Knowing+NTLM

最新推荐文章于 2024-06-25 15:30:00 发布
最新推荐文章于 2024-06-25 15:30:00 发布
阅读量1.2k 收藏 1
点赞数
文章标签: domain security c string user buffer
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/hankhanti/article/details/6870925
版权


Refer to http://davenport.sourceforge.net/ntlm.html and wget source code


NTLM 认证流程:


Connecting to 172.20.168.88:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized


Creating a type-1 NTLM message.
TYPE1_MSG=NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=


Reusing existing connection to 172.20.168.88:80.
HTTP request sent, awaiting response... 401 Unauthorized
TYPE2_MSG=TlRMTVNTUAACAAAAAAAAADgAAAACAgACjjnPlWOz9zgAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=


Creating a type-3 NTLM message.

TYPE3_MSG=NTLM TlRMTVNTUAADAAAAGAAYAFAAAAAYABgAaAAAAAgACABAAAAACAAIAEgAAAAAAAAAUAAAAAAAAACAAAAAAYIAAHF1Y

W50YWNuOTUwODMxMDHnTb3gPjCDB/OLXKSIjBeGL0AIsN4D/TWMw9CSzo44hAsR7M+zrOLPRTQcOUsafeI=


Reusing existing connection to 172.20.168.88:80.
HTTP request sent, awaiting response... 302 Object moved
Location: http://172.20.168.53 [following]
--2011-10-13 12:42:36--  http://172.20.168.53/


Connecting to 172.20.168.53:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized


Creating a type-1 NTLM message.
TYPE1_MSG=NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=


Reusing existing connection to 172.20.168.53:80.
HTTP request sent, awaiting response... 401 Unauthorized

TYPE2_MSG=TlRMTVNTUAACAAAACAAIADgAAAAGAoECkSVpVi+DIRgAAAAAAAAAAJoAmgBAAAAABgGwHQAAAA9SU1FVQU5UQQIAEABSAFM

AUQBVAEEATgBUAEEAAQAOAFEAUwBNAEMASABSADIABAAYAFIAUwBRAHUAYQBuAHQAYQAuAGMAbwBtAAMAKABxAHMAbQBjAGgAcgAyAC4A

UgBTAFEAdQBhAG4AdABhAC4AYwBvAG0ABQAYAFIAUwBRAHUAYQBuAHQAYQAuAGMAbwBtAAcACABpFEqgYonMAQAAAAA=


Creating a type-3 NTLM message.

TYPE3_MSG=NTLM TlRMTVNTUAADAAAAGAAYAFAAAAAYABgAaAAAAAgACABAAAAACAAIAEgAAAAAAAAAUAAAAAAAAACAAAAAAYIAAHF1YW50YWNuOTUwODMx

MDHDmh1xv/Uoz9B6TWUTOBCxIOjUpN7/8iejYOfw40MUOlXE7hY6iQbd8wENqrnDLnY=


Reusing existing connection to 172.20.168.53:80.
HTTP request sent, awaiting response... 302 Object moved
Location: http://qsmchr5/hrui/webui/ [following]
--2011-10-13 12:42:36--  http://qsmchr5/hrui/webui/
Resolving qsmchr5 (qsmchr5)... 172.20.168.88


Connecting to qsmchr5 (qsmchr5)|172.20.168.88|:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Creating a type-1 NTLM message.

TYPE1_MSG=NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=


Reusing existing connection to qsmchr5:80.
HTTP request sent, awaiting response... 401 Unauthorized

TYPE2_MSG=TlRMTVNTUAACAAAAAAAAADgAAAACAgACdZNyW+yWh0oAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=


Creating a type-3 NTLM message.

TYPE3_MSG=NTLM TlRMTVNTUAADAAAAGAAYAFAAAAAYABgAaAAAAAgACABAAAAACAAIAEgAAAAAAAAAUAAAAAAAAACAAAAAAYIAAHF1YW50YWNuOTUwODMxM

DER6h6SH+Dq3dFaDlrvwP+Ukeqq8wCx5uHDUXpv0oOrvBcq/HFWJx0F0HBVXZvu6t8=

Reusing existing connection to qsmchr5:80.
HTTP request sent, awaiting response... 200 OK


NTLM 编码规则:


TYPE1 - 


#define SHORTPAIR(x) ((x) & 0xff), ((x) >> 8)


domain length = SHORTPAIR(domain length)
host offset = 32
domain offset = hostoff + hostlen


