Getting the logged-in user's password in Windows 2003


To protect their personal data, most users set a login password on their own computer, and everyone carries a collection of passwords around in their head. So, on Windows 2003, how can the password of the currently logged-in user be obtained? On all NT-based systems there are several ways to do this. The editor will describe the three ways he knows of.

1. Hook a few functions in winlogon. Programs of this type already exist on the Internet; the project called winlogonhijack is available on rootkit.com. However, that project only works for locally logged-in users and does nothing for remote (terminal) logins.

2. Interpose between GINA and winlogon. As long as your own password-recording code runs inside certain functions, it records passwords with high stability and works for both local and remote logins. The existing GINA backdoor programs have not been updated for XP or 2003, mainly because XP and 2003 added new functions to winlogon.

3. Read process memory directly to obtain the plaintext password. On NT 4.0 and 2000, the program findpass reads the memory of the winlogon process and recovers the login password directly, because on NT 4.0 and 2000 the account information (domain name, account name and password) sits at a fixed, regular address in winlogon's memory, so it is very easy to retrieve. On XP and 2003 this method no longer works; it seems there is no way to read the plaintext from a fixed address. The rest of this article discusses how to obtain the logged-in user's password on Server 2003 in the way findpass does on NT 4.0 and 2000.

Although XP and 2003 no longer keep the login user's information at a fixed address in the winlogon process as earlier NT systems did, the Lsass process still needs the plaintext login password when it processes certain information, so the logged-in user's password does appear inside the Lsass process. (Microsoft does not encrypt the password inside Lsass. Microsoft's reasoning is that since Lsass must recover the plaintext, any encryption could only be reversible, and anyone who traces what lsass does could still recover the plaintext, so Microsoft took the lazy route, possibly also to speed up response times, and simply keeps the plaintext password in the lsass process memory.) Having said that, everyone now knows the logged-in user's password is in the memory of the lsass process. That is indeed the case, but is retrieving this plaintext password as easy as running findpass on NT 4.0 or 2000? It is not, for the following reasons:

A. The address at which the password is stored inside the lsass process is not fixed.

B. The password may have been overwritten by the last user to log in. For example, administrator abc logs in locally, then administrator bbb logs in remotely, and then bbb logs out of the terminal session; the password held in the memory of lsass.exe may now be bbb's rather than abc's. Likewise, if a user logs in and then logs out, even if we recover a password we cannot tell which user it belongs to.

C. The data before and after the password is also irregular. If there were a pattern (for instance, if the password were always preceded by a run of 01 bytes), locating the password would be simple.

Causes A and C make it hard to locate the password; cause B means that even a located password cannot be reliably matched to an account. Microsoft evidently did some work on the newer systems. Still, we will not give up; even if it comes down to luck, we can at least see whether the password can be obtained, and if it fails, no harm done.

I wrote the code at the end of this article to test whether the guest account's password can be recovered on a 2003 system, and the results matched the analysis above (the results were, of course, measured with this program). The success rate is naturally not high, because too many factors interfere: the password is hard or impossible to locate, or what is found is not a password at all, so the failure rate is considerable. It is a method nonetheless, and perhaps someone will find a way to locate the password precisely in the future, which would be welcome. Despite the high overall failure rate, there is one situation where the success rate is very high: the administrator has just logged in, locally or through a terminal session, no other user has logged in locally or through a terminal session since, and the administrator has not locked the system.

Two ways to improve the success rate:

1. Write the program as a service that periodically checks for local or remote logins (there is in fact no difference between the two). When a login is detected, search the lsass process memory and try to retrieve the password.

2. Have the program simulate a login (this can be done with LogonUser()). Because the LogonUser() API only succeeds when given an account name and its correct password, the program can then search the lsass process memory, and since it knows what the password is, it can locate where the password is stored. Because the logged-in user's password is kept at the same address, or not far from it, a simulated login followed by a search can pin down in advance where the password of the next user to log in will be found.

Of the three methods, the most stable and safest is the GINA approach. Hooking winlogon APIs modifies system components and therefore affects system stability. Searching the lsass process memory directly is actually harder, and its accuracy and success rate are low.

The following code uses a very crude and primitive search method: it mainly searches Lsass memory for the string "localSystem Remote Procedure", because in quite a few tests the password was stored at a position after the address of this string. Of course, many systems do not contain this string at all, and even where it is present, the result may not be the real password.
