Windows password cracking strategy (hash cracking)

Source: Internet
Author: User
Tags old windows pcanywhere

Author: hackest [h.s. T.]
Source: hackest's blog



I have been wondering, in what way can I control the permissions that have been obtained for a long time? Webshell, Trojan, or even rootkit? The webshell trace is too obvious. Even a webshell with one sentence is easily cleared by the Administrator. Trojan horses are easy to be detected by experienced administrators. After all, there are still few Trojans that can be used in silent and colorless scenarios. In the early stage, we had to build a process by ourselves, and the process was over after the process was completed. Later we had a trojan injection process, and later we had a trojan started with a service, some of them are started by replacing some irrelevant system services ...... However, the above method is too concealed. No matter how perfect your backdoor is, no matter how easy your Trojan program is to be killed, you still cannot leave no trace.

Is there no way? Also, a famous saying from a predecessor (withered rose) woke up n nookies (such as my stream): I generally do not like to leave Trojans or backdoors on the server, I prefer to use the Administrator's access method to manage the server ). What is the administrator's access method? In other words, the administrator can access the server. If the terminal is 3389, We will access the terminal. Of course, the premise is to find a way to get the password of his administrator user; if the terminal is pcAnywhere, we can find a way to get his pcAnywhere password to enter. If he is Radmin into the server, we also need to find a way to get his Ramin password to enter. In this way, the concealment is greatly improved, and it is not so easy for bots to run away. If the password is the domain administrator password, if the password can be used to manage machines in the entire data center, if the password can be used to kill the Intranet, if this password can still be used to log on to his QQ! To be exaggerated, even if he reinstalls the system, he still uses the password. Then your zombie will be revived ...... It's terrible )! Go straight to the theme-Windows password cracking strategy. This article refers to system password cracking without physical access. If hackers are physically exposed to computers, there will be no system at all, and the operation will be simpler and faster.


To crack the password of a program, you must first understand its background knowledge. Let's briefly talk about the encryption algorithm of Windows system passwords. Early SMB protocols transmit plaintext passwords over the network. Later, the "LAN Manager challenge/response" verification mechanism, lm for short, was found to be so simple that it could be easily cracked. Microsoft proposed the WindowsNT challenge/response verification mechanism, called NTLM. Now we have an updated NTLMv2 and Kerberos verification system. The Windows encrypted password is called Hash (Chinese: hash). The windows system password hash is generally composed of two parts by default: The first part is Lm-hash, the second part is NTLM-hash. The following content is extracted from the security focus:

-------------------------------------- Start of citation ----------------------------------------------

1. How to generate lm-hash from the plaintext password?

1. Assume that the plaintext password is "welcome". First, convert all the passwords into large-sized welcome, and then convert them as follows:
"Welcome"-> 57454c434f4d4500000000000000
First, convert the Welcome To The hexadecimal format. When the plaintext password is less than 14 bytes, add 0x00 to supplement 14 bytes. Some books describe how to add spaces (0x20) to supplement 14 bytes. This is incorrect. I don't know whether the original author is wrong or the translator's problem.

2. Split the data into two groups of 7 bytes, which are respectively processed by the str_to_key () function (the code has been attached to the disc) to obtain two groups of 8 bytes of data:
57454c434f4d45-str_to_key ()-> 56a25288425a348a
00000000000000-str_to_key ()-> 0000000000000000

3. These two groups of 8-byte data will be used as the secret key to the magic string "kgs! @ # $ % "Standard DES encryption (the code has been attached with a CD ):

"Kgs! @ # $ % "-> 4b47532140232425

56a25288425a348a-standard DES encryption for 4b47532140232425-> c23413a8a1e7665f
0000000000000000-standard DES encryption for 4b47532140232425-> aad3b435b51404ee

4. Simply splice the encrypted data sets to obtain the final lm-hash.

Lm-hash of welcome: c23413a8a1e7665faad3b435b51404ee.

Obviously, since all plaintext passwords are converted to uppercase at the beginning, multiple Plaintext Passwords correspond to one lm-hash. In turn, when the LM-hash is cracked, the obtained password may not be the original password, because it is impossible to determine the case sensitivity. Observe the aforementioned SMB authentication process carefully, even if the obtained password is not the original password (case-insensitive), it can also pass SMB authentication. This conversion method reduces the difficulty of brute force cracking.

