Radmin password cracking

You have used the eval sehll of lake2! Recently, Radmin seems to be quite popular. I also came to join us and made a plug-in to read Radmin ciphertext and port. A hexadecimal conversion has been made!

Readme:
1. Download the shell of lake2 eval.
2. Save radminreader.htm to the func directory.
3. select attribute of the drop-down table in pull lake2eval.htm
<Optionvalue = "radminreader"> radminreader </option>

PS: The program requires support from wscript. Shell! For easy reading, the read data has been converted in hexadecimal format!

: Http://201314.free.fr/attachments/200709/radminreader.rar

 

Source: fhod's blog

Radmin is a good server management service.
Remote Desktop control or file transfer
Fast and convenient
In this way, many servers are installed with Radmin.
Now, where are you looking for a server with no password on the default port 4899?
We all know that the Radmin password is encrypted with 32-bit MD5.
Stored in the registry
The specific table key value is HKLM/system/Radmin/V2.0/Server/parameters/

How can we further escalate permissions when attacking a web server?
If you say brute force password cracking is okay
You only need to have enough time and energy.
I think few people spend weeks, months, or even years cracking the password.

Haha, where did I get a copy of my friend recently?
Is how to access the service weapon without cracking the Radmin password.
This is called password spoofing. I don't know either of them.
I used this idea to handle a lot of servers. Haha
Want to know how to implement it? Let's take a look.
Prerequisites:
It is recommended that a webshell have the permission to read the registry.
If you cannot read the Radmin registry, at least the wscript. Shell component is not deleted, we can call cmd.
Export the Radmin table Value
The registry value of Radmin, that is, the encrypted MD5 hash value is 32 bits.
For example, the password in the Radmin registry is stored like this.
Port
Parameter REG_BINARY 1f 19 8C dd ************ there are 16 groups, each of which is a 32-bit combination.

Tools:
Radmin Controller
Ollydbg Disassembly

First, open the Radmin Console (client) with ollydbg)
Run Ctrl + F to search for JMP eax.
Then press F4. then press f8.
Right-click and choose "Search"> "all constants ".
Enter 10325476 (76543210 in turn)
In the pop-up window, select the first line f2 to be disconnected
Then run F9
Then you use Radmin to connect to the server you want to intrude.
A prompt box will pop up asking you to enter your password.
After entering the information, the OD will be activated.

At this time, you need to run Ctrl + F9 and then select the red block in the upper lines, which is the last part of the disconnection.
Press F2 again to cancel the breakpoint, and then press F8. Then, move the mouse down to find it.
Add es, 18 click F4.
In this case, you can just find a place in hex in the lower left corner.
Run Ctrl + G and enter [esp] in the pop-up box. Note that
Then Replace the first line with the hash value of the Radmin password we just obtained.
Then press F9 to see if Haha is working.
This method has very limited limitations. Generally, webshells can view the Radmin registry.
Or you can use wscript. Shell to export the Radmin password.
I don't know how many times it will save compared to brute force cracking ......

What surprised me is that OD can be used in addition to cracking software.

Article from: http://www.lcocn.com/read.php? Tid = 3366 & fpage = 0 & toread = & page = 1
Animation address: http://www.hack58.net/Soft/html/13/25/2007/2007082211234.htm