How to extract Windows System account passwords in penetration testing

" Object-oriented " This blog post is mainly for information security penetration test Junior personnel and information security attack and defense technology enthusiasts, Daniel please cherish life, self-bypass.

" main content " mainly describes how to use the tool to obtain the Windows operating system account password during the post-penetration testing phase.

--------------------------------------- rookie takeoff series ----------------------------------------------- -

Penetration test Task : Get the Windows System account password

attack test target : Windows server2003 2008 2012, Windows XP, Vista, Windows 7

attack test Condition : If you have entered the post-penetration test (post penetration) stage, that is, you have successfully obtained the attack Target Machine administrator administrator permission through the operating system vulnerability, Because the use of the following tools must be run under administrator privileges.

Attack test Tool : WCE (Windows credential Editor)

WCE (Windows credential Editor) has important uses in the post-infiltration phase, which can extract the operating system ntml HASH, steal ntml certificate information in memory, get Kerberos tickets, Extracts the plaintext password information in the memory authentication package. Stealing ntml certificate information in memory This is the most important feature of WCE, if you have successfully controlled a regular server in the intranet, and the domain administrator (domains Administrator) exactly through RDP connected to this server, Then you can take advantage of WCE from the server memory to obtain domain Administrator account information, successfully implement a springboard attack (Hopping-attack), successfully won the majority of the network server permissions.

WCE The working principle of the contents of the annex, we can refer to the information, the source of the tool maker Hernan Ochoa. I am inclined to a simple and rough way of learning, first use to say, the details later can be used as an advanced learning point of knowledge, so this article does not repeat the principle of content.

Run the command line with administrator privileges, execute "wce-w" to obtain the operating system login and clear text password as shown in:

650) this.width=650; "Src=" Http://s1.51cto.com/wyfs02/M01/85/65/wKiom1eiIinyncQAAAAo_F8sY8Y705.png-wh_500x0-wm_3 -wmp_4-s_138129071.png "title=" WCE get login account plaintext password "alt=" Wkiom1eiiinyncqaaaao_f8sy8y705.png-wh_50 "/>

You may be prevented from using antivirus software when executing WCE, so use the Shell tool (PE Packer) to shell it yourself. WCE also has other features, please use the help command or the information in the attachment to supplement your study, if you have questions or request a tool please send an email to [email protected].

"Special statement" the Information security knowledge or tools covered in this article is limited to conducting security research and communication, please abide by the laws and regulations, consciously maintain a good atmosphere of information security technology exchange.

This article from "Rookie Takeoff" blog, reproduced please contact the author!

How to extract Windows System account passwords in penetration testing