Another weakness is that when the plaintext password is smaller than 8 bytes, the calculation process of the last 8 bytes after lm-hash is always as follows:

00000000000000-str_to_key ()-> 0000000000000000

Standard DES encryption for 4b47532140232425-> aad3b435b51404ee

This will also reduce the difficulty of brute force cracking.

IBM designed this lm-hash algorithm, the magic string "kgs! The meaning of @ # $ % "cannot be verified. This algorithm is called "hash", which is completely reversible due to standard DES encryption. Of course, it is different from the traditional reversible method because we need to raise the limit ey itself.

Ii. How to generate NTLM-hash from the plaintext password?

The LM-hash algorithm designed by IBM has several weaknesses. Microsoft puts forward its own challenge response mechanism while maintaining backward compatibility. Therefore, NTLM-Hash came into being.

1. Assume that the plaintext password is "123456" and is first converted to a unicode string. Unlike the LM-hash algorithm, you do not need to add 0x00 to supplement 14 bytes this time:

"123456"-> 310032003300340035003600

When converting from an ASCII string to a unicode string, the little-Endian sequence is used. Microsoft did not consider the big-Endian sequence, ntoh * (), Hton * () when designing the entire SMB protocol *() the function should not be used in SMB Message decoding. The standard ASCII code before 0x80 is converted to the Unicode code, which is simply from 0x ?? 0x00 ??. This standard ASCII string is converted to a unicode string in the order of little-Endian, which simply adds 0x00 after each byte.

2. Perform a standard md4 unidirectional hash of the obtained Unicode string (the code is attached with a CD). No matter how many bytes the data source has, md4 will generate a 128-bit hash value, 16 bytes:

310032003300340035003600-perform standard md4 unidirectional hash-> 32ed87bdb5fdc5e9cba88547376818d4

3. The final NTLM-hash is obtained.

123456 NTLM-Hash: 32ed87bdb5fdc5e9cba88547376818d4.

Compared with LM-hash, NTLM-hash is case sensitive. However, NTLM-Hash cannot be used to determine whether the original plaintext password is smaller than 8 bytes! @ # $ % ".

Md4 is a real one-way hash function. It is difficult to use md4 as the plaintext of the data source. The problem is that Microsoft simply emphasizes the high NTLM-Hash strength, but avoids the fact that to maintain backward compatibility, NTLM-hash is always used with LM-Hash by default. This means that NTLM-Hash emphasizes that higher security is not helpful, but may damage security. After NTLM-hash is added, lm-hash is used to identify the case-insensitive version of the original plaintext password, and NTLM-hash is used to correct the case-sensitive version of the original plaintext password.

-------------------------------------- End of citation ----------------------------------------------


The theory is almost ready and enters the practical stage. How can you obtain the administrator password hash after you have obtained Windows system permissions? Different versions of Windows have different methods for obtaining hash. The tools used include pwdump7.exe1_gethashes.exe1_saminside.exe, LC5, Cain, proactive password auditor, and ophcrack. The following describes in detail how to capture the hash of system passwords of various Windows versions.

1. Windows 2000

There are also several sub-versions of a relatively old Windows version, which are still running on many servers. Although the performance and security cannot keep up with the pace of the times, we cannot let it go. This article focuses on the server goals. Therefore, the testing system is for Windows 2000 Advanced Server Edition, which has been patched with SP4 and has updated all patches, 1.

In, pwdump7.exe can be used to capture the hash of system users. The command format is pwdump7.exe> 2000hash.txt. to capture all user hashs, write them into the text file 2000hash.txt, 2.

You can also use the tool gethashes.exe, which is self-contained by saminside. the command format is gethashes.exe $ local> 2000.txt. the idea is to capture all user hashs and write them into the text file 2000.txt, 3.

You can also use saminside in the graphic interface to open saminside, click "file", and then click "Import local users via scheduler". After a while, the hash is successfully captured, as shown in Figure 4 and figure 5.