[0x00 - 0x07] 0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00 # NTLMSSP\0
[0x08 - 0x0f] 0x01 0x00 0x00 0x00 0x02 0x02 0x00 0x00 # 32 bit type = 1, 32 bit NTLM flag field: 

                                                      # Negotiate NTLM (0x00000200)| Negotiate OEM (0x00000002)
[0x10 - 0x17] 0x00 0x00 0x00 0x00 0x20 0x00 0x00 0x00 # domain length[2], domain space[2], 

                                                      # domain offset[2], zero[2]
[0x18 - 0x1f] 0x00 0x00 0x00 0x00 0x20 0x00 0x00 0x00 # host length[2], host space[2], host offset[2], zero[2]


00000000  4e 54 4c 4d 53 53 50 00  01 00 00 00 02 02 00 00  |NTLMSSP.........|
00000010  00 00 00 00 20 00 00 00  00 00 00 00 20 00 00 00  |.... ....... ...|


BASE64_STRING: TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
 
======================


TYPE2 -


[0x00 - 0x07] 0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00 # NTLMSSP\0
[0x08 - 0x0b] 0x02 0x00 0x00 0x00                     # 32 bit type = 2
[0x0c - 0x13] 0x00 0x00 0x00 0x00 0x38 0x00 0x00 0x00 # Target Name Security Buffer

                                                      # (length[2]=0, space[2]=0, offset[4]=0x38)
[0x14 - 0x17] 0x02 0x02 0x00 0x02                     # 32 bit NTLM flag field
[0x18 - 0x1f] 0x8e 0x39 0xcf 0x95 0x63 0xb3 0xf7 0x38 # The nonce randomly generated
[0x20 - 0x27] 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 # Context
[0x28 - 0x2f] 0x00 0x00 0x00 0x00 0x38 0x00 0x00 0x00 # Target Information Security Buffer

                                                      # (length[2]=0, space[2]=0, offset[4]=0x38)
[0x30 - 0x37] 0x05 0x02 0xce 0x0e 0x00 0x00 0x00 0x0f # start of data block


00000000  4e 54 4c 4d 53 53 50 00  02 00 00 00 00 00 00 00  |NTLMSSP.........|
00000010  38 00 00 00 02 02 00 02  8e 39 cf 95 63 b3 f7 38  |8........9..c..8|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 38 00 00 00  |............8...|
00000030  05 02 ce 0e 00 00 00 0f                           |........|


BASE64_STRING: TlRMTVNTUAACAAAAAAAAADgAAAACAgACjjnPlWOz9zgAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=


=======================


TYPE3 -

domoff    = 64
useroff   = domoff  + domlen = 64 + 8 (以下例为例) = 72
hostoff   = useroff + userlen = 72 + 8 (以下例为例) = 80
lmrespoff = hostoff + hostlen = 80 + 0 = 80
ntrespoff = lmrespoff + 0x18 = 80 + 24 = 104

计算 hash 过的 password: 以 password 为 key, magic 为 message, 加密计算, 过程如下:


setup_des_key: 1qaz2ws => 1QAZ2WS


origin keys= (第一组)


pw1[0] = 31
pw1[1] = 51
pw1[2] = 41
pw1[3] = 5a
pw1[4] = 32
pw1[5] = 57
pw1[6] = 53
pw1[7] = 58


*经过转换 -
(
key[0] = key_56[0];
key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
key[7] =  (key_56[6] << 1) & 0xFF;
)


KEY1[0] = 31
KEY1[1] = a8
KEY1[2] = 50
KEY1[3] = 2b
KEY1[4] = a3
KEY1[5] = 92
KEY1[6] = 5d
KEY1[7] = a6


*DES_set_odd_parity
@odd_parity=(
  1,  1,  2,  2,  4,  4,  7,  7,  8,  8, 11, 11, 13, 13, 14, 14,
 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254);


KEY1[0] = 31
KEY1[1] = a8
KEY1[2] = 51
KEY1[3] = 2a
KEY1[4] = a2
KEY1[5] = 92
KEY1[6] = 5d
KEY1[7] = a7


MAG1[0] = 4b
MAG1[1] = 47
MAG1[2] = 53
MAG1[3] = 21
MAG1[4] = 40
MAG1[5] = 23
MAG1[6] = 24
MAG1[7] = 25


*DES 编码 -


LMBUFF1[0] = 77
LMBUFF1[1] = 11
LMBUFF1[2] = 04
LMBUFF1[3] = 12
LMBUFF1[4] = e3
LMBUFF1[5] = 54
LMBUFF1[6] = 4d
LMBUFF1[7] = 2f


