20 20 1B 5B 34 3B 31 48 43 3A .[4;1HC:
0140: 5C 3E 20 20 20 20 20 20 20 20 20 20 20 20 20 20 \.
0150: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0160: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0170: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0180: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 1B 5B .[
0190: 35 3B 31 48 1B 5B 4B 1B 5B 36 3B 31 48 1B 5B 4B 5;1H.[K.[6;1H.[K
01A0: 1B 5B 37 3B 31 48 1B 5B 4B 1B 5B 38 3B 31 48 1B .[7;1H.[K.[8;1H.
01B0: 5B 4B 1B 5B 39 3B 31 48 1B 5B 4B 1B 5B 31 30 3B [K.[9;1H.[K.[10;
01C0: 31 48 1B 5B 4B 1B 5B 31 31 3B 31 48 1B 5B 4B 1B 1H.[K.[11;1H.[K.
01D0: 5B 31 32 3B 31 48 1B 5B 4B 1B 5B 31 33 3B 31 48 [12;1H.[K.[13;1H
01E0: 1B 5B 4B 1B 5B 31 34 3B 31 48 1B 5B 4B 1B 5B 31 .[K.[14;1H.[K.[1
01F0: 35 3B 31 48 1B 5B 4B 1B 5B 31 36 3B 31 48 1B 5B 5;1H.[K.[16;1H.[
0200: 4B 1B 5B 31 37 3B 31 48 1B 5B 4B 1B 5B 31 38 3B K.[17;1H.[K.[18;
0210: 31 48 1B 5B 4B 1B 5B 31 39 3B 31 48 1B 5B 4B 1B 1H.[K.[19;1H.[K.
0220: 5B 32 30 3B 31 48 1B 5B 4B 1B 5B 32 31 3B 31 48 [20;1H.[K.[21;1H
0230: 1B 5B 4B 1B 5B 32 32 3B 31 48 1B 5B 4B 1B 5B 32 .[K.[22;1H.[K.[2
0240: 33 3B 31 48 1B 5B 4B 1B 5B 32 34 3B 31 48 1B 5B 3;1H.[K.[24;1H.[
0250: 4B 1B 5B 32 35 3B 31 48 1B 5B 4B 1B 5B 34 3B 35 K.[25;1H.[K.[4;5
0260: 48 H
=====================================================================

Posted by windtear at May 12, 2004 2:48 AM

windtear 追求完美

网络技术/Linux/自由、协作、创造－为了明天/个人原创整理

May 12, 2004

NTLM 验证机制 - smb telnet . service @ windows