Network penetration - maintaining privileges

Introduction

When an attacker has obtained privileges on a server, they usually use some backdoor technique to keep the access they have gained; once the backdoor is implanted, the attacker's next entry into the server is more convenient.

Purpose

Since the attack may be discovered (for example, the webshell may be found and removed before the attacker has finished, so the target is lost), it is necessary to leave a backdoor that maintains the privileges, with the aim of continuous control.

Acquiring system login account passwords

Windows: acquiring system login account passwords

Windows system account password storage location:

C:\Windows\System32\config\SAM

Windows password authentication principle:
On Windows systems, user accounts are managed by the SAM (Security Account Manager) mechanism. User accounts and their passwords, after being hashed, are stored in the SAM database.
The SAM database is stored in the file C:\WINDOWS\system32\config\SAM. When a user logs into the system, the credentials are first compared with the account information stored in the SAM file, and login succeeds only if they match. The file is protected by the system: it cannot be copied or deleted, and its contents cannot be read directly.

SAM file encryption:
1. LM encryption: Windows versions before Windows 2003, including Windows 2003
2. NTLM encryption: Windows versions after 2003
LM and NTLM are both hash-based, but they differ in mechanism and in strength; the security of LM password hashes is relatively poor. Although very few people still use systems older than Windows 2000, for backward compatibility the system by default still stores user passwords encrypted with both mechanisms in the SAM database.
Difference:
LM encryption: the password is at most 14 characters; a shorter password is padded with 0s; all characters are converted to uppercase; the result is split into two groups of 7 characters, each group is encrypted separately, and the two results are concatenated to form the final LM hash. It is essentially DES encryption.
NTLM encryption: the user password is first converted to Unicode encoding and then hashed with the standard MD4 one-way hash.
LM encryption is much less secure than NTLM encryption, because NTLM allows longer passwords, is case sensitive, and does not split the password into smaller blocks that are easier to crack. So in a pure NTLM environment, Lan Manager encryption should be turned off.

Getting the SAM file contents:

Ways to get the password hashes from SAM
1. Tools that are not AV-evading: wce.exe, QuarksPwDump.exe, Pwdump7.exe, gethash.exe, mimikatz
2. AV-evading methods:
2.1 Export the hashes from the registry:
command

 reg save hklm\sam C:\hash\sam.hive
 reg save hklm\system C:\hash\system.hive

After downloading the exported files, crack them with Pwdump7
2.2 Export the SAM file
Shadow copy (generally used on a domain controller with tens of thousands of users)
2.3 Other ways
procdump (or lsadump) + mimikatz
PowerShell + mimikatz
PowerShell + getpasshash
PowerShell + other tools

Cracking passwords
1. Online cracking
http://www.objectif-securite.ch/en/ophcrack.php
http://cmd5.com
https://somd5.com
2. Local cracking (brute force)
LM encryption: Cain
NTLM encryption: ophcrack + rainbow tables (rainbow tables download: http://ophcrack.sourceforge.net/tables.php)

Note
1. LM can only store the hash of a password of 14 characters or fewer. If the password is longer than 14 characters, Windows automatically encrypts it with NTLM only, so only the corresponding NTLM hash is available and the LM password is displayed as all 0s.
2. Under normal circumstances, a hash exported with a tool has both an LM and an NTLM value; this means the password has 14 characters or fewer, so an LM value exists. Apart from all-zero LM values, on older versions an LM hash beginning with aad3b435b51404eeaad3b435b51404ee means the password is blank or longer than 14 characters.
3. Up to and including Win2K3, LM encryption is enabled by default; systems after Win2K3 disable LM encryption and use NTLM encryption.
4. When LM encryption is used, a corresponding NTLM hash value also exists.

Example 1: Exporting the local hash values with the non-AV-evading QuarksPwDump.exe tool

1. Enter the following command in the virtual terminal of the Chopper (菜刀) webshell client, using ms15-051x64.exe (exp); the privilege escalation succeeds:

C:\Windows\Temp\ms15-051x64.exe "C:\Windows\Temp\QuarksPwDump.exe --dump-hash-local"

2. AFFFEBA176210FAD4628F0524BFE1942 is the password hash; the password can be obtained after cracking it with cmd5

Example 2: Using mimikatz to capture account passwords in clear text

Note: only the passwords of users who have logged on can be captured

Principle:
The password information is obtained directly from the lsass.exe process and recovered from it; the recovery is not an exhaustive search but a direct reverse computation of the algorithm
lsass.exe is the system process of the Local Security Authority Service

1. Use the Chopper client to upload mimikatz to C:\Windows\Temp\ on the target machine

2. Enter the following command in the Chopper virtual terminal, using ms15-051x64.exe (exp); the privilege escalation succeeds:

C:\Windows\Temp\ms15-051x64.exe "C:\Windows\Temp\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"
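From the defender's side, the registry export in 2.1 and the commands in Examples 1 and 2 all leave a process creation trail. The following is an added example, not code from the original post: a small Python detection routine run over constructed process-creation records (modelled on Windows Security event 4688 with command-line auditing enabled) that flags the command lines shown on this page. The "user|image|cmdline" record format, the rule names and the sample records are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample records modelled on Windows Security event 4688 (process creation)
# with command-line auditing enabled. The "user|image|cmdline" layout is an assumption
# of this example, not a Windows log format. The command lines are the ones on this page.
SAMPLE_EVENTS = [
    "CORP\\alice|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\reg.exe|reg save hklm\\sam C:\\hash\\sam.hive",
    "NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\reg.exe|reg save hklm\\system C:\\hash\\system.hive",
    "CORP\\bob|C:\\Windows\\Temp\\ms15-051x64.exe|C:\\Windows\\Temp\\ms15-051x64.exe "
    "\"C:\\Windows\\Temp\\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit\"",
    "CORP\\bob|C:\\Windows\\Temp\\ms15-051x64.exe|C:\\Windows\\Temp\\ms15-051x64.exe "
    "\"C:\\Windows\\Temp\\QuarksPwDump.exe --dump-hash-local\"",
    "CORP\\carol|C:\\Windows\\System32\\reg.exe|reg query hklm\\software\\microsoft",
]

# Each rule: (finding name, pattern). The names are this example's own labels.
RULES = [
    ("SAM/SYSTEM hive export via reg save",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system)\b", re.I)),
    ("mimikatz credential module invoked",
     re.compile(r"sekurlsa::logonpasswords|privilege::debug", re.I)),
    ("local SAM hash dump tool",
     re.compile(r"quarkspwdump|--dump-hash-local", re.I)),
    ("executable launched from C:\\Windows\\Temp",
     re.compile(r"c:\\windows\\temp\\[^\s\"]+\.exe", re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Return the name of every rule whose pattern matches the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(events: List[str]) -> List[Dict[str, object]]:
    """Parse 'user|image|cmdline' records and return one finding per suspicious event."""
    findings = []
    for event in events:
        user, image, cmdline = event.split("|", 2)
        hits = classify(cmdline)
        if hits:
            findings.append({"user": user, "image": image, "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['user']:<20} {finding['image']:<40} {', '.join(finding['rules'])}")
```

The benign notepad and reg query records produce no finding; the two hive exports, the mimikatz launch and the QuarksPwDump launch each produce one, so the SYSTEM-level reg save pair and any executable under C:\Windows\Temp stand out immediately.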

Linux, Unix: acquiring system login account passwords

System account password storage location:

Passwords: /etc/shadow; accounts: /etc/passwd

/etc/shadow
Example: root:$1$Bg1H/4mz$X89TqH7tpi9dX1B9j5YsF.:14838:0:99999:7:::
When the number after the first $ is 1, the hash is MD5; when it is 5, SHA-256 is used; when it is 6, SHA-512 is used
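As an added example (not from the original post), the following Python parser reads /etc/shadow records such as the one above, identifies the hash method from the $id$ prefix, and flags accounts that still use the weak MD5 method or have an empty password field; that is the check a defender runs before an attacker gets to the file. The root record is the page's example; the other sample lines and their hash strings are constructed placeholders. It also recognises the $y$ (yescrypt) and $2b$ (bcrypt) identifiers, which the page does not list.

```python
from typing import Dict, List, Optional

# $id$ prefixes in the password field of /etc/shadow. 1, 5 and 6 are the ones the page
# lists; y (yescrypt) and 2b (bcrypt) are added here because modern systems use them.
HASH_METHODS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
                "y": "yescrypt", "2b": "bcrypt"}
WEAK_METHODS = {"md5crypt", "descrypt"}

# Constructed sample lines: the root line is the page's example; the other hashes
# are placeholders, not real crypt output.
SAMPLE_SHADOW = [
    "root:$1$Bg1H/4mz$X89TqH7tpi9dX1B9j5YsF.:14838:0:99999:7:::",
    "alice:$6$saltsalt$CONSTRUCTEDSHA512PLACEHOLDER:19000:0:99999:7:::",
    "bob:$5$saltsalt$CONSTRUCTEDSHA256PLACEHOLDER:19000:0:90:7:::",
    "daemon:*:18000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
]


def parse_shadow_line(line: str) -> Dict[str, object]:
    """Split one /etc/shadow record and classify its password field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw = fields[0], fields[1]
    method: Optional[str] = None
    if pw == "":
        status = "empty"            # no password is needed to log in
    elif pw.startswith(("!", "*")):
        status = "locked"           # password login disabled for this account
    elif pw.startswith("$"):
        status = "hashed"
        method = HASH_METHODS.get(pw.split("$")[1], "unknown")
    else:
        status, method = "hashed", "descrypt"   # legacy 13-character DES crypt
    return {"user": user, "status": status, "method": method,
            "last_change": int(fields[2]) if fields[2] else None,
            "max_days": int(fields[4]) if fields[4] else None}


def audit(lines: List[str]) -> List[str]:
    """Return one finding per account whose password storage needs attention."""
    findings = []
    for rec in map(parse_shadow_line, lines):
        if rec["status"] == "empty":
            findings.append(f"{rec['user']}: empty password field, logs in without a password")
        elif rec["method"] in WEAK_METHODS or rec["method"] == "unknown":
            findings.append(f"{rec['user']}: weak or unrecognised hash method {rec['method']}")
    return findings
```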

Cracking:
John the Ripper

Other methods will be added as they are updated...


Origin blog.csdn.net/wsnbbz/article/details/104825613