(origin key) 第二组


pw2[0] = 58
pw2[1] = 33
pw2[2] = 57
pw2[3] = 53
pw2[4] = 58
pw2[5] = 00
pw2[6] = 00
pw2[7] = 00


* 转换


KEY[0] = 58
KEY[1] = 19
KEY[2] = d5
KEY[3] = ea
KEY[4] = 35
KEY[5] = c0
KEY[6] = 00
KEY[7] = 00


*set_des_odd_parity


KEY[0] = 58
KEY[1] = 19
KEY[2] = d5
KEY[3] = ea
KEY[4] = 34
KEY[5] = c1
KEY[6] = 01
KEY[7] = 01


MAG2[0] = 4b
MAG2[1] = 47
MAG2[2] = 53
MAG2[3] = 21
MAG2[4] = 40
MAG2[5] = 23
MAG2[6] = 24
MAG2[7] = 25


*DES 编码


LMBUFF2[0] = 08
LMBUFF2[1] = 3b
LMBUFF2[2] = 70
LMBUFF2[3] = 34
LMBUFF2[4] = aa
LMBUFF2[5] = fc
LMBUFF2[6] = db
LMBUFF2[7] = ff


组合LMBUFF1, LMBUFF2 成 LMBUFF


LMBUFF[0] = 77
LMBUFF[1] = 11
LMBUFF[2] = 04
LMBUFF[3] = 12
LMBUFF[4] = e3
LMBUFF[5] = 54
LMBUFF[6] = 4d
LMBUFF[7] = 2f
LMBUFF[8] = 08
LMBUFF[9] = 3b
LMBUFF[10] = 70
LMBUFF[11] = 34
LMBUFF[12] = aa
LMBUFF[13] = fc
LMBUFF[14] = db
LMBUFF[15] = ff
LMBUFF[16] = 00
LMBUFF[17] = 00
LMBUFF[18] = 00
LMBUFF[19] = 00
LMBUFF[20] = 00


(End of hash password)
===================================


加密 NONCE


NONCE = \x6b \x4b \xa4 \x59 \xbe \xed \xb7 \x68


KEY[0] = 77
KEY[1] = 11
KEY[2] = 04
KEY[3] = 12
KEY[4] = e3
KEY[5] = 54
KEY[6] = 4d
KEY[7] = 2f


*经过转换 -


(
key[0] = key_56[0];
key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
key[7] =  (key_56[6] << 1) & 0xFF;
)


KEY2[0] = 77
KEY2[1] = 88
KEY2[2] = 41
KEY2[3] = 82
KEY2[4] = 2e
KEY2[5] = 1a
KEY2[6] = 51
KEY2[7] = 9a


*DES_set_odd_parity


@odd_parity=(
  1,  1,  2,  2,  4,  4,  7,  7,  8,  8, 11, 11, 13, 13, 14, 14,
 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254);


KEY3[0] = 76 
KEY3[1] = 89 
KEY3[2] = 40 
KEY3[3] = 83 
KEY3[4] = 2f 
KEY3[5] = 1a
KEY3[6] = 51
KEY3[7] = 9b 


*DES 编码 -


RESULT1[0] = 6a
RESULT1[1] = eb
RESULT1[2] = 44
RESULT1[3] = 3d
RESULT1[4] = a7
RESULT1[5] = d6
RESULT1[6] = 24
RESULT1[7] = 3c


(第二组: k2= k1+7)
KEY2[0] = 2f
KEY2[1] = 08
KEY2[2] = 3b
KEY2[3] = 70
KEY2[4] = 34
KEY2[5] = aa
KEY2[6] = fc
KEY2[7] = db


*转换
*set_des_odd_parity
*DES 编码


RESULT2[0] = 78
RESULT2[1] = 1b
RESULT2[2] = 33
RESULT2[3] = ca
RESULT2[4] = 6e
RESULT2[5] = fa
RESULT2[6] = ff
RESULT2[7] = 4a


