Experiment series: Operating system security
Target audience: Undergraduate / Information security major
Related courses and majors: Introduction to Information and Network Security, Computer Networks
Duration (credits): 2 class hours
Experiment category: Practical experiment
Experiment purpose
1. Understand the password encryption mechanism of Windows 2000/XP/Server 2003 and its weaknesses;
2. Learn how to use Windows local password cracking tools to crack passwords and audit password security;
3. Learn how to set robust Windows passwords, and why a strong password policy must be configured.
Basic principle of password storage in Windows NT
SAM (Security Accounts Manager) is the user account database of Windows NT kernel operating systems, including Windows 2000/XP/Server 2003/Vista/7; the login names and passwords of all users are kept in this file. The system compresses the SAM information before saving it, so the information in the SAM file is not readable. In addition, while the system is running the SAM file is locked by the system account, so it cannot be opened even by the administrator account. The SAM database is located in the registry under HKLM\SAM\SAM and is protected by an ACL; you can open the registry editor regedt32.exe and set appropriate permissions to view the contents of SAM. On disk, the SAM database is stored in the file SAM in the directory %systemroot%\system32\config\. The same directory also holds a file named security, which is the content of the security database; the two are only loosely related. The SAM database includes all groups and account information, including password hashes, account SIDs and so on.
Windows uses two password encryption mechanisms in SAM, so the SAM file holds two password hashes for each account: one is the LanMan (LM) hash, the other is the NT (NTLM) hash.
◆ LanMan hash algorithm (LM)
The LanMan hash algorithm processes a user password as follows: the password is split into two halves of 7 characters each (a half shorter than 7 characters is padded with 0x00), each half is encrypted separately, and finally the two encrypted values are concatenated to obtain the final LM hash.
◆ NT hash algorithm (NTLM)
The password hash consists of two parts. One part is produced with the DES algorithm: the uppercased password in OEM format is used as the key (split into 2 keys of 7 bytes each, padded with 0 to 14 bytes in total), and DES in ECB mode is used to encrypt the fixed string "KGS!@#$%" with each key, yielding a 16-byte (128-bit) value. The other part is obtained by hashing the password in its UNICODE form with MD4.
From the LM algorithm flow above, several security deficiencies of LM can be identified:
1) The LM algorithm splits the 14-character password into two groups that are encrypted separately, so the two groups of ciphertext can be cracked separately, and the plaintext space shrinks from 95^14 to 95^7;
2) The LM algorithm does not distinguish between uppercase and lowercase characters, which shrinks the plaintext space from 95^7 to 69^7;
3) The LM algorithm, unlike other hash algorithms, does not include a random initialization vector (IV), which makes time-memory trade-off attacks (such as rainbow tables) possible: with a plaintext space of 2^43, a rainbow table can crack the hash in at most a few hours.
Although LM is very insecure, Windows kept it for compatibility, so that the many classic applications that only support LM authentication would not suddenly stop working; LM hashes therefore exist in quite a few versions of the Windows operating system. Vista/7, however, do not store the LM hash of account passwords by default.
The NTLM hash is somewhat more secure than the LM hash, because its plaintext space expands to 95^128, which greatly increases the time complexity of brute-force cracking. However, like the LM hash, the NTLM hash includes no random data (salt) in the algorithm, so it is still subject to dictionary attacks. But because the plaintext space of NTLM is larger, the space occupied by its tables also grows geometrically (an NTLM rainbow table is about 200 GB, whereas an LM rainbow table needs only a few hundred megabytes), so the time to crack is naturally much longer than for LM.
How to export SAM
The SAM file is protected by the system at runtime and is readable and writable only by system, so the SAM file cannot be copied while the system is running; you have to boot a different system to copy the SAM file.
There are four ways to obtain the SAM file:
◆ With physical access to the host, start another operating system to obtain the SAM file from the Windows partition.
◆ Obtain the %SystemRoot%\repair\sam file.
◆ Use pwdump to export the SAM hash values from the registry, dumping them to a file with a format similar to the UNIX password file.
◆ Sniff and analyze SMB messages on the network and obtain the password hash strings from them.
Before Windows NT 4.0 SP3, all password hashes were simply encrypted with DES for secure storage, and the DES key was derived only from the user account's SID, so the SAM file alone was enough to crack the encrypted hashes.
In versions after NT 4.0 SP3, however, Windows introduced SysKey, and from Windows 2000 on it is the default encryption means. To crack SAM hashes encrypted by SysKey, therefore, you first have to export the boot key from the system file, then derive the hashed boot key from it with MD5, then derive the RC4 key from the hashed boot key; with this RC4 key you can decrypt the same hash ciphertext as in the SAM of Windows NT. Finally, the NT procedure is used to obtain the password hashes against which a dictionary attack can be mounted.
SAMInside cracking software
SAMInside is a Russian password cracking program that supports Windows NT/2000/XP/Server 2003/Vista/7 and other operating systems; it is mainly used to recover Windows user login passwords. It differs from ordinary Windows password cracking software: most Windows password recovery software, such as Windows Key in the Passware Kit series, resets the Windows user password, whereas SAMInside cracks the user password into readable plain text. SAMInside can also use multiple computers to attack at the same time, which greatly improves the cracking speed.
In offline mode, SAMInside needs the sam file and the syskey (system) file to be imported before cracking; in online mode it can obtain the information directly from the local machine by importing the required information from the LSASS process, after which the specified user can be cracked.
Student experiment host: Windows XP.
Experiment target server: none.
Network environment: LAN.
Experiment content and steps
Open the Windows experiment workstation and run the Windows XP system.
1. First, check the password policy of the local host.
Open the "Run" dialog box from the "Start" menu and enter "secpol.msc" to open the "Local Security Policy" editor.
1) Disable "Password must meet complexity requirements".
2) Set "Minimum password length" to 8 or more.
Then go to "Security Settings" --> "Local Policies" --> "Security Options", find the setting "Network security: Do not store LAN Manager hash value on next password change" on the right, and confirm it is, or change it to, "Disabled" (the default is "Disabled").
2. Create a new user on the local computer. Set the password to a random combination of 8-14 digits only; for example, the user name "test" with the password "13678954376".
You can open a command prompt and enter the following command to add the user directly:
net user test 13678954376 /add
Of course, you can also add the new user and set its password through the User Accounts item in the Control Panel.
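The complexity rule disabled in step 1, written as a check function; this is an added example, not part of the lab and not Windows' own code. It approximates "Password must meet complexity requirements" (at least 3 of 4 character classes, account name not contained) together with "Minimum password length", and shows why the digit-only password from step 2 can only be set with that rule turned off.

```python
def password_policy_findings(password, account_name, min_length=8):
    """Return the list of policy rules the password violates (empty list = accepted).

    Approximation of two Local Security Policy settings used in the lab:
    - "Minimum password length" = min_length
    - "Password must meet complexity requirements": the password must not
      contain the account name (3+ characters, case-insensitive) and must
      use at least three of four character classes. Windows also counts
      other Unicode letters as a class; that is left out of this check.
    """
    findings = []
    if len(password) < min_length:
        findings.append("shorter than %d characters" % min_length)
    name = account_name.lower()
    if len(name) >= 3 and name in password.lower():
        findings.append("contains the account name")
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        findings.append("uses fewer than 3 of the 4 character classes")
    return findings


def check_lab_password():
    """The digit-only lab password "13678954376": only the complexity rule rejects it."""
    return password_policy_findings("13678954376", "test")


if __name__ == "__main__":
    # Constructed sample passwords for the account "test" from step 2.
    for pw in ("13678954376", "test2024!A", "Gf7$kq2#Lm"):
        print(pw, "->", password_policy_findings(pw, "test") or "accepted")
```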
3. Open a command prompt, go to the lab tool directory "pwdump7", and run Pwdump7.exe; all users on the local computer and their password hashes (including both the LM hash and the NTLM hash) are then displayed directly.
The basic format of each line of user information in the output above is:
"user name:relative identifier (RID):LM hash:NTLM hash"
Next, save the user hash information above to the file "C:\sam.txt" on disk.
Note: take care with the sam.txt file here. It is not typed in by hand; copy the user information output by pwdump and paste it into sam.txt, then save the text document.
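An audit of a file in the pwdump format just described, added here as an example (not part of the lab, and not code from pwdump or SAMInside). It uses the fact from the LM section that a half shorter than 7 characters is all 0x00 padding: the well-known LM hash of the empty password, aad3b435b51404eeaad3b435b51404ee, marks an account whose LM hash is not stored, and that same value in the second half alone marks a password of 7 characters or fewer. The sample lines are constructed, and the hash values in them that are not those sentinels are placeholders, not real hashes.

```python
import re

# Well-known LM hash of the empty password: DES_K("KGS!@#$%") with K = seven 0x00
# bytes, twice. The second LM half equals this for any password of <= 7 characters.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2
# Well-known NT hash (MD4 of the empty UTF-16LE string) of the empty password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed pwdump-style lines; the non-sentinel hashes are placeholders only.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1005:fedcba9876543210fedcba9876543210:89abcdef0123456789abcdef01234567:::
short:1006:fedcba9876543210aad3b435b51404ee:456789abcdef0123456789abcdef0123:::
"""

def parse_pwdump_line(line):
    """Parse 'user:RID:LM hash:NTLM hash:::'. A field that is not 32 hex digits
    (e.g. pwdump's 'NO PASSWORD*...' marker) becomes None; junk lines give None."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    lm, nt = parts[2].lower(), parts[3].lower()
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": lm if HEX32.match(lm) else None,
            "nt": nt if HEX32.match(nt) else None}

def audit_entry(entry):
    """Findings for one account, derived only from the structure of its hashes."""
    findings = []
    if entry["nt"] == EMPTY_NT_HASH:
        findings.append("empty password")
    if entry["lm"] and entry["lm"] != EMPTY_LM_HASH:
        findings.append('LM hash stored ("Do not store LAN Manager hash" setting not in effect)')
        if entry["lm"][16:] == EMPTY_LM_HALF:
            findings.append("password is 7 characters or fewer")
    return findings

def audit_pwdump(text):
    """Map user name -> findings for every parsable line of a pwdump file."""
    result = {}
    for line in text.splitlines():
        entry = parse_pwdump_line(line)
        if entry:
            result[entry["user"]] = audit_entry(entry)
    return result
```

Running audit_pwdump(SAMPLE_PWDUMP) reports nothing for Administrator, an empty password for Guest, a stored LM hash for test, and a stored LM hash plus a password of at most 7 characters for short.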
4. Go to the lab tool directory "SAMInside2.6.1" and double-click to run the SAMInside program (SAMInside.exe). The main interface is shown below.
5. Click the menu item "File" --> "Import From PWDUMP-file ...". Then select the local user password hash file "C:\sam.txt" saved earlier and click the "Open" button to return to the main interface.
6. In the "User" column, select only the temporary user just added (such as "test").
7. Click the menu item "Audit" and make sure "LM-Hash Attack" is checked and "Brute-force Attack" is checked, i.e. brute-force cracking.
8. Click the menu item "Service" -> "Options", choose "Brute-force Attack" on the left, then customize the brute-force character set on the right.
To keep the experiment time reasonable, the password of the temporary test user added earlier was a random combination of 8-14 digits only, so here we select only the [0...9] character set; click "OK" to return to the main interface. Then click "Audit" and choose "Start attack" to begin brute-force cracking. The LM-password displayed for the user after cracking is the user password set earlier.
The experiment succeeds here. Oh yeah!!
The harder you work, the luckier you get; I wish you all the best~~