Because Windows scheduled tasks are captured, the Task Scheduler Service must be started; otherwise, the task cannot be captured. After capturing the hash, export it to facilitate the use of other more powerful cracking tools. To export the hash of all users, click "file", then click "Export users to PWDump file...", and save it as TXT text. If you only need one user's hash, select "Export selected users to PWDump file..." and save it as TXT text, 6.

All operations are relatively simple. Saminside is also a cracking tool that can perform simple cracking on the captured hash. It also comes with a common dictionary and can be used with the rainbow table for cracking. If the password is not too complex, the plaintext of the password can be obtained here.

By the way, in Windows 2003, the administrator password is obtained. aio.exe (AIO is short for all in one, a collection of gadgets) is used to directly read the password in the memory. Windows SP1 and SP2 are not patched, you can also read the plaintext of the password. Command Format: aio.exe-findpassword. The password is read successfully. The password is and 7.

This method can be used only when the Administrator logs on and the password is not logged off.

2. Windows XP & Windows 2003

Refer to the above 2000 steps. However, we recommend that you use saminside to . Because pwdump7 is not stable, the hash captured may be incorrect, or even cannot be captured ...... The image is captured by saminside, and the command line is captured by the small tool gethashes.exe with saminside. the hash is generally saved as a TXT file. Next we will introduce some of the tools not mentioned above to capture the hash. These tools can be captured, cracked, and powerful by themselves. Smart readers may find that only some of the tools mentioned above are available, and several of them have not yet appeared ...... Next we will introduce several other powerful tools.


If you want to use LC5 to capture the hash of the Local Machine, open "session"> "import"> "Local Machine" in sequence. After a moment, the hash can be captured successfully, if you want to import the cracked hash, you can choose "import from file"> "from PWDump file" to import it for cracking, as shown in Figure 8 and Figure 9.

Click the triangle button to start cracking. Of course, you can also make some adjustments to the cracking, "session"-> "session options... ", you can set the character set in" Character Set: "in the" btute force crack "option. The default options are Alphabet + numbers, letters and numbers, 10, and Figure 11.

LC5 is very powerful. In this case, as long as your hash is correct, there will be no broken passwords, provided that you have enough time, I have tried to run a password for 17 days (Don't be surprised, before writing this article, I have found a more powerful tool than LC5, And the cracking time is greatly shortened, ^-^) will be mentioned later )!


Cain I believe many friends who like sniffing will know about it, but do you know that it has powerful password cracking functions besides sniffing? How can we use Cain to capture hash data? It's also very simple (just imagine, when you drive Cain to sniff other machines in the same network segment, how cool it is to crack the administrator password that has been controlled ). The driver Winpcap required to install Cain can start Cain. However, if you only use it to crack the password without sniffing, when you open Cain, it prompts you to create a DLL file with the same name in the installation directory to open the file. (Cheat Cain and let it serve us, however, in this case, the sniffing function is not available ). Click "Cracker"-> "lm & NTLM hashes", click the blank area on the right, and click "Blue +" to activate it. Then, click it, "Add nt hashes from"-> "Import hashes from local System"-> check "include Password History hashes", and next, the hash is captured, as shown in figure 12 and Figure 13.

Right-click the user you want to crack, and choose "brute-force attack"> "NTLM hashes"> "start" to start brute force cracking. If your password is simple enough, the results will soon be obtained. Of course, you can also choose the character set you think is possible like LC5 to improve the cracking speed and customize the character set. The administrator password is 2009, which can be easily cracked, as shown in figure 14 and 15.

3. Windows Vista & Windows 7 & windows 2008

Eye-catching friends may find that there are still two other tools that haven't appeared. Are they even more powerful? That's right. After reading this article, you will know how powerful they are, or what you mentioned above is not enough to interest you, the following things will give you a deeper understanding of password cracking. Of course, there is a reason to separate Vista and its later Windows versions. In Windows 2008, Microsoft used different encryption methods for Sam and syskey than earlier versions of Windows. In particular, the NTLM-hash algorithm used for encryption is much more complex than the LM-hash algorithm, this invalidates all methods used to crack the administrator password on Windows NT/2000/XP (in fact, lm-hash is disabled by default in Windows 2008, so it increases the difficulty of cracking ).

