password hashes without fgdump-阿里云开发者社区

开发者社区> cnbird> 正文

password hashes without fgdump

简介: Well, you can be quite frustrated when beloved FGdump just does not work without particular reason.
+关注继续查看

Well, you can be quite frustrated when beloved FGdump just does not work without particular reason. Password hashes are so close, but yet not achievable. But it seems there is a kind of remedy (or call it: “alternative way”) for getting the password hashes. Here is the story.

All right, we know that password hashes are stored in the registry, in the key HKLM/Security/Sam. Normally you must have administrator privileges to access it. Even you are the local admin – you still have to assign manually full control permission for this subkey to yourself. Then you may see something like this:

The juicy stuff physically is stored in two files:
C:/windows/system32/config/sam
and
C:/windows/system32/config/system

So theoretically if we would be able to get the content of those files we may pass it to Cain and play a little with it… But unfortunately those files are locked, so they can’t be copied or accesses by any way. If you will try, you will immediately have a nice error like this:

So it looks like no chance. Well, note quite. There is an interesting approach called “Dumping File Sectors Directly from Disk using Logical Offsets”, which surprisingly allow you to copy files which are locked and currently used. There is nice tool called FDump which allows you to do this. More details here: http://www.codeproject.com/KB/files/FDump.aspx
If you don’t want to go to deep into the theory (which is recommended btw), - here is the practical solution.

The target:

We must have own separate copies of both files: C:/windows/system32/config/sam and C:/windows/system32/config/system in target system (the second one is needed because of the “boot key” is stored there) so then we may process it somewhere else with Cain & Abel.

Step 1:

Run the fdump.exe with the following parameters:

fdump.exe "C:/WINDOWS/system32/config/SAM" sam.dat
fdump.exe "C:/WINDOWS/system32/config/system" system.dat

Expected result:

Step 2:

Run cain.exe and do the following thing: Select “Cracker”, then “Add to list” and then “Import hashes from Sam database”.

Then:

So after all manipulations it should looks more or less like this:

Then click “Next”, and here we are!

The rest is up to you. Now you probably need a good rainbow tables and a bit of luck. :-)

Afterword:

You may be tempted to explore the copied registry manually and see what else is there (your curiosity is more then normal), so here is the quick "how to" browse downloaded registry files with regedit:

Open regedit, and make single click on HKLM branch (important!):

Then in the main menu select “File” and “Load Hive”, then select our file: C:/myfiles/sam

...and finally provide a key name. This is the key where a new hive will be attached to.

Do not forget to assign proper permissions to this branch:

Close the regedit and open it again. Now you can browse everything! :)

版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

相关文章
阿里云服务器怎么设置密码?怎么停机?怎么重启服务器?
如果在创建实例时没有设置密码,或者密码丢失,您可以在控制台上重新设置实例的登录密码。本文仅描述如何在 ECS 管理控制台上修改实例登录密码。
10095 0
阿里云服务器如何登录?阿里云服务器的三种登录方法
购买阿里云ECS云服务器后如何登录?场景不同,大概有三种登录方式:
2963 0
使用OpenApi弹性释放和设置云服务器ECS释放
云服务器ECS的一个重要特性就是按需创建资源。您可以在业务高峰期按需弹性的自定义规则进行资源创建,在完成业务计算的时候释放资源。本篇将提供几个Tips帮助您更加容易和自动化的完成云服务器的释放和弹性设置。
12078 0
阿里云服务器安全组设置内网互通的方法
虽然0.0.0.0/0使用非常方便,但是发现很多同学使用它来做内网互通,这是有安全风险的,实例有可能会在经典网络被内网IP访问到。下面介绍一下四种安全的内网互联设置方法。 购买前请先:领取阿里云幸运券,有很多优惠,可到下文中领取。
11819 0
腾讯云服务器 设置ngxin + fastdfs +tomcat 开机自启动
在tomcat中新建一个可以启动的 .sh 脚本文件 /usr/local/tomcat7/bin/ export JAVA_HOME=/usr/local/java/jdk7 export PATH=$JAVA_HOME/bin/:$PATH export CLASSPATH=.
4664 0
如何设置阿里云服务器安全组?阿里云安全组规则详细解说
阿里云安全组设置详细图文教程(收藏起来) 阿里云服务器安全组设置规则分享,阿里云服务器安全组如何放行端口设置教程。阿里云会要求客户设置安全组,如果不设置,阿里云会指定默认的安全组。那么,这个安全组是什么呢?顾名思义,就是为了服务器安全设置的。安全组其实就是一个虚拟的防火墙,可以让用户从端口、IP的维度来筛选对应服务器的访问者,从而形成一个云上的安全域。
7504 0
阿里云服务器ECS登录用户名是什么?系统不同默认账号也不同
阿里云服务器Windows系统默认用户名administrator,Linux镜像服务器用户名root
4510 0
阿里云ECS云服务器初始化设置教程方法
阿里云ECS云服务器初始化是指将云服务器系统恢复到最初状态的过程,阿里云的服务器初始化是通过更换系统盘来实现的,是免费的,阿里云百科网分享服务器初始化教程: 服务器初始化教程方法 本文的服务器初始化是指将ECS云服务器系统恢复到最初状态,服务器中的数据也会被清空,所以初始化之前一定要先备份好。
7365 0
+关注
cnbird
阿里云安全专家,主要负责阿里云云产品安全。
4036
文章
3
问答
文章排行榜
最热
最新
相关电子书
更多
《2021云上架构与运维峰会演讲合集》
立即下载
《零基础CSS入门教程》
立即下载
《零基础HTML入门教程》
立即下载