Therefore, I am writing an article for you to get the administrator password. I generally do not like to leave Trojans or backdoors on the server, I prefer to use the Administrator to manage the server.
I wanted to focus on the methods of capturing hash and running hash. In fact, I mainly wrote it to cainiao friends. Please skip it and I thought about several types of writing.
1. Obtain administrator password through social engineering
In social engineering, the administrator password is obtained. The administrator password is obtained by injecting a guess table. You can use webshell to view the content on the server, because some administrators will use txt to remember something; use webshell to view the mssql connection password, use the SQL connection password to try the administrator password, use the mysql connection password to try, use the flxashxp configuration file to view, and use the searched information combination. Many of them are found, it mainly refers to guessing.
2. Record the administrator password through third-party software
For example, if you add the code to the login file in webshell to record the Administrator's logon password, this is usually recorded when the Administrator's md5 cannot be cracked. The Code is as follows:
In the system, you can use the gina Trojan to record the Administrator's login password, or use a keyboard to record the Administrator's input on the terminal desktop, or capture the password.
3. Actively obtain the administrator password by cracking the hash
This is also to be detailed today, because many friends asked me how to capture and crack the hash.
Pwdump4 can capture the win2000 hash at the command prompt, which is not detailed here.
Pwdump6 is also under the command line and can capture win2003, but in many cases it is unstable.
In the win2000 system, we can use the query user to check whether the administrator user is there. If we can read the password from the memory, I usually use the aio-findpassword to read it, because aio has many functions, mt is often used in the past, but mt is too fierce.
: In win2000, query user
It indicates that the Administrator has not logged out when disconnected. We can use findpassword. for example, you can see that the password has been read from the memory (I have replaced the password .) next I will mainly talk about the hash captured by saminside and the hash captured by lc5, saminside: Http://www.ncph.net/sam.rarLc5: Http://www.ncph.net/lc5.zipIn fact, it is easy to use. You can use saminside to capture the hash of the system. For example, you can enable saminside to capture win2000 and win2003, with few errors. after opening the task, we use "Local scheduled task" to capture the task. After selecting "use scheduled task input local user", wait until the following progress bar is executed. The captured information is as follows: after the hash is captured, we will export a text in the txt format of pwdump ,:You can alsoHttp://www.objectif-securite.ch/en/products.phpDecryption
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