(第三组 k3 = k1+14)
KEY2[0] = db
KEY2[1] = ff
KEY2[2] = 00
KEY2[3] = 00
KEY2[4] = 00
KEY2[5] = 00
KEY2[6] = 00
KEY2[7] = 00


*转换
*set_des_odd_parity
*DES 编码


RESULT[0] = 20
RESULT[1] = 8d
RESULT[2] = 2e
RESULT[3] = 7d
RESULT[4] = ea
RESULT[5] = 6f
RESULT[6] = 48
RESULT[7] = 1a


lmresp=
0x6a 0xeb 0x44 0x3d 0xa7 0xd6 0x24 0x3c
0x78 0x1b 0x33 0xca 0x6e 0xfa 0xff 0x4a
0x20 0x8d 0x2e 0x7d 0xea 0x6f 0x48 0x1a


[0x00 - 0x07] 0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00 # NTLMSSP\0
[0x08 - 0x0b] 0x03 0x00 0x00 0x00                     # 32 bit type = 3
[0x0c - 0x0f] 0x18 0x00 0x18 0x00                     # LanManager response length=SHORTPAIR(0x18), twice
[0x10 - 0x13] 0x50 0x00 0x00 0x00                     # LanManager response offset[2]=SHORTPAIR(lmrespoff), zero[2]
[0x14 - 0x17] 0x18 0x00 0x18 0x00                     # NT response length=SHORTPAIR(0x18), twice
[0x18 - 0x1b] 0x68 0x00 0x00 0x00                     # NT response offset[2]=SHORTPAIR(ntrespoff), zero[2]
[0x1c - 0x1f] 0x08 0x00 0x08 0x00                     # domain length, domain space = SHORTPAIR(domlen)
[0x20 - 0x23] 0x40 0x00 0x00 0x00                     # domain offset[2]=SHORTPAIR(domoff), zero[2]
[0x24 - 0x27] 0x08 0x00 0x08 0x00                     # user length, user space = SHORTPAIR(usrlen)
[0x28 - 0x2b] 0x48 0x00 0x00 0x00                     # user offset[2] = SHORTPAIR(useroff), zero[2]
[0x2c - 0x2f] 0x00 0x00 0x00 0x00                     # host length, host space = SHORTPAIR(hostlen)
[0x30 - 0x33] 0x50 0x00 0x00 0x00                     # host offset[2] = SHORTPAIR(hostoff), zero[2]
[0x34 - 0x37] 0x00 0x00 0x00 0x00                     # zero[4]
[0x38 - 0x3b] 0xff 0xff 0x00 0x00                     # message length, zero[2]
[0x3c - 0x3f] 0x01 0x82 0x00 0x00                     # flags, zero[2]
[0x40 - 0x47] 0x71 0x75 0x61 0x6e 0x74 0x61 0x63 0x6e # domain(quantacn)
[0x48 - 0x4f] 0x39 0x35 0x30 0x38 0x33 0x31 0x30 0x31 # user (95083101)
[0x50 - 0x57] 0xe7 0x4d 0xbd 0xe0 0x3e 0x30 0x83 0x07 # lmresp[00-07]
[0x58 - 0x5f] 0xf3 0x8b 0x5c 0xa4 0x88 0x8c 0x17 0x86 # lmresp[08-15]
[0x60 - 0x67] 0x2f 0x40 0x08 0xb0 0xde 0x03 0xfd 0x35 # lmresp[16-23]
[0x68 - 0x6f] 0x8c 0xc3 0xd0 0x92 0xce 0x8e 0x38 0x84 # ntresp[00-07]
[0x70 - 0x77] 0x0b 0x11 0xec 0xcf 0xb3 0xac 0xe2 0xcf # ntresp[08-15]
[0x78 - 0x7f] 0x45 0x34 0x1c 0x39 0x4b 0x1a 0x7d 0xe2 # ntresp[16-23]

ntlmbuf[0x38] = size & 0xff = 0x80
ntlmbuf[0x39] = size >> 8   = 0x00

00000000  4e 54 4c 4d 53 53 50 00  03 00 00 00 18 00 18 00  |NTLMSSP.........|
00000010  50 00 00 00 18 00 18 00  68 00 00 00 08 00 08 00  |P.......h.......|
00000020  40 00 00 00 08 00 08 00  48 00 00 00 00 00 00 00  |@.......H.......|
00000030  50 00 00 00 00 00 00 00  80 00 00 00 01 82 00 00  |P...............|
00000040  71 75 61 6e 74 61 63 6e  39 35 30 38 33 31 30 31  |quantacn95083101|
00000050  e7 4d bd e0 3e 30 83 07  f3 8b 5c a4 88 8c 17 86  |.M..>0....\.....|
00000060  2f 40 08 b0 de 03 fd 35  8c c3 d0 92 ce 8e 38 84  |/@.....5......8.|
00000070  0b 11 ec cf b3 ac e2 cf  45 34 1c 39 4b 1a 7d e2  |........E4.9K.}.|

