Windows authentication: local authentication

Table of contents

1. Windows authentication process

2. LM Hash and NTLM Hash

2.1 Principle of LM Hash

2.2 Principle of NTLM Hash


Windows authentication has three parts: local authentication, network authentication and domain authentication. Understanding Windows authentication and how passwords are captured can be said to be the first step in intranet penetration.

1. Windows authentication process

The Windows logon password is stored (as a hash) in the system's local SAM file. When a user logs on to Windows, the system compares the password entered by the user with the value in the SAM file; if they match, authentication succeeds.

The SAM file is located in the %SystemRoot%\system32\config\ directory and stores the credential information of all local users. If we try to open it, however, we find that it cannot be viewed directly while the system is running.

Simply put, the local authentication process can be divided into five steps:

winlogon.exe - the user enters the account name and password - lsass.exe - the password is converted to an NTLM hash and compared with the value in the SAM file - the logon succeeds or fails.

When the user logs out, restarts, or locks the screen, the operating system has winlogon.exe display the logon interface, that is, the credential input box. Once the user's input is received, the password is handed to the lsass process. During this stage the plaintext password is held in memory; lsass converts it to an NTLM hash and compares that against the SAM database to authenticate the user.

Windows Logon Process (winlogon.exe): the Windows NT user logon program, responsible for managing user logon and logoff.

LSASS (lsass.exe, Local Security Authority Subsystem Service): the security mechanism of Microsoft Windows responsible for local security and logon policy.

In local authentication, the process that handles the password the user typed is lsass.exe. The password is held in plaintext in this process so that it can be converted to an NTLM hash and compared with the SAM. When mimikatz is used to obtain plaintext passwords, it is from the memory of this process that they are read.

2. LM Hash and NTLM Hash

The Windows operating system normally uses two methods to protect a user's plaintext password. In a domain environment, user information is stored in ntds.dit, where passwords are likewise kept as hashes. A stored Windows password generally consists of two parts: the LM hash and the NTLM hash. The hash record in Windows usually has the following structure: username:RID:LM-HASH:NT-HASH

2.1 Principle of LM Hash

a. Convert the plaintext password to upper case. Taking the plaintext Admin@123 as the example, the uppercase form is ADMIN@123

b. Convert the uppercase string to its hexadecimal byte representation: 41 44 4D 49 4E 40 31 32 33

c. If the password is shorter than 14 bytes, pad it with 0 to 14 bytes and split it into two groups of 7 bytes

1 byte = 8 bits. The hexadecimal string above is 9 bytes long, 5 bytes short of 14, so it is padded with 00 00 00 00 00, giving:

41 44 4D 49 4E 40 31
32 33 00 00 00 00 00

d. Convert each 7-byte group to binary, append a 0 after every 7 bits, and convert the result back to hexadecimal, which yields two 8-byte values

First group 

e. Use the two 8-byte values obtained above as DES keys to encrypt the fixed string KGS!@#$% (its hexadecimal form is 4B47532140232425)

f. Concatenate the two ciphertexts to obtain the final LM hash.

2.2 Principle of NTLM Hash

a. Convert the plaintext password (for example Admin@123) to hexadecimal, then to Unicode (UTF-16LE) form by appending 0x00 after each byte

For example:

Admin@123 in hexadecimal: 41646D696E40313233

After inserting 00: 410064006D0069006E004000310032003300

b. Hash the Unicode string with MD4 to produce a 32-hex-digit string, the NTLM hash
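As an added example (not code from the original post), the Python below carries both procedures above through on the page's sample password: LM steps a to d, producing the two 8-byte DES keys (step e, the DES encryption of KGS!@#$%, is left out because the standard library has no DES), and the complete NTLM hash, with MD4 implemented inline because modern OpenSSL builds no longer expose it through hashlib. It assumes the password is ASCII, as the page's example is.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because modern OpenSSL builds drop MD4."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(16):                     # round 1: F, message words in order
            a, b, c, d = d, _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                     # round 2: G, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                     # round 3: H, word order 0,8,4,12,2,10,...
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a, b, c, d = d, _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NTLM hash: unsalted MD4 over the UTF-16LE password (the '00 after each byte' form)."""
    return md4(password.encode("utf-16le")).hex()

def lm_des_keys(password: str) -> list:
    """LM steps a-d: upper-case, pad/truncate to 14 bytes (ASCII assumed), split 7+7, expand to DES keys."""
    raw = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    keys = []
    for half in (raw[:7], raw[7:]):
        bits = int.from_bytes(half, "big")          # 56 bits of the 7-byte group
        key = 0
        for i in range(8):                          # 7 key bits followed by a 0 bit per output byte
            key = (key << 8) | (((bits >> (49 - 7 * i)) & 0x7F) << 1)
        keys.append(key.to_bytes(8, "big"))
    return keys

if __name__ == "__main__":
    print("NTLM hash of Admin@123:", nt_hash("Admin@123"))
    print("LM DES keys of Admin@123:", [k.hex() for k in lm_des_keys("Admin@123")])
```

Because neither hash is salted, identical passwords give identical hashes on every machine, which is why a dumped SAM or ntds.dit must be protected as carefully as the passwords themselves.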


Origin blog.csdn.net/hmysn/article/details/128514473