且行且记录
Tracing the path from password to NT hash

2014-05-09 17:27:07 | Category: Debugging notes


First look up a known-good password/hash pair online, so the values seen in the debugger can be checked against something. The pair used below:

Password    : 1122
NTLM        : 9cbef67993aae509c59cfa647c8b13fb
LM          : 649e289f70fdb196aad3b435b51404ee

(The second half of the LM hash, aad3b435b51404ee, is the constant produced by an empty 7-byte half; it appears whenever the password is shorter than 8 characters. Only the NT hash is traced here.)

Set a breakpoint at the call below in msv1_0. When it is hit, esi points to the stored hash and ebx to the hash just computed from the password that was typed in. The argument setup (visible in the `ub .` listing) is RtlCompareMemory(esi, ebx, 0x10); RtlCompareMemory returns the number of leading bytes that match, and the `cmp eax,10h` right after the call is the actual password check: all 16 bytes of the two NT hashes must be equal.

001b:77c4985c call    dword ptr [msv1_0!_imp__RtlCompareMemory (77c41234)]

kd> db esi l10
0096f034  9c be f6 79 93 aa e5 09-c5 9c fa 64 7c 8b 13 fb  ...y.......d|...
kd> db ebx l10
0096f7f4  9c be f6 79 93 aa e5 09-c5 9c fa 64 7c 8b 13 fb  ...y.......d|...
kd> ub .
001b:77c49855  push    10h
001b:77c49857  add     ebx,34h
001b:77c4985a  push    ebx
001b:77c4985b  push    esi
kd> u
msv1_0!MsvpPasswordValidate+0x37a:
001b:77c4985c  call    dword ptr [msv1_0!_imp__RtlCompareMemory (77c41234)]
001b:77c49862  cmp     eax,10h
kd> kn
 # ChildEBP RetAddr 
00 0096ec4c 77c4ab18 msv1_0!MsvpPasswordValidate+0x37a
01 0096f2b4 77c4a7fe msv1_0!MsvpSamValidate+0x7c7
02 0096f42c 77c4a750 msv1_0!MsvSamValidate+0xef
03 0096fc8c 744a78f4 msv1_0!LsaApLogonUserEx2+0x1369
04 0096fcf8 74492891 LSASRV!NegLogonUserEx2+0x22d
05 0096fe98 744922ae LSASRV!LsapAuApiDispatchLogonUser+0x33b
06 0096feac 74489481 LSASRV!LpcLsaLogonUser+0x22

From there it is a matter of backtracing. The MD4 computation turns out to live in ADVAPI32!SystemFunction007, the exported RtlCalculateNtOwfPassword: it takes the password as a UNICODE_STRING and writes the 16-byte NT OWF. msv1_0!NlpPutOwfsInPrimaryCredential calls it at logon to put the OWF into the primary credential. The `uf /c` listing shows the MD4Init/MD4Update/MD4Final sequence directly, with nothing mixed in before or after it, so the stored value is simply unsalted MD4 over the UTF-16LE password.

00 0007f370 77dc5312 ntdll!memmove+0x11c
01 0007f3f8 77c446eb ADVAPI32!SystemFunction007+0x64
02 0007f454 77c49b70 msv1_0!NlpPutOwfsInPrimaryCredential+0x6b
03 0007fc8c 744a78f4 msv1_0!LsaApLogonUserEx2+0xb5a
04 0007fcf8 74492891 LSASRV!NegLogonUserEx2+0x22d
05 0007fe98 744922ae LSASRV!LsapAuApiDispatchLogonUser+0x33b
06 0007feac 74489481 LSASRV!LpcLsaLogonUser+0x22
kd> uf /c ADVAPI32!SystemFunction007
ADVAPI32!SystemFunction007 (77dc52ae)
  ADVAPI32!SystemFunction007+0x26 (77dc52d4):
    call to ADVAPI32!UseOutsideStringToKey (77dc532a)
  ADVAPI32!SystemFunction007+0x3a (77dc52e8):
    call to ADVAPI32!MD4Init (77da876b)
  ADVAPI32!SystemFunction007+0x4a (77dc52f8):
    call to ADVAPI32!MD4Update (77da8d04)
  ADVAPI32!SystemFunction007+0x53 (77dc5301):
    call to ADVAPI32!MD4Final (77da879f)
  ADVAPI32!SystemFunction007+0x5f (77dc530d):
    call to ADVAPI32!memmove (77da694e)
  ADVAPI32!SystemFunction007+0x6e (77dc531c):
    call to ADVAPI32!__security_check_cookie (77da6930)

