谍影重重5.0

Opening the capture shows a large amount of SMB traffic, encrypted, with NTLMv2 used for authentication.

Packet filter: ntlmssp

After authentication the SMB session carries a large amount of data.

Extract the fields from tom's packets

This gives the following data

username:tom

domain: .

NTProofStr: ca32f9b5b48c04ccfa96f35213d63d75

NTLMresponse: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

Combine them into a single hash to crack (user::domain:server challenge:NTProofStr:blob):

tom::.:c1dec53240124487:ca32f9b5b48c04ccfa96f35213d63d75: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

Run it through hashcat

which yields the password babygirl233

Use the script below to obtain the session key needed for decryption

With the session key and session ID in hand, the SMB traffic can be decrypted. Open the capture and go to

Edit -> Preferences -> Protocols -> NTLMSSP

Enter the key

babygirl233

Then export the SMB objects

We find a pfx, a der, and flag.7z

Export the archive

flag.7z is password-protected and cannot be opened directly. The other two files are certificates; judging by their names, they are the certificate used to encrypt the Remote Desktop session, and the capture does contain a large amount of RDP traffic.

Add a Wireshark filter:

rdp.fastpath.scancode.keycode

In Wireshark, click File -> Export Packet Dissections -> As JSON. The exported content looks like the following

The scancode values are hexadecimal; the script below maps them to keyboard keys.


# No imports needed: out.txt holds the keycode values pulled from the JSON export,
# one per line (e.g. 0x0a), so only the scancode table and a loop are required.

# IBM PC set-1 scancodes as sent in RDP fast-path keyboard events
scancode_map = {
    0x01: 'Esc',
    0x02: '1',
    0x03: '2',
    0x04: '3',
    0x05: '4',
    0x06: '5',
    0x07: '6',
    0x08: '7',
    0x09: '8',
    0x0A: '9',
    0x0B: '0',
    0x0C: '-',
    0x0D: '=',
    0x0E: '\b',
    0x0F: '    ',
    0x10: 'Q',
    0x11: 'W',
    0x12: 'E',
    0x13: 'R',
    0x14: 'T',
    0x15: 'Y',
    0x16: 'U',
    0x17: 'I',
    0x18: 'O',
    0x19: 'P',
    0x1A: '[',
    0x1B: ']',
    0x1C: '\n',
    0x1D: 'Ctrl',
    0x1E: 'A',
    0x1F: 'S',
    0x20: 'D',
    0x21: 'F',
    0x22: 'G',
    0x23: 'H',
    0x24: 'J',
    0x25: 'K',
    0x26: 'L',
    0x27: ';',
    0x28: '\'',
    0x29: '`',
    0x2A: ' Shift ',
    0x2B: '\\',
    0x2C: 'Z',
    0x2D: 'X',
    0x2E: 'C',
    0x2F: 'V',
    0x30: 'B',
    0x31: 'N',
    0x32: 'M',
    0x33: ',',
    0x34: '.',
    0x35: '/',
    0x36: ' Shift ',
    0x37: '*',
    0x38: ' Left Alt ',
    0x39: ' ',
    0x3A: ' Caps Lock ',
    0x3B: ' F1 ',
    0x3C: ' F2 ',
    0x3D: ' F3 ',
    0x3E: ' F4 ',
    0x3F: ' F5 ',
    0x40: ' F6 ',
    0x41: ' F7 ',
    0x42: ' F8 ',
    0x43: ' F9 ',
    0x44: ' F10 ',
    0x45: ' Num Lock ',
    0x46: ' Scroll Lock ',
    0x47: ' Home ',
    0x48: ' Up Arrow ',
    0x49: ' Page Up',
    0x4A: ' Keypad -',
    0x4B: ' Left Arrow',
    0x4C: ' Keypad 5',
    0x4D: ' Right Arrow',
    0x4E: ' Keypad +',
    0x4F: ' End',
    0x50: ' Down Arrow',
    0x51: ' Page Down',
    0x52: ' Insert',
    0x53: ' Delete',
    0x57: ' F11',
    0x58: ' F12'
}


def convert_hex_string(hex_string):
    # Strip the 0x prefix and upper-case the digits (helper kept from the original; not used below)
    if hex_string.startswith('0x'):
        hex_value = hex_string[2:].upper()
        return f'0x{hex_value}'
    return None  # return None if the string does not start with '0x'


# One keycode value per line, extracted from the JSON export
with open("out.txt", "r", encoding="utf-8") as file:
    lines = file.readlines()

# Strip newlines and drop empty lines
con = [line.strip() for line in lines if line.strip()]

print(con)
print("\n")

# Every keystroke shows up twice (key down, then key up), so skip an immediate repeat.
# The i > 0 guard keeps the first line from being compared with the last (con[-1]).
for i in range(len(con)):
    if i > 0 and con[i] == con[i - 1]:
        continue
    try:
        print(scancode_map[int(con[i], 16)], end="")
    except (KeyError, ValueError):
        pass  # unmapped scancode or a line that is not a hex number
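As an added example (not the original script), the decoder below works directly on the JSON export instead of a pre-extracted text file: it walks the exported packet tree for rdp.fastpath.scancode.keycode and, rather than dropping consecutive duplicates, uses the key-release flag so that a digit typed twice in a row is kept. The flag field name rdp.fastpath.eventflags and the sample packets are assumptions constructed for the example; the scancode table is a subset of the one above.

```python
import json

# Subset of the set-1 scancode table used above: digit row, Enter, Space, Backspace.
SCANCODES = {0x02: '1', 0x03: '2', 0x04: '3', 0x05: '4', 0x06: '5', 0x07: '6',
             0x08: '7', 0x09: '8', 0x0A: '9', 0x0B: '0', 0x0E: '\b', 0x1C: '\n', 0x39: ' '}

KEYCODE_FIELD = "rdp.fastpath.scancode.keycode"   # field name from the Wireshark filter above
FLAGS_FIELD = "rdp.fastpath.eventflags"           # assumed field name; bit 0x01 = key release
RELEASE = 0x01

def find_events(node):
    """Yield every dict carrying a keycode, anywhere in a Wireshark/tshark JSON export tree."""
    if isinstance(node, dict):
        if KEYCODE_FIELD in node:
            yield node
        for value in node.values():
            yield from find_events(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_events(item)

def decode_keystrokes(packets):
    """Turn exported packets into typed text, emitting one character per key-down event."""
    text = []
    for event in find_events(packets):
        flags = int(event.get(FLAGS_FIELD, "0"), 16)   # numeric fields are strings in the export
        if flags & RELEASE:
            continue                                    # key-up carries no new character
        code = int(event[KEYCODE_FIELD], 16)
        text.append(SCANCODES.get(code, f"<{code:#04x}>"))  # unmapped codes stay visible
    return "".join(text)

def load_export(path):
    """Read a File -> Export Packet Dissections -> As JSON file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def sample_packets():
    """Constructed stand-in for the JSON export: one fast-path event per packet, down then up."""
    def pkt(code, flags):
        return {"_source": {"layers": {"rdp": {KEYCODE_FIELD: f"0x{code:02x}",
                                               FLAGS_FIELD: f"0x{flags:04x}"}}}}
    presses = [0x0A, 0x04, 0x05, 0x08, 0x1C]   # constructed input: "9347" then Enter
    return [p for code in presses for p in (pkt(code, 0), pkt(code, RELEASE))]

if __name__ == "__main__":
    print(repr(decode_keystrokes(sample_packets())))   # '9347\n'
```

To run it on a real export, replace sample_packets() with load_export("export.json"); packets without the flag field are treated as key-down events.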

Password obtained: 9347013182

Concatenate babygirl233 (cracked with hashcat earlier) with 9347013182; the archive extracts successfully, giving
