Network penetration: maintaining privileges

1. Maintaining privileges:

  • Once an attacker has gained access to a server, they usually use backdoor techniques to keep the privileges they obtained; once a backdoor has been implanted on the server, the attacker's subsequent intrusions become much easier.
  • Because the attack may be discovered and the shells removed, causing the target to be lost, a backdoor is left behind to maintain privileges and keep continuous control.

2. Obtaining Windows system login accounts:

  • Storage location of the system login accounts: C:\Windows\System32\config\SAM.
  • Windows manages user-account security with the SAM (Security Account Manager) mechanism: user accounts and their password hashes are stored in the SAM database.
  • The SAM database lives in the file C:\WINDOWS\system32\config\SAM. When a user logs in, the supplied credentials are first compared with the account information stored in the SAM file, and the login proceeds only if they match. The system protects the SAM file: while Windows is running it cannot be copied, deleted, or read directly.
  • The SAM file uses two password hashing ("encryption") schemes:
  • LM hash: the password is at most 14 characters; a shorter password is padded with zeros to 14, everything is converted to uppercase, the result is split into two 7-character halves, each half is encrypted with DES, and the two outputs are concatenated to form the LM hash. It is essentially DES encryption.
  • NTLM hash: the user's password is first converted to Unicode encoding, then hashed with the standard one-way MD4 hash.
  • LM hashing is far weaker than NTLM hashing: NTLM allows longer passwords, is case-sensitive, and does not split the password into small blocks that are easier to crack. In a pure NTLM environment, LAN Manager hashing should therefore be disabled.
  • Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:AFFFEBA176210FAD4628F0524BFE1942:::
  • Note: the password (NTLM) hash is the field that starts with AF and ends with 42.
  • Tools (non-AV-evading versions):
  • wce.exe
  • QuarksPwDump.exe
  • Pwdump7.exe
  • gethash.exe
  • mimikatz
  • Reading Windows administrator password hashes:
      Export the hashes via the registry: reg save hklm\sam C:\hash\sam.hive
      reg save hklm\system C:\hash\system.hive
      Export the SAM file: shadow copy (generally used on domain controllers with tens of thousands of users)
      Other methods: ProcDump (or lsadump) + mimikatz
      PowerShell + mimikatz
      PowerShell + getpasshash
      PowerShell + other tools
  • Cracking:
      Online cracking: http://cmd5.com
      https://somd5.com
      Local cracking: brute force
      LM hashes: cain
      NTLM hashes: ophcrack + rainbow tables (rainbow table download: http://ophcrack.sourceforge.net/tables.php)
  • Principle of grabbing account credentials in plaintext:
  • The password information is obtained directly from the lsass.exe process and recovered; this does not rely on exhaustive search but on direct reverse calculation according to the algorithm.
  • lsass.exe is the system process of the Local Security Authority Service.
  • Notes:
  • (1) An LM hash can only hold passwords of 14 characters or fewer. If the password is longer than 14 characters, Windows automatically uses NTLM only: just the corresponding NTLM hash is available, and the LM password field is displayed as all zeros.
  • (2) Hash-dumping tools generally output both an LM value and an NTLM value; that is, when the password has 14 or fewer characters there is an LM value, and otherwise the LM field is all zeros. The exception is that in older versions an LM value beginning with aad3b435b51404eeaad3b435b51404ee indicates that the password is blank or longer than 14 characters.
  • (3) Up to and including Windows 2003, LM hashing is enabled by default; systems released after Windows 2003 disable LM hashing and use NTLM.
  • (4) A password stored with LM hashing also has a corresponding NTLM hash value.

3. Obtaining Linux/Unix system login accounts:

  • Storage location of Linux/Unix account information:
  • /etc/passwd
  • /etc/shadow
  • root:$1$Bg1H/4mz$X89TqH7tpi9dX1B9j5YsF.:14838:0:99999:7:::
  • When the id is 1, MD5 is used; when it is 5, SHA-256 is used; when it is 6, SHA-512 is used.
  • Cracking:
  • John the Ripper
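As an added, defender-side example (not code from the original post), the following Python script parses the two record formats quoted above, the pwdump-style "user:rid:LM:NT:::" line and the /etc/shadow "$id$salt$hash" field, and flags what an auditor of such a dump cares about: LM hashes still being stored, blank NT hashes, and md5-crypt ($1$) still in use. The BLANK_NT constant and the svc_backup, alice and daemon sample records are my additions, not values from the post.

```python
import re

# LM field sentinel when no LM hash exists (blank password or > 14 chars), per the page.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string (MD4 of empty UTF-16LE input); a well-known constant.
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# crypt(3) "$id$" prefixes and the algorithms they select, as listed on the page.
SHADOW_ALGS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def audit_pwdump_line(line):
    """Classify one pwdump-style record 'user:rid:lmhash:nthash:::'."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump record: %r" % line)
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    return {
        "user": user, "rid": rid,
        # A real LM value means LM storage is still enabled and the password is <= 14 chars.
        "lm_stored": lm != BLANK_LM,
        "empty_password": nt == BLANK_NT,
        "builtin_admin": rid == "500",
    }


def audit_shadow_line(line):
    """Classify one /etc/shadow record 'user:$id$salt$hash:lastchg:min:max:...'."""
    fields = line.strip().split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow record: %r" % line)
    user, pw = fields[0], fields[1]
    result = {"user": user, "algorithm": None, "weak": False,
              "locked": pw.startswith(("!", "*")), "empty": pw == ""}
    m = re.match(r"^\$([^$]+)\$", pw)
    if m:
        result["algorithm"] = SHADOW_ALGS.get(m.group(1), "unknown id " + m.group(1))
        result["weak"] = m.group(1) == "1"  # md5-crypt is fast to brute-force; prefer $6$
    return result


def audit(text, parser):
    """Run a record parser over every non-empty line of a dump."""
    return [parser(l) for l in text.splitlines() if l.strip()]


# Sample input: the Administrator and root records quoted on the page, plus constructed
# records (svc_backup's hex values are placeholders, not real hashes).
PWDUMP = """Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:AFFFEBA176210FAD4628F0524BFE1942:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::"""
SHADOW = """root:$1$Bg1H/4mz$X89TqH7tpi9dX1B9j5YsF.:14838:0:99999:7:::
alice:$6$constructedsalt$constructedhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::"""
```

Run `audit(PWDUMP, audit_pwdump_line)` and `audit(SHADOW, audit_shadow_line)` to get one dict per record; any record with `lm_stored`, `empty_password` or `weak` set is worth a follow-up.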

4. Installing backdoor programs:

  • List of common backdoor techniques:
  • 1. After obtaining privileges on a server, attackers usually use backdoor techniques to keep those privileges; once a backdoor has been implanted, the attacker can move through the server as if it were unguarded.
  • 2. Hidden and cloned accounts.
  • 3. Shift (sticky keys) backdoor:
  • Principle: cmd.exe is renamed and used to overwrite the original sticky keys program, so that triggering sticky keys again is equivalent to running cmd.exe.
  • Procedure: with the following command, cmd.exe is renamed to replace the Shift (sticky keys) program (sethc.exe). Afterwards, when logging into the server via Remote Desktop, pressing Shift five times at the account/password prompt brings up a cmd command prompt running with SYSTEM privileges.
  • 4. Startup items and scheduled tasks.
  • 5. DLL hijacking:
  • Principle: suppose the KuGou player is installed; when playing music it must load a standard Windows dynamic link library, mp3play.dll. The hacker develops a malicious mp3play.dll of their own, finds an MP3 song, places the malicious DLL and the song in the same folder, packs them into an archive, and sends it to the victim.
  • Note: if the victim right-clicks the archive and extracts both the MP3 file and the DLL file into the same directory (90% of people do this), then when the victim opens the MP3 file, KuGou first looks for mp3play.dll to load it; because Microsoft's DLL search order starts with the directory of the file itself, the fake, malicious mp3play.dll is found and run first.
  • 6. PowerShell backdoors.
  • 7. Remote control software.

Origin: blog.csdn.net/cldimd/article/details/105041041