How to obtain the administrator password by cracking the hash

Source: Internet
Author: User

Therefore, I am writing an article for you to get the administrator password. I generally do not like to leave Trojans or backdoors on the server, I prefer to use the Administrator to manage the server.

I wanted to focus on the methods of capturing hash and running hash. In fact, I mainly wrote it to cainiao friends. Please skip it and I thought about several types of writing.

1. Obtain administrator password through social engineering

In social engineering, the administrator password is obtained. The administrator password is obtained by injecting a guess table. You can use webshell to view the content on the server, because some administrators will use txt to remember something; use webshell to view the mssql connection password, use the SQL connection password to try the administrator password, use the mysql connection password to try, use the flxashxp configuration file to view, and use the searched information combination. Many of them are found, it mainly refers to guessing.

2. Record the administrator password through third-party software

For example, if you add the code to the login file in webshell to record the Administrator's logon password, this is usually recorded when the Administrator's md5 cannot be cracked. The Code is as follows:


In the system, you can use the gina Trojan to record the Administrator's login password, or use a keyboard to record the Administrator's input on the terminal desktop, or capture the password.

3. Actively obtain the administrator password by cracking the hash

This is also to be detailed today, because many friends asked me how to capture and crack the hash.

Pwdump4 can capture the win2000 hash at the command prompt, which is not detailed here.

Pwdump6 is also under the command line and can capture win2003, but in many cases it is unstable.

In the win2000 system, we can use the query user to check whether the administrator user is there. If we can read the password from the memory, I usually use the aio-findpassword to read it, because aio has many functions, mt is often used in the past, but mt is too fierce.

: In win2000, query user

It indicates that the Administrator has not logged out when disconnected. We can use findpassword. for example, you can see that the password has been read from the memory (I have replaced the password .) next I will mainly talk about the hash captured by saminside and the hash captured by lc5, saminside: Http://www.ncph.net/sam.rarLc5: Http://www.ncph.net/lc5.zipIn fact, it is easy to use. You can use saminside to capture the hash of the system. For example, you can enable saminside to capture win2000 and win2003, with few errors. after opening the task, we use "Local scheduled task" to capture the task. After selecting "use scheduled task input local user", wait until the following progress bar is executed. The captured information is as follows: after the hash is captured, we will export a text in the txt format of pwdump ,:
Select "output user to pwdump File". Next we use NotePad to open the output hash file, for example, OK. hash is captured. Next we will use lc5 to crack it. install lc5 first, create a session after installation, and then import hash. For example, select the pwdump format. After import, you can set the combination mode in the session option. select the combination mode in the drop-down box below. Generally, you can select letters and numbers. If you do not run the command, select the following special characters and numbers ..... okay. Now let's click the key to crack it. I usually run it on a meat machine. Haha ....

You can alsoHttp://www.objectif-securite.ch/en/products.phpDecryption

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.