Once an attacker has gained access to a server, they usually plant some kind of backdoor to keep the privileges they have obtained; with a backdoor in place, getting back into the server next time is far more convenient.
Because the intrusion may be discovered and the web shell removed, which would mean losing the target, a backdoor is left behind to preserve the privileges already gained and keep control over the long term.
Second: obtaining Windows system login accounts
Storage location of the system login accounts: C:\Windows\System32\config\SAM.
Windows manages user accounts through the SAM (Security Account Manager). Account names together with the hashes of the passwords (not the passwords themselves) are stored in the SAM database.
The SAM database lives in the file C:\WINDOWS\system32\config\SAM. When a user logs on, the supplied credentials are first compared with the account information held in the SAM file, and only after that check passes is the logon allowed. The file is protected by the system: while Windows is running it is held open by the kernel, so it cannot be copied, deleted or read directly through ordinary file access.
The SAM stores password hashes in two formats:
LM hash: the password is limited to 14 characters; a shorter password is padded with null bytes up to 14 and all characters are converted to upper case. The 14 bytes are then split into two 7-byte halves, each half is used as a DES key to encrypt a fixed constant (KGS!@#$%), and the two 8-byte results are concatenated to give the 16-byte LM hash. It is essentially DES encryption rather than a true one-way hash of the whole password.
NTLM hash (more precisely the NT hash): the password is first converted to Unicode (UTF-16LE) and then passed through the standard MD4 one-way hash.
LM is far weaker than NTLM: NTLM allows longer passwords and is case-sensitive, whereas LM uppercases the password and breaks it into two small 7-character blocks that can be cracked independently, which makes the effective keyspace tiny. In a pure NTLM environment, Lan Manager hash storage should therefore be disabled.
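As an added illustration of the two formats described above (example code written for this page, not taken from the original article), the following Python computes both hashes. MD4 is implemented inline because hashlib frequently lacks it under OpenSSL 3; the DES step of the LM hash uses pycryptodome's Crypto.Cipher.DES when it is installed and lm_hash returns None otherwise. KGS!@#$% is the constant Windows encrypts with each half; the function names are this example's own. lm_des_keys exposes the pre-processing step on its own so the uppercasing, padding and 7-bit-to-8-bit key expansion can be inspected without DES.

```python
import struct
from typing import Optional, Tuple

try:  # single DES is not in the standard library; pycryptodome provides it
    from Crypto.Cipher import DES
except ImportError:
    DES = None

LM_MAGIC = b"KGS!@#$%"  # fixed 8-byte plaintext that each 7-byte half of the password encrypts


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        x &= mask
        return ((x << n) | (x >> (32 - n))) & mask

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # message length in bits, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # each step updates one register; rotating the tuple keeps the a,b,c,d roles in order
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):
            a, b, c, d = d, rotl(a + f(b, c, d) + x[i], s), b, c
        for i, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13] * 4):
            a, b, c, d = d, rotl(a + g(b, c, d) + x[i] + 0x5A827999, s), b, c
        for i, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15] * 4):
            a, b, c, d = d, rotl(a + h(b, c, d) + x[i] + 0x6ED9EBA1, s), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


def lm_des_keys(password: str) -> Tuple[bytes, bytes]:
    """LM pre-processing: upper-case, truncate/null-pad to 14 bytes, split into two
    7-byte halves and expand each half to an 8-byte DES key (7 bits + 1 parity bit per byte)."""
    pw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")  # OEM code page simplified to ASCII

    def expand(seven: bytes) -> bytes:
        bits = int.from_bytes(seven, "big")
        return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))

    return expand(pw[:7]), expand(pw[7:])


def lm_hash(password: str) -> Optional[str]:
    """LM hash as hex, or None when no DES implementation is installed.
    Windows keeps no LM hash for passwords over 14 characters; the SAM then holds
    the LM hash of the empty password, which this function mirrors."""
    if DES is None:
        return None
    if len(password) > 14:
        password = ""
    k1, k2 = lm_des_keys(password)
    return (DES.new(k1, DES.MODE_ECB).encrypt(LM_MAGIC)
            + DES.new(k2, DES.MODE_ECB).encrypt(LM_MAGIC)).hex()


if __name__ == "__main__":
    for pw in ("", "password", "PASSWORD", "correcthorsebatterystaple"):
        print(f"{pw!r:30} NT={nt_hash(pw)}  LM={lm_hash(pw)}")
```

Running it shows the weakness in concrete terms: "password" and "PASSWORD" get different NT hashes but identical LM key material, and a 25-character password has the same LM value as an empty one.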
Password material can also be obtained directly from the memory of the lsass.exe process. In that case the credentials do not have to be recovered by exhaustive guessing: the material is held in a reversible form, so it can be decrypted directly by reversing the algorithm that produced it.
lsass.exe is the Local Security Authority Subsystem Service, the system process that handles logon and holds the credentials of logged-on users.
Notes
(1) An LM hash can only represent passwords of 14 characters or fewer. If a password is longer than 14 characters, Windows stores only the NT hash, so only the NTLM value is available; the LM field then holds no usable hash and is shown by tools as all zeros or as the empty-password value.
(2) Hash-dumping tools usually print both an LM and an NTLM value for each account. A password of 14 characters or fewer normally yields a real LM hash; an LM field that reads aad3b435b51404eeaad3b435b51404ee (the LM hash of the empty string, which some older tool versions display as zeros) means the password is blank, is longer than 14 characters, or LM storage is disabled.
(3) Up to and including Windows Server 2003, LM hash storage is enabled by default; on systems after Server 2003 (Windows Vista / Server 2008 onward) it is disabled by default and only the NTLM hash is stored.
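Added example (not from the original article) applying the three notes above to a hash dump: it parses constructed pwdump-style lines of the form user:RID:LM:NT::: and flags which accounts have a blank password, which carry a crackable LM hash, and which have only an NT hash. It also uses the null padding described under the LM format: a password of at most 7 characters leaves the second half empty, so the second 8 bytes of its LM hash equal the empty-half constant aad3b435b51404ee. The sample lines, the record layout and the function names are this example's own assumptions; only the empty-password constants and the two hashes of "password" are real values, the other hex strings are placeholders.

```python
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
LM_EMPTY_HALF = LM_EMPTY[:16]                  # DES of the magic constant under an all-null 7-byte half

# Constructed sample in the common dump format user:RID:LM:NT:::
# Only the empty-password values and the "password" hashes (alice) are real;
# the remaining hex strings are invented placeholders for this example.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
carol:1003:89abcdef01234567aad3b435b51404ee:0123456789abcdef0123456789abcdef:::
dave:1004:aad3b435b51404eeaad3b435b51404ee:76543210fedcba9876543210fedcba98:::
eve:1005:NO PASSWORD*********************:89abcdef0123456789abcdef01234567:::
"""


def parse_dump(text):
    """Return (user, rid, lm, nt) tuples from pwdump-style lines; blank and '#' lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"unexpected line: {line!r}")
        records.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return records


def lm_present(lm: str) -> bool:
    """A real LM hash is 32 hex digits that is neither the empty-password value nor
    all zeros; some tools print a text marker such as NO PASSWORD*** instead."""
    is_hex = len(lm) == 32 and all(ch in "0123456789abcdef" for ch in lm)
    return is_hex and lm not in (LM_EMPTY, "0" * 32)


def classify(lm: str, nt: str) -> str:
    if nt == NT_EMPTY:
        return "blank"        # empty password, whatever the LM field says
    if lm_present(lm):
        # LM null-pads to 14 bytes, so a password of at most 7 characters leaves the
        # second half all-null and its ciphertext equal to the empty-half constant
        return "lm-short" if lm[16:] == LM_EMPTY_HALF else "lm"
    return "nt-only"          # LM storage disabled, or password longer than 14 characters


def triage(text):
    """Map every account in a dump to one of: blank, lm-short, lm, nt-only."""
    return [(user, rid, classify(lm, nt)) for user, rid, lm, nt in parse_dump(text)]


if __name__ == "__main__":
    for user, rid, verdict in triage(SAMPLE_DUMP):
        print(f"{user:15} rid={rid:<5} {verdict}")
```

Accounts reported as lm or lm-short are the ones worth cracking first: the LM value is case-insensitive and each 7-character half can be attacked on its own, and lm-short narrows the search to a single half.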