A summary of experience and tricks for sniffing and hijacking port 3389, Remote Desktop and the RDP protocol

bizhi1

1. Sniff directly with the CAIN tool, then analyse the captured packets; the analysis method is described below.

2. First find out whose terminal sessions connect to that machine, then set up an rdp proxy, then ARP-spoof, and finally read the login in plaintext straight out of the rdp proxy's sniff log.

3. Phishing attack: use ARP hijacking to pass your own machine off as the target machine, then install a local password-logging tool on your machine, e.g. WinlogonHack, WinPswLogger and similar tools (note: these tools all need modifying so that they log even wrong passwords, otherwise you will record nothing!), then wait for the administrator to connect; once you have the password, undo the ARP hijack.

4. ARP hijacking plus man-in-the-middle forwarding and sniffing; described in detail below.

How to get the account and password from the RDP packets sniffed by CAIN:

Look carefully at the CAIN packets. If the login was made with a password saved locally in the Remote Desktop Connection client (mstsc.exe), the plaintext is right there.

If it was not a saved-credential login, i.e. the account and password were typed in after connecting, then the sniffed RDP data contains a specially decrypted section, one letter per line. Look for it carefully; the format is roughly this:

...... omitted ......
Key pressed client-side: 0x2c - 'z'
...... omitted ......
Key pressed client-side: 0x23 - 'h'
...... omitted ......
Key pressed client-side: 0x12 - 'a'
...... omitted ......
Key released client-side: 0x31 - 'n'
...... omitted ......
Key pressed client-side: 0x22 - 'g'
...... omitted ......
Key pressed client-side: 0x20 - 'h'
...... omitted ......
Key pressed client-side: 0x17 - 'a'
...... omitted ......
Key pressed client-side: 0x31 - 'o'
...... omitted ......

// the string is: zhanghao

Search for "Key pressed" and "Key released" and you get the letters listed one by one; these are the keystrokes the user typed after the connection succeeded. Put them together and you get the account and password.

Pay attention to special keys such as Enter, Space and Backspace, and to the left and right arrow keys, which are used to move the cursor between input fields; if you miss them, the reconstructed password comes out in the wrong order.

At the same time, here is a small tip for defeating sniffing and password logging: type the second half first, then use the mouse to move the cursor to the very beginning of the input field (why not use the arrow keys? because arrow-key presses can be recovered from the packets), and then type the first half. The password the attacker finally pieces together is then in the wrong order.

This trick works against all keystroke-logging software; of course you can elaborate on it and use a more complicated typing order. (See this post: CainARP嗅探3389密码问题解决杂谈)

Tool for decoding RDP packets:

There is a tool called RDP Parser that can decode sniffed or intercepted RDP packet files and extract keystroke information, which is then used to piece together the username and password. (The tool is here: cain rdp parser)

ARP hijacking plus man-in-the-middle forwarding and sniffing:

This method is quite old; around 23 August 2010 someone posted it on his blog.

I won't write out the specifics; the content is roughly the same as what follows.

After half a month of spare time, a sniffer tool with functionality similar to CAIN's APR RDP feature was finally finished this weekend.

Worth mentioning: CAIN can only sniff RDP under bidirectional spoofing; if the server side has bound the gateway, it can only sniff the connection, not the data, let alone passwords and the like.

hijackport + rdpproxy can obtain RDP packets under one-way spoofing and decrypt and restore them.

On sniffing RDP: the hijackport + rdpproxy combination, which is more powerful than cain arp rdp, and how it obtains passwords.

1. Phishing (a bit silly)

2. One-way-mode sniffer rdp is stronger than cain arp rdp (cain arp rdp must be in bidirectional mode to obtain passwords and similar information; hijackport + rdpproxy can break through and obtain the password, or every keyboard message the other side types, even when the other side has bound its entries).

Another unconventional ARP method:

This one is unconventional in that the idea is a bit different; it takes a different route.

This write-up is even earlier than no. 1, and the principle is simpler.

Principle:

A. Man-in-the-middle

B. Target

C. Client

Note:

Because the environment was a bit special, a note here: during the process the target's MAC could not be obtained; only the gateway's MAC could.

But that didn't matter. To check whether the test environment met the requirements, one ARP packet was sent to the gateway: B, the target, went down, and the whole recovery took 20 minutes.

From this it can be judged that the gateway does no binding and can be ARP-spoofed, but one ARP packet can knock the target off for 20 minutes, which also shows that the gateway refreshes its ARP table once every 20 minutes. Having no target MAC means data has to be forwarded through the man-in-the-middle, so a very bold test was done.

1. Send an ARP spoof once every 20 minutes.

2. Emulate ICMP so that the target can be pinged.

3. Emulate the TCP three-way handshake and forge an HTTP reply that returns a fake defaced page.

4. Redirect C --> B:3389 to C --> A:3389 and log the password.

5. If the password is obtained successfully, stop the port redirection, stop the emulation, stop sending ARP and wait for the gateway to refresh its ARP cache; during this time neither side can log in, until the gateway refreshes. During this long wait, run ping <target IP> -t to get online ahead of the administrator.

6. After that it comes down to luck.
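The one defensive detail both write-ups above turn on is ARP binding: once the server or gateway pins its ARP entries, neither the one-way nor the two-way spoofing described yields RDP data, and a spoofed gateway entry is visible in the victim's own ARP cache as a changed gateway MAC or as one MAC claimed by two IP addresses. The following Python is an added example, not code from this post or from the rdpproxy, hijackport or Cain tools it mentions: it parses constructed Windows-style arp -a output, compares the gateway entry with a MAC recorded while the network was known-good, flags the two symptoms, and prints the arp -s static binding that the posts refer to as "binding". Every IP and MAC in it is a constructed sample value (MACs from the 00-00-5e-00-53-xx documentation range), and the known-good gateway MAC is an assumed baseline an administrator would have recorded beforehand.

```python
import re
from collections import defaultdict

# Matches entry lines of Windows `arp -a` output: "IP  MAC  type".
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)

# Constructed sample: a clean ARP cache on the client (documentation-range
# MACs, not real hardware).
CLEAN_ARP = """\
Interface: 192.168.0.220 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-00-5e-00-53-01     dynamic
  192.168.0.189         00-00-5e-00-53-ee     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample: the same cache after the gateway entry has been
# overwritten with the MAC of host .189, i.e. the one-way spoofing case.
SPOOFED_ARP = """\
Interface: 192.168.0.220 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-00-5e-00-53-ee     dynamic
  192.168.0.189         00-00-5e-00-53-ee     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

# Assumed baseline: the gateway MAC recorded on a known-good day.
KNOWN_GATEWAY = ("192.168.0.1", "00:00:5e:00:53:01")


def normalise_mac(mac):
    """Lower-case, colon-separated form so '-' and ':' styles compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` style output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, _entry_type = m.groups()
            table[ip] = normalise_mac(mac)
    return table


def find_anomalies(table, known_gateway):
    """Flag a changed gateway MAC and any MAC that two or more IPs resolve to.

    Broadcast (ff:ff:...) and IPv4 multicast (01:00:5e:...) entries are
    skipped, since several addresses legitimately share those MACs."""
    alerts = []
    gw_ip, gw_mac = known_gateway
    gw_mac = normalise_mac(gw_mac)
    seen = table.get(gw_ip)
    if seen is not None and seen != gw_mac:
        alerts.append(f"gateway {gw_ip} resolves to {seen}, expected {gw_mac}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e:"):
            continue
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claimed by {', '.join(sorted(ips))}")
    return alerts


def static_binding_command(known_gateway):
    """The Windows `arp -s` command that pins the gateway entry (the 'binding'
    the posts say stops the sniffers). arp.exe expects hyphenated MACs."""
    gw_ip, gw_mac = known_gateway
    return f"arp -s {gw_ip} {normalise_mac(gw_mac).replace(':', '-')}"


if __name__ == "__main__":
    for label, snapshot in (("clean", CLEAN_ARP), ("spoofed", SPOOFED_ARP)):
        alerts = find_anomalies(parse_arp_table(snapshot), KNOWN_GATEWAY)
        print(f"{label}: {alerts or 'no anomalies'}")
    print("mitigation:", static_binding_command(KNOWN_GATEWAY))
```

Run it against a live host by piping the real `arp -a` output into parse_arp_table; the check is only as good as the recorded baseline, so the known-good gateway MAC must be captured out of band (from the switch or router itself), not from a cache that may already be poisoned. A static entry only protects the host it is set on; the gateway side needs the equivalent binding, which is exactly the condition under which the posts above say the sniffers stop working.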

Related tools:

1. rdpproxy: Rdp Proxy, a program that forwards RDP protocol packets; used to forward port 3389 traffic and then intercept it, you know...

2. hijackport: Hijack Port, used to hijack a port; normally used together with Rdp Proxy.

3. Cain: the well-known all-in-one hacking tool; everyone knows it, no explanation needed...

4. RDP Parser: decodes sniffed or intercepted RDP packet files and extracts keystroke information, used to piece together the username and password in the end.

Demo details:

Own machine:

IP: 192.168.0.189 --> MAC: 00:23:CD:95:17:A1 --> Windows XP (classic theme) or Windows 2003

Here 189 plays the role of a data-centre gateway; see the notes for details.

Virtual machine:

IP: 192.168.0.220 --> MAC: 00:03:FF:95:17:A1 --> Windows XP

Having a side income is always good, especially when you can easily manage the work along with your full time job. If your regular work involves working on an Internet-connected computer, trading stocks is a popular option to earn a few extra bucks.

While there are quite a few stock-monitoring applications available for Linux, most of them are GUI-based. What if you're a Linux professional who spends a lot (or all) of your time working on machines that do not have any GUI installed? Are you out of luck? Well, no, there are some command line stock-tracking tools, including Mop, which we'll be discussing in this article.

Mop

Mop, as already mentioned in the introduction above, is a command line tool that displays continuous and updated information about the US stock markets and individual stocks. Implemented in the GO programming language, the project is the brain child of Michael Dvorkin.

Download and Install

Since the project is implemented in GO, before installing the tool, you’ll first have to make sure that the programming language is installed on your machine. Following are the steps required to install GO on a Debian-based system like Ubuntu:

sudo apt-get install golang
mkdir ~/workspace
echo 'export GOPATH="$HOME/workspace"' >> ~/.bashrc
source ~/.bashrc

Once GO is installed, the next step is to install the Mop tool and set the environment, something which you can do by running the following commands:

sudo apt-get install git
go get github.com/michaeldv/mop
cd $GOPATH/src/github.com/michaeldv/mop
make install
export PATH="$PATH:$GOPATH/bin"

Once done, just run the following command to execute Mop:

cmd

Features

When you run the Mop command for the first time, you’ll see an output similar to the following.

As you can see in the image above, the output – which auto-refreshes frequently – contains information related to various popular stock exchanges around the world as well as individual stocks.

Add/remove stocks

Mop allows you to easily add/remove individual stocks to and from the output list. To add a stock, all you have to do is to press “+” and mention the stock listing name when prompted. For example, the following screenshot was taken while adding Facebook (FB) to the list.

As I pressed the “+” key, a row containing text “Add tickers:” appeared, prompting me to add the stock listing name – I added FB for Facebook and pressed Enter. The output refreshed, and the new stock was added to the list:

Similarly, you can delete a stock listing by pressing “-” and mentioning its name.

Group stocks based on value

There is a way to group stocks based on whether their value is going up or down – all you have to do is press the "g" key. Following this, the stocks which are advancing will be grouped together and shown in green, while those whose value is going down will be shown in black.

Here is an example screenshot.
Column sort

Mop also allows you to change the sort order of individual columns. For this you first need to press “o” (this will select the first column by default), and then use the left and right arrow keys to select the column you want to sort. Once done, press enter to sort the column contents.

For example, the following screenshot shows the output after the contents of the first column were sorted in descending alphabetical order.

Note: to better understand, compare it with the previous screenshot.

Other options

Other available options include “p” for pausing market data and stock updates, “q” or “esc” for quitting the command line application, and “?” for displaying the help page.