OllyDBG disassembly crack Radmin Password

Source: Internet
Author: User
Tags md5 hash

Comments: Radmin is a very good server management, whether it is remote desktop control or file transmission speed is very fast and very convenient. This also forms a lot of servers installed such as radmin. Now you say that the default port 4899 does not have where do you find the password server? As we all know, the radmin password is a 32-bit md5 encryption and stored in the registry. Radmin is a very good server management.
Remote Desktop control or file transfer
Fast and convenient
In this way, many servers are installed with radmin.
Now, where are you looking for a server with no password on the default port 4899?
We all know that the radmin password is encrypted with 32-bit md5.
Stored in the registry
The specific table key value is HKLM \ SYSTEM \ RAdmin \ v2.0 \ Server \ Parameters \

How can we further escalate permissions when attacking a web server?
If you say brute force password cracking is okay
You only need to have enough time and energy.
I think few people spend weeks, months, or even years cracking the password.
Http://amxking.bokee.com
Haha, where did I get a copy of my friend recently?
Is how to access the service weapon without cracking the Radmin password.
This is called password spoofing. I don't know either of them.
I used this idea to handle a lot of servers. Haha
Want to know how to implement it? Let's take a look.
Prerequisites:
It is recommended that a webshell have the permission to read the registry.
If you cannot read the radmin registry, at least the wscript. shell component is not deleted, we can call cmd.
Export the radmin table Value
The registry value of radmin, that is, the encrypted MD5 hash value is 32 bits.
For example, the password in the radmin registry is stored like this.
Port
Parameter REG_BINARY 1f 19 8c dd ************ there are 16 groups, each of which is a 32-bit combination.

Tools:
Radmin Controller
OllyDBG Disassembly

First, open the radmin Console (client) with OllyDBG)
Run ctrl f to search for jmp eax.
Then press F4. then press f8.
Right-click and choose "Search"> "all constants ".
Enter 10325476 (76543210 in turn)
In the pop-up window, select the first line F2 to be disconnected
Then run F9
Then you use radmin to connect to the server you want to intrude.
A prompt box will pop up asking you to enter your password.
After entering the information, the OD will be activated.

At this time, you need to run Ctrl F9 first, and then select the red block in the upper lines, which is the last part of the disconnection.
Press F2 again to cancel the breakpoint, and then press F8. Then, move the mouse down to find it.
Add es, 18 click F4.
In this case, you can just find a place in hex in the lower left corner.
Run Ctrl G and enter [esp] in the pop-up column. Note that
Then Replace the first line with the hash value of the radmin password we just obtained.
Then press F9 to see if Haha is working.
This method has very limited limitations. Generally, webshells can view the radmin registry.
Or you can use wscript. shell to export the radmin password.
I don't know how much time it will save compared to brute force cracking .....

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.