Windows Password Security and Cracking: Using LC4 to Crack Local SAM Hashes

Source: Internet
Author: User

"Experimental Purpose"

1) Understand how LC4 cracks local SAM hashes

2) Learn the process of cracking local SAM hashes with LC4


"Experimental Principle"

A Windows password hash consists of two parts, the LM hash and the NT hash. A Windows system stores each account's hashes in the following format:


User name:RID:LM-hash:NT-hash


LM hash generation rules:

1. The user's password is limited to a maximum of 14 characters.

2. The password is converted to uppercase.

3. The password is encoded using the system's OEM code page.

4. A password shorter than 14 bytes is padded with zero bytes to 14 bytes.

5. The fixed-length password is split into two 7-byte halves. Each half is treated as a bit stream, and a 0 bit is appended after every 7 bits, producing a new 8-byte value.

6. Each of the two 8-byte values from the previous step is used as a DES key to encrypt the constant string "KGS!@#$%".

7. The two DES ciphertexts are concatenated to form the final LM hash.

NT hash generation principle:


The LM hash algorithm designed by IBM has several weaknesses. Microsoft introduced its own challenge-response mechanism while maintaining backward compatibility, and the NTLM hash emerged. Assume the plaintext password is "123456". It is first converted to a Unicode string; unlike the LM algorithm, there is no need to pad it with zeros to 14 bytes:


"123456" -> 310032003300340035003600


The conversion from an ASCII string to a Unicode string uses little-endian byte order. Microsoft did not consider big-endian order when designing the SMB protocol, so the ntoh*() and hton*() functions are not suitable for decoding SMB packets. A standard ASCII code below 0x80 converts to Unicode trivially: the character 0xNN becomes the 16-bit code unit 0x00NN, which in little-endian order is stored as the byte 0xNN followed by 0x00. In other words, such a string is converted to little-endian Unicode simply by appending 0x00 after each original byte. The resulting Unicode string is then hashed with standard MD4, a one-way function that produces a fixed 128-bit (16-byte) value regardless of the input length. The MD4 hash of the 12 bytes 310032003300340035003600 is 32ed87bdb5fdc5e9cba88547376818d4, which is the final NTLM hash.


NTLM hash: 32ed87bdb5fdc5e9cba88547376818d4


"Experimental Environment"

This environment simulates the case where an attacker has already obtained the target machine's hashes and uses an LC4 dictionary attack to crack them.


"Experimental Steps"

First, obtain the system SAM hashes

Export the local SAM hashes in pwdump format (see http://klmyoil.blog.51cto.com/10978910/1721965).


Second, obtain the system password

2.1 Open the LC4 folder and launch the Chinese version of LC4.

2.2 Open the 'New Task' option under 'File' in the upper left corner.


2.3 Choose the 'Import from pwdump' option under 'Import'.


2.4 Select the file in which we stored the hash values.


2.5 Click the 'Start Hack' button to begin cracking.

2.6 The password has been cracked successfully.

2.7 This completes the experiment of cracking the local SAM with LC4.


This article is from the "Hong Seven public" blog; please be sure to keep this source: http://klmyoil.blog.51cto.com/10978910/1721973
