Teach you a few tricks to crack Windows 2003 login password

A cipher is a symbol that is compiled by a particular law to make a secret change to the information on both sides of the communication. In other words, the cipher is a symbolic sequence that hides the real content. Is the use of public, standard information encoded information by means of a transformation, to the other than the communication between the two people can not read the information encoding, this unique information code is the password.

Password is a science, has a long history. Passwords were used in ancient times to deliver secret messages. In modern warfare, the transmission of information and command of war are inseparable from the password, the diplomatic struggle can not be separated from the password. Passwords are generally used for confidentiality and storage during the transmission of information and communications. With the development of computer and http://www.aliyun.com/zixun/aggregation/14054.html "> Information Technology, the development of cryptography technology is very rapid and the application field is expanding." In addition to information encryption, passwords are also used for data information signing and security authentication. In this way, the application of passwords is no longer confined to the military and diplomatic service, it is also widely used in social and economic activities.

In today's world, there has been a trend of socialization and personal application of cryptography. For example, you can apply cryptography technology to e-business, to identify the identities and commercial credit of both sides of the online transaction, to prevent the "hackers" and fraudulent acts in e-commerce, and to apply them to the VAT invoices, which can be anti-counterfeiting and tamper-proof, and eliminate all kinds of the behavior of using VAT invoices to steal, leak, flee and cheat national tax. and greatly facilitate the tax inspection, the application of bank check identification, can greatly reduce the use of counterfeit cheques financial fraud, financial crime; applied to personal mobile communication, greatly enhanced the confidentiality of communication information and so on.

In all NT systems, there are several ways to get the password of the login user. I know three ways to achieve this.

1.hook Winlogon several functions, online also has this type of program, called Winlogonhijack Project in Rootkit.com has provided, but that project only for local landing users valid, remote landing users invalid.
2. Using Gina and Winlogon for a socket, the password can be recorded, high stability, and valid for both local and remote landings, as long as the code that executes its own record password for some functions, but the existing Gina backdoor is not exported in XP or 2003. This is mainly because XP and 2003 have added new functions to Winlogon.

3. Directly read the memory data to get the plaintext password. In NT 4.0/2K, there is already a program Findpass can read directly to the memory data in the Winlogon process and get the login user password directly, Because in NT4.0 and 2K, account information, including domain name, account number and password are regularly in Winlogon memory specific address, so can be very simple to get. But in the XP and 2003 system, this method is ineffective, it seems that we do not have the means to read directly the clear address. Let's talk about how, like Findpass, in NT 4.0 and 2K, you get the password of the login user in Server 2003.

Although XP and 2003 are not the same as the previous NT system to save the login user information in the Winlogon process memory address, but the base LSASS process to process some information, need to get the plaintext password, so the login user's password will appear in the LSASS process ( Microsoft did not encrypt the password in the LSASS process, Microsoft's argument is because LSASS need to get plaintext password, even if the password encryption, also can only use reversible method encryption, as long as tracking LSASS operation, as can get plaintext password, so Microsoft used a more lazy method, may also be to speed up the response, so the plaintext password is placed in the LSASS process memory. Speaking of which, we all know that the login user's password is in the memory of the LSASS process. Yes, that's the thing, but is it as easy to get this plaintext password as it is with the Findpass under NT 4.0 and 2K? In fact it is not so easy because of the following reasons:

A. The memory address of the password stored in the LSASS process is irregular

B. The password is likely to be covered by the last user (for example, the administrator ABC logs from the local, then the admin BBB is logged in remotely, then the admin BBB cancels the terminal, the password stored in the Lsass.exe process memory, or the password of the Administrator BBB), or the user logs in and then log off So if we get the password, we don't know which user's password.

C. The data before and after the password is also not regular, if there is a rule, such as the data before the password, must be a paragraph is all 01 characters of data section, then locate the password is simple.

Reason A and C all bring us the difficulty of locating the password, the original B brings the problem that cannot determine the password and account number. It seems that Microsoft has done a bit of work on the new system. But we will not give up, even if it is to take a chance, also see can get the password, anyway, even if the failure, it does not matter.

The final code, which I wrote to test if I could get the user's password in 2003 of the system, was exactly the same as the analysis above (of course, the results were measured with this program). The success rate is certainly not high, because of too many reasons, the difficulty of locating passwords or being unable to locate them, or getting information that is not a password, and so on, makes the failure rate very high, but it is always a way, or someone in the future can accurately locate, that is pleasing. Although the failure rate is high, but in one case, the success rate is very high, that is, the administrator is only in the local or terminal landing, and then no user from the local or terminal landing, and the administrator has not locked the system, then the success rate will be quite high.