While on a penetration test it is sometimes necessary to pull hash files from Windows systems to crack weak passwords. You could easily do this with a Metasploit meterpreter session, but sometimes I like to do it without exploiting the box. Also, doing it remotely over the network without a user’s knowledge is always a big plus. This method isn’t always usable or available, but in the right situation we can use an NMAP script called smb-pwdump.nse to do this. The downside is that it requires an account on the box, and right now the target needs to be running Windows 2000 or Windows Server 2003 for it to be able to pull the local accounts.
First, we obviously need NMAP installed. For this tutorial I’ll be using Backtrack4-R1, which currently has NMAP 5.35DC1 installed. If you look in the directory /usr/share/nmap/scripts you’ll see all sorts of scripts that do some really helpful things on a test.
What we’re going to use is the one called smb-pwdump.nse. If you don’t have that script you’ll need to download it and put it into the scripts directory. The only place I could find the script was in a slightly older version of NMAP, version 5.00.
The next thing you’ll need is the pwdump executable and dll files. Those you can get from here:
wget http://swamp.foofus.net/fizzgig/pwdump/pwdump6-1.7.2-exe-only.tar.bz2
Just extract those into this directory: /usr/share/nmap/nselib/data
Create the directory if need be. Once you have the script and the executable/DLLs you’re ready to go. To use the script, run the following, changing the arguments to match your credentials and target…
# nmap -p 135,139,445 --script=smb-pwdump.nse --script-args=smbuser=administrator,smbpass=lamepassword 192.168.0.190
The output will look similar to this…
The hashes are dumped out in lm:ntlm form and are ready to be cracked in a tool like ophcrack, which I’ll cover in a later post. Remember, this information is only intended for use on systems you own or have permission to use it on.
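As an added example (not code from the original post or from the NMAP project), here is a small Python script that parses pwdump-format output and reports the things a defender would act on from a dump like this: accounts that still have a real LM hash stored (the host is not enforcing the NoLMHash policy, so those passwords are trivially crackable), accounts whose NT hash is the empty-password hash, and accounts that share the same NT hash (password reuse). It assumes the script’s output keeps pwdump6’s user:rid:lmhash:nthash::: line format, optionally prefixed by NMAP’s "| " output decoration. The sample lines and the 1111…/2222…/3333…/4444… hash values are constructed placeholders; only the two empty-password hash constants are real.

```python
import re
from collections import defaultdict

# Well-known constants: LM and NT hashes of the empty string.
# An LM field equal to EMPTY_LM means no LM hash is stored for that account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump6 line format (assumption: the NSE script preserves it):
#   user:rid:lmhash:nthash:::
_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample dump; the non-empty hash values are placeholders, not real hashes.
SAMPLE_DUMP = """\
| Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
| Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
| backup:1001:22222222222222222222222222222222:11111111111111111111111111111111:::
| svc_print:1002:33333333333333333333333333333333:44444444444444444444444444444444:::
"""


def parse_pwdump(text):
    """Return a list of {user, rid, lm, nt} dicts for every well-formed line."""
    entries = []
    for raw in text.splitlines():
        # Strip NMAP's "| " prefix and surrounding whitespace.
        line = raw.strip().lstrip("|").strip()
        m = _LINE.match(line)
        if not m:
            # Header text, blank lines, or anything not in pwdump format is ignored.
            continue
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries):
    """Flag LM storage, empty passwords, and NT-hash reuse across accounts."""
    findings = {"lm_stored": [], "empty_password": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for e in entries:
        if e["lm"] != EMPTY_LM:
            # A real LM hash is present: NoLMHash is not enforced for this account.
            findings["lm_stored"].append(e["user"])
        if e["nt"] == EMPTY_NT:
            findings["empty_password"].append(e["user"])
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        # Identical NT hashes mean identical passwords (NT hashes are unsalted).
        if len(users) > 1 and nt != EMPTY_NT:
            findings["shared_nt"][nt] = users
    return findings


def report(text):
    """Human-readable summary; returns the lines so callers can log them."""
    findings = audit(parse_pwdump(text))
    lines = []
    for user in findings["lm_stored"]:
        lines.append(f"LM hash stored for {user}: enforce NoLMHash and reset the password")
    for user in findings["empty_password"]:
        lines.append(f"Empty password on {user}: disable the account or set a password")
    for nt, users in findings["shared_nt"].items():
        lines.append(f"Password reuse ({nt[:8]}...): {', '.join(users)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
```

Running it against the constructed sample flags backup and svc_print for stored LM hashes, Guest for an empty password, and Administrator/backup for sharing a password; on a real dump these are the findings to take back to the system owner, since each one maps to a concrete policy fix (NoLMHash, account lockout/disablement, unique admin passwords).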
Information gathered from http://seclists.org/nmap-dev/2009/q1/22