Three ways to help you get the login password in win 2003


On all NT-based systems there are several ways to obtain the password of the logged-in user. The three methods I know of can all achieve this goal.

1. Hook a few functions in winlogon. Programs of this type already exist on the Internet; the project called winlogonhijack is available on rootkit.com, but it only works for locally logged-in users and is ineffective for remote logins.

2. Insert your own code between GINA and winlogon. As long as your own password-recording code runs inside certain functions, you can record passwords with high stability, and it works for both local and remote logins. Existing GINA backdoor programs do not work on XP or 2003, mainly because XP and 2003 added new functions to winlogon.

3. Read the memory directly to obtain the plaintext password. On NT 4.0 and 2K, the program findpass can read the memory of the winlogon process and obtain the login user's password directly, because on NT 4.0 and 2K the account information, including the domain name, account name and password, always sits at a fixed address in winlogon memory, so it is very easy to retrieve. On XP and 2003 this method no longer works; it seems there is no way to read the plaintext from a fixed address directly. Let's talk about how to obtain the logged-in user's password on Server 2003 in the same way findpass does on NT 4.0 and 2K.

Although XP and 2003 no longer store login user information at a fixed address in the winlogon process as earlier NT systems did, the underlying Lsass process still needs the plaintext login password while processing some information. So the logged-in user's password appears in the Lsass process. (Microsoft did not encrypt the password inside Lsass. Microsoft's reasoning is that because Lsass needs the plaintext password, any encryption could only be reversible, and anyone who traces lsass's operation could recover the plaintext anyway, so Microsoft took the lazy route, which may also speed up the response, and left the plaintext password in lsass process memory.) Having said that, everyone now knows that the logged-in user's password is in the memory of the lsass process. Yes, that is how it is, but is obtaining this plaintext password as easy as using findpass on NT 4.0 and 2K? It is not that easy, for the following reasons:

A. The memory address at which the lsass process stores the password is not fixed.

B. The password may be overwritten by the last user to log in (for example, administrator abc logs in locally, then administrator bbb logs in remotely, and then administrator bbb logs out of the terminal session; the password held in the memory of lsass.exe may still be administrator bbb's), or a user may log in and then log out, so even if we obtain a password we do not know which user it belongs to.

C. The data before and after the password is also irregular. If there were a pattern, such as a run of data consisting entirely of 01 bytes immediately before the password, then locating the password would be simple.

Reasons A and C both make it difficult to locate the password. Reason B means the password cannot be reliably matched to an account. It seems Microsoft did some work on the new system. However, we will not give up; even if it is only a matter of luck, we can still see whether the password can be obtained, and if it fails, it does not matter.

I wrote the final code to test whether the guest's password could be obtained on a 2003 system, and the result matched the analysis above (the analysis above was, of course, obtained by measuring with this program). The success rate is naturally not high, because it is affected by too many factors: the difficulty or impossibility of locating the password, data that turns out not to be a password, and so on. The failure rate is quite high, but it is still a method, and perhaps someone will be able to locate the password accurately in the future, which would be pleasing. Although the failure rate is high in general, in one situation the success rate is very high: when the administrator has just logged in locally or via the terminal, no other user has logged in locally or via the terminal since, and the administrator has not locked the system.
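The defender-side counterpart to the three paths above, as an added example that is not part of the original article: two checks a monitoring script can run to spot the GINA-replacement and lsass-memory-reading approaches. It assumes a log source in the style of Sysmon Event ID 10 (ProcessAccess, with SourceImage, TargetImage and GrantedAccess fields), which is a later tool than Windows 2003, a site-specific allowlist of processes that may open lsass.exe, and the GinaDLL value under the Winlogon registry key (absent or msgina.dll by default). The event records and registry values below are constructed for the demonstration.

```python
"""Defender-side checks for the credential-recovery paths described in the article.

Added example, not code from the original article. The event records are
constructed in the shape of Sysmon Event ID 10 (ProcessAccess) records; the
allowlist is an assumption and must be tuned per host.
"""

# Access-mask bits of the Win32 OpenProcess() API that a memory reader needs.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Processes that legitimately open lsass.exe on this host (assumption: tune per site).
LSASS_READ_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed ProcessAccess-style records: who opened what, with which rights.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\user\Desktop\dumper.exe",        # hypothetical name
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\user\Desktop\dumper.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
]

# Value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL.
# None means the value is absent, in which case winlogon loads msgina.dll.
DEFAULT_GINA = "msgina.dll"


def _basename(path):
    """Return the file name of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def reads_lsass_memory(event):
    """True when a non-allowlisted process opens lsass.exe with PROCESS_VM_READ.

    PROCESS_VM_READ is the right a process needs to read another process's
    memory, which is exactly what method 3 in the article relies on.
    """
    if _basename(event["TargetImage"]) != "lsass.exe":
        return False
    if event["SourceImage"].lower() in LSASS_READ_ALLOWLIST:
        return False
    granted = int(event["GrantedAccess"], 16)
    return bool(granted & PROCESS_VM_READ)


def flag_lsass_readers(events):
    """Return the source images of every suspicious lsass.exe open in `events`."""
    return [e["SourceImage"] for e in events if reads_lsass_memory(e)]


def gina_is_default(gina_dll_value):
    """True when the GinaDLL registry value is absent or points at msgina.dll.

    A different file name means a custom GINA sits between winlogon and the
    logon prompt, which is the hook point used by method 2 in the article.
    """
    if gina_dll_value is None:
        return True
    return _basename(gina_dll_value) == DEFAULT_GINA


if __name__ == "__main__":
    for image in flag_lsass_readers(SAMPLE_EVENTS):
        print("suspicious lsass.exe memory access by", image)
    for value in (None, r"C:\WINDOWS\system32\msgina.dll", r"C:\WINDOWS\system32\mygina.dll"):
        print("GinaDLL", value, "default" if gina_is_default(value) else "CUSTOM")
```

The allowlist compares full lower-cased paths rather than file names, so a copy of svchost.exe in a user directory is still flagged; the GinaDLL check compares only the file name because the default may be written with or without a directory.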