001b:77c446e1 lea     eax,[ebx+10h]
001b:77c446e4 push    eax <==== NT hash output buffer (ebx+10h)
001b:77c446e5 push    esi <==== password input (PUNICODE_STRING)
001b:77c446e6 call    msv1_0!SystemFunction007 (77c44654)
kd> u
msv1_0!NlpPutOwfsInPrimaryCredential+0x6b:
001b:77c446eb lea     eax,[ebx+30h]

 

Put the two breakpoints into a WinDbg script so every logon attempt prints the cleartext password, the hash computed from it, and the stored hash it is compared against. The second breakpoint sits on the instruction after the call to SystemFunction007 (its return address), so by then the output buffer at ebx+10h has been filled in while esi still points to the UNICODE_STRING of the password (`dS` dumps a UNICODE_STRING).

*nthash.x

bp 77c4985c ".echo =esi [store]=;db esi l10;.echo =ebx [input]=;db ebx l10;g"
bp 77c446eb ".echo =====;dS esi;.echo =====;db ebx+10h l10;g"

With that in place the whole path is easy to verify. In the run below the stored hash is always that of 1122 (9cbef679...), and each of the three attempts (111222, 123456, helloworld) computes a different value, so the compare fails every time:

kd> bl
 0 e 77c4985c     0001 (0001) msv1_0!MsvpPasswordValidate+0x37a ".echo =esi [store]=;db esi l10;.echo =ebx [input]=;db ebx l10;g"
 1 e 77c446eb     0001 (0001) msv1_0!NlpPutOwfsInPrimaryCredential+0x6b ".echo =====;dS esi;.echo =====;db ebx+10h l10;g"

kd> g
=====
000e7400  "111222"
=====
0007f72c  65 44 49 e9 ef 28 e1 49-e7 d6 35 20 4b f5 2f f4  eDI..(.I..5 K./.
=esi [store]=
0007f034  9c be f6 79 93 aa e5 09-c5 9c fa 64 7c 8b 13 fb  ...y.......d|...
=ebx [input]=
0007f7f4  65 44 49 e9 ef 28 e1 49-e7 d6 35 20 4b f5 2f f4  eDI..(.I..5 K./.
=====
000dc0b8  "123456"
=====
0007f72c  32 ed 87 bd b5 fd c5 e9-cb a8 85 47 37 68 18 d4  2..........G7h..
=esi [store]=
0007f034  9c be f6 79 93 aa e5 09-c5 9c fa 64 7c 8b 13 fb  ...y.......d|...
=ebx [input]=
0007f7f4  32 ed 87 bd b5 fd c5 e9-cb a8 85 47 37 68 18 d4  2..........G7h..
=====
000c9778  "helloworld"
=====
0007f72c  72 fc 5e f3 8c 07 f2 43-88 01 7c 74 8c ea b3 30  r.^....C..|t...0
=esi [store]=
0007f034  9c be f6 79 93 aa e5 09-c5 9c fa 64 7c 8b 13 fb  ...y.......d|...
=ebx [input]=
0007f7f4  72 fc 5e f3 8c 07 f2 43-88 01 7c 74 8c ea b3 30  r.^....C..|t...0
