谍影重重5.0
Opening the capture shows SMB traffic, with the NTLMSSP authentication (NEGOTIATE / CHALLENGE / AUTHENTICATE) visible in the session setup.

The material needed for decryption comes from that NTLM exchange. The NTLMRawUnhide script pulls it out of the pcap in one step: it parses the NTLMSSP messages and prints the NetNTLMv2 hash (user, domain, server challenge, NTProofStr and the client blob) in hashcat/john format.

Download it and point it at the capture:
python NTLMRawUnHide.py -i 谍影重重5.0.pcapng

Running it prints the extracted NetNTLMv2 hash line.

Copy that line into 1.txt and crack it directly with hashcat (mode 5600 = NetNTLMv2):
hashcat.exe -m 5600 1.txt rockyou.txt
Be sure to use the wordlist that ships with Kali (/usr/share/wordlists/rockyou.txt, gunzip it first if it is still rockyou.txt.gz); the password is in it.

The hash cracks to babygirl233.
Next, use the SMB-traffic script to derive the session key. It takes the cracked password together with the values from the NTLMSSP AUTHENTICATE message: the user and domain, the NTProofStr, and the "Session Key" field (the encrypted random session key, passed to the script as -k). The server challenge comes from the CHALLENGE message. The derived key is what Wireshark needs in its SMB2 preferences (session ID / session key) to decrypt the SMB3 traffic.

password : babygirl233
Domain : .
Username : tom
Workstation : DESKTOP-KR221HK
sessionKey : 5643a37f253b00b2f52df1afd48c1514
Server Challenge : c1dec53240124487
ntProofStr : ca32f9b5b48c04ccfa96f35213d63d75
Script 1 (only the beginning of it is reproduced here):
#!/usr/bin/env python3
"""
This is a Python3 improved/interactive version of the script made by khr0x40sh for decrypting encrypted session keys in a PCAP file to view encrypted traffic.
If you don't specify the parameters, it will ask you for the parameter values.
It will check to see if pycryptodomex is installed, and if not, it will install it.
It can also accept NTLM hashes directly as well as passwords.
Usage:
python3 script_name.py -u USER -d DOMAIN -p PASSWORD -n NT_PROOF_STR -k ENCRYPTED_SESSION_KEY
Example:
python3 script_name.py -u alice -d EXAMPLE -p secret123 -n aabbccddeeff00112233445566778899 -k aabbccddeeff00112233445566778899
Description:
This script calculates the Random Session Key based on data extracted from a PCAP file.
It uses the NTLM hash of the user's password, NTProofStr, and an encrypted session key to generate a session key via RC4 encryption.
"""
import sys
import subprocess
import hashlib
import hmac
import argparse
import binascii
# Add user's local site-packages to sys.path so a pip --user install is found
import site
site.addsitedir(site.getusersitepackages())


# Function to install pycryptodomex (provides Crypto.Hash.MD4 and Crypto.Cipher.ARC4)
def install_pycryptodomex():
    try:
        # Check if pip is installed
        subprocess.check_call([sys.executable, "-m", "pip", "--version"])
    except subprocess.CalledProcessError:
        print("Error: pip is not installed. Please install pip first.")
        sys.exit(1)
    # Attempt to install pycryptodomex
    try:
        subprocess.check_call([sys.executable, "-m", "pip", "install", "pycryptodomex"])
    except subprocess.CalledProcessError:
        print("Error: failed to install pycryptodomex.")
        sys.exit(1)
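The two computations behind the steps above, written out as an added example (this is not the post's script and not NTLMRawUnhide's code): first, what hashcat mode 5600 does for every rockyou candidate, i.e. recompute NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob) and compare it with the captured one; second, how the random session key is recovered from the cracked password per MS-NLMP: NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain), KeyExchangeKey = HMAC-MD5(NTOWFv2, NTProofStr), RandomSessionKey = RC4(KeyExchangeKey, EncryptedRandomSessionKey). MD4 is implemented in pure Python because hashlib.new("md4") is frequently unavailable under OpenSSL 3. The user, domain, password and server challenge are the post's; the client blob and the encrypted session key in the demo are constructed values, since the post does not show them.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4 of the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: words in order, shifts 3/7/11/19
                f, k, s, add = F, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: word index (j%4)*4 + j//4, shifts 3/5/9/13
                j = i - 16
                f, k, s, add = G, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: fixed word order, shifts 3/9/11/15
                order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
                f, k, s, add = H, order[i - 32], (3, 9, 11, 15)[(i - 32) % 4], 0x6ED9EBA1
            a = _lrot((a + f(b, c, d) + X[k] + add) & MASK, s)
            a, b, c, d = d, a, b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def ntlm_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(user: str, domain: str, password: str) -> bytes:
    # MS-NLMP 3.3.2: only the user name is upper-cased, the domain is used as-is
    return hmac.new(ntlm_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def nt_proof_str(ntowf: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    # blob = the NTLMv2_CLIENT_CHALLENGE structure (timestamp, client nonce, target info)
    return hmac.new(ntowf, server_challenge + blob, "md5").digest()


def check_password(user, domain, password, server_challenge, ntproofstr, blob) -> bool:
    """One hashcat -m 5600 trial: does this candidate reproduce the captured NTProofStr?"""
    cand = nt_proof_str(ntowf_v2(user, domain, password), server_challenge, blob)
    return hmac.compare_digest(cand, ntproofstr)


def hashcat_5600_line(user, domain, server_challenge, ntproofstr, blob) -> str:
    """The NetNTLMv2 line NTLMRawUnhide emits: USER::DOMAIN:CHALLENGE:NTPROOFSTR:BLOB."""
    return f"{user}::{domain}:{server_challenge.hex()}:{ntproofstr.hex()}:{blob.hex()}"


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_exchange_key(user, domain, password, ntproofstr) -> bytes:
    # For NTLMv2 the SessionBaseKey is the KeyExchangeKey
    return hmac.new(ntowf_v2(user, domain, password), ntproofstr, "md5").digest()


def random_session_key(user, domain, password, ntproofstr, encrypted_session_key) -> bytes:
    """RC4-decrypt the AUTHENTICATE message's EncryptedRandomSessionKey.
    Only valid when NTLMSSP_NEGOTIATE_KEY_EXCH was negotiated; otherwise the
    KeyExchangeKey itself is the session key and there is nothing to decrypt."""
    return rc4(key_exchange_key(user, domain, password, ntproofstr), encrypted_session_key)


if __name__ == "__main__":
    user, domain, password = "tom", ".", "babygirl233"        # from the post
    server_challenge = bytes.fromhex("c1dec53240124487")       # from the post
    # Constructed blob and encrypted session key: the post does not show these
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 4
    proof = nt_proof_str(ntowf_v2(user, domain, password), server_challenge, blob)
    print(hashcat_5600_line(user, domain, server_challenge, proof, blob))
    print("candidate ok:", check_password(user, domain, password, server_challenge, proof, blob))
    enc_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    print("random session key:", random_session_key(user, domain, password, proof, enc_key).hex())
```

The cracking loop is simply check_password over the wordlist; hashcat is fast because each trial is two HMAC-MD5 calls plus one MD4, which is also why NetNTLMv2 captures are worth cracking. Note that the derived RandomSessionKey is the SMB2 session key; for SMB 3.x Wireshark still has to run its own KDF over it, which it does once the key is entered in the SMB2 preferences.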