First, we will try out the tools under 2000/XP/2003 and test the system version: Windows Server Enterprise SP1 (Enterprise Edition). All Patches have been updated. Pwdump7.exe can be run, but the obtained hash is obviously different from the previous one. lm-hash is an asterisk, because lm-hash and 16 are disabled in Windows 2008.

Gethashes.exe fails to capture the hash, And the generated TXT file is blank, 17.

Saminside can also be run, and the hash is captured successfully. However, the LM-Hash segment is all 0. Use the latest version, which is 18.

Let's take a look at LC5 and install and run it. After N years, the system prompts "couldn't impersonate SYSTEM account. you do not have the privileges to perform this operation. "confirm and continue to prompt" error importing passwords from the registry. you may have insufficient permissions to perform this action. "It generally means that I have no permission to perform this operation, but I run LC5 as an administrator. It cannot do it by itself, so it is very euphemistic to say that I have insufficient permissions. However, LC5 has been acquired for a long time, and the version has not been updated. In the new windows 2008, the performance is disappointing and promising, as shown in figures 19 and 20.

And the hash imported into LC5 captured by pwdump7.exe and saminside cannot be cracked, and the start button of a small triangle will immediately stop. In this round, LC5 was eliminated.

The next step is Cain, which can be easily captured. However, simple passwords are not allowed by default for Windows 2008, which makes it difficult to crack the password. Careful friends may find that, the LM-Hash segment does not display a series of 0 values in saminside, but a clear aad3b435b51404eeaad3b435b51404ee. If you are smart, you can analyze why, haha, 21.

Here, we need to mention that the hash format captured by Cain is not the same as that captured by other tools. You need to handle it yourself before importing the hash format. Otherwise, other tools will not be able to identify the hash format. Example:

Administrator: 500: No Password *********************: 03937006e74e63318b23d01a6e29a4fb :::

Administrator: "": "": aad3b435b51404eeaad3b435b51404ee: 03937006e74e63318b23d01a6e29a4fb
To enhance versatility, we would like to remind you that the hash format is subject to the first one, that is, the format captured by saminside!


The next turn is proactive password Auditor (hereinafter referred to as PPA). This is a commercial software (that is, the kind of money), but the official 60-day trial version is provided, the function is not limited, the lower version has a cracked version. This software needs to be installed, interface 22.

If you want to capture the local hash of Windows 2008, click dump to capture it. By default, it is captured from the memory of the Local Computer of "memory of local computer. The software also supports registry capturing, Sam file capturing, and remote capturing of hash, which easily captures hash, 23.

It also supports importing hash cracking, brute-force cracking, Dictionary cracking, and rainbow table cracking. Here, we will introduce how to crack the rainbow table. First, you must understand what a rainbow table is?

TIPS: What is a rainbow table?

A rainbow table is a large set of hash values pre-computed for a variety of possible character combinations, not necessarily for MD5 algorithms, it can quickly crack various types of passwords. The more complex the password is, the larger the rainbow table is. Currently, the mainstream rainbow tables are more than GB.

The method to use PPA in combination with the rainbow table cracking is also relatively simple, attack select "Rainbow"-> "NTLM attack"-> "rainbow tables list... "->" add ": select to import the rainbow table file. The format is generally *. rt. I downloaded a free rainbow table from abroad. The current size is 207 GB, and the complete table will be larger. After importing all the rainbow tables, click "recovery"-> "start recovery" to start cracking, 24, and Figure 25.

This software personally feels that it is super fast to run a pure mathematical password. It takes only a few seconds for a 14-bit long pure digital password! PPA supports cracking under Vista and 2008.


The next is the most valuable software in this article-ophcrack! Ophcrack is a free tool for cracking windows passwords based on a rainbow table. It is highly efficient. It is equipped with a Windows graphical user interface and supports multi-platform operation. In addition, you can download the official ophcrack livecd and burn it to a CD! Its official website is you can download the installation package from the official website.

The rainbow table used by ophcrack is not the same as the conventional rainbow table. It cannot recognize the rainbow table in *. RT format. It only recognizes the official rainbow table. Conventional rainbow tables cannot crack the hash of Vista, Windows 7, and Windows 2008 passwords. There are only three free rainbow tables officially available: XP free small (380 MB), XP free fast (703 MB), Vista free (461 MB ), for other more powerful rainbow tables, a certain amount of fee is required. During installation, you must be aware that you can choose whether to download the official rainbow table. If you want to install the software and download it yourself, remove the selected option, 27.

