Windows password security and cracking: using SAMInside to crack the local SAM hash

Source: Internet
Author: User

"Experimental Purpose"

1) Understand how SAMInside cracks the local SAM hash

2) Learn the procedure for cracking local SAM hashes with SAMInside

"Experimental principle"

A Windows account hash consists of two parts, the LM hash and the NT hash. In a pwdump-style export each account is written as one line in the following format (pwdump appends three further colons, :::, to each line):


User name:RID:LM-hash:NT-hash


LM hash generation rules:


1. The password is limited to a maximum of 14 characters; anything longer is truncated.

2. The password is converted to uppercase.

3. The password is encoded in the system's OEM code page.

4. A password shorter than 14 bytes is padded with NUL (0x00) bytes to 14 bytes.

5. The 14-byte password is split into two 7-byte halves. Each half is treated as a 56-bit stream and a 0 bit is appended after every 7 bits, giving an 8-byte DES key (the added bit sits where DES keeps its parity bit).

6. Each of the two 8-byte keys is used as a DES key to encrypt the fixed string "KGS!@#$%".

7. The two 8-byte DES ciphertexts are concatenated to give the final 16-byte LM hash.

Because the two halves are encrypted independently, each can be attacked on its own as an at-most-7-character, case-insensitive password. A password of 7 characters or fewer leaves the second half as the encryption of "KGS!@#$%" under an all-zero key, the well-known value AAD3B435B51404EE; seeing it in a dump tells you immediately that the password is at most 7 characters. When both halves show that value, the account has an empty password or the system no longer stores LM hashes at all.
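The seven steps above carried out in code, as an added example that is not part of the original page and not SAMInside's own code: the key expansion of step 5 and the DES encryption of steps 6 and 7, using Go's standard crypto/des. Only ASCII passwords are modelled; the OEM code page conversion of step 3 is assumed to reduce to plain ASCII uppercasing.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that each half of the password
// encrypts (step 6).
var lmMagic = []byte("KGS!@#$%")

// lmDESKey turns 7 password bytes (56 bits) into an 8-byte DES key (step 5):
// each 7-bit group becomes the high seven bits of one key byte and the low
// bit, DES's parity bit, is left as 0. Go's DES does not check parity.
func lmDESKey(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		group := (bits >> (uint(7-i) * 7)) & 0x7F
		key[i] = byte(group << 1)
	}
	return key
}

// lmHash applies steps 1-7 to an ASCII password. The OEM code page
// conversion (step 3) is not modelled: bytes are taken as-is after ASCII
// uppercasing, which is exact for the printable ASCII range (assumption).
func lmHash(pw string) []byte {
	p := []byte(strings.ToUpper(pw)) // step 2
	if len(p) > 14 {
		p = p[:14] // step 1: only the first 14 characters count
	}
	p = append(p, make([]byte, 14-len(p))...) // step 4: NUL-pad to 14 bytes
	out := make([]byte, 16)
	for i := 0; i < 2; i++ { // step 5: two independent 7-byte halves
		c, err := des.NewCipher(lmDESKey(p[7*i : 7*i+7]))
		if err != nil {
			panic(err) // only possible with a key that is not 8 bytes long
		}
		c.Encrypt(out[8*i:8*i+8], lmMagic) // step 6; step 7 is the concatenation
	}
	return out
}

func lmHashHex(pw string) string { return hex.EncodeToString(lmHash(pw)) }

func main() {
	// Every password of seven characters or fewer shares the second half
	// "aad3b435b51404ee", and letter case makes no difference.
	for _, pw := range []string{"", "123456", "password", "PASSWORD"} {
		fmt.Printf("%-12q %s\n", pw, lmHashHex(pw))
	}
}
```

Run it with go run and compare the output against a pwdump export of a test account: the second half of every short password is identical, which is exactly the weakness SAMInside's LM attacks exploit.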


NT hash generation principle


The LM hash algorithm designed by IBM has several weaknesses, so Microsoft introduced its own challenge-response mechanism (NTLM) while keeping backward compatibility, and the NT hash appeared with it. Assume the plaintext password is "123456". It is first converted to a Unicode string; unlike the LM algorithm, it is not padded with zeros to 14 bytes:


"123456" -> 310032003300340035003600


The ASCII-to-Unicode conversion uses little-endian byte order (UTF-16LE). Microsoft did not consider big-endian order when designing the SMB protocol, so the ntoh*() and hton*() functions are not suitable for decoding SMB packets. A standard ASCII character below 0x80 becomes the Unicode code unit 0x00xx, so in little-endian order a plain ASCII string is converted simply by appending 0x00 after each original byte. The resulting Unicode string is then hashed with standard MD4, which produces a fixed 128-bit (16-byte) value regardless of the input length: MD4 of the 12 bytes 310032003300340035003600 is 32ed87bdb5fdc5e9cba88547376818d4, the NT hash. Note that there is no salt and no truncation: every account with the same password has the same NT hash, which is what makes the dictionary attack below practical, and the hash itself can be replayed in NTLM authentication (pass-the-hash), so a SAM dump is valuable to an attacker even when no password is recovered.


NT hash (also called the NTLM hash): 32ed87bdb5fdc5e9cba88547376818d4

"Experimental Environment"

This lab simulates an attacker who has already obtained the target machine's hashes and uses SAMInside to crack them.

"Experimental Steps"

1. Export the local SAM hashes


Example: exporting the local SAM hashes with pwdump: http://klmyoil.blog.51cto.com/10978910/1721965


2. Recover the passwords

2.1 Open SAMInside.exe


[Screenshot 111.png: Http://s5.51cto.com/wyfs02/M01/77/9E/wKioL1ZqUDDi_fZKAAFpXM1PqrI187.png]


2.2 Import the hash file we saved on the desktop



2.3 Select the account to crack



2.4 Click 'Audit', then tick 'NT-hash attack' and 'Dictionary attack'. The NT-hash attack targets the NT hash rather than the LM hash; it is the one that still works when the LM field holds only the empty-password value aad3b435b51404eeaad3b435b51404ee, as it does on systems that no longer store LM hashes.





[Screenshot 222.png: Http://s5.51cto.com/wyfs02/M02/77/9E/wKioL1ZqUDPjJkOVAAIiyADiXgo204.png]


2.5 Click 'Options' under the 'Tools' menu



2.6 Select the 'Dictionaries' tab


[Screenshot 333.png: Http://s5.51cto.com/wyfs02/M00/77/9E/wKioL1ZqUDXTw5-hAAD6FGd9RAo890.png]

2.7 Click 'Add' and add the InsidePro (Mini).dic password dictionary from the Dictionaries folder of the SAMInside installation


[Screenshot 444.png: Http://s4.51cto.com/wyfs02/M01/77/9F/wKiom1ZqUDnRqGYYAAEniuYgNMU812.png]


2.8 Click the Start button


[Screenshot 555.png: Http://s2.51cto.com/wyfs02/M02/77/9F/wKiom1ZqUD2xiu7qAAEngTOtscw909.png]



2.9 The password is cracked and the experiment ends.
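The NT hash construction from the "Experimental principle" section and the NT-hash dictionary attack that steps 2.4 to 2.9 run inside SAMInside, written out as an added example (not code from the page and not SAMInside's own code). MD4 is implemented from RFC 1320 because Go's standard library does not include it. The pwdump-style dump and the word list are constructed for this example and stand in for the exported hash file and InsidePro (Mini).dic.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 follows RFC 1320 (Go's standard library has no MD4): three rounds of
// sixteen steps over each 64-byte block, all words little-endian.
func md4(msg []byte) [16]byte {
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	k2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	k3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	// Padding: 0x80, zeros up to 56 mod 64, then the message length in bits.
	buf := append(append([]byte{}, msg...), 0x80)
	for len(buf)%64 != 56 {
		buf = append(buf, 0)
	}
	buf = binary.LittleEndian.AppendUint64(buf, uint64(len(msg))*8)
	a0, b0, c0, d0 := uint32(0x67452301), uint32(0xEFCDAB89), uint32(0x98BADCFE), uint32(0x10325476)
	for off := 0; off < len(buf); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(buf[off+4*i:])
		}
		a, b, c, d := a0, b0, c0, d0
		for i := 0; i < 16; i++ { // round 1
			a, b, c, d = d, bits.RotateLeft32(a+f(b, c, d)+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2
			a, b, c, d = d, bits.RotateLeft32(a+g(b, c, d)+x[k2[i]]+0x5A827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3
			a, b, c, d = d, bits.RotateLeft32(a+h(b, c, d)+x[k3[i]]+0x6ED9EBA1, s3[i%4]), b, c
		}
		a0, b0, c0, d0 = a0+a, b0+b, c0+c, d0+d
	}
	var out [16]byte
	for i, v := range [4]uint32{a0, b0, c0, d0} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// utf16le is the NT hash input; for ASCII it is just a 0x00 after every byte.
func utf16le(pw string) []byte {
	units := utf16.Encode([]rune(pw))
	out := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(out[2*i:], u)
	}
	return out
}

// ntHashHex: MD4 over the UTF-16LE password, no padding, no uppercasing, no salt.
func ntHashHex(pw string) string {
	h := md4(utf16le(pw))
	return hex.EncodeToString(h[:])
}

// parsePwdump maps user name -> NT hash from "user:RID:LM-hash:NT-hash:::" lines.
func parsePwdump(dump string) map[string]string {
	nt := map[string]string{}
	for _, line := range strings.Split(dump, "\n") {
		if f := strings.Split(strings.TrimSpace(line), ":"); len(f) >= 4 {
			nt[f[0]] = strings.ToLower(f[3])
		}
	}
	return nt
}

// crackNT is the NT-hash dictionary attack: hash each candidate word once and
// compare it with every account. Returns user name -> recovered password.
func crackNT(ntByUser map[string]string, words []string) map[string]string {
	found := map[string]string{}
	for _, w := range words {
		h := ntHashHex(w)
		for user, nt := range ntByUser {
			if nt == h {
				found[user] = w
			}
		}
	}
	return found
}

// Constructed sample: a pwdump-style export (passwords "123456" and empty) and
// a tiny word list standing in for InsidePro (Mini).dic.
const sampleDump = `Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::`

var sampleWords = []string{"password", "letmein", "", "123456", "qwerty"}

func main() { fmt.Println(crackNT(parsePwdump(sampleDump), sampleWords)) }
```

The attack hashes each dictionary word once and compares it against every imported account, which is possible only because the NT hash is unsalted; an empty word in the list catches accounts with no password at all (the Guest entry above), and any account whose password is not in the dictionary simply stays absent from the result.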
