Windows automatically authenticates with the current user's name and password. Although the password is sent in encrypted form, the exchange can still be attacked. Below is the SMB password authentication procedure, as used when Windows is accessed on port 139; the arrows show the direction of the data:

1. Client <------------------ Create TCP connection ----------------> Server
2. Client ------- Client type, list of supported service modes, etc. --------> Server
3. Client <--------- Server authentication mode, encryption key, etc. ---------- Server
   The authentication mode is either user-level or share-level, with or without password encryption. The Key is 8 randomly generated bytes; Win2000 also supports a 16-byte Key.
4. Client -------------- User name, encrypted password -----------------> Server
   Win9X, WinNT and Win2000 have a vulnerability here: without any prompt, the client sends the current user name and the encrypted password, so the password leaks. The encryption is a variant of DES: LockedPass = CHGDES(Key, Pass), where Pass is the key of the DES variant and Key is the data it encrypts.
5. Client <-------------- Authentication succeeded --------------------- Server

Step 4 on the Windows client is clearly the weak point: the server obtains the user name and LockedPass = CHGDES(Key, Pass), where Key can be chosen freely because the server is the one supplying it, and UserName and Pass are the name and password of the user currently logged on at the client. The transformation is not reversible, but it can be cracked, and programs that do so already exist. In fact we do not even need to recover the password; it is enough that LockedPass lets us make a connection. So what accepts LockedPass? Telnet, FTP and similar connections require the password itself, but the NetBIOS sharing service accepts exactly the LockedPass we obtained.

The above is what the server obtains. Now stand on the client side and look at the same procedure. Clearly we do not need to supply Pass; we need to supply the user name and LockedPass2 = CHGDES(Key2, Pass), where Key2 is now supplied by the server we are connecting to. We already have UserName and LockedPass = CHGDES(Key, Pass), where Key was chosen by us. Everyone can see that all we need is Key = Key2. So we must arrange for Key = Key2. Looking more closely at the connection procedure, when someone connects to us the first steps are:

1. Client <------------------ Create TCP connection ----------------> Server
2. Client ------- Client type, list of supported service modes, etc. ----------> Server
3. Client <-------- Server authentication mode, encryption key, etc. ----------- Server

In step 3 we are the one who must supply Key, but we cannot supply just any Key; it must be Key2. So we must first obtain Key2, which clearly requires connecting back to the NetBIOS service ourselves. That is, we must run the three steps 11, 22, 33 (numbered this way to distinguish them from the steps above) to obtain Key2; steps 22 and 33 do not require the authentication to succeed.
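The exchange described above, modelled from the defender's side as an added example that is not part of the original text: CHGDES is replaced by a constructed HMAC stand-in, and the Host class with its methods is hypothetical. One host plays both the server role (issuing Key) and the client role (answering it automatically), which shows why a Key2 taken from the host's own server side is accepted back, and how a host that refuses to answer a Key it issued itself defeats that.

```python
import hashlib
import hmac
import secrets


# Constructed stand-in for CHGDES(Key, Pass): the password keys an HMAC over the Key.
def locked_pass(key: bytes, password: bytes) -> bytes:
    return hmac.new(password, key, hashlib.sha256).digest()


class Host:
    """One machine in both SMB roles: server (issues Key) and client (answers Key)."""

    def __init__(self, username: str, password: bytes, reject_own_challenges: bool):
        self.username = username
        self.password = password
        self.reject_own_challenges = reject_own_challenges
        self.outstanding = set()  # Keys issued as a server and not yet consumed

    # Server role, step 3: hand out 8 random bytes and remember them.
    def issue_key(self) -> bytes:
        key = secrets.token_bytes(8)
        self.outstanding.add(key)
        return key

    # Server role, step 4/5: accept only a fresh Key answered by the right account.
    def verify(self, key: bytes, username: str, locked: bytes) -> bool:
        if key not in self.outstanding:
            return False
        self.outstanding.discard(key)
        if username != self.username:
            return False
        return hmac.compare_digest(locked, locked_pass(key, self.password))

    # Client role, step 4: answer with the current user's credentials, no prompt.
    def answer(self, key: bytes):
        # Mitigation: do not answer a Key that this same host issued as a server.
        if self.reject_own_challenges and key in self.outstanding:
            return None
        return self.username, locked_pass(key, self.password)


def reflection_succeeds(victim: Host) -> bool:
    """Key2 from the victim's server side is fed to its client side, answer sent back."""
    key2 = victim.issue_key()        # steps 11-33 against the victim's server
    reply = victim.answer(key2)      # step 3 toward the victim's client, Key = Key2
    if reply is None:
        return False                 # client refused, nothing to forward
    username, locked2 = reply
    return victim.verify(key2, username, locked2)   # step 4 against the victim's server


def legitimate_logon_succeeds(host: Host, peer: Host) -> bool:
    """Normal case: host's client answers a Key issued by a different machine."""
    key = peer.issue_key()
    username, locked = host.answer(key)
    return peer.verify(key, username, locked)
```

Both hosts in the legitimate case are constructed with the same account so that the peer can verify the answer; the mitigation does not interfere with that exchange.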