Gain insight into Windows

Source: Internet
Author: User
Tags bitlocker recovery

1.1. What is Windows

Microsoft Windows is a family of operating systems developed by Microsoft in the United States. It was introduced in 1985, initially as just a simulation environment on top of Microsoft DOS; thanks to Microsoft's ongoing updates, later versions became easy to use, and Windows gradually became the most popular operating system in households. Windows uses a graphical user interface (GUI), which is more user-friendly than DOS, where instructions had to be typed. As computer hardware and software have been upgraded, Windows has been upgraded too: the architecture has gone from 16-bit to 32-bit to 64-bit, and the system versions from the original Windows 1.0 to the familiar Windows 95, Windows 98, Windows ME, Windows 2000, Windows 2003, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, and the Windows Server enterprise operating systems.


1.2. Common Windows users

    • SYSTEM: The user with the highest privileges on the local machine.
    • Administrator: The user with the highest privileges on the local machine.
    • Guest: Has relatively few permissions and is disabled by default.



1.3. Common Windows user groups

Administrators: the administrators group. By default, users in Administrators have unrestricted full access to the computer/domain. The default permissions assigned to the group allow full control of the entire system. Therefore, only trusted people should become members of this group.

Power Users: the advanced user group. Members can perform any operating system task other than the tasks reserved for the Administrators group. The default permissions assigned to the Power Users group allow its members to modify the settings for the entire computer. However, Power Users do not have the right to add themselves to the Administrators group. In the permission settings, the permissions of this group are second only to Administrators.

Users: the normal user group. Members of this group cannot make intentional or unintentional changes to the system. As a result, users can run validated applications, but they cannot run most legacy applications. The Users group is the safest group because the default permissions assigned to it do not allow members to modify the operating system settings or user profiles, so it provides the safest environment for running programs. On NTFS-formatted volumes, the default security settings are designed to prevent members of the group from compromising the integrity of the operating system and installed programs. Users cannot modify system registry settings, operating system files, or program files. Users can shut down a workstation, but cannot shut down a server. Users can create local groups, but can only modify local groups that they created.

Guests: the guest group. By default, guests have the same access as members of the normal Users group, but the Guest account has more restrictions.

Everyone: as the name implies, all users on this computer belong to this group.

1.4. Windows folder permissions

① Full Control:
This permission allows users to take full control of folders, subfolders and files, for example modifying the permissions of a resource, taking ownership of a resource, or deleting a resource. Having Full Control is equal to having all other permissions.
② Modify:
This permission allows the user to modify or delete the resource, and also gives the user the write, read and run permissions.
③ Read and run (Read & Execute):
This permission allows the user to read and list the resource directory, and also allows the user to move and traverse through the resource, so the user can access subfolders and files directly even without permission to access the path.
④ List folder contents (List Folder Contents):
This permission allows the user to view subfolders and file names in the resource.
⑤ Read:
This permission allows a user to view the files and subfolders in the folder, as well as the folder's properties, owner, and permissions.
⑥ Write:
This permission allows users to create new files and subfolders in the folder, to change the properties of a folder, to view the owner and permissions of a folder, and so on.
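To tie the groups in 1.3 to the permissions in 1.4, the following Python audit (an added example, not part of the original page) parses `icacls` output and reports broad groups that have been granted Write, Modify or Full Control on a folder. The path and the sample output are constructed, and the function names are assumptions of this example.

```python
import re

# icacls simple-rights letters -> permission names used in section 1.4
SIMPLE_RIGHTS = {"F": "Full Control", "M": "Modify", "RX": "Read & Execute",
                 "R": "Read", "W": "Write"}
WRITE_CAPABLE = ("F", "M", "W")  # checked strongest first
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Broad groups (section 1.3) that should rarely be able to change content
BROAD_GROUPS = {"everyone", "users", "guests", "authenticated users"}
ACE_RE = re.compile(r"^(?P<who>.+):(?P<flags>(?:\([^()]+\))+)$")

# Constructed sample of `icacls C:\inetpub\wwwroot` output (hypothetical path)
SAMPLE_PATH = r"C:\inetpub\wwwroot"
SAMPLE_ICACLS = r"""C:\inetpub\wwwroot BUILTIN\Administrators:(OI)(CI)(F)
                   BUILTIN\Users:(OI)(CI)(RX)
                   Everyone:(OI)(CI)(M)
                   BUILTIN\Guests:(DENY)(W)
Successfully processed 1 files; Failed processing 0 files
"""

def parse_aces(path, icacls_text):
    """Return [(principal, rights, is_deny)] parsed from `icacls <path>` output."""
    aces = []
    for line in icacls_text.splitlines():
        # The first ACE shares its line with the path; later ones are indented.
        line = line.strip().removeprefix(path).strip()
        m = ACE_RE.match(line)
        if not m:  # blank line or the "Successfully processed" summary
            continue
        tokens = re.findall(r"\(([^()]+)\)", m.group("flags"))
        rights = set()
        for tok in tokens:
            if tok not in INHERIT_FLAGS and tok != "DENY":
                rights.update(tok.split(","))  # "(RX,W)" lists several rights
        aces.append((m.group("who"), rights, "DENY" in tokens))
    return aces

def risky_grants(path, icacls_text):
    """Flag allow-ACEs that give a broad group Write, Modify or Full Control."""
    findings = []
    for who, rights, is_deny in parse_aces(path, icacls_text):
        if is_deny or who.split("\\")[-1].lower() not in BROAD_GROUPS:
            continue
        granted = [r for r in WRITE_CAPABLE if r in rights]
        if granted:
            findings.append((who, SIMPLE_RIGHTS[granted[0]]))
    return findings

if __name__ == "__main__":
    print(risky_grants(SAMPLE_PATH, SAMPLE_ICACLS))
```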


Section II: Windows password security

Tool one, Quarks PwDump
Quarks PwDump is a credential export tool for Win32 environments. Currently there is no other tool that can export such comprehensive information, supports so many OS versions, and is fairly stable. It can currently export:

    • Local accounts NT/LM hashes + history
    • Domain accounts NT/LM hashes + history
    • Cached domain passwords
    • BitLocker recovery information (recovery passwords & key packages)

Supported operating systems: XP/2003/Vista/7/2008/81

 

Instructions for use:

    quarks-pwdump.exe <options>
    Options :
    -dhl  --dump-hash-local
    -dhdc --dump-hash-domain-cached
    -dhd  --dump-hash-domain (NTDS_FILE must be specified)
    -db   --dump-bitlocker (NTDS_FILE must be specified)
    -nt   --ntds-file FILE
    -hist --with-history (optional)
    -t    --output-type JOHN/LC (optional, if no=>JOHN)
    -o    --output FILE (optional, if no=>stdout)

    Example: quarks-pwdump.exe --dump-hash-domain --with-history



Tool two, Saminside

Saminside is a Russian-made Windows password recovery program that supports the Windows NT/2000/XP/Vista operating systems and is primarily used to recover Windows user login passwords.



Instructions for use:
Import the local system and files; you can also import from project files. Note that the SAM file is the system SAM file, generally found under the C:\WINDOWS\system32\config path.





Press the shortcut key "F4". Depending on the password complexity, password length and machine performance, the result sometimes arrives quickly. If it takes too long, you can pause and save the cracking state for the next run.


Tool three, Mimikatz

Well known to experts, and a tool commonly used in penetration testing. It is a lightweight debugger from a very capable French developer that can help security testers capture Windows passwords.


Instructions for use:

    First command:  privilege::debug            // elevate privileges
    Second command: sekurlsa::logonpasswords    // capture passwords



First you need to know whether your operating system is 32-bit or 64-bit.
Right-click My Computer and open Properties.


If your computer is 64-bit, it will be clearly labeled "x64"; if nothing is indicated, your computer is 32-bit.




Section III: Using the hash to log in to a remote system


In the second section we obtained the hash:

    44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
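The LM:NT pair above already shows weaknesses an administrator should remove from their own systems. The following Python audit is an added example, not part of the original page: it reads an exported hash list and reports accounts whose LM hash is still stored or whose password is blank. The `user:rid:LM:NT:::` line layout, the account names and bob's hash are assumptions constructed for the example; only alice's pair comes from this page.

```python
import re

EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM hash of an empty 7-character half
EMPTY_LM = EMPTY_LM_HALF * 2  # value shown when no LM hash is stored
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of an empty password
HASH_RE = re.compile(r"^[0-9A-F]{32}$")

# Constructed sample in the assumed layout user:rid:LM:NT:::
SAMPLE_DUMP = """\
alice:1001:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
bob:1002:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
not a dump line
"""

def audit_pair(lm, nt):
    """Return hardening findings for one LM:NT hash pair."""
    lm, nt = lm.strip().upper(), nt.strip().upper()
    if not (HASH_RE.match(lm) and HASH_RE.match(nt)):
        raise ValueError("expected two 32-digit hex hashes")
    findings = []
    if nt == EMPTY_NT:
        findings.append("blank password")
    if lm != EMPTY_LM:
        findings.append("LM hash stored")
        # LM hashes each 7-character half separately, so an empty second
        # half means the whole password fits in the first half.
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("password is 7 characters or fewer")
    return findings

def audit_dump(text):
    """Return {account: findings} for every account line with a finding."""
    report = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not an account line
        try:
            found = audit_pair(parts[2], parts[3])
        except ValueError:
            found = ["unparseable hash fields"]  # never skip an account silently
        if found:
            report[parts[0]] = found
    return report

if __name__ == "__main__":
    print(audit_dump(SAMPLE_DUMP))
```

An account reported with "LM hash stored" means LM hash storage has not been disabled on that system; the NoLMHash policy turns it off for subsequent password changes.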



Open Metasploit

    use exploit/windows/smb/psexec   // no way around it: please remove the space in the middle, written together it gets blocked



Set the attack parameters


Set payload


What if I can't use it?

Brute-force the hash locally
Download software and rainbow tables locally for brute forcing; I won't explain that here.
Here is an online cracking site for everyone, convenient and fast.
http://www.objectif-securite.ch/ophcrack.php


Tips: Windows 2003 Shift backdoor

Making the Shift backdoor

Sethc.exe is the Sticky Keys program for Windows; let's back it up.


Change Cmd.exe to Sethc.exe


At the user login screen, press Shift five times
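A defender can check a host for the sethc.exe replacement described above by comparing file hashes. The following Python check is an added example, not part of the original page; the function names and the constructed stand-in directory are assumptions, and on a real host `system32` would be the Windows System32 folder.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_shift_backdoor(system32, targets=("sethc.exe",), shells=("cmd.exe",)):
    """Return [(target, reason)] for accessibility binaries that look replaced."""
    shell_hashes = {}
    for name in shells:
        p = os.path.join(system32, name)
        if os.path.isfile(p):
            shell_hashes[sha256_file(p)] = name
    findings = []
    for name in targets:
        p = os.path.join(system32, name)
        if not os.path.isfile(p):
            findings.append((name, "missing"))
            continue
        match = shell_hashes.get(sha256_file(p))
        if match:  # same bytes as a command shell: the file was swapped
            findings.append((name, "identical to " + match))
    return findings

def build_demo_dir(backdoored):
    """Create a constructed stand-in for System32 (fake file contents)."""
    d = tempfile.mkdtemp()
    contents = {"cmd.exe": b"constructed cmd bytes",
                "sethc.exe": b"constructed sethc bytes"}
    if backdoored:
        contents["sethc.exe"] = contents["cmd.exe"]
    for name, data in contents.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    print(find_shift_backdoor(build_demo_dir(backdoored=True)))
    print(find_shift_backdoor(build_demo_dir(backdoored=False)))
```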
