"Experimental Purpose"
1) Understand how SAMInside cracks the local SAM hash
2) Learn the process of cracking local SAM hashes with SAMInside
"Experimental principle"
A Windows password hash consists of two parts: the LM hash and the NT hash. A SAM entry is stored in the form
username:RID:LM-hash:NT-hash
LM hash generation rules:
1. The password is limited to a maximum of 14 characters.
2. The password is converted to uppercase.
3. The password is encoded using the system's OEM code page.
4. A password shorter than 14 bytes is padded with zero bytes to 14 bytes.
5. The fixed-length 14-byte value is split into two 7-byte halves. Each half is treated as a bit stream and a 0 bit is appended after every 7 bits, producing a new 8-byte value.
6. Each of the two 8-byte values from the previous step is used as a DES key to encrypt the constant string "KGS!@#$%".
7. The two DES outputs are concatenated to give the final LM hash.
The principle of NT hash generation
The LM hash algorithm designed by IBM has several weaknesses. Microsoft introduced its own challenge-response mechanism while keeping backward compatibility, and the NTLM hash appeared. Suppose the plaintext password is "123456". It is first converted to a Unicode (UTF-16 little-endian) string; unlike the LM algorithm, it is not padded with zeros to 14 bytes:
"123456" -> 310032003300340035003600
The conversion from an ASCII string to a Unicode string uses little-endian byte order. Microsoft did not consider big-endian order when designing the SMB protocol, so the ntoh*() and hton*() functions are not applicable to SMB packet decoding. A standard ASCII code below 0x80 converts to Unicode simply as the byte followed by 0x00, so a standard ASCII string becomes its little-endian Unicode form by appending 0x00 after every byte of the original. A standard MD4 one-way hash is then computed over the resulting Unicode string; regardless of the input length, MD4 produces a fixed 128-bit (16-byte) value. The MD4 hash of 310032003300340035003600 is 32ed87bdb5fdc5e9cba88547376818d4, which is the final NTLM hash.
NTLM hash: 32ed87bdb5fdc5e9cba88547376818d4
"Experimental Environment"
This environment simulates an attacker who has already obtained the target machine's hashes and uses SAMInside to crack them.
"Experimental Steps"
1. Obtain the system SAM hashes
Example: exporting the local SAM hashes with pwdump: http://klmyoil.blog.51cto.com/10978910/1721965
2. Recover the system password
2.1 Open SAMInside.exe
2.2 Import the hash file saved on the desktop
2.3 Select the account to be cracked
2.4 Click 'Audit', then tick 'NT-hash Attack' and 'Dictionary Attack'
2.5 Click the Options entry under the Toolbox
2.6 Select the Dictionaries option
2.7 Click 'Add' and add the InsidePro (Mini).dic password dictionary from the Dictionaries folder under the SAMInside program directory
2.8 Click the Start button
2.9 The password is cracked and the experiment ends.
Windows password security and cracking: SAMInside cracks the local SAM hash