Miao Deyu (苗得雨)
Windows NT has become the server operating system of the moment: whether on a local network or on the Internet, it seems to be everywhere. Precisely because its source code is closed and it presents a simple graphical interface, however, Windows NT has become a favourite target for attackers, and hunting for NT vulnerabilities is now part of an intruder's basic routine.
Why do attackers regard NT's security mechanisms as fragile? One obvious reason is the ease and convenience of its administration; another is its dependence on backward compatibility. To win market share it had to keep supporting the protocols already in use on existing networks, so some of NT's security measures never reach their intended effect. In particular, NT's underlying network stack still rests on NetBIOS, CIFS (Common Internet File System) and SMB (Server Message Block). An experienced intruder can therefore shrug off NT's newer protections: the old protocol weaknesses, and the same techniques that exploited them elsewhere, work against NT just as well. NT's handling of password secrets is also imperfect. It still stores the old LAN Manager hash, which is computed from the upper-cased password split into two independent 7-character halves and carries no salt, and that makes cracking unusually easy.
This article walks through the methods and concrete steps attackers commonly use against Windows NT, so that network administrators can direct their hardening effort where it matters. There is a saying that rings true: "There is no such thing as an absolutely stupid system, only absolutely stupid administrators." As long as administrators maintain their systems carefully, attackers will find no opening.
So how do attackers use these methods to mount damaging attacks on NT? The following sections describe the concrete steps involved in each technique.
Obtaining an Administrator-level account
On NT, an attacker who cannot obtain an account with Administrator rights can do little to your system. NT also provides no built-in remote command execution, and even where remote access is granted, interactive remote administration is limited to a handful of privileged accounts. These design choices raise NT's security considerably and limit the damage that ordinary, non-administrative users can do. But seasoned attackers, like cunning foxes, rely on sharp senses to spot every one of your weaknesses, and when an administrator faces these battle-hardened intruders, the apparently secure defences turn out to be a system riddled with holes.
For both manual guessing and automated brute forcing, the attacker's first task is to obtain a list of user names. Attackers usually begin by port-scanning the target server; Xiao Rong's Fluxay (流光) and many foreign tools offer this feature, and a port scan often yields a good deal of valuable information.
Armed with the port information, the attacker can pull the user list from any host whose services are inadequately protected. The usual approach is a null session: an anonymous connection to the host's IPC$ share (net use \\target\IPC$ "" /user:"") that NT accepts with a blank user name and password and that lets an unauthenticated client enumerate names over this known channel. The simplest method of all is the nbtstat command, which with the -A switch and the target's IP address dumps the remote host's NetBIOS name table:
Look at what we get: the NetBIOS name table of that server, including the system name, the domain the machine belongs to, and the names of users currently logged on to it. Of course, no seasoned attacker would attack you on the strength of this information alone; they want more intelligence and far more detail about their prey, and every one of them has the patience to wait until they have collected it. For that they generally turn to a few tools, and several are particular favourites: the Windows NT Resource Kit (NTRK), often called the hacker's toolbox, and the well-known DumpACL and NetCat. These tools were written so that administrators could conveniently gather information about their networks and systems and manage them more easily, but once attackers pick them up, they can gather your information just as conveniently as an administrator. I therefore recommend that administrators run these tools against their own systems first and see which weaknesses an attacker could exploit.
Here we have used DumpACL to connect to a machine, and we can see which resources this server shares; naturally an attacker can see them too. Legion is another well-known tool of this kind: from a graphical interface it can enumerate the shared resources of every computer on an entire class C network, and the latest version even includes a small utility that guesses share passwords from a list the intruder supplies.
There are also excellent share-probing tools from China. Zhuibu (追捕) easily discovers user names, computer names and domain information, and for shared resources Tianxing's Network Assassin (网络刺客) should be the first choice. Network Assassin is extremely powerful: some Chinese attackers have broken into many NT and UNIX servers with nothing else, and Xiao Rong, the well-known author of Chinese scanning software, praised it highly when I talked with him, which gives some idea of its capabilities.
Having used these tools to gather whatever they consider valuable, attackers move on to the next stage: breaking into the server. Crafty attackers generally do not start with the server itself but with your workstations, because they know that local workstations are more likely to escape an administrator's attention and are the weakest link in any network. The central server usually has stricter password management and is rarely broken easily, whereas the workstations attached to it generally allow interactive user logons and remote execution of some commands, all of which later become an entry point into the server.
While the administrator sleeps, the attackers set to work. To crack your passwords they generally choose tools such as the NetBIOS Auditing Tool (NAT) and Legion, and a password dictionary generated with a tool such as Luandao (乱刀) or simply downloaded from the Internet. Once everything is in place they point NAT at a target, and NAT works through the user list and password dictionary automatically. A simple FOR loop is enough to sweep a whole subnet for weak passwords:
D:\> FOR /L %i IN (1,1,254) DO nat -u userlist.txt -p passlist.txt 202.11.22.%i >> nat_output.txt
(The loop variable %i supplies the last octet, so every host from 202.11.22.1 to 202.11.22.254 is tried in turn; cmd.exe loop variables are case-sensitive, so %i must be written the same way in both places.)
[*]--- Checking host: 202.11.22.33
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with Username: 'ADMINISTRATOR' Password: 'ADMINISTRATOR'
[*]--- Attempting to connect with Username: 'ADMINISTRATOR' Password: 'GUEST'
...
[*]--- CONNECTED: Username: 'ADMINISTRATOR' Password: 'PASSWORD'
[*]--- Attempting to access share: \\*SMBSERVER\TEMP
[*]--- WARNING: Able to access share: \\*SMBSERVER\TEMP
[*]--- Checking write access in: \\*SMBSERVER\TEMP
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\TEMP
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\TEMP
...
And with that a password is in hand. There are many tools of this kind, and all of them can mount brute-force attacks. Professional or veteran attackers often prefer commercial cracking tools, which run very fast and can split the work across many threads and grind several sessions in parallel; since these tools cost money, ordinary attackers rarely have them.
Privilege escalation
Privilege escalation is a method attackers use constantly, and it is the most common form of intrusion. Typically, once an attacker holds a valid ordinary user name and password on an NT server (that is, a credential below Administrator level), they exploit vulnerabilities in NT itself and mistakes born of administrative carelessness to escalate the account they hold, upgrading an ordinary account into one with special privileges.
Having obtained a non-administrative account, the attacker first probes the target server's ports and system information, makes exploratory accesses to file paths, and enumerates shared resources with the NTRK tools mentioned earlier; Chinese attackers generally like to use Network Assassin or similar tools for this initial reconnaissance. Once they have a clear picture of the server, they usually reach for a tool named sechole for the next step, the privilege escalation itself.
Sechole's most remarkable feature is that it turns an ordinary account held by the attacker into a member of the Administrators group; the updated version, secholed, can just as easily elevate an ordinary user into a privileged one and add it to the Domain Admins group. Once the attacker triggers sechole remotely, it patches some instructions in memory around the OpenProcess API call, crosses the privilege boundary so that it attaches itself to a privileged process, and then uses a technique similar to DLL injection to insert malicious code into a process running with Administrators privileges, which carries out the escalation.
Sechole must, however, run locally on the target server, and for that the target has to meet several specific conditions, such as running the IIS (Internet Information Server) service. Normally it is hard for an attacker to obtain access to an IIS directory that is both readable and writable, and that is what they need. But once they do gain that access, they quickly upload sechole into one of a few specific directories, usually:
C:\Inetpub\msadc\
C:\Inetpub\News\
C:\Inetpub\cgi-bin\
C:\Inetpub\scripts\
C:\Inetpub\_vti_bin\
...
Along with it they upload the DLL files sechole depends on, an NT command interpreter (ntcmd.exe), and a program for modifying users, groups and policy, typically one called ntuser. With these in place, the attacker can launch sechole remotely from a web browser simply by requesting a URL, and can then add an account of their choosing to the Administrators group. A cautious attacker, to cover their tracks, will first use ntuser to create a brand-new user on the target server. The URL that launches ntuser from the browser looks like this (127.0.0.1 stands for the target server's address):
http://127.0.0.1/scripts/ntcmd.exe?/C%20C:\inetpub\scripts\ntuser.exe%20-s%20server1%20add%20matrix%20-password%20thematrix
In this URL the server name is "server1", the user name "matrix" and the password "thematrix". Each %20 is a URL-encoded space, so ntcmd passes the long string on to a shell on the target, where it is executed as:
ntcmd /c ntuser -s servername add username -password password
The attacker can then add the chosen account to the Administrators group with this URL:
http://127.0.0.1/scripts/ntcmd.exe?/C%20C:\inetpub\scripts\ntuser.exe%20-s%20server1%20lgroup%20append%20Administrators%20matrix
which executes on the NT server as:
ntcmd /c ntuser -s servername lgroup append groupname username
And that is all it takes: by typing a few URLs into a browser, the attacker has made themselves an Administrators-level user and can now do anything they please.
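Every request in the sequence above passes through IIS and lands in its log, which is where an administrator can catch it. The detector below is an added example, not code from the article: it scans IIS W3C extended log lines for a binary being requested out of one of the script directories listed above and for a command line hidden in the query string. The log lines, client addresses, timestamps and field order are constructed for this example.

```python
"""Flag script-directory command execution in IIS W3C extended log lines.
Added example, not from the article; SAMPLE_LOG is constructed."""
import re
from urllib.parse import unquote

# Directories IIS treats as executable (the article's upload targets), lower-cased.
SCRIPT_DIRS = ("/scripts/", "/msadc/", "/cgi-bin/", "/_vti_bin/", "/news/")
EXECUTABLE = (".exe", ".dll", ".cmd", ".bat")
# Tokens that belong to a command line, not to a legitimate CGI query string.
CMDLINE = re.compile(r"(^|\s)(/c|ntuser(\.exe)?|add|lgroup|append|administrators|-password)(\s|$)", re.I)
LOCAL_PATH = re.compile(r"\b[a-z]:\\", re.I)      # an absolute Windows path in the query

def parse_w3c_line(line: str):
    """Field order assumed for this constructed log:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status ('#' lines are directives)."""
    if line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    date, time, c_ip, method, stem, query, status = fields[:7]
    return {"time": f"{date} {time}", "c_ip": c_ip, "method": method, "stem": stem,
            "query": "" if query == "-" else unquote(query), "status": status}

def classify(entry: dict) -> list:
    """Reasons this request looks like command execution through IIS (empty list = benign)."""
    stem = entry["stem"].lower()
    reasons = []
    if stem.endswith(EXECUTABLE) and stem.startswith(SCRIPT_DIRS):
        reasons.append("executable requested from a script directory")
        if CMDLINE.search(entry["query"]):
            reasons.append("command line passed in query string")
        if LOCAL_PATH.search(entry["query"]):
            reasons.append("absolute local path in query string")
    return reasons

def scan(lines):
    """Return the suspicious entries, each with its decoded query and the reasons it was flagged."""
    hits = []
    for line in lines:
        entry = parse_w3c_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits

# Constructed sample: the two ntuser requests from the text, the sechole upload being
# executed, and two benign requests (a page and a legitimate .idq query).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-09-14 02:13:07 10.1.1.50 GET /default.htm - 200
1999-09-14 02:13:40 10.2.2.7 GET /scripts/samples/search/query.idq CiRestriction=printer 200
1999-09-14 02:14:22 10.1.1.50 GET /scripts/ntcmd.exe /C%20C:\inetpub\scripts\ntuser.exe%20-s%20server1%20add%20matrix%20-password%20thematrix 200
1999-09-14 02:14:41 10.1.1.50 GET /scripts/ntcmd.exe /C%20C:\inetpub\scripts\ntuser.exe%20-s%20server1%20lgroup%20append%20Administrators%20matrix 200
1999-09-14 02:15:03 10.1.1.50 GET /scripts/sechole.exe - 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['c_ip']} {hit['stem']} {hit['query']!r}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The check is deliberately about shape rather than file names: a renamed ntcmd.exe is still an executable under /scripts/ being handed a /C and a drive path, so it is flagged just the same. The practical counterpart is to give the Everyone group no write permission on any IIS script directory, which denies the upload step the whole attack depends on.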
Cracking the SAM
Will an attacker stop once they have Administrator rights? We would hope so, but generally they are not content with a single administrator identity; they want to know your secrets, all of them. To get at more of them, the first thing they go after is the Windows NT SAM (Security Accounts Manager), because the SAM holds the account information, user names and password hashes for the local system and for any domain the machine controls, much like the password file on UNIX. The SAM's contents are of course stored in hashed form, but for compatibility reasons Microsoft retained the LAN Manager one-way hash alongside the NT hash, and the weaknesses of that LM hash let attackers recover the passwords from it with ease. The most popular tool for this is L0phtcrack; on a Pentium II 450 it can exhaust every combination of letters and digits within about 24 hours.
L0phtcrack is really a powerful guesser: it hashes the words and character combinations from the intruder's dictionary and compares the results with the SAM hashes the attacker has obtained. Because this process never connects to the target server, the administrator is unlikely to notice it and account lockout never comes into play. The attacker can crack whenever they like, interrupt the job and resume it another day; the whole thing is just a matter of CPU time and dictionary size, and with today's hardware neither is a serious obstacle.
To crack the SAM you first have to obtain it. Windows NT stores it in the %systemroot%\system32\config directory, and while the NT server is running the SAM file is locked, so that even the Administrator cannot modify it. A little trickery will open its doors, however, by working with the keys recorded under it in the registry.
There are roughly four ways to obtain the SAM:
1. Boot another operating system
As the name implies, if the server is booted from another system rather than straight into NT, the protection on the SAM file is obviously no longer in effect. Attackers usually use the NTFSDOS driver from Systems Internals to read the NTFS volume, then copy the SAM file out.
2. Obtain a backup copy of the SAM
NT's repair-disk utility backs up the system's critical information, which of course includes the SAM: rdisk writes a compressed copy of the SAM to the %systemroot%\repair directory as a file named SAM._. Most administrators forget to delete these files after copying the repair data elsewhere, which leaves the attacker the option of using them. Attackers generally just import the backup into L0phtcrack.
3. Dump the hashes from the SAM
We saw earlier how Administrator access is obtained; with administrator rights an attacker can easily extract the SAM password hashes that NT stores in the registry. Either L0phtcrack or Pwdump, both mentioned above, will dump these hashes with no trouble, although a patched NT (the SYSKEY feature introduced with Service Pack 3) encrypts the stored hashes more strongly.
4. Sniff the NT password authentication exchange
Here we have to mention L0phtcrack again; arguably its most powerful feature is that it can sniff the password hash values from SMB (Server Message Block) exchanges directly off the local network. Users uncomfortable with the command-line version can choose the graphical L0phtcrack, though that version requires a licence fee. The following describes how attackers use L0phtcrack to crack the SAM.
First open L0phtcrack and, following its prompts, point it at the location of the SAM. Next find a sufficiently large dictionary and use Open Wordlist File under the File menu to select it. Then set the cracking options under Tools > Options. Two modes are offered: Brute Force Attack and Hybrid Attack. If your CPU is fast enough you can choose the brute-force attack, which goes beyond the dictionary and tries every string the computer can generate from a chosen character set. The hybrid attack is the nemesis of lazy administrators, because it tests simple combinations such as Password12345 against the SAM hashes; many small and medium-sized company sites use exactly such passwords, which are obviously very weak. L0phtcrack also offers features such as pausing a crack and saving its state.
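The reason this offline cracking works so well is structural, and the point of the SAM discussion and of the hybrid attack above can be shown in a few dozen lines. The code below is an added example, not code from the article or from L0phtcrack: it models the LAN Manager hash's structure (upper-case the password, pad it to 14 bytes, hash the two 7-byte halves independently, add no salt) and a hybrid candidate generator, then cracks each half on its own. The real LM hash DES-encrypts the constant "KGS!@#$%" under each half; DES is not in the Python standard library, so HMAC-SHA256 under a fixed key stands in for that one-way function. The digests are therefore not real LM hashes, and the wordlist and target passwords are constructed, but the weaknesses demonstrated are the real ones.

```python
"""Model of the LAN Manager hash structure and of a hybrid dictionary attack against it.
Added example, not from the article; the one-way function is a stand-in, not DES."""
import hashlib
import hmac
import itertools
import string

_STAND_IN_KEY = b"KGS!@#$%"   # the real LM constant, used here only to key the stand-in PRF

def _prepare(password: str) -> bytes:
    """LM preprocessing: upper-case, 8-bit characters, truncate/NUL-pad to exactly 14 bytes."""
    return password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")

def half_hash(seven: bytes) -> bytes:
    """Stand-in for DES_encrypt(key=7 password bytes, data="KGS!@#$%"): 8 output bytes."""
    return hmac.new(_STAND_IN_KEY, seven, hashlib.sha256).digest()[:8]

def lm_style_hash(password: str) -> bytes:
    """16-byte digest: the two 7-byte halves are hashed independently and there is no salt."""
    p = _prepare(password)
    return half_hash(p[:7]) + half_hash(p[7:])

EMPTY_HALF = half_hash(b"\x00" * 7)   # second half of every password of 7 characters or fewer

def salted_hash(password: str, salt: bytes) -> bytes:
    """Contrast: case-preserving, whole-password, per-user salt (everything LM lacks)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def hybrid_candidates(words, max_digits=2):
    """Hybrid attack as described above: each word as-is, capitalized, and with digit suffixes."""
    for w in words:
        for base in (w, w.capitalize()):
            yield base
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    yield base + "".join(digits)

def crack_lm_style(target: bytes, words):
    """Recover the upper-cased password by cracking each 8-byte half on its own.
    Any 7-byte chunk of any candidate can satisfy either half, which is why a
    14-character LM password is worth only 7 characters of strength."""
    first, second = target[:8], target[8:]
    wanted = {first: None, second: None}
    if second == EMPTY_HALF:
        wanted[second] = b""            # free information: the password has at most 7 characters
    for cand in hybrid_candidates(words):
        p = _prepare(cand)
        for chunk in (p[:7], p[7:]):
            h = half_hash(chunk)
            if h in wanted and wanted[h] is None:
                wanted[h] = chunk.rstrip(b"\x00")
        if None not in wanted.values():
            break
    if None in wanted.values():
        return None                     # the original letter case is unrecoverable in any event
    return (wanted[first] + wanted[second]).decode("latin-1")

if __name__ == "__main__":
    print("same password, same hash, whatever the case:",
          lm_style_hash("secret") == lm_style_hash("SECRET") == lm_style_hash("Secret"))
    print("salted scheme differs per user:", salted_hash("secret", b"u1") != salted_hash("secret", b"u2"))
    print("'Admin!1' is at most 7 chars:", lm_style_hash("Admin!1")[8:] == EMPTY_HALF)
    print("cracked:", crack_lm_style(lm_style_hash("Welcome2000"), ["welcome", "2000"]))
```

Note how the halves are matched: the second half of Welcome2000 is recovered from the candidate "2000" on its own, because a 7-byte chunk hashes the same way whichever half it occupies. That, the missing salt (identical passwords give identical hashes across every account and every machine) and the lost letter case are what let L0phtcrack exhaust the alphanumeric space in a day, and they are the reason to require passwords longer than seven characters, to set passwords that defeat simple word-plus-digits mutations, and to keep the SAM and its repair-directory copy away from anyone who is not an administrator.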
After L0phtcrack we have to mention John (John the Ripper), long hailed as attackers' favourite tool. John is primarily a powerful cracker for UNIX password files, but it can equally crack Windows NT LAN Manager hashes. John is somewhat more complicated to operate, and because the LM hash discards letter case it cannot tell you the original capitalisation, but its great advantage is that it is free.
Another excellent tool for cracking the SAM is Crack 5. Its basic capabilities are much like John's, including cracking Windows NT LAN Manager hashes, and its strength is that it can apply more than 200 password-mutation rules of its own. Its only drawback is that you need to be quite proficient with UNIX to master it.
That concludes our discussion of Windows NT security. After reading the above you might think Windows NT is a rather insecure operating system, but that is not so: without Administrator-level rights there is almost nothing you can do to Windows NT remotely. All of the attack methods described here can certainly be avoided as long as administrators take extra care.