After the installation is complete, the interface is refreshing, 28.

Because some officially charged tables have been published on some foreign websites, I have two commonly used tables: XP special (7.5 GB ); the other is vista special (8.0 GB), which is officially priced at $99/device. The larger tables are not downloaded. In fact, these two tables are basically enough. Although its table is small in size, its power cannot be underestimated. It seems that I have done some optimization and compression, opened ophcrack, "LOAD"-> "Local Sam", and then flashed through a black window (in fact, I can find it in the installation directory of ophcrack, it uses pwdump6 to capture the hash, but pwdump6 is relatively stable compared to pwdump7.) The image is successfully captured in Windows 2003, because ophcrack uses pwdump6, it is impossible to capture hash in Windows 2008 and Vista (you can consider replacing pwdump6 with pwdump7 to improve this function, but I have not succeeded, the technology is limited-_-), 29, and Figure 30.

You can see the installed rainbow table under the tables tab. If the official rainbow table is not downloaded during software installation, you can install the table in tables after downloading the rainbow table, 31.

Then you can press crack to crack it. Although the ability of ophcrack to capture hash is insufficient, compared with Vista, we can use other hash capture tools to obtain the hash and then import it for cracking. Let's take a look at the results of the ophcrack attack. The password is 14 bits and 32 bits.

Note that the hash captured under Vista needs to be cracked using the rainbow table of Vista, otherwise it will fail to be cracked! However, it is said that bitlocker encryption has been cracked by foreign hackers, but no relevant information can be found, so we will not discuss it in depth. Interested friends can test it on their own.

Online query

If you think it is too troublesome to query hash websites online? The answer is yes! There is a foreign website for querying the hash online:, which has a certain relationship with the ophcrack's official team ...... However, it is a pity that only tables of tables XP free can be queried online ...... At the same time, it should be noted that the hash format should be paid attention to during online query. For example, if the username and password are both hackest's hash:
Hackest: 1011: 7831a0ffabee5fb3aad3b435b51404ee: d78df6e868e606e442313c5df93216f1 :::
We only need to copy shard: d78df6e868e606e442313c5df93216f1 and fill in the box after the hash, and then click Submit hash to query. At the same time, we also support entering the password to return the hash value, 33.

If you enable bitlocker for Vista, the preceding methods are invalid and cannot capture the hash. However, bitlocker is disabled by default. users who do not need it are generally not able to enable it.


Of course, the key to cracking is the correctness of the primary hash. The limit is whether the password length exceeds 14 characters, the character set consisting of the password, or even the Chinese password. Why can't I crack a password with more than 14 characters? Because NTLM-Hash only supports 14 characters, there is no breakthrough yet. As long as you have read this article carefully, I believe you have been able to crack the hash of most Windows system passwords. Of course, if the administrator uses a group policy to limit the password of a user to 24 hours, the next day, when another random password is automatically enabled, it makes no sense to crack the password (a server in the United States has encountered such abnormal administrators ). The password in Windows is almost over. How can I crack the password in Linux? In fact, it is much simpler (I used to kill my own password with John in ubuntu8.10), but it is not within the scope of this article. I hope that interested friends can try it on their own. This article may be a headache for many friends, because none of the software mentioned here is in Chinese! What problems does this mean? There is still a practical gap between Chinese and foreign technologies! In fact, some software also has a Chinese version. Why not choose it? Most Chinese versions are not clean, and if you are a self-improvement technician, you cannot even use a little bit of English. If you feel a headache for the English software, I still need to improve my English skills (although my English skills are poor-_-let alone I want to learn good things ). You do not need to know how many levels of English, but at least you need to understand what the software means, read some of the English technical documents, and obtain the technical details you need, to strengthen itself! This article only for technical exchanges, do not use for illegal purposes, otherwise the consequences are at your own risk, if you have no conditions to crack, you can also send hash mail to my mailbox ( ), it can be cracked for Free ^-^.
Examples, LC5, Cain, ophcrack, proactive password auditor, ophcrack XP special tables. torrent, ophcrack Vista special nthash table. torrent, Function C code has been included in the CD)


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.