Radmin password cracking

Comments: Radmin is a very good server management, whether it is remote desktop control or file transmission speed is very fast and very convenient. This also forms a lot of servers installed such as radmin. Now you say that the default port 4899 does not have where do you find the password server? As we all know, the radmin password is a 32-bit md5 encryption and stored in the registry. Radmin is a very good server management.
Remote Desktop control or file transfer
Fast and convenient
In this way, many servers are installed with radmin.
Now, where are you looking for a server with no password on the default port 4899?
We all know that the radmin password is encrypted with 32-bit md5.
Stored in the registry
The specific table key value is HKLM \ SYSTEM \ RAdmin \ v2.0 \ Server \ Parameters \. How can we further escalate permissions when a web Server is attacked?
If you say brute force password cracking is okay
You only need to have enough time and energy.
I think few people spend a few weeks, months, or even years cracking the password. Haha, where did I get a piece of information from my friends recently?
Is how to access the service weapon without cracking the Radmin password.
This is called password spoofing. I don't know either of them.
I used this idea to handle a lot of servers. Haha
Want to know how to implement it? Let's take a look.
Prerequisites:
It is recommended that a webshell have the permission to read the registry.
If you cannot read the radmin registry, at least the wscript. shell component is not deleted, we can call cmd.
Export the radmin table Value
The registry value of radmin, that is, the encrypted MD5 hash value is 32 bits.
For example, the password in the radmin registry is stored like this.
Port
Parameter REG_BINARY 1f 19 8c dd ************* there are 16 groups, each of which is a 32-Bit Tool:
Radmin Controller
OllyDBG disassembly first use OllyDBG to open the radmin control end (client)
Run ctrl f to search for jmp eax.
Then press F4. then press f8.
Right-click and choose "Search"> "all constants ".
Enter 10325476 (76543210 in turn)
In the pop-up window, select the first line F2 to be disconnected
Then run F9
Then you use radmin to connect to the server you want to intrude.
A prompt box will pop up asking you to enter your password.
After you input it, the OD will be activated. Then you need to run Ctrl F9 first and then select the red block in the upper lines, which is the place where the disconnection just occurred.
Press F2 again to cancel the breakpoint, and then press F8. Then, move the mouse down to find it.
Add es, 18 click F4.
In this case, you can just find a place in hex in the lower left corner.
Run Ctrl G and enter [esp] in the pop-up column. Note that
Then Replace the first line with the hash value of the radmin password we just obtained.
Then press F9 to see if Haha is working.
This method has very limited limitations. Generally, webshells can view the radmin registry.
Or you can use wscript. shell to export the radmin password.
I don't know how many times you need to save for brute force cracking ...... What surprised me is that OD can be used in addition to cracking software.