BASE64_STRING: TlRMTVNTUAADAAAAGAAYAFAAAAAYABgAaAAAAAgACABAAAAACAAIAEgAAAAAAAAAUAAAAAAAAACAAAAAAYIAAHF1YW50YWNuOTU

wODMxMDHnTb3gPjCDB/OLXKSIjBeGL0AIsN4D/TWMw9CSzo44hAsR7M+zrOLPRTQcOUsafeI= 



hankhanti
关注
Windows内网协议学习NTLM篇之NTLM基础介绍
子曰小玖的博客
05-08 5216
0x00 前言 这个系列文章主要讲ntlm认证相关的内容。以及着重介绍ntlm两大安全问题–PTH和ntlm_relay。 ntlm篇分为四篇文章 第1篇文章也是本文,这篇文章主要简单介绍一些基础概念以及引进一些相关的漏洞,比如Pass The Hash以及ntlm_relay。 其余三篇文章的内容全部都是讲ntlm_relay,这个安全问题是ntlm篇的重点内容。 第2篇文章主要讲触发...
NTLM Authentication Scheme for HTTP
吾将上下而求索
02-15 1762
NTLM Authentication Scheme for HTTPIntroductionThis is an attempt at documenting the undocumented NTLM authentication scheme used by M$s browsers, proxies, and servers (MSIE and IIS); this scheme
NTLM Protocol - 3. MD4 编码
hankhanti的专栏
10-21 959
更确切的来说此章应为介绍如何使用 MD4 编码, 而此章所表达的重点更应该为 NTLM 中 DES 与 MD4 所扮演的角色. 使用 MD4 编码来加密资料, 在 Perl 的世界中, 有许多开发者创造了许多模组供我们使用, 而 Digest::MD4 就是其中一个, 它是由Mike McCauley所开发, 使用它可以将 MD4 加密变的很简单, 只要使用它所提供的方法, 以下就是一个例子:
Снова про NTLM и Pass the Hash
cnbird's blog
08-25 1191
На грядущем фестивале Chaos Constructions я попытаюсь рассказать о страшной и незавидной судьбе паролей, хранимых в ОС семейства Windows. Даже самые стойкие и красивые из них обречены на провал, и вин
Windows Logon Type的含义
flyhaze的专栏
06-30 1万+
Windows Logon Type的含义 我只是把主要的内容整理了一下备查。  Logon type 2 Interactive  本地交互登录。最常见的登录方式。<br />Logon type 3 Network 网络登录 - 最常见的是访问网络共享文件夹或打印机。IIS的认证也是Type 3<br />Logon type 4 Batch 计划任务<br />Logon Type 5 Service 服务<br />某些服务是用一个域帐号来运行的,出现Failure常见的情况是管理员更改了域帐号密
BloodyAD:一款功能强大的活动目录提权框架
最新发布
白帽黑客佳哥的博客
06-25 1588
BloodyAD是一款功能强大的活动目录提权框架,该框架可以通过bloodyAD.py实现手动操作,或通过结合pathgen.py和autobloody.py来实现自动化提权以及活动目录安全检测任务。该框架支持NTLM(使用密码或NTLM哈希)和Kerberos身份验证,并绑定到域控制器的LDAP/LDAPS/SAMR服务以获得活动目录权限。除此之外,广大研究人员还可以将BloodyAD结合SOCKS代理一起使用。该工具可以对域控制器执行特定的LDAP/SAMR调用,以获取和执行活动目录权限。
curl常见用法
热门推荐
liitdar的博客
06-13 2万+
本文主要介绍curl的常见用法。说明:本文介绍的curl常见用法是面向Linux操作系统的。引用Manual中关于curl的介绍,内容如下:引用GitHub中关于curl的介绍,内容如下:curl is used in command lines or scripts to transfer data. curl is also used in cars, television sets, routers, printers, audio equipment, mobile phones, tablets,
命令行工具--curl
weixin_30586085的博客
09-27 1203
目录 命令:curl 一、简介 二、使用案例 1、基本用法 2、保存访问的网页 3、测试网页返回值 4、指定proxy服务器以及其端口 5、cookie 6、模仿浏览器 7、伪造referer...
knowing-lu:认识LU
05-15
cd knowing-lu npm install npm start 在线版本托管在Github Pages上,并与一起部署。 测验 目前测试还处于起步阶段。 他们将很快写成。 路线图 以下是很不错的功能列表: 每条线和每个区域的当前进度 成就徽章,...
Ways of Knowing in HCI
01-09
《Ways of Knowing in HCI》是其中的一本,由Judith S. Olson和Wendy A. Kellogg编辑,这是一本集合了HCI领域多位专家的讲义和论文的合集。这本书可能涵盖了人机交互领域的广泛主题,从基础理论到具体的研究方法,再...
All-Knowing Mind-开源
04-27
All-Knowing Mind是一种Java / SWT多语言,与OS无关的游戏服务器浏览器,着重于第一人称射击游戏,类似于Yahoo现已淘汰的All-Seeing Eye。
Unit 5 Knowing Yoursel.pdf
08-17
Unit 5 Knowing Yoursel.pdf
2020版新教材高中英语 单元素养评价(一)Unit 1 Knowing me knowing you 外研版3.doc
10-19
虽然这个文档标题和描述提及的是"2020版新教材高中英语 单元素养评价(一)Unit 1 Knowing me knowing you 外研版3.doc",但内容实际上是五段听力理解的练习题目,涉及的是英语听力技能的训练。以下是基于这部分内容...
K8s 很难么?带你从头到尾捋一遍,不信你学不会
民工哥的博客
02-23 9141
点击关注公众号,回复“1024”获取2TB学习资源!为什么要学习 Kubernetes?虽然 Docker 已经很强大了,但是在实际使用上还是有诸多不便,比如集群管理、资源调度、文件管理等...
10天智能锁项目实战第1天(了解单片机STM32F401RET6和C语言基础)
北豼不太皮的博客
02-21 3666
10天智能锁项目实战第1天(了解单片机STM32F401RET6和C语言基础)一、学习目标二、了解单片机STM32F401RET6三、C语言基础 一、学习目标 二、了解单片机STM32F401RET6 4、STM32F401RE特征 三、C语言基础 1.数据类型 常用2的次方: 2^7 = 128 2^8 = 256 2^15 = 32768 2^16= 65536 51单片机常见的数据类型: char: 占内存1字节 取值范围:-128~127 -2^7 ~ 2
Android开发(1) | Fragment 的应用——新闻应用
Jormungand_V的博客
02-21 7152
文章目录 news_item.xml: <TextView xmlns:android="http://schemas.android.com/apk/res/android" android:id="@+id/news_title" android:layout_width="match_parent" android:layout_height="wrap_content" android:lines="1" android:ellipsize="
系统学习 TypeScript(四)——变量声明的初步学习
编程三昧
02-25 1783
认识了 TypeScript 中的基础类型,接下来当然是变量声明的相关学习了,我在这里记录一下我学习过程中的一些总结。
清除浮动的五种方法
weixin_52212950的博客
02-22 2770
为什么要清除浮动?因为往往浮动后的子元素因为脱离了标准流,不能自动撑起父元素的高度,所以会对后续布局产生影响,对此清除浮动不如理解为清除浮动产生的影响更为合理。 例如:我们设置了两个盒子如图所示,粉色为父盒子,只有宽度没有高度,蓝色盒子有宽有高,粉色盒子的高由蓝盒子的高度撑开。 但是给蓝色的子盒子设置了左浮动后,脱离了标准流,无法再撑开粉盒子,可以看到粉盒子高度变成了0; 清除浮动有五种方法: 直接设置父元素的高度 额外标签法 单伪元素法 双伪元素法 ove.
Knowing that x=["Hello"] and y=[*Python"], the value of the expression xty is
05-29
这个表达式 "xty" 并不是一个有效的 Python 表达式,因为它没有运算符。如果您想要将两个列表 x 和 y 中的元素拼接起来,可以使用 "+" 运算符。例如,如果您想要将列表 x 和 y 中的元素拼接成一个新的列表 z,可以...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值